CN104486299A - ACL (Access Control List) issuing method and equipment - Google Patents

Info

Publication number: CN104486299A (granted as CN104486299B)
Application number: CN201410708842.2A
Authority: CN (China)
Legal status: Granted, active
Original language: Chinese (zh)
Inventors: 伊莉娜, 王文岩
Original and current assignee: Hangzhou H3C Technologies Co Ltd
Prior art keywords: user class, ACL, access device, identifier, class identifier

Classifications

    • Y02D30/00 Reducing energy consumption in communication networks (under Y02D, climate change mitigation technologies in information and communication technologies; Y02, technologies or applications for mitigation or adaptation against climate change; Y, general tagging of cross-sectional technologies)

Abstract

The invention discloses an ACL (Access Control List) issuing method and apparatus. The method comprises the following steps: an access device obtains the ACLs corresponding to each user class identifier issued on its uplink port; the access device receives a VDP (VSI Discovery and Configuration Protocol) associate request message from a physical server, the VDP associate request message carrying the user class identifier corresponding to a VM (Virtual Machine); the access device generates a VSI (Virtual Switch Interface) for the VM and records the correspondence between the user class identifier of the VM and the VSI of the VM in a pre-configured information association table; the access device selects, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier of the VM, and determines the selected ACLs to be the ACLs corresponding to the VSI of the VM. According to the embodiment of the invention, the number of ACLs issued on the access device is effectively reduced, ACL resources are saved, the load on the access device is lightened, and ACL issuing failures are avoided.

Description

ACL issuing method and apparatus
Technical field
The present invention relates to the field of communication technology, and in particular to an ACL issuing method and apparatus.
Background
The core idea of EVB (Edge Virtual Bridging) is that all traffic of the VMs (Virtual Machines) is handed to the access device directly connected to the physical server for switching and processing, which makes traffic policing and network control policies enforceable. To configure, manage and control the multiple VMs on a physical server, the access device needs to generate a unique VSI (Virtual Switch Interface) virtual interface for each VM.
Fig. 1 is a networking diagram of an EVB network: multiple VMs (VM1, VM2 and VM3) and a virtual switch are configured on the physical server. Because every VM reaches the access device through the same physical port, the data channels of the VMs have to be isolated on that physical port. For this, the EVB network uses port-mapped S-VLAN (Stacked VLAN) technology, also called S-channel technology: by assigning different S-VLANs to different VMs, the physical interface is divided into several S-channels (i.e. tunnels), one S-channel per VM.
To generate the VSI virtual interface for a VM on the access device, the virtual switch sends the S-channel request message for the VM (e.g. VM1) to the access device; the access device allocates an S-VLAN for the S-channel of VM1 and returns the S-VLAN to the virtual switch in an S-channel response message, thereby establishing the S-channel between VM1 and the access device. The virtual switch then sends the VDP (VSI Discovery and Configuration Protocol) associate request message for VM1 to the access device over the S-channel; the access device generates the VSI virtual interface for VM1 and forwards the VDP associate request message to the VSI management server, and the VSI management server issues ACLs (Access Control Lists) for this VSI virtual interface on the access device.
In the above implementation, managing and controlling the VMs requires issuing ACLs on the access device for the VSI virtual interface of each VM. When there are many VMs, a large number of ACLs have to be issued on the access device; because the ACL resources an access device can support are limited, ACL issuing can fail.
Summary of the invention
An embodiment of the present invention provides an access control list (ACL) issuing method, applied in a network comprising an access device, a controller and a physical server, where virtual machines (VMs) are configured on the physical server. The method comprises the following steps:
The access device obtains the ACLs respectively corresponding to each user class identifier issued on its uplink port;
The access device receives, from the physical server, a VSI Discovery and Configuration Protocol (VDP) associate request message corresponding to a VM. The VDP associate request message is sent by the physical server using a flow table obtained from the controller; the flow table records the identifier of the VM and the user class identifier corresponding to the VM, and the VDP associate request message carries the user class identifier corresponding to the VM;
After receiving the VDP associate request message corresponding to the VM, the access device generates a virtual switch interface (VSI) virtual interface for the VM and records, in a pre-configured information association table, the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM; the access device selects, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier of the VM, and determines the selected ACLs to be the ACLs corresponding to the VSI virtual interface of the VM.
The VDP associate request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, which also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM, and the access device records the MAC address and/or VLAN information of the VM in the information association table. Further, each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
An embodiment of the present invention provides an access control list (ACL) issuing method, applied in a network comprising an access device, a controller and a physical server, where virtual machines (VMs) are configured on the physical server. The method comprises the following steps:
The controller obtains the correspondence between the identifier of the VM and the user class identifier corresponding to the VM;
The controller uses the correspondence to generate the flow table corresponding to the VM; the flow table records the identifier of the VM and the user class identifier corresponding to the VM;
The controller delivers the flow table corresponding to the VM to the physical server, so that the physical server uses the flow table to send the VSI Discovery and Configuration Protocol (VDP) associate request message corresponding to the VM to the access device, the VDP associate request message carrying the user class identifier corresponding to the VM, and so that the access device uses the user class identifier corresponding to the VM to issue ACLs.
The VDP associate request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, which also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM. Each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
An embodiment of the present invention provides an access device, applied in a network comprising an access device, a controller and a physical server, where virtual machines (VMs) are configured on the physical server. The access device comprises:
an obtaining module, for obtaining the access control lists (ACLs) respectively corresponding to each user class identifier issued on the uplink port;
a receiving module, for receiving, from the physical server, the VSI Discovery and Configuration Protocol (VDP) associate request message corresponding to a VM; the VDP associate request message is sent by the physical server using a flow table obtained from the controller, the flow table records the identifier of the VM and the user class identifier corresponding to the VM, and the VDP associate request message carries the user class identifier corresponding to the VM;
a processing module, for generating a virtual switch interface (VSI) virtual interface for the VM after the VDP associate request message corresponding to the VM is received, and for recording, in a pre-configured information association table, the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM;
a selecting module, for selecting, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier of the VM, and determining the selected ACLs to be the ACLs corresponding to the VSI virtual interface of the VM.
The VDP associate request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, which also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM; the processing module is further configured to record the MAC address and/or VLAN information of the VM in the information association table while recording the correspondence between the user class identifier of the VM and the VSI virtual interface of the VM.
Each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
An embodiment of the present invention provides a controller, applied in a network comprising an access device, a controller and a physical server, where virtual machines (VMs) are configured on the physical server. The controller specifically comprises:
an obtaining module, for obtaining the correspondence between the identifier of a VM and the user class identifier corresponding to the VM;
a generating module, for using the correspondence to generate the flow table corresponding to the VM; the flow table records the identifier of the VM and the user class identifier corresponding to the VM;
a sending module, for delivering the flow table corresponding to the VM to the physical server, so that the physical server uses the flow table to send the VSI Discovery and Configuration Protocol (VDP) associate request message corresponding to the VM to the access device, the VDP associate request message carrying the user class identifier corresponding to the VM, and so that the access device uses the user class identifier corresponding to the VM to issue ACLs.
The VDP associate request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, which also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM. Each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
With the above technical solution, the embodiment of the present invention issues the ACLs corresponding to each user class identifier on the uplink port of the access device and determines the ACLs of a VSI virtual interface from the VSI virtual interface and user class identifier of the VM. ACLs therefore only need to be issued on the uplink port, and not on the access device for the VSI virtual interface of each VM, which effectively reduces the number of ACLs issued on the access device, saves ACL resources and lightens the load on the access device. Even with many VMs, the access device can still support the issued ACLs, and ACL issuing failures are avoided.
Brief description of the drawings
Fig. 1 is a networking diagram of an EVB network;
Fig. 2 is a flow diagram of the ACL issuing method proposed in the embodiment of the present invention;
Fig. 3 is a format diagram of the LLDP message proposed in the embodiment of the present invention;
Fig. 4 is a structural diagram of an access device proposed in the embodiment of the present invention;
Fig. 5 is a structural diagram of a controller proposed in the embodiment of the present invention.
Detailed description
To address the problems of the prior art, the embodiment of the present invention provides an ACL issuing method, applicable in a network comprising at least an access device, a controller and a physical server, the physical server being configured with one or more virtual switches and one or more VMs. Taking Fig. 1 as the application scenario of the embodiment: VM1, VM2, VM3 and a virtual switch are configured on the physical server, the access device is connected to the physical server, and the controller is connected to the physical server.
In the embodiment, the administrator can divide VMs into user classes according to actual needs, so that each VM is assigned to a corresponding user class. In a particular application a VM may be assigned to one user class or to several, and each user class has a user class identifier. For example, VM1 is assigned to user class 1, whose identifier is user class identifier 1; or VM1 is assigned to user class 1 and user class 2, whose identifiers are user class identifier 1 and user class identifier 2 respectively.
Further, the criterion for dividing VMs into user classes can be chosen from practical experience. For example, VMs in the same IP address range can be placed in the same user class and VMs in different IP address ranges in different user classes. In the scenario of Fig. 1, suppose the physical server belongs to the test department and VM1, VM2 and VM3 on it all use the address range 192.168.10.0/24; the administrator can then place VM1, VM2 and VM3 in one user class A, with user class identifier A. Suppose further that there is another physical server belonging to the development department whose VM4, VM5 and VM6 all use 192.168.20.0/24; the administrator can place VM4, VM5 and VM6 in one user class B, with user class identifier B.
In the embodiment, the correspondence between user class identifiers and ACLs can be configured in advance on the VSI management server as needed. For example, user class identifier A is configured to correspond to ACL1, ACL2, ACL3, ACL4 and ACL5, and user class identifier B to ACL2, ACL3, ACL4, ACL5 and ACL6. Further, based on the user class identifier of each VM, the correspondence between the identifier of a VM (its unique identifier, such as the VM's source MAC address) and the user class identifier of the VM can be configured in advance on the controller. For example, when VM1, VM2 and VM3 are all assigned to user class A, the controller is configured in advance with the correspondence between the source MAC address of VM1 and user class identifier A, between the source MAC address of VM2 and user class identifier A, and between the source MAC address of VM3 and user class identifier A.
In the above scenario, as shown in Fig. 2, the ACL issuing method specifically comprises the following steps:
Step 201: the access device obtains the ACLs respectively corresponding to each user class identifier issued on its uplink port. In the embodiment, the uplink port of the access device is the port on the access device that connects to the aggregation device: the access device sends messages from the physical server to the aggregation device through the uplink port, and receives messages from the aggregation device through it.
In the embodiment, each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different. For example, user class identifier A corresponds to ACL1, ACL2, ACL3, ACL4 and ACL5, and user class identifier B corresponds to ACL2, ACL3, ACL4, ACL5 and ACL6. The ACLs issued on the uplink port that the access device obtains are then ACL1, ACL2, ACL3, ACL4, ACL5 and ACL6, where ACL1 to ACL5 correspond to user class identifier A and ACL2 to ACL6 correspond to user class identifier B.
Because the correspondence between user class identifiers and ACLs is configured in advance on the VSI management server, the VSI management server can issue the ACLs corresponding to each user class identifier on the uplink port of the access device: for example, it issues ACL1, ACL2, ACL3, ACL4 and ACL5 for user class identifier A and ACL2, ACL3, ACL4, ACL5 and ACL6 for user class identifier B. The access device thereby obtains the ACLs corresponding to each user class identifier (user class identifier A and user class identifier B) issued on the uplink port.
Step 202: the controller obtains the correspondence between the identifier of the VM (e.g. the source MAC address of the VM) and the user class identifier corresponding to the VM, and uses this correspondence to generate the flow table corresponding to the VM. The flow table corresponding to a VM records the identifier of the VM and the user class identifier corresponding to the VM.
Because the correspondence between the identifier of the VM (e.g. its source MAC address) and the user class identifier of the VM is configured in advance on the controller, the controller can obtain it. For example, the controller obtains the correspondence between the source MAC address of VM1 and user class identifier A, between the source MAC address of VM2 and user class identifier A, and between the source MAC address of VM3 and user class identifier A.
Further, based on this correspondence, the controller can generate a flow table for each VM that records the unique identifier of the VM (e.g. its source MAC address) and the user class identifier of the VM. The match option of the flow table for a VM may be the source MAC address of the VM, and the action may be to add the user class identifier to the extended field of an LLDP (Link Layer Discovery Protocol) message. Table 1 shows the flow tables generated by the controller for VM1, VM2 and VM3.
Table 1

Match option            Action
Source MAC of VM1       Add user class identifier A to the extended field of the LLDP message
Source MAC of VM2       Add user class identifier A to the extended field of the LLDP message
Source MAC of VM3       Add user class identifier A to the extended field of the LLDP message
Step 203: the controller delivers the flow table corresponding to the VM to the physical server, e.g. to the virtual switch on the physical server.
Step 204: the physical server (e.g. the virtual switch on it) uses the flow table corresponding to the VM to send the VDP associate request message corresponding to the VM to the access device. The VDP associate request message carries the user class identifier corresponding to the VM (obtained from the flow table corresponding to the VM).
In the embodiment, the VDP associate request message that the virtual switch sends to the access device can be encapsulated in an LLDP message, and the LLDP message can also carry the MAC (Media Access Control) address and/or VLAN information corresponding to the VM.
Specifically, the virtual switch sends the S-channel request message for the VM (e.g. VM1) to the access device; the access device allocates an S-VLAN for the S-channel of VM1 and returns it to the virtual switch in an S-channel response message, thereby establishing the S-channel between VM1 and the access device. Then, based on the flow table for VM1 in Table 1 (match option: source MAC address of VM1; action: add user class identifier A to the extended field of the LLDP message), and because LLDP is readily extensible, the virtual switch encapsulates the VDP associate request message for VM1 in an LLDP message when sending it to the access device over the S-channel, and sends the LLDP message to the access device. Because the source MAC address of the LLDP message matches the source MAC address of VM1 in Table 1, the virtual switch adds user class identifier A to the extended field of the LLDP message. Fig. 3 shows the format of the LLDP message: the virtual switch can add user class identifier A in a TLV (Type Length Value) of the LLDPDU (Link Layer Discovery Protocol Data Unit) of the LLDP message.
Step 205: the access device receives the VDP associate request message from the physical server (the VDP associate request message corresponding to the VM); after receiving it, the access device generates a VSI virtual interface for the VM and records, in the pre-configured information association table, the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM.
Further, the VDP associate request message may be encapsulated in an LLDP message that also carries the MAC address and/or VLAN information of the VM. When the access device records the user class identifier and the VSI virtual interface of the VM in the information association table, it can therefore also record the MAC address and/or VLAN information of the VM in the information association table.
After receiving the LLDP message, the access device generates VSI virtual interface 1 for VM1 and extracts the MAC address, VLAN information and user class identifier A of VM1 from the LLDP message. With this information, the access device records the correspondence between the MAC address of VM1, the VLAN information of VM1, user class identifier A and VSI virtual interface 1 in the pre-configured information association table. Likewise, it records the correspondence between the MAC address of VM2, the VLAN information of VM2, user class identifier A and VSI virtual interface 2, and between the MAC address of VM3, the VLAN information of VM3, user class identifier A and VSI virtual interface 3. Table 2 shows an example of the information association table maintained by the access device. The access device can keep the information association table in its local memory.
Table 2

VSI virtual interface     MAC address          VLAN information          User class identifier
VSI virtual interface 1   MAC address of VM1   VLAN information of VM1   User class identifier A
VSI virtual interface 2   MAC address of VM2   VLAN information of VM2   User class identifier A
VSI virtual interface 3   MAC address of VM3   VLAN information of VM3   User class identifier A
Step 206: the access device selects, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier of the VM, and determines the selected ACLs to be the ACLs corresponding to the VSI virtual interface of the VM.
For example, when the VSI management server has issued ACL1, ACL2, ACL3, ACL4 and ACL5 for user class identifier A and ACL2, ACL3, ACL4, ACL5 and ACL6 for user class identifier B on the uplink port of the access device, then, based on the information association table of Table 2, the access device selects from the ACLs issued on the uplink port the ACLs corresponding to user class identifier A of VM1, namely ACL1, ACL2, ACL3, ACL4 and ACL5, and determines ACL1, ACL2, ACL3, ACL4 and ACL5 to be the ACLs corresponding to VSI virtual interface 1 of VM1. Suppose instead that the user class identifiers of VM1 are user class identifier A and user class identifier B: the access device then selects from the ACLs issued on the uplink port ACL1, ACL2, ACL3, ACL4 and ACL5 for user class identifier A and ACL2, ACL3, ACL4, ACL5 and ACL6 for user class identifier B, and, taking the union without duplicates, determines ACL1, ACL2, ACL3, ACL4, ACL5 and ACL6 to be the ACLs corresponding to VSI virtual interface 1 of VM1.
Because the messages of a VM accessing the network are forwarded through the uplink port, the embodiment issues the ACLs based on user class identifiers for the uplink port, so that access control is applied to the messages of VMs accessing the network. Further, different ACLs correspond to different QoS (Quality of Service) policies, and the access device applies access control to messages based on the QoS policy corresponding to the ACL.
With the above technical solution, the embodiment of the present invention issues the ACLs corresponding to each user class identifier on the uplink port of the access device and determines the ACLs of a VSI virtual interface from the VSI virtual interface and user class identifier of the VM. ACLs therefore only need to be issued on the uplink port, and not on the access device for the VSI virtual interface of each VM, which effectively reduces the number of ACLs issued on the access device, saves ACL resources and lightens the load on the access device. Even with many VMs, the access device can still support the issued ACLs, and ACL issuing failures are avoided.
For example, in the prior art, ACL1, ACL2, ACL3, ACL4 and ACL5 have to be issued on the access device for VSI virtual interface 1 of VM1, again for VSI virtual interface 2 of VM2, and again for VSI virtual interface 3 of VM3, 15 ACLs in total. In the embodiment, only ACL1, ACL2, ACL3, ACL4 and ACL5 need to be issued on the access device for the uplink port, 5 ACLs in total. This effectively reduces the number of ACLs issued on the access device, saves ACL resources and lightens the load on the access device; the more VMs there are, the more ACL resources are saved.
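The following is an added example written for this page; it is not code from the patent or from H3C. It simulates steps 201 to 206 end to end with constructed data: the controller's flow table (Table 1), the virtual switch encapsulating the VDP associate request in an LLDPDU whose organizationally specific TLV carries the user class identifier (Fig. 3), and the access device building the information association table (Table 2) and selecting the ACLs of each VSI as the de-duplicated union over the VM's user classes. The TLV layout (type 127, the placeholder OUI 00-00-00, subtypes 1 and 2), the MAC addresses, VLAN 100, and the names Controller, VirtualSwitch, AccessDevice and run_demo are assumptions, not anything the patent specifies. It also adds one check the patent does not describe: an associate request naming a user class for which no ACL was issued on the uplink port is rejected instead of being admitted with no ACL at all.

```python
from __future__ import annotations
import struct

ORG_TLV_TYPE = 127          # organizationally specific TLV type (IEEE 802.1AB)
OUI = b"\x00\x00\x00"       # placeholder OUI (assumption, not an allocated value)
SUBTYPE_VDP_ASSOC = 0x01    # assumed subtype carrying the VM MAC and VLAN of the associate request
SUBTYPE_USER_CLASS = 0x02   # assumed subtype for the user class identifier (the Fig. 3 extended field)

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def org_tlv(subtype: int, value: bytes) -> bytes:
    """Organizationally specific TLV: OUI, one subtype byte, then the payload."""
    return tlv(ORG_TLV_TYPE, OUI + bytes([subtype]) + value)

def decode_tlvs(lldpdu: bytes) -> list[tuple[int, bytes]]:
    """Walk an LLDPDU and return (type, value) pairs, stopping at the End of LLDPDU TLV."""
    out, pos = [], 0
    while pos + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(lldpdu):
            raise ValueError("truncated TLV")
        out.append((tlv_type, lldpdu[pos:pos + length]))
        pos += length
        if tlv_type == 0:
            break
    return out

class Controller:
    """Step 202: VM identifier (source MAC) -> user class identifiers, emitted as a flow table
    whose match option is the source MAC and whose action is the identifiers to add (Table 1)."""
    def __init__(self, vm_classes: dict[bytes, tuple[str, ...]]):
        self.vm_classes = vm_classes
    def flow_table(self) -> dict[bytes, tuple[str, ...]]:
        return dict(self.vm_classes)

class VirtualSwitch:
    """Steps 203-204: holds the delivered flow table and sends VDP associate requests inside LLDP."""
    def __init__(self, flow_table: dict[bytes, tuple[str, ...]]):
        self.flows = flow_table
    def vdp_associate_request(self, vm_mac: bytes, vlan: int) -> bytes:
        tlvs = [tlv(1, b"\x04" + vm_mac),                   # Chassis ID, subtype 4 = MAC address
                tlv(2, b"\x03" + vm_mac),                   # Port ID, subtype 3 = MAC address
                tlv(3, struct.pack("!H", 120)),             # Time To Live (seconds)
                org_tlv(SUBTYPE_VDP_ASSOC, vm_mac + struct.pack("!H", vlan))]
        for user_class in self.flows.get(vm_mac, ()):       # flow-table action from Table 1
            tlvs.append(org_tlv(SUBTYPE_USER_CLASS, user_class.encode()))
        tlvs.append(tlv(0, b""))                            # End of LLDPDU
        return b"".join(tlvs)

class AccessDevice:
    """Steps 201, 205 and 206: ACLs per user class on the uplink port, Table 2, ACL selection."""
    def __init__(self, uplink_acls: dict[str, list[str]]):
        self.uplink_acls = uplink_acls   # user class identifier -> ACLs issued on the uplink port
        self.assoc_table: dict[str, tuple[bytes, int, tuple[str, ...]]] = {}  # VSI -> (MAC, VLAN, classes)
        self._next_vsi = 1
    def on_vdp_associate(self, lldpdu: bytes) -> tuple[str, list[str]]:
        mac, vlan, classes = None, None, []
        for tlv_type, value in decode_tlvs(lldpdu):
            if tlv_type != ORG_TLV_TYPE or len(value) < 4 or value[:3] != OUI:
                continue
            if value[3] == SUBTYPE_VDP_ASSOC and len(value) == 12:
                mac, vlan = value[4:10], struct.unpack("!H", value[10:12])[0]
            elif value[3] == SUBTYPE_USER_CLASS:
                classes.append(value[4:].decode())
        if mac is None or not classes:
            raise ValueError("VDP associate request lacks the VM MAC or a user class identifier")
        # Added check: a class with no ACL on the uplink would leave the VSI without any ACL.
        unknown = [c for c in classes if c not in self.uplink_acls]
        if unknown:
            raise ValueError(f"no ACL issued on the uplink port for user class {unknown}")
        vsi = f"VSI{self._next_vsi}"
        self._next_vsi += 1
        self.assoc_table[vsi] = (mac, vlan, tuple(classes))
        return vsi, self.acls_for_vsi(vsi)
    def acls_for_vsi(self, vsi: str) -> list[str]:
        """Step 206: union of the ACLs of every user class of the VSI, duplicates removed."""
        selected: list[str] = []
        for user_class in self.assoc_table[vsi][2]:
            selected += [a for a in self.uplink_acls[user_class] if a not in selected]
        return selected

def run_demo() -> tuple[dict[str, list[str]], int, int]:
    """Constructed scenario: VM1 and VM2 in user class A, VM3 in user classes A and B."""
    uplink = {"A": ["ACL1", "ACL2", "ACL3", "ACL4", "ACL5"],
              "B": ["ACL2", "ACL3", "ACL4", "ACL5", "ACL6"]}
    vm1, vm2, vm3 = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
    vswitch = VirtualSwitch(Controller({vm1: ("A",), vm2: ("A",), vm3: ("A", "B")}).flow_table())
    access = AccessDevice(uplink)
    per_vsi = {}
    for mac in (vm1, vm2, vm3):
        vsi, acls = access.on_vdp_associate(vswitch.vdp_associate_request(mac, vlan=100))
        per_vsi[vsi] = acls
    per_vsi_total = sum(len(a) for a in per_vsi.values())              # prior art: one copy per VSI
    uplink_total = len({a for acls in uplink.values() for a in acls})   # this method: uplink only
    return per_vsi, per_vsi_total, uplink_total
```

run_demo() returns the ACL list chosen for each VSI together with the two counts the comparison above is about: with VM3 in two classes, issuing per VSI would take 16 ACL entries, while the uplink port carries 6. Note that the access device has no independent source for the user class and takes it from the TLV as received; the added check only rejects identifiers with no ACL behind them, so the virtual switch that inserts the TLV has to apply the controller's flow table faithfully for the selected ACLs to be the intended ones.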
Based on the same inventive concept as the above method, an embodiment of the present invention also provides an access device, applied in a network comprising the access device, a controller and a physical server, where the physical server is configured with virtual machines (VMs). As shown in Figure 4, the access device comprises:
an acquisition module 11, configured to obtain the access control lists (ACLs) corresponding to each user class identifier that are issued on the uplink port;
a receiving module 12, configured to receive a VSI Discovery and Configuration Protocol (VDP) association request message from the virtual switch interface corresponding to a VM of the physical server; the VDP association request message is sent by the physical server using a flow table from the controller, the flow table records the identifier of the VM and the user class identifier corresponding to the VM, and the VDP association request message carries the user class identifier corresponding to the VM;
a processing module 13, configured to, after the VDP association request message corresponding to the VM is received, generate a virtual switch interface (VSI virtual interface) for the VM, and record in a pre-configured information association table the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM;
a selection module 14, configured to select, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier corresponding to the VM, and to determine the selected ACLs as the ACLs corresponding to the VSI virtual interface corresponding to the VM.
The VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, and the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM;
the processing module 13 is further configured to, while recording in the pre-configured information association table the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM, also record the MAC address and/or VLAN information corresponding to the VM in the information association table.
In the embodiment of the present invention, each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
Based on the same inventive concept as the above method, an embodiment of the present invention also provides a controller, applied in a network comprising an access device, the controller and a physical server, where the physical server is configured with virtual machines (VMs). As shown in Figure 5, the controller comprises:
an acquisition module 21, configured to obtain the correspondence between the identifier of a VM and the user class identifier corresponding to the VM; a generation module 22, configured to generate, using the correspondence, the flow table corresponding to the VM, where the flow table records the identifier of the VM and the user class identifier corresponding to the VM;
a sending module 23, configured to deliver the flow table corresponding to the VM to the physical server, so that the physical server uses the flow table to send a VSI Discovery and Configuration Protocol (VDP) association request message corresponding to the VM to the access device, the VDP association request message carrying the user class identifier corresponding to the VM, so that the access device issues ACLs using the user class identifier corresponding to the VM.
In the embodiment of the present invention, the VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, and the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM; each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers may be the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
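As an added illustration, not code from the patent, the following Python model walks the controller, physical server and access device steps described above and replays the VM1..VM3 count from the description: the controller builds a flow table per VM, the server turns it into a VDP association request, and the access device creates the VSI interface, records the association and resolves the ACLs from the uplink port instead of issuing them again. Class names, the "class-A" identifier and the sample MAC/VLAN values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the patent): ACL1..ACL5 issued on the
# access device's uplink port for the assumed user class "class-A".
UPLINK_ACLS = {"class-A": ["ACL1", "ACL2", "ACL3", "ACL4", "ACL5"]}

@dataclass
class VdpAssociateRequest:
    """Fields the patent says the LLDP-encapsulated VDP association request carries."""
    vm_id: str
    user_class_id: str
    mac: Optional[str] = None     # optional MAC address of the VM
    vlan: Optional[int] = None    # optional VLAN information of the VM

class Controller:
    """Holds the VM identifier -> user class identifier relation (claim 4)."""
    def __init__(self, vm_to_class):
        self.vm_to_class = dict(vm_to_class)

    def flow_table(self, vm_id):
        # The flow table records the VM identifier and its user class identifier.
        return {"vm_id": vm_id, "user_class_id": self.vm_to_class[vm_id]}

class PhysicalServer:
    """Installs the controller's flow tables and emits VDP association requests."""
    def __init__(self):
        self.flow_tables = {}

    def install_flow_table(self, table):
        self.flow_tables[table["vm_id"]] = table

    def vdp_associate(self, vm_id, mac=None, vlan=None):
        entry = self.flow_tables[vm_id]   # user class is taken from the flow table
        return VdpAssociateRequest(vm_id, entry["user_class_id"], mac, vlan)

class AccessDevice:
    """Holds the uplink-port ACLs and the pre-configured information association table."""
    def __init__(self, uplink_acls):
        self.uplink_acls = uplink_acls
        self.association_table = {}   # VSI virtual interface -> recorded association

    def handle_vdp(self, req):
        """Create the VM's VSI interface, record the association, return its ACLs."""
        if req.user_class_id not in self.uplink_acls:
            # Nothing issued on the uplink for this class: refuse the association
            # instead of leaving the VM's interface with no policy at all.
            raise LookupError(f"no uplink ACL for user class {req.user_class_id}")
        vsi = f"vsi-{req.vm_id}"
        self.association_table[vsi] = {
            "user_class_id": req.user_class_id, "mac": req.mac, "vlan": req.vlan}
        return list(self.uplink_acls[req.user_class_id])   # no per-VSI ACL issued

    def issued_acl_count(self):
        # Only the uplink-port ACLs consume ACL resources on the device.
        return len({acl for acls in self.uplink_acls.values() for acl in acls})

def per_vsi_acl_count(device):
    """Prior-art count: every VSI interface has its class's ACLs issued again."""
    return sum(len(device.uplink_acls[r["user_class_id"]])
               for r in device.association_table.values())

def run_demo():
    """Replays the page's VM1..VM3 example; returns (prior-art count, new count)."""
    ctrl = Controller({"VM1": "class-A", "VM2": "class-A", "VM3": "class-A"})
    srv, dev = PhysicalServer(), AccessDevice(UPLINK_ACLS)
    for n in (1, 2, 3):
        srv.install_flow_table(ctrl.flow_table(f"VM{n}"))
        dev.handle_vdp(srv.vdp_associate(f"VM{n}", mac=f"02:00:00:00:00:0{n}", vlan=100))
    return per_vsi_acl_count(dev), dev.issued_acl_count()
```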
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may in essence be embodied in the form of a software product stored on a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention. Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention. Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from that of the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules. The sequence numbers of the above embodiments are for description only and do not indicate the relative merit of the embodiments. The above are only several specific embodiments of the present invention, but the present invention is not limited thereto; any change that a person skilled in the art can conceive shall fall within the scope of protection of the present invention.

Claims (10)

1. An access control list (ACL) issuing method, applied in a network comprising an access device, a controller and a physical server, wherein the physical server is configured with virtual machines (VMs), characterized in that the method comprises the following steps:
the access device obtains the ACLs corresponding to each user class identifier that are issued on an uplink port;
the access device receives a VSI Discovery and Configuration Protocol (VDP) association request message from the virtual switch interface corresponding to a VM of the physical server, wherein the VDP association request message is sent by the physical server using a flow table from the controller, the flow table records the identifier of the VM and the user class identifier corresponding to the VM, and the VDP association request message carries the user class identifier corresponding to the VM;
after receiving the VDP association request message corresponding to the VM, the access device generates a virtual switch interface (VSI virtual interface) for the VM, and records in a pre-configured information association table the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM;
the access device selects, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier corresponding to the VM, and determines the selected ACLs as the ACLs corresponding to the VSI virtual interface corresponding to the VM.
2. The method of claim 1, characterized in that the VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM, and the access device records the MAC address and/or VLAN information corresponding to the VM in the information association table.
3. The method of claim 1, characterized in that each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers are the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
4. An access control list (ACL) issuing method, applied in a network comprising an access device, a controller and a physical server, wherein the physical server is configured with virtual machines (VMs), characterized in that the method comprises the following steps:
the controller obtains the correspondence between the identifier of a VM and the user class identifier corresponding to the VM;
the controller generates, using the correspondence, the flow table corresponding to the VM, wherein the flow table records the identifier of the VM and the user class identifier corresponding to the VM;
the controller delivers the flow table corresponding to the VM to the physical server, so that the physical server uses the flow table to send a VSI Discovery and Configuration Protocol (VDP) association request message corresponding to the VM to the access device, the VDP association request message carrying the user class identifier corresponding to the VM, so that the access device issues ACLs using the user class identifier corresponding to the VM.
5. The method of claim 4, characterized in that the VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, and the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM; each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers are the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
6. An access device, applied in a network comprising the access device, a controller and a physical server, wherein the physical server is configured with virtual machines (VMs), characterized in that the access device comprises:
an acquisition module, configured to obtain the access control lists (ACLs) corresponding to each user class identifier that are issued on an uplink port;
a receiving module, configured to receive a VSI Discovery and Configuration Protocol (VDP) association request message from the virtual switch interface corresponding to a VM of the physical server, wherein the VDP association request message is sent by the physical server using a flow table from the controller, the flow table records the identifier of the VM and the user class identifier corresponding to the VM, and the VDP association request message carries the user class identifier corresponding to the VM;
a processing module, configured to, after the VDP association request message corresponding to the VM is received, generate a virtual switch interface (VSI virtual interface) for the VM, and record in a pre-configured information association table the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM;
a selection module, configured to select, from the ACLs issued on the uplink port, the ACLs corresponding to the user class identifier corresponding to the VM, and to determine the selected ACLs as the ACLs corresponding to the VSI virtual interface corresponding to the VM.
7. The access device of claim 6, characterized in that the VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, and the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM;
the processing module is further configured to, while recording in the pre-configured information association table the correspondence between the user class identifier corresponding to the VM and the VSI virtual interface corresponding to the VM, also record the MAC address and/or VLAN information corresponding to the VM in the information association table.
8. The access device of claim 6, characterized in that each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers are the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
9. A controller, applied in a network comprising an access device, the controller and a physical server, wherein the physical server is configured with virtual machines (VMs), characterized in that the controller comprises:
an acquisition module, configured to obtain the correspondence between the identifier of a VM and the user class identifier corresponding to the VM;
a generation module, configured to generate, using the correspondence, the flow table corresponding to the VM, wherein the flow table records the identifier of the VM and the user class identifier corresponding to the VM;
a sending module, configured to deliver the flow table corresponding to the VM to the physical server, so that the physical server uses the flow table to send a VSI Discovery and Configuration Protocol (VDP) association request message corresponding to the VM to the access device, the VDP association request message carrying the user class identifier corresponding to the VM, so that the access device issues ACLs using the user class identifier corresponding to the VM.
10. The controller of claim 9, characterized in that the VDP association request message is encapsulated in a Link Layer Discovery Protocol (LLDP) message, and the LLDP message also carries the Media Access Control (MAC) address and/or virtual LAN (VLAN) information corresponding to the VM; each user class identifier corresponds to one or more ACLs, and the ACLs corresponding to different user class identifiers are the same or different; each VM is assigned to one or more user classes, and each user class corresponds to one user class identifier.
CN201410708842.2A, priority date 2014-11-28, filing date 2014-11-28, "ACL issuing method and apparatus", status Active, granted as CN104486299B.
Publications (2)

Publication Number, Publication Date
CN104486299A, 2015-04-01
CN104486299B, 2018-07-24