TWI625949B - Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof - Google Patents
Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof Download PDFInfo
- Publication number
- TWI625949B TWI625949B TW105117807A TW105117807A TWI625949B TW I625949 B TWI625949 B TW I625949B TW 105117807 A TW105117807 A TW 105117807A TW 105117807 A TW105117807 A TW 105117807A TW I625949 B TWI625949 B TW I625949B
- Authority
- TW
- Taiwan
- Prior art keywords
- network
- tenant
- virtual network
- virtual
- tenant virtual
- Prior art date
Links
Abstract
本發明提供一種透過控制器管控虛擬覆蓋網路以生成租戶虛擬網路之管控系統及其管控方法。前述之管控系統包含多租戶虛擬網路建構與管控子系統、虛擬覆蓋網路建構子系統以及多租戶虛擬網路控制器子系統。前述之多租戶虛擬網路建構與管控子系統用於決策多租戶虛擬網路之生成並收集虛擬網路資料,而虛擬覆蓋網路建構子系統,則於網路底層環境建立通訊隧道,以提供多租戶虛擬網路上之虛擬機發送的封包可跨實體機進行溝通,前述之多租戶虛擬網路控制器子系統用於監控虛擬網路資訊,並決策多租戶虛擬網路上之虛擬機發送封包流向。 The invention provides a control system for controlling a virtual overlay network through a controller to generate a tenant virtual network and a control method thereof. The foregoing control system includes a multi-tenant virtual network construction and control subsystem, a virtual overlay network construction subsystem, and a multi-tenant virtual network controller subsystem. The aforementioned multi-tenant virtual network construction and control subsystem is used to determine the generation of multi-tenant virtual networks and collect virtual network data, while the virtual overlay network construction subsystem establishes a communication tunnel in the underlying environment of the network to provide Packets sent by virtual machines on a multi-tenant virtual network can communicate across physical machines. The multi-tenant virtual network controller subsystem is used to monitor virtual network information and determine the flow of packets sent by virtual machines on a multi-tenant virtual network. .
Description
本發明係針對雲端維運系統中之多租戶虛擬網路(Multi-Tenant Virtual Network)進行生成與管控,透過虛擬覆蓋網路建構子系統生成虛擬覆蓋網路(Virtual Overlay Network),允許使用者或維運人員建立租戶虛擬網路,並透過虛擬網路控制器(Virtual Network Controller)集中管理虛擬機(Virtual Machine,VM)網路存取與流向,確保虛擬機在租戶虛擬網路內網路連通以及租戶間的虛擬網路完全隔離。 The invention generates and manages a multi-Tenant Virtual Network in a cloud maintenance system, and constructs a virtual overlay network through a virtual overlay network to enable a user or The maintenance personnel establish a tenant virtual network and centrally manage the virtual machine (VM) network access and flow through the virtual network controller (Virtual Network Controller) to ensure that the virtual machine is connected to the network in the tenant virtual network. And the virtual network between tenants is completely isolated.
隨著雲端運算技術和虛擬化技術的日益成熟,雲端運算服務需求的快速發展。為了滿足雲端運算服務之彈性移動、可靠性、資訊安全性、隨需服務、高可用性等特性。網路資源與應用模式因而逐漸虛擬化而形成虛擬網路。租戶可以申租獨立虛擬網路,其租戶所屬的虛擬機得以介接在其虛擬網路之上,達成不同租戶間的網路第二層隔離,藉以達成資訊安全性並達成多種應用架構。目前所熟知一般應用於網路第二層隔離技術如下: With the maturity of cloud computing technology and virtualization technology, the demand for cloud computing services has grown rapidly. In order to meet the flexible mobility, reliability, information security, on-demand services, high availability and other features of cloud computing services. Network resources and application models are thus gradually virtualized to form a virtual network. Tenants can subscribe to a separate virtual network, and the virtual machine to which the tenant belongs can be connected to the virtual network to achieve the second layer of network isolation between different tenants, so as to achieve information security and achieve multiple application architectures. The second-layer isolation technology generally known to be applied to the network is as follows:
(1)虛擬區域網路(Virtual Local Area Network,VLAN):虛擬區域網路是目前管理實體或虛擬網路中最常見的做法。透過虛擬區域網路可將網路細分成邏輯上的區域網路,針對網路架構中之資料鏈結層(第二層) 進行隔離,並各自給予不同的IP子網路。此方法可防止惡意的封包竊取達到網路隔離的效果,為網路管理提供更完整的資訊安全保障,亦可降低區域網內資料大量流通時,因封包過多導致網路壅塞的問題。然而,此做法卻因VLAN個數有4096上限的原因,限制可管控之網路的大小,使網路的規模無法向外擴展。更因為必須因VLAN之差異給予不同的IP子網段,造成IP資源的浪費。 (1) Virtual Local Area Network (VLAN): Virtual area network is the most common practice in current management entities or virtual networks. The virtual area network can be used to subdivide the network into logical regional networks for the data link layer (second layer) in the network architecture. Isolation is performed and each is given a different IP subnet. This method can prevent the malicious packet stealing from achieving the effect of network isolation, provide more complete information security for network management, and reduce the problem of network congestion caused by too many packets when the data in the regional network is widely distributed. However, this method limits the size of the network that can be controlled due to the 4096 upper limit of the number of VLANs, so that the size of the network cannot be scaled out. Moreover, because different IP subnet segments must be given due to differences in VLANs, IP resources are wasted.
(2)虛擬覆蓋網路(Virtual Overlay Network),在虛擬機發送的封包上使用通訊隧道Tunnel技術進行封裝,常見Tunnel封裝有GRE、VxLAN、NVGRE...等等類型,在原本的第二層網路上根據Tunnel封裝的識別碼能夠將原本實體網路分成多個獨立虛擬租戶網路,達到與前述虛擬區域網路相同的第二層隔離效果,除大幅提升其4096組虛擬網路上限外,更解決需要實體交換器設備設定支援的維運瓶頸。 (2) The virtual overlay network (Virtual Overlay Network) is encapsulated on the packets sent by the virtual machine using the tunnel technology of the communication tunnel. The common tunnel is encapsulated with GRE, VxLAN, NVGRE, etc., in the original second layer. According to the identifier of the tunnel encapsulation on the network, the original physical network can be divided into multiple independent virtual tenant networks to achieve the same second layer isolation effect as the virtual local area network, except that the 4096 virtual network upper limit is greatly increased. It also solves the bottleneck of maintenance that requires physical switch device setting support.
雖然虛擬覆蓋網路機制能改良原有之虛擬區域網路的限制,但此方法的實作必須仰賴OpenFlow規則支持,由規則訂定對特定Tunnel封裝識別碼進行特定操作,知名雲端系統OpenStack即是使用此種架構。其做法是在系統啟動之前必須決定虛擬覆蓋網路建立範圍,若需改變虛擬網路範圍,則必須手動將計算節點上的網路代理程式重啟,造成維運管理的不便,且其做法中沒有SDN控制器,而是使用計算節點上的網路代理程式在OpenFlow交換器中下達靜態規則,對OpenFlow交換器的儲存空間造成負擔。 Although the virtual overlay network mechanism can improve the limitations of the original virtual local area network, the implementation of this method must rely on the OpenFlow rule support, and the specific operation of the specific tunnel encapsulation identifier is determined by the rules. The well-known cloud system OpenStack is Use this architecture. The practice is to determine the virtual coverage network establishment range before the system is started. If the virtual network range needs to be changed, the network agent on the computing node must be manually restarted, resulting in inconvenience in maintenance management, and there is no such way. Instead of using the network agent on the compute node, the SDN controller issues static rules in the OpenFlow switch, putting a burden on the storage space of the OpenFlow switch.
(3)在此先前的專利技術中有提及使用SDN控制器控制虛擬機封包達成租戶網路隔離之概念,專利題目與公開號係為Virtual Network (WO/2015/000386)。此篇專利提出之虛擬化網路概念係使用SDN控制器搭配OpenFlow交換器透過控制OpenFlow table操控網路流向,SDN控制器根據虛擬機發送的封包表頭上的來源MAC與目的MAC進而判斷是否同屬一個虛擬網路,若同屬一個虛擬網路則下達OpenFlow規則至交換器給予通行,若不同則禁止。 (3) In this prior patented technology, the concept of using a SDN controller to control virtual machine packets to achieve tenant network isolation is mentioned. The patent title and the public number are Virtual Network. (WO/2015/000386). The virtualized network concept proposed in this patent uses the SDN controller and the OpenFlow switch to control the network flow by controlling the OpenFlow table. The SDN controller determines whether it belongs to the same source according to the source MAC and the destination MAC address on the packet header sent by the virtual machine. A virtual network, if it belongs to a virtual network, releases OpenFlow rules to the switch to give access. If it is different, it is forbidden.
此篇專利所提出之控制器管控實屬創意難得,但其使用來源MAC與目的MAC做為OpenFlow規則過於瑣碎,同屬一個虛擬網路的兩台虛擬機會因為來源MAC不同而導致OpenFlow交換器會向SDN控制器詢問兩次,過多的詢問次數將造成SDN控制器的負擔,瑣碎且冗長OpenFlow規則存於OpenFlow交換器將消耗OpenFlow交換器的儲存空間,尤其從其存於OpenFlow交換器的OpenFlow規則只能看到來源與目的MAC資訊,無法直接由維運人員判讀其所屬虛擬網路,不利於真實上線雲端環境的維護。實非一良善之設計,而亟待加以改良。因此,針對雲端運算服務維運系統中虛擬網路資源的管理,提出適用於此系統的多租戶虛擬網路生成與管控方法,實為雲端運算服務發展的重要關鍵。 The controller management proposed in this patent is rare, but its use of source MAC and destination MAC as OpenFlow rules is too trivial. Two virtual machines belonging to the same virtual network will cause OpenFlow switches due to different source MAC addresses. Asking the SDN controller twice, the number of excessive queries will cause a burden on the SDN controller. The trivial and lengthy OpenFlow rules stored in the OpenFlow switch will consume the storage space of the OpenFlow switch, especially from its OpenFlow rules stored in the OpenFlow switch. Only the source and destination MAC information can be seen, and the virtual network cannot be directly interpreted by the maintenance personnel, which is not conducive to the maintenance of the real online cloud environment. It is not a good design, and it needs to be improved. Therefore, for the management of virtual network resources in the cloud computing service maintenance system, the multi-tenant virtual network generation and management method applicable to this system is proposed, which is an important key to the development of cloud computing services.
綜上所述,如何提供一種可藉由控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之技術方案乃本領域亟需解決之技術問題。 In summary, how to provide a technical solution for controlling a virtual overlay network by a controller to generate a multi-tenant virtual network is a technical problem that needs to be solved in the field.
為解決前揭之問題,本發明之目的即在於提供一種方法與系統以進行雲端維運系統中之多租戶虛擬網路的生成與管控,用以達成虛擬覆蓋網路之建構,提供使用者或維運人員建立租戶虛擬網路,確保虛擬機在租戶虛擬網路內網路連通以及租戶間的虛擬網路完全隔離。同時因虛擬 覆蓋網路的特性,本發明大幅提升傳統虛擬區域網路4096組虛擬網路上限外,更解決需要實體交換器設備設定支援的維運瓶頸。透過租戶識別碼的幫助,虛擬交換器上的流向規則能夠大幅簡化,節省其存取空間的消耗。而租戶識別碼更能夠幫助維運人員判讀封包所屬租戶虛擬網路,對於真實上線雲端環境的維護上是一大助益。 In order to solve the problems disclosed above, the object of the present invention is to provide a method and system for generating and controlling a multi-tenant virtual network in a cloud maintenance system, to achieve virtual virtual network construction, providing users or The maintenance personnel establish a tenant virtual network to ensure that the virtual machine is connected to the virtual network within the tenant virtual network and the virtual network between the tenants is completely isolated. Simultaneous virtual Covering the characteristics of the network, the present invention greatly improves the virtual network upper limit of the 4096 sets of the traditional virtual local area network, and further solves the bottleneck of the maintenance that requires the physical switch device setting support. With the help of the tenant identification code, the flow rules on the virtual switch can be greatly simplified, saving the consumption of its access space. The tenant identification code can help the maintenance personnel to interpret the tenant virtual network of the package, which is a great help for the maintenance of the real online cloud environment.
本發明之次一目的係在於提供一種適用於雲端運算服務系統的虛擬化網路管理機制。係利用集中式虛擬化網路控制器,納管虛擬交換器、虛擬機以及虛擬網路資源。俾使整體雲端運算服務系統中的網路管理可支援虛擬機即時遷移(live-migration)之特點,並可跨越虛擬交換器的管理限制,使虛擬化網路安全管理機制具備網路管理設定之可攜性,消除於虛擬化網路環境常見之叢集劃分限制,達到虛擬隔離群組內虛擬機之無縫式遷移,提升虛擬網路管理之效能,彈性地管理所有虛擬交換器,且可掌握整體虛擬網路之拓樸全貌與資源,並滿足雲端運算服務之高彈性移動、資訊安全性、高可用性之特性,俾使本發明之系統成為適用於雲端運算服務系統之網路管理系統。 A second object of the present invention is to provide a virtualized network management mechanism suitable for a cloud computing service system. It utilizes a centralized virtualized network controller to manage virtual switches, virtual machines, and virtual network resources.网路 Enables network management in the overall cloud computing service system to support the characteristics of virtual machine live-migration, and can manage the virtual network security management mechanism with network management settings. Portability, eliminating the clustering restrictions common to virtualized network environments, achieving seamless migration of virtual machines in virtual isolation groups, improving the effectiveness of virtual network management, and flexibly managing all virtual switches, and mastering them The overall topology and resources of the overall virtual network, and the characteristics of the highly flexible mobile, information security, and high availability of the cloud computing service, make the system of the present invention a network management system suitable for the cloud computing service system.
達成上述發明目的之管控系統。可提供管理者使用虛擬覆蓋網路建構子系統於實體機上建立虛擬覆蓋網路於實體伺服器間建立通訊隧道(Tunnel),並在虛擬機進入虛擬網路時,利用虛擬網路控制器與虛擬交換器(Virtual Switch)來管控所有的虛擬網路資源以及虛擬機所在之網路拓樸位置。使用者或管理者可自由建立租戶虛擬網路,並將虛擬機納管進特定虛擬網路,使其虛擬機在租戶虛擬網路內網路連通以及租戶間的虛擬網路完全隔離。 A control system that achieves the above object of the invention. The administrator can use the virtual overlay network construction subsystem to establish a virtual overlay network on the physical machine to establish a communication tunnel between the physical servers, and use the virtual network controller when the virtual machine enters the virtual network. The Virtual Switch manages all virtual network resources and the network topology where the virtual machines are located. The user or administrator can freely establish a tenant virtual network and pipe the virtual machine into a specific virtual network, so that the virtual machine is completely connected to the virtual network in the tenant virtual network and the virtual network between the tenants is completely isolated.
本發明所提出之透過使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統包括:多租戶虛擬網路建構與管控子系統、虛擬覆蓋網路建構子系統、以及虛擬網路控制器子系統,前述各個子系統說明如下: The control system proposed by the present invention for controlling a virtual overlay network by using a controller to generate a multi-tenant virtual network includes: a multi-tenant virtual network construction and control subsystem, a virtual overlay network construction subsystem, and a virtual network control The subsystems, the aforementioned subsystems are described as follows:
前述之多租戶虛擬網路建構與管控子系統包含:多租戶虛擬網路操作與呈現模組、多租戶虛擬網路資源與拓樸相依關係知識庫、多租戶虛擬網路區域生成決策單元、多租戶虛擬網路生成決策單元、多租戶虛擬網路資源綁定虛擬機決策單元、多租戶虛擬網路資源與拓樸監控收集單元、虛擬覆蓋網路建構需求傳送單元,以及多租戶虛擬網路訊息傳送單元。 The foregoing multi-tenant virtual network construction and control subsystem includes: multi-tenant virtual network operation and presentation module, multi-tenant virtual network resource and topology dependency knowledge base, multi-tenant virtual network area generation decision unit, and more Tenant virtual network generation decision unit, multi-tenant virtual network resource binding virtual machine decision unit, multi-tenant virtual network resource and topology monitoring collection unit, virtual overlay network construction demand transmission unit, and multi-tenant virtual network message Transfer unit.
前述之虛擬覆蓋網路建構子系統包含多租戶虛擬覆蓋網路建構子系統溝通單元、多租戶虛擬覆蓋網路建構決策單元、以及虛擬交換器與網路節點控制單元。 The aforementioned virtual overlay network construction subsystem includes a multi-tenant virtual overlay network construction subsystem communication unit, a multi-tenant virtual overlay network construction decision unit, and a virtual switch and network node control unit.
前述之虛擬網路控制器子系統包含:多租戶虛擬網路拓樸監控單元、多租戶虛擬網路控制器知識庫、多租戶虛擬網路決策單元、多租戶虛擬網路單點傳遞(unicast)單元、多租戶虛擬網路租戶識別碼綁定單元、多租戶虛擬網路多點傳遞(multicast)單元、虛擬交換器與網路節點偵測器、以及多租戶虛擬網路控制器訊息傳遞單元。 The aforementioned virtual network controller subsystem includes: multi-tenant virtual network topology monitoring unit, multi-tenant virtual network controller knowledge base, multi-tenant virtual network decision-making unit, multi-tenant virtual network unicast (unicast) Unit, multi-tenant virtual network tenant identification code binding unit, multi-tenant virtual network multicast (multicast) unit, virtual switch and network node detector, and multi-tenant virtual network controller message delivery unit.
本發明所提出之系統更進一步地考量虛擬化網路環境中虛擬機即時遷移(live-migration)之特點,在系統機制之設計上增加虛擬隔離群組之網路設定的可攜性。係透過前述子系統對於整體虛擬化網路資源的持續監控與收集,以及虛擬化網路流向的集中管控機制,使本系統所涵蓋之虛擬化網路中的虛擬隔離群組之設定具有可攜性,並可使虛擬隔離群組無 限制於虛擬化環境常見之叢集劃分,可達到虛擬隔離群組內虛擬機之無縫式遷移,提升維運人員管控虛擬化網路之效率。 The system proposed by the present invention further considers the characteristics of virtual machine live-migration in a virtualized network environment, and increases the portability of the network setting of the virtual isolation group in the design of the system mechanism. Through the continuous monitoring and collection of the entire virtualized network resources and the centralized management and control mechanism of the virtualized network flow, the virtual isolation group in the virtualized network covered by the system is portable. Sex and make the virtual isolation group absent Restricted to the common clustering of virtualized environments, the seamless migration of virtual machines in the virtual isolation group can be achieved, and the efficiency of the maintenance personnel to control the virtualized network can be improved.
綜合以上所述,本發明之管控系統提高虛擬化網路中的網路安全,並提供虛擬化網路維運人員一個俱備可攜性與彈性之虛擬隔離群組系統,提升維運人員在管控虛擬化環境之效率。 In summary, the control system of the present invention improves the network security in the virtualized network, and provides a virtual isolation group system for the virtualized network maintenance personnel to be portable and flexible, thereby improving the maintenance personnel. Manage the efficiency of your virtualized environment.
100‧‧‧實體例概要圖 100‧‧‧Community example summary
110‧‧‧虛擬化網路範疇 110‧‧‧Virtual Network Category
111‧‧‧虛擬交換器 111‧‧‧Virtual Switch
111-a‧‧‧虛擬交換器-a 111-a‧‧‧Virtual Switch-a
111-b‧‧‧虛擬交換器-b 111-b‧‧‧Virtual Switch-b
111-c‧‧‧虛擬交換器-c 111-c‧‧‧Virtual Switch-c
112‧‧‧虛擬機 112‧‧‧Virtual Machine
112-a~112-k‧‧‧虛擬機-a~虛擬機-k 112-a~112-k‧‧‧Virtual Machine-a~Virtual Machine-k
113‧‧‧多租戶虛擬網路區域 113‧‧‧Multi-tenant virtual network area
113-a~113-b‧‧‧多租戶虛擬網路區域-a-多租戶虛擬網路區域-b 113-a~113-b‧‧‧Multi-tenant virtual network area-a-multi-tenant virtual network area-b
114‧‧‧多租戶虛擬網路 114‧‧‧Multi-tenant virtual network
114-a~114-b‧‧‧多租戶虛擬網路-a~多租戶虛擬網路-b 114-a~114-b‧‧‧Multi-tenant virtual network-a~multi-tenant virtual network-b
120‧‧‧實體網路與實體機範疇 120‧‧‧Physical network and physical machine category
121‧‧‧實體機 121‧‧‧ physical machine
121-a~121-c‧‧‧實體機-a~實體機-c 121-a~121-c‧‧‧body machine-a~body machine-c
123‧‧‧實體交換器 123‧‧‧Physical exchanger
124‧‧‧網際網路 124‧‧‧Internet
200‧‧‧透過控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統 200‧‧‧Control system for managing virtual overlay networks through controllers to generate multi-tenant virtual networks
210‧‧‧多租戶虛擬網路建構與管控子系統 210‧‧‧Multi-tenant virtual network construction and control subsystem
211‧‧‧多租戶虛擬網路操作與呈現模組 211‧‧‧Multi-tenant virtual network operation and presentation module
212‧‧‧多租戶虛擬網路資源與拓樸相依關係知識庫 212‧‧‧Multi-tenant virtual network resource and topology-dependent knowledge base
213‧‧‧多租戶虛擬網路區域生成決策單元 213‧‧‧Multi-tenant virtual network area generation decision unit
214‧‧‧多租戶虛擬網路生成決策單元 214‧‧‧Multi-tenant virtual network generation decision-making unit
215‧‧‧多租戶虛擬網路資源綁定虛擬機決策單元 215‧‧‧Multi-tenant virtual network resource binding virtual machine decision unit
216‧‧‧多租戶虛擬網路資源與拓樸監控收集單元 216‧‧‧Multi-tenant virtual network resources and topology monitoring collection unit
217‧‧‧虛擬覆蓋網路建構需求傳送單元 217‧‧‧Virtual Overlay Network Construction Demand Transfer Unit
218‧‧‧多租戶虛擬網路訊息傳送單元 218‧‧‧Multi-tenant virtual network messaging unit
220‧‧‧虛擬覆蓋網路建構子系統 220‧‧‧Virtual Overlay Network Construction Subsystem
221‧‧‧多租戶虛擬覆蓋網路建構子系統溝通單元 221‧‧‧Multi-tenant virtual overlay network construction subsystem communication unit
222‧‧‧多租戶虛擬覆蓋網路建構決策單元 222‧‧‧Multi-tenant virtual overlay network construction decision-making unit
223‧‧‧虛擬交換器與網路節點控制單元 223‧‧‧Virtual Switch and Network Node Control Unit
230‧‧‧多租戶虛擬網路控制器子系統 230‧‧‧Multi-tenant virtual network controller subsystem
231‧‧‧多租戶虛擬網路拓樸監控單元 231‧‧‧Multi-tenant virtual network topology monitoring unit
232‧‧‧多租戶虛擬網路控制器知識庫 232‧‧‧Multi-tenant virtual network controller knowledge base
233‧‧‧多租戶虛擬網路決策單元 233‧‧‧Multi-tenant virtual network decision-making unit
234‧‧‧多租戶虛擬網路單點傳遞(unicast)單元 234‧‧‧Multi-tenant virtual network unicast unit
235‧‧‧多租戶虛擬網路租戶識別碼綁定單元 235‧‧‧Multi-tenant virtual network tenant identification code binding unit
236‧‧‧多租戶虛擬網路多點傳遞(multicast)單元 236‧‧‧Multi-tenant virtual network multicast unit
237‧‧‧虛擬交換器與網路節點偵測器 237‧‧‧Virtual Switch and Network Node Detector
238‧‧‧多租戶虛擬網路控制器訊息傳遞單元 238‧‧‧Multi-tenant virtual network controller messaging unit
300‧‧‧多租戶虛擬網路建構與管控子系統運作流程圖 300‧‧‧Multi-tenant virtual network construction and control subsystem operation flow chart
圖1係為本發明第一實施例使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統方塊圖 1 is a block diagram of a control system for using a controller to control a virtual overlay network to generate a multi-tenant virtual network according to a first embodiment of the present invention;
圖2係為本發明多租戶虛擬網路建構與管控子系統之內部方塊圖。 2 is an internal block diagram of a multi-tenant virtual network construction and control subsystem of the present invention.
圖3係為本發明虛擬覆蓋網路建構子系統之內部方塊圖。 3 is an internal block diagram of a virtual overlay network construction subsystem of the present invention.
圖4係為本發明多租戶虛擬網路控制器子系統內部方塊圖。 4 is an internal block diagram of a multi-tenant virtual network controller subsystem of the present invention.
圖5係為本發明多租戶虛擬網路建構與管控子系統運作流程圖。 FIG. 5 is a flow chart of the operation of the multi-tenant virtual network construction and control subsystem of the present invention.
圖6係為本發明多租戶虛擬化網路控制器子系統運作流程圖。 6 is a flow chart showing the operation of the multi-tenant virtualized network controller subsystem of the present invention.
圖7多租戶虛擬網路控制器子系統決策以及建構多租戶網路之流程圖。 Figure 7 is a flow chart of the multi-tenant virtual network controller subsystem decision and construction of a multi-tenant network.
圖8係為本發明之系統實施例概要圖。 Figure 8 is a schematic diagram of an embodiment of the system of the present invention.
圖9係為本發明之系統實施例架構圖。 Figure 9 is a block diagram of an embodiment of the system of the present invention.
以下將描述具體之實施例以說明本發明之實施態樣,惟其並非用以限制本發明所欲保護之範疇。 The specific embodiments are described below to illustrate the embodiments of the invention, but are not intended to limit the scope of the invention.
本發明係使用虛擬覆蓋網路建構子系統於實體機上建立虛擬覆蓋網路於實體伺服器間建立通訊隧道(Tunnel),並在虛擬機進入虛擬網 路時,利用虛擬網路控制器與虛擬交換器(Virtual Switch)來管控所有的虛擬網路資源以及虛擬機所在之網路拓樸位置。使用者或管理者可自由建立租戶虛擬網路,並將虛擬機納管進特定虛擬網路,使其虛擬機在租戶虛擬網路內網路連通以及租戶間的虛擬網路完全隔離。為了更進一步闡述本發明之詳細運作過程,此處利用實施例之標的詳加說明。然而說明本身並非意圖限制此專利。反之,發明人已經考慮所主張的標的亦可以其他方式體現、包括不同的步驟或與此文件中所述的步驟相似的步驟結合、與其他現有或未來的技術之結合。 The invention uses the virtual overlay network construction subsystem to establish a virtual overlay network on the physical machine to establish a communication tunnel between the physical servers, and enters the virtual network in the virtual machine. In the road, the virtual network controller and the virtual switch are used to control all the virtual network resources and the network topology where the virtual machine is located. The user or administrator can freely establish a tenant virtual network and pipe the virtual machine into a specific virtual network, so that the virtual machine is completely connected to the virtual network in the tenant virtual network and the virtual network between the tenants is completely isolated. In order to further illustrate the detailed operation of the present invention, the details of the embodiments are used herein. However, the description itself is not intended to limit the patent. On the contrary, the inventors have considered that the claimed subject matter may also be embodied in other ways, including different steps or steps in combination with steps described in this document, in combination with other existing or future technologies.
本發明的實施例關注於更進一步解釋本發明所包含的系統以及相關子系統,並使用詳細流程圖的呈現,闡明本發明的重要技術與系統流程。並透過實施例概要圖說明本發明的應用範疇與使用場景。 Embodiments of the present invention are directed to further explaining the systems and associated subsystems encompassed by the present invention, and using the presentation of detailed flowcharts to illustrate the important techniques and system flows of the present invention. The application scope and usage scenarios of the present invention will be described by way of an overview of the embodiments.
請參閱圖1,其為本發明第一實施例使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統方塊圖。前述之使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統200進一步包含下列之軟體模組:多租戶虛擬網路建構與管控子系統210、虛擬覆蓋網路建構子系統220、以及多租戶虛擬網路控制器子系統230。前述之軟體模組可透過呼叫程序進行連接。 Please refer to FIG. 1, which is a block diagram of a control system for controlling a virtual overlay network to generate a multi-tenant virtual network using a controller according to a first embodiment of the present invention. The foregoing management system 200 for controlling a virtual overlay network using a controller to generate a multi-tenant virtual network further includes the following software modules: a multi-tenant virtual network construction and control subsystem 210, a virtual overlay network construction subsystem 220, And a multi-tenant virtual network controller subsystem 230. The aforementioned software module can be connected through a calling program.
前述之多租戶虛擬網路建構與管控子系統210係為系統整體運作之控制決策者,主要之功能為決策多租戶虛擬網路的生成並收集虛擬網路之資料。前述之虛擬覆蓋網路建構子系統220,負責視需求為底層環境建立通訊隧道,以供多租戶虛擬網路上的虛擬機發送的封包能夠跨實體機進行溝通。另外,多租戶虛擬網路控制器子系統230用於監控虛擬網路資訊 並決定多租戶虛擬網路上的虛擬機發送的封包流向,可視為整體運作行為之執行者。原則上,前述三子系統各自獨立運作,且透過溝通管道即時傳遞彼此運作所需條件與資訊。 The aforementioned multi-tenant virtual network construction and control subsystem 210 is the control decision maker of the overall operation of the system. The main function is to determine the generation of the multi-tenant virtual network and collect the data of the virtual network. The aforementioned virtual overlay network construction subsystem 220 is responsible for establishing a communication tunnel for the underlying environment as needed, so that the packets sent by the virtual machines on the multi-tenant virtual network can communicate across the physical machine. In addition, the multi-tenant virtual network controller subsystem 230 is used to monitor virtual network information. And determine the flow of packets sent by the virtual machine on the multi-tenant virtual network, which can be regarded as the executor of the overall operational behavior. In principle, the three subsystems operate independently and communicate the conditions and information required for each other's operations through the communication channel.
請參閱圖2,其為前述多租戶虛擬網路建構與管控子系統210之內部方塊圖,此子系統最主要之目的為達到動態決策、建立並管理多租戶虛擬網路,作為整體系統架構之管控決策處。多租戶虛擬網路建構與管控子系統進一步包含:多租戶虛擬網路操作與呈現模組211、多租戶虛擬網路資源與拓樸相依關係知識庫212、多租戶虛擬網路區域生成決策單元213、多租戶虛擬網路生成決策單元214、多租戶虛擬網路資源綁定虛擬機決策單元215、多租戶虛擬網路資源與拓樸監控收集單元216、虛擬覆蓋網路建構需求傳送單元217、以及多租戶虛擬網路訊息傳送單元218。 Please refer to FIG. 2 , which is an internal block diagram of the foregoing multi-tenant virtual network construction and management subsystem 210. The primary purpose of the subsystem is to achieve dynamic decision making, establish and manage a multi-tenant virtual network, as an overall system architecture. Control the decision-making office. The multi-tenant virtual network construction and control subsystem further includes: a multi-tenant virtual network operation and presentation module 211, a multi-tenant virtual network resource and topology dependency knowledge base 212, and a multi-tenant virtual network area generation decision unit 213. a multi-tenant virtual network generation decision unit 214, a multi-tenant virtual network resource binding virtual machine decision unit 215, a multi-tenant virtual network resource and topology monitoring collection unit 216, a virtual overlay network construction requirement transmission unit 217, and Multi-tenant virtual network messaging unit 218.
前述之多租戶虛擬網路操作與呈現模組211用於提供管理者或虛擬化網路維運人員使用介面,提供查詢與管控設定之功能,包括總覽虛擬隔離群組之整體概況,並可無限制於虛擬化環境常見之叢集劃分,任意查詢虛擬網路隔離情況,適時地調度虛擬網路之虛擬機成員。 The multi-tenant virtual network operation and presentation module 211 is used to provide a manager or virtualized network operator interface to provide query and control settings, including an overview of the overall virtual isolation group, and no It is limited to clustering common in virtualized environments, arbitrarily querying virtual network isolation, and scheduling virtual machine members of virtual networks in a timely manner.
多租戶虛擬網路區域生成決策單元213、多租戶虛擬網路生成決策單元214、以及多租戶虛擬網路資源綁定虛擬機決策單元215係接收來自多租戶虛擬網路操作與呈現模組211之指令,分別判斷管理者對虛擬網路區域、虛擬網路、虛擬網卡操作的合法性。多租戶虛擬網路資源與拓樸監控收集單元216在多租戶虛擬網路建構與管控子系統210執行期間,主動監控虛擬化網路環境,並透過多租戶虛擬網路控制器子系統230收集網路資源與拓樸訊息。即時將訊息更新進多租戶虛擬網路資源與拓樸相依關係知 識庫212。 The multi-tenant virtual network area generation decision unit 213, the multi-tenant virtual network generation decision unit 214, and the multi-tenant virtual network resource binding virtual machine decision unit 215 receive the multi-tenant virtual network operation and presentation module 211. The instruction determines the legality of the administrator's operation on the virtual network area, the virtual network, and the virtual network card. The multi-tenant virtual network resource and topology monitoring collection unit 216 actively monitors the virtualized network environment during the execution of the multi-tenant virtual network construction and management subsystem 210 and collects the network through the multi-tenant virtual network controller subsystem 230. Road resources and topology information. Instantly update messages into multi-tenant virtual network resources and topology dependencies Library 212.
虛擬覆蓋網路建構需求傳送單元217與多租戶虛擬網路訊息傳送單元218,分別用於連接虛擬覆蓋網路建構子系統220及虛擬網路控制器子系統230。 The virtual overlay network construction requirement transfer unit 217 and the multi-tenant virtual network message transfer unit 218 are respectively used to connect the virtual overlay network construction subsystem 220 and the virtual network controller subsystem 230.
請參閱圖3,其為虛擬覆蓋網路建構子系統220之內部方塊圖。多租戶虛擬覆蓋網路建構子系統溝通單元221負責接收來自多租戶虛擬網路建構與管控子系統210之操作訊息,並將此訊息傳送至多租戶虛擬覆蓋網路建構決策單元222分析多租戶虛擬網路區域操作訊息並轉換成建立或刪除通訊隧道所需的訊息,並透過虛擬交換器與網路節點控制單元223向實體機上的虛擬交換器進行操作以建立或刪除通訊隧道。 Please refer to FIG. 3, which is an internal block diagram of the virtual overlay network construction subsystem 220. The multi-tenant virtual overlay network construction subsystem communication unit 221 is responsible for receiving operation information from the multi-tenant virtual network construction and control subsystem 210, and transmitting the message to the multi-tenant virtual overlay network construction decision unit 222 for analyzing the multi-tenant virtual network. The road area operates the message and converts it into the message required to establish or delete the communication tunnel, and operates the virtual switch on the physical machine through the virtual switch and network node control unit 223 to establish or delete the communication tunnel.
請參閱圖4,其為多租戶虛擬網路控制器子系統230內部方塊圖。多租戶虛擬網路控制器子系統230用於管理虛擬化網路之流向與拓樸,並依據多租戶虛擬網路建構與管控子系統210所決策之多租戶虛擬網路區域、多租戶虛擬網路、多租戶虛擬網路資源綁定虛擬機,透過控制虛擬交換器與網路流向之方式,動態建構多租戶虛擬網路。 Please refer to FIG. 4, which is an internal block diagram of the multi-tenant virtual network controller subsystem 230. The multi-tenant virtual network controller subsystem 230 is used to manage the flow and topology of the virtualized network, and constructs and manages the multi-tenant virtual network area and multi-tenant virtual network determined by the multi-tenant virtual network 210. The multi-tenant virtual network resource is bound to the virtual machine, and the multi-tenant virtual network is dynamically constructed by controlling the virtual switch and the network flow direction.
多租戶虛擬網路控制器子系統230包含多租戶虛擬網路拓樸監控單元231、多租戶虛擬網路控制器知識庫232、多租戶虛擬網路決策單元233、多租戶虛擬網路單點傳遞單元234、多租戶虛擬網路租戶識別碼綁定單元235、多租戶虛擬網路多點傳遞單元236、虛擬交換器與網路節點偵測器237、以及多租戶虛擬網路控制器訊息傳遞單元238。 The multi-tenant virtual network controller subsystem 230 includes a multi-tenant virtual network topology monitoring unit 231, a multi-tenant virtual network controller knowledge base 232, a multi-tenant virtual network decision unit 233, and a multi-tenant virtual network single point delivery. Unit 234, multi-tenant virtual network tenant identification code binding unit 235, multi-tenant virtual network multi-point delivery unit 236, virtual switch and network node detector 237, and multi-tenant virtual network controller messaging unit 238.
多租戶虛擬網路拓樸監控單元231於多租戶虛擬網路控制器子系統230執行期間,會持續偵測是否有交換器提出網路存取的需求,若有 任何需求被提出,此單元將會把需求轉發給多租戶虛擬網路決策單元233。換言之,此單元為虛擬化網路控制器子系統230中監控並接收網路存取需求的關鍵單元,係為一個持續不間斷運作之單元,用以掌握所有虛擬交換器的網路存取流向。 During the execution of the multi-tenant virtual network controller subsystem 230, the multi-tenant virtual network topology monitoring unit 231 continuously detects whether there is a need for the switch to make network access, if any Any requirements are raised and the unit will forward the request to the multi-tenant virtual network decision unit 233. In other words, this unit is the key unit in the virtualized network controller subsystem 230 that monitors and receives network access requirements. It is a unit that continues to operate continuously to grasp the network access flow of all virtual switches. .
虛擬交換器與網路節點偵測器237與前述之多租戶虛擬網路拓樸監控單元231雷同,皆會在虛擬化網路控制器子系統230執行期間持續進行偵測。不同之處在於虛擬交換器與網路節點偵測器237主要監控的資訊為整體虛擬化網路的拓樸並加以記錄相關資訊,並包含所涵蓋之虛擬交換器以及網路節點(此處之網路節點可視為虛擬網路中的所有虛擬機)。當虛擬交換器與網路節點偵測器偵測到虛擬化網路拓樸有異動時,會將相關之異動紀錄於多租戶虛擬網路控制器知識庫232,以供其他單元進行網路環境或條件之判讀。 The virtual switch and network node detector 237 is identical to the multi-tenant virtual network topology monitoring unit 231 described above and will continue to detect during execution of the virtualized network controller subsystem 230. The difference is that the information mainly monitored by the virtual switch and the network node detector 237 is the topology of the entire virtualized network and records related information, and includes the virtual switch and the network node covered (here A network node can be thought of as all virtual machines in a virtual network. When the virtual switch and the network node detector detect a change in the virtualized network topology, the related transaction is recorded in the multi-tenant virtual network controller knowledge base 232 for the other unit to perform the network environment. Or conditional interpretation.
多租戶虛擬網路決策單元233之主要動作為決策虛擬交換器之需求,可視為整體虛擬化網路控制器子系統230之關鍵控管單元,整體網路拓樸以及多租戶虛擬網路之決策皆由此單元進行集中式之管理。透過多租戶虛擬網路決策單元233分析從虛擬機發送出的網路封包來源與目的,並參照虛擬化網路控制器知識庫的網路環境資訊,判斷此封包合適的處理方式,若封包的來源與目的不在同一台實體機上,封包在送進實體機間的通訊隧道前,需要為封包配置租戶識別碼,則需將封包送至多租戶虛擬網路租戶識別碼綁定單元235,封包的種類也關係到其處理方式,若封包屬於單點傳遞(unicast),則將封包送至多租戶虛擬網路單點傳遞(unicast)單元234,若封包屬於多點傳遞(multicast),則將封包送至多租戶虛擬網路多點傳遞 (multicast)單元236。 The main action of the multi-tenant virtual network decision unit 233 is to determine the requirements of the virtual switch, which can be regarded as the key control unit of the overall virtualized network controller subsystem 230, the overall network topology and the decision of the multi-tenant virtual network. This unit is managed centrally. The multi-tenant virtual network decision unit 233 analyzes the source and destination of the network packet sent from the virtual machine, and refers to the network environment information of the virtualized network controller knowledge base to determine the appropriate processing manner of the packet, if the packet is The source and destination are not on the same physical machine. Before the packet is sent to the communication tunnel between the physical machines, the tenant identification code needs to be configured for the packet. The packet needs to be sent to the multi-tenant virtual network tenant identification code binding unit 235. The type is also related to its processing mode. If the packet belongs to unicast, the packet is sent to the multi-tenant virtual network unicast unit 234. If the packet belongs to multi-cast, the packet is sent. Multi-point delivery for up to tenant virtual networks (multicast) unit 236.
換言之,透過多租戶虛擬網路決策單元233將封包送至合適的處理單元,產生的對應的網路流向,即能讓存在相同租戶虛擬網路的虛擬機互通,不同租戶虛擬網路的虛擬機彼此隔離。 In other words, the multi-tenant virtual network decision unit 233 sends the packet to the appropriate processing unit, and the corresponding network flow direction is generated, that is, the virtual machine sharing the virtual network of the same tenant can be interconnected, and the virtual machine of the different tenant virtual network is generated. Isolated from each other.
多租戶虛擬網路控制器訊息傳遞單元238係為多租戶虛擬網路控制器子系統230對外之溝通管道,主要可分成兩大部分,一方面提供多租戶虛擬網路建構與管控子系統210與多租戶虛擬網路控制器230資訊傳遞之媒介,可透過此單元連接前述之多租戶虛擬網路建構與管控子系統210以及虛擬覆蓋網路建構子系統220,以即時地交換虛擬隔離群組設定與虛擬化網路之狀態。另一方面,此單元更進一步的提供多租戶虛擬網路控制器230與虛擬交換器之間訊息傳遞之溝通管道,使多租戶虛擬網路控制器230可利用此單元即時且正確地生成建構整個虛擬化網路之拓樸,並實際產生整體虛擬化網路中之所有虛擬隔離群組。可視此單元為多租戶虛擬網路控制器230之關鍵對外介面之媒介。 The multi-tenant virtual network controller message delivery unit 238 is a communication channel of the multi-tenant virtual network controller subsystem 230, which can be mainly divided into two parts. On one hand, the multi-tenant virtual network construction and control subsystem 210 is provided. The multi-tenant virtual network controller 230 transmits information to the multi-tenant virtual network construction and control subsystem 210 and the virtual overlay network construction subsystem 220 to instantly exchange virtual isolation group settings. And the state of the virtualized network. On the other hand, the unit further provides a communication pipeline for message transmission between the multi-tenant virtual network controller 230 and the virtual switch, so that the multi-tenant virtual network controller 230 can use the unit to generate the entire construction immediately and correctly. Virtualize the topology of the network and actually generate all the virtual isolation groups in the overall virtualized network. This unit can be seen as a medium for the key external interface of the multi-tenant virtual network controller 230.
整合綜觀圖4之多租戶虛擬網路控制器230其單元與單元間之關係詳述如下:當多租戶虛擬網路控制器230啟動時,會觸發多租戶虛擬網路拓樸監控單元231與虛擬交換器與網路節點偵測器237進行持續性之虛擬化網路資源與需求的監控與收集,此兩單元皆會將所偵測到之必要資訊即時同步於多租戶虛擬網路控制器知識庫232之中。其中虛擬交換器與網路節點偵測器237著重於虛擬化網路中虛擬交換器與虛擬機之監控。主要目的為探測整體網路的相關設備與節點。除此之外,虛擬化網路流向拓樸監控單元會監控管理整體虛擬化網路之流向與拓樸,並將接收到之網路流向 需求傳送給多租戶虛擬網路決策單元233,由此決策單元進行需求的判讀與流向的決定。當多租戶虛擬網路決策單元233完成決定後,會將相對應之決策轉送給多租戶虛擬網路單點傳遞(unicast)單元234、多租戶虛擬網路租戶識別碼綁定單元235或多租戶虛擬網路多點傳遞(unicast)單元236。此三單元會依照接收之需求,將最後產生之流向規則透過多租戶虛擬網路控制器訊息傳遞單元238,實際發送給虛擬交換器,用以正確即時的產生虛擬網路之拓樸與流向。 The relationship between the unit and the unit of the multi-tenant virtual network controller 230 of FIG. 4 is as follows: When the multi-tenant virtual network controller 230 is started, the multi-tenant virtual network topology monitoring unit 231 and the virtual device are triggered. The switch and network node detector 237 continuously monitors and collects virtualized network resources and requirements. Both units synchronize the detected necessary information to the multi-tenant virtual network controller knowledge. Among the libraries 232. The virtual switch and network node detector 237 focuses on the monitoring of virtual switches and virtual machines in the virtualized network. The main purpose is to detect related devices and nodes of the overall network. In addition, the virtualized network flow to the topology monitoring unit monitors the flow and topology of the overall virtualized network and streams the received network. The demand is transmitted to the multi-tenant virtual network decision unit 233, whereby the decision unit makes the decision of the demand and the direction of the flow. When the multi-tenant virtual network decision unit 233 completes the decision, the corresponding decision is forwarded to the multi-tenant virtual network unicast unit 234, the multi-tenant virtual network tenant identification code binding unit 235 or the multi-tenant. A virtual network unicast unit 236. The three units will actually send the generated flow direction rules to the virtual switch through the multi-tenant virtual network controller message delivery unit 238 according to the received requirements, so as to correctly and correctly generate the topology and flow direction of the virtual network.
圖5~圖7係為本發明第二實施例使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控方法流程圖。前述之管控方法係應用於第一實施例之使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之管控系統200,其步驟說明如下: 5-7 are flowcharts of a control method for controlling a virtual overlay network to generate a multi-tenant virtual network by using a controller according to a second embodiment of the present invention. The foregoing control method is applied to the control system 200 for controlling the virtual overlay network using the controller to generate a multi-tenant virtual network in the first embodiment, and the steps are as follows:
請參閱圖5,係為本發明之多租戶虛擬網路建構與管控子系統運作流程圖。當多租戶虛擬網路建構與管控子系統210啟動後,管理者(步驟310)能夠透過多租戶虛擬網路操作與呈現模組211進行查詢多租戶虛擬網路系統資訊動作(步驟320),藉以了解現有的多租戶虛擬網路區域、多租戶虛擬網路以及虛擬網卡於多租戶虛擬網路上的分布,了解目前多租戶虛擬網路的設定與拓樸。接著本系統之管理者能夠透過多租戶虛擬網路操作與呈現模組211進行多租戶虛擬網路區域(步驟330)、多租戶虛擬網路(步驟340)、虛擬網卡綁定租戶虛擬網路(步驟350)三種操作,各步驟說明如下: Please refer to FIG. 5, which is a flowchart of the operation of the multi-tenant virtual network construction and control subsystem of the present invention. After the multi-tenant virtual network construction and control subsystem 210 is activated, the administrator (step 310) can query the multi-tenant virtual network system information action through the multi-tenant virtual network operation and presentation module 211 (step 320). Learn about the distribution of existing multi-tenant virtual network areas, multi-tenant virtual networks, and virtual NICs on multi-tenant virtual networks to understand the current multi-tenant virtual network settings and topology. Then, the administrator of the system can perform the multi-tenant virtual network area (step 330), the multi-tenant virtual network (step 340), and the virtual network card binding tenant virtual network through the multi-tenant virtual network operation and presentation module 211 ( Step 350) Three operations, each step is described as follows:
操作多租戶虛擬網路區域(步驟330),管理者將能夠透過操作介面上顯示自多租戶虛擬網路資源與拓樸相依關係知識庫212的實體網路拓樸,選定多台實體機實體網卡進行圈選,當管理者透過多租戶虛擬網 路區域(步驟330)操作圈選完成需要的實體網卡後,便需逐一進行以下兩步驟:傳遞建立虛擬網路區域訊息至虛擬覆蓋網路建構子系統(步驟331)與傳遞操作指令至多租戶虛擬網路控制器子系統(步驟332)。虛擬覆蓋網路建構子系統220經由多租戶虛擬覆蓋網路建構子系統溝通單元221接收到操作的指令類形可分成建立、刪除與更新多租戶虛擬網路區域等操作,多租戶虛擬覆蓋網路建構決策單元222將會進行決策操作指令內圈選的實體網卡是否能夠形成虛擬網路區域,形成虛擬網路區域的必要條件為封包必須能夠互通,並不限於單一區域網路,只要網路可達接能夠成為多租戶虛擬網路區域。當確定能夠形成虛擬區域網路後,虛擬交換器與網路節點控制單元223將會對其控管的虛擬交換器進行操作建立全網狀(full mesh)的通訊隧道建立。至此完成多租戶虛擬網路區域的基礎建設。多租戶虛擬網路控制器子系統230接收到操作的指令也可分成建立、刪除與更新多租戶虛擬網路區域等操作,會先將此設定存放在多租戶虛擬網路控制器知識庫232,供後續比對封包時使用。至此則完成多租戶虛擬網路區域全部設定動作。 Operating the multi-tenant virtual network area (step 330), the administrator will be able to select multiple physical entity NICs through the physical network topology of the multi-tenant virtual network resource and the topology-dependent knowledge base 212 displayed on the operation interface. Circle through the multi-tenant virtual network After the path area (step 330) is operated to circle the required physical network card, the following two steps are required to be performed: transferring the virtual network area information to the virtual overlay network construction subsystem (step 331) and transferring the operation instruction to the multi-tenant virtual The network controller subsystem (step 332). The virtual overlay network construction subsystem 220 receives the operation instruction type through the multi-tenant virtual overlay network construction subsystem communication unit 221, and can be divided into operations of establishing, deleting, and updating a multi-tenant virtual network area, and a multi-tenant virtual overlay network. The construction decision unit 222 will perform a virtual network area for the physical network card selected in the decision operation instruction. The necessary condition for forming the virtual network area is that the packet must be interoperable, and is not limited to a single area network, as long as the network can be The connection can become a multi-tenant virtual network area. When it is determined that the virtual local area network can be formed, the virtual switch and network node control unit 223 will operate on the managed virtual switch to establish a full mesh communication tunnel establishment. This completes the infrastructure of the multi-tenant virtual network area. The instructions for receiving the operation of the multi-tenant virtual network controller subsystem 230 can also be divided into the operations of establishing, deleting and updating the multi-tenant virtual network area, and the settings are first stored in the multi-tenant virtual network controller knowledge base 232. Used for subsequent comparison of packets. At this point, all the settings of the multi-tenant virtual network area are completed.
操作多租戶虛擬網路(步驟340),管理者同樣透過操作介面上顯示自多租戶虛擬網路資源與拓樸相依關係212的網路拓樸去選擇多租戶虛擬網路要建立在哪個多租戶虛擬網路區域底下,可進行的操作種類有加入、刪除與更新三種。接著進行以下步驟:傳遞操作指令至多租戶虛擬網路控制器系統,多租戶虛擬網路控制器子系統230(步驟341)接收到此指令後一樣將此資訊存放在多租戶虛擬網路控制器知識庫232,供後續比對封包時使用。至此完成多租戶虛擬網路設定動作。 Operating the multi-tenant virtual network (step 340), the administrator also selects the multi-tenant virtual network to establish the multi-tenant by using the network topology of the multi-tenant virtual network resource and the topology-dependent relationship 212 on the operation interface. Under the virtual network area, there are three types of operations that can be added, deleted, and updated. Then, the following steps are performed: the operation instruction is delivered to the multi-tenant virtual network controller system, and the multi-tenant virtual network controller subsystem 230 (step 341) stores the information in the multi-tenant virtual network controller knowledge after receiving the instruction. The library 232 is used for subsequent comparison of the packets. This completes the multi-tenant virtual network setting action.
操作虛擬網卡與租戶虛擬網路綁定(步驟350)透過操作介面 上顯示自多租戶虛擬網路資源與拓樸相依關係212的網路拓樸去選擇虛擬網卡要綁定在哪個多租戶虛擬網路區域下的租戶虛擬網路,可進行的操作種類有加入與更新三種。接著進行以下步驟:傳遞操作指令至多租戶虛擬網路控制器系統(步驟351),多租戶虛擬網路控制器子系統230接收到此指令後一樣將此資訊存放在多租戶虛擬網路控制器知識庫232,供後續比對封包時使用。至此完成虛擬網卡與租戶虛擬網路綁定操作設定動作。 Operating the virtual network card to bind to the tenant virtual network (step 350) through the operation interface The network topology from the multi-tenant virtual network resource and the topology-dependent relationship 212 is displayed to select the tenant virtual network to which the virtual network card is to be bound in the multi-tenant virtual network area, and the types of operations that can be performed are added. Update three. Then, the following steps are performed: the operation instruction is delivered to the multi-tenant virtual network controller system (step 351), and the multi-tenant virtual network controller subsystem 230 stores the information in the multi-tenant virtual network controller knowledge after receiving the instruction. The library 232 is used for subsequent comparison of the packets. This completes the virtual network card and tenant virtual network binding operation setting action.
請參閱圖6,其為多租戶虛擬化網路控制器子系統運作流程圖。其細部說明如下:當虛擬化網路控制器子系統啟動後(步驟410),為了達到即時掌握整體多租戶虛擬網路資訊並動態生成多租戶虛擬隔離之目標,此控制器會透過多租戶虛擬網路拓樸監控單元231與虛擬交換器與網路節點偵測器237進行網路環境相關之監控偵測動作,即為監控多租戶虛擬化網路封包(步驟420)與偵測虛擬交換器與網路節點(步驟440)兩動作。偵測虛擬交換器與網路節點(步驟440)定期向虛擬交換器發送拓樸感知封包,藉以了解虛擬交換器彼此的連通性與拓樸形狀,監控多租戶虛擬化網路封包(步驟420)將接收來自虛擬交換器不認識的網路封包,同時也偵測到被控管的虛擬交換器上存在的虛擬網卡,藉以掌握虛擬網卡是否搬遷到其他的虛擬交換器。拓樸資訊與連接在虛擬交換器上的虛擬網卡資訊將會被存在多租戶虛擬網路控制器知識庫232,同時存放接收自圖5操作介面對虛擬網路區域、虛擬網路與虛擬網卡綁定虛擬網路指令(步驟430),控制器將有足夠的資訊為任何一個被送入控制器的網路封包決策其所屬租戶網路及其流向。監控多租戶虛擬化網路封包(步驟420)收到的網路封包皆是來自虛擬交換器不認識的封包,因此控制器除了蒐集資訊外,更需要分析封包資訊進而向 虛擬交換器下達合適的指令,告知其正確的封包流向(步驟450),以達成租戶網路間的隔離。控制器會先進行動作判斷網路存取需求的來源虛擬交換器是否隸屬於任何虛擬網路(步驟480),若不屬於任何租戶虛擬網路,將進行動作建構生成一般虛擬化網路存取流向訊息(步驟490),即允許此封包能夠被正常送至其目標不予阻擋,並進行動作傳遞流向訊息至此網路存取隸屬之虛擬交換器(步驟491)。若控制器判斷封包是屬於曾經被登記過的租戶虛擬網路內,則必須進行動作建構生成虛擬網路流向訊息(步驟460),其可能的動作將於圖七進行詳細描述,並後續進行動作傳遞流向訊息至此網路存取隸屬之虛擬交換器(步驟481)。 Please refer to FIG. 6, which is a flowchart of the operation of the multi-tenant virtualized network controller subsystem. The details are as follows: After the virtualized network controller subsystem is started (step 410), in order to achieve instant grasp of the overall multi-tenant virtual network information and dynamically generate the goal of multi-tenant virtual isolation, the controller will use multi-tenant virtual The network topology monitoring unit 231 performs a network environment-related monitoring and detecting action with the virtual switch and the network node detector 237, that is, monitoring the multi-tenant virtualized network packet (step 420) and detecting the virtual switch. Acting with the network node (step 440). Detecting the virtual switch and the network node (step 440) periodically sends a topology aware packet to the virtual switch to understand the connectivity and topology of the virtual switches, and monitor the multi-tenant virtualized network packet (step 420) The network packet that is not recognized by the virtual switch is received, and the virtual network card existing on the virtual switch of the controlled switch is also detected, so as to grasp whether the virtual network card is moved to another virtual switch. The topology information and the virtual network card information connected to the virtual switch will be stored in the multi-tenant virtual network controller knowledge base 232, and will be stored and received from the virtual network area, the virtual network and the virtual network card. The virtual network command (step 430), the controller will have enough information to determine the network of the tenant to which it belongs and its flow direction for any network packet that is sent to the controller. The network packets received by the monitoring multi-tenant virtualized network packet (step 420) are all packets that are not recognized by the virtual switch, so in addition to collecting information, the controller needs to analyze the packet information and then The virtual switch issues the appropriate command to inform it of the correct packet flow (step 450) to achieve isolation between the tenant networks. The controller will first perform an action to determine whether the virtual switch of the source access requirement belongs to any virtual network (step 480). If it does not belong to any tenant virtual network, action construction will be performed to generate general virtualized network access. The flow direction message (step 490) allows the packet to be sent normally to its target without blocking, and the action is passed to the message to the virtual switch of the network access (step 491). If the controller determines that the packet belongs to the tenant virtual network that has been registered, the action construction must be performed to generate a virtual network flow message (step 460), and the possible actions will be described in detail in FIG. The flow direction message is passed to the virtual switch to which the network access belongs (step 481).
請參閱圖7,其為多租戶虛擬網路控制器子系統230決策以及建構多租戶網路之流程圖,其細部說明如下:當控制器控管範圍內的虛擬交換器收到來自存在某已被登記的虛擬網路內的虛擬網卡發出的封包,被送至控制器中尋求進一步的流向指示(步驟461),首先控制器判斷的是封包是否來自詢問的虛擬交換器上的虛擬網卡(步驟462),此判斷在於得知是否為封包發送的起點,若是封包屬於來自詢問的虛擬交換器上的虛擬網卡,則表示這個封包是剛被送入此虛擬網路,可視為其在虛擬網路中旅程的起點,因此後續的動作我們需要為此封包配置虛擬覆蓋網路辨識碼(Tunnel ID)。 Please refer to FIG. 7, which is a flow chart of the multi-tenant virtual network controller subsystem 230 decision and constructing a multi-tenant network. The detailed description thereof is as follows: when the virtual switch in the controller control range receives a certain from the existence The packet sent by the virtual network card in the registered virtual network is sent to the controller for further flow direction indication (step 461). First, the controller determines whether the packet is from the virtual network card on the inquiring virtual switch (step 462), the judgment is to know whether it is the starting point of the packet transmission. If the packet belongs to the virtual network card from the virtual switch of the inquiry, it indicates that the packet is just sent to the virtual network, which can be regarded as being in the virtual network. The starting point of the journey, so for the subsequent actions we need to configure the virtual overlay network ID (Tunnel ID) for this packet.
在此封包為起點的條件下,首先判斷封包類型是否為單點傳播(unicast)(步驟467),若根據封包目標MAC位址得知為單點傳播,則進行動作判斷來源封包的來源與目的MAC位址是否屬於同一個租戶虛擬網路(步驟471),若判斷屬於同一個租戶虛擬網路,代表此封包為合法封包,控 制器將進行動作通知虛擬交換器為此封包配置租戶識別碼,並單點傳送方式送到目的地(步驟472)。但若來源與目的MAC位置並非屬於同一虛擬網路,則表示此封包為一非法封包,控制器將進行動作通知虛擬交換器丟棄此封包(步驟470)。 Under the condition that the packet is the starting point, it is first determined whether the packet type is unicast (step 467), and if it is known as unicast according to the packet destination MAC address, the action determines the source and destination of the source packet. Whether the MAC address belongs to the same tenant virtual network (step 471). If it is determined to belong to the same tenant virtual network, the packet is legally packetized. The controller will notify the virtual switch that the virtual switch has configured the tenant identification code for this packet and unicasts it to the destination (step 472). However, if the source and destination MAC addresses are not in the same virtual network, it indicates that the packet is an illegal packet, and the controller will perform an action to notify the virtual switch to discard the packet (step 470).
在此封包為起點的條件下,接著判斷封包類型是否為廣播傳播(multicast)(步驟468),若封包確實為廣播封包則進行動作,通知虛擬交換器為封包配置虛擬覆蓋網路辨識碼,並多點傳送方式送到目的地(步驟469)。這邊採用多點傳送模擬廣播封包的效果,因為若此虛擬交換器上存在不只一個租戶虛擬網路的虛擬網卡,直接以廣播方式傳送將導致虛擬網卡可能收到非同一租戶虛擬網卡發出的封包,因此採用多點傳送的方式避免此問題,在多租戶虛擬網路控制器知識庫232將有足夠的資訊得知哪些虛擬交換器上的連接埠(ports)是屬於同一虛擬網路,因此將此封包配置虛擬覆蓋網路辨識碼後往這些連接埠集群傳送,並同時往虛擬覆蓋網路對外建立的full mesh的連接埠集群傳送,讓存在其他實體機上的同一虛擬網路的虛擬網卡也能夠接收到封包。 After the packet is used as a starting point, it is determined whether the packet type is a multicast (step 468), and if the packet is indeed a broadcast packet, the virtual switch is notified to configure a virtual overlay network identifier for the packet, and The multicast mode is sent to the destination (step 469). This is the effect of multicast multicast packet transmission, because if there is more than one virtual network card of the tenant virtual network on the virtual switch, direct broadcast will cause the virtual network card to receive packets from the same tenant virtual network card. Therefore, multicasting is used to avoid this problem. In the multi-tenant virtual network controller knowledge base 232, there will be enough information to know which virtual switches are connected to the same virtual network, so The packet is configured to be virtualized with the network identification code and then transmitted to the ports and clusters. At the same time, the virtual mesh network is connected to the external network to establish a full mesh connection, so that the virtual network card of the same virtual network on other physical machines is also Can receive the packet.
以上已講解完控制器判斷的是封包是否來自詢問的虛擬交換器上的虛擬網卡(步驟462)中封包是來自詢問的虛擬交換器上的虛擬網卡的情況,接著講解控制器判斷封包並非來自詢問的虛擬交換器上的虛擬網卡的情況。若虛擬交換器收到一個封包判斷其封包並非來自其本身之上的虛擬網卡,代表此封包是從其他虛擬交換器發送過來,並再這裡結束其在虛擬網路的旅程。 It has been explained above that the controller determines whether the packet is from the virtual network card on the virtual switch in question (step 462), the packet is from the virtual network card on the virtual switch of the query, and then the controller determines that the packet is not from the query. The case of a virtual NIC on a virtual switch. If the virtual switch receives a packet to determine that its packet is not from its own virtual network card, it represents that the packet was sent from another virtual switch and then ends its journey on the virtual network.
在此封包為終點的條件下,首先判斷封包類型是否為單點傳 播(步驟463),由於其在送出的虛擬交換器已經先判斷過此封包為合法封包才被送出,因此在這個狀況下,控制器不需要做額外的判斷,只需要進行動作通知虛擬交換器將封包以單點傳送方式送到目的地(步驟465)。 Under the condition that the packet is the end point, first determine whether the packet type is a single point transmission. Broadcast (step 463), since the virtual switch that has sent the packet has first determined that the packet is sent as a legal packet, in this case, the controller does not need to make additional judgments, and only needs to perform an action notification virtual switch. The packet is sent to the destination in a unicast manner (step 465).
在此封包為終點的條件下,接著判斷封包是否為廣播封包(步驟464),若其目標MAC為廣播位址,則進行動作通知虛擬交換器將封包以多點傳送方式送到目的地(步驟466)。與封包在起點進行的多點傳送方式不同,這裡的封包已經被配置虛擬覆蓋網路辨識碼,我們根據此識別碼下達需要進行多點傳送的連接埠集群,並且將不再往虛擬覆蓋網路對外建立的full mesh的連接埠集群傳送,避免產生網路迴圈造成廣播風暴。 After the packet is the end point, it is determined whether the packet is a broadcast packet (step 464), and if the target MAC is a broadcast address, the action is notified to the virtual switch to send the packet to the destination in a multicast manner (step 466). Different from the multicast mode in which the packet is started at the beginning, the packet here has been configured with a virtual overlay network identification code. Based on this identifier, we issue a connection cluster that needs to be multicast, and will no longer go to the virtual overlay network. The external mesh connection established by the external network is transmitted to avoid broadcast storms caused by network loops.
請參閱圖8,其為本發明一實施例概要圖100。圖示例說明本發明建構並使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之系統的應用範疇與使用場景,並可透過此圖例揭示本系統實施於虛擬化環境和實體環境中的案例。除此之外,於此概要圖中更進一步詳加說明虛擬化網路環境中之設備與專有名詞之定義,以期加以釐清本發明之系統所使用之方法與實例。 Please refer to FIG. 8, which is a schematic diagram 100 of an embodiment of the present invention. The figure illustrates an application scope and usage scenario of a system for constructing and using a controller to control a virtual overlay network to generate a multi-tenant virtual network, and the illustration is used to reveal that the system is implemented in a virtualized environment and a physical environment. Case. In addition, the definitions of devices and proper nouns in a virtualized network environment are further illustrated in this summary in order to clarify the methods and examples used in the system of the present invention.
圖8係為虛擬化網路範疇110與實體網路與實體機範疇120組合而成的示意圖,用來闡明虛擬化網路與實體網路之間的交互關係。一般而言虛擬化網路需建構於實體網路與實體機之上,實體網路與實體機範疇120包含實體機121、實體交換器123,以及對外連接的網際網路124,透過虛擬化的技術,每台實體機上可以有虛擬交換器111與多台虛擬機112,本發明之系統建構的租戶虛擬網路區域113以實體機上的虛擬交換器為單位進行圈選,形成租戶虛擬網路區域113的範圍內才能允許網路互通,並在租戶 虛擬網路區域113範圍下建立租戶虛擬網路114,113-a租戶網路區域下包含114-a與114-b兩個租戶虛擬網路,虛擬機112上的虛擬網卡則能夠選擇要供裝在哪個租戶虛擬網路中,租戶虛擬網路內的虛擬機彼此能夠互通,租戶虛擬網路之間則彼此隔離,114-a內的虛擬機112-a、112-b、112-c彼此互通,但與114-b內的其他虛擬機則完全隔離。 FIG. 8 is a schematic diagram of a virtualized network category 110 combined with a physical network and a physical machine category 120 for illustrating the interaction between the virtualized network and the physical network. In general, a virtualized network needs to be built on a physical network and a physical machine. The physical network and physical machine category 120 includes a physical machine 121, an entity switch 123, and an externally connected Internet 124. The virtual switch 111 and the plurality of virtual machines 112 can be configured on each physical machine. The tenant virtual network area 113 constructed by the system of the present invention is circled by a virtual switch on the physical machine to form a tenant virtual network. In the range of the road area 113, network interworking can be allowed, and in the tenant A tenant virtual network 114 is established in the virtual network area 113. The 113-a tenant network area includes two tenant virtual networks 114-a and 114-b, and the virtual network card on the virtual machine 112 can be selected to be installed. In which tenant virtual network, the virtual machines in the tenant virtual network can communicate with each other, and the tenant virtual networks are isolated from each other, and the virtual machines 112-a, 112-b, 112-c in 114-a communicate with each other. However, it is completely isolated from other virtual machines in 114-b.
先前技術中的虛擬區域網路(VLAN)常被用作網路第二層隔離,但由於其上限個數以及需要實體網路設備支援等限制,並不適用在多租戶虛擬網路對彈性供裝的需求。而先前技術中的虛擬覆蓋網路(Virtual Overlay Network),知名雲端管理系統OpenStack使用虛擬覆蓋網路搭配OpenFlow靜態規則達成多租戶虛擬網路,其如果要改變虛擬覆蓋網路範圍,需手動控制計算節點,在多租戶虛擬網路環境供裝與管理上並不方便。此外,先前技術中適用於多租戶虛擬化網路的先前專利,因其使用來源與目標MAC區分虛擬機所屬租戶,藉以隔離不同租戶間的網路封包達成多租戶虛擬網路之效果,但其使用MAC做為流向規則區分,將造成OpenFlow規則表內規則過於細碎冗長,不但占用其OpenFlow交換器儲存空間,無法直接從規則辨識出其所屬的租戶將造成維運除錯的不便。綜觀前文所述,先前技術中的確缺少適用於虛擬環境的多租戶虛擬網路供裝與管理機制。因此本發明即針對虛擬化網路環境之特徵,發展一個適合用於雲端運算服務系統的多租戶虛擬網路供裝與管理機制。 The virtual local area network (VLAN) in the prior art is often used as the second layer of network isolation. However, due to the limitation of the number of upper limits and the need for physical network device support, it is not suitable for flexible provisioning in multi-tenant virtual networks. The demand for the installation. In the prior art, the virtual overlay network (Virtual Overlay Network), the well-known cloud management system OpenStack uses a virtual overlay network with OpenFlow static rules to achieve a multi-tenant virtual network. If you want to change the virtual coverage network range, you need to manually control the calculation. Nodes are not convenient for provisioning and management in a multi-tenant virtual network environment. In addition, the prior patents applied to the multi-tenant virtualized network in the prior art, because the source and the destination MAC are used to distinguish the tenants of the virtual machine, thereby isolating the network packets between different tenants to achieve the effect of the multi-tenant virtual network, but Using the MAC as the flow direction rule will cause the rules in the OpenFlow rule table to be too long and cumbersome. It not only occupies the storage space of the OpenFlow switch, but also cannot directly identify from the rules that the tenant to which it belongs will cause inconvenience in maintenance. Looking at the foregoing, the prior art does lack a multi-tenant virtual network provisioning and management mechanism for virtual environments. Therefore, the present invention is directed to the characteristics of a virtualized network environment, and develops a multi-tenant virtual network provisioning and management mechanism suitable for use in a cloud computing service system.
本發明所提應用於虛擬化網路之建構並使用控制器管控虛擬覆蓋網路以生成多租戶虛擬網路之方法與系統,與其他習用技術相互比 較時,更具備下列優點: The method and system of the present invention applied to the construction of a virtualized network and using a controller to control a virtual overlay network to generate a multi-tenant virtual network, compared with other conventional technologies In the meantime, it has the following advantages:
本發明之多租戶虛擬網路系統係考量虛擬化網路環境之特性,設計出適合用於雲端運算服務系統的多租戶虛擬網路管理機制。此機制系統可涵蓋先前技術之網路第二層隔離特性,達成租戶虛擬網路內封包互通,以及租戶虛擬網路之間封包溝通阻隔。透過集中控管的控制器,支援虛擬化網路環境中虛擬機即時遷移之特點,達到虛擬隔離群組之網路管理設定的可攜性。 The multi-tenant virtual network system of the present invention considers the characteristics of the virtualized network environment and designs a multi-tenant virtual network management mechanism suitable for the cloud computing service system. This mechanism system can cover the second layer isolation feature of the prior art network, achieve packet interworking in the tenant virtual network, and block the communication barrier between the tenant virtual networks. Supports the real-time migration of virtual machines in a virtualized network environment through a centralized controller, and achieves the portability of network management settings of virtual isolation groups.
本發明使用虛擬化網路控制器搭配虛擬覆蓋網路,突破虛擬區域網路中的個數限制並免除其需對底層實體網路交換器設定的繁雜手續。 The invention uses a virtualized network controller with a virtual overlay network to break through the number limit in the virtual local area network and eliminates the complicated procedures that need to be set for the underlying physical network switch.
本發明透過虛擬覆蓋網路建構子系統根據需求動態建立虛擬覆蓋網路生成多租戶虛擬網路區域,能夠在中央控管虛擬覆蓋網路範圍,大幅提升管理方便性。 The invention constructs a virtual overlay network through a virtual overlay network to dynamically generate a multi-tenant virtual network area according to requirements, and can centrally control the virtual overlay network range, thereby greatly improving management convenience.
本發明之系統的多租戶虛擬網路建構與管控子系統採用友善且高可用之多租戶虛擬網路操作與呈現模組,俾使管理者或網路維運人員可同步查閱現有之多租戶虛擬網路區域、多租戶虛擬網路與虛擬化網路之拓樸,並可依據整體網路管理之考量任意規劃並綁定虛擬網卡於租戶虛擬網路上,增加雲端運算服務網路維運管理系統之安全性與可用性。 The multi-tenant virtual network construction and control subsystem of the system of the present invention adopts a friendly and highly available multi-tenant virtual network operation and presentation module, so that the administrator or network operator can simultaneously view the existing multi-tenant virtual Network area, multi-tenant virtual network and virtualized network topology, and can plan and bind virtual network card to tenant virtual network according to the overall network management considerations, and increase cloud computing service network maintenance management system Security and availability.
本發明使用虛擬化網路控制器搭配虛擬覆蓋網路為網路封包配置租戶專屬的識別碼,控制器能夠根據識別碼判斷下達合適的規則,大幅減少控制器需對虛擬交換器下達的flow數量,並且其識別碼能直接從規則辨識出其所屬的租戶,將大幅提升維運除錯效率與方便。 The invention uses the virtualized network controller and the virtual overlay network to configure the tenant-specific identification code for the network packet, and the controller can determine the appropriate rule according to the identification code, thereby greatly reducing the number of flows that the controller needs to release to the virtual switch. And its identification code can directly identify the tenants to which it belongs, which will greatly improve the efficiency and convenience of maintenance.
上列詳細說明係針對本發明之一可行實施例之具體說明,惟該實施例並非用以限制本發明之專利範圍,凡未脫離本發明技藝精神所為之等效實施或變更,均應包含於本案之專利範圍中。 The detailed description of the preferred embodiments of the present invention is intended to be limited to the scope of the invention, and is not intended to limit the scope of the invention. The patent scope of this case.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW105117807A TWI625949B (en) | 2016-06-06 | 2016-06-06 | Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW105117807A TWI625949B (en) | 2016-06-06 | 2016-06-06 | Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201743587A TW201743587A (en) | 2017-12-16 |
| TWI625949B true TWI625949B (en) | 2018-06-01 |
Family
ID=61230460
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW105117807A TWI625949B (en) | 2016-06-06 | 2016-06-06 | Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI625949B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI764160B (en) * | 2020-06-01 | 2022-05-11 | 鴻海精密工業股份有限公司 | An implementation method, a device for high availability based on openstack, and an electronic device |
| US11388274B2 (en) | 2020-06-01 | 2022-07-12 | Hon Hai Precision Industry Co., Ltd. | Method for implementing high availability of bare metal node based on OpenStack and electronic device using the same |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI822474B (en) * | 2022-11-18 | 2023-11-11 | 中華電信股份有限公司 | Mobile network management system and method for private network |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101595688A (en) * | 2007-01-30 | 2009-12-02 | 微软公司 | Cross over public network to connect the private virtual lan of any main frame |
| CN104521196A (en) * | 2012-06-06 | 2015-04-15 | 瞻博网络公司 | Physical path determination for virtual network packet flows |
-
2016
- 2016-06-06 TW TW105117807A patent/TWI625949B/en active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101595688A (en) * | 2007-01-30 | 2009-12-02 | 微软公司 | Cross over public network to connect the private virtual lan of any main frame |
| CN104521196A (en) * | 2012-06-06 | 2015-04-15 | 瞻博网络公司 | Physical path determination for virtual network packet flows |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI764160B (en) * | 2020-06-01 | 2022-05-11 | 鴻海精密工業股份有限公司 | An implementation method, a device for high availability based on openstack, and an electronic device |
| US11388274B2 (en) | 2020-06-01 | 2022-07-12 | Hon Hai Precision Industry Co., Ltd. | Method for implementing high availability of bare metal node based on OpenStack and electronic device using the same |
Also Published As
| Publication number | Publication date |
|---|---|
| TW201743587A (en) | 2017-12-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6556875B2 (en) | Software-defined data center and service cluster placement method there | |
| US20180278541A1 (en) | Software-Defined Data Center and Service Cluster Scheduling and Traffic Monitoring Method Therefor | |
| JP5497244B2 (en) | Method, master switch, switching network, program, apparatus, and system for implementing flow control in a switching network | |
| EP2086178B1 (en) | Link aggregation method and device, mac frame receiving/sending method and system | |
| EP2843906B1 (en) | Method, apparatus, and system for data transmission | |
| RU2595540C9 (en) | Chassis controllers for converting universal flows | |
| US11310150B2 (en) | Connectivity segment coloring | |
| US9602385B2 (en) | Connectivity segment selection | |
| US20140010096A1 (en) | Port mirroring in distributed switching systems | |
| EP2525532A1 (en) | Method and apparatus of connectivity discovery between network switch and server based on vlan identifiers | |
| US20140098815A1 (en) | Ip multicast service leave process for mpls-based virtual private cloud networking | |
| WO2017000260A1 (en) | Method and apparatus for switching vnf | |
| CN105162704B (en) | The method and device of multicast replication in Overlay network | |
| JP6417942B2 (en) | Control device, communication system, tunnel endpoint control method and program | |
| CN104468358A (en) | Message forwarding method and device of distributive virtual switch system | |
| JP2013545359A (en) | Method, master switch, switching network, program, apparatus and system for switching in a switching network | |
| KR20160003009A (en) | A method and system for updating distributed resilient network interconnect [d r n i] states | |
| CN102739495A (en) | Network system, machine allocation device and machine allocation method | |
| CN104144082A (en) | Method for detecting loop in two-layer network and controller | |
| JP2014510483A (en) | Multicast data transfer method and apparatus supporting virtual terminal | |
| TWI625949B (en) | Control system for controlling virtual overlay network through controller to generate tenant virtual network and control method thereof | |
| KR20170114923A (en) | Method and apparatus for communicating using network slice | |
| CN114500169B (en) | Method for establishing VXLAN tunnel, method and device for forwarding message | |
| US9984028B2 (en) | Redundancy for port extender chains | |
| CN110572288A (en) | Data exchange method based on trusted container |