CN106850382A - Traffic steering method and device - Google Patents

Traffic steering method and device

Info

Publication number: CN106850382A
Application number: CN201611105531.2A
Authority: CN (China)
Prior art keywords: VLAN, packet, address, layer-2 forwarding, MAC
Legal status: Granted (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106850382B (English)
Inventors: 黄远军, 何恐
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the assignee list may be inaccurate)
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd; priority to CN201611105531.2A; published as CN106850382A; granted and published as CN106850382B; current legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks > 12/28 characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > 12/46 Interconnection of networks > 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] > 12/4645 Details on frame tagging > 12/465 wherein a single frame includes a plurality of VLAN tags
    • H04L 45/00 Routing or path finding of packets in data switching networks > 45/50 using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L 45/00 Routing or path finding of packets in data switching networks > 45/66 Layer 2 routing, e.g. in Ethernet based MANs
    • H04L 45/00 Routing or path finding of packets in data switching networks > 45/74 Address processing for routing > 45/745 Address table lookup; address filtering
    • H04L 47/00 Traffic control in data switching networks > 47/70 Admission control; resource allocation > 47/80 Actions related to the user profile or the type of traffic > 47/806 Broadcast or multicast traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application relates to the field of network security, and in particular to a traffic steering method and device. It addresses the need in the prior art for a steering mechanism that can divert the packets transmitted between virtual machines in a given VLAN into a third-party VM. The traffic steering method provided by the embodiments of the application comprises: receiving a packet sent via a source port by a first VM in a first VLAN, the packet carrying a destination MAC address and a first VLAN tag; generating, based on a preset rule, a layer-2 forwarding table corresponding to that rule; looking up, in the layer-2 forwarding table, the destination port ID and VLAN ID corresponding to the destination MAC address; changing the first VLAN tag carried in the packet to a second VLAN tag corresponding to the VLAN ID found; and forwarding the packet carrying the second VLAN tag, via the destination port, to a second VM in a second VLAN.

Description

Traffic steering method and device
Technical field
The application relates to the field of network security, and in particular to a traffic steering method and device.
Background
At present, a physical server can run only one operating system and its applications at a time, so even a small data center has to deploy a large number of servers; this leaves the utilization of each server very low and greatly increases the cost of data processing. To overcome this, virtualization software such as VMware vSphere or Huawei FusionSphere can be used to emulate hardware and create virtual computer systems. A virtual computer system, that is, a virtual machine (VM), is a tightly isolated software container holding an operating system and applications. By placing many virtual machines on one computer, several operating systems and applications can run on a single physical server. Information exchange between the virtual machines on the same physical server is carried by east-west traffic (east-west traffic being the packets transmitted between virtual machines).
Fig. 1 is a networking diagram of the virtual machines in an existing virtualized environment. The virtual machine host, a physical server, contains a virtual switch 0 and the virtual machines VM11, VM12, VM13 and VM14. VM11, VM12, VM13 and VM14 are each connected to virtual switch 0, and all four are in the same virtual local area network (VLAN). Under existing layer-2 switching, packets can be broadcast and forwarded only between virtual machines within a single VLAN. So when VM13 accesses VM14, it only has to send the packet to virtual switch 0, which forwards it to VM14. As a result, the packets transmitted between virtual machines in an existing virtualized environment cannot be passed through a third-party VM (a virtual machine in another VLAN) for security protection.
There is therefore a need for a steering mechanism that can divert the packets transmitted between virtual machines in a given VLAN into a third-party VM.
Summary of the invention
The embodiments of the application provide a traffic steering method and device, to meet the prior-art need for a steering mechanism that can divert the packets transmitted between virtual machines in a given VLAN into a third-party VM.
The embodiments of the application provide a traffic steering method, comprising:
receiving a packet sent via a source port by a first virtual machine (VM) in a first virtual local area network (VLAN), the packet carrying a destination MAC address and a first VLAN tag;
generating, based on a preset rule, a layer-2 forwarding table corresponding to the preset rule;
looking up, in the layer-2 forwarding table, the destination port identifier (ID) and VLAN ID corresponding to the destination MAC address;
changing the first VLAN tag carried in the packet to a second VLAN tag corresponding to the VLAN ID found; and
forwarding the packet carrying the second VLAN tag, via the destination port found, to a second VM in a second VLAN.
The embodiments of the application provide a traffic steering device, comprising:
a receiving module, for receiving a packet sent via a source port by a first virtual machine (VM) in a first virtual local area network (VLAN), the packet carrying a destination MAC address and a first VLAN tag;
a generating module, for generating, based on a preset rule, a layer-2 forwarding table corresponding to the preset rule;
a lookup module, for looking up, in the layer-2 forwarding table, the destination port identifier (ID) and VLAN ID corresponding to the destination MAC address;
a tag rewriting module, for changing the first VLAN tag carried in the packet to a second VLAN tag corresponding to the VLAN ID found; and
a sending module, for forwarding the packet carrying the second VLAN tag, via the destination port found, to a second VM in a second VLAN.
In the embodiments of the application, after the packet sent via the source port by the first VM in the first VLAN is received, the destination port ID and VLAN ID corresponding to the destination MAC address carried in the packet can be looked up in the layer-2 forwarding table, the first VLAN tag carried in the packet changed to the second VLAN tag corresponding to the VLAN ID found, and the packet carrying the second VLAN tag forwarded via the destination port found to the second VM in the second VLAN. With the steering mechanism proposed by the application, the packets transmitted between the virtual machines in a given VLAN can be diverted into a third-party VM for security protection and other processing. In addition, the embodiments use a preset rule to place the ports under different VLANs, together with the VLANs corresponding to those ports, into a single broadcast domain, and collect the MAC address information carried in the packets sent by each VM in that broadcast domain to build a complete layer-2 forwarding table, which records the correspondence between the MAC addresses of the virtual machines under the different VLANs, their port IDs and their VLAN IDs. When a virtual machine forwards a packet, consulting this layer-2 forwarding table allows the packet to be broadcast and forwarded across different VLANs, overcoming the limitation of existing layer-2 forwarding that a packet can only be broadcast and forwarded within the same VLAN. Moreover, this steering mechanism diverts packets in the virtualized environment without depending on RESTful APIs authorized by the virtualization vendor (the vendor's internal interfaces), so it adapts to the virtualized environments provided by a variety of virtualization vendors.
Brief description of the drawings
Fig. 1 is a networking diagram of the virtual machines in an existing virtualized environment;
Fig. 2 is a flow chart of the traffic steering method provided by embodiment one of the application;
Fig. 3 is a networking diagram of the virtual machines in an improved virtualized environment, provided by embodiment two of the application;
Fig. 4 is the networking diagram obtained by improving the networking shown in Fig. 1;
Fig. 5 is a structural diagram of the traffic steering device provided by embodiment three of the application.
Detailed description
The embodiments of the application are described in further detail below with reference to the accompanying drawings.
Embodiment one
As shown in Fig. 2, the traffic steering method provided by embodiment one of the application comprises the following steps:
S201: receive a packet sent via a source port by a first VM in a first VLAN, the packet carrying a destination Media Access Control (MAC) address and a first VLAN tag.
Here, the packet carries not only the destination MAC address and the first VLAN tag but also a source MAC address. In a specific implementation, the source MAC address can be used to determine via which port the packet was received, that is, the source port of the virtual machine (the first VM) that sent the packet. Likewise, the destination MAC address can be used to determine to which port the packet is to be sent, that is, the destination port of the virtual machine (the second VM) that is to receive it. The first VLAN tag can be the VLAN tag set on the packet as it passes through a virtual switch on its way from the first VM to the second VM.
S202: based on a preset rule, generate a layer-2 forwarding table corresponding to the preset rule.
In a specific implementation, the preset rule can place the ports under different VLANs in the virtual environment, together with the VLANs corresponding to those ports, into a single VLAN broadcast domain. Specifically, the IDs of a specified group of ports and the IDs of the VLANs corresponding to those ports can be grouped into one set, so that the set formed by ports under different VLANs and their corresponding VLANs is attributed to the same VLAN broadcast domain, and broadcast packets can be transmitted between VMs under different VLANs. Here, the correspondence between port IDs and VLAN IDs can be one-to-one, one port ID can correspond to several different VLAN IDs, or several port IDs can correspond to the same VLAN ID.
In a specific implementation, the correspondence between each port ID and VLAN ID in the broadcast domain defined by the preset rule can be recorded in the layer-2 forwarding table. Here, the layer-2 forwarding table is an initial forwarding table that stores the correspondence between each port ID and VLAN ID in the broadcast domain.
To further determine the three-way correspondence between MAC address information, port ID and VLAN ID, the source MAC address information can be obtained from a packet after it is received, and the correspondence between the source MAC address, the source port ID and the source VLAN ID stored in the layer-2 forwarding table. By receiving the packets sent by each virtual machine in the broadcast domain and obtaining the source MAC address of each, the correspondence between the MAC address, port ID and VLAN ID of every virtual machine in the broadcast domain can be stored in the layer-2 forwarding table, for subsequent forwarding of packets based on that table.
Steps S201 and S202 can be performed in either order: the layer-2 forwarding table can be built from the preset rule before a packet is received, or built from the preset rule after a packet is received. The layer-2 forwarding table is also allowed to lack MAC address information; by collecting the MAC address information from the packets sent by each VM, the MAC addresses carried in the packets can subsequently be used to update the table.
S203: based on the layer-2 forwarding table, look up the destination port identifier (ID) and VLAN ID corresponding to the destination MAC address.
In a specific implementation, the destination port ID corresponding to the destination MAC address carried in the packet and the VLAN ID corresponding to that destination MAC address can be looked up as follows:
First, search the layer-2 forwarding table for a MAC address identical to the destination MAC address. If one is found, determine, from the three-way correspondence between MAC address information, port ID and VLAN ID stored in the layer-2 forwarding table, the port ID and VLAN ID corresponding to the MAC address found. The port ID so determined is the destination port ID, and the VLAN ID so determined is the VLAN ID corresponding to the destination MAC address.
If no MAC address identical to the destination MAC address is found in the layer-2 forwarding table, or the destination MAC address is a broadcast address, the packet can be broadcast within the broadcast domain corresponding to the preset rule, specifically:
According to the correspondence between each port ID and VLAN ID in the broadcast domain defined by the rule, the packet is broadcast to the other VMs in the broadcast domain. Here, the other VMs exclude the first VM in the first VLAN and include the second VM in the second VLAN.
Further, after the second VM in the second VLAN within the broadcast domain receives the broadcast packet and recognizes that the destination MAC address carried in it is its own MAC address, it can reply with a packet to the first VM.
After the packet sent by the second VM in the second VLAN within the broadcast domain is received, the port ID and VLAN ID on which it was received, together with the MAC address of the second VM, can be recorded in the layer-2 forwarding table. Once the port ID and VLAN ID corresponding to the MAC address information of the second VM have been determined in this way, the next time a packet whose destination address is the MAC address of the second VM is forwarded, the destination port ID can be looked up directly in the layer-2 forwarding table and the packet no longer needs to be broadcast to all ports in the broadcast domain.
S204: change the first VLAN tag carried in the packet to a second VLAN tag corresponding to the VLAN ID found.
S205: forward the packet carrying the second VLAN tag, via the destination port found, to the second VM in the second VLAN.
In summary, in the embodiments of the application, after a packet sent via a source port by a first VM in a first VLAN is received, the destination port ID corresponding to the destination MAC address carried in the packet, and the VLAN ID corresponding to that destination port, are looked up in the layer-2 forwarding table; the first VLAN tag carried in the packet is changed to the second VLAN tag corresponding to the VLAN ID found; and the packet carrying the second VLAN tag is forwarded via the destination port found to the second VM in the second VLAN. The steering mechanism thus diverts the packets transmitted between the virtual machines in a given VLAN into a third-party VM for security protection and other processing. Because the preset rule places the ports under different VLANs and their corresponding VLANs into one broadcast domain, and the MAC address information collected from the packets of each VM in that domain completes a layer-2 forwarding table recording the correspondence between the MAC addresses, port IDs and VLAN IDs of the virtual machines under the different VLANs, packets can be broadcast and forwarded across VLANs, overcoming the limitation of existing layer-2 forwarding to a single VLAN, and this is achieved without depending on RESTful APIs authorized by the virtualization vendor (the vendor's internal interfaces), so the mechanism adapts to the virtualized environments provided by a variety of vendors.
To better achieve the technical effect of the steering method provided by embodiment one, the application also improves the networking structure between the virtual machines in the existing virtualized environment; see embodiment two.
Embodiment two
As shown in Fig. 3, embodiment two of the application provides a networking diagram of the virtual machines in an improved virtualized environment. The system comprises a first virtual machine VM31, a second virtual machine VM32, a virtual switch, and a steering system within a security processing unit. Here, the security processing unit can be placed on a third virtual machine VM33.
Specifically, VM31 and VM32 are each connected to the virtual switch: VM31 is connected to the first port Port31 of the virtual switch and uses VLAN31, and VM32 is connected to the second port Port32 of the virtual switch and uses VLAN32. The first and second ports can be set to the access type. A port of this type belongs to only one VLAN and passes only packets whose VLAN tag matches that VLAN ID; that is, Port31 passes packets tagged VLAN31 and Port32 passes packets tagged VLAN32. When Port31 or Port32 has to send a packet, it strips the VLAN tag matching its own VLAN ID from the packet before forwarding it.
The virtual switch is connected via its third port Port33 to the fourth port Port34 of VM33. The third and fourth ports can be set to the trunk type. A port of this type can belong to several VLANs, and these two ports can be configured to pass packets tagged VLAN31 or VLAN32. When Port33 or Port34 has to send a packet, it keeps the VLAN tag carried in the packet when forwarding it.
In the embodiments of the application, if VM31 needs to access VM32, VM31 can send a packet destined for VM32 to the virtual switch. The packet carries a source MAC address and a destination MAC address; the source MAC address is the MAC address of VM31, and the destination MAC address is, in this embodiment, the MAC address of VM32, though in practice it can also be a broadcast address.
The virtual switch receives the packet sent by VM31 through Port31 and sets on it a first VLAN tag corresponding to the VLAN in which VM31 sits, that is, the VLAN31 tag. A packet carrying the VLAN31 tag cannot pass through Port32 of the virtual switch, but it can pass through Port33 of the virtual switch and Port34 of VM33, so the virtual switch forwards the packet from its own Port33 to Port34 of VM33, and the packet reaches the security processing unit in VM33 for security processing.
Here, the security processing unit not only provides security protection; the steering system within it can also, according to the preset rule, allow the packet to be broadcast and forwarded within the preset set of ports and the VLANs corresponding to those ports.
In a specific implementation, after the security processing unit has performed security processing on the received packet, the steering system in the security processing unit looks up, in its pre-stored layer-2 forwarding table, the destination port ID corresponding to the destination MAC address carried in the packet and the VLAN ID corresponding to that destination port. Once the destination port ID corresponding to the destination MAC address of the packet is found to be Port34, the first VLAN tag VLAN31 carried in the packet is changed to the second VLAN tag VLAN32, corresponding to the VLAN in which the destination VM32 sits. After the tag rewrite is complete, the security processing unit sends the packet, now carrying the VLAN32 tag, from Port34 of VM33 to Port33 of the virtual switch.
After receiving the packet, the virtual switch can look up in its own layer-2 forwarding table the destination port ID corresponding to the destination MAC address carried in the packet; having determined that the destination port is Port32, it sends the packet via Port32 to the destination virtual machine VM32. The packet sent by VM31 is thus steered, after security processing, to the destination virtual machine VM32 by the steering system in the security processing unit. Note that the layer-2 forwarding table in the virtual switch differs from the layer-2 forwarding table in the steering system. The table in the virtual switch is the unimproved prior-art table, recording the relationship between the virtual machines under a given VLAN and the port IDs within that same VLAN. In the steering system provided by the embodiments of the application, by contrast, the preset rule places virtual machines under different VLANs into the same broadcast domain, and the combinations of port ID and VLAN ID under the different VLANs are recorded in the improved layer-2 forwarding table.
The networking diagram of the security protection system provided by the embodiments is for reference only; in practice, steering can be applied selectively according to requirements such as the security of the packets exchanged between virtual machines. For example, in the networking shown in Fig. 1, if the packets transmitted between VM13 and VM14 have higher security requirements and need security protection, those packets can be steered to the security processing unit for security processing and then steered by the steering system in the security processing unit to the destination virtual machine.
As shown in figure 4, being the networking schematic diagram after being improved to the networking shown in Fig. 1.
Specifically, VM13 and VM14 is disconnected from the virtual switch 0 in artwork 1, can be new in the server A virtual switch 1 is built, and VM13 and VM14 are connected respectively on virtual switch 1, wherein, VM13 is connected to virtual friendship Change planes on 1 port Port13 and use new VLAN13, VM14 to be connected on the port Port14 of virtual switch 1 and use New VLAN14.Meanwhile, a newly-built virtual machine VM15 in the server, and secure processing units are run on the virtual machine, Also, a drainage system is provided with the secure processing units.Virtual switch 1 is connected to VM15 by port Port0 Port0 on, and the two interconnection port types be set to trunk types, it is allowed to carry VLAN13 or VLAN14 mark The message of label passes through.VM15 is connected in original virtual switch 0 by port Port1, and the Port1 port type It is also configured as trunk types, it is allowed to which the message for carrying VLAN1 labels passes through.
Here, the drainage system in secure processing units by configure drainage rule by VLAN1 and Port1, VLAN13 with Port0, VLAN14 and Port0 are set in a broadcast domain.Contain a two-layer retransmitting table in the inside of drainage system, first During beginning state, the corresponding relation of each VLAN and port Port in broadcast domain where there being record in the two-layer retransmitting table, such as table Shown in one:
Table one
Because drainage system was not before message was received, its internal two-layer retransmitting table is in original state, in table Mac address information is state to be filled.Mac address information in during receiving message by learning message is recorded Mac address information, port id, the triangular corresponding relations of VLAN ID.
Such as, if VM13 needs to access VM14, VM13 will carry source MAC (MAC Address of VM13), purpose The message of MAC Address (here, target MAC (Media Access Control) address can be the MAC Address of VM14, can also be a broadcast address) from Port13 enters virtual switch 1, and virtual switch 1 is that the message sets a VLAN13 label, and by the message from virtual The Port0 of interchanger is transmitted to the Port0 of VM15.
After the drainage system receives the message carrying VLAN13 that was transmitted in through Port0, it obtains the source MAC address in the message (the MAC address of VM13) and records the correspondence among the MAC address of VM13, Port0 and VLAN13 in the two-layer forwarding table. When forwarding the message, because the initial two-layer forwarding table contains no MAC address information about VM14, no corresponding port can be found through which to send the message. In this case, the message can be broadcast within the broadcast domain. After a virtual machine in the broadcast domain receives the message, if it identifies the destination MAC address carried in the message as its own MAC address or as a broadcast address, it may also reply with a message. Therefore, in this example, after VM14 receives the message and identifies its destination MAC address as its own MAC address or as a broadcast address, if VM14 also needs to reply with a message to VM13, the reply message also enters virtual switch 1 from Port14; virtual switch 1 sets a VLAN14 tag on the message and then forwards it from its Port0 to Port0 of VM15. After the drainage system in VM15 receives, through Port0, the message carrying the MAC address information of VM14 and the VLAN14 tag, it records the correspondence among the MAC address of VM14, Port0 and VLAN14 in the two-layer forwarding table.
Similarly, when VM13 accesses VM11, VM13 accesses VM14, or VM14 accesses VM11, the drainage device learns from each message and records the correspondence among MAC address, Port ID and VLAN ID. Finally the complete two-layer forwarding table for the broadcast domain is generated, as shown in Table two.
Table two
VLAN ID   Port id   MAC
VLAN 1    Port 1    VM11 MAC
VLAN 1    Port 1    VM12 MAC
VLAN 13   Port 0    VM13 MAC
VLAN 14   Port 0    VM14 MAC
After the above two-layer forwarding table has been updated, if VM13 continues to access VM14, the specific flow of security protection and traction for the messages transmitted between VM13 and VM14 may be:
The message sent by VM13 enters virtual switch 1 from Port13; virtual switch 1 sets a VLAN13 tag on the message and forwards it from its Port0 to Port0 of VM15. After the secure processing unit of VM15 performs security processing on the message, the drainage system in the secure processing unit searches its internal two-layer forwarding table for the destination port ID corresponding to the destination MAC address (here, the destination MAC address is assumed to be the MAC address of VM14) and the VLAN ID corresponding to that destination port, obtaining destination port ID Port 0 and VLAN ID VLAN 14. The tag of the message is changed from VLAN13 to VLAN14 and the message is forwarded to virtual switch 1; virtual switch 1 strips the tag from the traffic and forwards it from port Port14 to VM14.
In addition, if the destination MAC address of the message is not found in the two-layer forwarding table, or the destination MAC address of the message is a broadcast address, the message may be broadcast within its broadcast domain, specifically as follows: the message is replicated, its VLAN tag is changed from VLAN13 to VLAN1, and the copy is sent from Port 1; the message is replicated, its VLAN tag is changed from VLAN13 to VLAN14, and the copy is sent from Port 0.
If VM13 needs to access VM11, the specific flow of security protection and traction for the messages transmitted between VM13 and VM11 may be:
The message sent by VM13 enters virtual switch 1 from Port13; virtual switch 1 sets a VLAN13 tag on the message and forwards it from its Port0 to Port0 of VM15. After the secure processing unit of VM15 performs security processing on the message, the drainage system in the secure processing unit searches its internal two-layer forwarding table for the destination port ID corresponding to the destination MAC address (the MAC address of VM11) and the VLAN ID corresponding to that destination port, obtaining destination port ID Port1 and VLAN ID VLAN 1. The tag of the message is changed from VLAN13 to VLAN1 and the message is forwarded to virtual switch 0; virtual switch 0 strips the tag from the traffic and forwards it to VM11.
In addition, if the destination MAC address of the message is not found in the two-layer forwarding table, or the destination MAC address of the message is a broadcast address, the message may be broadcast within its broadcast domain, specifically as follows: the message is replicated, its VLAN tag is changed from VLAN13 to VLAN1, and the copy is sent from Port 1; the message is replicated, its VLAN tag is changed from VLAN13 to VLAN14, and the copy is sent from Port 0.
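To make the learning, lookup, tag-rewrite and flood-on-miss steps above concrete, here is an added Python model of the drainage system's two-layer forwarding table; it is not code from the patent or from NSFOCUS, and the class and function names, the constructed MAC addresses and the broadcast-domain rule {VLAN1: Port1, VLAN13: Port0, VLAN14: Port0} are assumptions drawn from the walkthrough. It replays the VM13 to VM14 and VM13 to VM11 exchanges, including the first unknown-destination message that has to be replicated into each other VLAN of the domain.

```python
"""Added example, not code from the patent: a minimal model of the drainage
system's two-layer (MAC) forwarding table.  Class/function names, MAC values
and the broadcast-domain rule below are assumptions built from the walkthrough."""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int  # VLAN tag set by the virtual switch on ingress


@dataclass
class ForwardingTable:
    # Drainage rule: the (VLAN ID -> port ID) pairs that form one broadcast
    # domain, i.e. the initial state of Table one (MAC column still empty).
    domain: dict[int, int]
    # Learned entries: MAC -> (port ID, VLAN ID), i.e. the rows of Table two.
    entries: dict[str, tuple[int, int]] = field(default_factory=dict)

    def learn(self, frame: Frame, in_port: int) -> None:
        """Record the source MAC / ingress port / VLAN triple of a received frame."""
        if self.domain.get(frame.vlan) != in_port:
            raise ValueError(f"VLAN {frame.vlan} on port {in_port} is outside the domain")
        self.entries[frame.src_mac] = (in_port, frame.vlan)

    def steer(self, frame: Frame, in_port: int) -> list[tuple[int, Frame]]:
        """Return the (egress port, re-tagged frame) pairs to emit for one frame.

        Known unicast destination: one copy, tag rewritten to the destination's
        VLAN.  Unknown or broadcast destination: replicate once per other VLAN
        in the domain and re-tag each copy, never back into the ingress VLAN.
        """
        self.learn(frame, in_port)
        hit = self.entries.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST and hit is not None:
            port, vlan = hit
            return [(port, Frame(frame.src_mac, frame.dst_mac, vlan))]
        return [
            (port, Frame(frame.src_mac, frame.dst_mac, vlan))
            for vlan, port in self.domain.items()
            if vlan != frame.vlan
        ]


def run_example() -> dict:
    """Replay the walkthrough on constructed MACs; values are (port, VLAN) lists."""
    # Constructed, locally administered MAC addresses standing in for VM11/VM13/VM14.
    vm11, vm13, vm14 = "02:00:00:00:00:11", "02:00:00:00:00:13", "02:00:00:00:00:14"
    table = ForwardingTable(domain={1: 1, 13: 0, 14: 0})

    def out(frame: Frame, in_port: int) -> list[tuple[int, int]]:
        return [(port, f.vlan) for port, f in table.steer(frame, in_port)]

    results = {
        "first_13_to_14": out(Frame(vm13, vm14, 13), 0),   # miss: copies to Port1/VLAN1 and Port0/VLAN14
        "14_replies_13": out(Frame(vm14, vm13, 14), 0),    # hit: Port0, re-tagged VLAN13
        "13_to_14_again": out(Frame(vm13, vm14, 13), 0),   # hit: Port0, re-tagged VLAN14
        "11_to_13": out(Frame(vm11, vm13, 1), 1),          # learns VM11 on Port1/VLAN1
        "13_to_11": out(Frame(vm13, vm11, 13), 0),         # hit: Port1, re-tagged VLAN1
        "13_broadcast": out(Frame(vm13, BROADCAST, 13), 0),  # broadcast: replicated as on a miss
    }
    results["table"] = sorted(table.entries.items())  # the learned Table two
    return results


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```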
Based on the same inventive concept, an embodiment of the present application also provides a flow traction device corresponding to the flow traction method. Because the principle by which the device solves the problem is similar to that of the flow traction method in the embodiment of the present invention, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Embodiment three
As shown in Figure 5, the structure of the flow traction device provided by embodiment three of the present application includes:
a receiving module 51, configured to receive a message sent via a source port by a first virtual machine VM in a first virtual local area network VLAN, the message carrying a destination MAC address and a first VLAN tag;
a generating module 52, configured to generate, based on a preset rule, a two-layer forwarding table corresponding to the preset rule;
a searching module 53, configured to search, based on the two-layer forwarding table, for the destination port identifier ID and VLAN ID corresponding to the destination MAC address;
a tag changing module 54, configured to change the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
a sending module 55, configured to forward the message carrying the second VLAN tag via the found destination port to a second VM in a second VLAN.
Alternatively, the generating module 52 is specifically configured to:
divide each port under the specified different VLANs, together with the VLAN corresponding to each port, into one broadcast domain; and
record the correspondence between each port ID and VLAN ID in the two-layer forwarding table.
Alternatively, the message also carries a source MAC address;
the device also includes:
a storage module 56, configured to record the source MAC address carried in the message, the source port ID, and the VLAN ID corresponding to the first VLAN tag in the two-layer forwarding table, so that messages can subsequently be forwarded based on the two-layer forwarding table.
Alternatively, the searching module 53 is specifically configured to:
search the two-layer forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the two-layer forwarding table, determine the destination port ID and VLAN ID corresponding to the MAC address found.
Alternatively, the searching module 53 is further configured to:
if no MAC address identical to the destination MAC address is found in the two-layer forwarding table, broadcast the message to the other VMs in the broadcast domain determined based on the preset rule, where the other VMs do not include the first VM in the first VLAN and do include the second VM in the second VLAN.
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system, or a computer program product. Therefore, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, and the like) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of the method, terminal (system) and computer program product according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include these changes and modifications.

Claims (10)

1. A flow traction method, characterized in that the method includes:
receiving a message sent via a source port by a first virtual machine VM in a first virtual local area network VLAN, the message carrying a destination MAC address and a first VLAN tag;
generating, based on a preset rule, a two-layer forwarding table corresponding to the preset rule;
searching, based on the two-layer forwarding table, for a destination port identifier ID and a VLAN ID corresponding to the destination MAC address;
changing the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
forwarding the message carrying the second VLAN tag via the destination port found to a second VM in a second VLAN.
2. The method of claim 1, characterized in that generating, based on the preset rule, the two-layer forwarding table corresponding to the preset rule includes:
dividing each port under the specified different VLANs, together with the VLAN corresponding to each port, into one broadcast domain; and
recording the correspondence between each port ID and VLAN ID in the two-layer forwarding table.
3. The method of claim 2, characterized in that the message also carries a source MAC address;
after receiving the message sent by the first virtual machine VM in the first VLAN, the method also includes:
recording the source MAC address carried in the message, the source port ID, and the VLAN ID corresponding to the first VLAN tag in the two-layer forwarding table.
4. The method of claim 3, characterized in that searching for the destination port identifier ID and the VLAN ID corresponding to the destination MAC address includes:
searching the two-layer forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the two-layer forwarding table, determining the destination port ID and VLAN ID corresponding to the MAC address found.
5. The method of claim 4, characterized in that after searching the two-layer forwarding table for a MAC address identical to the destination MAC address, the method also includes:
if no MAC address identical to the destination MAC address is found in the two-layer forwarding table, broadcasting the message to the other VMs in the broadcast domain determined based on the preset rule, where the other VMs do not include the first VM in the first VLAN and do include the second VM in the second VLAN.
6. A flow traction device, characterized in that the device includes:
a receiving module, configured to receive a message sent via a source port by a first virtual machine VM in a first virtual local area network VLAN, the message carrying a destination MAC address and a first VLAN tag;
a generating module, configured to generate, based on a preset rule, a two-layer forwarding table corresponding to the preset rule;
a searching module, configured to search, based on the two-layer forwarding table, for a destination port identifier ID and a VLAN ID corresponding to the destination MAC address;
a tag changing module, configured to change the first VLAN tag carried in the message to a second VLAN tag corresponding to the VLAN ID found;
a sending module, configured to forward the message carrying the second VLAN tag via the destination port found to a second VM in a second VLAN.
7. The device of claim 6, characterized in that the generating module is specifically configured to:
divide each port under the specified different VLANs, together with the VLAN corresponding to each port, into one broadcast domain; and
record the correspondence between each port ID and VLAN ID in the two-layer forwarding table.
8. The device of claim 7, characterized in that the message also carries a source MAC address;
the device also includes:
a storage module, configured to record the source MAC address carried in the message, the source port ID, and the VLAN ID corresponding to the first VLAN tag in the two-layer forwarding table, so that messages can subsequently be forwarded based on the two-layer forwarding table.
9. The device of claim 8, characterized in that the searching module is specifically configured to:
search the two-layer forwarding table for a MAC address identical to the destination MAC address;
if a MAC address identical to the destination MAC address is found in the two-layer forwarding table, determine the destination port ID and VLAN ID corresponding to the MAC address found.
10. The device of claim 9, characterized in that the searching module is further configured to:
if no MAC address identical to the destination MAC address is found in the two-layer forwarding table, broadcast the message to the other VMs in the broadcast domain determined based on the preset rule, where the other VMs do not include the first VM in the first VLAN and do include the second VM in the second VLAN.
CN201611105531.2A 2016-12-05 2016-12-05 Flow traction method and device Active CN106850382B (en)


Publications (2)

Publication Number Publication Date
CN106850382A true CN106850382A (en) 2017-06-13
CN106850382B CN106850382B (en) 2020-07-10








Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Patentee after: NSFOCUS Technologies Group Co.,Ltd.
Patentee after: NSFOCUS TECHNOLOGIES Inc.
Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.
Patentee before: NSFOCUS TECHNOLOGIES Inc.