CN106850382A - A kind of flow lead method and device - Google Patents
- Publication number: CN106850382A (application CN201611105531.2A)
- Authority: CN (China)
- Prior art keywords: vlan, message, address, layer retransmitting, mac
- Legal status: Granted
Classifications
- H04L12/465 Details on frame tagging wherein a single frame includes a plurality of VLAN tags
- H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
- H04L45/66 Layer 2 routing, e.g. in Ethernet based MANs
- H04L45/745 Address table lookup; Address filtering
- H04L47/806 Broadcast or multicast traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The application relates to the field of network security, and in particular to a flow lead (traffic steering) method and device. It addresses the need in the prior art for a traction mechanism that can draw the messages transmitted between the virtual machines in a given VLAN into a third-party VM. The flow lead method provided by the embodiments of the application includes: receiving a message sent via a source port by a first VM in a first VLAN, the message carrying a destination MAC (Media Access Control) address and a first VLAN tag; generating, based on a pre-set rule, a two-layer (Layer 2) forwarding table corresponding to that rule; looking up, based on the two-layer forwarding table, the destination port ID and VLAN ID corresponding to the destination MAC address; changing the first VLAN tag carried in the message to a second VLAN tag corresponding to that VLAN ID; and forwarding the message carrying the second VLAN tag via the destination port to a second VM in a second VLAN.
Description
Technical field
The application relates to the field of network security, and in particular to a flow lead method and device.
Background technology
At present, given how existing servers are run, a server can only run one operating system and one application at a time, so even a small data center needs to deploy a large number of servers. This not only makes the utilization rate of each server very low, it also greatly increases the cost of data processing. To overcome this defect, virtualization software such as VMware vSphere or Huawei FusionSphere can be used to simulate hardware and create virtual computer systems. Here a virtual computer system, that is, a virtual machine (Virtual Machine, VM), is a tightly isolated software container that contains an operating system and applications. By placing many virtual machines on one computer, multiple operating systems and applications can run on a single physical server. Information exchange between the virtual machines on the same physical server is carried by east-west traffic (east-west traffic being the messages transmitted between virtual machines).
Fig. 1 is a networking diagram of virtual machines in an existing virtualized environment. The virtual machine host, a physical server, contains virtual switch 0 and the virtual machines VM11, VM12, VM13 and VM14; VM11, VM12, VM13 and VM14 are each connected to virtual switch 0, and all four virtual machines are in the same virtual local area network (Virtual Local Area Network, VLAN). According to existing Layer 2 switching technology, messages can only be broadcast and forwarded between virtual machines within the same VLAN. So when VM13 accesses VM14, it only needs to send the message to virtual switch 0, which then forwards the message to VM14. As a result, the messages transmitted between virtual machines in an existing virtualized environment cannot be passed through a third-party VM (a virtual machine located in another VLAN) for security protection.
It can be seen that a traction mechanism is needed that can draw the messages transmitted between the virtual machines in a given VLAN into a third-party VM.
The content of the invention
The embodiments of the application provide a flow lead method and device, used to solve the prior-art problem that a traction mechanism is needed which can draw the messages transmitted between the virtual machines in a given VLAN into a third-party VM.
The embodiments of the application provide a flow lead method, comprising:
receiving a message sent via a source port by a first virtual machine VM in a first virtual local area network VLAN, the message carrying a destination MAC address and a first VLAN tag;
based on a pre-set rule, generating a two-layer forwarding table corresponding to the pre-set rule;
based on the two-layer forwarding table, looking up the destination port identity ID and VLAN ID corresponding to the destination MAC address;
changing the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
forwarding the message carrying the second VLAN tag via the destination port found to a second VM in a second VLAN.
The embodiments of the application provide a flow lead device, comprising:
a receiving module, for receiving a message sent via a source port by a first virtual machine VM in a first virtual local area network VLAN, the message carrying a destination MAC address and a first VLAN tag;
a generation module, for generating, based on a pre-set rule, a two-layer forwarding table corresponding to the pre-set rule;
a lookup module, for looking up, based on the two-layer forwarding table, the destination port identity ID and VLAN ID corresponding to the destination MAC address;
a tag-changing module, for changing the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
a sending module, for forwarding the message carrying the second VLAN tag via the destination port found to a second VM in a second VLAN.
In the embodiments of the application, after the message sent via the source port by the first VM in the first VLAN is received, the destination port ID and VLAN ID corresponding to the destination MAC address carried in the message can be queried in the two-layer forwarding table, the first VLAN tag carried in the message can be changed to the second VLAN tag corresponding to the VLAN ID found, and finally the message carrying the second VLAN tag can be forwarded via the destination port found to the second VM in the second VLAN. With the traction mechanism proposed by the application, the messages transmitted between the virtual machines in a given VLAN can be successfully drawn into a third-party VM for security protection and other processing. In addition, the embodiments of the application use a pre-set rule to place each port under different VLANs, together with the VLAN corresponding to each port, in the same broadcast domain, and collect the MAC address information carried in the messages transmitted by each VM in that broadcast domain, so as to form a complete two-layer forwarding table. This table records the three-way correspondence between the MAC address information, port ID and VLAN ID of the virtual machines under different VLANs. When a virtual machine forwards a message, querying this two-layer forwarding table allows the message to be broadcast and forwarded across different VLANs, overcoming the limitation of existing Layer 2 forwarding technology that messages can only be broadcast and forwarded within the same VLAN. Moreover, under this traction mechanism, messages in a virtualized environment can be drawn without relying on the RESTful APIs authorized by the virtualization vendor (the vendor's internal interfaces), so the mechanism adapts to the virtualized environments provided by various virtualization vendors.
Brief description of the drawings
Fig. 1 is a networking diagram of virtual machines in an existing virtualized environment;
Fig. 2 is a flow diagram of the flow lead method provided by embodiment one of the application;
Fig. 3 is a networking diagram of virtual machines in the improved virtualized environment provided by embodiment two of the application;
Fig. 4 is the networking diagram after improving the networking shown in Fig. 1;
Fig. 5 is a structural diagram of the flow lead device provided by embodiment three of the application.
Specific embodiment
The embodiments of the application are described in further detail below with reference to the accompanying drawings.
Embodiment one
As shown in Fig. 2, the flow lead method provided by embodiment one of the application comprises the following steps:
S201: Receive the message sent via a source port by a first VM in a first VLAN; the message carries a destination Media Access Control (Medium Access Control, MAC) address and a first VLAN tag.
Here, besides the destination MAC address and the first VLAN tag, the message also carries a source MAC address. In a specific implementation, the source MAC address can be used to determine via which port the message was received, that is, to determine the source port of the virtual machine (the first VM) that sent the message. Likewise, the destination MAC address can be used to determine to which port the message is to be sent, that is, to determine the destination port of the virtual machine (the second VM) that is to receive the message. The first VLAN tag may be a VLAN tag set when the message passes through some virtual switch on its way from the first VM to the second VM.
S202: Based on a pre-set rule, generate a two-layer forwarding table corresponding to the pre-set rule.
In a specific implementation, based on the pre-set rule, each port under different VLANs in the virtual environment, together with the VLAN corresponding to each port, can be placed in the same VLAN broadcast domain. Specifically, the IDs of multiple specified ports and the IDs of the VLANs corresponding to those ports can be composed into one set, so that the set composed of multiple ports under different VLANs and their corresponding VLANs is assigned to the same VLAN broadcast domain, and broadcast messages can be transmitted between VMs under different VLANs. Here, the correspondence between port ID and VLAN ID may be one-to-one, one port ID may correspond to multiple different VLAN IDs, or multiple port IDs may correspond to the same VLAN ID.
In a specific implementation, based on the pre-set rule, the correspondence between each port ID and VLAN ID in the broadcast domain that has been set can be recorded in the two-layer forwarding table. Here, the two-layer forwarding table is an initial forwarding table that stores the correspondence between each port ID and VLAN ID in the broadcast domain described above.
To further determine the three-way correspondence between MAC address information, port ID and VLAN ID, the source MAC address information in a message can be obtained after the message is received, and the correspondence between the source MAC address information, the source port ID and the source VLAN ID can be stored in the two-layer forwarding table. In this way, by receiving the messages sent by each virtual machine in the broadcast domain and obtaining the source MAC address of each message, the correspondence between the MAC address information, port ID and VLAN ID of each virtual machine in the broadcast domain can be stored in the two-layer forwarding table, for forwarding messages subsequently based on that table.
Here, steps S201 and S202 have no particular order of execution: the two-layer forwarding table may be built from the pre-set rule before a message is received, or built from the pre-set rule after a message is received. Also, the two-layer forwarding table is allowed to lack MAC address information; the MAC address information carried in the messages sent by each VM is collected subsequently and used to update the two-layer forwarding table.
S203: Based on the two-layer forwarding table, look up the destination port identity (IDentity, ID) and VLAN ID corresponding to the destination MAC address.
In a specific implementation, the destination port ID corresponding to the destination MAC address carried in the message and the VLAN ID corresponding to the destination MAC address can be looked up as follows:
First, search the two-layer forwarding table for a MAC address identical to the destination MAC address. If such a MAC address is found in the two-layer forwarding table, further determine, based on the three-way correspondence between MAC address information, port ID and VLAN ID stored in the table, the port ID and VLAN ID corresponding to the MAC address found. Here, the port ID determined is the destination port ID, and the VLAN ID determined is the VLAN ID corresponding to the destination MAC address;
If no MAC address identical to the destination MAC address is found in the two-layer forwarding table, or the destination MAC address is a broadcast address, the message can be broadcast within the broadcast domain corresponding to the pre-set rule. Specifically:
According to the correspondence between each port ID and VLAN ID in the broadcast domain set by the rule above, broadcast the message to the other VMs in the broadcast domain, where the other VMs do not include the first VM in the first VLAN but do include the second VM in the second VLAN.
In addition, after the second VM in the second VLAN in the broadcast domain receives the broadcast message and recognizes that the destination MAC address carried in it is identical to its own MAC address, it can also reply with a message to the first VM. After the message sent by the second VM in the second VLAN in the broadcast domain is received, the port ID and VLAN ID on which that message was received, together with the MAC address of the second VM, can be recorded in the two-layer forwarding table. Once the port ID and VLAN ID corresponding to the MAC address information of the second VM have been determined by the process above, the next time a message whose destination address is the MAC address of the second VM is forwarded, the destination port ID can be queried directly in the two-layer forwarding table, and it is no longer necessary to broadcast to all ports in the broadcast domain.
S204: Change the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found.
S205: Forward the message carrying the second VLAN tag via the destination port found to the second VM in the second VLAN.
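Steps S201 to S205 as a small Python model of the drainage system's two-layer forwarding table, added here as an illustration and not code from the patent: the broadcast domain is the pre-set rule (a set of port ID / VLAN ID pairs), MAC addresses are learned from received messages, unknown or broadcast destinations are flooded to the other pairs of the domain, and a known destination gets its tag rewritten (S204) and a single egress (S205). It is driven through the Fig. 4 topology (VLAN1/Port1, VLAN13/Port0, VLAN14/Port0); the MAC addresses are constructed, and the MAC-move record is an added defensive check, since a table that trusts source MACs can be re-pointed by a spoofed source.

```python
from dataclasses import dataclass, field, replace

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """The fields of a message that the drainage system acts on."""
    src_mac: str
    dst_mac: str
    vlan: int  # the VLAN tag currently carried (set by the virtual switch at ingress)


@dataclass
class DrainageTable:
    """Two-layer forwarding table of the drainage system (steps S202 and S203)."""
    # Pre-set rule: the broadcast domain is a set of (port ID, VLAN ID) pairs.
    domain: frozenset
    # Learned MAC -> (port ID, VLAN ID); empty in the initial state.
    entries: dict = field(default_factory=dict)
    # MACs seen moving between (port, VLAN) pairs. The table trusts source MACs,
    # so a spoofed source would silently re-point an entry; record it for alerting.
    moves: list = field(default_factory=list)

    def learn(self, frame, ingress_port):
        """Record source MAC -> (ingress port, carried VLAN) if the pair is in the domain."""
        key = (ingress_port, frame.vlan)
        if key not in self.domain:
            raise ValueError(f"{key} is not in the configured broadcast domain")
        old = self.entries.get(frame.src_mac)
        if old is not None and old != key:
            self.moves.append((frame.src_mac, old, key))
        self.entries[frame.src_mac] = key

    def forward(self, frame, ingress_port):
        """Return [(egress port, frame with its VLAN tag rewritten), ...]."""
        self.learn(frame, ingress_port)
        hit = self.entries.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST_MAC or hit is None:
            # Unknown or broadcast destination: flood to every other (port, VLAN)
            # pair in the domain, each copy retagged for its target VLAN.
            return [(port, replace(frame, vlan=vlan))
                    for port, vlan in sorted(self.domain)
                    if (port, vlan) != (ingress_port, frame.vlan)]
        port, vlan = hit
        return [(port, replace(frame, vlan=vlan))]  # S204 rewrite, S205 single egress


# Constructed MAC addresses for the Fig. 4 walkthrough (not values from the text).
VM13_MAC = "00:00:00:00:00:13"
VM14_MAC = "00:00:00:00:00:14"


def fig4_walkthrough():
    """Drive the table through the VM13 -> VM14 exchange; return each step's result."""
    table = DrainageTable(domain=frozenset({("Port1", 1), ("Port0", 13), ("Port0", 14)}))
    # 1. VM13 -> VM14 while VM14 is unknown: flooded to VLAN1/Port1 and VLAN14/Port0.
    first = table.forward(Frame(VM13_MAC, VM14_MAC, 13), "Port0")
    # 2. VM14 replies; VM13 is already known, and VM14 is learned on (Port0, 14).
    reply = table.forward(Frame(VM14_MAC, VM13_MAC, 14), "Port0")
    # 3. VM13 -> VM14 again: a single egress, tag rewritten 13 -> 14, no flooding.
    second = table.forward(Frame(VM13_MAC, VM14_MAC, 13), "Port0")
    return first, reply, second, dict(table.entries), list(table.moves)


if __name__ == "__main__":
    for step in fig4_walkthrough()[:3]:
        print([(port, f.dst_mac, f.vlan) for port, f in step])
```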
In the embodiments of the application, after the message sent via the source port by the first VM in the first VLAN is received, the destination port ID corresponding to the destination MAC address carried in the message and the VLAN ID corresponding to that destination port can be queried in the two-layer forwarding table, the first VLAN tag carried in the message can be changed to the second VLAN tag corresponding to the VLAN ID found, and finally the message carrying the second VLAN tag can be forwarded via the destination port found to the second VM in the second VLAN. With the traction mechanism proposed by the application, the messages transmitted between the virtual machines in a given VLAN can be successfully drawn into a third-party VM for security protection and other processing. In addition, the embodiments of the application use a pre-set rule to place each port under different VLANs, together with the VLAN corresponding to each port, in the same broadcast domain, and collect the MAC address information carried in the messages transmitted by each VM in that broadcast domain, so as to form a complete two-layer forwarding table that records the three-way correspondence between the MAC address information, port ID and VLAN ID of the virtual machines under different VLANs. When a virtual machine forwards a message, querying this two-layer forwarding table allows the message to be broadcast and forwarded across different VLANs, overcoming the limitation of existing Layer 2 forwarding technology that messages can only be broadcast and forwarded within the same VLAN. Moreover, under this traction mechanism, messages in a virtualized environment can be drawn without relying on the RESTful APIs authorized by the virtualization vendor (the vendor's internal interfaces), so the mechanism adapts to the virtualized environments provided by various virtualization vendors.
To better achieve the technical effect of the embodiments of the application with the traction method provided by embodiment one, the application also improves the networking structure between virtual machines in the existing virtualized environment; see embodiment two of the application for details.
Embodiment two
As shown in Fig. 3, embodiment two of the application provides a networking diagram of virtual machines in an improved virtualized environment. The system includes a first virtual machine VM31, a second virtual machine VM32, a virtual switch, and a drainage system in a secure processing unit. Here, the secure processing unit can be placed on a third virtual machine VM33.
Specifically, VM31 and VM32 are each connected to the virtual switch: VM31 is connected to the first port Port31 of the virtual switch and uses VLAN31, and VM32 is connected to the second port Port32 of the virtual switch and uses VLAN32. Here, the first and second ports can be set to the Access type. A port of this type belongs to only one VLAN and only lets through messages whose VLAN tag matches that VLAN ID; that is, Port31 lets through messages carrying the VLAN31 tag and Port32 lets through messages carrying the VLAN32 tag. When Port31 or Port32 needs to send a message, the VLAN tag matching its VLAN ID is removed from the message before it is forwarded.
The virtual switch is connected through its third port Port33 to the fourth port Port34 of VM33. The third and fourth ports can be set to the Trunk type; a port of this type may belong to multiple VLANs, and these two ports can be configured to let through messages carrying the VLAN31 tag or the VLAN32 tag. When Port33 or Port34 needs to send a message, the VLAN tag carried in the message is retained when the message is forwarded.
In the embodiments of the application, if VM31 needs to access VM32, VM31 can send a message destined for VM32 to the virtual switch. The message carries a source MAC address and a destination MAC address: the source MAC address is VM31's MAC address, and the destination MAC address is set in this embodiment to VM32's MAC address; in practical applications the destination MAC address may also be a broadcast address.
The virtual switch receives the message sent by VM31 through Port31 and sets for it a first VLAN tag corresponding to the VLAN in which VM31 is located, that is, the VLAN31 tag. Because a message carrying the VLAN31 tag cannot pass through Port32 of the virtual switch but can pass through Port33 of the virtual switch and Port34 of VM33, the virtual switch forwards the message from its own Port33 to Port34 of VM33, so that the message is successfully forwarded to the secure processing unit in VM33 for security processing.
Here, the secure processing unit not only has a security protection function; the drainage system in the secure processing unit can also, according to a pre-set rule, allow the message to be broadcast and forwarded within a pre-set set composed of multiple ports and the VLANs corresponding to those ports.
In a specific implementation, after the secure processing unit has performed security processing on the received message, the drainage system in the secure processing unit can look up, based on a pre-stored two-layer forwarding table, the destination port ID corresponding to the destination MAC address carried in the message and the VLAN ID corresponding to that destination port. After finding that the destination port ID corresponding to the message's destination MAC address is Port34, it changes the first VLAN tag VLAN31 carried in the message to the second VLAN tag VLAN32, which corresponds to the VLAN of the destination VM32. Once the tag rewrite on the message is completed, the secure processing unit sends the message carrying the VLAN32 tag from Port34 of VM33 to Port33 of the virtual switch.
After receiving the message, the virtual switch can, based on the destination MAC address carried in the message, query its own two-layer forwarding table for the destination port ID corresponding to that destination MAC address; after determining that the destination port is Port32, it sends the message via Port32 to the destination virtual machine VM32. In this way the message sent by VM31 is, after security processing, drawn by the drainage system in the secure processing unit to the destination virtual machine VM32. It should be noted that the two-layer forwarding table in the virtual switch differs from the two-layer forwarding table in the drainage system. The table in the virtual switch is the unimproved two-layer forwarding table of the prior art, which records the relation between each port ID of the virtual machines under the same VLAN and that same VLAN ID. In the drainage system provided by the embodiments of the application, by contrast, the pre-set rule can place virtual machines under different VLANs in the same broadcast domain, and the combinations of port ID and VLAN ID across different VLANs are recorded in the improved two-layer forwarding table.
The networking diagram of the security protection system provided by the embodiments of the application is for reference only; in practical applications, traffic can be drawn selectively according to requirements such as the security of the messages in the virtual machines. For example, in the networking diagram shown in Fig. 1, if the messages transmitted between VM13 and VM14 have higher security requirements and need security protection, those messages can be drawn to the secure processing unit for security processing and then drawn by the drainage system in the secure processing unit to the destination virtual machine.
Fig. 4 is the networking diagram after improving the networking shown in Fig. 1.
Specifically, VM13 and VM14 are disconnected from virtual switch 0 of the original Fig. 1, a new virtual switch 1 is built in the server, and VM13 and VM14 are each connected to virtual switch 1: VM13 is connected to port Port13 of virtual switch 1 and uses the new VLAN13, and VM14 is connected to port Port14 of virtual switch 1 and uses the new VLAN14. At the same time, a new virtual machine VM15 is built in the server, the secure processing unit runs on this virtual machine, and a drainage system is provided in the secure processing unit. Virtual switch 1 is connected through its port Port0 to Port0 of VM15, and the two interconnected ports are set to the trunk type, allowing messages carrying the VLAN13 or VLAN14 tag to pass. VM15 is connected to the original virtual switch 0 through port Port1, and Port1 is also set to the trunk type, allowing messages carrying the VLAN1 tag to pass.
Here, the drainage system in the secure processing unit is configured with a drainage rule that places VLAN1 with Port1, VLAN13 with Port0, and VLAN14 with Port0 in one broadcast domain. The drainage system contains a two-layer forwarding table internally; in the initial state, the table records the correspondence between each VLAN and port Port in the broadcast domain, as shown in Table one:
Table one
Because the drainage system has not yet received any message, its internal two-layer forwarding table is in the initial state, and the MAC address information in the table is still to be filled. As messages are received, the MAC address information learned from them is used to record the three-way correspondence between MAC address information, port ID and VLAN ID.
For example, if VM13 needs to access VM14, VM13 sends a message carrying a source MAC address (VM13's MAC address) and a destination MAC address (here the destination MAC address can be VM14's MAC address or a broadcast address) into virtual switch 1 from Port13. Virtual switch 1 sets a VLAN13 tag on the message and forwards it from the switch's Port0 to Port0 of VM15.
After receiving the VLAN13-tagged message transmitted in through Port0, the drainage system obtains the source MAC address in the message (VM13's MAC address) and records the correspondence between VM13's MAC address, Port0 and VLAN13 in the two-layer forwarding table. When forwarding the message, because the initial two-layer forwarding table holds no MAC address information about VM14, no corresponding port can be found to send the message to. In this case the message can be broadcast within the broadcast domain. When a virtual machine in the broadcast domain receives the message and recognizes that the destination MAC address carried in it is its own MAC address or a broadcast address, it may reply with a message. So in this example, after VM14 receives the message and recognizes that its destination MAC address is its own MAC address or a broadcast address, if it needs to reply to VM13, the reply message from VM14 also enters virtual switch 1 from Port14; virtual switch 1 sets a VLAN14 tag on it and forwards it from the switch's Port0 to Port0 of VM15. After the drainage system in VM15 receives, through Port0, the message carrying VM14's MAC address information and the VLAN14 tag, it can record the correspondence between VM14's MAC address, Port0 and VLAN14 in the two-layer forwarding table.
Similarly, when VM13 accesses VM11, when VM13 accesses VM14, or when VM14 accesses VM11, the traffic steering device learns from each message and records the three-way correspondence among MAC address, port ID and VLAN ID. Eventually the complete Layer 2 forwarding table for the broadcast domain is generated, as shown in Table 2.
Table 2
VLAN ID | Port ID | MAC |
---|---|---|
VLAN 1 | Port 1 | VM11 MAC |
VLAN 1 | Port 1 | VM12 MAC |
VLAN 13 | Port 0 | VM13 MAC |
VLAN 14 | Port 0 | VM14 MAC |
After the above Layer 2 forwarding table has been updated, if VM13 continues to access VM14, the specific flow for applying security protection and traffic steering to the messages transmitted between VM13 and VM14 may be as follows:
The message sent by VM13 enters virtual switch 1 through Port13; virtual switch 1 tags the message with VLAN13 and forwards it from its own Port0 to Port0 of VM15. After the security processing unit of VM15 has applied security processing to the message, the traffic steering device in the security processing unit searches its internal Layer 2 forwarding table for the destination port ID corresponding to the destination MAC address (here assumed to be the MAC address of VM14) and the VLAN ID corresponding to that destination port, obtaining destination port ID Port 0 and VLAN ID VLAN 14. The tag of the message is then changed from VLAN13 to VLAN14 and the message is forwarded to virtual switch 1; virtual switch 1 strips the tag and forwards the traffic from port Port14 to VM14.
In addition, if the destination MAC address of the message is not found in the Layer 2 forwarding table, or the destination MAC address of the message is a broadcast address, broadcasting the message to the broadcast domain it belongs to may specifically be: replicate the message, change its VLAN tag from VLAN13 to VLAN1 and send it from Port 1; replicate the message again, change its VLAN tag from VLAN13 to VLAN14 and send it from Port 0.
If VM13 needs to access VM11, the specific flow for applying security protection and traffic steering to the messages transmitted between VM13 and VM11 may be as follows:
The message sent by VM13 enters virtual switch 1 through Port13; virtual switch 1 tags the message with VLAN13 and forwards it from its own Port0 to Port0 of VM15. After the security processing unit of VM15 has applied security processing to the message, the traffic steering device in the security processing unit searches its internal Layer 2 forwarding table for the destination port ID corresponding to the destination MAC address (the MAC address of VM11) and the VLAN ID corresponding to that destination port, obtaining destination port ID Port1 and VLAN ID VLAN 1. The tag of the message is then changed from VLAN13 to VLAN1 and the message is forwarded to virtual switch 0; virtual switch 0 strips the tag and forwards the traffic on to VM11.
In addition, if the destination MAC address of the message is not found in the Layer 2 forwarding table, or the destination MAC address of the message is a broadcast address, broadcasting the message to the broadcast domain it belongs to may specifically be: replicate the message, change its VLAN tag from VLAN13 to VLAN1 and send it from Port 1; replicate the message again, change its VLAN tag from VLAN13 to VLAN14 and send it from Port 0.
Based on the same inventive concept, an embodiment of the present application further provides a traffic steering device corresponding to the traffic steering method. Since the principle by which the device solves the problem is similar to that of the traffic steering method in the embodiment of the present invention, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Embodiment 3
As shown in Figure 5, the structure of the traffic steering device provided by Embodiment 3 of the present application includes:
Receiving module 51, configured to receive, via a source port, a message sent by a first virtual machine (VM) in a first virtual local area network (VLAN), the message carrying a destination MAC address and a first VLAN tag;
Generation module 52, configured to generate, based on a pre-set rule, a Layer 2 forwarding table corresponding to the pre-set rule;
Search module 53, configured to search the Layer 2 forwarding table for the destination port identifier (ID) and VLAN ID corresponding to the destination MAC address;
Tag change module 54, configured to change the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
Sending module 55, configured to forward the message carrying the second VLAN tag, via the destination port found, to a second VM in a second VLAN.
Optionally, the generation module 52 is specifically configured to:
assign each port under the specified different VLANs, together with the VLAN respectively corresponding to each of those ports, to the same broadcast domain; and
record the correspondence between each port ID and VLAN ID in the Layer 2 forwarding table.
Optionally, the message also carries a source MAC address;
the device further includes:
Storage module 56, configured to record the source MAC address carried in the message, the source port ID and the VLAN ID corresponding to the first VLAN tag in the Layer 2 forwarding table, so that messages can subsequently be forwarded based on the Layer 2 forwarding table.
Optionally, the search module 53 is specifically configured to:
search the Layer 2 forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, determine the destination port ID and VLAN ID corresponding to the MAC address found.
Optionally, the search module 53 is further configured to:
if no MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, broadcast the message to the other VMs in the broadcast domain determined based on the pre-set rule, where the other VMs do not include the first VM in the first VLAN but do include the second VM in the second VLAN.
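The learning, lookup, tag-rewriting and flooding behaviour described in the VM13/VM14 walkthrough above and in the receiving, generation, search, tag change and sending modules is condensed below into an added Python example; it is not code from the patent, and the `SteeringDevice` class, the `walk_through` function, the MAC addresses and the (port, VLAN) members of the domain are constructed for illustration. The check that refuses to learn from a (port, VLAN) pair outside the pre-set domain is an added hardening assumption, not something the patent states.

```python
from dataclasses import dataclass, field

# Constructed sample MAC addresses for the VMs of the example (not from the patent).
VM11_MAC = "02:00:00:00:00:11"
VM13_MAC = "02:00:00:00:00:13"
VM14_MAC = "02:00:00:00:00:14"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """A VLAN-tagged message as seen by the steering device."""
    src_mac: str
    dst_mac: str
    vlan: int


@dataclass
class SteeringDevice:
    """Hypothetical model of the Layer 2 forwarding table inside the steering device (VM15).

    domain: the (port ID, VLAN ID) pairs the pre-set rule placed in one broadcast
            domain, i.e. Table 1 before any MAC address has been learned.
    table:  learned MAC address -> (port ID, VLAN ID), i.e. the rows of Table 2.
    """
    domain: frozenset
    table: dict = field(default_factory=dict)

    def learn(self, in_port: str, frame: Frame) -> bool:
        # Added check (assumption, not in the patent): only learn from (port, VLAN) pairs
        # the pre-set rule admits, so a frame with an unexpected tag cannot poison the table.
        if (in_port, frame.vlan) not in self.domain:
            return False
        self.table[frame.src_mac] = (in_port, frame.vlan)
        return True

    def forward(self, in_port: str, frame: Frame) -> list:
        """Return the (out_port, retagged Frame) pairs emitted for one received message."""
        if not self.learn(in_port, frame):
            return []                       # dropped: nothing learned, nothing sent
        hit = self.table.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST_MAC and hit is not None:
            out_port, out_vlan = hit        # known unicast: one copy, tag rewritten
            return [(out_port, Frame(frame.src_mac, frame.dst_mac, out_vlan))]
        # Unknown or broadcast destination: replicate to every other VLAN of the domain,
        # skipping the source VLAN so no copy goes back to the first VM.
        return [(port, Frame(frame.src_mac, frame.dst_mac, vlan))
                for port, vlan in sorted(self.domain) if vlan != frame.vlan]


def walk_through():
    """Replay the VM13 <-> VM14 exchange from the description and return the decisions."""
    dev = SteeringDevice(frozenset({("Port1", 1), ("Port0", 13), ("Port0", 14)}))
    # 1. VM13 -> VM14 with an empty table: flooded to VLAN14 on Port0 and VLAN1 on Port1.
    first = dev.forward("Port0", Frame(VM13_MAC, VM14_MAC, 13))
    # 2. VM14 replies: VM14 is learned on (Port0, VLAN14) and the reply is steered to VLAN13.
    reply = dev.forward("Port0", Frame(VM14_MAC, VM13_MAC, 14))
    # 3. VM13 -> VM14 again: a single copy retagged VLAN13 -> VLAN14 out of Port0.
    second = dev.forward("Port0", Frame(VM13_MAC, VM14_MAC, 13))
    return dev, first, reply, second


if __name__ == "__main__":
    dev, first, reply, second = walk_through()
    print("learned table:", dev.table)
    print("unknown dst  :", first)
    print("reply        :", reply)
    print("known dst    :", second)
```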
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, terminal (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.
Claims (10)
1. A traffic steering method, characterized in that the method comprises:
receiving, via a source port, a message sent by a first virtual machine (VM) in a first virtual local area network (VLAN), the message carrying a destination MAC address and a first VLAN tag;
generating, based on a pre-set rule, a Layer 2 forwarding table corresponding to the pre-set rule;
searching, based on the Layer 2 forwarding table, for a destination port identifier (ID) and a VLAN ID corresponding to the destination MAC address;
changing the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
forwarding the message carrying the second VLAN tag, via the destination port found, to a second VM in a second VLAN.
2. The method of claim 1, characterized in that generating, based on the pre-set rule, the Layer 2 forwarding table corresponding to the pre-set rule comprises:
assigning each port under specified different VLANs, together with the VLAN respectively corresponding to each port, to the same broadcast domain; and
recording the correspondence between each port ID and VLAN ID in the Layer 2 forwarding table.
3. The method of claim 2, characterized in that the message further carries a source MAC address;
after receiving the message sent by the first VM in the first VLAN, the method further comprises:
recording the source MAC address carried in the message, the source port ID and the VLAN ID corresponding to the first VLAN tag in the Layer 2 forwarding table.
4. The method of claim 3, characterized in that searching for the destination port ID and VLAN ID corresponding to the destination MAC address comprises:
searching the Layer 2 forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, determining the destination port ID and VLAN ID corresponding to the MAC address found.
5. The method of claim 4, characterized in that, after searching the Layer 2 forwarding table for a MAC address identical to the destination MAC address, the method further comprises:
if no MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, broadcasting the message to the other VMs in the broadcast domain determined based on the pre-set rule, wherein the other VMs do not include the first VM in the first VLAN and do include the second VM in the second VLAN.
6. A traffic steering device, characterized in that the device comprises:
a receiving module, configured to receive, via a source port, a message sent by a first virtual machine (VM) in a first virtual local area network (VLAN), the message carrying a destination MAC address and a first VLAN tag;
a generation module, configured to generate, based on a pre-set rule, a Layer 2 forwarding table corresponding to the pre-set rule;
a search module, configured to search, based on the Layer 2 forwarding table, for a destination port identifier (ID) and a VLAN ID corresponding to the destination MAC address;
a tag change module, configured to change the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
a sending module, configured to forward the message carrying the second VLAN tag, via the destination port found, to a second VM in a second VLAN.
7. The device of claim 6, characterized in that the generation module is specifically configured to:
assign each port under specified different VLANs, together with the VLAN respectively corresponding to each port, to the same broadcast domain; and
record the correspondence between each port ID and VLAN ID in the Layer 2 forwarding table.
8. The device of claim 7, characterized in that the message further carries a source MAC address;
the device further comprises:
a storage module, configured to record the source MAC address carried in the message, the source port ID and the VLAN ID corresponding to the first VLAN tag in the Layer 2 forwarding table, so that messages can subsequently be forwarded based on the Layer 2 forwarding table.
9. The device of claim 8, characterized in that the search module is specifically configured to:
search the Layer 2 forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, determine the destination port ID and VLAN ID corresponding to the MAC address found.
10. The device of claim 9, characterized in that the search module is further configured to:
if no MAC address identical to the destination MAC address is found in the Layer 2 forwarding table, broadcast the message to the other VMs in the broadcast domain determined based on the pre-set rule, wherein the other VMs do not include the first VM in the first VLAN and do include the second VM in the second VLAN.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611105531.2A CN106850382B (en) | 2016-12-05 | 2016-12-05 | Flow traction method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106850382A true CN106850382A (en) | 2017-06-13 |
CN106850382B CN106850382B (en) | 2020-07-10 |
Family
ID=59145484
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611105531.2A Active CN106850382B (en) | 2016-12-05 | 2016-12-05 | Flow traction method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106850382B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110311838A (en) * | 2019-07-24 | 2019-10-08 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of security service traffic statistics |
CN113014516A (en) * | 2019-12-20 | 2021-06-22 | 华为技术有限公司 | Method and device for transmitting data stream |
CN113630315A (en) * | 2021-09-03 | 2021-11-09 | 中国联合网络通信集团有限公司 | Network drainage method and device, electronic equipment and storage medium |
CN114640514A (en) * | 2022-03-03 | 2022-06-17 | 成都卫士通信息产业股份有限公司 | Security service system, access control method, and computer-readable storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1960293A (en) * | 2006-09-28 | 2007-05-09 | 北京启明星辰信息技术有限公司 | Method for implementing virtual engine technique for intrusion detection |
CN101707562A (en) * | 2009-11-27 | 2010-05-12 | 中兴通讯股份有限公司 | Method and device for realizing access of virtual local area network (VLAN) stacking in virtual private wire service (VPWS) |
CN102571738A (en) * | 2010-12-08 | 2012-07-11 | 中国电信股份有限公司 | Intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and system thereof |
US8300614B2 (en) * | 2009-05-14 | 2012-10-30 | Avaya Inc. | Preventing packet loops in unified networks |
CN103973578A (en) * | 2013-01-31 | 2014-08-06 | 杭州华三通信技术有限公司 | Virtual machine traffic redirection method and device |
CN104917653A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Virtual flow monitoring method based on cloud platform and device thereof |
Also Published As
Publication number | Publication date |
---|---|
CN106850382B (en) | 2020-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Patentee after: NSFOCUS Technologies Group Co.,Ltd.; Patentee after: NSFOCUS TECHNOLOGIES Inc.; Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; Patentee before: NSFOCUS TECHNOLOGIES Inc. |