CN106161457B - Network domains isolating device and method based on SDN - Google Patents


Info

Publication number: CN106161457B
Application number: CN201610597418.4A
Authority: CN (China)
Other versions: CN106161457A (en
Other languages: Chinese (zh)
Inventor: 刘昱
Original Assignee: Individual
Current Assignee: Individual
Legal status: Active
Prior art keywords: port, SDN, address, network, data message

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/50: Address allocation
    • H04L61/5069: Address allocation for group communication, multicast communication or broadcast communication

Abstract

A network domain isolating device based on SDN is applied to an SDN controller and includes a quarantine domain administrative unit, a message receiving unit and a data processing unit. The quarantine domain administrative unit establishes a network domain list according to user demand. The message receiving unit receives the data message that an SDN switch has received and forwarded, and records the destination MAC address in the data message and the port on which the SDN switch received the data message. The data processing unit looks up whether the MAC address and port relation table contains a port matching the destination MAC address; if it does, it judges whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain in the network domain list; if so, it generates and issues a forwarding flow table according to the port matching the destination MAC address. The present invention also provides a network domain isolation method based on SDN. The invention can control the range over which network messages are broadcast while improving the flexibility and security of the network.

Description

Network domains isolating device and method based on SDN
Technical field
The present invention relates to the field of network communication, and specifically to a network domain isolating device and method based on SDN.
Background technique
Network domain isolation means dividing two or more computers or networks into isolated areas, so that network domains that are harmful, of different security levels, of different types or of different purposes can be kept apart. This ensures that data is exchanged securely and resources are shared within a trusted network, and it controls the broadcast range of broadcast messages. Current network domain isolation methods mainly include the following. Access control technology: access control is usually applied as access control instructions on the interfaces of a router or layer-3 switch; these instructions tell the router which data packets may be received and which must be rejected. Whether a data packet is received or rejected can be determined by specific conditions such as source address, destination address and port number. Virtual local area network (Virtual Local Area Network, VLAN) technology: a VLAN is a logical group of devices and users that are not limited by physical location and can be organized according to factors such as function, department and application; they communicate with one another as if they were on the same network segment, hence the name virtual local area network. However, current network domain isolation methods are complicated to configure and inflexible. To achieve general network isolation, the two technologies above must be used together and configured separately on the access devices and the aggregation devices (usually layer-3 switches), which is complicated and error-prone. Special scenarios, such as isolation required between networks in the same VLAN or within the same network segment, are difficult to achieve with the above methods.
Summary of the invention
In view of this, the object of the present invention is to provide a network domain isolating device and method based on SDN (Software Defined Network), so that network isolation is more flexible, efficient and secure.
A network domain isolating device based on SDN provided in an embodiment of the present invention is applied to an SDN controller. The SDN controller is connected to SDN switches and includes a MAC address and port relation table. The device includes a quarantine domain administrative unit, a message receiving unit and a data processing unit. The quarantine domain administrative unit establishes a network domain list according to user demand; the network domain list includes the ports of the SDN switches in the network and divides those ports into several network domains. The message receiving unit receives the data message that the SDN switch has received and forwarded, and records the destination MAC address in the data message and the port on which the SDN switch received the data message. The data processing unit looks up whether the MAC address and port relation table contains a port matching the destination MAC address; if it does, it judges whether that port and the port on which the SDN switch received the data message are in the same network domain in the network domain list; if so, it generates and issues a forwarding flow table according to the port matching the destination MAC address.
Preferably, when the MAC address and port relation table contains no port matching the destination MAC address, the data processing unit also determines the network domain according to the port that received the data message, and then broadcasts the data message to the other ports in the determined network domain, excluding the port that received the data message.
Preferably, the data processing unit also judges whether the port matching the destination MAC address and the port that received the data message are located on the same SDN switch; if so, it generates and issues the forwarding flow table; if not, it further judges whether there is a reachable path between the port matching the destination MAC address and the port that received the data message; if there is a reachable path, it generates and issues the forwarding flow table; if there is no reachable path, it controls the SDN switch that received the data message to discard the data message.
Preferably, the network domain list may also include the MAC addresses of associated hosts.
Preferably, the network domain list can also be viewed, updated and deleted according to user demand.
A network domain isolation method based on SDN provided in another embodiment of the present invention is applied to an SDN controller. The SDN controller is connected to SDN switches and includes a MAC address and port relation table. The method includes: establishing a network domain list according to user demand, the network domain list including the ports of the SDN switches in the network and dividing those ports into several network domains; receiving the data message that the SDN switch has received and forwarded, and recording the destination MAC address in the data message and the port on which the SDN switch received the data message; looking up whether the MAC address and port relation table contains a port matching the destination MAC address; if it does, judging whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain in the network domain list; if so, generating and issuing a forwarding flow table according to the port matching the destination MAC address.
Preferably, if the MAC address and port relation table contains no port matching the destination MAC address, the network domain is determined according to the port that received the data message, and the data message is then broadcast to the other ports in the determined network domain, excluding the port that received the data message.
Preferably, the step of generating and issuing the forwarding flow table according to the port matching the destination MAC address further includes: judging whether the port matching the destination MAC address and the port that received the data message are located on the same SDN switch; if so, generating and issuing the forwarding flow table; if not, further judging whether there is a reachable path between the port matching the destination MAC address and the port that received the data message; if there is a reachable path, generating and issuing the forwarding flow table; if there is no reachable path, controlling the SDN switch that received the data message to discard the data message.
Preferably, the network domain list may also include the MAC addresses of associated hosts.
Preferably, the network domain list can also be viewed, updated and deleted according to user demand.
The above network domain isolation method based on SDN achieves network isolation freely and flexibly, effectively controls the range of network message broadcast without relying on traditional VLAN and access control functions, and improves network security to a certain degree.
The present invention is described in detail below with reference to the drawings and specific embodiments, which are not intended to limit the invention.
Description of the drawings
Fig. 1 is an application environment diagram of one embodiment of the network domain isolating device 10 based on SDN of the present invention.
Fig. 2 is a functional block diagram of one embodiment of the network domain isolating device 10 based on SDN of the present invention.
Fig. 3 is a functional block diagram of another embodiment of the network domain isolating device 10 based on SDN of the present invention.
Fig. 4 is a flow chart of one embodiment of the network domain isolation method based on SDN of the present invention.
Main element symbol description
Network domains isolating device based on SDN: 10
SDN controller: 1
SDN switch: 2
Quarantine domain administrative unit: 100
Message receiving unit: 102
Data processing unit: 104
Memory: 106
Processor: 108
The following detailed description further explains the present invention with reference to the above drawings.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is an application environment diagram of one embodiment of the network domain isolating device 10 based on SDN of the present invention. In Fig. 1, SDN controller 1 is connected to several SDN switches 2, and each SDN switch 2 is connected to several hosts or subnets. In this embodiment, the hosts or subnets can be divided manually into multiple domains as required, so that network domains are isolated and each network domain is managed separately.
Fig. 2 is a functional block diagram of one embodiment of the network domain isolating device 10 based on SDN of the present invention. In Fig. 2, the network domain isolating device 10 based on SDN is applied to SDN controller 1 and includes a quarantine domain administrative unit 100, a message receiving unit 102 and a data processing unit 104.
The quarantine domain administrative unit 100 establishes the network domain list according to user demand. A network domain is a region into which several hosts or subnets are manually divided. In this embodiment, the hosts or subnets can be represented by ports on the SDN switches 2, so the ports of the SDN switches 2 in the network are manually divided into several network domains. A specific example is given in Table -1 below:
Table -1
Here, ports g0/1, g0/2 and g0/3 of SDN switches 2 (SW1, SW2, SW3) are assigned to domain A; ports g0/4, g0/5 and g0/6 of SDN switches 2 (SW1, SW2) are assigned to domain B; and ports g0/7, g0/8 and g0/9 of SDN switch 2 (SW1) are assigned to domain C. In addition, in this embodiment, SDN controller 1 stores a MAC address and port relation table (MAC-PORT table). This table stores the correspondence between the host MAC addresses that the SDN controller has learned and the ports of the corresponding SDN switches 2. The information in this table can be updated as messages are received, and entries in the table can also be aged according to a period set by the user; an aged entry is deleted immediately.
Of course, in other embodiments, a quarantine domain can be described not only by switch ports as above; a host MAC characterization can also be added on this basis. Table -2 is an example that adds host MAC characterization for domain A of Table -1. Host MAC characterization can be added for domains B and C of Table -1 in the same way as shown for domain A in Table -2, so no further examples are given here.
Table -2
In the illustration of Table -2 above, domain A can be characterized not only as "switch + port" as in Table -1, but also as "switch + MAC", "MAC" or "switch + port + MAC". In this way, isolation can be achieved without interfering with traditional isolation means; that is, functions such as VLAN and access control can still be configured alongside this isolation scheme. The method can also meet more complex isolation requirements, specifically: 1. finer-grained isolation, i.e. isolation based on "switch + port + MAC"; 2. isolation for special scenarios under virtualization, i.e. with "MAC"-based isolation, when a virtual machine drifts to another physical location its isolation configuration automatically follows it.
In addition, in other embodiments, the quarantine domain administrative unit 100 can also serve as an independent module used as an application on SDN controller 1; as long as it meets the functional and performance requirements for exchanging information with the other functional modules of the network domain isolating device 10 based on SDN, it achieves the same technical effect as the above embodiment.
The message receiving unit 102 receives the data message forwarded by the SDN switch 2 and records the destination MAC address in the data message and the port on which the SDN switch 2 received the data message (hereinafter, the input port). In this embodiment, when an SDN switch 2 receives a data message sent by a host and has no corresponding forwarding flow table, it forwards the data message to SDN controller 1, where it is received by the message receiving unit 102, which records the destination MAC address in the data message and the input port of the SDN switch 2.
The data processing unit 104 looks up whether the MAC address and port relation table contains a port matching the destination MAC address (hereinafter, the output port). If it does, the unit judges whether the output port and the input port are in the same network domain in the network domain list; if so, it judges whether the output port and the input port are located on the same SDN switch; if so, it generates and issues a forwarding flow table according to the output port.
In this embodiment, if the MAC address and port relation table contains a port matching the destination MAC address, and the network domain list shows that the output port and the input port that received the data message are in the same network domain, but the output port and the input port are not on the same switch, the data processing unit 104 must judge whether the path between the input port and the output port is reachable. If it is reachable, the unit generates a forwarding flow table according to the determined output port and issues it to the relevant SDN switches 2; if it is unreachable, the unit controls the SDN switch 2 that received the data message to discard the data message.
In this embodiment, if the MAC address and port relation table contains a port matching the destination MAC address, and the network domain list shows that the output port and the input port that received the data message are not in the same network domain, the data processing unit 104 controls the SDN switch 2 that received the data message to discard the data message.
In other embodiments, if the MAC address and port relation table contains no port matching the destination MAC address, the data processing unit 104 queries the network domain list with the recorded input port to determine which network domain the input port belongs to. Once the network domain is determined, the data processing unit 104 controls the data message to be broadcast on the ports of that network domain other than the input port, thereby forwarding the data message. If it cannot determine which network domain the input port belongs to, it controls the SDN switch 2 that received the data message to discard the data message. In this embodiment, if a response message from the destination host is received after the broadcast, the data processing unit 104 can also automatically update the MAC address and port relation table (MAC-PORT table) according to the received response message.
In the above embodiment, the data processing unit 104 also controls the SDN switch 2 that receives a forwarding flow table to store and update the received forwarding flow table. When the switch receives a data message again, it judges whether a forwarding flow table matching the received data message exists; if so, it forwards the data message directly, which improves the forwarding efficiency of data messages.
In the above embodiment, the quarantine domain administrative unit 100 can also view, update and delete quarantine domains according to user demand, enabling flexible management of quarantine domains.
Fig. 3 is a functional block diagram of another embodiment of the network domain isolating device 10 based on SDN of the present invention. In Fig. 3, the network domain isolating device 10 based on SDN includes the quarantine domain administrative unit 100, the message receiving unit 102, the data processing unit 104, a memory 106 and a processor 108. The quarantine domain administrative unit 100, the message receiving unit 102 and the data processing unit 104 are stored in the memory 106 as functional modules and are executed by the processor 108 to perform the functions of those modules.
Fig. 4 is a flow chart of one embodiment of the network domain isolation method based on SDN of the present invention. The method is applied to the network domain isolating device 10 based on SDN in Fig. 2 or Fig. 3. The network domain isolating device 10 based on SDN may reside in SDN controller 1.
In step S400, the quarantine domain administrative unit 100 establishes the network domain list according to user demand. A network domain is a region into which several hosts or subnets are manually divided. In this embodiment, the hosts or subnets can be characterized by ports on the SDN switches 2, so the ports of the SDN switches 2 in the network are divided manually; the specific division of the network domain list is as described for Table -1 above. In addition, in this embodiment, SDN controller 1 stores a MAC address and port relation table (MAC-PORT table). This table stores the correspondence between the MAC addresses that the SDN controller has learned and the ports of the corresponding SDN switches 2. The information in this table can be updated as messages are received, and entries in the table can also be aged according to a configurable period; an aged entry is deleted immediately.
Of course, in other embodiments, a quarantine domain can be described not only by the ports of SDN switches 2 as above; a host MAC address characterization can also be added on this basis. See the description of Table -2 above for details.
In addition, in other embodiments, the quarantine domain administrative unit 100 can also serve as an independent module integrated as an application on SDN controller 1; as long as it meets the functional and performance requirements for exchanging information with the other functional modules of the network domain isolating device 10 based on SDN, it achieves the same technical effect as the above embodiment.
In step S402, the message receiving unit 102 receives the data message forwarded by the SDN switch 2 and records the destination MAC address in the data message and the port on which the SDN switch 2 received the data message (hereinafter, the input port). In this embodiment, when an SDN switch 2 receives a data message sent by a host, it forwards the data message to SDN controller 1, where it is received by the message receiving unit 102, which records the destination MAC address in the data message and the input port of the SDN switch 2 that received the data message.
In step S404, the data processing unit 104 looks up whether the MAC address and port relation table contains a port matching the destination MAC address (hereinafter, the output port).
In step S406, when the MAC address and port relation table contains a port matching the destination MAC address, the data processing unit 104 judges whether the output port and the input port on which the SDN switch 2 received the data message are in the same network domain in the network domain list.
In step S408, when the output port and the input port on which the SDN switch 2 received the data message are in the same network domain in the network domain list, the data processing unit 104 judges whether the output port and the input port on which the switch received the data message are located on the same SDN switch.
In step S410, when the output port and the input port on which the switch received the data message are located on the same SDN switch, the data processing unit 104 generates and issues a forwarding flow table according to the output port.
In step S412, when the output port and the input port on which the switch received the data message are not located on the same SDN switch, the data processing unit 104 further judges whether there is a reachable path between the input port that received the data message and the determined output port.
In step S414, when the data processing unit 104 judges that no path is reachable between the input port that received the data message and the determined output port, it controls the SDN switch 2 to discard the data message. If the data processing unit 104 judges that a path is reachable between the input port that received the data message and the determined output port, the flow returns to step S410, and a forwarding flow table is generated and issued according to the output port.
In addition, if in step S406 the data processing unit 104 judges that the output port and the input port on which the SDN switch 2 received the data message are not in the same network domain in the network domain list, then, as in step S414, it also controls the SDN switch 2 that received the data message to discard the data message.
In step S416, if the data processing unit 104 finds that the MAC address and port relation table contains no port matching the destination MAC address, it queries the network domain list with the recorded input port to determine which network domain the input port belongs to. Once the network domain is determined, the data processing unit 104 controls the data message to be broadcast on the ports of that network domain other than the input port, thereby forwarding the data message.
Of course, in this embodiment, if the data processing unit 104 cannot determine from the network domain list which network domain the input port belongs to, it can, according to the configured setting, control the SDN switch 2 that received the data message either to discard the data message or to broadcast it in a public network domain.
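The decision flow of steps S400 to S416, written out as an added Python example (it is not code from the patent). The domain assignment follows the ports described for Table -1; the switch links, MAC addresses and all class and function names are assumptions made for illustration, and the case where the input port belongs to no domain is set to discard.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Port = Tuple[str, str]  # (switch name, port name), e.g. ("SW1", "g0/1")


@dataclass
class DomainIsolator:
    """Controller-side forwarding decision (hypothetical class, not from the patent)."""
    domains: Dict[str, Set[Port]]   # network domain list (S400)
    links: Dict[str, Set[str]]      # switch adjacency; assumed topology view
    mac_port: Dict[str, Port] = field(default_factory=dict)  # MAC-PORT table

    def learn(self, mac: str, port: Port) -> None:
        """Record or refresh the port on which a host MAC was seen."""
        self.mac_port[mac.lower()] = port

    def domains_of(self, port: Port) -> Set[str]:
        """Names of all network domains that contain this port."""
        return {name for name, ports in self.domains.items() if port in ports}

    def reachable(self, src: str, dst: str) -> bool:
        """Breadth-first search over switch links (S412)."""
        seen, queue = {src}, deque([src])
        while queue:
            sw = queue.popleft()
            if sw == dst:
                return True
            for nxt in self.links.get(sw, set()) - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False

    def decide(self, in_port: Port, dst_mac: str) -> Tuple[str, List[Port]]:
        """Return (action, ports) where action is 'forward', 'flood' or 'drop'."""
        in_domains = self.domains_of(in_port)
        out_port = self.mac_port.get(dst_mac.lower())       # S404
        if out_port is None:                                # S416: unknown MAC
            if not in_domains:
                return ("drop", [])   # input port in no domain: discard
            members = set().union(*(self.domains[d] for d in in_domains))
            return ("flood", sorted(members - {in_port}))
        if not in_domains & self.domains_of(out_port):      # S406
            return ("drop", [])       # different domains: isolate
        if out_port[0] == in_port[0]:                       # S408: same switch
            return ("forward", [out_port])                  # S410
        if self.reachable(in_port[0], out_port[0]):         # S412
            return ("forward", [out_port])                  # back to S410
        return ("drop", [])                                 # S414


def build_sample() -> DomainIsolator:
    """Domains as described for Table -1; links and MACs are constructed."""
    def ports(switches, names):
        return {(s, p) for s in switches for p in names}

    iso = DomainIsolator(
        domains={
            "A": ports(["SW1", "SW2", "SW3"], ["g0/1", "g0/2", "g0/3"]),
            "B": ports(["SW1", "SW2"], ["g0/4", "g0/5", "g0/6"]),
            "C": ports(["SW1"], ["g0/7", "g0/8", "g0/9"]),
        },
        # Assumed topology: SW1 and SW2 are linked, SW3 has no path to them.
        links={"SW1": {"SW2"}, "SW2": {"SW1"}, "SW3": set()},
    )
    iso.learn("02:00:00:00:00:01", ("SW1", "g0/2"))  # domain A, same switch
    iso.learn("02:00:00:00:00:02", ("SW2", "g0/3"))  # domain A, reachable
    iso.learn("02:00:00:00:00:03", ("SW3", "g0/1"))  # domain A, unreachable
    iso.learn("02:00:00:00:00:04", ("SW1", "g0/4"))  # domain B
    return iso


if __name__ == "__main__":
    iso = build_sample()
    src = ("SW1", "g0/1")
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03",
                "02:00:00:00:00:04", "02:00:00:00:00:ff"):
        print(mac, iso.decide(src, mac))
```
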
In the method for above embodiment, data processing unit 104 also controls and receives the SDN exchange of forwarding flow table When the storage of machine 2 and updating the received forwarding flow table of institute, and then be received again by data message, judges whether there is matching and receive Data message forwarding flow table, and then improve data message forward efficiency.
In the method for above embodiment, quarantine domain administrative unit 100 can also be according to user demand to isolation Domain is checked, is updated, is deleted, and then realizes the flexible management of quarantine domain.
In the method for above-mentioned embodiment, isolation can also provide according to the demand of user with management single-ended 100 The legitimacy of MAC Address and port ownership, it is regular according to this legitimacy, determine MAC-PORT table and network domain list such as table- 1, in table -2 corresponding relationship legitimacy so that self-learning function and the corresponding relationship of user's input have certain safety It ensures.
By executing the above-mentioned network domains partition method based on SDN, the isolation of the realization network of freedom and flexibility, and then not The range of network message broadcast is effectively controlled in the case where the function of relying on traditional VLAN and access control, it is a degree of Improve the safety of network.Meanwhile more complicated isolation scene demand may be implemented in this method, such as realizes more fine granularity Isolation --- the isolation based on some port+MAC;The isolation of special screne is realized in the case where for example needing to virtualize again, I.e. the isolation of Intrusion Detection based on host MAC can automatically realize its isolation when virtual machine (vm) migration is to another physical location Configuration follows.
It should be noted that embodiment as described above, does not constitute the restriction to invention protection scope.It is any in this hair Made modification in bright spirit and principle, equivalent replacement and improvement etc., should be included within the scope of the present invention.

Claims (10)

1. A network domain isolation method based on SDN, applied to an SDN controller, the SDN controller being connected to SDN switches and including a MAC address and port relation table, characterized by comprising: establishing a network domain list according to user demand, the network domain list including the ports of the SDN switches in the network and dividing the ports of the SDN switches into several network domains;
receiving the data message that the SDN switch has received and forwarded, and recording the destination MAC address in the data message and the port on which the SDN switch received the data message;
looking up whether the MAC address and port relation table contains a port matching the destination MAC address;
if it does, judging whether the port matching the destination MAC address and the port on which the SDN switch received the data message are in the same network domain in the network domain list;
if so, judging whether the port matching the destination MAC address and the port that received the data message are located on the same SDN switch;
if so, generating and issuing a forwarding flow table according to the port matching the destination MAC address;
if not, further judging whether there is a reachable path between the port matching the destination MAC address and the port that received the data message; if there is a reachable path, generating and issuing the forwarding flow table according to the port matching the destination MAC address.
2. The network domain isolation method based on SDN as described in claim 1, characterized by further comprising:
if the MAC address and port relation table contains no port matching the destination MAC address, determining the network domain according to the port that received the data message, and then broadcasting to the other ports in the determined network domain, excluding the port that received the data message.
3. The network domain isolation method based on SDN as described in claim 1, characterized in that the step of generating and issuing the forwarding flow table according to the port matching the destination MAC address further comprises:
if there is no reachable path, controlling the SDN switch that received the data message to discard the data message.
4. The network domain isolation method based on SDN as described in claim 1, characterized in that the network domain list may also include the MAC addresses of associated hosts.
5. The network domain isolation method based on SDN as described in claim 1, characterized in that the network domain list can also be viewed, updated and deleted according to user demand.
6. a kind of network domains isolating device based on SDN is applied to SDN controller, the SDN controller connects SDN switch, And including MAC Address and port relation table characterized by comprising
Quarantine domain administrative unit, for establishing network domain list according to user demand, the network domain list includes institute in network The port of SDN switch is stated, and the port of the SDN switch is divided into several network domains;
Message receiving unit, the data message for receiving and forwarding for receiving the SDN switch, and record the data message In target MAC (Media Access Control) address and the SDN switch receive the port of the data message;
And data processing unit, for searching the MAC Address and port relation table with the presence or absence of matching the target MAC (Media Access Control) address Port;If it exists, then the port and the SDN switch for judging the matching target MAC (Media Access Control) address receive the data The port of message is with the presence or absence of in the same network domains in the network domain list;If so, judging the matching Whether the port of the target MAC (Media Access Control) address and the port for receiving the data message are located at same SDN switch;If It is that then the port according to the matching target MAC (Media Access Control) address generates and issues forwarding flow table;If it is not, then further judgement Whether have up to road between the port and the port for receiving the data message of the matching target MAC (Media Access Control) address Diameter;If having reachable path, the port according to the matching target MAC (Media Access Control) address generates and issues the forwarding flow table.
7. the network domains isolating device based on SDN as claimed in claim 6, which is characterized in that the data processing unit is also For being connect according to described in when the port for matching the target MAC (Media Access Control) address is not present with port relation table in the MAC Address The port for receiving the data message determines the network domains, and then receives the number except described in the determining network domains It is broadcasted according to other ports except the port of message.
8. the network domains isolating device based on SDN as claimed in claim 6, which is characterized in that the data processing unit is also For when not having reachable path, then the SDN switch for controlling and receiving data message to abandon the data message.
9. the network domains isolating device based on SDN as claimed in claim 6, which is characterized in that in the network domain list also It may include the MAC Address for being associated with host.
10. the network domains isolating device based on SDN as claimed in claim 6, which is characterized in that the network domain list may be used also To be checked, be updated according to user demand, be deleted.
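The controller-side decision procedure of claims 1 to 3, as an added Python example that is not code from the patent. The class and field names, the breadth-first path check, the drop when the matched port lies in a different domain, and the handling of a port listed in several domains are assumptions; the topology and MAC table are constructed sample data.

```python
from collections import deque

class DomainIsolator:
    """Controller-side decision for one data message (hypothetical names)."""

    def __init__(self, domains, links, mac_to_port):
        self.domains = domains          # network domain list: name -> {(switch, port)}
        self.mac_to_port = mac_to_port  # MAC address and port relation table
        self.adj = {}                   # switch adjacency built from inter-switch links
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)

    def _domains_of(self, port):
        return [ports for ports in self.domains.values() if port in ports]

    def _reachable(self, src, dst):
        # Breadth-first search over switches stands in for the path check.
        seen, queue = {src}, deque([src])
        while queue:
            sw = queue.popleft()
            if sw == dst:
                return True
            for nxt in self.adj.get(sw, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def decide(self, dst_mac, in_port):
        in_domains = self._domains_of(in_port)
        out_port = self.mac_to_port.get(dst_mac)
        if out_port is None:
            # Claim 2: unknown destination, flood only inside the ingress domain.
            targets = set().union(*in_domains) - {in_port}
            return ("flood", sorted(targets)) if targets else ("drop", [])
        if not any(out_port in ports for ports in in_domains):
            return ("drop", [])  # assumption: the claims leave this branch unstated
        if out_port[0] == in_port[0] or self._reachable(in_port[0], out_port[0]):
            return ("forward", [out_port])  # claim 1: issue the forwarding flow table
        return ("drop", [])  # claim 3: same domain but no reachable path

# Constructed sample data: s1 and s2 are linked, s3 has no link to either.
DEMO = DomainIsolator(
    domains={"office": {("s1", 1), ("s1", 2), ("s2", 1), ("s3", 1)},
             "lab": {("s1", 3), ("s2", 2)}},
    links=[("s1", "s2")],
    mac_to_port={"aa": ("s1", 2), "bb": ("s2", 1), "cc": ("s1", 3), "dd": ("s3", 1)},
)
```

With this data, a message for `cc` arriving on `("s1", 1)` is dropped because the matched port sits in a different domain, and an unknown MAC arriving on `("s1", 3)` is flooded only to `("s2", 2)`.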
CN201610597418.4A 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN Active CN106161457B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610597418.4A CN106161457B (en) 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN

Publications (2)

Publication Number Publication Date
CN106161457A CN106161457A (en) 2016-11-23
CN106161457B true CN106161457B (en) 2019-09-27

Family

ID=58059915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610597418.4A Active CN106161457B (en) 2016-07-26 2016-07-26 Network domains isolating device and method based on SDN

Country Status (1)

Country Link
CN (1) CN106161457B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534201B (en) * 2016-12-26 2019-01-29 杭州盈高科技有限公司 A kind of virtual machine risk under SDN environment quickly isolates method
CN106878986B (en) * 2017-01-05 2021-03-26 新华三技术有限公司 User isolation method and device
CN106961394A (en) * 2017-03-31 2017-07-18 联想(北京)有限公司 Suppress interchanger to flood the method and apparatus of storm
CN107733718B (en) * 2017-11-03 2020-11-03 中国电子科技网络信息安全有限公司 Security isolation detection method for large-scale SDN network
CN111835859B (en) * 2020-07-20 2022-11-15 安徽华速达电子科技有限公司 Method for operating local area network equipment controller in cross-network segment mode and intelligent optical network equipment
CN112804131B (en) * 2021-01-08 2021-12-07 上海自恒信息科技有限公司 Access control method based on VLAN structure

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166876A (en) * 2011-12-08 2013-06-19 中兴通讯股份有限公司 Transmission method for data among OpenFlow network domains and device
CN103986663A (en) * 2014-05-08 2014-08-13 中国联合网络通信集团有限公司 Data center, method for processing data and network controller
CN105227363A (en) * 2015-10-08 2016-01-06 上海斐讯数据通信技术有限公司 A kind of whole network port separation method based on SDN and device
CN105703960A (en) * 2016-04-25 2016-06-22 刘昱 Network function management system based on SDN and method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10003641B2 (en) * 2014-09-16 2018-06-19 Telefonaktiebolaget Lm Ericsson (Publ) Method and system of session-aware load balancing
US9497123B2 (en) * 2014-12-18 2016-11-15 Telefonaktiebolaget L M Ericsson (Publ) Method and system for load balancing in a software-defined networking (SDN) system upon server reconfiguration

Also Published As

Publication number Publication date
CN106161457A (en) 2016-11-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant