CN105656914A - Multi-user management based method and apparatus for realizing switch forward domain isolation

Info

Publication number
CN105656914A
Authority
CN
China
Prior art keywords
switch
account
user
regular
user management
Prior art date
Legal status
Pending
Application number
CN201610064436.6A
Other languages
Chinese (zh)
Inventor
曹亮
Current Assignee
Centec Networks Suzhou Co Ltd
Original Assignee
Centec Networks Suzhou Co Ltd
Priority date
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The present invention discloses a multi-user management based method and apparatus for realizing switch forwarding-domain isolation. According to the method, an administrator account is created and a password is set; a user logs in to the switch operating system with the administrator account and creates a plurality of regular accounts, and at least two switch ports are designated and allocated to each regular account when it is created. Creating one regular account amounts to creating one virtual switch: for the final configuration the user must log in to the switch operating system with the regular account and perform the related configuration operations, and by creating regular accounts and configuring the attributes associated with each account the user partitions the switch logically into virtual switches. According to the method, a plurality of switch devices can be virtualized from one switch, so as to realize maximum utilization of resources.

Description

Method and apparatus for realizing switch forwarding-domain isolation through multi-user management
Technical field
The present invention relates to the technical field of switch virtualization operating systems, and in particular to a method and apparatus for realizing switch forwarding-domain isolation through logical port partitioning and multi-user management.
Background technology
A switch is a device that performs information exchange functions in a communication system. Personnel in certain specialized industries use switches for dependent test items; network device testers, for example, unlike ordinary users, generally do not need every port on the switch for their verification. In most cases they merely verify the characteristics of various software modules and different topological environments, so their real need is often only a few ports rather than a whole device. This is a very serious waste of resources, and all the more so when equipment is relatively scarce.
Summary of the invention
The object of the present invention is to overcome the defects of the prior art and provide a method and apparatus for realizing switch forwarding-domain isolation through multi-user management.
To achieve the above object, the present invention proposes the following technical scheme: a method for realizing switch forwarding-domain isolation through multi-user management, in which an administrator account is created and a password is set; the user logs in to the switch operating system with the administrator account and creates a plurality of regular accounts, and each time a regular account is created at least two switch ports must be designated and allocated to that regular account. Each regular account created represents the creation of one virtual switch; for the final configuration the user must log in to the switch operating system with the regular account and perform the relevant configuration operations. By creating regular accounts and configuring the attributes associated with each account, the user logically partitions the switch into virtual switches.
Preferably, the division of the switch ports is decided by the user's configuration.
Preferably, the software resources of the switch operating system are divided in proportion to the number of ports each virtual switch holds.
Preferably, the user may allocate resources manually when creating a regular account.
Preferably, both the administrator account and the regular accounts are subject to account-privilege verification.
The present invention also provides an apparatus for realizing switch forwarding-domain isolation through multi-user management, comprising an administrator account module and a switch. A plurality of regular accounts is created in the operating system of the switch, and each regular account occupies two ports of the switch, so that one regular account represents the creation of one virtual switch; the user ultimately logs in to the switch operating system through a regular account, thereby logically partitioning the switch into virtual switches.
The beneficial effects of the present invention are as follows. The invention provides a 1:N virtualization scheme for a switch: simply by creating multiple users, the switch is virtualized into a plurality of mutually independent devices, and each virtual device can only be logged in to and managed through its own unique account, which guarantees the security of each individual device. The hardware and software resources of the system are divided in a flexible, user-defined manner, raising physical resource utilization, and the forwarding planes and control planes of the individual virtual switches are all mutually isolated. This makes it easy for customers who cannot obtain a suitable hardware product form on the market, and for testers in certain specialized industries, to virtualize a plurality of switch devices and achieve maximum utilization of resources.
Description of the drawings
Fig. 1 is a schematic diagram of the principle by which the present invention divides one switch into a plurality of virtual switches.
Detailed description of the invention
The technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawing.
In the disclosed method for realizing switch forwarding-domain isolation through multi-user management, the switch device is first provided by default with an administrator account and password. The administrator account is used only to create new accounts and to modify the configuration of the related resource assignments on the device; that is, the user logically partitions the switch into virtual switches by creating regular accounts and configuring the attributes associated with each account.
After the switch has been powered up and initialized, it must be in account-verification mode: no matter how the user connects to the board (telnet, SSH, console), the account privilege (administrator account or regular account) must be verified. The main functions of the two kinds of account are as follows:
Administrator account: when the user logs in to the switch operating system through this account, they can only create multiple regular accounts according to actual requirements; each time a regular account is created, at least two (>=2) switch ports must be designated and allocated to that regular account.
Regular account: regular accounts are created by the user through the administrator account, and each regular account created represents the creation of one virtual switch. For the final configuration the user must also log in to the switch operating system through the regular account and perform the relevant configuration operations.
As for the division of the physical resources of the switch, as mentioned above, in actual use this is simply the division of the switch ports, decided by the user's configuration. As for the division of the switch's software resources, a simple approach is to divide them in proportion to the number of ports each virtual switch holds. In the switch operating system the software resources are nothing more than the sizes of the various tables, for instance the MAC table, ARP table and route table; because the number of ports of each virtual switch is fixed in the configuration beforehand, each virtual switch's software resources can simply be taken as the share of the whole machine's resources that corresponds to its share of the ports. Of course the user can also be allowed to allocate manually when creating a regular account, which is a more flexible approach.
Embodiment one, as shown in Fig. 1: how one switch is divided into a plurality of virtual switches.
Take an existing 48-port device with a MAC table capacity of 65536 and a route table capacity of 8192, to be divided into four virtual devices. The user first logs in to the switch operating system through the administrator account and creates regular account A, assigning ports 1-10 to account A and choosing proportional allocation for the software resources; the MAC table capacity of account A is then 65536/48*10, rounded down to 13653, and likewise its route table capacity is 1706 (8192/48*10). The remaining total software resources are now MAC table 51883 (65536-13653) and route table 6486 (8192-1706). The user then creates regular account B, assigning ports 11-20 to account B; unlike account A, the software resources of account B are allocated by manual configuration, with a MAC table capacity of 20000 and a route table capacity of 3000 configured by hand for account B. The remaining total software resources are now MAC table 31883 (51883-20000) and route table 3486 (6486-3000). The user creates regular account C, assigning ports 21-40 to account C with proportional allocation of software resources; the MAC table capacity of account C is 22773 (31883/28*20) and its route table capacity is 2490 (3486/28*20). The remaining total software resources are now MAC table 9110 (31883-22773) and route table 996 (3486-2490). The user creates regular account D, assigning ports 41-48 to account D; if the user does not choose manual assignment for the software resources, the MAC table capacity of account D is 9110 (9110/8*8) and its route table capacity is 996 (996/8*8).
In this way the whole machine is finally virtualized into the following four virtual devices.
Device A: 10 ports, MAC table 13653, route table 1706; Device B: 10 ports, MAC table 20000, route table 3000; Device C: 20 ports, MAC table 22773, route table 2490; Device D: 8 ports, MAC table 9110, route table 996.
How many virtual switches one whole machine can finally be divided into is jointly constrained by the physical resources and the software resources: whichever resource is exhausted first determines the number of switches that can be virtualized. If all the ports of the whole machine have been allocated, then even if software resources remain, a newly created virtual switch would have no available ports and hence no practical use; the operating system must therefore check for this at configuration time to prevent such an abnormal arrangement. The same reasoning applies when the software resources are exhausted first.
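The partitioning rules of the preceding paragraphs (administrator-only account creation, at least two ports per regular account, proportional or manual division of table capacity, and refusal once ports or table capacity run out) are modelled below in Python. This is an added illustration and not code from the patent or from Centec Networks; the class and method names (SwitchPartitioner, create_regular_account, remaining, creation_is_refused) and the administrator password are assumptions chosen for the example, while the capacities and port ranges reproduce Embodiment one. Proportional allocation is computed, as in the embodiment, as the share of the remaining capacity that corresponds to the new account's share of the remaining free ports, rounded down.

```python
"""Model of the 1:N switch partitioning scheme of Embodiment one.

Added example, not code from the patent or from Centec Networks. Names such as
SwitchPartitioner and create_regular_account are assumptions for illustration.
"""
from dataclasses import dataclass, field

MIN_PORTS_PER_ACCOUNT = 2  # each regular account must receive at least two ports


@dataclass
class VirtualSwitch:
    name: str
    ports: frozenset
    mac_table: int
    route_table: int


@dataclass
class SwitchPartitioner:
    total_ports: int
    mac_capacity: int
    route_capacity: int
    admin_password: str
    vswitches: dict = field(default_factory=dict)

    def remaining(self):
        """Free ports and free MAC/route table capacity of the whole machine."""
        used_ports = set()
        for v in self.vswitches.values():
            used_ports |= v.ports
        free_ports = set(range(1, self.total_ports + 1)) - used_ports
        free_mac = self.mac_capacity - sum(v.mac_table for v in self.vswitches.values())
        free_route = self.route_capacity - sum(v.route_table for v in self.vswitches.values())
        return free_ports, free_mac, free_route

    def create_regular_account(self, admin_password, name, ports, mac=None, route=None):
        """Create one regular account, i.e. one virtual switch.

        Only the administrator may do this. When mac/route are omitted the table
        capacities are the remaining capacity times the account's share of the
        remaining free ports (rounded down); otherwise the manual values are used.
        Creation is refused when ports or table capacity are exhausted, which is the
        configuration-time check the description requires of the operating system.
        """
        if admin_password != self.admin_password:
            raise PermissionError("administrator account verification failed")
        if name in self.vswitches:
            raise ValueError(f"account {name} already exists")
        ports = frozenset(ports)
        free_ports, free_mac, free_route = self.remaining()
        if not free_ports or free_mac <= 0 or free_route <= 0:
            raise RuntimeError("resources exhausted: no further virtual switch possible")
        if len(ports) < MIN_PORTS_PER_ACCOUNT:
            raise ValueError(f"a regular account needs at least {MIN_PORTS_PER_ACCOUNT} ports")
        if not ports <= free_ports:
            raise ValueError(f"ports {sorted(ports - free_ports)} are not available")
        if mac is None:
            mac = free_mac * len(ports) // len(free_ports)
        if route is None:
            route = free_route * len(ports) // len(free_ports)
        if mac <= 0 or route <= 0 or mac > free_mac or route > free_route:
            raise ValueError("requested table capacity exceeds what remains")
        vs = VirtualSwitch(name, ports, mac, route)
        self.vswitches[name] = vs
        return vs


def creation_is_refused(sw, admin_password, name, ports, **kw):
    """True when the operating system rejects the request (exhaustion, bad ports, bad credentials)."""
    try:
        sw.create_regular_account(admin_password, name, ports, **kw)
    except (RuntimeError, ValueError, PermissionError):
        return True
    return False


ADMIN_PW = "admin-pw-example"  # constructed placeholder, not a real credential


def embodiment_one():
    """Reproduce the four-way split of the 48-port, 65536-MAC, 8192-route device."""
    sw = SwitchPartitioner(total_ports=48, mac_capacity=65536, route_capacity=8192,
                           admin_password=ADMIN_PW)
    sw.create_regular_account(ADMIN_PW, "A", range(1, 11))                         # proportional
    sw.create_regular_account(ADMIN_PW, "B", range(11, 21), mac=20000, route=3000) # manual
    sw.create_regular_account(ADMIN_PW, "C", range(21, 41))                        # proportional
    sw.create_regular_account(ADMIN_PW, "D", range(41, 49))                        # proportional
    return sw


if __name__ == "__main__":
    sw = embodiment_one()
    for v in sw.vswitches.values():
        print(f"Device {v.name}: {len(v.ports)} ports, MAC table {v.mac_table}, route table {v.route_table}")
    # All 48 ports are now assigned, so a fifth account is refused even though the check
    # on table capacity would also fail here.
    print("fifth account refused:", creation_is_refused(sw, ADMIN_PW, "E", [1, 2]))
```

Running the block prints the same four devices as the embodiment (A: 13653/1706, B: 20000/3000, C: 22773/2490, D: 9110/996) and then shows the refusal of a fifth account once the machine is exhausted.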
Once the above method of logically partitioning virtual switches by switch port has taken effect, forwarding-domain isolation between the virtual switches is readily achieved. The MAC table, route table and so on of the original switch can each be regarded as a database, and the forwarding behaviour for each flow is in effect the process of querying that database with a certain query condition and forwarding according to the result of the lookup. Achieving forwarding-domain isolation between the virtual machines therefore amounts to making the databases separate from and independent of one another. After the virtual switch devices A, B, C and D are separated, as long as corresponding databases such as A.MACtable, B.MACtable, ... are created in the system, each virtual switch maintains only its own database and queries only its own database during operation, and forwarding-domain isolation is thereby realized.
Isolation at the switch control level is distinguished by the regular accounts created by the user. As mentioned above, an account-verification mode applies when the user connects to the device: when the user logs in with a regular account, only the resources belonging to the current account (the physical resources, i.e. the ports, and the software resources, i.e. the capacity of each table) can be configured after login, while the relevant configuration and behaviour of the other modules are no different from those of a conventional switch. For reasons of information security, the currently logged-in user cannot view the configuration information of other regular accounts.
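The two isolation properties just described, a per-virtual-switch MAC table that is the only one consulted for frames entering that virtual switch's ports, and a control plane in which a regular account can configure and view only its own resources, are shown together below. This is an added illustration and not code from the patent or from Centec Networks; the names (IsolatedSwitchOS, Session, learn, forward, login, show_config) and the two constructed accounts A and B with their ports and passwords are assumptions for the example. It also shows a consequence the description implies but does not spell out: unknown-unicast and broadcast frames flood only to the ports of the virtual switch they entered.

```python
"""Forwarding-domain and control-plane isolation between virtual switches.

Added example, not code from the patent or from Centec Networks. Class and
method names are assumptions; accounts A and B are constructed for the demo.
"""


class IsolatedSwitchOS:
    def __init__(self):
        # account name -> {"password", "ports", "mac_table" (its own A.MACtable), "config"}
        self.accounts = {}
        self.port_owner = {}  # physical port -> owning account name

    def add_virtual_switch(self, name, password, ports):
        """Create a regular account with its own ports and its own, separate MAC table."""
        for p in ports:
            if p in self.port_owner:
                raise ValueError(f"port {p} already belongs to {self.port_owner[p]}")
        self.accounts[name] = {"password": password, "ports": set(ports),
                               "mac_table": {}, "config": {}}
        for p in ports:
            self.port_owner[p] = name

    def learn(self, in_port, src_mac):
        """Source learning writes only into the table of the virtual switch owning the port."""
        self.accounts[self.port_owner[in_port]]["mac_table"][src_mac] = in_port

    def forward(self, in_port, dst_mac):
        """Egress ports for a frame; the lookup is confined to the owner's own table."""
        owner = self.accounts[self.port_owner[in_port]]
        out = owner["mac_table"].get(dst_mac)
        if out is not None and out != in_port:
            return {out}
        # unknown unicast or broadcast floods only inside this forwarding domain
        return owner["ports"] - {in_port}

    def login(self, name, password):
        """Account verification on connect; returns a session bound to that account."""
        if self.accounts.get(name, {}).get("password") != password:
            raise PermissionError("account verification failed")
        return Session(self, name)


class Session:
    """A logged-in regular account: may configure and view only its own resources."""

    def __init__(self, os_, name):
        self.os, self.name = os_, name

    def set_config(self, key, value):
        self.os.accounts[self.name]["config"][key] = value

    def show_config(self, account=None):
        account = account or self.name
        if account != self.name:
            raise PermissionError(f"{self.name} may not view the configuration of {account}")
        return dict(self.os.accounts[account]["config"])


def demo():
    os_ = IsolatedSwitchOS()
    os_.add_virtual_switch("A", "pw-a-example", range(1, 11))    # constructed accounts
    os_.add_virtual_switch("B", "pw-b-example", range(11, 21))
    # The same MAC address appears in both domains; each table records it independently.
    os_.learn(1, "00:11:22:33:44:55")
    os_.learn(11, "00:11:22:33:44:55")
    results = {
        "A_known": os_.forward(2, "00:11:22:33:44:55"),        # A's table -> port 1
        "B_known": os_.forward(12, "00:11:22:33:44:55"),       # B's table -> port 11
        "B_broadcast": os_.forward(12, "ff:ff:ff:ff:ff:ff"),   # B's ports only, never A's
    }
    sa = os_.login("A", "pw-a-example")
    sa.set_config("vlan", 100)
    results["A_config"] = sa.show_config()
    try:
        sa.show_config("B")
        results["cross_view"] = "allowed"
    except PermissionError:
        results["cross_view"] = "denied"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the lookup and the flood set are both taken from the owner of the ingress port, a misconfiguration in B that floods B's ports can never reach A's ports, which is the forwarding-plane independence the description claims.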
Through multi-account management, the present invention isolates the forwarding domains and control planes of the virtual switches from one another, so that multiple users can share one device without interfering with each other. For users of actual switch devices, leaving spare ports idle on the device is certainly a waste of resources; the vacated ports could perfectly well be leased to other users. With this scheme, the network administrator of user A need not be concerned with the network environment of user B, because the two are isolated in both the control plane and the forwarding plane. From the control-plane perspective, user A need not worry that a misoperation by user B will damage their configuration, because users A and B can neither modify nor view each other's configuration, which ensures both information security and the independence of each individual. From the forwarding-plane perspective, even if user B causes a broadcast storm that affects network performance through improper configuration, user A is not disturbed, because users A and B each have their own independent forwarding tables and their own interfaces that take part in data forwarding. With this scheme, without modifying the planning or design of any legacy network, the logically virtualized switch devices preserve the cabling of the legacy network and the conventional physical topology connections and largely preserve traditional maintenance habits, while greatly simplifying management, streamlining operation and maintenance, and reducing programming and design effort.
By virtualizing a plurality of switch devices with this scheme, maximum utilization of resources is achieved. For instance, a topological environment that originally required four devices can now be built by virtualizing a single device, and the dependent test items can then be performed in that environment.
The technical content and technical features of the present invention have been disclosed above; however, those of ordinary skill in the art may still, on the basis of the teaching and disclosure of the present invention, make substitutions and modifications that do not depart from its spirit. The scope of protection should therefore not be limited to the content disclosed in the embodiments, but should include the various substitutions and modifications that do not depart from the present invention, as covered by the claims of this patent application.

Claims (6)

1. A method for realizing switch forwarding-domain isolation through multi-user management, characterized in that: an administrator account is created and a password is set; a user logs in to the switch operating system with said administrator account and creates a plurality of regular accounts, and each time one of said regular accounts is created at least two switch ports are designated and allocated to said regular account; for the final configuration the user logs in to the switch operating system with said regular account and performs the relevant configuration operations.
2. The method for realizing switch forwarding-domain isolation through multi-user management according to claim 1, characterized in that the division of said switch ports is decided by the user's configuration.
3. The method for realizing switch forwarding-domain isolation through multi-user management according to claim 1, characterized in that the software resources of said switch operating system are divided in proportion to the number of ports each virtual switch holds.
4. The method for realizing switch forwarding-domain isolation through multi-user management according to claim 1, characterized in that the user allocates resources manually when creating a regular account.
5. The method for realizing switch forwarding-domain isolation through multi-user management according to claim 1, characterized in that said administrator account and regular accounts are subject to account-privilege verification.
6. An apparatus for realizing switch forwarding-domain isolation through multi-user management, characterized in that it comprises an administrator account module and a switch, said administrator account module being used to create a plurality of regular accounts in the operating system of said switch; each of said regular accounts occupies at least two ports of said switch, so that one regular account represents the creation of one virtual switch, and the user ultimately logs in to the switch operating system through the regular account, thereby logically partitioning the switch into virtual switches.
Application CN201610064436.6A, priority date 2016-01-29, filing date 2016-01-29, legal status Pending.

Publications (1)

Publication Number Publication Date
CN105656914A (en) 2016-06-08

Family

ID=56488079

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494739A (en) * 2018-03-01 2018-09-04 武汉噢易云计算股份有限公司 Mac computer room batch login methods and system
CN113452722A (en) * 2021-08-30 2021-09-28 统信软件技术有限公司 User isolation method, data transmission method, computing device and storage medium
US11212317B2 (en) * 2019-11-11 2021-12-28 International Business Machines Corporation Extending managed switching network to a virtualization layer in a computer

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1357997A (en) * 2000-12-15 2002-07-10 华为技术有限公司 Virtual local area network access method in Ethernet access network
US6912592B2 (en) * 2001-01-05 2005-06-28 Extreme Networks, Inc. Method and system of aggregate multiple VLANs in a metropolitan area network
CN1538675A (en) * 2003-04-15 2004-10-20 华为技术有限公司 Method of isolating user's ports of Ethernet exchanger
CN101035052A (en) * 2007-04-25 2007-09-12 中兴通讯股份有限公司 Port separation method based on the virtual LAN
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network invitation to enter controlling method and network invitation to enter controlling system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
华三: "01-Fundamentals Configuration Guide-MDC configuration", 《HTTP://WWW.H3C.COM.HK/TECHNICAL_SUPPORT___DOCUMENTS/TECHNICAL_DOCUMENTS/SWITCHES/H3C_S12500_SERIES_SWITCHES/CONFIGURATION/OPERATION_MANUAL/H3C_S12500_CG-RELEASE7128-6W710/01/201301/772601_1285_0.HTM》 *
李飞: "1:N network device virtualization technology: H3C Multitenant Device Context (MDC)", 《HTTP://WWW.H3C.COM/CN/D_201211/758702_30008_0.HTM》 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160608