CN109525582B - Message processing method, system and storage medium - Google Patents
Publication number: CN109525582B (application CN201811376448.8A)
Authority: CN (China)
Prior art keywords: virtual machine, mac address, message, information table, machine information
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0272: Network architectures or protocols for network security; separating internal from external traffic, e.g. firewalls; virtual private networks
- G06F9/45558: Hypervisors; virtual machine monitors; hypervisor-specific management and integration aspects
- H04L12/4641: Data switching networks; interconnection of networks; virtual LANs (VLANs), e.g. virtual private networks (VPN)
- H04L45/66: Routing or path finding of packets in data switching networks; layer 2 routing, e.g. in Ethernet-based MANs
- G06F2009/45587: Isolation or security of virtual machine instances
- G06F2009/45595: Network integration; enabling network access in virtual machine instances
Abstract
The invention relates to the technical field of computers, discloses a message processing method, a message processing system and a message processing storage medium, and solves the problem that the prior art cannot realize the isolation protection of communication between virtual machines in the same port group. The method is applied to a message processing system and comprises the following steps: acquiring a message, and extracting a target mac address and a source mac address in the message; judging whether the target mac address exists in an isolation virtual machine information table or not; when the target mac address exists, acquiring an isolation vlan identifier corresponding to the target mac address, modifying the vlan identifier carried by the message into the isolation vlan identifier, and sending the message through an internal interface of the message processing system; if not, judging whether the source mac address exists in the isolation virtual machine information table or not; and when the source mac address exists, acquiring an original vlan identifier corresponding to the source mac address, modifying the vlan identifier carried by the message into the original vlan identifier, and sending the message through an external interface of the message processing system. The embodiment of the invention is suitable for message processing between the isolated virtual machines.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, a system, and a storage medium for processing a packet.
Background
In a cloud environment, network-layer security protection of virtual machines is generally realized by passing all virtual machine traffic through network security equipment. For communication between virtual machines in the same port group, however, the traffic is distributed to the same physical server node, and the service traffic between the virtual machines is forwarded directly by the virtual switch in that node, so isolation protection of communication between virtual machines in the same port group cannot be realized.
Disclosure of Invention
The invention aims to solve the problem that the prior art cannot realize the isolation and protection of communication between virtual machines in the same port group, and provides a message processing method, a message processing system and a storage medium.
In order to achieve the above object, an aspect of the present invention provides a message processing method, where the method is applied to a message processing system, and the method includes: acquiring a message, and extracting a target mac address and a source mac address in the message; judging whether the target mac address exists in an isolation virtual machine information table, wherein the isolation virtual machine information table comprises a mac address, an original vlan identifier and an isolation vlan identifier corresponding to the isolated virtual machine; when the target mac address exists in the isolation virtual machine information table, acquiring an isolation vlan identifier corresponding to the target mac address in the isolation virtual machine information table, modifying the vlan identifier carried by the message into the isolation vlan identifier, and sending the message through an internal interface of the message processing system; when the target mac address does not exist in the isolated virtual machine information table, judging whether the source mac address exists in the isolated virtual machine information table; and when the source mac address exists in the isolation virtual machine information table, acquiring an original vlan identifier corresponding to the source mac address in the isolation virtual machine information table, modifying the vlan identifier carried by the message into the original vlan identifier, and sending the message through an external interface of the message processing system.
Further, when the destination mac address does not exist in the isolated virtual machine information table, determining whether the source mac address exists in the isolated virtual machine information table includes: when the target mac address does not exist in the isolated virtual machine information table, acquiring a receiving interface of the message; judging whether the receiving interface is the internal interface or not; and when the receiving interface is the internal interface, judging whether the source mac address exists in the isolated virtual machine information table.
Further, the method further comprises: and when the receiving interface is not the internal interface, discarding the message.
A second aspect of the present invention provides a message processing system, including: the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a message and extracting a target mac address and a source mac address in the message; the first judging unit is used for judging whether the target mac address exists in an isolation virtual machine information table or not, wherein the isolation virtual machine information table comprises a mac address, an original vlan identifier and an isolation vlan identifier corresponding to the isolated virtual machine; a first processing unit, configured to, when the target mac address exists in the isolated virtual machine information table, obtain an isolated vlan identifier corresponding to the target mac address in the isolated virtual machine information table, modify the vlan identifier carried in the packet into the isolated vlan identifier, and send the packet through an internal interface of the packet processing system; a second judging unit, configured to judge whether the source mac address exists in the isolated virtual machine information table when the destination mac address does not exist in the isolated virtual machine information table; and the second processing unit is used for acquiring an original vlan identifier corresponding to the source mac address in the isolated virtual machine information table when the source mac address exists in the isolated virtual machine information table, modifying the vlan identifier carried by the message into the original vlan identifier, and sending the message through an external interface of the message processing system.
Further, the second determining unit is further configured to obtain a receiving interface of the packet when the destination mac address does not exist in the isolated virtual machine information table; judging whether the receiving interface is the internal interface or not; and when the receiving interface is the internal interface, judging whether the source mac address exists in the isolated virtual machine information table.
Further, the second determining unit is further configured to discard the packet when the receiving interface is not the internal interface.
Furthermore, the internal interface of the message processing system is connected with a first virtual switch, the external interface of the message processing system is connected with a second virtual switch, the second virtual switch is connected with the physical switch, the first virtual switch is connected with the isolated virtual machine, and the second virtual switch is connected with the non-isolated virtual machine.
A third aspect of the present invention provides a storage medium having stored therein instructions that, when run on a computer, cause the computer to perform the message processing method as described above.
Through the technical scheme, after the message processing system acquires a message and extracts the target mac address and the source mac address in the message, it judges whether the target mac address exists in the isolation virtual machine information table. When the target mac address exists in the table, it acquires the isolation vlan identifier corresponding to the target mac address, modifies the vlan identifier carried by the message into the isolation vlan identifier, and sends the message through the internal interface of the message processing system. When the target mac address does not exist in the table, it judges whether the source mac address exists in the table; when the source mac address exists, it acquires the original vlan identifier corresponding to the source mac address, modifies the vlan identifier carried by the message into the original vlan identifier, and sends the message through the external interface of the message processing system. The embodiment of the invention thus solves the problem that the prior art cannot realize isolation protection of communication between virtual machines in the same port group, and realizes that isolation protection.
Drawings
FIG. 1 is a schematic diagram of an architecture of an isolated virtual machine according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a message processing method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of another message processing method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a message processing system according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
In a cloud environment, when two virtual machines in the same port group are allocated to the same physical server node, the service traffic between the two virtual machines is directly forwarded by a virtual switch in the node, and the service traffic for the situation cannot pass through a network security device deployed outside the physical node. The embodiment of the invention realizes the two-layer isolation protection of the virtual machine on the basis of not depending on the cloud computing platform, and the specific implementation process is as follows.
As shown in fig. 1, all the isolated virtual machines are attached to the first virtual switch, each isolated virtual machine is assigned an isolation vlan identifier, and the information of each isolated virtual machine is stored on the cloud platform. The isolation virtual machine information table comprises the mac address, the original vlan identifier and the isolation vlan identifier corresponding to each isolated virtual machine. As shown in fig. 1, the isolated virtual machines are VM (Virtual Machine) 1, VM2 and VM3. The isolated virtual machines are connected to the first virtual switch, the first virtual switch is connected to the internal interface of the message processing system, the external interface of the message processing system is connected to the second virtual switch, the second virtual switch is connected to the non-isolated virtual machines, namely VM4, VM5 and VM6, and the second virtual switch is connected to the physical switch through physical ports. Embodiments of the present invention are directed to communication between isolated virtual machines, and between an isolated virtual machine and a non-isolated virtual machine.
Fig. 2 is a flowchart illustrating a message processing method according to an embodiment of the present invention. The method is applied to a message processing system. Before the message processing system processes a message, it acquires the isolation virtual machine information table from the cloud platform, so that the information of the isolated virtual machines is obtained. As shown in fig. 2, the method includes the following steps:
Taking the virtual machine architecture shown in fig. 1 as an example, the following situations exist for communication between isolated virtual machines and between an isolated virtual machine and a non-isolated virtual machine in the embodiment of the present invention: VM2 sends a message to VM1, VM1 sends a message to VM4, and VM4 sends a message to VM1. The messages sent in these three situations need to be processed by the message processing system. The three message communications are based on the premise that VM1 and VM2 have the same original vlan identifier and that VM1 and VM4 have the same original vlan identifier, so that normal transmission of the messages in the three situations can be guaranteed; this is also the known premise on which virtual machines perform layer-2 communication in the prior art.
After the message is acquired, the destination mac address and the source mac address in the message are extracted, and the sending direction of the message is judged according to the isolation virtual machine information table. The isolation virtual machine information table comprises the mac address, the original vlan identifier and the isolation vlan identifier corresponding to each isolated virtual machine. Therefore, it can be checked in the isolation virtual machine information table whether the destination mac address of the message exists; if so, the destination virtual machine of the message is an isolated virtual machine, which covers two of the cases above: VM2 sends the message to VM1, and VM4 sends the message to VM1. Whether VM2 or VM4 sends the message to VM1, based on the premise that virtual machines with the same original vlan identifier can communicate, the vlan identifier carried in the message is the original vlan identifier. The destination virtual machine, however, is the isolated virtual machine VM1, which has been assigned an isolation vlan identifier. Therefore, to deliver the message to the isolated virtual machine VM1, the vlan identifier carried by the message is modified into the isolation vlan identifier of VM1. Since the target mac address carried by the message is found in the isolation virtual machine information table, the isolation vlan identifier corresponding to that target mac address is extracted, and the vlan identifier carried by the message is modified into this isolation vlan identifier. When the message processing system receives the message and judges that the target virtual machine is an isolated virtual machine, it sends the message to the corresponding isolated virtual machine through its internal interface.
Taking the case where VM2 sends a message to VM1 as an example, when the message sent by VM2 to VM1 reaches the message processing system through the first virtual switch, the system extracts the destination mac address of the message, that is, the mac address of VM1, and searches for the mac address of VM1 in the isolation virtual machine information table. Since VM1 is an isolated virtual machine, the mac address and the isolation vlan identifier of VM1 are found in the table, the vlan identifier carried in the message is modified into the isolation vlan identifier of VM1, and the message is then sent to VM1 through the internal interface of the message processing system.
Likewise, when VM4 sends a message to VM1, after the message reaches the message processing system through the second virtual switch, the system processes it in the same manner as the message from VM2 to VM1: it modifies the vlan identifier carried in the message into the isolation vlan identifier of VM1, and then sends the message to VM1 through the internal interface of the message processing system.
If the target mac address of the message does not exist in the isolation virtual machine information table, it is judged whether the source mac address exists in the table. That is, if the destination virtual machine of the message is not an isolated virtual machine, it is determined from the source mac address whether the virtual machine that sent the message is an isolated virtual machine. When the source mac address exists in the table, the virtual machine that sent the message is an isolated virtual machine; this corresponds to the case where VM1 sends the message to VM4. Again based on the premise that virtual machines with the same original vlan identifier can communicate: since the message is sent by an isolated virtual machine, the vlan identifier carried in the message is the isolation vlan identifier, but the destination virtual machine of the message is the non-isolated virtual machine VM4, whose vlan identifier is the same as the original vlan identifier of VM1. Therefore, to deliver the message to the non-isolated virtual machine VM4, the vlan identifier carried in the message is modified into the original vlan identifier of VM1, and the message is sent to VM4 through the external interface of the message processing system.
Because the message processing system is set up for the isolated virtual machines, when neither the source mac address nor the destination mac address of a received message exists in the isolation virtual machine information table, the message is discarded directly. To judge the message more quickly, rather than spending time searching the isolation virtual machine information table for the source mac address, the receiving interface of the message can be obtained directly and it can be judged whether the receiving interface is the internal interface of the message processing system, that is, whether the message was obtained from the side of the isolated virtual machines. When the receiving interface is not the internal interface, the message was obtained from the external interface. By the processing steps above, the target mac address of such a message does not exist in the isolation virtual machine information table, so the message is not addressed to an isolated virtual machine; and since the receiving interface is the external interface, the message was sent from a non-isolated virtual machine. The message therefore belongs to communication between non-isolated virtual machines, which the message processing system does not handle, so it discards the message directly. Judging whether the receiving interface is the internal interface is faster than judging whether the source mac address of the message exists in the isolation virtual machine information table, which improves the message processing speed.
When the receiving interface of the message is the internal interface, it is further judged whether the source mac address exists in the isolation virtual machine information table. When the source mac address exists in the table, the original vlan identifier corresponding to the source mac address is acquired from the table, the vlan identifier carried by the message is modified into the original vlan identifier, and the message is sent through the external interface of the message processing system. If the receiving interface of the message is the internal interface but the source mac address does not exist in the isolation virtual machine information table, the message is probably erroneous, and it is also discarded directly.
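The decision procedure described above (destination lookup, receiving-interface check, source lookup, vlan rewrite, discard otherwise), as an added example in Python that is not part of the patent: it assumes the vlan identifier is carried in an 802.1Q tag, and the information table, MAC addresses and vlan numbers are constructed sample values for the fig. 1 topology.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Interfaces of the message processing system (fig. 1): the internal interface
# faces the first virtual switch (isolated VMs), the external interface faces
# the second virtual switch (non-isolated VMs and the physical switch).
INTERNAL = "internal"
EXTERNAL = "external"

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q VLAN tag


@dataclass(frozen=True)
class IsolatedVm:
    """One row of the isolation virtual machine information table."""
    mac: bytes
    original_vlan: int
    isolation_vlan: int


def mac(text: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes (table keys and frame fields use raw bytes)."""
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample table: VM1..VM3 are isolated and share original vlan 100,
# each with its own isolation vlan. VM4..VM6 are non-isolated and therefore
# absent from the table. All MAC addresses here are made up.
ISOLATION_TABLE: Dict[bytes, IsolatedVm] = {
    row.mac: row
    for row in (
        IsolatedVm(mac("02:00:00:00:00:01"), 100, 1001),  # VM1
        IsolatedVm(mac("02:00:00:00:00:02"), 100, 1002),  # VM2
        IsolatedVm(mac("02:00:00:00:00:03"), 100, 1003),  # VM3
    )
}
VM4_MAC = mac("02:00:00:00:00:04")
VM5_MAC = mac("02:00:00:00:00:05")


def build_frame(dst: bytes, src: bytes, vid: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal 802.1Q-tagged Ethernet frame (PCP/DEI = 0, inner EtherType IPv4)."""
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, vid & 0x0FFF, 0x0800) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, int]:
    """Extract (destination mac, source mac, vlan id) from a tagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src, tpid, tci = struct.unpack("!6s6sHH", frame[:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q vlan tag")
    return dst, src, tci & 0x0FFF


def rewrite_vlan(frame: bytes, vid: int) -> bytes:
    """Return a copy of the frame with the 12-bit VID replaced and PCP/DEI preserved."""
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | (vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def process(frame: bytes, rx_iface: str,
            table: Dict[bytes, IsolatedVm]) -> Tuple[str, Optional[str], bytes]:
    """Apply the patent's decision steps; returns (action, egress interface, frame)."""
    try:
        dst, src, _vid = parse_frame(frame)
    except ValueError:
        return ("drop", None, frame)  # the method depends on the carried vlan id

    # Step 1: destination is an isolated VM -> retag to its isolation vlan, send internal.
    entry = table.get(dst)
    if entry is not None:
        return ("forward", INTERNAL, rewrite_vlan(frame, entry.isolation_vlan))

    # Step 2 (fast path): not received on the internal interface -> traffic between
    # non-isolated VMs, which this system does not handle; discard without a lookup.
    if rx_iface != INTERNAL:
        return ("drop", None, frame)

    # Step 3: source is an isolated VM -> retag to its original vlan, send external.
    entry = table.get(src)
    if entry is None:
        return ("drop", None, frame)  # internal side but unknown source: treat as error
    return ("forward", EXTERNAL, rewrite_vlan(frame, entry.original_vlan))


if __name__ == "__main__":
    vm1, vm2 = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    for label, frame, iface in (
        ("VM2 -> VM1", build_frame(vm1, vm2, 100), INTERNAL),
        ("VM4 -> VM1", build_frame(vm1, VM4_MAC, 100), EXTERNAL),
        ("VM1 -> VM4", build_frame(VM4_MAC, vm1, 1001), INTERNAL),
        ("VM4 -> VM5", build_frame(VM5_MAC, VM4_MAC, 100), EXTERNAL),
    ):
        action, egress, out = process(frame, iface, ISOLATION_TABLE)
        print(f"{label}: {action} via {egress}, vlan {parse_frame(out)[2]}")
```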
To facilitate understanding of the embodiment of the present invention, fig. 3 provides a flowchart illustrating a method for processing a message. As shown in fig. 3, the method comprises the following steps:
307, judging whether the source mac address exists in the isolated virtual machine information table, if so, executing a step 308, otherwise, executing a step 306;
By this embodiment, network-layer isolation of virtual machines is realized: the traffic of the virtual machines is steered to the virtualized security device, namely the message processing system, for processing; communication between virtual machines in the same network segment is isolated and protected; and technical support is provided for subsequent encrypted message communication between virtual machines in the same network segment.
Correspondingly, fig. 4 is a schematic structural diagram of a message processing system according to an embodiment of the present invention. As shown in fig. 4, the system includes: an obtaining unit 41, configured to obtain a message, and extract a destination mac address and a source mac address in the message; a first determining unit 42, configured to determine whether the destination mac address exists in an isolation virtual machine information table, where the isolation virtual machine information table includes a mac address, an original vlan identifier, and an isolation vlan identifier corresponding to an isolated virtual machine; a first processing unit 43, configured to, when the destination mac address exists in the isolated virtual machine information table, obtain an isolated vlan identifier corresponding to the destination mac address in the isolated virtual machine information table, modify the vlan identifier carried in the packet into the isolated vlan identifier, and send the packet through an internal interface of the packet processing system; a second determining unit 44, configured to determine whether the source mac address exists in the isolated virtual machine information table when the destination mac address does not exist in the isolated virtual machine information table; and a second processing unit 45, configured to, when the source mac address exists in the isolated virtual machine information table, obtain an original vlan id corresponding to the source mac address in the isolated virtual machine information table, modify the vlan id carried in the packet into the original vlan id, and send the packet through an external interface of the packet processing system.
The embodiment of the invention solves the problem that the prior art can not realize the isolation and protection of the communication between the virtual machines in the same port group, and realizes the isolation and protection of the communication between the virtual machines in the same port group under the condition of not depending on a cloud computing platform.
Further, the second determining unit is further configured to obtain a receiving interface of the packet when the destination mac address does not exist in the isolated virtual machine information table; judging whether the receiving interface is the internal interface or not; and when the receiving interface is the internal interface, judging whether the source mac address exists in the isolated virtual machine information table.
Further, the second determining unit is further configured to discard the packet when the receiving interface is not the internal interface.
Furthermore, the internal interface of the message processing system is connected with a first virtual switch, the external interface of the message processing system is connected with a second virtual switch, the second virtual switch is connected with the physical switch, the first virtual switch is connected with the isolated virtual machine, and the second virtual switch is connected with the non-isolated virtual machine.
For the specific implementation of the message processing system in the embodiment of the present invention, reference may be made to the implementation of the message processing method in the above embodiment. The message processing system in the embodiment of the present invention may be applied to NFV (Network Function Virtualization) products such as a virtual IPS (Intrusion Prevention System) and a virtual WAF (Web Application Firewall).
Correspondingly, an embodiment of the present invention further provides a storage medium storing instructions which, when run on a computer, cause the computer to execute the message processing method according to the foregoing embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (8)
1. A message processing method, applied to a message processing system in which a virtual switch connected to an isolated virtual machine is connected to an internal interface of the message processing system, a virtual switch connected to a non-isolated virtual machine is connected to an external interface of the message processing system, and the virtual switch connected to the non-isolated virtual machine is connected to a physical switch through a physical port, the method comprising:
acquiring a message and extracting the destination MAC address and the source MAC address from the message;
judging whether the destination MAC address exists in an isolated virtual machine information table, wherein the isolated virtual machine information table comprises, for each isolated virtual machine, its MAC address, an original VLAN identifier and an isolation VLAN identifier;
when the destination MAC address exists in the isolated virtual machine information table, acquiring the isolation VLAN identifier corresponding to the destination MAC address from the isolated virtual machine information table, modifying the VLAN identifier carried by the message to the isolation VLAN identifier, and sending the message through the internal interface of the message processing system;
when the destination MAC address does not exist in the isolated virtual machine information table, judging whether the source MAC address exists in the isolated virtual machine information table; and
when the source MAC address exists in the isolated virtual machine information table, acquiring the original VLAN identifier corresponding to the source MAC address from the isolated virtual machine information table, modifying the VLAN identifier carried by the message to the original VLAN identifier, and sending the message through the external interface of the message processing system.
2. The method of claim 1, wherein, when the destination MAC address does not exist in the isolated virtual machine information table, judging whether the source MAC address exists in the isolated virtual machine information table comprises:
when the destination MAC address does not exist in the isolated virtual machine information table, acquiring the receiving interface of the message;
judging whether the receiving interface is the internal interface; and
when the receiving interface is the internal interface, judging whether the source MAC address exists in the isolated virtual machine information table.
3. The method of claim 2, further comprising:
when the receiving interface is not the internal interface, discarding the message.
4. A message processing system, in which a virtual switch connected to an isolated virtual machine is connected to an internal interface of the message processing system, a virtual switch connected to a non-isolated virtual machine is connected to an external interface of the message processing system, and the virtual switch connected to the non-isolated virtual machine is connected to a physical switch through a physical port, the system comprising:
an acquisition unit, configured to acquire a message and extract the destination MAC address and the source MAC address from the message;
a first judging unit, configured to judge whether the destination MAC address exists in an isolated virtual machine information table, wherein the isolated virtual machine information table comprises, for each isolated virtual machine, its MAC address, an original VLAN identifier and an isolation VLAN identifier;
a first processing unit, configured to, when the destination MAC address exists in the isolated virtual machine information table, acquire the isolation VLAN identifier corresponding to the destination MAC address from the isolated virtual machine information table, modify the VLAN identifier carried by the message to the isolation VLAN identifier, and send the message through the internal interface of the message processing system;
a second judging unit, configured to judge whether the source MAC address exists in the isolated virtual machine information table when the destination MAC address does not exist in the isolated virtual machine information table; and
a second processing unit, configured to, when the source MAC address exists in the isolated virtual machine information table, acquire the original VLAN identifier corresponding to the source MAC address from the isolated virtual machine information table, modify the VLAN identifier carried by the message to the original VLAN identifier, and send the message through the external interface of the message processing system.
5. The system of claim 4, wherein the second judging unit is further configured to acquire the receiving interface of the message when the destination MAC address does not exist in the isolated virtual machine information table; judge whether the receiving interface is the internal interface; and, when the receiving interface is the internal interface, judge whether the source MAC address exists in the isolated virtual machine information table.
6. The system of claim 5, wherein the second judging unit is further configured to discard the message when the receiving interface is not the internal interface.
7. The system of claim 4, wherein the message processing system comprises an internal interface coupled to a first virtual switch and an external interface coupled to a second virtual switch, the second virtual switch being coupled to the physical switch, the first virtual switch being coupled to the isolated virtual machine, and the second virtual switch being coupled to the non-isolated virtual machine.
8. A storage medium having stored therein instructions which, when run on a computer, cause the computer to execute the message processing method according to any one of claims 1 to 3.
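The decision procedure of claims 1 to 7, written out as an added example over raw Ethernet frames (this is editorial example code, not code from the patent or its applicant). The MAC addresses, VLAN identifiers and table contents are constructed for illustration; two further points are assumptions the claims do not state: an untagged frame gets an 802.1Q tag inserted when its VLAN is "modified", and a frame the claims leave uncovered (received on the internal interface from a source MAC that is not in the table) is dropped rather than forwarded.

```python
"""Added example: the VLAN-rewriting isolation procedure of claims 1-7 over raw Ethernet frames.

Assumptions not in the patent: the MAC addresses, VLAN IDs and table contents below; that an
untagged frame gets an 802.1Q tag inserted; and that a frame the claims do not cover (received
on the internal interface from a source MAC that is not in the table) is dropped.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100          # TPID that marks an 802.1Q tag
INTERNAL, EXTERNAL, DROP = "internal", "external", "drop"


@dataclass(frozen=True)
class IsolationEntry:
    original_vlan: int    # VLAN the VM used before isolation (restored on egress)
    isolation_vlan: int   # VLAN the VM is confined to while isolated


# Constructed sample isolated-VM information table (hypothetical MACs and VLAN IDs).
ISOLATION_TABLE: Dict[bytes, IsolationEntry] = {
    bytes.fromhex("02aabbcc0001"): IsolationEntry(original_vlan=100, isolation_vlan=4001),
    bytes.fromhex("02aabbcc0002"): IsolationEntry(original_vlan=200, isolation_vlan=4002),
}


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], ethertype: int, payload: bytes) -> bytes:
    """Construct an Ethernet frame, tagged (PCP/DEI = 0) when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int]]:
    """Return (dst MAC, src MAC, VLAN ID or None) after bounds-checking the headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return dst, src, tci & 0x0FFF


def set_vlan(frame: bytes, vlan: int) -> bytes:
    """Copy of frame with its VLAN ID set to vlan. PCP/DEI bits of an existing tag are kept;
    a tag is inserted if the frame was untagged (assumption, see module docstring)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return frame[:14] + struct.pack("!H", (tci & 0xF000) | (vlan & 0x0FFF)) + frame[16:]
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) + frame[12:]


def process(frame: bytes, rx_interface: str,
            table: Dict[bytes, IsolationEntry] = ISOLATION_TABLE) -> Tuple[str, Optional[bytes]]:
    """Decision procedure of claims 1-3: returns (egress interface or DROP, rewritten frame)."""
    dst, src, _ = parse_frame(frame)
    entry = table.get(dst)
    if entry is not None:
        # Claim 1, first branch: anything addressed to an isolated VM is moved into that
        # VM's isolation VLAN and can only leave through the internal interface.
        return INTERNAL, set_vlan(frame, entry.isolation_vlan)
    if rx_interface != INTERNAL:
        # Claims 2 and 3: a frame from the external side that is not for an isolated VM
        # has no business crossing the system; discard it.
        return DROP, None
    entry = table.get(src)
    if entry is not None:
        # Claim 1, second branch: a frame from an isolated VM is put back into the VM's
        # original VLAN before it reaches the non-isolated side.
        return EXTERNAL, set_vlan(frame, entry.original_vlan)
    # Not covered by the claims: fail closed rather than leak an unknown sender outward.
    return DROP, None


if __name__ == "__main__":
    iso_vm = bytes.fromhex("02aabbcc0001")
    normal_vm = bytes.fromhex("02ddeeff0009")
    ipv4, arp = 0x0800, 0x0806
    for name, frame, rx in [
        ("ext -> isolated", build_frame(iso_vm, normal_vm, 100, ipv4, b"\x45" + b"\0" * 19), EXTERNAL),
        ("isolated -> ext (untagged)", build_frame(normal_vm, iso_vm, None, arp, b"\0" * 28), INTERNAL),
        ("ext -> ext", build_frame(normal_vm, bytes.fromhex("02ddeeff000a"), 100, ipv4, b"\0" * 20), EXTERNAL),
    ]:
        egress, out = process(frame, rx)
        vid = parse_frame(out)[2] if out else None
        print(f"{name:28s} rx={rx:8s} -> egress={egress:8s} vlan={vid}")
```

Two properties of the claimed ordering are worth noticing when running this. The destination lookup is done first and claim 3 discards every other frame arriving on the external interface, so no frame from the non-isolated side, including a broadcast whose destination is not in the table, can reach the isolation VLAN; a broadcast sent by an isolated VM, by contrast, matches the second branch and is forwarded outward in the original VLAN. Both lookups key on MAC addresses alone, so the boundary is only as reliable as the table's currency and the MAC anti-spoofing enforced on the VM ports of the virtual switches; in this example an isolated VM that changes its source MAC has its frames dropped rather than forwarded, which is the assumed fail-closed default, not behaviour the claims specify.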
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811376448.8A CN109525582B (en) | 2018-11-19 | 2018-11-19 | Message processing method, system and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811376448.8A CN109525582B (en) | 2018-11-19 | 2018-11-19 | Message processing method, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109525582A CN109525582A (en) | 2019-03-26 |
CN109525582B true CN109525582B (en) | 2021-07-30 |
Family
ID=65776223
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811376448.8A Active CN109525582B (en) | 2018-11-19 | 2018-11-19 | Message processing method, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109525582B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110602110A (en) * | 2019-09-18 | 2019-12-20 | 深圳市信锐网科技术有限公司 | Method, device, equipment and storage medium for isolating ports of whole network |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101222497A (en) * | 2007-01-11 | 2008-07-16 | 国际商业机器公司 | System and method for virtualized resource configuration |
CN101329639A (en) * | 2008-07-24 | 2008-12-24 | 武汉理工大学 | Method for implementing application program sharing under graticule manufacturing environment |
CN107395508A (en) * | 2016-05-17 | 2017-11-24 | 华为技术有限公司 | The method and apparatus to E-Packet |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9178715B2 (en) * | 2012-10-01 | 2015-11-03 | International Business Machines Corporation | Providing services to virtual overlay network traffic |
Timeline: 2018-11-19 CN CN201811376448.8A patent/CN109525582B/en, status Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101222497A (en) * | 2007-01-11 | 2008-07-16 | 国际商业机器公司 | System and method for virtualized resource configuration |
CN101329639A (en) * | 2008-07-24 | 2008-12-24 | 武汉理工大学 | Method for implementing application program sharing under graticule manufacturing environment |
CN107395508A (en) * | 2016-05-17 | 2017-11-24 | 华为技术有限公司 | The method and apparatus to E-Packet |
Also Published As
Publication number | Publication date |
---|---|
CN109525582A (en) | 2019-03-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109361608B (en) | Message processing method, system and storage medium | |
US10871981B2 (en) | Performing logical network functionality within data compute nodes | |
US11374899B2 (en) | Managing network connectivity between cloud computing service endpoints and virtual machines | |
EP3437259B1 (en) | Interworking between physical network and virtual network | |
WO2017100365A1 (en) | Directing data traffic between intra-server virtual machines | |
WO2018017336A1 (en) | Scaling service discovery in a micro-service environment | |
CN113326228B (en) | Message forwarding method, device and equipment based on remote direct data storage | |
US9674080B2 (en) | Proxy for port to service instance mapping | |
US10122548B2 (en) | Services execution | |
US10567344B2 (en) | Automatic firewall configuration based on aggregated cloud managed information | |
CN113326101B (en) | Thermal migration method, device and equipment based on remote direct data storage | |
EP3821589B1 (en) | Session management in a forwarding plane | |
US10153918B2 (en) | Joining an application cluster | |
CN108092923B (en) | Message processing method and device based on SR-IOV | |
CN109525582B (en) | Message processing method, system and storage medium | |
CN112839052B (en) | Virtual network security protection system, method, server and readable storage medium | |
CN108810183B (en) | Method and device for processing conflicting MAC addresses and machine-readable storage medium | |
US9912729B2 (en) | Encapsulation scheme for cloud computing environment | |
CN107493234B (en) | Message processing method and device based on virtual network bridge | |
CN114765567B (en) | Communication method and communication system | |
CN104683240A (en) | Method and device for processing data stream | |
US11115337B2 (en) | Network traffic segregation on an application basis in a virtual computing environment | |
US20180241670A1 (en) | Software switch for providing network function and operation method thereof | |
CN116319354B (en) | Network topology updating method based on cloud instance migration | |
CN117792982A (en) | Message forwarding method, message publishing method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | | Address after: Room C202, floor 2, building 1, No. 12, Shangdi Information Road, Haidian District, Beijing 100085; Applicant after: Beijing Liufang cloud Information Technology Co., Ltd; BEIJING 6CLOUD TECHNOLOGY Co.,Ltd. Address before: 100085 Beijing Haidian District Information Road No. 7 3 Floor 18-1-3017, 18-1-3018; Applicant before: BEIJING LIUFANG LING'AN NETWORK TECHNOLOGY Co.,Ltd.; BEIJING 6CLOUD TECHNOLOGY Co.,Ltd. |
GR01 | Patent grant | ||