CN108696370B - Method, device and system for binding and unbinding server and service - Google Patents


Info

Publication number
CN108696370B
Authority
CN
China
Prior art keywords
server
service
address information
overlay network
authentication
Prior art date
Legal status
Active
Application number
CN201710220693.9A
Other languages
Chinese (zh)
Other versions
CN108696370A
Inventor
保晶
蒋宝成
张震
孙小军
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Gansu Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Gansu Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting

Abstract

The invention discloses a method, device and system for binding and unbinding a server and a service. The method comprises the following steps: receiving an online message sent by a server that has come online and sending the online message to an authentication server through an overlay network, where the online message carries identification information of the server; receiving first address information sent by the authentication server through the overlay network, where the authentication server looks up the first address information corresponding to the identification information of the server in locally stored configuration information and sends it; and sending the first address information to the server so that the server configures its local address using the first address information. The binding of the server to the service is thereby completed: when the server is moved, it automatically obtains the service address, and the binding can be completed without manually configuring the access device and the server address, which makes the binding process convenient and the placement of equipment in the machine room more flexible.

Description

Method, device and system for binding and unbinding server and service
Technical Field
The invention relates to the technical field of overlay networks and network services, in particular to a method, a device and a system for binding and unbinding a server and a service.
Background
At present, a data center network is generally built as a fixed, inflexible network that is closely coupled with physical location. According to the network structure and the services, network administrators divide the network into a number of L3 network segments, each of which corresponds to one service. This model partitions services according to the network architecture, and the location of a server is strongly tied to its service.
However, as data centers develop, the expansion and relocation of a computer room (relocation across rooms or within one), damage to network devices, and similar situations all raise the problem of re-binding servers to services. In the prior art, the Internet Protocol (IP) address of a service provided by a server is fixed, and re-binding the server to the service requires manual configuration of both the server and the access device: the IP address of the service is configured on the server, and the port of the access device connected to the server is configured on that device according to the physical address of the server. Each access device must be configured individually, so when the machine room is large the configuration process becomes more complicated and the likelihood of configuration errors increases. The existing way of binding a server to a service through configuration is therefore inconvenient when machine room equipment is relocated on a large scale, and has low efficiency and poor accuracy.
Disclosure of Invention
The invention provides a method, device and system for binding and unbinding a server and a service, which solve the problems of inconvenient use, low efficiency and poor accuracy in binding a server to a service in the prior art.
In order to solve the above problem, according to an aspect of an embodiment of the present invention, there is provided a server and service binding method, where the method includes:
the method comprises the steps that an access device receives an online message sent by an online server and sends the online message to an authentication server through an overlay network, wherein the online message carries identification information of the server;
receiving first address information of a service to be bound, which is sent by the authentication server through an overlay network, wherein the authentication server searches and sends the first address information corresponding to the identification information of the server according to locally stored configuration information;
and sending the first address information to the server so that the server configures a local address by adopting the first address information.
Further, the sending the online message to an authentication server through an overlay network includes:
the access equipment searches an authentication channel in an overlay network mapped by a port receiving the online message according to a mapping relation table stored locally and the port receiving the online message;
sending the online message to an authentication server through the searched authentication channel;
the receiving of the first address information of the service to be bound, which is sent by the authentication server through the overlay network, includes:
receiving first address information of a service to be bound, which is sent by the authentication server through a service channel in an overlay network, wherein the authentication server searches the service channel corresponding to the identification information of the server according to locally stored configuration information, and sends the first address information through the service channel.
Further, after receiving the first address information of the service to be bound, which is sent by the authentication server through the service channel in the overlay network, the method further includes:
and the access equipment updates the mapping relation between the port for receiving the online message and the service channel in a mapping relation table stored locally.
According to another aspect of the present invention, there is provided a server and service unbinding method based on the above server and service binding method, where the method includes:
the access equipment receives an offline message sent by a server and sends the offline message to an authentication server through an overlay network, wherein the offline message carries identification information of the server;
receiving second address information of the unbinding service sent by the authentication server through an overlay network, wherein the authentication server searches and sends the second address information corresponding to the identification information of the server according to locally stored configuration information;
and sending the second address information to the server so that the server adopts the second address information to configure a local address.
Further, the sending the offline message to an authentication server through an overlay network includes:
the access equipment searches a service channel in an overlay network mapped by the port receiving the offline message according to a mapping relation table stored locally and the port receiving the offline message;
sending the offline message to an authentication server through the searched service channel;
the receiving second address information of the unbinding service sent by the authentication server through the overlay network includes:
and receiving second address information of the unbinding service sent by the authentication server through an authentication channel in the overlay network, wherein the authentication server searches the authentication channel corresponding to the identification information of the server according to locally stored configuration information, and sends the second address information through the authentication channel.
Further, after receiving the second address information of the unbinding service sent by the authentication server through an authentication channel in the overlay network, the method further includes:
and the access equipment updates the mapping relation between the port for receiving the offline message and the authentication channel in a mapping relation table stored locally.
According to another aspect of the present invention, there is provided a server and service binding method, the method including:
the authentication server receives an online message sent by access equipment through an overlay network, wherein the online message is forwarded after the access equipment receives the online message sent by the online server, and the online message carries identification information of the server;
searching first address information of a service to be bound corresponding to the identification information of the server according to locally stored configuration information;
and sending the searched first address information to access equipment through an overlay network, so that the access equipment sends the first address information to the server, and the server adopts the first address information to configure a local address.
Further, the receiving, by the authentication server, the online message sent by the access device through the overlay network includes:
the authentication server receives an online message sent by the access equipment through an authentication channel in an overlay network, wherein the online message is sent by the access equipment through the authentication channel by searching the authentication channel in the overlay network mapped by the port which receives the online message according to a mapping relation table stored locally and the port which receives the online message;
the sending the found first address information to the access device through the overlay network includes:
the authentication server searches a service channel corresponding to the identification information of the server according to the configuration information stored locally;
and sending the searched first address information to access equipment through the searched service channel.
Further, after sending the found first address information to the access device through the found service channel, the method further includes:
the method comprises the steps that an authentication server receives a service access request of a user, wherein the service access request carries first address information of a server corresponding to a service to be accessed;
according to the locally stored security policy, determining a security policy adopted for the service access request of the service to be accessed and security equipment for executing the corresponding security policy, and correspondingly packaging the service access request;
and sending the encapsulated service access request to a security device executing a corresponding security policy, and forwarding the service access request to a server of the first address information by the security device.
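The three steps above (policy selection, encapsulation, forwarding through a security device to the bound server) can be exercised end to end with the following added example. It is not code from the patent: the policy table, the two security devices and their rules, the encapsulation header fields, and the bound-server handlers are all constructed here, and the encapsulation is a plain Python object standing in for whatever packaging format the authentication server actually uses. A request for a service address that has no locally stored policy is not forwarded at all, which is an assumed default rather than something the page states.

```python
"""Policy-based dispatch of a service access request (added example, not the patent's code)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    service_address: str   # first address information of the server bound to the service
    payload: str


@dataclass
class EncapsulatedRequest:
    policy: str            # name of the security policy chosen by the authentication server
    path: tuple            # ordered names of the security devices that execute the policy
    inner: AccessRequest   # the original service access request


# Constructed security devices: each applies one check on the inner request
def firewall_rule(req):
    """Hypothetical firewall: only users on an allow list may reach the service."""
    return req.user in {"alice", "bob"}


def waf_rule(req):
    """Hypothetical WAF: reject payloads carrying an inline script tag."""
    return "<script" not in req.payload.lower()


SECURITY_DEVICES = {
    "fw-1": firewall_rule,
    "waf-1": waf_rule,
}

# Constructed locally stored security policy: service address -> (policy name, device chain)
SECURITY_POLICIES = {
    "10.1.1.10": ("web-policy", ("fw-1", "waf-1")),
    "10.1.1.20": ("db-policy", ("fw-1",)),
}

# Constructed bound servers: service address -> handler producing a response
BOUND_SERVERS = {
    "10.1.1.10": lambda req: f"web ok for {req.user}",
    "10.1.1.20": lambda req: f"db ok for {req.user}",
}


def encapsulate(request, policies):
    """Authentication-server step: choose the policy and executing devices for the service."""
    entry = policies.get(request.service_address)
    if entry is None:
        return None  # assumed default: no policy configured, so nothing is forwarded
    policy_name, chain = entry
    return EncapsulatedRequest(policy_name, chain, request)


def forward(packet, devices, servers):
    """Security-device path: every device runs its check; the last hop reaches the server."""
    for name in packet.path:
        if not devices[name](packet.inner):
            return ("denied", name)
    handler = servers.get(packet.inner.service_address)
    if handler is None:
        return ("unreachable", packet.inner.service_address)
    return ("delivered", handler(packet.inner))


def access_service(request, policies=SECURITY_POLICIES,
                   devices=SECURITY_DEVICES, servers=BOUND_SERVERS):
    """Full path of one user request from the authentication server to the bound server."""
    packet = encapsulate(request, policies)
    if packet is None:
        return ("no-policy", request.service_address)
    return forward(packet, devices, servers)


if __name__ == "__main__":
    print(access_service(AccessRequest("alice", "10.1.1.10", "GET /")))
    print(access_service(AccessRequest("mallory", "10.1.1.10", "GET /")))
    print(access_service(AccessRequest("bob", "10.1.1.10", "<SCRIPT>alert(1)</SCRIPT>")))
    print(access_service(AccessRequest("alice", "10.9.9.9", "GET /")))
```

The device chain is evaluated in the order the policy lists it, so a request denied by the firewall never reaches the WAF, and the caller learns which device in the chain stopped it.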
According to another aspect of the present invention, there is provided a server and service unbinding method based on the above server and service binding method, where the method includes:
the authentication server receives an offline message sent by the access equipment through an overlay network, wherein the offline message is forwarded after the access equipment receives the offline message sent by the server, and the offline message carries identification information of the server;
searching second address information of the unbinding service corresponding to the identification information of the server according to the locally stored configuration information;
and sending the searched second address information to access equipment through an overlay network, so that the access equipment sends the second address information to the server, and the server adopts the second address information to configure a local address.
Further, the receiving, by the authentication server, the offline message sent by the access device through the overlay network includes:
the authentication server receives an offline message sent by the access device through a service channel in an overlay network, wherein the offline message is sent by the access device through the service channel by searching the service channel in the overlay network mapped by the port receiving the offline message according to a mapping relation table stored locally and the port receiving the offline message by the access device;
the sending the found second address information to the access device through the overlay network includes:
the authentication server searches an authentication channel corresponding to the identification information of the server according to the configuration information stored locally;
and sending the searched second address information to access equipment through the searched authentication channel.
According to yet another aspect of the present invention, there is provided a server and service binding system, the system including:
the server is used for sending an online message to the access equipment, wherein the online message carries the identification information of the server;
the access equipment is used for receiving an online message sent by the online server and sending the online message to the authentication server through an overlay network;
the authentication server is used for receiving the online message sent by the access equipment through the overlay network; searching first address information of a service to be bound corresponding to the identification information of the server according to locally stored configuration information; sending the searched first address information to the access equipment through an overlay network;
the access device is further configured to receive the first address information sent by the authentication server through an overlay network, and send the first address information to the server;
the server is further configured to configure a local address by using the first address information.
According to another aspect of the present invention, there is provided a server and service unbinding system, including:
the server is used for sending an offline message to the access equipment, wherein the offline message carries the identification information of the server;
the access equipment is used for receiving the offline message sent by the server and sending the offline message to the authentication server through the overlay network;
the authentication server is used for receiving the offline message sent by the access equipment through the overlay network; searching second address information of the unbinding service corresponding to the identification information of the server according to the locally stored configuration information; sending the determined second address information to the access equipment through an overlay network;
the access device is further configured to receive the second address information sent by the authentication server through an overlay network, and send the second address information to the server;
the server is further configured to configure a local address by using the second address information.
According to another aspect of the present invention, there is provided a server and service binding apparatus, the apparatus including:
the system comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is used for receiving an online message sent by an online server and sending the online message to an authentication server through an overlay network, and the online message carries identification information of the server;
the second processing module is used for receiving first address information of the service to be bound, which is sent by the authentication server through an overlay network, wherein the authentication server searches and sends the first address information corresponding to the identification information of the server according to locally stored configuration information;
and the sending module is used for sending the first address information to the server so that the server adopts the first address information to configure a local address.
Further, the first processing module comprises:
the determining unit is used for searching an authentication channel in an overlay network mapped by a port which receives the online message according to a locally stored mapping relation table and the port which receives the online message;
a sending unit, configured to send the online message to an authentication server through the found authentication channel;
the second processing module is specifically configured to receive first address information of a service to be bound, which is sent by the authentication server through a service channel in an overlay network, where the authentication server searches for a service channel corresponding to the identifier information of the server according to locally stored configuration information, and sends the first address information through the service channel.
Further, the apparatus further comprises:
and the storage module is used for updating the mapping relation between the port for receiving the online message and the service channel in a locally stored mapping relation table.
According to another aspect of the present invention, there is provided a server and service unbinding device based on the above server and service binding device, the device including:
the first processing module is used for receiving an offline message sent by a server and sending the offline message to an authentication server through an overlay network, wherein the offline message carries identification information of the server;
the second processing module is used for receiving second address information of the unbinding service sent by the authentication server through the overlay network, wherein the authentication server searches and sends the second address information corresponding to the identification information of the server according to locally stored configuration information;
and the sending module is used for sending the second address information to the server so that the server adopts the second address information to configure a local address.
Further, the first processing module is specifically configured to search, according to a mapping relationship table stored locally and a port that receives the offline message, a service channel in an overlay network mapped by the port that receives the offline message; sending the offline message to an authentication server through the searched service channel;
the second processing module is specifically configured to receive second address information of the unbinding service, which is sent by the authentication server through an authentication channel in the overlay network, where the authentication server searches for an authentication channel corresponding to the identifier information of the server according to locally stored configuration information, and sends the second address information through the authentication channel.
Further, the apparatus further comprises:
and the storage module is used for updating the mapping relation between the port for receiving the offline message and the authentication channel in a mapping relation table stored locally.
According to another aspect of the present invention, there is provided a server and service binding apparatus, the apparatus including:
a receiving module, configured to receive, through an overlay network, an online message sent by an access device, where the online message is forwarded after the access device receives an online message sent by an online server, and the online message carries identification information of the server;
the acquisition module is used for searching first address information of the service to be bound corresponding to the identification information of the server according to the locally stored configuration information;
and the issuing module is used for sending the searched first address information to access equipment through an overlay network so that the access equipment sends the first address information to the server and the server adopts the first address information to configure a local address.
Further, the receiving module is specifically configured to receive an online message sent by the access device through an authentication channel in an overlay network, where the online message is sent by the access device through the authentication channel by searching for the authentication channel in the overlay network mapped by the port that receives the online message according to a locally stored mapping relationship table and the port that receives the online message;
the issuing module is specifically configured to search a service channel corresponding to the identification information of the server according to locally stored configuration information; and sending the searched first address information to access equipment through the searched service channel.
Further, the apparatus further comprises:
the first service access module is used for receiving a service access request of a user, wherein the service access request carries first address information of a server corresponding to a service to be accessed;
the second service access module is used for determining a security policy adopted by the service access request of the service to be accessed and security equipment for executing the corresponding security policy according to the locally stored security policy, and correspondingly packaging the service access request;
and the third service access module is used for sending the encapsulated service access request to a security device executing a corresponding security policy, and forwarding the service access request to the server of the first address information by the security device.
According to another aspect of the present invention, there is provided a server and service unbinding device based on the above server and service binding device, the device including:
a receiving module, configured to receive, through an overlay network, an offline message sent by an access device, where the offline message is forwarded after the access device receives the offline message sent by a server, and the offline message carries identification information of the server;
the acquisition module is used for searching second address information of the unbinding service corresponding to the identification information of the server according to the locally stored configuration information;
and the issuing module is used for sending the searched second address information to access equipment through an overlay network so that the access equipment sends the second address information to the server and the server adopts the second address information to configure a local address.
Further, the receiving module is specifically configured to receive, through a service channel in an overlay network, an offline message sent by the access device, where the access device searches, according to a locally stored mapping relationship table and the port that receives the offline message, for the service channel in the overlay network mapped by that port, and sends the offline message through that service channel;
the issuing module is specifically used for searching an authentication channel corresponding to the identification information of the server according to the configuration information stored locally; and sending the searched second address information to access equipment through the searched authentication channel.
The invention has the following beneficial effects:
Embodiments of the invention provide a method, device and system for binding and unbinding a server and a service. In the binding method, an access device receives an online message sent by an online server and sends the online message to an authentication server through an overlay network, where the online message carries identification information of the server; receives first address information of a service to be bound, sent by the authentication server through the overlay network, where the first address information is the address information corresponding to the identification information of the server in the configuration information stored locally by the authentication server; and sends the first address information to the server so that the server configures its local address using the first address information, thereby completing the binding of the server to the service. In the embodiments of the invention, the access device forwards the online message to the authentication server after receiving it, and since the first address information of the service to be bound to the server is stored in the configuration information of the authentication server, that information can be forwarded to the server through the access device, the server can configure its own address, and automatic binding between the server and the service is achieved.
Drawings
Fig. 1A is a schematic diagram of a server and service binding process according to an embodiment of the present invention;
Fig. 1B is a diagram of a system architecture according to an embodiment of the present invention;
Fig. 2A is a schematic diagram of a process of issuing a mapping relation table by an authentication server according to an embodiment of the present invention;
Fig. 2B is a schematic diagram of a server and service binding process according to embodiment 2 of the present invention;
Fig. 2C is a schematic structural diagram of a system for binding a server and a service according to embodiment 2 of the present invention;
Fig. 3 is a schematic diagram of a process of unbinding a server and a service according to embodiment 3 of the present invention;
Fig. 4 is a schematic diagram of a process of unbinding a server and a service according to embodiment 4 of the present invention;
Fig. 5 is a schematic diagram of a server and service binding process provided in embodiment 5 of the present invention;
Fig. 6 is a schematic diagram of a server and service binding process according to embodiment 6 of the present invention;
Fig. 7A is a schematic diagram of an NSH encapsulation mode structure according to an embodiment of the present invention;
Fig. 7B is a schematic flowchart of a user accessing a service after a server is bound to the service according to embodiment 7 of the present invention;
Fig. 8 is a schematic diagram of a process of unbinding a server and a service according to embodiment 8 of the present invention;
Fig. 9 is a schematic structural diagram of a server and service binding apparatus according to embodiment 12 of the present invention;
Fig. 10 is a schematic structural diagram of a server and service unbinding device according to embodiment 13 of the present invention;
Fig. 11 is a schematic structural diagram of a server and service binding apparatus according to embodiment 14 of the present invention;
Fig. 12 is a schematic structural diagram of a server and service unbinding device according to embodiment 15 of the present invention.
Detailed Description
The following describes specific embodiments of a method, an apparatus, and a system for binding and unbinding a server and a service according to embodiments of the present invention with reference to the accompanying drawings.
Embodiment 1:
Fig. 1A is a schematic diagram of a process of binding a server and a service provided in an embodiment of the present invention, where the process includes the following steps:
S11: the access device receives an online message sent by an online server and sends the online message to an authentication server through an overlay network, where the online message carries identification information of the server.
The server and service binding method provided by the embodiment of the invention is applied to an access device; preferably, the access device is a switch supporting the Virtual Extensible Local Area Network (VxLAN) protocol and/or the OpenFlow protocol. The access device serves a machine room in the communications field, and the servers connected to the access device provide services to users.
The embodiment of the invention uses a Software Defined Network (SDN) and an overlay network as the underlying networks, and information can be exchanged between the ordinary network and the overlay network.
Fig. 1B is a system architecture diagram provided in the embodiment of the present invention, where an access device acts as a Layer 2 gateway of the overlay network on its access side and may be an SDN device; the SDN device encapsulates data entering the overlay network, specifically the online message. The SDN device may merge multiple VLANs into one overlay network or divide multiple VLANs among different overlay networks. As shown in Fig. 1B, the access side includes a plurality of access devices, namely access device 1, access device 2, access device 3 and access device 4, and each access device is connected to a corresponding server.
The authentication server is connected to the core side of the overlay network, which is also the gateway of the whole network and may use SDN devices; the core side includes at least one core device, such as core device 1 and core device 2 shown in Fig. 1B. The convergence side of the overlay network uses traditional network equipment to create data transmission channels in the overlay network, and includes a plurality of convergence devices, such as convergence device 1 and convergence device 2 shown in Fig. 1B.
The mainstream protocols for constructing the overlay network can include VxLAN, NVGRE and SIT, and the VxLAN protocol is adopted in the embodiment of the invention.
The identification information of the server may be information that uniquely identifies the server, and may be, for example, information such as a physical address of the server or a device number of the server.
The process of sending a message to an authentication server by an access device through an overlay network belongs to the prior art, and is not described in detail in the embodiment of the present invention.
S12: receive the first address information of the service to be bound, sent by the authentication server through the overlay network; the authentication server looks up the first address information corresponding to the identification information of the server in its locally stored configuration information and sends it.
The authentication server stores configuration information locally, looks up in it the first address information corresponding to the identification information of the server, and sends the found first address information to the access device. The first address information is the address information of the service to be bound. The configuration information records, for each server identification, the first address information of the service to be bound to that server; the identification information may be the MAC address of the server. The configuration information can be preset by operation and maintenance staff and stored on the authentication server in advance.
S13: send the first address information to the server so that the server configures its local address with the first address information.
The access device sends the first address information of the service to be bound to the server, and the server sets its own address to the first address information, which completes the binding of the service to the server. Once bound, the server provides the bound service to users.
In summary, the access device receives an online message from a server that has come online and forwards it to the authentication server through the overlay network, the online message carrying the server's identification information; it then receives, through the overlay network, the first address information of the service to be bound, which the authentication server found in its local configuration information under that identification; and it passes the first address information to the server, which configures its local address with it, so completing the binding of server and service. Because the first address information of the service to be bound to each server is held in the authentication server's configuration information and is forwarded to the server by the access device, the server can configure its own address and the binding between server and service is carried out automatically.
Example 2:
On the basis of the above embodiment, in this embodiment sending the online message to the authentication server through the overlay network comprises:
the access device looking up, in its locally stored mapping relation table, the authentication channel in the overlay network mapped by the port on which the online message was received;
sending the online message to the authentication server through that authentication channel;
and receiving the first address information of the service to be bound, sent by the authentication server through the overlay network, comprises:
receiving the first address information of the service to be bound, sent by the authentication server through a service channel in the overlay network; the authentication server looks up the service channel corresponding to the identification information of the server in its locally stored configuration information and sends the first address information through that service channel.
In this embodiment, at initial configuration the authentication server holds a mapping relation table for each access device. It communicates with the underlying network devices by issuing OpenFlow flow tables, or through the SNMP or NETCONF network management protocols, and thereby delivers each access device's mapping relation table to that device. The authentication server may send the tables to the access devices directly, or send them to a controller that in turn delivers them; both the controller and the authentication server are connected to the core side of the overlay network.
Because no access device has a server attached at initial configuration, every port of every access device maps to the authentication channel in the mapping relation table, that is, to the VxLAN1 channel. Fig. 2A illustrates the issuing of the mapping relation table by the authentication server: the table is issued to each access device through the corresponding convergence device and port (in fig. 2A, for example, to access device 2 through port 8 of the convergence device), and in the issued table every port of every access device maps to the VxLAN1 authentication channel.
It should be noted that the mapping relation table stored locally on an access device records, for each port of the access device, the channel in the overlay network it maps to; a port to which no server is connected, that is, an empty port, maps to the authentication channel in the overlay network, which may be, for example, the VxLAN1 channel.
Preferably, the overlay network has a plurality of service channels and a single authentication channel. A port of the access device with no server attached is called an empty port, and every empty port in the mapping relation table is mapped to the authentication channel. When a server is attached to an empty port, the access device sends the online message to the authentication server through the authentication channel according to the mapping relation table.
The authentication server stores configuration information locally; it records the identification information of each server, the first address information of the service to be bound to it, and the service channel in the overlay network corresponding to that identification. For example, the configuration information holds entries such as:
Server name | MAC address | Belonging VLAN | Belonging VXLAN | Address
Server A    | mac xaxxxx  | VLAN10         | VxLAN10         | 10.1.1.2
……          | ……          | ……             | ……              | ……
The MAC address is the physical address of the server, i.e. its identification information; the belonging VLAN identifies the virtual local area network, i.e. the service to be bound as identified on the conventional network; the belonging VXLAN is the service channel in the overlay network corresponding to the server's identification; and the address is the first address information of the service to be bound.
For example, after the authentication server receives an online message forwarded by the access device, if the physical address of the server carried in it is mac xaxxxx, the first address information 10.1.1.2 of the service to be bound is sent to the access device through the VxLAN10 service channel in the overlay network.
To isolate the service channels in the overlay network from one another, the service channels (the VxLANn channels) cannot reach each other by default, and this default non-interworking provides the isolation between services. For example, the VxLAN10 channel corresponds to service A and the VxLAN20 channel to service B; by default VxLAN10 and VxLAN20 are isolated and do not communicate, so services A and B do not interfere with each other. Whether particular VxLAN channels may reach each other can nevertheless be redefined, for example as in the following table, in which the VxLAN1 authentication channel stays isolated from every service channel while VxLAN10 and VxLAN20 are allowed to interwork:
Overlay network | VxLAN1           | VxLAN10          | VxLAN20
VxLAN1          | interworking     | not interworking | not interworking
VxLAN10         | not interworking | interworking     | interworking
VxLAN20         | not interworking | interworking     | interworking
To facilitate subsequent information exchange between the server and the authentication server, in this embodiment, after the access device receives the first address information of the service to be bound, sent by the authentication server through a service channel in the overlay network, the method further comprises:
the access device updating, in its locally stored mapping relation table, the mapping of the port on which the online message was received to that service channel.
It should be noted that, in order to deliver the first address information sent by the authentication server to the newly online server according to the locally stored mapping relation table, and to keep the traffic between that server and the authentication server from interfering with other access devices, the access device also records in its mapping relation table the mapping between the port connected to the server and the service channel, which ensures that the channel mapped by that port is now the service channel. Taking the table above as an example, the mapping between the port connected to the server and the VxLAN10 service channel is recorded in the access device's mapping relation table.
Fig. 2B is a schematic diagram of the binding process between a server and a service in this embodiment, and fig. 2C shows the corresponding system structure. The binding process comprises the following steps:
S21: the server is connected to the access device and sends an online message carrying its identification information.
For example, server A is connected to port 2 of the access device, and the identification information of server A is its physical address.
S22: the access device receives the online message, looks up in its locally stored mapping relation table the authentication channel in the overlay network mapped by the port connected to the server, and sends the online message to the authentication server through that authentication channel.
How the online message is transmitted over the authentication channel of the overlay network is prior art and is not repeated here.
For example, the mapping relation table records a mapping between port 2 and the authentication channel VxLAN1 in the overlay network.
S23: the authentication server, using the identification information carried in the received online message, looks up in its locally stored configuration information the first address information of the service to be bound and the service channel in the overlay network corresponding to that identification, and sends the found first address information to the access device through that service channel.
For example, the configuration information in the authentication server is the "service relationship correspondence table" shown in fig. 2C; the service channel corresponding to the identification of server A is the VxLAN10 channel and the first address information is 10.1.1.2.
S24: the access device receives the first address information of the service to be bound, sent by the authentication server through the service channel in the overlay network.
For example, the access device receives the first address information from the VxLAN10 tunnel.
S25: the server receives the first address information and configures its own address to be the first address information.
S26: the access device changes the mapping of the port connected to the server in its locally stored mapping relation table to a mapping between that port and the service channel on which the first address information was transmitted.
For example, the access device now modifies the mapping of port 2 in the mapping relation table so that port 2 maps to the VxLAN10 service channel.
Example 3:
On the basis of the foregoing embodiments, and in order to unbind a server from a service automatically, this embodiment provides the server and service unbinding process shown in fig. 3, comprising the following steps:
S31: the access device receives an offline message sent by a server and forwards it to the authentication server through the overlay network; the offline message carries the identification information of the server.
The server and service unbinding method provided by this embodiment is applied to an access device, which is preferably a switch supporting the Virtual Extensible Local Area Network (VxLAN) protocol and/or the OpenFlow protocol.
The access device serves an equipment room of a telecommunications operator, and the servers connected to it provide services to users.
The identification information of the server is information that uniquely identifies the server, for example its physical address or its device number.
The process by which the access device sends a message to the authentication server through the overlay network is prior art and is not described in detail here.
S32: receive the second address information of the unbinding service, sent by the authentication server through the overlay network; the authentication server looks up the second address information corresponding to the identification information of the server in its locally stored configuration information and sends it.
The authentication server stores configuration information locally, looks up in it the second address information corresponding to the server's identification information, and sends the found second address information to the access device; the second address information is the address information of the unbinding service. The configuration information records, for each server identification, the corresponding second address information; the identification information may be the MAC address of the server. The configuration information can be preset by operation and maintenance staff and stored on the authentication server in advance.
S33: send the second address information to the server so that the server configures its local address with the second address information.
The access device sends the second address information of the unbinding service to the server, and the server sets its own address to the second address information, which releases the binding between the service and the server. The second address information may be a fixed address or a meaningless address; in either case the server no longer holds the address of the service.
Example 4:
On the basis of the above embodiments, in this embodiment sending the offline message to the authentication server through the overlay network comprises:
the access device looking up, in its locally stored mapping relation table, the service channel in the overlay network mapped by the port on which the offline message was received;
sending the offline message to the authentication server through that service channel;
and receiving the second address information of the unbinding service, sent by the authentication server through the overlay network, comprises:
receiving the second address information of the unbinding service, sent by the authentication server through the authentication channel in the overlay network; the authentication server looks up the authentication channel corresponding to the identification information of the server in its locally stored configuration information and sends the second address information through that authentication channel.
After the server has come online, the access device holds the mapping between the port connected to the server and the service channel. When it receives information from that server which must be sent to the authentication server over the corresponding service channel, it looks up the port in the mapping relation table, determines the service channel mapped by that port, and sends the information to the authentication server through that service channel.
To facilitate subsequent information exchange between the server and the authentication server, in this embodiment, after the second address information of the unbinding service is received from the authentication server through the authentication channel in the overlay network, the method further comprises:
the access device updating, in its locally stored mapping relation table, the mapping of the port on which the offline message was received to the authentication channel.
While the server is online, the access device holds the mapping between the port connected to the server and the service channel. After the server goes offline and the access device has sent the second address information to it, the access device changes the mapping of that port from the service channel to the authentication channel in the overlay network, so that the port is ready to bind another server.
Fig. 4 is a schematic diagram of the process of unbinding a server from a service in this embodiment, comprising the following steps:
S41: the server connected to the access device sends an offline message carrying its identification information.
For example, the identification information of the server is its physical address.
S42: the access device looks up, in its locally stored mapping relation table, the service channel in the overlay network mapped by the port on which the offline message was received, and sends the offline message to the authentication server through that service channel.
How the offline message is transmitted over the service channel of the overlay network is prior art and is not repeated here.
S43: the authentication server, using the identification information carried in the received offline message, looks up in its locally stored configuration information the second address information of the unbinding service and the authentication channel in the overlay network corresponding to that identification, and sends the found second address information to the access device through that authentication channel.
S44: the access device receives the second address information of the unbinding service, sent by the authentication server through the authentication channel in the overlay network.
For example, the access device receives the second address information from the VxLAN1 authentication channel.
S45: the server receives the second address information and configures its own address to be the second address information.
S46: the access device changes the mapping of the port connected to the server in its locally stored mapping relation table to a mapping between that port and the authentication channel on which the second address information was transmitted.
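The following Python simulation is an added example and not code from the patent or its applicant. It models the exchanges of embodiments 1 to 4 on one access device and the authentication server: the port-to-channel mapping relation table that starts with every port on VxLAN1, the configuration table keyed by MAC address, the binding steps S21 to S26 and the unbinding steps S41 to S46. The port numbers, the constructed MAC addresses, the value 0.0.0.0 used as the "meaningless" second address, and the two acceptance rules (an online message is only honoured when it arrives on the VxLAN1 authentication channel, an offline message only when it arrives on the service channel the MAC is bound to) are assumptions made for the example; the patent leaves them unspecified.

```python
"""Simulation of the bind/unbind exchange between an access device and the
authentication server. Added example; not code from the patent."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AUTH_VNI = 1              # VxLAN1: the single authentication channel of the overlay
UNBOUND_ADDR = "0.0.0.0"  # assumed "meaningless" second address; the patent leaves it open


@dataclass(frozen=True)
class ConfigEntry:
    """One row of the authentication server's configuration table."""
    server_name: str
    vlan: int          # VLAN of the service on the conventional network side
    service_vni: int   # service channel (VxLAN VNI) in the overlay network
    address: str       # first address information of the service


class AuthenticationServer:
    def __init__(self, config: Dict[str, ConfigEntry]):
        # keyed by server MAC address, the server's identification information
        self.config = {mac.lower(): entry for mac, entry in config.items()}

    def handle_online(self, mac: str, ingress_vni: int) -> Optional[Tuple[int, str]]:
        """S23: look up service channel and first address for this MAC.
        Assumption: an online message not arriving on VxLAN1 is ignored."""
        if ingress_vni != AUTH_VNI:
            return None
        entry = self.config.get(mac.lower())
        if entry is None:
            return None  # unknown server: no binding is issued
        return entry.service_vni, entry.address

    def handle_offline(self, mac: str, ingress_vni: int) -> Optional[Tuple[int, str]]:
        """S43: answer over the authentication channel with the second address.
        Assumption: the offline message must arrive on the channel the MAC is bound to."""
        entry = self.config.get(mac.lower())
        if entry is None or ingress_vni != entry.service_vni:
            return None
        return AUTH_VNI, UNBOUND_ADDR


class AccessDevice:
    def __init__(self, ports: range, auth: AuthenticationServer):
        self.auth = auth
        # mapping relation table as issued at configuration time: every port is an
        # empty port and therefore maps to the authentication channel
        self.mapping: Dict[int, int] = {port: AUTH_VNI for port in ports}
        self.server_addr: Dict[int, str] = {}  # address each attached server configured

    def server_online(self, port: int, mac: str) -> bool:
        """S22 to S26: forward the online message on the channel mapped by the port,
        hand the first address to the server, then remap the port to the service channel."""
        reply = self.auth.handle_online(mac, self.mapping[port])
        if reply is None:
            return False
        service_vni, address = reply
        self.server_addr[port] = address
        self.mapping[port] = service_vni
        return True

    def server_offline(self, port: int, mac: str) -> bool:
        """S42 to S46: forward the offline message on the service channel, hand the
        second address to the server, then remap the port to the authentication channel."""
        reply = self.auth.handle_offline(mac, self.mapping[port])
        if reply is None:
            return False
        auth_vni, address = reply
        self.server_addr[port] = address
        self.mapping[port] = auth_vni
        return True


def demo() -> Dict[str, object]:
    """Walk server A (constructed MAC) through bind, refused re-bind, and unbind."""
    auth = AuthenticationServer({
        "00:11:22:33:44:55": ConfigEntry("Server A", vlan=10, service_vni=10, address="10.1.1.2"),
    })
    dev = AccessDevice(range(1, 9), auth)
    result: Dict[str, object] = {}
    result["bind"] = dev.server_online(2, "00:11:22:33:44:55")
    result["vni_after_bind"] = dev.mapping[2]
    result["addr_after_bind"] = dev.server_addr[2]
    # a second online message on port 2 now travels on VxLAN10, not VxLAN1: refused
    result["rebind_refused"] = not dev.server_online(2, "00:11:22:33:44:55")
    # a MAC absent from the configuration table gets no address on an empty port
    result["unknown_refused"] = not dev.server_online(3, "de:ad:be:ef:00:01")
    result["unbind"] = dev.server_offline(2, "00:11:22:33:44:55")
    result["vni_after_unbind"] = dev.mapping[2]
    result["addr_after_unbind"] = dev.server_addr[2]
    return result


if __name__ == "__main__":
    print(demo())
```

Two consequences of the design are visible in the run: once port 2 is remapped to VxLAN10, a further online message on that port travels on the service channel and is refused, so a device plugged into an already bound port cannot obtain an address until an offline step has returned the port to VxLAN1; and because the identification information is a MAC address, which any host can set, whatever presents a configured MAC on an empty port is bound to that service, so the scheme depends on physical control of the access ports or on an additional port authentication mechanism that the patent does not describe.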
Example 5:
This embodiment provides the server and service binding process shown in fig. 5, comprising the following steps:
S51: the authentication server receives, through the overlay network, an online message sent by the access device; the access device forwards it after receiving the online message from a server that has come online, and the online message carries the identification information of the server.
The server and service binding method provided by this embodiment is applied to the authentication server.
Fig. 1B shows the structure of the system; its architecture is described in embodiment 1 and is not repeated here.
The identification information of the server is information that uniquely identifies the server, for example its physical address or its device number.
The process by which the access device sends a message to the authentication server through the overlay network is prior art and is not described in detail here.
S52: look up, in the locally stored configuration information, the first address information of the service to be bound corresponding to the identification information of the server.
The authentication server stores configuration information locally; it records, for each server identification, the first address information of the service to be bound to that server, and the identification may be the MAC address of the server. The configuration information can be preset by operation and maintenance staff and stored on the authentication server in advance.
S53: send the found first address information to the access device through the overlay network, so that the access device passes it to the server and the server configures its local address with the first address information.
The authentication server sends the found first address information to the access device through the overlay network. The access device sends the first address information of the service to be bound to the server, and the server sets its own address to it, which completes the binding of the service to the server. When a user accesses the service from the public network, the server configured with the service's address is reached and provides the service to the user.
In this embodiment, the access device forwards the online message to the authentication server after receiving it, and because the first address information of the service to be bound to the server is held in the authentication server's configuration information, it can be forwarded to the server through the access device; the server configures its own address accordingly, and the binding between server and service is carried out automatically.
Example 6:
On the basis of the above embodiments, in this embodiment the access device is located on the access side of the overlay network and the authentication server is connected to its core side; to ensure that the information transmitted between access devices and the authentication server does not interfere, the authentication server receiving the online message sent by the access device through the overlay network comprises:
the authentication server receiving the online message sent by the access device through the authentication channel in the overlay network, the access device having looked up, in its locally stored mapping relation table, the authentication channel mapped by the port on which the online message was received and sent the message through that channel;
and sending the found first address information to the access device through the overlay network comprises:
the authentication server looking up the service channel corresponding to the identification information of the server in its locally stored configuration information;
and sending the found first address information to the access device through that service channel.
In this embodiment, at initial configuration the authentication server holds a mapping relation table for each access device. It communicates with the underlying network devices by issuing OpenFlow flow tables, or through the SNMP or NETCONF network management protocols, and thereby delivers each access device's mapping relation table to that device. The authentication server may send the tables to the access devices directly, or send them to a controller that in turn delivers them; both the controller and the authentication server are connected to the core side of the overlay network.
Because no access device has a server attached at initial configuration, every port of every access device maps to the authentication channel in the mapping relation table, that is, to the VxLAN1 channel. Fig. 2A illustrates the issuing of the mapping relation table by the authentication server: the table is issued to each access device through the corresponding convergence device and port (in fig. 2A, for example, to access device 2 through port 8 of the convergence device), and in the issued table every port of every access device maps to the VxLAN1 authentication channel.
This embodiment also provides the server and service binding process shown in fig. 6, comprising the following steps:
S61: the server is connected to the access device and sends an online message carrying its identification information.
S62: the access device receives the online message, looks up in its locally stored mapping relation table the authentication channel in the overlay network mapped by the port connected to the server, and sends the online message to the authentication server through that authentication channel.
S63: the authentication server, using the identification information carried in the received online message, looks up in its locally stored configuration information the first address information of the service to be bound and the service channel in the overlay network corresponding to that identification, and sends the found first address information to the access device through that service channel.
S64: the access device receives the first address information of the service to be bound, sent by the authentication server through the service channel in the overlay network.
S65: the server receives the first address information and configures its own address to be the first address information.
Example 7:
the traditional safety protection is based on the wall type boundary protection, no safety protection exists when a boundary is crossed, and under the mode of an environment where a server can be moved, the safety based on the boundary protection cannot guarantee the service safety. In order to ensure that the network security policy is followed, no matter which port of the access device is connected to the server that implements the service, the obtained security protection is the same, on the basis of the foregoing embodiments, in the embodiment of the present invention, after the first address information that is found is sent to the access device through the service channel that is found, the method further includes:
the method comprises the steps that an authentication server receives a service access request of a user, wherein the service access request carries first address information of a server corresponding to a service to be accessed;
according to the locally stored security policy, determining a security policy adopted for the service access request of the service to be accessed and security equipment for executing the corresponding security policy, and correspondingly packaging the service access request;
and sending the encapsulated service access request to a security device executing a corresponding security policy, and forwarding the service access request to a server of the first address information by the security device.
To implement the following of the network security policy, bytes are reserved and definable in the VxLAN slave protocol header. In the embodiment of the invention, a Service chain design encapsulation format is provided through a Network Service Header (NSH). A service node mounting mode is added in a route forwarding mode, a traffic source and destination path change (namely, server relocation) is defined in an NSH format in the process of forwarding from a source to a destination, but the mounted service node follows, and the service node is designed into safety equipment to realize safety strategy following.
Fig. 7A is a schematic structural diagram of an NSH encapsulation mode according to an embodiment of the present invention. The NSH encapsulation includes: the VXLAN GPE encapsulation, the NSH base header, and the NSH extension. The VXLAN GPE encapsulation includes a protocol type field, shown as 0x894F, where 0x894F indicates that the VXLAN payload carries an NSH header; the NSH base header also includes a protocol type, 0x6558, where 0x6558 indicates that a user Layer 2 frame follows the NSH header; the NSH extension may carry a plurality of service-related contexts.
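The encapsulation just described, as an added example that is not part of the patent: a Python encoder and a strict decoder for the VXLAN GPE + NSH layering of Fig. 7A. The protocol-type values 0x894F and 0x6558 come from the text above; the field widths, flag value and context TLV layout are assumptions of this example, not the patent's or RFC 8300's exact layout.

```python
"""
Added example (not code from the patent): build and strictly parse the
VXLAN-GPE + NSH service-chain encapsulation described for Fig. 7A.
The two protocol-type values are taken from the text; every field width,
the flag value and the context TLV layout are assumptions made for this
example, not the layout of the patent or of RFC 8300.
"""
import struct

VXLAN_CARRIES_NSH = 0x894F  # VXLAN-GPE protocol type: an NSH header follows
NSH_CARRIES_L2 = 0x6558     # NSH base-header protocol type: user L2 frame follows

# Assumed 8-byte VXLAN-GPE header: flags, reserved, protocol type, VNI (3 bytes), reserved
_GPE = struct.Struct(">BBH3sB")
# Assumed 8-byte NSH base header: flags, NSH length in 4-byte words,
# protocol type, service path id (3 bytes), service index
_NSH = struct.Struct(">BBH3sB")
# Assumed context TLV in the NSH extension: type (1 byte), value length (1 byte), value
_CTX = struct.Struct(">BB")
_GPE_FLAG_NEXT_PROTO = 0x08  # assumed "protocol type field present" flag


def encapsulate(vni, path_id, service_index, contexts, inner_frame):
    """Wrap a user L2 frame: VXLAN-GPE, NSH base header, context TLVs, frame."""
    ext = b"".join(_CTX.pack(ctype, len(value)) + value for ctype, value in contexts)
    if len(ext) % 4:
        ext += b"\x00" * (4 - len(ext) % 4)  # zero padding keeps the NSH word-aligned
    nsh_words = (_NSH.size + len(ext)) // 4
    gpe = _GPE.pack(_GPE_FLAG_NEXT_PROTO, 0, VXLAN_CARRIES_NSH, vni.to_bytes(3, "big"), 0)
    nsh = _NSH.pack(0, nsh_words, NSH_CARRIES_L2, path_id.to_bytes(3, "big"), service_index)
    return gpe + nsh + ext + inner_frame


def decapsulate(packet):
    """Parse strictly: a security device on the chain must drop anything it
    cannot validate instead of forwarding it. Raises ValueError on bad input."""
    if len(packet) < _GPE.size + _NSH.size:
        raise ValueError("truncated: no room for VXLAN-GPE and NSH headers")
    _flags, _rsv, gpe_proto, vni, _rsv2 = _GPE.unpack_from(packet, 0)
    if gpe_proto != VXLAN_CARRIES_NSH:
        raise ValueError(f"VXLAN payload is not NSH (protocol type 0x{gpe_proto:04X})")
    _nflags, nsh_words, nsh_proto, path_id, service_index = _NSH.unpack_from(packet, _GPE.size)
    if nsh_proto != NSH_CARRIES_L2:
        raise ValueError(f"NSH payload is not a user L2 frame (0x{nsh_proto:04X})")
    nsh_end = _GPE.size + nsh_words * 4
    if nsh_words * 4 < _NSH.size or nsh_end > len(packet):
        raise ValueError("NSH length field inconsistent with packet size")
    contexts = []
    pos = _GPE.size + _NSH.size
    while pos + _CTX.size <= nsh_end:
        ctype, clen = _CTX.unpack_from(packet, pos)
        if ctype == 0:
            break  # type 0 is the zero padding, i.e. the end of the context list
        pos += _CTX.size
        if pos + clen > nsh_end:
            raise ValueError("context TLV overruns the NSH extension")
        contexts.append((ctype, bytes(packet[pos:pos + clen])))
        pos += clen
    return {
        "vni": int.from_bytes(vni, "big"),
        "path_id": int.from_bytes(path_id, "big"),
        "service_index": service_index,
        "contexts": contexts,
        "inner_frame": bytes(packet[nsh_end:]),
    }


if __name__ == "__main__":
    # Constructed sample: VNI 100, service path 7, two service nodes still to visit,
    # one context naming the target service, wrapping a dummy Ethernet frame.
    frame = b"\x02" * 12 + b"\x08\x00" + b"request"
    pkt = encapsulate(100, 7, 2, [(1, b"\x0a"), (2, b"service-A")], frame)
    print(decapsulate(pkt))
```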
Fig. 7B is a schematic flow chart of a user accessing a service after the server has been bound to the service, including the following steps:
S71: the user sends a service access request to the authentication server, where the service access request carries the first address information of server A, which corresponds to service A to be accessed.
S72: the authentication server determines, according to the locally stored security policy, the security policy to be applied to the service access request of the service to be accessed and the security device that executes the corresponding security policy, and encapsulates the service access request accordingly.
S73: the authentication server sends the encapsulated service access request to the security device that executes the corresponding security policy, and the security device forwards the service access request to the server at the first address information.
S74: the service access request passes through security device A and security device C in sequence and is then delivered to the server at the first address information.
When server A is moved, it connects to the access device and sends an online message carrying the identification information of the server. The access device receives the online message, searches, according to the locally stored mapping relation table, for the authentication channel in the overlay network mapped by the port that received the online message, and sends the online message to the authentication server through that authentication channel. The authentication server, according to the identification information of the server carried in the received online message, searches the locally stored configuration information for the first address information of the service to be bound and the service channel in the overlay network that correspond to that identification information, and sends the first address information to the access device through the found service channel.
The access device receives the first address information of the service to be bound, sent by the authentication server through the service channel in the overlay network, and sends the first address information to the server; the server receives the first address information and configures its own address as the first address information. The access device changes the mapping of the port connected to the server in its locally stored mapping relation table to a mapping between that port and the service channel over which the first address information was delivered. When the user sends a service access request carrying the first address information, because the service address of service A is fixed, the service access request still passes through security device A and security device C in sequence and is then delivered to the relocated server A, which provides service A.
Example 8:
An embodiment of the present invention provides a process of unbinding a server from a service, shown schematically in Fig. 8, including the following steps:
S81: the authentication server receives an offline message sent by the access device through the overlay network, where the offline message is forwarded by the access device after it receives the offline message sent by the server, and the offline message carries the identification information of the server.
The server and service binding method provided by the embodiment of the present invention is applied to an authentication server.
Fig. 1B shows a structural diagram of the system; the specific architecture of the system in the embodiment of the present invention is as described in embodiment 1 and is not repeated here.
The identification information of the server may be any information that uniquely identifies the server, for example the physical address of the server or the device number of the server.
The process by which an access device sends a message to a service server through an overlay network belongs to the prior art and is not described in detail in the embodiment of the present invention.
S82: searching, according to the locally stored configuration information, for the second address information of the unbinding service corresponding to the identification information of the server.
The authentication server locally stores configuration information, searches it for the second address information corresponding to the server identification information, and sends the found second address information to the access device, where the second address information is the address information of the unbinding service. The configuration information stores the identification information of the server and the second address information of the corresponding unbinding service, where the identification information of the server may be the MAC address of the server. The configuration information can be preset by operation and maintenance personnel and stored locally in the authentication server in advance.
S83: sending the found second address information to the access device through the overlay network, so that the access device sends the second address information to the server and the server configures its local address with the second address information.
The authentication server sends the found second address information to the access device through the overlay network. The access device sends the second address information of the unbinding service to the server, and the server configures its own address as the second address information, so that the binding between the service and the server is released. The second address information may be a fixed address or a meaningless address.
Example 9:
On the basis of the above embodiments, in an embodiment of the present invention, in order to ensure that the information transmitted between the access device and the authentication server does not interfere with each other, the authentication server receiving the offline message sent by the access device through the overlay network includes:
the authentication server receives the offline message sent by the access device through a service channel in the overlay network, where the access device, according to its locally stored mapping relation table and the port that received the offline message, searches for the service channel in the overlay network mapped by that port and sends the offline message through that service channel;
and the sending of the found second address information to the access device through the overlay network includes:
the authentication server searches, according to the locally stored configuration information, for the authentication channel corresponding to the identification information of the server;
and sends the found second address information to the access device through the found authentication channel.
After the server comes online, the mapping between the port connected to the server and the service channel is stored in the access device. Thus, when the access device receives information from the server that needs to be sent to the authentication server through the corresponding service channel, it looks up the mapping of that port in the mapping relation table according to the port connected to the server, determines the service channel corresponding to the port, and sends the information to the authentication server through that service channel.
After the server comes online, the mapping between the port connected to the server and the service channel is stored in the access device. When the server goes offline, the access device sends the second address information to the server and, after the server has gone offline, changes the mapping of the port connected to the server from the service channel to the authentication channel in the overlay network, which makes it easy to bind that port to another server.
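The binding, relocation and unbinding flows above (Fig. 7B and Examples 8 and 9), as an added example that is not the patent's code: a Python model of the access device's mapping relation table and the authentication server's configuration. The channel names, addresses, MAC addresses and the refusal of a message that arrives on an unexpected channel are assumptions of this example.

```python
"""
Added example (not the patent's code): a model of the access device's
port-to-channel mapping relation table and the authentication server's
configuration, driven through online (binding), relocation and offline
(unbinding). Channel names, addresses, MAC addresses and the refusal of a
message that arrives on an unexpected channel are assumptions of this example.
"""
from dataclasses import dataclass, field

AUTH_CHANNEL = "auth-channel"  # assumed name of the authentication channel in the overlay


@dataclass
class AuthServer:
    # Configuration preset by operations staff: server MAC ->
    # first address (service to bind), its service channel, second address (unbinding).
    config: dict
    # Security policy: service address -> ordered security devices the request traverses.
    policies: dict = field(default_factory=dict)

    def handle(self, channel, message):
        """Process an online/offline message; return (reply channel, reply)."""
        entry = self.config.get(message["mac"])
        if entry is None:
            return channel, {"error": "server not in configuration"}
        if message["type"] == "online":
            # Online messages are expected on the authentication channel (assumed check).
            if channel != AUTH_CHANNEL:
                return channel, {"error": "online message not on authentication channel"}
            return entry["service_channel"], {"type": "bind", "address": entry["first_address"]}
        if message["type"] == "offline":
            # Offline messages are expected on the bound service's channel (assumed check).
            if channel != entry["service_channel"]:
                return channel, {"error": "offline message not on bound service channel"}
            return AUTH_CHANNEL, {"type": "unbind", "address": entry["second_address"]}
        return channel, {"error": "unknown message type"}

    def service_chain(self, address):
        """Security devices a service access request to `address` passes through (Fig. 7B)."""
        return list(self.policies.get(address, []))


@dataclass
class AccessDevice:
    auth: AuthServer
    port_map: dict                                   # mapping relation table: port -> channel
    server_addr: dict = field(default_factory=dict)  # address each attached server configured

    def _relay(self, port, mac, kind):
        channel = self.port_map[port]  # channel mapped by the port that received the message
        reply_channel, reply = self.auth.handle(channel, {"type": kind, "mac": mac})
        if "error" in reply:
            return reply  # mapping table and server address are left untouched
        self.server_addr[port] = reply["address"]  # server configures its local address
        self.port_map[port] = reply_channel        # remap the port for the next message
        return reply

    def server_online(self, port, mac):
        return self._relay(port, mac, "online")

    def server_offline(self, port, mac):
        return self._relay(port, mac, "offline")


def relocate(device, mac, old_port, new_port):
    """Move a server: unbind at old_port, then bind again at new_port; return both replies."""
    return device.server_offline(old_port, mac), device.server_online(new_port, mac)
```

Because the service address and the policy keyed on it never change, the chain returned by `service_chain` is the same before and after the relocation.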
Example 10:
The embodiment of the invention provides a server and service binding system, which includes:
a server, configured to send an online message to the access device, where the online message carries the identification information of the server;
an access device, configured to receive the online message sent by the server coming online and to send the online message to the authentication server through an overlay network;
an authentication server, configured to receive the online message sent by the access device through the overlay network; search, according to locally stored configuration information, for the first address information of the service to be bound corresponding to the identification information of the server; and send the found first address information to the access device through the overlay network;
the access device being further configured to receive the first address information sent by the authentication server through the overlay network and to send the first address information to the server;
and the server being further configured to configure its local address with the first address information.
Fig. 1B shows a structural diagram of the system; the specific architecture of the system in the embodiment of the present invention is as described in embodiment 1 and is not repeated here.
The identification information of the server may be any information that uniquely identifies the server, for example the physical address of the server or the device number of the server.
The process by which an access device sends a message to an authentication server through an overlay network belongs to the prior art and is not described in detail in the embodiment of the present invention.
The authentication server locally stores configuration information, which records the identification information of the server and the first address information of the service to be bound corresponding to that identification information; the identification information of the server may be the MAC address of the server. The configuration information can be preset by operation and maintenance personnel and stored locally in the authentication server in advance.
The authentication server sends the found first address information to the access device through the overlay network. The access device sends the first address information of the service to be bound to the server, and the server configures its own address as the first address information, which completes the binding of the service to the server. When a user accesses the service through the public network, the server configured with the service's address is found, and that server provides the service to the user.
In the embodiment of the invention, the access device sends the online message to the authentication server after receiving it, and because the first address information of the service to be bound to the server is stored in the configuration information of the authentication server, the first address information can be forwarded to the server through the access device, the server can configure its own address, and automatic binding between the server and the service is achieved.
Example 11:
On the basis of the foregoing embodiments, an embodiment of the present invention provides a server and service unbinding system, which includes:
a server, configured to send an offline message to the access device, where the offline message carries the identification information of the server;
an access device, configured to receive the offline message sent by the server and to send the offline message to the authentication server through the overlay network;
an authentication server, configured to receive the offline message sent by the access device through the overlay network; search, according to locally stored configuration information, for the second address information of the unbinding service corresponding to the identification information of the server; and send the determined second address information to the access device through the overlay network;
the access device being further configured to receive the second address information sent by the authentication server through the overlay network and to send the second address information to the server;
and the server being further configured to configure its local address with the second address information.
The server and service binding method provided by the embodiment of the present invention is applied to an authentication server.
Fig. 1B shows a structural diagram of the system; the specific architecture of the system in the embodiment of the present invention is as described in embodiment 1 and is not repeated here.
The identification information of the server may be any information that uniquely identifies the server, for example the physical address of the server or the device number of the server.
The process by which an access device sends a message to a service server through an overlay network belongs to the prior art and is not described in detail in the embodiment of the present invention.
The authentication server locally stores configuration information, searches it for the second address information corresponding to the server identification information, and sends the found second address information to the access device, where the second address information is the address information of the unbinding service. The configuration information stores the identification information of the server and the second address information of the corresponding unbinding service, where the identification information of the server may be the MAC address of the server. The configuration information can be preset by operation and maintenance personnel and stored locally in the authentication server in advance.
The authentication server sends the found second address information to the access device through the overlay network. The access device sends the second address information of the unbinding service to the server, and the server configures its own address as the second address information, so that the binding between the service and the server is released. The second address information may be a fixed address or a meaningless address.
Example 12:
On the basis of the foregoing embodiments, another embodiment of the present invention provides a server and service binding apparatus, shown schematically in Fig. 9, including:
a first processing module 91, configured to receive an online message sent by a server coming online and to send the online message to an authentication server through an overlay network, where the online message carries the identification information of the server;
a second processing module 92, configured to receive the first address information of a service to be bound, sent by the authentication server through the overlay network, where the authentication server searches for and sends the first address information corresponding to the identification information of the server according to its locally stored configuration information;
a sending module 93, configured to send the first address information to the server, so that the server configures its local address with the first address information.
The first processing module 91 includes:
a determining unit, configured to search, according to a locally stored mapping relation table and the port that received the online message, for the authentication channel in the overlay network mapped by that port;
a sending unit, configured to send the online message to the authentication server through the found authentication channel;
The second processing module 92 is specifically configured to receive the first address information of the service to be bound, sent by the authentication server through a service channel in the overlay network, where the authentication server searches, according to its locally stored configuration information, for the service channel corresponding to the identification information of the server and sends the first address information through that service channel.
The apparatus further comprises:
a storage module, configured to update, in the locally stored mapping relation table, the mapping between the port that received the online message and the service channel.
The server and service binding apparatus is located in the access device.
Example 13:
On the basis of the foregoing embodiments, another embodiment of the present invention provides a server and service unbinding apparatus, shown schematically in Fig. 10, including:
a first processing module 101, configured to receive an offline message sent by a server and to send the offline message to an authentication server through an overlay network, where the offline message carries the identification information of the server;
a second processing module 102, configured to receive the second address information of an unbinding service, sent by the authentication server through the overlay network, where the authentication server searches for and sends the second address information corresponding to the identification information of the server according to its locally stored configuration information;
a sending module 103, configured to send the second address information to the server, so that the server configures its local address with the second address information.
The first processing module 101 is specifically configured to search, according to the locally stored mapping relation table and the port that received the offline message, for the service channel in the overlay network mapped by that port, and to send the offline message to the authentication server through the found service channel;
The second processing module 102 is specifically configured to receive the second address information of the unbinding service, sent by the authentication server through an authentication channel in the overlay network, where the authentication server searches, according to its locally stored configuration information, for the authentication channel corresponding to the identification information of the server and sends the second address information through that authentication channel.
The apparatus further comprises:
a storage module 104, configured to update, in the locally stored mapping relation table, the mapping between the port that received the offline message and the authentication channel.
The server and service unbinding apparatus is located in the access device.
Example 14:
On the basis of the foregoing embodiments, another embodiment of the present invention provides a server and service binding apparatus, shown schematically in Fig. 11, including:
a receiving module 111, configured to receive, through an overlay network, an online message sent by an access device, where the online message is forwarded by the access device after it receives the online message sent by a server coming online, and the online message carries the identification information of the server;
an obtaining module 112, configured to search, according to locally stored configuration information, for the first address information of the service to be bound corresponding to the identification information of the server;
an issuing module 113, configured to send the found first address information to the access device through the overlay network, so that the access device sends the first address information to the server and the server configures its local address with the first address information.
The receiving module 111 is specifically configured to receive the online message sent by the access device through an authentication channel in the overlay network, where the access device, according to its locally stored mapping relation table and the port that received the online message, searches for the authentication channel in the overlay network mapped by that port and sends the online message through that authentication channel;
The issuing module 113 is specifically configured to search, according to the locally stored configuration information, for the service channel corresponding to the identification information of the server, and to send the found first address information to the access device through the found service channel.
The apparatus further comprises:
a first service access module 114, configured to receive a service access request of a user, where the service access request carries the first address information of the server corresponding to the service to be accessed;
a second service access module 115, configured to determine, according to a locally stored security policy, the security policy to be applied to the service access request of the service to be accessed and the security device that executes the corresponding security policy, and to encapsulate the service access request accordingly;
a third service access module 116, configured to send the encapsulated service access request to the security device that executes the corresponding security policy, the security device forwarding the service access request to the server at the first address information.
The server and service binding apparatus is located in the authentication server.
Example 15:
On the basis of the foregoing embodiments, another embodiment of the present invention provides a server and service unbinding apparatus, shown schematically in Fig. 12, including:
a receiving module 121, configured to receive, through an overlay network, an offline message sent by an access device, where the offline message is forwarded by the access device after it receives the offline message sent by a server, and the offline message carries the identification information of the server;
an obtaining module 122, configured to search, according to locally stored configuration information, for the second address information of the unbinding service corresponding to the identification information of the server;
an issuing module 123, configured to send the found second address information to the access device through the overlay network, so that the access device sends the second address information to the server and the server configures its local address with the second address information.
The receiving module 121 is specifically configured to receive, through a service channel in the overlay network, the offline message sent by the access device, where the access device, according to its locally stored mapping relation table and the port that received the offline message, searches for the service channel in the overlay network mapped by that port and sends the offline message through that service channel;
The issuing module 123 is specifically configured to search, according to the locally stored configuration information, for the authentication channel corresponding to the identification information of the server, and to send the found second address information to the access device through the found authentication channel.
The server and service unbinding apparatus is located in the access device.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (24)

1. A method for binding a server and a service, the method comprising:
the method comprises the steps that an access device receives an online message sent by an online server and sends the online message to an authentication server through an overlay network, wherein the online message carries identification information of the server;
receiving first address information of a service to be bound, which is sent by the authentication server through an overlay network, wherein the authentication server searches and sends the first address information corresponding to the identification information of the server according to locally stored configuration information;
and sending the first address information to the server so that the server configures a local address by adopting the first address information.
2. The method of claim 1, wherein sending the online message to an authentication server through an overlay network comprises:
the access equipment searches an authentication channel in an overlay network mapped by a port receiving the online message according to a mapping relation table stored locally and the port receiving the online message;
sending the online message to an authentication server through the searched authentication channel;
the receiving of the first address information of the service to be bound, which is sent by the authentication server through the overlay network, includes:
receiving first address information of a service to be bound, which is sent by the authentication server through a service channel in an overlay network, wherein the authentication server searches the service channel corresponding to the identification information of the server according to locally stored configuration information, and sends the first address information through the service channel.
3. The method of claim 2, wherein after receiving the first address information of the service to be bound, which is sent by the authentication server through a service channel in an overlay network, the method further comprises:
and the access equipment updates the mapping relation between the port for receiving the online message and the service channel in a mapping relation table stored locally.
4. A server and service unbinding method based on the server and service binding method of any one of claims 1 to 3, wherein the method comprises:
the access equipment receives an offline message sent by a server and sends the offline message to an authentication server through an overlay network, wherein the offline message carries identification information of the server;
receiving second address information of the unbinding service sent by the authentication server through an overlay network, wherein the authentication server searches and sends the second address information corresponding to the identification information of the server according to locally stored configuration information;
and sending the second address information to the server so that the server adopts the second address information to configure a local address.
5. The method of claim 4, wherein sending the offline message to an authentication server through an overlay network comprises:
the access equipment searches a service channel in an overlay network mapped by the port receiving the offline message according to a mapping relation table stored locally and the port receiving the offline message;
sending the offline message to an authentication server through the searched service channel;
the receiving second address information of the unbinding service sent by the authentication server through the overlay network includes:
and receiving second address information of the unbinding service sent by the authentication server through an authentication channel in the overlay network, wherein the authentication server searches the authentication channel corresponding to the identification information of the server according to locally stored configuration information, and sends the second address information through the authentication channel.
6. The method of claim 5, wherein after receiving the second address information of the unbinding service sent by the authentication server through an authentication channel in an overlay network, the method further comprises:
and the access equipment updates the mapping relation between the port for receiving the offline message and the authentication channel in a mapping relation table stored locally.
7. A method for binding a server and a service, the method comprising:
the authentication server receiving, through an overlay network, an online message sent by an access device, wherein the online message is forwarded by the access device after it receives the online message sent by the server coming online, and the online message carries identification information of the server;
searching, according to locally stored configuration information, for first address information of the service to be bound that corresponds to the identification information of the server;
and sending the found first address information to the access device through the overlay network, so that the access device sends the first address information to the server and the server uses the first address information to configure its local address.
8. The method of claim 7, wherein the authentication server receiving an online message sent by an access device through an overlay network comprises:
the authentication server receiving the online message sent by the access device through an authentication channel in the overlay network, wherein the access device finds the authentication channel in the overlay network mapped by the port that received the online message according to a locally stored mapping relation table and that port, and sends the online message through that authentication channel;
and wherein sending the found first address information to the access device through the overlay network comprises:
the authentication server searching, according to locally stored configuration information, for the service channel corresponding to the identification information of the server;
and sending the found first address information to the access device through the found service channel.
9. The method of claim 8, wherein after sending the found first address information to the access device through the found service channel, the method further comprises:
the authentication server receiving a service access request of a user, wherein the service access request carries the first address information of the server corresponding to the service to be accessed;
determining, according to a locally stored security policy, the security policy to be applied to the service access request for the service to be accessed and the security device that executes that security policy, and encapsulating the service access request accordingly;
and sending the encapsulated service access request to the security device that executes the corresponding security policy, the security device forwarding the service access request to the server at the first address information.
10. A method for unbinding a server and a service based on the method for binding a server and a service of any one of claims 7 to 9, the method comprising:
the authentication server receiving, through an overlay network, an offline message sent by an access device, wherein the offline message is forwarded by the access device after it receives the offline message sent by the server, and the offline message carries identification information of the server;
searching, according to locally stored configuration information, for second address information of the unbinding service that corresponds to the identification information of the server;
and sending the found second address information to the access device through the overlay network, so that the access device sends the second address information to the server and the server uses the second address information to configure its local address.
11. The method of claim 10, wherein the authentication server receiving an offline message sent by an access device through an overlay network comprises:
the authentication server receiving the offline message sent by the access device through a service channel in the overlay network, wherein the access device finds the service channel in the overlay network mapped by the port that received the offline message according to a locally stored mapping relation table and that port, and sends the offline message through that service channel;
and wherein sending the found second address information to the access device through the overlay network comprises:
the authentication server searching, according to locally stored configuration information, for the authentication channel corresponding to the identification information of the server;
and sending the found second address information to the access device through the found authentication channel.
12. A system for binding a server and a service, the system comprising:
a server, configured to send an online message to an access device, wherein the online message carries identification information of the server;
the access device, configured to receive the online message sent by the server coming online and send the online message to an authentication server through an overlay network;
the authentication server, configured to receive the online message sent by the access device through the overlay network; search, according to locally stored configuration information, for first address information of the service to be bound that corresponds to the identification information of the server; and send the found first address information to the access device through the overlay network;
wherein the access device is further configured to receive the first address information sent by the authentication server through the overlay network and send the first address information to the server;
and the server is further configured to configure its local address using the first address information.
13. A system for unbinding a server and a service, comprising:
a server, configured to send an offline message to an access device, wherein the offline message carries identification information of the server;
the access device, configured to receive the offline message sent by the server and send the offline message to an authentication server through an overlay network;
the authentication server, configured to receive the offline message sent by the access device through the overlay network; search, according to locally stored configuration information, for second address information of the unbinding service that corresponds to the identification information of the server; and send the found second address information to the access device through the overlay network;
wherein the access device is further configured to receive the second address information sent by the authentication server through the overlay network and send the second address information to the server;
and the server is further configured to configure its local address using the second address information.
14. An apparatus for binding a server and a service, the apparatus comprising:
a first processing module, configured to receive an online message sent by a server coming online and send the online message to an authentication server through an overlay network, wherein the online message carries identification information of the server;
a second processing module, configured to receive first address information of the service to be bound sent by the authentication server through the overlay network, wherein the authentication server finds the first address information corresponding to the identification information of the server according to locally stored configuration information and sends it;
and a sending module, configured to send the first address information to the server so that the server uses the first address information to configure its local address.
15. The apparatus of claim 14, wherein the first processing module comprises:
a determining unit, configured to search, according to a locally stored mapping relation table and the port that received the online message, for the authentication channel in the overlay network mapped by that port;
and a sending unit, configured to send the online message to the authentication server through the found authentication channel;
and wherein the second processing module is specifically configured to receive the first address information of the service to be bound sent by the authentication server through a service channel in the overlay network, wherein the authentication server finds the service channel corresponding to the identification information of the server according to locally stored configuration information and sends the first address information through that service channel.
16. The apparatus of claim 15, further comprising:
a storage module, configured to update, in the locally stored mapping relation table, the mapping relation between the port that received the online message and the service channel.
17. An apparatus for unbinding a server and a service based on the apparatus for binding a server and a service of any one of claims 14 to 16, the apparatus comprising:
a first processing module, configured to receive an offline message sent by a server and send the offline message to an authentication server through an overlay network, wherein the offline message carries identification information of the server;
a second processing module, configured to receive second address information of the unbinding service sent by the authentication server through the overlay network, wherein the authentication server finds the second address information corresponding to the identification information of the server according to locally stored configuration information and sends it;
and a sending module, configured to send the second address information to the server so that the server uses the second address information to configure its local address.
18. The apparatus of claim 17, wherein the first processing module is specifically configured to search, according to a locally stored mapping relation table and the port that received the offline message, for the service channel in the overlay network mapped by that port, and to send the offline message to the authentication server through the found service channel;
and the second processing module is specifically configured to receive the second address information of the unbinding service sent by the authentication server through an authentication channel in the overlay network, wherein the authentication server finds the authentication channel corresponding to the identification information of the server according to locally stored configuration information and sends the second address information through that authentication channel.
19. The apparatus of claim 18, further comprising:
a storage module, configured to update, in the locally stored mapping relation table, the mapping relation between the port that received the offline message and the authentication channel.
20. An apparatus for binding a server and a service, the apparatus comprising:
a receiving module, configured to receive, through an overlay network, an online message sent by an access device, wherein the online message is forwarded by the access device after it receives the online message sent by a server coming online, and the online message carries identification information of the server;
an acquisition module, configured to search, according to locally stored configuration information, for first address information of the service to be bound that corresponds to the identification information of the server;
and an issuing module, configured to send the found first address information to the access device through the overlay network, so that the access device sends the first address information to the server and the server uses the first address information to configure its local address.
21. The apparatus of claim 20, wherein the receiving module is specifically configured to receive the online message sent by the access device through an authentication channel in the overlay network, wherein the access device finds the authentication channel in the overlay network mapped by the port of the access device that received the online message according to a locally stored mapping relation table and that port, and sends the online message through that authentication channel;
and the issuing module is specifically configured to search, according to locally stored configuration information, for the service channel corresponding to the identification information of the server, and to send the found first address information to the access device through the found service channel.
22. The apparatus of claim 21, further comprising:
a first service access module, configured to receive a service access request of a user, wherein the service access request carries the first address information of the server corresponding to the service to be accessed;
a second service access module, configured to determine, according to a locally stored security policy, the security policy to be applied to the service access request for the service to be accessed and the security device that executes that security policy, and to encapsulate the service access request accordingly;
and a third service access module, configured to send the encapsulated service access request to the security device that executes the corresponding security policy, the security device forwarding the service access request to the server at the first address information.
23. An apparatus for unbinding a server and a service based on the apparatus for binding a server and a service of any one of claims 20 to 22, the apparatus comprising:
a receiving module, configured to receive, through an overlay network, an offline message sent by an access device, wherein the offline message is forwarded by the access device after it receives the offline message sent by a server, and the offline message carries identification information of the server;
an acquisition module, configured to search, according to locally stored configuration information, for second address information of the unbinding service that corresponds to the identification information of the server;
and an issuing module, configured to send the found second address information to the access device through the overlay network, so that the access device sends the second address information to the server and the server uses the second address information to configure its local address.
24. The apparatus of claim 23, wherein the receiving module is specifically configured to receive the offline message sent by the access device through a service channel in the overlay network, wherein the access device finds the service channel in the overlay network mapped by the port that received the offline message according to a locally stored mapping relation table and that port, and sends the offline message through that service channel;
and the issuing module is specifically configured to search, according to locally stored configuration information, for the authentication channel corresponding to the identification information of the server, and to send the found second address information to the access device through the found authentication channel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710220693.9A CN108696370B (en) 2017-04-06 2017-04-06 Method, device and system for binding and unbinding server and service

Publications (2)

Publication Number Publication Date
CN108696370A CN108696370A (en) 2018-10-23
CN108696370B true CN108696370B (en) 2021-04-13

Family

ID=63842832

Country Status (1)

Country Link
CN (1) CN108696370B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110154818B (en) * 2019-05-27 2023-03-21 Shanghai NIO Automobile Co., Ltd. Automatic code binding method and system for multiple charging terminals and power control device
CN110166579B (en) * 2019-07-16 2020-01-03 Huawei Technologies Co., Ltd. Server communication method, broadband access server and system
CN113590313B (en) * 2021-07-08 2024-02-02 Hangzhou NetEase Shufan Technology Co., Ltd. Load balancing method, device, storage medium and computing equipment
CN115065719B (en) * 2022-06-09 2023-07-14 Shenzhen Skyworth Digital Technology Co., Ltd. Equipment interactive access method and device, electronic equipment and readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855820A (en) * 2005-04-29 2006-11-01 Huawei Technologies Co., Ltd. Method for providing business according to its type
CN1859441A (en) * 2005-10-20 2006-11-08 Huawei Technologies Co., Ltd. Method for distributing service based on terminal physical position
CN1863215A (en) * 2005-09-28 2006-11-15 Huawei Technologies Co., Ltd. Method and system for providing various business services for users
CN102158565A (en) * 2011-04-07 2011-08-17 Raisecom Technology Co., Ltd. Method and system for configuring Internet protocol (IP) address for remote device
CN103167050A (en) * 2011-12-13 2013-06-19 Delta Electronics, Inc. Automatic installation and setting method of server
CN104243154A (en) * 2013-06-07 2014-12-24 Tencent Technology (Shenzhen) Co., Ltd. Server user authority centralized control system and server use authority centralized control method
CN104426846A (en) * 2013-08-22 2015-03-18 Alibaba Group Holding Ltd. Service security verifying method and apparatus
CN105933466A (en) * 2016-04-21 2016-09-07 Guangxi Radio and Television Information Network Co., Ltd. Method for accurate user identification and serving in data transmission network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9191360B2 (en) * 2013-01-22 2015-11-17 International Business Machines Corporation Address management in an overlay network environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of SSH-based Terminal Binding; Wang Libin; China Master's Theses Full-text Database, Information Science and Technology; 2008-06-11; full text *

Also Published As

Publication number Publication date
CN108696370A (en) 2018-10-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant