CN102413041A - Method, device and system for moving security policy - Google Patents


Info

Publication number
CN102413041A
Authority
CN
China
Prior art keywords
VDP
association
virtual machine
server
security policy
Legal status
Granted
Application number
CN2011103503545A
Other languages
Chinese (zh)
Other versions
CN102413041B (en)
Inventor
吴晓东
Current Assignee
Sichuan Huakun Zhenyu Intelligent Technology Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority application
CN201110350354.5
Application filed by Huawei Technologies Co Ltd; published as CN102413041A, granted and published as CN102413041B
Current legal status
Active

Abstract

The invention relates to a method, a device and a system for migrating a security policy. A data center access switch receives a Virtual Station Interface Discovery and Configuration Protocol (VDP) association message sent by the server into which a virtual machine has been migrated, and sets the VDP association state to "associated" according to that message; the access switch obtains the configuration information of the virtual machine and generates a security policy from it; when the virtual machine is migrated out of the server, the access switch receives a VDP de-association message sent by the server, sets the VDP association state to "de-associated" according to that message, and deletes the security policy of the virtual machine. With this method, device and system, the security policy follows the virtual machine as it migrates.

Description

Method, device and system for security policy migration
Technical field
The present invention relates to the field of optical networks, and in particular to a method, a device and a system for security policy migration.
Background art
A virtual data center is formed by the deep integration of three kinds of resources: compute, storage and network. Host virtualization can therefore only be rolled out smoothly if it is matched by a suitable network security policy; otherwise nothing else can proceed. Early virtual data centers mainly used techniques such as cluster computing, whose purpose was to raise computing performance. Host virtualization, which has appeared in recent years, is mainly the technique of running several operating systems concurrently on one physical x86 system, with the aim of shortening service deployment time and raising resource utilization.
Virtual data centers bring new challenges to network security, in particular the migration of virtual machines and the joining and leaving of hosts in a compute cluster, none of which exist in a conventional data center. The biggest challenge is that the network security policy must migrate automatically with the virtual machine. When a virtual machine is created or migrated, the virtual machine host must keep running normally, which requires not only sensible scheduling of server resources but also sensible scheduling of its network connections. Data center networks generally use a flattened, large Layer 2 design, and combining this large Layer 2 network with Layer 2 security techniques for virtualization is a major concern when building a virtual data center network.
With conventional Layer 2 network security techniques, the network security policy cannot migrate automatically with the virtual machine. In the more common current virtual machine migration schemes, which are based either on the network management system or on the Virtual Station Interface Discovery and Configuration Protocol (VDP), the migration of the network security policy lags behind the migration of the virtual machine.
Summary of the invention
The embodiments of the invention provide a method, a device and a system for security policy migration, so that the security policy configuration migrates together with the virtual machine.
In one aspect, an embodiment of the invention provides a method for security policy migration, the method comprising:
a data center access switch receives a Virtual Station Interface Discovery and Configuration Protocol (VDP) association message sent by the server into which a virtual machine has been migrated;
according to the VDP association message, the VDP association state is set to "associated";
the configuration information of the virtual machine is obtained, and a security policy is generated according to the configuration information;
when the virtual machine is migrated out of the server, a VDP de-association message sent by the server is received, and according to the VDP de-association message the VDP association state is set to "de-associated";
the security policy of the virtual machine is deleted.
In another aspect, an embodiment of the invention provides a device for security policy migration, the device comprising:
a receiver, for receiving the Virtual Station Interface Discovery and Configuration Protocol (VDP) association message sent by the server into which a virtual machine has been migrated;
an association unit, for setting the VDP association state to "associated" according to the VDP association message;
a generation unit, for obtaining the configuration information of the virtual machine and generating a security policy according to the configuration information;
a de-association unit, for receiving the VDP de-association message sent by the server when the virtual machine is migrated out of the server, and setting the VDP association state to "de-associated" according to the VDP de-association message;
a deletion unit, for deleting the security policy of the virtual machine.
In a third aspect, an embodiment of the invention provides a system comprising the above device for security policy migration.
In the above embodiments, when a virtual machine is migrated into a server, the virtual machine establishes a VDP association with the data center access switch directly connected to that server, and the access switch obtains the virtual machine's configuration information and installs the virtual machine's security policy. When the virtual machine is migrated out, it de-associates from the access switch directly connected to the server, and the access switch deletes the virtual machine's security policy. Installing and deleting the security policy is thus tied directly to VDP association and de-association and needs no manual configuration, which removes the lag between security policy migration and virtual machine migration found in the prior art and saves considerable time and money.
Brief description of the drawings
Fig. 1 is a flow chart of the security policy migration method provided by an embodiment of the invention;
Fig. 2 is the format of the VDP message exchanged between the server and the data center access switch in an embodiment of the invention;
Fig. 3 is a sequence chart of VDP association between the server and the data center access switch in an embodiment of the invention;
Fig. 4 is an architecture diagram of security policy migration provided by an embodiment of the invention;
Fig. 5 is a flow chart of another security policy migration method provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of the security policy migration device provided by an embodiment of the invention.
Detailed description of the embodiments
The embodiments of the invention provide a method, a device and a system for security policy migration. When a virtual machine is migrated into a server, it establishes a VDP association with the data center access switch directly connected to that server, and the access switch installs the virtual machine's security policy; when the virtual machine is migrated out of the server, it de-associates from the access switch directly connected to that server, and the access switch deletes the virtual machine's security policy. Installing and deleting the security policy is thus tied directly to VDP association and de-association and needs no manual configuration, which removes the lag between security policy migration and virtual machine migration found in the prior art and saves considerable time and money.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the security policy migration method provided by an embodiment of the invention. As shown in Fig. 1, the embodiment comprises the following steps:
Step 101: the data center access switch (the TOR device) receives the VDP association message sent by the server into which the virtual machine has been migrated.
Preferably, the server contains a first VSI state machine and the data center access switch contains a second VSI state machine.
Optionally, a VSI state machine is a state transition diagram, that is a directed graph made up of a set of nodes and a set of corresponding transition functions, used to describe the state of a Virtual Station Interface (VSI). For example, the first VSI state machine in the server holds the VDP association state between the server and the virtual machine and its changes, and the second VSI state machine in the data center access switch holds the VDP association state between the access switch and the virtual machine and its changes.
Preferably, the TOR device directly connected to the server's network card receives the VDP association message sent by the server into which the virtual machine (VM) has been migrated.
Step 102: according to the VDP association message, the TOR device sets the VDP association state to "associated".
Preferably, before the VDP association state is set to "associated" according to the VDP association message, the method further comprises: receiving the VDP pre-association message that the server sends after setting the VDP association state of the first VSI state machine to "pre-associated", and setting the VDP association state of the second VSI state machine to "pre-associated".
Preferably, setting the VDP association state to "associated" according to the VDP association message is specifically: receiving the VDP association message that the server sends after setting the VDP association state of the first VSI state machine to "associated", and setting the VDP association state of the second VSI state machine to "associated".
Optionally, after the TOR device receives the VDP association message sent by the server into which the virtual machine has been migrated, it sets the VDP association state of the second VSI state machine to "associated" by setting the VSI state parameter of the second VSI state machine to "associated".
Steps 101 and 102 constitute the VDP association process.
Step 103: the TOR device obtains the configuration information of the virtual machine and generates a security policy according to the configuration information.
Optionally, the TOR device generates the security policy of the virtual machine from the obtained configuration information and installs the policy in its own forwarding chip.
For a virtual machine migrated into the server, once VDP association succeeds the TOR device parses the VDP message sent for that virtual machine and obtains the virtual machine's configuration information from it. According to the configuration information the TOR device installs a security policy, which comprises the virtual machine's MAC information, VLAN information and the port through which the virtual machine accesses the TOR device.
Step 104: when the virtual machine is migrated out of the server, the TOR device receives the VDP de-association message sent by the server and, according to the VDP de-association message, sets the VDP association state to "de-associated".
Preferably, according to the VDP de-association message, the VSI state parameter of the second VSI state machine in the TOR device is set to "de-associated".
Step 104 constitutes the VDP de-association process.
Step 105: the TOR device deletes the security policy of the virtual machine.
Preferably, the configuration information of the virtual machine comprises the virtual machine's MAC information, VLAN information and the port through which the virtual machine accesses the TOR device; or it comprises the virtual machine's IP address information, MAC information, VLAN information and the port through which the virtual machine accesses the TOR device.
Preferably, "TOR device" stands for any data center access switch that supports the VDP protocol. The embodiments of the invention merely use the TOR device to represent the data center access switch; every device that supports VDP falls within the scope of protection of the invention.
Fig. 2 is the format of the VDP message exchanged between the server and the data center access switch in an embodiment of the invention. As shown in Fig. 2, the parameters of the VDP message have the following meaning:
TLV type identifies the type of the VSI TLV.
TLV information string length gives the length of the VSI TLV information string.
OUI identifies the EVB protocol family (EVB, CDCP, ECP and VDP).
Subtype identifies the subtype of the VSI TLV; the Subtype value 0x0002 marks the TLV as a VDP TLV.
Mode identifies the mode of the TLV and comprises two bytes: the first byte identifies a state such as pre-association, association or de-association, or a refusing or confirming response to such a state; the second byte identifies the reason for refusing the association or pre-association state. Mode distinguishes VSI TLVs from one another and thereby controls the changes of the state parameters of the VSI state machine in the server and of the state machine in the access switch connected to the server's network card.
VSI Mgr ID identifies the VSI management database that contains the VSI type and/or instance definitions.
VSI Type ID identifies the VSI type.
VSI Type ID Version identifies the expected/required version of the VSI Type ID.
VSI Instance ID uniquely identifies the connection instance; it follows IETF RFC 4122.
MAC/VLAN Format identifies the format of the MAC and VLAN information in the TLV. The VSI TLV supports several MAC/VLAN information formats, and this parameter can be used to extend the VDP protocol; after extension the VSI TLV may also carry the virtual machine's IP address information.
MAC/VLANs identifies the MAC and VLAN information associated with the VSI instance.
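The VSI TLV of Fig. 2, encoded and parsed in Python; this is an added example, not code from the patent. The description gives only the field order and that Mode occupies two bytes, so the other widths used here (a 2-byte header with a 7-bit type and 9-bit length, OUI 3 bytes, VSI Mgr ID 16, VSI Type ID 3, VSI Instance ID 16, then a 2-byte entry count followed by fixed-size MAC/VLANs entries) are taken from IEEE 802.1Qbg and are an assumption. The MAC/VLAN Format value 0x05 carrying an IPv4 address is hypothetical and only stands in for the extension the description mentions; the sample message is constructed.

```python
"""Encode and parse the VSI TLV carried by VDP, laid out as in Fig. 2 (added example, not patent code)."""
import ipaddress
import struct
import uuid

ORG_SPECIFIC_TLV_TYPE = 127        # LLDP organizationally specific TLV type
EVB_OUI = bytes.fromhex("0080c2")  # IEEE 802.1 OUI identifying the EVB protocol family
VDP_SUBTYPE = 0x02                 # Subtype value marking the TLV as a VDP TLV
# Mode (first byte) and response (second byte): pre-association 0x00, association 0x02, de-association 0x03.
MODE_PREASSOC, MODE_ASSOC, MODE_DEASSOC, RESPONSE_SUCCESS = 0x00, 0x02, 0x03, 0x00
# MAC/VLAN Format values: 0x01 and 0x02 as in IEEE 802.1Qbg (assumed); 0x05 is a hypothetical extension
# that also carries an IPv4 address, standing in for the extended TLV the description mentions.
FMT_VID, FMT_MAC_VID, FMT_IP_MAC_VID = 0x01, 0x02, 0x05
ENTRY_LAYOUT = {FMT_VID: struct.Struct("!H"), FMT_MAC_VID: struct.Struct("!6sH"),
                FMT_IP_MAC_VID: struct.Struct("!4s6sH")}
# OUI(3) subtype(1) mode(1) response(1) VSI Mgr ID(16) VSI Type ID(3) version(1) VSI Instance ID(16) format(1)
FIXED = struct.Struct("!3sBBB16s3sB16sB")


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _pack_entry(fmt, entry):
    """One MAC/VLANs entry; the VID is carried in the low 12 bits of the 2-byte VLAN field."""
    mac = bytes.fromhex(entry.get("mac", "").replace(":", ""))
    if fmt == FMT_VID:
        return ENTRY_LAYOUT[fmt].pack(entry["vid"] & 0x0FFF)
    if fmt == FMT_MAC_VID:
        return ENTRY_LAYOUT[fmt].pack(mac, entry["vid"] & 0x0FFF)
    return ENTRY_LAYOUT[fmt].pack(ipaddress.IPv4Address(entry["ip"]).packed, mac, entry["vid"] & 0x0FFF)


def build_vdp_tlv(mode, response, vsi_mgr_id, vsi_type_id, vsi_type_ver, instance_id, fmt, entries):
    """Return the TLV bytes: 2-byte header (7-bit type, 9-bit length) followed by the information string."""
    if fmt not in ENTRY_LAYOUT:
        raise ValueError(f"unsupported MAC/VLAN format {fmt:#04x}")
    info = FIXED.pack(EVB_OUI, VDP_SUBTYPE, mode, response, vsi_mgr_id, vsi_type_id.to_bytes(3, "big"),
                      vsi_type_ver, instance_id.bytes, fmt)
    info += struct.pack("!H", len(entries)) + b"".join(_pack_entry(fmt, e) for e in entries)
    if len(info) > 0x1FF:
        raise ValueError("information string exceeds the 9-bit TLV length")
    return struct.pack("!H", (ORG_SPECIFIC_TLV_TYPE << 9) | len(info)) + info


def parse_vdp_tlv(data):
    """Parse one VSI TLV, rejecting anything truncated or inconsistent before touching the entries."""
    if len(data) < 2:
        raise ValueError("no TLV header")
    (header,) = struct.unpack_from("!H", data)
    tlv_type, length = header >> 9, header & 0x1FF
    if tlv_type != ORG_SPECIFIC_TLV_TYPE:
        raise ValueError(f"TLV type {tlv_type} is not organizationally specific")
    if len(data) < 2 + length or length < FIXED.size + 2:
        raise ValueError("TLV truncated or shorter than the fixed VSI fields")
    info = data[2:2 + length]
    oui, subtype, mode, response, mgr_id, type_id, type_ver, inst, fmt = FIXED.unpack_from(info)
    if oui != EVB_OUI or subtype != VDP_SUBTYPE:
        raise ValueError("not an EVB/VDP TLV")
    if fmt not in ENTRY_LAYOUT:
        raise ValueError(f"unknown MAC/VLAN format {fmt:#04x}")
    (count,) = struct.unpack_from("!H", info, FIXED.size)
    layout, offset = ENTRY_LAYOUT[fmt], FIXED.size + 2
    if length - offset != count * layout.size:          # the count must agree with the advertised TLV length
        raise ValueError("MAC/VLANs entry count disagrees with TLV length")
    entries = []
    for i in range(count):
        fields = layout.unpack_from(info, offset + i * layout.size)
        entry = {"vid": fields[-1] & 0x0FFF}
        if fmt != FMT_VID:
            entry["mac"] = _mac_str(fields[-2])
        if fmt == FMT_IP_MAC_VID:
            entry["ip"] = str(ipaddress.IPv4Address(fields[0]))
        entries.append(entry)
    return {"mode": mode, "response": response, "vsi_mgr_id": mgr_id,
            "vsi_type_id": int.from_bytes(type_id, "big"), "vsi_type_version": type_ver,
            "vsi_instance_id": uuid.UUID(bytes=inst), "format": fmt, "entries": entries}


def sample_assoc_tlv():
    """A constructed association TLV for one VM on VLAN 100, as a server would send it (Fig. 3, step 303)."""
    return build_vdp_tlv(MODE_ASSOC, RESPONSE_SUCCESS, vsi_mgr_id=bytes(16), vsi_type_id=0x0A0B0C,
                         vsi_type_ver=1, instance_id=uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8"),
                         fmt=FMT_MAC_VID, entries=[{"mac": "00:50:56:00:00:01", "vid": 100}])
```

parse_vdp_tlv checks the advertised TLV length against the entry count before it reads a single entry; that is the check an access switch needs so that a malformed TLV from a server cannot make it read past the information string or install a binding built from leftover bytes.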
Fig. 3 is a sequence chart of VDP association between the server and the data center access switch in an embodiment of the invention. As shown in Fig. 3, VDP association proceeds as follows:
Step 301: the server sends the VDP pre-association message TxTLV(PreASSOC) to the switch.
The initial VSI state parameter of the first VSI state machine in the server is "not associated".
When the system administrator creates a virtual machine on the server, or a virtual machine is migrated in from another server, the server first sets the VSI state parameter of its own first VSI state machine to "pre-associated".
After the VSI state parameter of the first VSI state machine in the server has been set to "pre-associated", the server sends the VDP pre-association message TxTLV(PreASSOC) to the switch.
Step 302: the switch sends the response message PreAssoc_ACK_Rx to the server.
The initial VSI state parameter of the second VSI state machine in the switch is "not associated".
On receiving the VDP pre-association message, the second VSI state machine performs pre-association processing, sets its own VSI state parameter to "pre-associated" and sends the response message PreAssoc_ACK_Rx to the server.
Step 303: the server sends the VDP association message TxTLV(ASSOC) to the switch.
After receiving the response message confirming that the switch's second VSI state machine has set the VDP pre-association state, the server sets its own VDP association state to "associated" and sends the VDP association message TxTLV(ASSOC) to the switch.
Step 304: the switch sends the response message Assoc_ACK_Rx to the server.
On receiving the VDP association message, the second VSI state machine performs association processing, sets its own VSI state parameter to "associated" and sends the response message Assoc_ACK_Rx to the server.
Both the first and the second VSI state machine have a timeout mechanism: if no message is received from the peer for a period of time, the state machine enters the de-associated state automatically. As the sequence chart of Fig. 3 shows, after association succeeds the server and the switch keep exchanging messages to maintain the associated state.
VDP de-association proceeds as follows:
Step 305: the server sends the VDP de-association message TxTLV(DeASSOC) to the switch.
After the virtual machine has been migrated out of the server, the first VSI state machine in the server sets the local VDP association state to "de-associated", and the server sends the VDP de-association message TxTLV(DeASSOC) to the switch.
Step 306: the switch sends the response message DeAssoc_ACK_Rx to the server.
On receiving the VDP de-association message, the second VSI state machine performs de-association processing, sets its own VSI state parameter to "de-associated" and sends the response message DeAssoc_ACK_Rx to the server.
After receiving the response message from the switch confirming de-association, the server exits the association procedure.
The VDP association states of the first VSI state machine in the server and of the second VSI state machine in the switch are kept consistent, and this consistency is achieved through the message exchange between the server and the switch.
Fig. 4 is an architecture diagram of security policy migration provided by an embodiment of the invention. As shown in Fig. 4, the embodiment comprises the following devices:
TOR1 device 401: device 401 is a data center access switch that supports the VDP protocol and is directly connected to the network card of device 403.
Preferably, after receiving the VDP association message sent by device 403, into which virtual machine VM1 has been migrated, device 401 sets the VDP association state to "associated".
Preferably, once the VDP association is set, device 401 parses the VDP message, obtains the MAC and VLAN information of VM1 from the VSI TLV (shown in Fig. 2), and records the port information corresponding to that MAC and VLAN from the ingress port of the VDP protocol message. Device 401 stores the MAC information, VLAN information and port information, generates a security policy from the MAC, VLAN and port information, and installs it in the chip of device 401.
Optionally, the MAC/VLAN Format in the VSI TLV can be used to extend the VDP protocol so that the extended VDP protocol message also carries the virtual machine's IP address information. Device 401 then parses the extended VDP protocol message, obtains the virtual machine's IP address, MAC and VLAN information, records the virtual machine's port information from the ingress port of the VDP protocol message, stores the IP address, MAC, VLAN and port information, and generates a security policy binding table from the IP address, MAC, VLAN and port information.
Preferably, when VM1 is migrated out of device 403, device 401 receives the VDP de-association message sent by device 403, sets the VDP association state to "de-associated" and deletes the security policy of VM1.
Optionally, VDP de-association arises in two situations. In the first, device 401 has not received any message for VM1 on device 403 for a long time and enters the de-associated state automatically. In the second, the server administrator deletes VM1 or migrates it away; device 403 then actively sends a VDP de-association message, and the type carried in the Mode field of the VSI TLV message sets the VDP association state to "de-associated".
TOR2 device 402: device 402 is a data center access switch that supports the VDP protocol and is directly connected to the network card of device 404.
After receiving the VDP association message sent by device 404, into which virtual machine VM1 has been migrated, device 402 sets the VDP association state to "associated". Once the VDP association is set, device 402 parses the VDP message and obtains the configuration information of VM1, which comprises VM1's MAC information, VLAN information and access port information. From this configuration information device 402 generates the security policy for the VM1 migrated into device 404 and installs it in the chip of device 402.
When VM1 is migrated out of device 404, device 402 receives the VDP de-association message sent by device 404, sets the VDP association state to "de-associated" and deletes the security policy of VM1.
Device 403 is a server; when a virtual machine is created on or migrated into device 403, device 403 sends a VDP association message to device 401, which is directly connected to its network card.
When VM1 is migrated out of device 403, device 403 sends a VDP de-association message to device 401.
Device 404 is a server; when a virtual machine is created on or migrated into device 404, device 404 sends a VDP association message to device 402, which is directly connected to its network card.
When VM1 is migrated out of device 404, device 404 sends a VDP de-association message to device 402.
Preferably, "TOR" stands for any data center access switch that supports the VDP protocol. The embodiments of the invention merely use the TOR to represent the data center access switch; every device that supports VDP falls within the scope of protection of the invention.
Fig. 5 is a flow chart of another security policy migration method provided by an embodiment of the invention. As shown in Fig. 5, the embodiment comprises the following steps:
Step 501: the TOR device receives the VDP pre-association message sent by the server into which the virtual machine has been migrated.
Preferably, after the virtual machine has been migrated into the server, the server sets the VDP association state of its first VSI state machine to "pre-associated" and then sends the VDP pre-association message to the TOR device.
Step 502: after receiving the VDP pre-association message, the TOR device sets the VDP association state in its second VSI state machine to "pre-associated".
After receiving the VDP pre-association message, the TOR device sets the VDP association state according to the value of the first byte of the Mode parameter in the message packet; the value corresponding to the pre-associated state is 0x00. The TOR device sets the VDP association state to "pre-associated" and returns a response message to the first VSI state machine in the server. If the second byte of the Mode parameter in the response packet is 0x00, the pre-associated state was set successfully; any other value means that setting the pre-associated state failed.
Step 503: the TOR device receives the VDP association message that the server sends after setting its VDP association state to "associated".
After receiving the response message from the TOR device confirming that the VDP pre-associated state was set, the server sets its local VDP association state to "associated" and sends the VDP association message to the TOR device.
Step 504: after receiving the VDP association message, the TOR device performs association processing and sets the VDP association state of the second VSI state machine to "associated".
After receiving the VDP association message, the TOR device sets the VDP association state according to the value of the first byte of the Mode parameter in the message; the value corresponding to the associated state is 0x02. After the VDP association state of the second VSI state machine in the TOR device has been set to "associated", the TOR device returns a response message to the server. If the second byte of Mode in the response packet is 0x00, the associated state was set successfully; any other value means that setting the associated state failed.
Step 505: after VDP association succeeds, the TOR device parses the received VDP protocol message and obtains the virtual machine's configuration information from it.
After VDP association succeeds, the TOR device can receive messages from and send messages to the virtual machine. When it receives the VDP message sent for the virtual machine, it parses the message and obtains the virtual machine's configuration information, which comprises the configuration information of the VSI instance corresponding to the virtual machine and the virtual machine's MAC and VLAN information. From the ingress port of the VDP protocol message the TOR device also obtains the virtual machine's access port information.
The VSI TLV message contains a MAC/VLAN Format parameter that identifies the format of the MAC and VLAN information in the TLV. The VSI TLV supports several formats, and this parameter can be used to extend the VDP protocol; after extension the VSI TLV message may also carry the virtual machine's IP address information.
Step 506: the TOR device generates the virtual machine's security policy from the obtained configuration information.
The TOR device generates the security policy from the obtained configuration information and installs it in the chip of the TOR device. From the virtual machine's MAC, VLAN and access port information it installs a secure MAC address; from the virtual machine's IP address, MAC, VLAN and access port information it installs a security policy binding table.
Step 507: when the virtual machine is deleted from or migrated out of the server, the TOR device receives the VDP de-association message sent by the server.
When the virtual machine is deleted from or migrated out of the server, the first VSI state machine sets the local VDP association state to "de-associated", and the server then sends the VDP de-association message to the TOR device.
Step 508: after receiving the VDP de-association message, the TOR device performs de-association processing and sets the VDP association state to "de-associated".
After receiving the VDP de-association message, the TOR device sets the VDP association state according to the value of the first byte of the Mode parameter in the message packet; the value corresponding to the de-associated state is 0x03. After the VDP association state of the second VSI state machine has been set to "de-associated", the TOR device returns a response message to the server. If the second byte of the Mode parameter in the response packet is 0x00, the de-associated state was set successfully; any other value means that setting the de-associated state failed.
Step 509: after VDP de-association, the TOR device deletes the security policy of the virtual machine.
As soon as the TOR device has set VDP de-association, it deletes the security policy of the virtual machine.
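Both sides of the exchange in Figs. 3 and 5, with the policy table of Fig. 4 and a migration of VM1 from one TOR to another, as an added example in Python; this is not code from the patent. It assumes the TLVs have already been parsed into fields (the wire layout is not modelled here), a keepalive timeout of 3 ticks, reason codes 0x01 and 0x02 in the second Mode byte, and constructed port names, MAC addresses and VSI instance IDs. The refusal of a MAC/VLAN that another VSI has already bound to a different port on the same switch is a check added here beyond what the page describes.

```python
"""Both sides of the VDP exchange (Figs. 3 and 5) and the TOR policy table (Fig. 4); added example."""
from collections import namedtuple
from enum import Enum

Assoc = Enum("Assoc", "NONE PREASSOC ASSOC DEASSOC")
# First Mode byte, values from the description: pre-association 0x00, association 0x02, de-association 0x03.
MODE_PREASSOC, MODE_ASSOC, MODE_DEASSOC = 0x00, 0x02, 0x03
# Second Mode byte: 0x00 = state set; nonzero = refused, with a reason code (these two codes are assumed).
RESP_OK, RESP_INVALID, RESP_CONFLICT = 0x00, 0x01, 0x02
# A VSI TLV already parsed into fields (the wire layout is not modelled here): instance_id is the RFC 4122
# VSI Instance ID, entries the MAC/VLANs as ((ip_or_None, mac, vid), ...); ip only with the extended format.
VdpMessage = namedtuple("VdpMessage", "mode response instance_id entries")


class TorSwitch:
    """Second VSI state machine plus the security policy installed in the forwarding chip (a dict here)."""
    KEEPALIVE_TIMEOUT = 3  # ticks without any VDP message for a VSI before automatic de-association (assumed)

    def __init__(self, name):
        self.name, self.clock = name, 0
        self.state, self.last_seen, self.bindings = {}, {}, {}  # all keyed by VSI instance ID

    def receive(self, msg, ingress_port):
        """Handle one VDP TLV from the directly attached server and return the response TLV."""
        self.last_seen[msg.instance_id] = self.clock
        if msg.mode == MODE_PREASSOC:                            # steps 301-302 / 501-502
            self.state[msg.instance_id] = Assoc.PREASSOC
            return msg._replace(response=RESP_OK)
        if msg.mode == MODE_ASSOC:                               # steps 303-304 / 503-506
            if not msg.entries:                                  # no MAC/VLAN: nothing to build a policy from
                return msg._replace(response=RESP_INVALID)
            # Added check, not in the patent: refuse a MAC/VLAN that another VSI has bound to a different port.
            others = {(b[1], b[2]): b[3] for i, bs in self.bindings.items() if i != msg.instance_id for b in bs}
            if any(others.get((mac, vid), ingress_port) != ingress_port for _, mac, vid in msg.entries):
                return msg._replace(response=RESP_CONFLICT)
            self.state[msg.instance_id] = Assoc.ASSOC
            # The policy is the MAC/VLAN (and IP) from the TLV bound to the port the TLV arrived on.
            self.bindings[msg.instance_id] = {(ip, mac, vid, ingress_port) for ip, mac, vid in msg.entries}
            return msg._replace(response=RESP_OK)
        if msg.mode == MODE_DEASSOC:                             # steps 305-306 / 507-509
            self._deassociate(msg.instance_id)
            return msg._replace(response=RESP_OK)
        return msg._replace(response=RESP_INVALID)

    def _deassociate(self, instance_id):
        self.state[instance_id] = Assoc.DEASSOC
        self.bindings.pop(instance_id, None)                     # the policy is deleted with the association

    def tick(self):
        """Advance the keepalive clock; a VSI that stays silent falls back to de-associated (Fig. 3 timeout)."""
        self.clock += 1
        for inst, seen in list(self.last_seen.items()):
            silent = self.clock - seen > self.KEEPALIVE_TIMEOUT
            if silent and self.state.get(inst) in (Assoc.PREASSOC, Assoc.ASSOC):
                self._deassociate(inst)

    def permit(self, src_mac, vid, port, src_ip=None):
        """Chip-side check: pass only if a binding matches MAC, VLAN, ingress port and (if bound) IP."""
        return any((mac, bvid, bport) == (src_mac, vid, port) and (ip is None or ip == src_ip)
                   for bound in self.bindings.values() for ip, mac, bvid, bport in bound)


class Server:
    """First VSI state machine, one entry per hosted VM; the server hangs off one TOR port."""

    def __init__(self, tor, port):
        self.tor, self.port, self.state = tor, port, {}

    def _send(self, mode, new_state, instance_id, entries=()):
        prev = self.state.get(instance_id, Assoc.NONE)
        self.state[instance_id] = new_state                      # set own state first, then send (Fig. 3)
        resp = self.tor.receive(VdpMessage(mode, RESP_OK, instance_id, entries), self.port)
        if resp.response != RESP_OK:                             # refused: the reason is in the second Mode byte
            self.state[instance_id] = prev
        return resp.response == RESP_OK

    def vm_arrives(self, instance_id, entries):                  # VM created here or migrated in
        return (self._send(MODE_PREASSOC, Assoc.PREASSOC, instance_id, entries)
                and self._send(MODE_ASSOC, Assoc.ASSOC, instance_id, entries))

    def vm_leaves(self, instance_id):                            # VM deleted or migrated away
        return self._send(MODE_DEASSOC, Assoc.DEASSOC, instance_id)


def run_migration_demo():
    """Fig. 4 with constructed data: VM1 moves from server 403 (behind TOR1) to server 404 (behind TOR2)."""
    vm1, mac = "6ba7b810-9dad-11d1-80b4-00c04fd430c8", "00:50:56:00:00:01"
    vm1_filter = ((None, mac, 100),)                             # MAC/VLAN format, no IP
    tor1, tor2 = TorSwitch("TOR1"), TorSwitch("TOR2")
    s403, s404 = Server(tor1, port="GE1/0/1"), Server(tor2, port="GE1/0/7")
    out = {"arrive_ok": s403.vm_arrives(vm1, vm1_filter)}
    out["tor1_before"], out["tor2_before"] = tor1.permit(mac, 100, "GE1/0/1"), tor2.permit(mac, 100, "GE1/0/7")
    s403.vm_leaves(vm1)                                          # migration: de-associate at the old TOR ...
    out["migrate_ok"] = s404.vm_arrives(vm1, vm1_filter)         # ... and associate at the new one
    out["tor1_after"], out["tor2_after"] = tor1.permit(mac, 100, "GE1/0/1"), tor2.permit(mac, 100, "GE1/0/7")
    out["spoof_other_port"] = tor2.permit(mac, 100, "GE1/0/8")   # VM1's MAC from a port it is not bound to
    impostor = Server(tor2, port="GE1/0/8")                      # another server claiming VM1's MAC/VLAN
    out["clone_refused"] = not impostor.vm_arrives("f81d4fae-7dec-11d0-a765-00a0c91e6bf6", vm1_filter)
    for _ in range(TorSwitch.KEEPALIVE_TIMEOUT + 1):             # server 404 stops refreshing the association
        tor2.tick()
    out["tor2_after_timeout"], out["tor2_state"] = tor2.permit(mac, 100, "GE1/0/7"), tor2.state[vm1]
    return out
```

run_migration_demo() shows the property the patent is after: the binding for VM1 exists on TOR1 only while the association does, disappears the moment server 403 de-associates, and reappears on TOR2 bound to the port the new association arrived on, so the same MAC from any other port stays blocked. As in steps 103 and 506, the switch binds whatever MAC/VLAN (and IP) the server puts in the TLV; the conflict refusal is the one cross-check added here, and the VSI Mgr ID and VSI Type ID of Fig. 2 are what a switch would use to validate the claimed profile against the VSI management database before installing the policy.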
Preferably, "TOR device" stands for any data center access switch that supports the VDP protocol. The embodiments of the invention merely use the TOR device to represent the data center access switch; every device that supports VDP falls within the scope of protection of the invention.
Fig. 6 is a schematic diagram of the security policy migration apparatus provided by an embodiment of the invention. As shown in Fig. 6, the embodiment comprises the following units:
Receiving unit 601, configured to receive the virtual machine discovery and configuration protocol (VDP) association message sent by the server into which a virtual machine has migrated.
Preferably, the server comprises a first VSI state machine, and the security policy migration apparatus comprises a second VSI state machine.
Preferably, the security policy migration apparatus (the TOR device) that is directly connected to the network interface card of the server receives the VDP association message sent by the server into which the virtual machine (VM) has migrated.
Association unit 602, configured to set the VDP association state to associated according to the VDP association message.
Preferably, association unit 602 specifically receives the VDP association message that the server sends after setting the VDP association state of the first VSI state machine to associated, and sets the VDP association state of the second VSI state machine to associated.
After the TOR device receives the VDP association message sent by the server into which the virtual machine has migrated, it sets the VSI state parameter of the second VSI state machine to associated, so that the VDP association state of the second VSI state machine becomes associated.
Generation unit 603, configured to obtain the configuration information of the virtual machine and to generate the security policy from that configuration information.
Preferably, the configuration information of the virtual machine comprises the MAC information and VLAN information of the virtual machine together with information on the port of the TOR device to which the virtual machine is attached; or it comprises the IP address information, MAC information and VLAN information of the virtual machine together with information on the port of the TOR device to which the virtual machine is attached.
De-association unit 604, configured to receive the VDP de-associate message sent by the server when the virtual machine migrates out of the server, and to set the VDP association state to de-associated according to that VDP de-associate message.
When the virtual machine migrates out of the server, the TOR device receives the VDP de-associate message sent by the server and, according to that message, sets the VSI state parameter of the second VSI state machine in the TOR device to de-associated.
Deletion unit 605, configured to delete the security policy of the virtual machine.
Preferably, the apparatus further comprises a pre-association unit 606, configured to receive the VDP pre-associate message that the server sends after the VDP association state of the first VSI state machine has been set to pre-associated, and to set the VDP association state of the second VSI state machine to pre-associated.
Preferably, the TOR device stands for a kind of data-center access switch that supports the VDP protocol. In the embodiments of the invention a TOR device is used only as a representative data-center access switch; any device that supports the VDP protocol falls within the scope of protection of the invention.
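The TOR-side behaviour of steps 507 to 509 and of units 601 to 606 above, as an added Python model that is not code from the patent. VDP here is the IEEE 802.1Qbg VSI Discovery and Configuration Protocol. The two-byte Mode layout (request in the first byte, response in the second), the de-associate value 0x03 and the success value 0x00 are taken from the patent text; the remaining request and response codes follow 802.1Qbg and, like every class, function and rule-syntax name below, are assumptions of this example. One check is added that the patent does not describe: a de-associate is honoured only when its MAC, VLAN and ingress port match the binding that was associated, so the policy of a running VM cannot be removed by a de-associate that arrives on another port or names another MAC or VLAN.

```python
"""Model of a VDP-aware TOR (data-center access) switch that installs a VM's
security policy on VDP associate and deletes it on VDP de-associate.
Added example; not the patent's code. All names are illustrative."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First byte of the VDP Mode parameter: the request.
# 0x03 (de-associate) is given in the patent text; the other codes follow
# IEEE 802.1Qbg and are an assumption here.
PRE_ASSOCIATE = 0x00
PRE_ASSOCIATE_RR = 0x01
ASSOCIATE = 0x02
DE_ASSOCIATE = 0x03

# Second byte of the Mode parameter in the switch's response.
# 0x00 (success) is given in the patent text; the non-zero codes follow
# IEEE 802.1Qbg and are an assumption here.
RESP_SUCCESS = 0x00
RESP_INVALID_FORMAT = 0x01
RESP_OUT_OF_SYNC = 0x06


@dataclass(frozen=True)
class VmConfig:
    """Configuration information the patent derives the policy from."""
    mac: str
    vlan: int
    port: str                  # TOR port the VM's server is attached to
    ip: Optional[str] = None   # optional, per the second variant in the text


@dataclass
class VsiEntry:
    """One instance of the TOR's (second) VSI state machine."""
    state: str                 # 'pre-associated' | 'associated' | 'de-associated'
    config: VmConfig


def generate_policy(cfg: VmConfig) -> List[str]:
    """Turn the VM's configuration into an anti-spoofing binding.
    The rule syntax is illustrative (assumption), not a vendor CLI."""
    rules = [f"permit src-mac {cfg.mac} vlan {cfg.vlan} ingress {cfg.port}"]
    if cfg.ip is not None:
        rules.append(f"permit src-ip {cfg.ip} src-mac {cfg.mac} "
                     f"vlan {cfg.vlan} ingress {cfg.port}")
    return rules


class TorSwitch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.vsi: Dict[str, VsiEntry] = {}          # second VSI state machine, per VSI
        self.policies: Dict[str, List[str]] = {}    # installed policy, per VSI

    def handle_vdp(self, vsi_id: str, mode: bytes, mac: str, vlan: int,
                   ingress_port: str, ip: Optional[str] = None) -> bytes:
        """Process one VDP message; return the two-byte Mode of the response."""
        if len(mode) < 2:
            return bytes([mode[0] if mode else 0xFF, RESP_INVALID_FORMAT])
        request = mode[0]
        cfg = VmConfig(mac=mac, vlan=vlan, port=ingress_port, ip=ip)

        if request in (PRE_ASSOCIATE, PRE_ASSOCIATE_RR):
            self.vsi[vsi_id] = VsiEntry("pre-associated", cfg)
            return bytes([request, RESP_SUCCESS])

        if request == ASSOCIATE:
            # VM migrated in: mark associated, then generate and install policy.
            self.vsi[vsi_id] = VsiEntry("associated", cfg)
            self.policies[vsi_id] = generate_policy(cfg)
            return bytes([request, RESP_SUCCESS])

        if request == DE_ASSOCIATE:
            entry = self.vsi.get(vsi_id)
            # Added check, not in the patent: only the binding that associated
            # may de-associate, so a message from another port or for another
            # MAC/VLAN cannot tear down a live VM's policy.
            if entry is None or (entry.config.mac, entry.config.vlan,
                                 entry.config.port) != (mac, vlan, ingress_port):
                return bytes([request, RESP_OUT_OF_SYNC])
            entry.state = "de-associated"       # step 508
            self.policies.pop(vsi_id, None)     # step 509: delete immediately
            return bytes([request, RESP_SUCCESS])

        return bytes([request, RESP_INVALID_FORMAT])


def migrate(src: TorSwitch, dst: TorSwitch, vsi_id: str, mac: str, vlan: int,
            src_port: str, dst_port: str, ip: Optional[str] = None) -> Tuple[str, str]:
    """Migration as seen by the two switches: the destination server associates
    (policy appears on dst), then the source server de-associates (policy
    disappears from src). src must already hold vsi_id as associated.
    Returns (src state, dst state)."""
    dst.handle_vdp(vsi_id, bytes([ASSOCIATE, 0x00]), mac, vlan, dst_port, ip)
    src.handle_vdp(vsi_id, bytes([DE_ASSOCIATE, 0x00]), mac, vlan, src_port, ip)
    return src.vsi[vsi_id].state, dst.vsi[vsi_id].state


if __name__ == "__main__":
    a, b = TorSwitch("tor-a"), TorSwitch("tor-b")
    a.handle_vdp("vsi-1", bytes([ASSOCIATE, 0x00]), "00:11:22:33:44:55", 100, "Eth1/1", "10.0.0.5")
    print(a.policies["vsi-1"])
    print(migrate(a, b, "vsi-1", "00:11:22:33:44:55", 100, "Eth1/1", "Eth2/3", "10.0.0.5"))
    print(a.policies, b.policies["vsi-1"])
```

Policy is keyed on the VSI instance rather than on the MAC alone, so the same VM can be associated on the destination switch before the source switch has deleted its copy, which is the order migrate() uses. A de-associate whose binding does not match, or whose Mode parameter is shorter than two bytes, is answered with a non-zero second byte and leaves the installed policy untouched.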
An embodiment of the invention also provides a system comprising the above security policy migration apparatus; the system comprises the security policy migration apparatus of the embodiment and a server. With the system provided by the embodiment, the security policy of a virtual machine is deployed when the virtual machine migrates into a server and deleted when the virtual machine migrates out of the server. Deployment and removal of the security policy are thereby tied closely to VDP association and de-association, no manual configuration is needed, and the prior-art problem that migration of the security policy lags behind migration of the virtual machine is solved, saving a great deal of time and cost.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, in computer software, or in a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms of their functions. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be regarded as exceeding the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented in hardware, in software modules executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The above embodiments further explain the objects, technical solutions and beneficial effects of the invention in detail. It should be understood that the above are merely embodiments of the invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (11)

1. A security policy migration method, characterised in that the method comprises:
receiving, by a data-center access switch, a virtual machine discovery and configuration protocol (VDP) association message sent by the server into which a virtual machine has migrated;
setting the VDP association state to associated according to the VDP association message;
obtaining the configuration information of the virtual machine and generating a security policy from the configuration information;
when the virtual machine migrates out of the server, receiving the VDP de-associate message sent by the server and setting the VDP association state to de-associated according to the VDP de-associate message;
deleting the security policy of the virtual machine.
2. The security policy migration method of claim 1, characterised in that the server comprises a first VSI state machine and the data-center access switch comprises a second VSI state machine.
3. The security policy migration method of claim 2, characterised in that, before setting the VDP association state to associated according to the VDP association message, the method further comprises: receiving the VDP pre-associate message that the server sends after setting the VDP association state of the first VSI state machine to pre-associated, and setting the VDP association state of the second VSI state machine to pre-associated.
4. The security policy migration method of claim 2 or 3, characterised in that setting the VDP association state to associated according to the VDP association message specifically comprises: receiving the VDP association message that the server sends after setting the VDP association state of the first VSI state machine to associated, and setting the VDP association state of the second VSI state machine to associated.
5. The security policy migration method of any one of claims 1 to 4, characterised in that the configuration information of the virtual machine is: the MAC information and VLAN information of the virtual machine together with information on the port of the data-center access switch to which the virtual machine is attached; or the IP address information, MAC information and VLAN information of the virtual machine together with information on the port of the data-center access switch to which the virtual machine is attached.
6. A security policy migration apparatus, characterised in that the apparatus comprises:
a receiving unit, configured to receive a virtual machine discovery and configuration protocol (VDP) association message sent by the server into which a virtual machine has migrated;
an association unit, configured to set the VDP association state to associated according to the VDP association message;
a generation unit, configured to obtain the configuration information of the virtual machine and to generate a security policy from the configuration information;
a de-association unit, configured to receive the VDP de-associate message sent by the server when the virtual machine migrates out of the server, and to set the VDP association state to de-associated according to the VDP de-associate message;
a deletion unit, configured to delete the security policy of the virtual machine.
7. The security policy migration apparatus of claim 6, characterised in that the server comprises a first VSI state machine and the security policy migration apparatus comprises a second VSI state machine.
8. The security policy migration apparatus of claim 7, characterised in that the apparatus further comprises a pre-association unit, configured to receive the VDP pre-associate message that the server sends after setting the VDP association state of the first VSI state machine to pre-associated, and to set the VDP association state of the second VSI state machine to pre-associated.
9. The security policy migration apparatus of claim 7 or 8, characterised in that the association unit is specifically configured to: receive the VDP association message that the server sends after setting the VDP association state of the first VSI state machine to associated, and set the VDP association state of the second VSI state machine to associated.
10. The security policy migration apparatus of any one of claims 6 to 9, characterised in that the configuration information of the virtual machine is: the MAC information and VLAN information of the virtual machine together with information on the port of the data-center access switch to which the virtual machine is attached; or the IP address information, MAC information and VLAN information of the virtual machine together with information on the port of the data-center access switch to which the virtual machine is attached.
11. A security policy migration system, characterised in that it comprises the security policy migration apparatus of any one of claims 6 to 10 and a server.
Priority Applications (1)

Application Number: CN201110350354.5A
Priority Date: 2011-11-08
Filing Date: 2011-11-08
Title: Method, device and system for moving security policy
Granted as: CN102413041B (en), legal status active
Publications (2)

Publication Number Publication Date
CN102413041A (en), application: 2012-04-11
CN102413041B (en), granted patent: 2015-04-15

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752215A (en) * 2012-07-16 2012-10-24 Hangzhou H3C Technologies Co., Ltd. Processing method for VDP (vertical data processing) request messages and edge switch
WO2013159518A1 (en) * 2012-04-23 2013-10-31 Hangzhou H3C Technologies Co., Ltd. Migration of a security policy of a virtual machine
WO2013170698A1 (en) * 2012-05-16 2013-11-21 Huawei Technologies Co., Ltd. Method for processing message after migration of virtual machine VM and device thereof
CN103428038A (en) * 2012-05-18 2013-12-04 ZTE Corporation Method and device for detecting tenant identification of virtual machine
CN103516554A (en) * 2013-10-22 2014-01-15 Hangzhou H3C Technologies Co., Ltd. Method and equipment for VM (Virtual Machine) migration
WO2014067468A1 (en) * 2012-11-01 2014-05-08 Hangzhou H3C Technologies Co., Ltd. Edge virtual bridging station with primary and secondary physical network cards
CN103997414A (en) * 2013-02-18 2014-08-20 Huawei Technologies Co., Ltd. Configuration information generation method and network control unit
WO2015081766A1 (en) * 2013-12-04 2015-06-11 Bluedon Information Security Technologies Co., Ltd. SDN based virtual machine security policy migration system and method
CN105262604A (en) * 2014-06-24 2016-01-20 Huawei Technologies Co., Ltd. Virtual machine migration method and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110085563A1 (en) * 2009-10-14 2011-04-14 Dell Products, LP Virtualization Aware Network Switch
CN102025535A (en) * 2010-11-17 2011-04-20 Fujian Star-net Ruijie Networks Co., Ltd. Virtual machine management method and device and network equipment
CN102136931A (en) * 2010-09-20 2011-07-27 Huawei Technologies Co., Ltd. Method for configuring virtual port network strategies, network management center and related equipment
CN102143138A (en) * 2010-09-15 2011-08-03 Huawei Technologies Co., Ltd. Method and device for configuring virtual local area network (VLAN) in live migration process of virtual machine
CN102160036A (en) * 2008-09-15 2011-08-17 International Business Machines Corporation Securing live migration of a virtual machine within a service landscape

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
R. Recio, S. Krishnasamy, R. Sharma: "Ethernet Virtual Bridging Automation Use Cases", DC CAVES Workshop, ITC 22, 30 September 2010 *

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 2023-11-21
Patentee before: Huawei Technologies Co., Ltd.
Address before: 518129 Bantian Huawei headquarters office building, Longgang District, Shenzhen, Guangdong
Patentee after: Sichuan Huakun Zhenyu Intelligent Technology Co., Ltd.
Address after: No. 1-9, 24th Floor, Unit 2, Building 1, No. 28, North Section of Tianfu Avenue, High-tech Zone, Chengdu, Sichuan Province, 610000