CN107517129B - Method and device for configuring uplink interface of equipment based on OpenStack - Google Patents

Publication number
CN107517129B
Authority
CN
China
Prior art keywords
vlan
address
target
firewall
range
Prior art date
Legal status
Active
Application number
CN201710740862.1A
Other languages
Chinese (zh)
Other versions
CN107517129A (en)
Inventor
胡有福
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201710740862.1A
Publication of CN107517129A
Application granted
Publication of CN107517129B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a device for configuring an uplink interface of equipment based on OpenStack, wherein the method comprises the following steps: when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to the firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation; and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface. By adopting the technical method provided by the application, the uplink interface of the equipment is automatically configured.

Description

Method and device for configuring uplink interface of equipment based on OpenStack
Technical Field
The present application relates to the field of network communication technologies, and in particular, to a method and an apparatus for configuring an uplink interface of a device based on OpenStack.
Background
OpenStack is a cloud computing management platform that is simple to implement, massively scalable, feature-rich, and uniformly standardized, and it supports almost all types of cloud environments. Through a set of complementary services, each of which provides APIs for integration, the OpenStack server provides an Infrastructure as a Service (IaaS) solution for a service cluster consisting of various sites that provide different services.
OpenStack covers various aspects of networking, virtualization, operating systems, servers, and so on. OpenStack includes core projects of several different service types, such as compute, object storage, image service, identity service, network and address management (Neutron), and the like.
Neutron provides a Network virtualization technology of cloud computing, provides Network connection Service for other services of OpenStack, provides an interface for a user, and can define Network, Subnet and Router, configure DHCP, DNS, load balancing, L3 Service, and support GRE, VLAN, FWaaS (Firewall as a Service) and the like.
FWaaS implements the firewall function in software. Because a software implementation is not as powerful as a hardware device, FWaaS is usually replaced by a firewall function implemented by a hardware device. Firewall devices are typically deployed at network egress locations.
Referring to fig. 1, fig. 1 is a schematic diagram of a network connection for creating a virtual firewall based on OpenStack shown in the prior art. In the prior art, when a user operates OpenStack to create a virtual network, since the virtual network cannot directly access an external network, the external network needs to be accessed by a physical device connected with the external network. Meanwhile, in order to maintain network security, network isolation needs to be performed through a firewall device. Thus, the firewall device serves as a bridge between the virtual network and the extranet. In order to establish the connection between the virtual network and the firewall device, the firewall device needs to virtualize a virtual firewall through a virtualization technology, and the communication between the virtual network and the firewall device is realized by establishing the connection between the virtual network and the virtual firewall.
Since the virtual network is created by OpenStack, configuration data of the virtual network is stored in the OpenStack server. When a user host in the virtual network needs to receive and send a message, the message passes through the OpenStack server.
In addition, when a virtual network is created through OpenStack, only a downlink interface of the virtual firewall is configured on the firewall device, where the downlink interface refers to a virtual interface through which the virtual network communicates with the virtual firewall, so that only communication between the virtual network and the virtual firewall can be achieved, and communication between the virtual network and an external network cannot be achieved. In order to implement the communication between the virtual network and the external network, in the prior art, an administrator of the firewall device needs to manually configure an uplink interface for the virtual network on the firewall device, where the uplink interface refers to a virtual interface through which the virtual firewall communicates with the external network.
When configuring an uplink interface for the virtual network, a firewall device administrator needs to specify an IP address, a VLAN ID, a default route, and the like of the uplink interface, where a next-hop device in the default route is an upstream device of the firewall device. In order to implement communication between the upstream device and the virtual firewall, an administrator of the upstream device also needs to manually configure an interface corresponding to the upstream interface on the upstream device based on information such as the IP address and VLAN ID of the upstream interface, including the IP address, VLAN ID, backhaul route, and the like that specify the interface.
In the prior art, each time a virtual firewall is created, an administrator of the firewall device needs to manually configure an uplink interface on the firewall device, and an administrator of the upstream device needs to manually configure an interface corresponding to the uplink interface on the upstream device.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for configuring an uplink interface of a device based on OpenStack, so as to implement automatic configuration of the uplink interface of the device.
Specifically, the method is realized through the following technical scheme:
a method for configuring an uplink interface based on OpenStack is applied to an OpenStack server, wherein the OpenStack server is preconfigured with an IP address range and a VLAN range, and the method comprises the following steps:
when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to the firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation;
and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
A method for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and comprises the following steps:
receiving a command for creating a virtual firewall and a VLAN ID which are sent by an OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
creating a virtual firewall based on the command, selecting any unused VLAN ID from VLAN IDs in the binding relationship sent by an OpenStack server as a target VLAN ID, and sending the target VLAN ID to the OpenStack server so that the OpenStack server can obtain a target IP address bound with the target VLAN ID from the binding relationship;
and receiving the target IP address sent by the OpenStack server, and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
An apparatus for configuring an uplink interface based on OpenStack is applied to an OpenStack server, where the OpenStack server is preconfigured with an IP address range and a VLAN range, and includes:
the first sending unit is used for sending a command for creating the virtual firewall to the firewall equipment and sending the VLAN ID in the pre-established binding relationship to the firewall equipment when receiving a request for creating the virtual firewall sent by a user host, so that the firewall equipment creates the virtual firewall and acquires a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit is used for receiving the target VLAN ID returned by the firewall equipment and obtaining a target IP address bound with the target VLAN ID according to the binding relationship;
and the second sending unit is used for sending the target IP address to the firewall equipment so as to enable the firewall equipment to configure an uplink interface of the virtual firewall, and enable the target IP address and the target VLAN ID to become the IP address and the VLAN ID of the uplink interface respectively.
A device for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and comprises:
the receiving unit is used for receiving a command for creating the virtual firewall and a VLAN ID which are sent by the OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
a creating unit configured to create a virtual firewall based on the command;
a selecting unit, configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
a sending unit, configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
and the configuration unit is used for receiving the target IP address sent by the OpenStack server and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively used as the IP address and the VLAN ID of the uplink interface.
Because an IP address range and a VLAN range are configured in advance at the OpenStack server, an effective IP address is calculated from the IP address range based on an effective IP calculation algorithm, and a binding relationship between the effective IP address and a VLAN ID in the VLAN range is established in advance, when a virtual firewall needs to be created, the OpenStack server transmits a command for creating the virtual firewall and the VLAN ID in the binding relationship to the firewall device. And the firewall equipment creates a virtual firewall, selects any unused VLAN ID from the binding relationship as a target VLAN ID, and sends the target VLAN ID to the OpenStack server. And the OpenStack server acquires the target IP address bound with the target VLAN ID from the binding relationship and sends the target IP address to the firewall equipment. And configuring an uplink interface for the firewall equipment, and respectively taking the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface, thereby realizing automatic configuration of the uplink interface for the virtual firewall based on OpenStack.
Drawings
Fig. 1 is a schematic diagram of a network connection for creating a virtual firewall based on OpenStack shown in the prior art;
fig. 2 is a flowchart of a method for configuring an uplink interface of a device based on OpenStack according to an embodiment of the present application;
fig. 3 is a hardware structure diagram of an OpenStack server where a device for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present application is located;
fig. 4 is a device for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present application;
fig. 5 is a hardware structure diagram of a firewall device where a device that configures an uplink interface of a device based on OpenStack according to a third embodiment of the present application is located;
fig. 6 is a device for configuring an uplink interface of a device based on OpenStack according to a third embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Example one
In order to implement automatic configuration of an uplink interface of a device, an embodiment of the present application provides a method for configuring an uplink interface of a device based on OpenStack, please refer to fig. 2, and fig. 2 is a flowchart of a method for configuring an uplink interface of a device based on OpenStack according to an embodiment of the present application. The following steps are specifically executed:
Step 201: initializing an OpenStack server, and establishing a binding relationship between an effective IP address and a VLAN ID in a preset VLAN range;
In this embodiment, the OpenStack server configures an IP address range and a VLAN range in advance. The IP address range belongs to an external network IP address range, and the IP address range can be expanded and modified according to actual requirements.
When the OpenStack server is initialized, a preconfigured IP address range can be calculated based on a preset effective IP calculation algorithm, and an effective IP address is obtained from the IP address range. And the effective IP address is an IP address which can be allocated to the virtual firewall uplink interface for use.
In this embodiment, since the IP address assigned to the upstream interface of the virtual firewall and the IP address assigned to the upstream device interface communicating with the virtual firewall must belong to the same network, at least one IP address must exist that belongs to the same network as the IP address assigned to the upstream interface of the virtual firewall. The network where the legal IP address allocated to the uplink interface of the virtual firewall is located at least comprises two reserved addresses and two legal IP addresses allocable to the host for use.
The effective IP calculation algorithm is that the OpenStack server acquires a legal IP address set which can be allocated to a host from a pre-configured IP address range, and then determines an effective IP address set allocated to a virtual firewall uplink interface from the legal IP address set.
For example, the IP address range pre-configured at the OpenStack server is 10.1.1.0/30-10.1.2.0/30. Because the subnet mask of the IP address in the IP address range is 30 bits, the network bit of each IP address in the IP address range is the first 30 bits of the 32-bit IP address, and the host bit is the last two bits, wherein the IP addresses of all 0 and all 1 bits of the host bit are reserved addresses and cannot be allocated to the host for use, so that only two legal IP addresses in the IP address formed by the two bits of the host bit can be allocated to the host for use. In other words, the IP address range may be divided into a number of subnets with only two legitimate IP addresses that may be assigned for use by the host.
Since the legal IP address assigned to the upstream interface of the virtual firewall and the legal IP address assigned to the upstream device interface communicating with the virtual firewall must belong to the same network, one of the two legal IP addresses available to the host in each subnet is assigned to the upstream interface to be configured and the other is assigned to the upstream device interface communicating with the virtual firewall.
Legal IP addresses which can be allocated to the hosts and are shown in Table 1 can be obtained from the IP address range 10.1.1.0/30-10.1.2.0/30.
Subnet serial number    IP address 1    IP address 2
1                       10.1.1.1        10.1.1.2
2                       10.1.1.5        10.1.1.6
3                       10.1.1.9        10.1.1.10
4                       10.1.1.13       10.1.1.14
…                       …               …
65                      10.1.1.253      10.1.1.254
TABLE 1
Table 1 shows the two legal IP addresses that can be allocated to hosts in each subnet: the last octet of one IP address is odd and the last octet of the other is even. For example, in subnet 1 the last octet of IP address 1 (10.1.1.1) is 1, and the last octet of IP address 2 (10.1.1.2) is 2.
Assuming that the OpenStack server determines an IP address with an odd last octet as an IP address that can be allocated to the virtual firewall uplink interface, an effective IP calculation algorithm preset by the OpenStack server is as follows:
1) acquire the initial IP address from the IP address range;
2) judge whether the obtained IP address is a legal IP address; if it is not a legal IP address, execute 3); if it is a legal IP address, execute 4);
3) increment the IP address by 1 and judge whether the resulting IP address is within the IP address range; if so, execute 2) on it; if not, end;
4) judge the parity of the last octet of the IP address; if it is even, execute 3); if it is odd, add the IP address to a preset IP list, and also add to the IP list every IP address within the IP address range whose last octet equals the last octet of that IP address + 4 × n, where n is a positive integer;
5) read the last IP address in the IP list, and judge whether the IP address obtained by adding 1 to its last octet is within the preconfigured IP address range. If so, the IP address is retained in the IP list; if not, it is deleted from the IP list.
Of the two legal IP addresses in the same subnet, the one whose last octet is even is the larger. Therefore, if the first legal IP address obtained in step 4) has an even last octet, the legal IP address belonging to the same subnet does not exist in the preconfigured IP address range, and that IP address is not usable.
Since the last octet of each IP address in the IP list is odd, and the last IP address in the IP list may be the last IP address in the preconfigured IP address range, step 5) needs to determine whether the IP address obtained by adding 1 to the last octet of the last IP address in the IP list is within the preconfigured IP address range; if so, the IP address is retained in the IP list, and if not, the IP address is deleted from the IP list.
Of course, the OpenStack server may instead allocate the legal IP addresses with an even last octet to the virtual firewall uplink interface.
It should be noted that, in this embodiment, the effective IP calculation algorithm needs to be adjusted correspondingly according to the change of the pre-configured IP address range, and the effective IP calculation algorithm may be flexible and changeable, and is not limited in this application.
In this embodiment, in an initialization process of the OpenStack server, the effective IP addresses may be sorted based on a preset IP address sorting mechanism, and then sequentially added to a preset IP list; and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism, and adding the VLAN IDs in the preset VLAN range to a preset VLAN list.
For example, in combination with the above example in this embodiment, it is assumed that the IP address sorting mechanism sorts the effective IP addresses in the order from small to large according to the last numerical value of the effective IP addresses, the VLAN sorting mechanism sorts the VLAN IDs in the preconfigured VLAN range in the order from small to large according to the numerical value of the VLAN IDs, and the preconfigured VLAN range is from VLAN 1 to VLAN 50. The OpenStack server can obtain the IP list shown in table 2 and the VLAN list shown in table 3 during an initialization process.
[Table 2, the IP list: present only as an image in the original]
TABLE 2
Serial number    VLAN ID
1                VLAN 1
2                VLAN 2
3                VLAN 3
…                …
50               VLAN 50
TABLE 3
In this embodiment, after obtaining the IP list and the VLAN list, the OpenStack server may establish a binding relationship between an effective IP address in the IP list and a VLAN ID with the same sequence number in the VLAN list.
The number of the effective IP addresses in the IP list and the number of the VLAN IDs in the VLAN list may be different, and after the binding relationship between the effective IP addresses and the VLAN IDs with the same serial number is established, the IP list may have remaining effective IP addresses to be bound, or the VLAN list may have remaining VLAN IDs to be bound, or both the effective IP addresses in the IP list and the VLAN IDs in the VLAN list may have been bound.
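The following Python code is an added example, not part of the patent text. It implements step 201 for /30 subnets: it computes the odd-numbered uplink addresses and binds them to VLAN IDs by serial number, using integer arithmetic so that ranges crossing an octet boundary also work, which goes beyond the five listed steps. The function names and the reading of the range as an inclusive first/last address pair (10.1.1.0 to 10.1.2.3) are assumptions.

```python
import ipaddress

SUBNET_SIZE = 4  # a /30 holds 4 addresses: network, two hosts, broadcast


def valid_uplink_ips(first, last):
    """Return the odd host address of every /30 whose two host addresses
    both lie inside the inclusive range first..last (assumed range format).

    The odd host is the virtual firewall uplink address; the even host
    (odd + 1) is left for the upstream device interface.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    base = lo - (lo % SUBNET_SIZE)  # network address of the /30 containing lo
    uplinks = []
    # base + 0 and base + 3 are the reserved addresses and are never selected.
    while base + 2 <= hi:  # even host must be in range (the step 5 check)
        if base + 1 >= lo:  # odd host must be in range (the step 4 check)
            uplinks.append(ipaddress.IPv4Address(base + 1))
        base += SUBNET_SIZE
    return uplinks


def bind_by_serial(uplinks, vlan_ids):
    """Bind the n-th smallest uplink IP to the n-th smallest VLAN ID.

    Returns (binding, unbound_ips, unbound_vlans); binding maps
    VLAN ID -> IPv4Address. One of the two leftover lists is always empty.
    """
    vlans = sorted(set(vlan_ids))
    for vlan in vlans:
        if not 1 <= vlan <= 4094:  # usable 802.1Q VLAN IDs
            raise ValueError(f"VLAN ID {vlan} is outside 1..4094")
    ips = sorted(uplinks)
    binding = dict(zip(vlans, ips))
    bound = len(binding)
    return binding, ips[bound:], vlans[bound:]


if __name__ == "__main__":
    # Range from the example above, read as 10.1.1.0 through 10.1.2.3 (assumption).
    ips = valid_uplink_ips("10.1.1.0", "10.1.2.3")
    binding, spare_ips, spare_vlans = bind_by_serial(ips, range(1, 51))
    for vlan in (1, 2, 3, 50):
        print(f"VLAN {vlan:>2} -> {binding[vlan]}")
    print(f"{len(spare_ips)} unbound IPs, {len(spare_vlans)} unbound VLAN IDs")
```

With the VLAN range 1 to 50 from the example, fifteen effective IP addresses remain unbound, which is the "remaining effective IP addresses" case described above.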
Step 202: the OpenStack server sends a command for creating a virtual firewall to the firewall equipment, and sends the VLAN ID in the binding relationship to the firewall equipment;
in this embodiment, after the OpenStack server completes initialization, the OpenStack server already establishes a binding relationship between an effective IP address and a VLAN ID in a preconfigured VLAN range. When the OpenStack server receives a request sent by a user host for creating a virtual firewall, the OpenStack server may send a command for creating a virtual firewall to the firewall device, and send the VLAN ID in the binding relationship to the firewall device.
Step 203: the firewall equipment creates a virtual firewall based on the command for creating the virtual firewall, and selects any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server side as a target VLAN ID;
in this embodiment, when the firewall device receives a command sent by the OpenStack server to create a virtual firewall, the firewall device may generate a virtual firewall based on a virtualization technology. Meanwhile, after the firewall device receives the VLAN ID in the binding relationship sent by the OpenStack server, the firewall device may find whether an unused VLAN ID exists in the VLAN ID in the binding relationship.
If the VLAN IDs in the binding relationship have unused VLAN IDs, the firewall equipment can select any VLAN ID from the unused VLAN IDs as a target VLAN ID and send the target VLAN ID to the OpenStack server; and if the VLAN IDs in the binding relationship are all used, the firewall equipment sends information that the VLAN IDs are all used to the OpenStack server side.
Step 204: when the OpenStack server receives a target VLAN ID sent by firewall equipment, the OpenStack server sends a target IP address bound with the target VLAN ID to the firewall equipment;
in this embodiment, when the OpenStack server receives the target VLAN ID sent by the firewall device, the OpenStack server searches for a valid IP address bound to the target VLAN ID from the binding relationship. And the OpenStack server takes the effective IP address as a target IP address and sends the target IP address to the firewall equipment.
Step 205: when the OpenStack server receives the information that the VLAN IDs sent by the firewall equipment are used, the OpenStack server sends prompt information of actual resources to the user host;
when the OpenStack server receives the information that the VLAN IDs sent by the firewall device are used, the OpenStack server searches whether an effective IP address which is not bound exists in an IP list or not and searches whether a VLAN ID which is not bound exists in the VLAN list or not;
if an effective IP address which is not bound exists and VLAN IDs in the VLAN range are bound, sending prompt information for increasing the VLAN range to the user host;
if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host;
and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
When the user host receives the prompt message, an administrator needs to increase an IP address range and/or a VLAN range at the OpenStack server according to the prompt message; the added IP address range and/or VLAN range are/is added behind the originally configured IP address range and/or originally configured VLAN range, so that the change of data generated by OpenStack based on the originally configured IP address range and VLAN range can be avoided, the IP address range is reduced, and/or after the VLAN range is changed, the OpenStack server calculates effective IP addresses based on the originally configured IP address range and VLAN range, and the process of establishing the binding relationship is carried out.
Step 206: when the firewall equipment receives the target IP address, the firewall equipment configures an uplink interface of the virtual firewall, and takes the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface respectively.
In this embodiment, when the firewall device receives a target IP address sent by the OpenStack server, the firewall device configures an uplink interface for the created virtual firewall, uses the target IP address as an IP address of the uplink interface, and uses the target VLAN ID as a VLAN ID of the uplink interface.
In addition, the firewall device configures a security domain, VRF (Virtual Routing and Forwarding), and a default route for the uplink interface. The next-hop IP address in the default route is an IP address belonging to the same network as the uplink interface, that is, the IP address of the upstream device interface that communicates with the virtual firewall. The firewall device may determine the next-hop IP address based on a preset default route calculation algorithm, and this algorithm must be adjusted to match the preset IP range and the preset valid IP calculation algorithm. For how to configure security domains and VRFs for interfaces, refer to the related art; this is not described in detail in this application.
For example, in combination with the example in this embodiment, since the last bits of the valid IP addresses are odd numbers, and there is only one valid IP address belonging to the same network as each valid IP address, the default route calculation algorithm is: determine the IP address obtained by adding 1 to the last bit of the target IP address as the next-hop IP address in the default route. If the last bit of each valid IP address is an even number and there is only one legal IP address belonging to the same network as each valid IP address, the default route calculation algorithm is: determine the IP address obtained by subtracting 1 from the last bit of the target IP address as the next-hop IP address in the default route.
In this embodiment, the upstream device configures, in advance, a plurality of interfaces for communicating with the virtual firewall based on an IP address range, a VLAN range, a binding relationship, an effective IP calculation algorithm, and the like that are configured in advance on the OpenStack server. When any one of the parameters, such as an IP address range, a VLAN range, a binding relationship, an effective IP calculation algorithm, and the like, pre-configured by the OpenStack server is changed, the upstream device modifies an interface for communicating with the virtual firewall.
For example, in combination with the example in this embodiment, when the valid IP addresses change from addresses whose last bit is odd to addresses whose last bit is even, the IP address of the interface that the upstream device configures for communicating with the virtual firewall changes from an address whose last bit is even to one whose last bit is odd, and the next-hop IP address in the backhaul route changes from an address whose last bit is odd to one whose last bit is even.
In summary, the OpenStack server is configured with the IP address range and the VLAN range in advance, calculates the effective IP addresses from the IP address range based on the effective IP calculation algorithm, and establishes in advance the binding relationship between the effective IP addresses and the VLAN IDs in the VLAN range. When a virtual firewall needs to be created, the OpenStack server sends the firewall device a command for creating the virtual firewall together with the VLAN IDs in the binding relationship. The firewall device creates the virtual firewall, selects any unused VLAN ID from the binding relationship as the target VLAN ID, and sends the target VLAN ID to the OpenStack server. The OpenStack server obtains the target IP address bound to the target VLAN ID from the binding relationship and sends the target IP address to the firewall device. The firewall device then configures an uplink interface and takes the target IP address and the target VLAN ID as the IP address and the VLAN ID of the uplink interface, respectively, thereby realizing automatic configuration of the uplink interface for the virtual firewall based on OpenStack.
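The allocation flow summarised above, as an added Python sketch (not code from the patent or from OpenStack). It assumes each uplink is a /30 network whose first host address is the effective IP, ascending order for both sorting mechanisms, and constructed sample values (192.0.2.0/28, VLAN 100 to 102); all function names are hypothetical.

```python
import ipaddress

# Assumption: the "effective IP calculation algorithm" is modelled as
# "first host address of every /30 inside the configured range", which
# yields addresses whose last bit is odd, as in the embodiment's example.
def effective_ips(ip_range):
    net = ipaddress.ip_network(ip_range)
    return [sub.network_address + 1 for sub in net.subnets(new_prefix=30)]

def build_bindings(ip_range, vlan_range):
    """Sort both lists and bind entries that share a serial number."""
    ips = sorted(effective_ips(ip_range))
    vlans = sorted(vlan_range)
    bound = dict(zip(vlans, ips))          # VLAN ID -> effective IP
    n = len(bound)
    return bound, ips[n:], vlans[n:]       # bindings, unbound IPs, unbound VLANs

def pick_target_vlan(offered, in_use):
    """Firewall side: any offered VLAN ID that is not yet used."""
    for vlan in offered:
        if vlan not in in_use:
            return vlan
    return None                            # stands for the "all used" message

def resolve_target_ip(bound, target_vlan):
    """Server side: refuse a VLAN ID that was never part of the binding."""
    if target_vlan not in bound:
        raise ValueError(f"VLAN {target_vlan} is not in the binding relationship")
    return bound[target_vlan]

def exhaustion_prompt(unbound_ips, unbound_vlans):
    """Which range the administrator is asked to increase."""
    if unbound_ips and not unbound_vlans:
        return "increase VLAN range"
    if unbound_vlans and not unbound_ips:
        return "increase IP address range"
    if not unbound_ips and not unbound_vlans:
        return "increase IP address range and VLAN range"
    return None  # cannot occur when binding pairs entries by serial number

def default_next_hop(target_ip):
    """Odd last bit: peer is +1. Even last bit: peer is -1."""
    ip = ipaddress.ip_address(target_ip)
    peer = ip + 1 if int(ip) % 2 else ip - 1
    # Check that the computed peer is a usable host on the same /30
    # (assumed prefix length), so a misaligned target IP is caught early.
    net = ipaddress.ip_network(f"{ip}/30", strict=False)
    if peer not in net or peer in (net.network_address, net.broadcast_address):
        raise ValueError(f"{peer} is not a host address in {net}")
    return peer

if __name__ == "__main__":
    # Constructed sample: four /30 networks, three VLAN IDs.
    bound, spare_ips, spare_vlans = build_bindings("192.0.2.0/28", range(100, 103))
    vlan = pick_target_vlan(list(bound), in_use={100})
    ip = resolve_target_ip(bound, vlan)
    print(f"uplink: vlan={vlan} ip={ip} next-hop={default_next_hop(ip)}")
    print("when all VLAN IDs are used:", exhaustion_prompt(spare_ips, spare_vlans))
```
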
Example two
Corresponding to the first embodiment of the method for configuring the device uplink interface based on the OpenStack, the present application further provides a second embodiment of a device for configuring the device uplink interface based on the OpenStack.
The second embodiment of the apparatus for configuring the device uplink interface based on OpenStack can be applied to an OpenStack server. The second apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a device in a logical sense, is formed when the processor of the OpenStack server where it is located reads the corresponding computer program instructions from the nonvolatile memory into memory and runs them. From a hardware aspect, fig. 3 shows a hardware structure diagram of the OpenStack server where the apparatus for configuring an uplink interface of a device based on OpenStack according to the second embodiment of the present disclosure is located. In addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the OpenStack server where the apparatus in the second embodiment is located may also include other hardware according to the actual function of configuring the uplink interface of the device based on OpenStack, which is not described again.
Referring to fig. 4, fig. 4 is a diagram illustrating an apparatus for configuring an uplink interface of a device based on OpenStack according to a second embodiment of the present disclosure, which is applied to an OpenStack server. The device comprises: a first sending unit 410, an obtaining unit 420 and a second sending unit 430.
The first sending unit 410 is configured to, when receiving a request sent by a user host to create a virtual firewall, send a command to create the virtual firewall to the firewall device, and send a VLAN ID in a binding relationship established in advance to the firewall device, so that the firewall device creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit 420 is configured to receive the target VLAN ID returned by the firewall device, and obtain a target IP address bound to the target VLAN ID according to the binding relationship;
the second sending unit 430 is configured to send the target IP address to the firewall device, so that the firewall device configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are an IP address and a VLAN ID of the uplink interface, respectively.
In this embodiment, the apparatus further includes:
the sorting unit is used for sorting the effective IP addresses based on a preset IP address sorting mechanism and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism;
and the establishing unit is used for establishing the binding relationship between the effective IP address and the VLAN ID with the same serial number.
a judging unit, configured to judge whether an unbound effective IP address exists and whether an unbound VLAN ID exists in the VLAN range if receiving a message that all VLAN IDs in the binding relationship returned by the firewall device are used;
a prompt message sending unit, configured to send a prompt message for increasing the VLAN range to the user host if an unbound valid IP address exists and the VLAN IDs in the VLAN range are bound; if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host; and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
Example three
Corresponding to the first embodiment of the method for configuring the device uplink interface based on the OpenStack, the present application further provides a third embodiment of a device for configuring the device uplink interface based on the OpenStack.
The third embodiment of the apparatus for configuring the device uplink interface based on OpenStack can be applied to firewall devices. The third embodiment of the apparatus may be implemented by software, by hardware, or by a combination of hardware and software. Taking a software implementation as an example, the apparatus, as a device in a logical sense, is formed when the processor of the firewall device where it is located reads the corresponding computer program instructions from the nonvolatile memory into internal memory and runs them. In terms of hardware, fig. 5 shows a hardware structure diagram of the firewall device where the apparatus for configuring an uplink interface of a device based on OpenStack according to the third embodiment of the present application is located. In addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 5, the firewall device where the apparatus in the third embodiment is located may also include other hardware according to the actual function of configuring the uplink interface of the device based on OpenStack, and details of this are not repeated.
Referring to fig. 6, fig. 6 is a diagram illustrating an apparatus for configuring an uplink interface of a device based on OpenStack according to the third embodiment of the present application, which is applied to a firewall device. The device comprises: a receiving unit 610, a creating unit 620, a selecting unit 630, a transmitting unit 640, and a configuring unit 650.
The receiving unit 610 is configured to receive a command for creating a virtual firewall and a VLAN ID, where the command is sent by an OpenStack server when receiving a request for creating a virtual firewall, where the request is sent by a user host; the VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
the creating unit 620 is configured to create a virtual firewall based on the command;
the selecting unit 630 is configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
the sending unit 640 is configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
the configuration unit 650 is configured to receive the target IP address sent by the OpenStack server, and configure the uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID become an IP address and a VLAN ID of the uplink interface, respectively.
In this embodiment, the sending unit 640 is further configured to:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method for configuring an uplink interface of a device based on OpenStack is applied to an OpenStack server, and is characterized in that the OpenStack server configures an IP address range and a VLAN range in advance, and comprises the following steps:
when a request for creating a virtual firewall sent by a user host is received, sending a command for creating the virtual firewall to firewall equipment, and sending a VLAN ID in a binding relationship established in advance to the firewall equipment so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
receiving the target VLAN ID returned by the firewall equipment, and acquiring a target IP address bound with the target VLAN ID according to the binding relation;
and sending the target IP address to the firewall equipment so that the firewall equipment configures an uplink interface of the virtual firewall, and the target IP address and the target VLAN ID are respectively an IP address and a VLAN ID of the uplink interface.
2. The method of claim 1, wherein the pre-established binding relationship comprises:
sequencing the effective IP addresses based on a preset IP address sequencing mechanism, and sequencing the VLAN IDs in the VLAN range based on a preset VLAN sequencing mechanism;
and establishing a binding relationship between the effective IP address and the VLAN ID with the same serial number.
3. The method of claim 1, further comprising:
if receiving the message returned by the firewall equipment that the VLAN IDs in the binding relationship are all used, judging whether an unbound effective IP address exists or not and whether an unbound VLAN ID exists in the VLAN range or not;
if an effective IP address which is not bound exists and VLAN IDs in the VLAN range are bound, sending prompt information for increasing the VLAN range to the user host;
if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host;
and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
4. A method for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and is characterized by comprising the following steps:
receiving a command for creating a virtual firewall and a VLAN ID which are sent by an OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the OpenStack server configures an IP address range and a VLAN range in advance, and a VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
creating a virtual firewall based on the command, selecting any unused VLAN ID from VLAN IDs in the binding relationship sent by an OpenStack server as a target VLAN ID, and sending the target VLAN ID to the OpenStack server so that the OpenStack server can obtain a target IP address bound with the target VLAN ID from the binding relationship;
and receiving the target IP address sent by the OpenStack server, and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID become the IP address and the VLAN ID of the uplink interface respectively.
5. The method of claim 4, further comprising:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
6. An apparatus for configuring an uplink interface of a device based on OpenStack is applied to an OpenStack server, and is characterized in that the OpenStack server configures an IP address range and a VLAN range in advance, and includes:
the first sending unit is used for sending a command for creating the virtual firewall to the firewall equipment and sending the VLAN ID in the pre-established binding relationship to the firewall equipment when receiving a request for creating the virtual firewall sent by the user host, so that the firewall equipment creates the virtual firewall and obtains a target VLAN ID from the VLAN ID; wherein the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the VLAN range; the effective IP address is calculated from the IP address range based on a preset effective IP calculation algorithm; the target VLAN ID is any unused VLAN ID in the VLAN IDs in the binding relationship;
the obtaining unit is used for receiving the target VLAN ID returned by the firewall equipment and obtaining a target IP address bound with the target VLAN ID according to the binding relationship;
and the second sending unit is used for sending the target IP address to the firewall equipment so as to enable the firewall equipment to configure an uplink interface of the virtual firewall, and enable the target IP address and the target VLAN ID to become the IP address and the VLAN ID of the uplink interface respectively.
7. The apparatus of claim 6, further comprising:
the sorting unit is used for sorting the effective IP addresses based on a preset IP address sorting mechanism and sorting the VLAN IDs in the VLAN range based on a preset VLAN sorting mechanism;
and the establishing unit is used for establishing the binding relationship between the effective IP address and the VLAN ID with the same serial number.
8. The apparatus of claim 6, further comprising:
a judging unit, configured to judge whether an unbound effective IP address exists and whether an unbound VLAN ID exists in the VLAN range if receiving a message that all VLAN IDs in the binding relationship returned by the firewall device are used;
a prompt message sending unit, configured to send a prompt message for increasing the VLAN range to the user host if there is an unbound valid IP address and VLAN IDs in the VLAN range are bound; if the effective IP addresses are all bound and the VLAN ID which is not bound exists in the VLAN range, sending prompt information for increasing the IP address range to the user host; and if the effective IP addresses are all bound and the VLAN IDs in the VLAN range are all bound, sending prompt information for increasing the IP address range and the VLAN range to the user host.
9. A device for configuring an uplink interface of equipment based on OpenStack is applied to firewall equipment and is characterized by comprising the following components:
the receiving unit is used for receiving a command for creating the virtual firewall and a VLAN ID which are sent by the OpenStack server when receiving a request for creating the virtual firewall sent by a user host; the OpenStack server configures an IP address range and a VLAN range in advance, and a VLAN ID sent by the OpenStack server is a VLAN ID in a binding relationship established in advance by the OpenStack server; the binding relationship is the binding relationship between the effective IP address and the VLAN ID in the preset VLAN range; the effective IP address is obtained by calculating the OpenStack server from the IP address range based on a preset effective IP calculation algorithm;
a creating unit configured to create a virtual firewall based on the command;
a selecting unit, configured to select any unused VLAN ID from the VLAN IDs in the binding relationship sent by the OpenStack server as a target VLAN ID;
a sending unit, configured to send the target VLAN ID to the OpenStack server, so that the OpenStack server obtains a target IP address bound to the target VLAN ID from the binding relationship;
and the configuration unit is used for receiving the target IP address sent by the OpenStack server and configuring an uplink interface of the virtual firewall, so that the target IP address and the target VLAN ID are respectively used as the IP address and the VLAN ID of the uplink interface.
10. The apparatus of claim 9, comprising:
the sending unit is further configured to:
and if the VLAN IDs in the binding relationship are all used, sending information that the VLAN IDs are all used to the OpenStack server.
CN201710740862.1A 2017-08-25 2017-08-25 Method and device for configuring uplink interface of equipment based on OpenStack Active CN107517129B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710740862.1A CN107517129B (en) 2017-08-25 2017-08-25 Method and device for configuring uplink interface of equipment based on OpenStack

Publications (2)

Publication Number Publication Date
CN107517129A CN107517129A (en) 2017-12-26
CN107517129B true CN107517129B (en) 2020-04-03

Family

ID=60724031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710740862.1A Active CN107517129B (en) 2017-08-25 2017-08-25 Method and device for configuring uplink interface of equipment based on OpenStack

Country Status (1)

Country Link
CN (1) CN107517129B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant