CN107517129B - Method and device for configuring uplink interface of equipment based on OpenStack - Google Patents
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
Abstract
The application provides a method and a device for configuring an uplink interface of equipment based on OpenStack, wherein the method comprises the following steps: when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to the firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation; and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface. By adopting the technical method provided by the application, the uplink interface of the equipment is automatically configured.
Description
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for configuring an uplink interface of a device based on OpenStack.
Background
OpenStack is a cloud computing management platform that is simple to implement, massively scalable, feature-rich and built on a unified standard, and it supports almost all types of cloud environments. Through a set of complementary services, each of which provides APIs for integration, the OpenStack server provides an Infrastructure as a Service (IaaS) solution for a service cluster consisting of various sites providing different services.
OpenStack covers various aspects of networking, virtualization, operating systems, servers, and so on. OpenStack includes core projects of a plurality of different service types, such as compute, object storage, image service, identity service, network & address management (Neutron), and the like.
Neutron provides a Network virtualization technology of cloud computing, provides Network connection Service for other services of OpenStack, provides an interface for a user, and can define Network, Subnet and Router, configure DHCP, DNS, load balancing, L3 Service, and support GRE, VLAN, FWaaS (Firewall as a Service) and the like.
FWaaS implements the firewall function in software. Because a software implementation is not as powerful as a hardware device, FWaaS is usually replaced by a firewall function implemented by a hardware device. Firewall devices are typically deployed at network egress locations.
Referring to fig. 1, fig. 1 is a schematic diagram of a network connection for creating a virtual firewall based on OpenStack shown in the prior art. In the prior art, when a user operates OpenStack to create a virtual network, since the virtual network cannot directly access an external network, the external network needs to be accessed by a physical device connected with the external network. Meanwhile, in order to maintain network security, network isolation needs to be performed through a firewall device. Thus, the firewall device serves as a bridge between the virtual network and the extranet. In order to establish the connection between the virtual network and the firewall device, the firewall device needs to virtualize a virtual firewall through a virtualization technology, and the communication between the virtual network and the firewall device is realized by establishing the connection between the virtual network and the virtual firewall.
Since the virtual network is created by OpenStack, configuration data of the virtual network is stored in the OpenStack server. When a user host in the virtual network needs to receive and send a message, the message passes through the OpenStack server.
In addition, when a virtual network is created through OpenStack, only a downlink interface of the virtual firewall is configured on the firewall device, where the downlink interface refers to a virtual interface through which the virtual network communicates with the virtual firewall, so that only communication between the virtual network and the virtual firewall can be achieved, and communication between the virtual network and an external network cannot be achieved. In order to implement the communication between the virtual network and the external network, in the prior art, an administrator of the firewall device needs to manually configure an uplink interface for the virtual network on the firewall device, where the uplink interface refers to a virtual interface through which the virtual firewall communicates with the external network.
When configuring an uplink interface for the virtual network, a firewall device administrator needs to specify an IP address, a VLAN ID, a default route, and the like of the uplink interface, where the next-hop device in the default route is an upstream device of the firewall device. In order to implement communication between the upstream device and the virtual firewall, an administrator of the upstream device also needs to manually configure an interface corresponding to the uplink interface on the upstream device based on information such as the IP address and VLAN ID of the uplink interface, including specifying the IP address, VLAN ID, backhaul route, and the like of that interface.
In the prior art, each time a virtual firewall is created, an administrator of the firewall device needs to manually configure an uplink interface on the firewall device, and an administrator of the upstream device needs to manually configure an interface corresponding to the uplink interface on the upstream device.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for configuring an uplink interface of a device based on OpenStack, so as to implement automatic configuration of the uplink interface of the device.
Specifically, the method is realized through the following technical scheme:
a method for configuring an uplink interface based on OpenStack is applied to an OpenStack server, wherein the OpenStack server is preconfigured with an IP address range and a VLAN range, and the method comprises the following steps:
when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to the firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation;
and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
A method for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and comprises the following steps:
receiving a command for creating a virtual firewall and a VLAN ID which are sent by an OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
creating a virtual firewall based on the command, selecting any unused VLAN ID from VLAN IDs in the binding relationship sent by an OpenStack server as a target VLAN ID, and sending the target VLAN ID to the OpenStack server so that the OpenStack server can obtain a target IP address bound with the target VLAN ID from the binding relationship;
and receiving the target IP address sent by the OpenStack server, and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
An apparatus for configuring an uplink interface based on OpenStack is applied to an OpenStack server, where the OpenStack server is preconfigured with an IP address range and a VLAN range, and includes:
the first sending unit is used for sending a command for creating the virtual firewall to the firewall equipment and sending the VLAN ID in the pre-established binding relationship to the firewall equipment when receiving a request for creating the virtual firewall sent by a user host, so that the firewall equipment creates the virtual firewall and acquires a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit is used for receiving the target VLAN ID returned by the firewall equipment and obtaining a target IP address bound with the target VLAN ID according to the binding relationship;
and the second sending unit is used for sending the target IP address to the firewall equipment so as to enable the firewall equipment to configure an uplink interface of the virtual firewall, and enable the target IP address and the target VLAN ID to become the IP address and the VLAN ID of the uplink interface respectively.
A device for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and comprises:
the receiving unit is used for receiving a command for creating the virtual firewall and a VLAN ID which are sent by the OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
a creating unit configured to create a virtual firewall based on the command;
a selecting unit, configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
a sending unit, configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
and the configuration unit is used for receiving the target IP address sent by the OpenStack server and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively used as the IP address and the VLAN ID of the uplink interface.
Because an IP address range and a VLAN range are configured in advance at the OpenStack server, an effective IP address is calculated from the IP address range based on an effective IP calculation algorithm, and a binding relationship between the effective IP address and a VLAN ID in the VLAN range is established in advance, when a virtual firewall needs to be created, the OpenStack server transmits a command for creating the virtual firewall and the VLAN ID in the binding relationship to the firewall device. And the firewall equipment creates a virtual firewall, selects any unused VLAN ID from the binding relationship as a target VLAN ID, and sends the target VLAN ID to the OpenStack server. And the OpenStack server acquires the target IP address bound with the target VLAN ID from the binding relationship and sends the target IP address to the firewall equipment. And configuring an uplink interface for the firewall equipment, and respectively taking the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface, thereby realizing automatic configuration of the uplink interface for the virtual firewall based on OpenStack.
Drawings
Fig. 1 is a schematic diagram of a network connection for creating a virtual firewall based on OpenStack shown in the prior art;
Fig. 2 is a flowchart of a method for configuring an uplink interface of a device based on OpenStack according to an embodiment of the present application;
Fig. 3 is a hardware structure diagram of an OpenStack server where a device for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present application is located;
Fig. 4 is a device for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present application;
Fig. 5 is a hardware structure diagram of a firewall device where a device for configuring an uplink interface of a device based on OpenStack according to a third embodiment of the present application is located;
Fig. 6 is a device for configuring an uplink interface of a device based on OpenStack according to a third embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Example one
In order to implement automatic configuration of an uplink interface of a device, an embodiment of the present application provides a method for configuring an uplink interface of a device based on OpenStack, please refer to fig. 2, and fig. 2 is a flowchart of a method for configuring an uplink interface of a device based on OpenStack according to an embodiment of the present application. The following steps are specifically executed:
Step 201: initializing an OpenStack server, and establishing a binding relationship between an effective IP address and a VLAN ID in a preset VLAN range;
In this embodiment, the OpenStack server configures an IP address range and a VLAN range in advance. The IP address range belongs to an external network IP address range, and the IP address range can be expanded and modified according to actual requirements.
When the OpenStack server is initialized, a preconfigured IP address range can be calculated based on a preset effective IP calculation algorithm, and an effective IP address is obtained from the IP address range. And the effective IP address is an IP address which can be allocated to the virtual firewall uplink interface for use.
In this embodiment, since the IP address assigned to the uplink interface of the virtual firewall and the IP address assigned to the upstream device interface communicating with the virtual firewall must belong to the same network, at least one IP address must exist that belongs to the same network as the IP address assigned to the uplink interface of the virtual firewall. The network where the legal IP address allocated to the uplink interface of the virtual firewall is located comprises at least two reserved addresses and two legal IP addresses allocable to hosts.
The effective IP calculation algorithm is that the OpenStack server acquires a legal IP address set which can be allocated to a host from a pre-configured IP address range, and then determines an effective IP address set allocated to a virtual firewall uplink interface from the legal IP address set.
For example, the IP address range pre-configured at the OpenStack server is 10.1.1.0/30-10.1.2.0/30. Because the subnet mask of the IP address in the IP address range is 30 bits, the network bit of each IP address in the IP address range is the first 30 bits of the 32-bit IP address, and the host bit is the last two bits, wherein the IP addresses of all 0 and all 1 bits of the host bit are reserved addresses and cannot be allocated to the host for use, so that only two legal IP addresses in the IP address formed by the two bits of the host bit can be allocated to the host for use. In other words, the IP address range may be divided into a number of subnets with only two legitimate IP addresses that may be assigned for use by the host.
Since the legal IP address assigned to the uplink interface of the virtual firewall and the legal IP address assigned to the upstream device interface communicating with the virtual firewall must belong to the same network, one of the two legal IP addresses available to hosts in each subnet is assigned to the uplink interface to be configured and the other is assigned to the upstream device interface communicating with the virtual firewall.
Legal IP addresses which can be allocated to the hosts and are shown in Table 1 can be obtained from the IP address range 10.1.1.0/30-10.1.2.0/30.
Subnet serial number | IP address 1 | IP address 2 |
1 | 10.1.1.1 | 10.1.1.2 |
2 | 10.1.1.5 | 10.1.1.6 |
3 | 10.1.1.9 | 10.1.1.10 |
4 | 10.1.1.13 | 10.1.1.14 |
… | … | … |
65 | 10.1.1.253 | 10.1.1.254 |
TABLE 1
According to table 1, two legal IP addresses that can be allocated to the host in the same subnet are shown, where the last bit of one IP address is odd and the last bit of the other IP address is even, for example, the last bit of IP address 10.1.1.1 of IP address 1 in subnet 1 is 1, and the last bit of IP address 10.1.1.2 of IP address 2 is 2.
Assuming that the OpenStack server determines an IP address with an odd last bit as an IP address that can be allocated to the virtual firewall uplink interface, an effective IP calculation algorithm preset by the OpenStack server is as follows:
1) acquiring an initial IP address from the IP address range;
2) judging whether the obtained IP address is a legal IP address or not; if the IP address is not a legal IP address, execute 3); if the IP address is a legal IP address, execute 4);
3) acquiring the IP address obtained by adding 1 to the binary digit of the IP address from the IP address range, judging whether the IP address added with 1 is in the IP address range, if so, executing 2), and if not, ending;
4) judging the parity of the last bit of the IP address, if the parity is an even number, executing 3); and if the number of the IP addresses is odd, adding the IP address into a preset IP list, and adding the IP address with the last bit +4 x n of the IP address into the IP list from the range of the IP addresses, wherein n is a positive integer.
5) And reading the last IP address in the IP list, and judging whether the IP address obtained by adding 1 to the last bit of the IP address is in the preset configured IP address range. If so, the IP address is retained in the IP list, and if not, the IP address is deleted from the IP list.
Of the two legal IP addresses in the same subnet, the one whose last bit is even is the larger. Therefore, if the last bit of the first legal IP address obtained in step 4) is even, the other legal IP address belonging to the same subnet as that IP address does not exist in the preconfigured IP address range, and thus the IP address is not usable.
Since the last bit of each IP address in the IP list is odd and the last IP address in the IP list may be the last IP address in the preset configured IP address range, it needs to be determined in step 5) whether the IP address obtained by adding 1 to the last bit of the last IP address in the IP list is within the preset configured IP address range, if so, the IP address is retained in the IP list, and if not, the IP address is deleted from the IP list.
Of course, the OpenStack server may also allocate a legal IP address with an even last bit of the IP address to the virtual firewall uplink interface for use.
It should be noted that, in this embodiment, the effective IP calculation algorithm needs to be adjusted correspondingly according to the change of the pre-configured IP address range, and the effective IP calculation algorithm may be flexible and changeable, and is not limited in this application.
In this embodiment, in an initialization process of the OpenStack server, the effective IP addresses may be sorted based on a preset IP address sorting mechanism, and then sequentially added to a preset IP list; and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism, and adding the VLAN IDs in the preset VLAN range to a preset VLAN list.
For example, in combination with the above example in this embodiment, it is assumed that the IP address sorting mechanism sorts the effective IP addresses in the order from small to large according to the last numerical value of the effective IP addresses, the VLAN sorting mechanism sorts the VLAN IDs in the preconfigured VLAN range in the order from small to large according to the numerical value of the VLAN IDs, and the preconfigured VLAN range is from VLAN 1 to VLAN 50. The OpenStack server can obtain the IP list shown in table 2 and the VLAN list shown in table 3 during an initialization process.
TABLE 2
Serial number | VLAN ID |
1 | VLAN 1 |
2 | VLAN 2 |
3 | VLAN 3 |
… | … |
50 | VLAN 50 |
TABLE 3
In this embodiment, after obtaining the IP list and the VLAN list, the OpenStack server may establish a binding relationship between an effective IP address in the IP list and a VLAN ID with the same sequence number in the VLAN list.
The number of the effective IP addresses in the IP list and the number of the VLAN IDs in the VLAN list may be different, and after the binding relationship between the effective IP addresses and the VLAN IDs with the same serial number is established, the IP list may have remaining effective IP addresses to be bound, or the VLAN list may have remaining VLAN IDs to be bound, or both the effective IP addresses in the IP list and the VLAN IDs in the VLAN list may have been bound.
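The five-step effective IP calculation and the same-serial-number binding of step 201, written out as an added Python example (not code from the patent). It assumes the range 10.1.1.0/30-10.1.2.0/30 is read as the addresses 10.1.1.0 through 10.1.2.0 cut into /30 subnets, that the odd address goes to the firewall side, and that IP addresses are sorted by numeric value; the function names and the 192.0.2.x range are constructed.

```python
import ipaddress

SUBNET_SIZE = 4  # a /30 holds 4 addresses: network, two legal hosts, broadcast


def is_legal_host(addr):
    """Step 2: host bits must be neither all 0 (network) nor all 1 (broadcast)."""
    return addr % SUBNET_SIZE in (1, 2)


def effective_ips(first, last):
    """Return the effective IP list for the inclusive range first..last.

    Follows steps 1-5 for the 'odd last bit' variant described in the text.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")

    # Steps 1-4: walk forward one address at a time until the first address
    # that is both legal and odd. A leading even legal address is skipped,
    # because its odd partner lies below the start of the range.
    addr = lo
    while addr <= hi and not (is_legal_host(addr) and addr % 2 == 1):
        addr += 1

    # Step 4, second half: add this address and every address + 4*n in range.
    ip_list = list(range(addr, hi + 1, SUBNET_SIZE))

    # Step 5: the last entry is only usable if its partner (address + 1),
    # which the upstream device interface needs, is still inside the range.
    if ip_list and ip_list[-1] + 1 > hi:
        ip_list.pop()

    return [str(ipaddress.IPv4Address(a)) for a in ip_list]


def bind(ip_list, vlan_ids):
    """Bind the IP and VLAN ID that share a serial number after sorting.

    Returns (binding, unbound_ips, unbound_vlans). The two lists may differ
    in length, so one of the leftovers can be non-empty.
    """
    ips = sorted(ip_list, key=lambda s: int(ipaddress.IPv4Address(s)))
    vlans = sorted(vlan_ids)
    n = min(len(ips), len(vlans))
    binding = dict(zip(vlans[:n], ips[:n]))  # VLAN ID -> effective IP
    return binding, ips[n:], vlans[n:]


if __name__ == "__main__":
    ips = effective_ips("10.1.1.0", "10.1.2.0")
    binding, spare_ips, spare_vlans = bind(ips, range(1, 51))  # VLAN 1..50
    print(ips[:4], "...", ips[-1])
    print("VLAN 50 ->", binding[50], "| unbound IPs:", len(spare_ips))
    # Constructed range that starts on an even host and ends on an odd one:
    print(effective_ips("192.0.2.10", "192.0.2.21"))
```

The constructed 192.0.2.x range exercises both boundary rules: 192.0.2.10 is dropped because its odd partner is below the range, and 192.0.2.21 is dropped by step 5 because 192.0.2.22 is above it.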
Step 202: the OpenStack server sends a command for creating a virtual firewall to the firewall equipment, and sends the VLAN ID in the binding relationship to the firewall equipment;
In this embodiment, after the OpenStack server completes initialization, the OpenStack server has already established a binding relationship between an effective IP address and a VLAN ID in a preconfigured VLAN range. When the OpenStack server receives a request sent by a user host for creating a virtual firewall, the OpenStack server may send a command for creating a virtual firewall to the firewall device, and send the VLAN ID in the binding relationship to the firewall device.
Step 203: the firewall equipment creates a virtual firewall based on the command for creating the virtual firewall, and selects any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server side as a target VLAN ID;
In this embodiment, when the firewall device receives a command sent by the OpenStack server to create a virtual firewall, the firewall device may generate a virtual firewall based on a virtualization technology. Meanwhile, after the firewall device receives the VLAN ID in the binding relationship sent by the OpenStack server, the firewall device may check whether an unused VLAN ID exists among the VLAN IDs in the binding relationship.
If the VLAN IDs in the binding relationship have unused VLAN IDs, the firewall equipment can select any VLAN ID from the unused VLAN IDs as a target VLAN ID and send the target VLAN ID to the OpenStack server; and if the VLAN IDs in the binding relationship are all used, the firewall equipment sends information that the VLAN IDs are all used to the OpenStack server.
Step 204: when the OpenStack server receives a target VLAN ID sent by firewall equipment, the OpenStack server sends a target IP address bound with the target VLAN ID to the firewall equipment;
In this embodiment, when the OpenStack server receives the target VLAN ID sent by the firewall device, the OpenStack server searches for a valid IP address bound to the target VLAN ID from the binding relationship. And the OpenStack server takes the effective IP address as a target IP address and sends the target IP address to the firewall equipment.
Step 205: when the OpenStack server receives the information that the VLAN IDs sent by the firewall equipment are used, the OpenStack server sends prompt information of actual resources to the user host;
When the OpenStack server receives the information that the VLAN IDs sent by the firewall device are all used, the OpenStack server checks whether an effective IP address which is not bound exists in the IP list and whether a VLAN ID which is not bound exists in the VLAN list;
if an effective IP address which is not bound exists and VLAN IDs in the VLAN range are bound, sending prompt information for increasing the VLAN range to the user host;
if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host;
and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
When the user host receives the prompt message, an administrator needs to increase an IP address range and/or a VLAN range at the OpenStack server according to the prompt message; the added IP address range and/or VLAN range are/is added behind the originally configured IP address range and/or originally configured VLAN range, so that the change of data generated by OpenStack based on the originally configured IP address range and VLAN range can be avoided, the IP address range is reduced, and/or after the VLAN range is changed, the OpenStack server calculates effective IP addresses based on the originally configured IP address range and VLAN range, and the process of establishing the binding relationship is carried out.
Step 206: when the firewall equipment receives the target IP address, the firewall equipment configures an uplink interface of the virtual firewall, and takes the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface respectively.
In this embodiment, when the firewall device receives a target IP address sent by the OpenStack server, the firewall device configures an uplink interface for the created virtual firewall, uses the target IP address as an IP address of the uplink interface, and uses the target VLAN ID as a VLAN ID of the uplink interface.
In addition, the firewall device configures a security domain, a VRF (Virtual Routing and Forwarding) instance, and a default route for the uplink interface. The next-hop IP address in the default route is an IP address belonging to the same network as the uplink interface, that is, the IP address of the upstream device interface communicating with the virtual firewall. The firewall device may determine the next-hop IP address based on a preset default route calculation algorithm, which needs to be adjusted correspondingly according to the preset IP range and the preset valid IP calculation algorithm. For how to configure security domains and VRFs for interfaces, please refer to related technologies; this is not described in detail in this application.
For example, in combination with the example in this embodiment, since the last bits of the valid IP addresses are odd numbers, and there is only one valid IP address belonging to the same network as each valid IP address, the default route calculation algorithm is: and determining the IP address obtained by adding 1 to the last bit of the target IP address as the next hop IP address in the default route. If the last bit of the effective IP address is even number and only one legal IP address belonging to the same network with each effective IP address exists, the default route calculation algorithm is as follows: and determining the IP address of the last bit of the target IP address minus 1 as the next hop IP address in the default route.
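Steps 202 to 206 as a runnable exchange between the two sides, including the step 205 prompts and the default-route next hop; this is an added Python sketch, not code from the patent. The class and method names, the choice of the lowest unused VLAN ID (the text allows any), the check that the returned VLAN ID was actually offered, and the small binding in the demo are assumptions.

```python
import ipaddress


class FirewallDevice:
    """Firewall side: steps 203 and 206."""

    def __init__(self):
        self.uplinks = {}  # VLAN ID -> uplink settings (None while reserved)

    def create_virtual_firewall(self, offered_vlans):
        """Step 203: return an unused VLAN ID from those offered, else None."""
        unused = [v for v in offered_vlans if v not in self.uplinks]
        if not unused:
            return None  # stands for the "VLAN IDs are all used" message
        target = min(unused)  # any unused ID is allowed; lowest is deterministic
        self.uplinks[target] = None  # reserved until the target IP arrives
        return target

    def configure_uplink(self, vlan, ip):
        """Step 206: set IP, VLAN ID and default-route next hop on the uplink."""
        addr = ipaddress.IPv4Address(ip)
        # Default route calculation from the text: odd last bit -> +1,
        # even last bit -> -1 (the other legal address of the same /30).
        peer = addr + 1 if int(addr) % 2 == 1 else addr - 1
        self.uplinks[vlan] = {"ip": ip, "vlan": vlan, "next_hop": str(peer)}
        return self.uplinks[vlan]


class OpenStackServer:
    """Server side: steps 202, 204 and 205."""

    def __init__(self, binding, unbound_ips=(), unbound_vlans=()):
        self.binding = dict(binding)  # VLAN ID -> effective IP
        self.unbound_ips = list(unbound_ips)
        self.unbound_vlans = list(unbound_vlans)

    def handle_create_request(self, firewall):
        # Step 202: send the create command plus the VLAN IDs in the binding.
        target = firewall.create_virtual_firewall(list(self.binding))
        if target is None:
            return {"ok": False, "prompt": self._resource_prompt()}  # step 205
        # Only accept a VLAN ID that was offered; otherwise there is no
        # bound IP and the device state no longer matches the binding.
        if target not in self.binding:
            raise ValueError("firewall returned a VLAN ID that was not offered")
        # Step 204: look up the bound IP and send it to the firewall.
        return {"ok": True,
                "uplink": firewall.configure_uplink(target, self.binding[target])}

    def _resource_prompt(self):
        # Same-serial binding leaves leftovers in at most one of the two lists.
        if self.unbound_ips and not self.unbound_vlans:
            return "increase VLAN range"
        if self.unbound_vlans and not self.unbound_ips:
            return "increase IP address range"
        return "increase IP address range and VLAN range"


def demo():
    """Three create requests against a constructed two-entry binding."""
    server = OpenStackServer({1: "10.1.1.1", 2: "10.1.1.5"},
                             unbound_ips=["10.1.1.9"])
    firewall = FirewallDevice()
    return [server.handle_create_request(firewall) for _ in range(3)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```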
In this embodiment, the upstream device configures, in advance, a plurality of interfaces for communicating with the virtual firewall based on an IP address range, a VLAN range, a binding relationship, an effective IP calculation algorithm, and the like that are configured in advance on the OpenStack server. When any one of the parameters, such as an IP address range, a VLAN range, a binding relationship, an effective IP calculation algorithm, and the like, pre-configured by the OpenStack server is changed, the upstream device modifies an interface for communicating with the virtual firewall.
For example, in combination with the example in this embodiment, when the valid IP addresses change from IP addresses whose last bit is odd to IP addresses whose last bit is even, the IP address of the interface configured by the upstream device for communicating with the virtual firewall changes from an IP address whose last bit is even to an IP address whose last bit is odd, and the next-hop IP address in the backhaul route changes from an IP address whose last bit is odd to an IP address whose last bit is even.
In summary, the OpenStack server is configured with the IP address range and the VLAN range in advance, calculates the effective IP addresses from the IP address range based on the effective IP calculation algorithm, and establishes the binding relationship between the effective IP addresses and the VLAN IDs in the VLAN range in advance. When a virtual firewall needs to be created, the OpenStack server sends a command for creating the virtual firewall and the VLAN IDs in the binding relationship to the firewall device. The firewall device creates the virtual firewall, selects any unused VLAN ID from the binding relationship as the target VLAN ID, and sends the target VLAN ID to the OpenStack server. The OpenStack server acquires the target IP address bound to the target VLAN ID from the binding relationship and sends the target IP address to the firewall device. The firewall device configures an uplink interface for the virtual firewall and takes the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface respectively, thereby realizing automatic configuration of the uplink interface for the virtual firewall based on OpenStack.
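The exchange summarized above, as an added Python simulation that is not code from the patent: the server computes and binds addresses, the firewall device picks a VLAN ID and derives the default-route next hop, and both sides reject inconsistent values. The /30 subnetting, the reading of "last bit" as the last octet, the lowest-free-VLAN choice, and all class and function names are assumptions made for illustration.

```python
import ipaddress

PREFIX = 30  # assumption: every uplink lives in its own /30 (two usable hosts)


def valid_ips(ip_range, odd=True):
    """Assumed valid-IP algorithm: first (odd) or second (even) host of each /30."""
    net = ipaddress.ip_network(ip_range)
    return [list(s.hosts())[0 if odd else 1] for s in net.subnets(new_prefix=PREFIX)]


def bind(ips, vlan_ids):
    """Sort both sides and bind entries that share a serial number: VLAN ID -> IP."""
    return dict(zip(sorted(vlan_ids), sorted(ips)))


def next_hop(target_ip, odd=True):
    """Default-route next hop: last octet +1 for odd valid IPs, -1 for even ones."""
    ip = ipaddress.IPv4Address(target_ip)
    if ((int(ip) & 0xFF) % 2 == 1) != odd:
        raise ValueError(f"{ip} does not match the valid-IP parity in force")
    peer = ip + 1 if odd else ip - 1
    # The peer must be a usable host on the uplink's own network; otherwise the
    # default route would point off-link (for example .3 -> .4 in a /30).
    if peer not in ipaddress.ip_interface(f"{ip}/{PREFIX}").network.hosts():
        raise ValueError(f"next hop {peer} is not on the same network as {ip}")
    return peer


class FirewallDevice:
    def __init__(self):
        self.used_vlans, self.uplinks = set(), {}

    def create_virtual_firewall(self, vlan_ids):
        """Pick an unused VLAN ID (lowest first here); None means all are used."""
        free = sorted(v for v in vlan_ids if v not in self.used_vlans)
        if not free:
            return None
        self.used_vlans.add(free[0])
        return free[0]

    def configure_uplink(self, name, vlan_id, ip, odd=True):
        """Step 206: record IP, VLAN ID and computed next hop for the uplink."""
        self.uplinks[name] = {"vlan": vlan_id, "ip": str(ip),
                              "next_hop": str(next_hop(ip, odd))}
        return self.uplinks[name]


class OpenStackServer:
    def __init__(self, ip_range, vlan_ids, odd=True):
        self.odd, self.vlans = odd, list(vlan_ids)
        self.ips = valid_ips(ip_range, odd)
        self.binding = bind(self.ips, self.vlans)

    def create_firewall(self, fw, name):
        vlan_id = fw.create_virtual_firewall(list(self.binding))
        if vlan_id is None:  # firewall reported that every bound VLAN ID is used
            return {"prompt": self.exhaustion_prompt()}
        if vlan_id not in self.binding:  # reject an ID outside the binding
            raise ValueError(f"VLAN {vlan_id} is not in the binding relationship")
        return fw.configure_uplink(name, vlan_id, self.binding[vlan_id], self.odd)

    def exhaustion_prompt(self):
        """Decide which range the user host should be asked to enlarge."""
        spare_ip = len(self.ips) > len(self.binding)
        spare_vlan = len(self.vlans) > len(self.binding)
        if spare_ip and not spare_vlan:
            return "increase the VLAN range"
        if spare_vlan and not spare_ip:
            return "increase the IP address range"
        return "increase the IP address range and the VLAN range"


if __name__ == "__main__":
    # Constructed sample: four /30 subnets, two VLAN IDs.
    server, fw = OpenStackServer("10.0.0.0/28", range(100, 102)), FirewallDevice()
    for name in ("vfw1", "vfw2", "vfw3"):
        print(name, server.create_firewall(fw, name))
```

The third request in the sample exhausts the bound VLAN IDs while valid IP addresses remain, so the server returns the prompt to increase the VLAN range.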
Example two
Corresponding to the first embodiment of the method for configuring the device uplink interface based on the OpenStack, the present application further provides a second embodiment of a device for configuring the device uplink interface based on the OpenStack.
The second embodiment of the apparatus for configuring the device uplink interface based on OpenStack can be applied to an OpenStack server. The apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a device in a logical sense, is formed when the processor of the OpenStack server where it is located reads the corresponding computer program instructions from the nonvolatile memory into the memory and runs them. From a hardware aspect, fig. 3 shows a hardware structure diagram of the OpenStack server where the apparatus for configuring the device uplink interface based on OpenStack according to the second embodiment is located. In addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the OpenStack server where the apparatus of the second embodiment is located may also include other hardware according to the actual function of configuring the device uplink interface based on OpenStack, which is not described again.
Referring to fig. 4, fig. 4 is a diagram illustrating an apparatus for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present disclosure, which is applied to an OpenStack server. The device comprises: a first sending unit 410, an obtaining unit 420 and a second sending unit 430.
The first sending unit 410 is configured to, when receiving a request sent by a user host to create a virtual firewall, send a command to create the virtual firewall to the firewall device, and send a VLAN ID in a binding relationship established in advance to the firewall device, so that the firewall device creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit 420 is configured to receive the target VLAN ID returned by the firewall device, and obtain a target IP address bound to the target VLAN ID according to the binding relationship;
the second sending unit 430 is configured to send the target IP address to the firewall device, so that the firewall device configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are an IP address and a VLAN ID of the uplink interface, respectively.
In this embodiment, the apparatus further includes:
the sorting unit is used for sorting the effective IP addresses based on a preset IP address sorting mechanism and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism;
and the establishing unit is used for establishing the binding relationship between the effective IP address and the VLAN ID with the same serial number.
A judging unit, configured to judge whether an unbound effective IP address exists and whether an unbound VLAN ID exists in the VLAN range if receiving a message that all VLAN IDs in the binding relationship returned by the firewall device are used;
a prompt message sending unit, configured to send a prompt message for increasing the VLAN range to the user host if an unbound valid IP address exists and the VLAN IDs in the VLAN range are bound; if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host; and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
Example three
Corresponding to the first embodiment of the method for configuring the device uplink interface based on the OpenStack, the present application further provides a third embodiment of a device for configuring the device uplink interface based on the OpenStack.
The third embodiment of the apparatus for configuring the device uplink interface based on OpenStack can be applied to a firewall device. The apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a device in a logical sense, is formed when the processor of the firewall device where it is located reads the corresponding computer program instructions from the nonvolatile memory into the internal memory and runs them. In terms of hardware, fig. 5 shows a hardware structure diagram of the firewall device where the apparatus for configuring the device uplink interface based on OpenStack according to the third embodiment of the present application is located. In addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 5, the firewall device where the apparatus of the third embodiment is located may also include other hardware according to the actual function of configuring the device uplink interface based on OpenStack, and details of this are not repeated.
Referring to fig. 6, fig. 6 shows the third embodiment of an apparatus for configuring an uplink interface of a device based on OpenStack according to the present application, which is applied to a firewall device. The device comprises: a receiving unit 610, a creating unit 620, a selecting unit 630, a transmitting unit 640, and a configuring unit 650.
The receiving unit 610 is configured to receive a command for creating a virtual firewall and a VLAN ID, where the command is sent by an OpenStack server when receiving a request for creating a virtual firewall, where the request is sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
the creating unit 620 is configured to create a virtual firewall based on the command;
the selecting unit 630 is configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
the sending unit 640 is configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
the configuration unit 650 is configured to receive the target IP address sent by the OpenStack server, and configure the uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID become an IP address and a VLAN ID of the uplink interface, respectively.
In this embodiment, the sending unit 640 is further configured to:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (10)
1. A method for configuring an uplink interface of a device based on OpenStack is applied to an OpenStack server, and is characterized in that the OpenStack server configures an IP address range and a VLAN range in advance, and comprises the following steps:
when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation;
and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
2. The method of claim 1, wherein the pre-established binding relationship comprises:
sequencing the effective IP addresses based on a preset IP address sequencing mechanism, and sequencing the VLAN IDs in the VLAN range based on a preset VLAN sequencing mechanism;
and establishing a binding relationship between the effective IP address and the VLAN ID with the same serial number.
3. The method of claim 1, further comprising:
if receiving the message returned by the firewall equipment that the VLAN IDs in the binding relationship are all used, judging whether an unbound effective IP address exists or not and whether an unbound VLAN ID exists in the VLAN range or not;
if an effective IP address which is not bound exists and VLAN IDs in the VLAN range are bound, sending prompt information for increasing the VLAN range to the user host;
if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host;
and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
4. A method for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and is characterized by comprising the following steps:
receiving a command for creating a virtual firewall and a VLAN ID which are sent by an OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the OpenStack server configures an IP address range and a VLAN range in advance, and a VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
creating a virtual firewall based on the command, selecting any unused VLAN ID from VLAN IDs in the binding relationship sent by an OpenStack server as a target VLAN ID, and sending the target VLAN ID to the OpenStack server so that the OpenStack server can obtain a target IP address bound with the target VLAN ID from the binding relationship;
and receiving the target IP address sent by the OpenStack server, and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID become the IP address and the VLAN ID of the uplink interface respectively.
5. The method of claim 4, further comprising:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
6. An apparatus for configuring an uplink interface of a device based on OpenStack is applied to an OpenStack server, and is characterized in that the OpenStack server configures an IP address range and a VLAN range in advance, and includes:
the first sending unit is used for sending a command for creating the virtual firewall to the firewall equipment and sending the VLAN ID in the pre-established binding relationship to the firewall equipment when receiving a request for creating the virtual firewall sent by the user host, so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit is used for receiving the target VLAN ID returned by the firewall equipment and obtaining a target IP address bound with the target VLAN ID according to the binding relationship;
and the second sending unit is used for sending the target IP address to the firewall equipment so as to enable the firewall equipment to configure an uplink interface of the virtual firewall, and enable the target IP address and the target VLAN ID to become the IP address and the VLAN ID of the uplink interface respectively.
7. The apparatus of claim 6, further comprising:
the sorting unit is used for sorting the effective IP addresses based on a preset IP address sorting mechanism and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism;
and the establishing unit is used for establishing the binding relationship between the effective IP address and the VLAN ID with the same serial number.
8. The apparatus of claim 6, further comprising:
a judging unit, configured to judge whether an unbound effective IP address exists and whether an unbound VLAN ID exists in the VLAN range if receiving a message that all VLAN IDs in the binding relationship returned by the firewall device are used;
a prompt message sending unit, configured to send a prompt message for increasing the VLAN range to the user host if there is an unbound valid IP address and VLAN IDs in the VLAN range are bound; if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host; and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
9. A device for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and is characterized by comprising the following components:
the receiving unit is used for receiving a command for creating the virtual firewall and a VLAN ID which are sent by the OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the OpenStack server configures an IP address range and a VLAN range in advance, and a VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
a creating unit configured to create a virtual firewall based on the command;
a selecting unit, configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
a sending unit, configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
and the configuration unit is used for receiving the target IP address sent by the OpenStack server and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively used as the IP address and the VLAN ID of the uplink interface.
10. The apparatus of claim 9, comprising:
the sending unit is further configured to:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710740862.1A CN107517129B (en) | 2017-08-25 | 2017-08-25 | Method and device for configuring uplink interface of equipment based on OpenStack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710740862.1A CN107517129B (en) | 2017-08-25 | 2017-08-25 | Method and device for configuring uplink interface of equipment based on OpenStack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107517129A CN107517129A (en) | 2017-12-26 |
CN107517129B true CN107517129B (en) | 2020-04-03 |
Family
ID=60724031
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710740862.1A Active CN107517129B (en) | 2017-08-25 | 2017-08-25 | Method and device for configuring uplink interface of equipment based on OpenStack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107517129B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107517129A (en) | 2017-12-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |