CN111371666B - Method, device and system for processing message - Google Patents

Info

Publication number: CN111371666B
Authority: CN (China)
Prior art keywords: vxlan, network device, port number, message, address
Legal status: Active
Application number: CN201811602656.5A
Other languages: Chinese (zh)
Other versions: CN111371666A (en)
Inventors: 高远, 曾万梅, 高军
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201811602656.5A (CN111371666B)
Priority to PCT/CN2019/127718 (WO2020135381A1)
Publication of CN111371666A
Application granted
Publication of CN111371666B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/70 Admission control; Resource allocation
    • H04L47/82 Miscellaneous aspects
    • H04L47/825 Involving tunnels, e.g. MPLS
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method, a device, and a system for processing a message are provided. In the method, a first network device sends a first VXLAN message to a second network device through a NAT device, where the first VXLAN message comprises a first destination port number and a first source port number. The first network device receives, through a VXLAN tunnel, a fourth VXLAN message sent by the NAT device, where the value of a fourth destination port number included in the fourth VXLAN message is equal to the value of the first source port number. After determining that the fourth destination port number is the same as the first source port number, the first network device processes the fourth VXLAN message according to the VXLAN protocol.

Description

Method, device and system for processing message
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, a device, and a system for processing a packet.
Background
Virtual extensible local area network (VXLAN) is a technology for encapsulating Layer 2 messages by using a Layer 3 protocol. VXLAN uses messages in MAC-in-UDP format. Specifically, an Ethernet frame based on the Media Access Control (MAC) protocol is encapsulated in a User Datagram Protocol (UDP) message, and the UDP message is in turn encapsulated in an Internet Protocol (IP) packet. IP packets can be transported over a Layer 3 network, so Ethernet frames are thereby transported over a Layer 3 network. VXLAN identifies VXLAN network segments using a VXLAN Network Identifier (VNI). Different VXLAN network segments correspond to different VNIs and are isolated from one another. Two Virtual Machines (VMs) within the same VNI can communicate directly; that is, they do not need to communicate via a VXLAN Layer 3 gateway. Two VMs located in different VNIs need to communicate via a VXLAN Layer 3 gateway. The VNI field contains 24 bits. An administrative domain may contain up to 2^16 VXLAN segments.
A VXLAN Tunnel End Point (VTEP) device is an edge device in a VXLAN. A VTEP device transmits VXLAN traffic through a VXLAN tunnel. A VXLAN tunnel is a point-to-point logical tunnel between two VTEP devices.
In practical applications, a Network Address Translation (NAT) device may sit on the VXLAN tunnel between a first VTEP device located in a private network and a second VTEP device located in a public network. When the second VTEP device sends a VXLAN message to the first VTEP device through the NAT device, the NAT device may produce a network address translation error, so that the first VTEP device cannot receive the VXLAN message.
Disclosure of Invention
In a VXLAN, when a second network device located in a public network sends VXLAN traffic to a first network device located in a private network, the second network device changes the destination port number of the VXLAN traffic. This ensures that a NAT device on the transmission path of the VXLAN traffic does not produce a network address translation error, and therefore that the first network device can receive the VXLAN traffic.
The technical solutions provided by the embodiments of this application are as follows.
In a first aspect, a method for processing a packet is provided. In the method, a first network device sends a first VXLAN packet to a second network device via a NAT device, where the first VXLAN packet includes a first destination port number and a first source port number, the first destination port number indicates that the first VXLAN packet is a VXLAN packet, and the first source port number indicates the port of the first network device from which the first network device sends VXLAN packets. The first network device receives, through a VXLAN tunnel, a fourth VXLAN packet sent by the NAT device, where the fourth VXLAN packet includes a fourth destination port number, the value of the fourth destination port number is equal to the value of the first source port number, and the fourth destination port number is the destination port number of the fourth VXLAN packet. The first network device then determines that the fourth destination port number in the fourth VXLAN packet is the same as the first source port number, and processes the fourth VXLAN packet according to the VXLAN protocol.
Based on the solution provided by the embodiment, in VXLAN, the NAT device between the second network device and the first network device can complete the translation of VXLAN traffic from the public network to the private network, thereby ensuring that the first network device can receive VXLAN traffic sent by the second network device.
Optionally, the first VXLAN packet further includes an NAT tag, where the NAT tag indicates that the VXLAN packet sent by the first network device passes through the NAT device.
Optionally, the first VXLAN packet further includes a VXLAN header, and the VXLAN header includes the NAT tag.
Optionally, the first VXLAN packet further includes a first source IP address and a first destination IP address, where the first source IP address indicates an IP address of the first network device, and the first destination IP address indicates an IP address of the second network device.
Optionally, the fourth VXLAN packet further includes a fourth source IP address and a fourth destination IP address, where the fourth source IP address indicates the IP address of the second network device, and the fourth destination IP address indicates the IP address of the first network device.
In a second aspect, a method for processing a packet is provided. In the method, a second network device receives a second VXLAN packet sent by a NAT device, where the second VXLAN packet includes a second destination port number and a second source port number, the second destination port number indicates that the second VXLAN packet is a VXLAN packet, and the second source port number indicates a port of the NAT device. The second network device then establishes a VXLAN tunnel between the NAT device and the second network device according to the second destination port number in the second VXLAN packet. The second network device sends a third VXLAN packet to the NAT device via the VXLAN tunnel, where the third VXLAN packet includes a third destination port number, the value of the third destination port number is equal to the value of the second source port number, and the third destination port number is the destination port number of the third VXLAN packet.
Based on the solution provided by the embodiment, in VXLAN, the NAT device between the second network device and the first network device can complete the translation of VXLAN traffic from the public network to the private network, thereby ensuring that the first network device can receive VXLAN traffic sent by the second network device.
In one possible implementation of the second aspect, the second VXLAN message further includes a NAT tag, where the NAT tag indicates that the VXLAN message passes through the NAT device. Before the second network device sends the third VXLAN message to the NAT device through the VXLAN tunnel, the method further includes: the second network device determines that the second VXLAN message includes the NAT tag, and the second network device determines the second source port number as the third destination port number.
Optionally, the second VXLAN packet further includes a VXLAN header, and the VXLAN header includes the NAT tag.
Optionally, the second VXLAN packet further includes a second source IP address and a second destination IP address, where the second source IP address indicates the IP address of the NAT device, and the second destination IP address indicates the IP address of the second network device.
Optionally, the third VXLAN packet further includes a third source IP address and a third destination IP address, where the third source IP address indicates the IP address of the second network device, and the third destination IP address indicates the IP address of the NAT device.
In a third aspect, a first network device is provided. The first network device has the function of implementing the behavior of the first network device in the foregoing method. The function may be implemented in hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In one possible design, the structure of the first network device includes a processor and an interface. The processor is configured to support the first network device in performing the corresponding functions in the above method. The interface is configured to support communication between the first network device and the second network device, sending information or instructions involved in the above method to the second network device through the NAT device, or receiving information or instructions involved in the above method from the second network device through the NAT device. The first network device may also include a memory, coupled to the processor, that stores the program instructions and data necessary for the first network device.
In another possible design, the first network device includes a processor, a transmitter, a receiver, a random access memory, a read-only memory, and a bus. The processor is coupled to the transmitter, the receiver, the random access memory, and the read-only memory through the bus. When the first network device needs to run, it is booted into a normal operating state by the basic input/output system fixed in the read-only memory or by the bootloader of an embedded system. After the first network device enters the normal operating state, the application program and the operating system run in the random access memory, so that the processor performs the method of the first aspect or any possible implementation of the first aspect.
In a fourth aspect, a first network device is provided. The first network device includes a main control board and an interface board, and may further include a switching network board. The first network device is configured to perform the method of the first aspect or any possible implementation of the first aspect. Specifically, the first network device includes means for performing the method of the first aspect or any possible implementation of the first aspect.
In a fifth aspect, a first network device is provided that includes a controller and a first forwarding sub-device. The first forwarding sub-device includes an interface board and may further include a switching network board. The first forwarding sub-device is configured to perform the function of the interface board in the fourth aspect and may further perform the function of the switching network board in the fourth aspect. The controller includes a receiver, a processor, a transmitter, a random access memory, a read-only memory, and a bus. The processor is coupled to the receiver, the transmitter, the random access memory, and the read-only memory through the bus. When the controller needs to run, it is booted into a normal operating state by the basic input/output system fixed in the read-only memory or by the bootloader of an embedded system. After the controller enters the normal operating state, the application program and the operating system run in the random access memory, so that the processor performs the functions of the main control board in the fourth aspect.
In a sixth aspect, a computer storage medium is provided for storing a program, code or instructions for the first network device, which when executed by a processor or hardware device, performs the functions or steps of the first network device in the above aspects.
In a seventh aspect, a second network device is provided. The second network device has the function of implementing the behavior of the second network device in the foregoing method. The function may be implemented in hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In one possible design, the structure of the second network device includes a processor and an interface. The processor is configured to support the second network device in performing the corresponding functions in the above method. The interface is configured to support communication between the second network device and the NAT device, sending information or instructions involved in the above method to the NAT device, or receiving information or instructions involved in the above method from the NAT device. The second network device may also include a memory, coupled to the processor, that stores the program instructions and data necessary for the second network device.
In another possible design, the second network device includes a processor, a transmitter, a receiver, a random access memory, a read-only memory, and a bus. The processor is coupled to the transmitter, the receiver, the random access memory, and the read-only memory through the bus. When the second network device needs to run, it is booted into a normal operating state by the basic input/output system fixed in the read-only memory or by the bootloader of an embedded system. After the second network device enters the normal operating state, the application program and the operating system run in the random access memory, so that the processor performs the method of the second aspect or any possible implementation of the second aspect.
In an eighth aspect, a second network device is provided. The second network device includes a main control board and an interface board, and may further include a switching network board. The second network device is configured to perform the method of the second aspect or any possible implementation of the second aspect. Specifically, the second network device includes means for performing the method of the second aspect or any possible implementation of the second aspect.
In a ninth aspect, a second network device is provided that includes a controller and a second forwarding sub-device. The second forwarding sub-device includes an interface board and may further include a switching network board. The second forwarding sub-device is configured to perform the function of the interface board in the eighth aspect and may further perform the function of the switching network board in the eighth aspect. The controller includes a receiver, a processor, a transmitter, a random access memory, a read-only memory, and a bus. The processor is coupled to the receiver, the transmitter, the random access memory, and the read-only memory through the bus. When the controller needs to run, it is booted into a normal operating state by the basic input/output system fixed in the read-only memory or by the bootloader of an embedded system. After the controller enters the normal operating state, the application program and the operating system run in the random access memory, so that the processor performs the functions of the main control board in the eighth aspect.
In a tenth aspect, a computer storage medium is provided for storing programs, codes or instructions for the second network device, which can be executed by a processor or a hardware device to perform the functions or steps of the second network device in the above aspects.
An eleventh aspect provides a system for processing a packet, where the system includes a first network device and a second network device, where the first network device is the first network device in the third aspect, the fourth aspect, or the fifth aspect, and the second network device is the second network device in the seventh aspect, the eighth aspect, or the ninth aspect.
With the above solutions, the embodiments of this application provide a method, a device, and a system for processing data traffic. When the method is applied in a VXLAN scenario, a second network device located in a public network changes the destination port number of VXLAN traffic when sending the VXLAN traffic to a first network device located in a private network. This ensures that a NAT device on the transmission path of the VXLAN traffic does not produce a network address translation error, so that the first network device can receive the VXLAN traffic.
Drawings
Fig. 1 is a schematic diagram of a VXLAN architecture according to an embodiment of the present application;
Fig. 2 is a schematic diagram of another VXLAN architecture according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for processing a packet according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a first network device according to an embodiment of the present application;
Fig. 5 is a schematic hardware structure diagram of a first network device according to an embodiment of the present application;
Fig. 6 is a schematic hardware structure diagram of another first network device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a second network device according to an embodiment of the present application;
Fig. 8 is a schematic hardware structure diagram of a second network device according to an embodiment of the present application;
Fig. 9 is a schematic hardware structure diagram of another second network device according to an embodiment of the present application.
Detailed Description
The following are detailed descriptions of the respective embodiments.
For the virtual extensible local area network (VXLAN) technology referred to in this application, see Internet Engineering Task Force (IETF) Request For Comments (RFC) 7348, the contents of which are incorporated by reference in this application as if reproduced in their entirety.
For the Network Address Translation (NAT) technology referred to in this application, see IETF RFC 1631, the contents of which are incorporated by reference in this application as if reproduced in their entirety.
Fig. 1 is a schematic diagram of a VXLAN architecture according to an embodiment of the present application. The VXLAN includes a first network device, a second network device, and a NAT device. The first network device is connected to the second network device via a communication link on which the NAT device is located. That is, the communication link is between the first network device and the second network device, and the communication link passes through the NAT device. The first network device is located in a private network of the VXLAN. A private network may also be referred to as an intranet, such as a Local Area Network (LAN) used by an enterprise user or a home user. The second network device is located in a public network of the VXLAN. The public network may also be referred to as an extranet, such as a Wide Area Network (WAN). The NAT device is located between the private network and the public network. The NAT device may perform network address translation on data traffic from the private network and send the translated data traffic to the public network. The NAT device may also perform network address translation on data traffic from the public network and send the translated data traffic to the private network.
In a practical application scenario, the first network device and the second network device may be referred to as Provider Edge (PE) devices; specifically, each may include a router or a Layer 3 switch. In an embodiment of the present application, a VXLAN tunnel may be included between the first network device and the second network device. The first network device and the second network device are located at the two ends of the VXLAN tunnel, and thus may be referred to as VXLAN Tunnel End Point (VTEP) devices. In a VXLAN application scenario, a VTEP device may also be referred to as a Network Virtual Edge (NVE) device. In some application scenarios, a VTEP device is understood as a module integrated in an NVE device. In the present application, unless otherwise specified, a VTEP device is equivalent to an NVE device. The number of first network devices and second network devices is not limited in the present application: there may be a plurality of first network devices and a plurality of second network devices.
The first network device and the second network device may be connected to a Virtual Machine (VM), as shown in fig. 1, the first network device is connected to a first VM, and the second network device is connected to a second VM. Thus, the first network device may receive data traffic (e.g., a first service packet) from the first VM and forward the data traffic to the second network device, or the first network device receives data traffic (e.g., a second service packet) from the second network device and issues the data traffic to the first VM. Similarly, the second network device may perform the same operation, which is not described herein. In particular, the VM may be a router or a switch. In addition, the number of VMs is not limited in the present application, and the first network device or the second network device may be connected to a plurality of VMs. The VM may run in a server. A server may include at least one VM. In one possible implementation, a server may include multiple VMs. Different VMs may belong to different VXLAN segments.
In the network shown in Fig. 1, the first network device receives a first service packet sent by the first VM. The first network device encapsulates the first service packet into a first VXLAN message and sends the first VXLAN message to the second network device. The first VXLAN message may be received by the NAT device on the communication link. The NAT device translates the network address of the first VXLAN message from the private network to the public network and sends the translated first VXLAN message to the second network device, so that the second network device can receive it. Similarly, the second network device may send a third VXLAN message to the first network device, and the NAT device translates the network address of the third VXLAN message from the public network to the private network. As specified in RFC 7348, the value of the destination port number of a VXLAN message is 4789. Specifically, a VXLAN message includes a User Datagram Protocol (UDP) header, and the value of the destination port number in the UDP header is 4789. A network device can determine that a received message is a VXLAN message from the fact that the value of the destination port number in the UDP header is 4789. Thus, under RFC 7348, a fixed and unique UDP destination port number is used to identify VXLAN messages.
Assume that the first VXLAN message is a VXLAN message sent by the first network device before a VXLAN tunnel is established between the first network device and the second network device. The NAT device may establish an address mapping table entry in the outgoing direction and an address mapping table entry in the incoming direction according to the first VXLAN message. The outgoing direction is the direction from the private network to the public network, and the incoming direction is the direction from the public network to the private network. The second network device may establish a VXLAN tunnel between the NAT device and the second network device according to the received first VXLAN message as translated by the NAT device. The VXLAN tunnel is established over the communication link between the first network device and the second network device; that is, the communication link carries the VXLAN tunnel.
After the VXLAN tunnel is established, the second network device may send a third VXLAN message to the NAT device via the VXLAN tunnel. As described above, a VXLAN message needs to carry the fixed and unique UDP destination port number so that the network device receiving the VXLAN message can identify it. For example, the UDP destination port number in the third VXLAN message has the value 4789 so that the network device receiving the third VXLAN message can identify it. After receiving the third VXLAN message, the NAT device translates it using the previously established address mapping table entry in the incoming direction. However, this translation fails: the NAT device cannot find, in the address mapping table entry in the incoming direction, a private-network destination port number and destination Internet Protocol (IP) address corresponding to the third VXLAN message, so the first network device cannot receive the translated third VXLAN message.
The embodiments of this application provide a method, a device, and a system for processing a message. In a VXLAN scenario, a NAT device between a second network device and a first network device can complete the translation of VXLAN traffic from a public network to a private network, thereby ensuring that the first network device can receive VXLAN traffic sent by the second network device. Fig. 2 shows the network scenario of Fig. 1 with an implementation for transmitting VXLAN messages added. As shown in Fig. 2, the first network device receives a first service packet from the first VM and encapsulates the first service packet into a first VXLAN message. The NAT device performs network address translation on the first VXLAN message to obtain a second VXLAN message, and then sends the second VXLAN message to the second network device. In addition, if the VXLAN tunnel between the first network device and the second network device has not been established when the first network device sends the first VXLAN message, the NAT device may establish an address mapping table entry in the outgoing direction and an address mapping table entry in the incoming direction according to the first VXLAN message. After receiving the second VXLAN message, the second network device decapsulates it according to the VXLAN protocol to obtain the first service packet and forwards the first service packet to a second VM. In addition, the second network device may establish a VXLAN tunnel between the NAT device and the second network device according to the second VXLAN message. After the second network device establishes the VXLAN tunnel, it may send VXLAN traffic to the NAT device via the VXLAN tunnel. For example, the second network device receives a second service packet from the second VM and encapsulates the second service packet into a third VXLAN message.
When encapsulating the third VXLAN message, the second network device does not use the fixed and unique destination port number of VXLAN messages (e.g., 4789), but uses the source port number of the second VXLAN message (i.e., the port number of the NAT device facing the second network device) as the destination port number of the third VXLAN message. Thus, when the third VXLAN message reaches the NAT device, the NAT device can translate it using the address mapping table entry in the incoming direction and obtain a fourth VXLAN message. The NAT device sends the fourth VXLAN message to the first network device. After receiving the fourth VXLAN message, the first network device obtains the destination port number in the fourth VXLAN message and determines whether it is equal to the source port number that the first network device uses when sending VXLAN messages. If the two are equal, the first network device may determine that the fourth VXLAN message is a VXLAN message. The first network device can therefore decapsulate the fourth VXLAN message according to the VXLAN protocol to obtain the second service packet. Then, the first network device forwards the second service packet to the second VM. In this application, in one possible implementation, the first service packet and the second service packet are data packets; in another possible implementation, they are control packets, such as Address Resolution Protocol (ARP) packets.
Accordingly, in VXLAN, the first network device and the second network device interact VXLAN traffic via the NAT device, see the description of the following embodiments.
Fig. 3 is a flowchart of a method for processing a packet according to an embodiment of the present application. The method shown in fig. 3 can be applied to the network structure shown in fig. 1 or fig. 2. Specifically, the method is applied to a VXLAN, where the VXLAN includes a first network device, a second network device, and a NAT device, the first network device is connected to the second network device via a communication link, and the NAT device is on the communication link. That is, the communication link is between the first network device and the second network device, and the communication link passes through the NAT device. In this embodiment, the first service packet is an ARP request packet, and the second service packet is an ARP reply packet. The method comprises the following steps:
S101, the first network device sends a first VXLAN message to the second network device through the NAT device, where the first VXLAN message includes a first destination port number and a first source port number, the first destination port number indicates that the first VXLAN message is a VXLAN message, and the first source port number indicates a port of the first network device used for sending the VXLAN message.
As shown in fig. 2, the first network device is connected to a first VM. The first VM may send a first service packet to the first network device. The first service packet includes a first destination Media Access Control (MAC) address, a first source MAC address, and a first payload. Referring to the encapsulation format of the first service packet in fig. 2, the first destination MAC address corresponds to dmac:ffff-ffff-ffff, the first source MAC address corresponds to smac:1-1-1, and the payload corresponds to the first payload. The first service packet is an ARP request packet: dmac:ffff-ffff-ffff represents that the first VM requests to acquire the MAC address of the second VM, smac:1-1-1 represents the MAC address of the first VM, and payload represents the ARP request information. The first service packet may be implemented in an Ethernet frame format.
And the first network equipment receives the first service message and packages the first service message into a first VXLAN message. The first VXLAN message includes a first destination port number and a first source port number. The first destination port number indicates that the first VXLAN packet is a VXLAN packet, and the first source port number indicates a port of the first network device for sending the VXLAN packet. Referring to the encapsulation format of the first VXLAN packet in fig. 2, the first destination port number corresponds to dport:4789, and the first source port number corresponds to sport: 60001. According to the description of the previous embodiment, dport 4789 is used to identify the first VXLAN packet. The first network device fills 4789 in the destination port number field of the UDP header in the first VXLAN message so that the network device receiving the first VXLAN message can recognize that the message is a VXLAN message based on 4789. 60001 indicates that when the first network device sends the first VXLAN packet to the second network device, the value of the first source port number in the first VXLAN packet is set to 60001. Further, 60001 is assigned by the first network device to be specific to VXLAN protocol. That is, when sending the VXLAN packet to the second network device, the first network device uses 60001 as the source port number, and 60001 is not allocated to other protocol packets for use. Further, 60001 is an exemplary value that illustrates the source port number used by the first network device to send a VXLAN message. In practical applications, the first network device may be statically assigned with a value of a source port number used for sending a VXLAN message, or the first network device may automatically obtain a value of a source port number used for sending a VXLAN message through an algorithm. For example, the first network device calculates the information in the VXLAN message using a hash algorithm.
The first VXLAN message may also include a first source IP address and a first destination IP address. The first source IP address is an IP address of the first network device, such as SIP 192.168.10.1 in fig. 2, which indicates that the sending end of the first VXLAN packet is the first network device. The first destination IP address is an IP address of the second network device, such as DIP:10.10.10.2 in fig. 2, which indicates that the receiving end of the first VXLAN packet is the second network device. The first VXLAN packet further includes a VXLAN Network Identifier (VNI), such as VNI:1000 in fig. 2, for identifying a VXLAN network segment.
And after packaging the first service message into the first VXLAN message, the first network equipment sends the first VXLAN message to the second network equipment through the communication link. It should be appreciated that according to VXLAN implementations, after a VXLAN tunnel is established, the first network device and the second network device may transmit VXLAN messages to each other via the VXLAN tunnel. Before the VXLAN tunnel is established, the first network device first sends a VXLAN message to the second network device over a communication link. Since the VXLAN message includes an IP header, the VXLAN message may be transmitted over the communication link and reach the second network device. Then, after receiving the VXLAN message, the second network device may dynamically establish the VXLAN tunnel according to information in the VXLAN message. After the VXLAN tunnel is established, the first network device and the second network device may transmit VXLAN messages to each other on the VXLAN tunnel. In this embodiment of the present application, for convenience of description, the first VXLAN packet is used as a VXLAN packet sent by the first network device before the VXLAN tunnel is established. Wherein the VXLAN tunnel is established over the communication link, that is, the communication link carries the VXLAN tunnel.
S102, the NAT device receives the first VXLAN message sent by the first network device to the second network device.
S103, the NAT equipment converts the first source port number into a second source port number and converts the first source IP address into a second source IP address to obtain a second VXLAN message, wherein the second source port number indicates a port of the NAT equipment, and the second source IP address indicates an IP address of the NAT equipment.
S104, the NAT device sends the second VXLAN message to the second network device.
According to the description of the foregoing embodiment, the first network device is located in a private network, the second network device is located in a public network, and the NAT device is responsible for network address translation from the private network to the public network and network address translation from the public network to the private network. And the NAT equipment receives the first VXLAN message, and performs network address translation on the first VXLAN message to obtain a second VXLAN message.
Referring to fig. 2, for example, the IP address of the NAT device is 10.10.10.1, and the value of the port number of the NAT device is 60002. Here, 10.10.10.1 is the IP address of the NAT device facing the second network device, that is, 10.10.10.1 is the IP address used when sending or receiving a message to or from the public network, and may be referred to as a public network IP address. That is, the IP address of the NAT device is the IP address used by the NAT device in communicating with the second network device. 60002 is the port of the NAT device facing the second network device, that is, 60002 is the port number used when sending or receiving a packet to or from the public network, and may be referred to as a public network port number. That is, the port of the NAT device is the port used by the NAT device when communicating with the second network device. Correspondingly, the first source IP address 192.168.10.1 in the first VXLAN message may be referred to as a private network IP address, and the first source port number 60001 may be referred to as a private network port number. The NAT device establishes an address mapping table entry in the outgoing direction and an address mapping table entry in the ingress direction according to the received first VXLAN message. For example, according to the packet transmission manner shown in fig. 2, the address mapping table entry in the outgoing direction may be represented as 192.168.10.1/60001 → 10.10.10.1/60002, i.e., private network source IP address/private network source port number → public network source IP address/public network source port number; accordingly, the address mapping table entry in the ingress direction may be represented as 10.10.10.1/60002 → 192.168.10.1/60001, i.e., public network destination IP address/public network destination port number → private network destination IP address/private network destination port number.
The public network IP address and the public network port number used by the NAT device may be statically allocated or calculated by the NAT device according to an algorithm. Optionally, the NAT device may be implemented in a network address port translation (NAPT) manner, specifically, in a source network address translation (SNAT) manner.
The NAT device converts the first VXLAN packet into the second VXLAN packet according to the address mapping table entry in the outgoing direction, which is shown in fig. 2. The second VXLAN message includes a second source port number (e.g., sport:60002) and a second source IP address (e.g., SIP: 10.10.10.1). The first destination IP address and the first destination port number in the first VXLAN message remain unchanged, corresponding to a second destination IP address (DIP:10.10.10.2) and the second destination port number (dport:4789) in the second VXLAN message. Correspondingly, the VNI in the first VXLAN message and the first service packet remain unchanged. Therefore, the second VXLAN message should be understood as a VXLAN message obtained by converting the first VXLAN message from a private network to a public network.
After the NAT device converts the first VXLAN message into the second VXLAN message, the NAT device sends the second VXLAN message to the second network device through the communication link.
S105, the second network equipment receives the second VXLAN message sent by the NAT equipment.
After receiving the second VXLAN message, the second network device determines that the second VXLAN message is a VXLAN message because the value of the second destination port number in the second VXLAN message is 4789. The second network device then decapsulates the second VXLAN message according to the VXLAN protocol to obtain the first service message, and forwards the first service message to a second VM.
S106, the second network device establishes a VXLAN tunnel between the NAT device and the second network device according to the second destination port number in the second VXLAN message.
According to the foregoing embodiment, the first VXLAN message may be a VXLAN message sent by the first network device before the VXLAN tunnel is established. Thus, the first VXLAN message may be considered as a request message requesting establishment of a VXLAN tunnel between the first network device and the second network device. Similarly, the translation by the NAT device does not change the function of the first VXLAN packet, and therefore the second VXLAN packet obtained through the translation may also be regarded as a request packet for requesting to establish a VXLAN tunnel between the NAT device and the second network device. The second network device may establish a VXLAN tunnel between the NAT device and the second network device according to the second destination port number in the second VXLAN message. Specifically, the second network device determines that the second VXLAN packet is a VXLAN packet according to the value of the second destination port number being 4789. Then, the second network device takes the second destination IP address in the second VXLAN message as the local VTEP IP address of the VXLAN tunnel, that is, the VTEP IP address of the second network device; the second network device takes the second source IP address in the second VXLAN message as the peer VTEP IP address of the VXLAN tunnel. It should be noted that the second source IP address is the IP address of the NAT device. The second network device does not know the real IP address of the first network device due to the presence of the NAT device. From the perspective of the second network device, the first network device and the NAT device appear as a single integrated device located at the opposite end of the VXLAN tunnel. Thus, to the second network device, the VXLAN tunnel appears to be established between the NAT device and the second network device.
After receiving a VXLAN message sent by the second network device, the NAT device does not identify whether the message is a VXLAN message. The NAT device forwards the message according to its forwarding rule. Correspondingly, after the first network device receives the VXLAN packet sent by the second network device, the first network device determines that the VXLAN tunnel is already established, and the first network device considers that the local VTEP IP address of the VXLAN tunnel is the IP address of the first network device, and the peer VTEP IP address is the IP address of the second network device. Thus, the VXLAN tunnel established by the second network device appears to the first network device to be a VXLAN tunnel between the first network device and the second network device. According to the above, although the second network device establishes the VXLAN tunnel between the NAT device and the second network device, in actual effect the VXLAN tunnel extends to the first network device.
S107, the second network device sends a third VXLAN message to the NAT device through the VXLAN tunnel, where the third VXLAN message includes a third destination port number, the value of the third destination port number is equal to the value of the second source port number, and the third destination port number is the destination port number of the third VXLAN message.
After the second network device establishes the VXLAN tunnel, the second network device may send a VXLAN message through the VXLAN tunnel, thereby implementing VXLAN traffic intercommunication between the first network device and the second network device. Specifically, the second network device may receive a second service packet sent by the second VM, encapsulate the second service packet into the third VXLAN packet, and send the third VXLAN packet to the NAT device. The second service packet may be a data packet. The second service packet may also be a control packet, such as an ARP packet. With reference to the foregoing embodiment, the second service packet is an ARP reply packet as an example.
And after receiving the first service message, the second VM determines that the first service message is an ARP request message. Thus, the second VM generates the second service packet, i.e., the ARP reply packet. The second VM encapsulates its MAC address in the second traffic message as a source MAC address (e.g., smac:2-2-2 of fig. 2), so that the first VM can obtain the MAC address of the second VM.
The second network device does not use the fixed and unique UDP destination port number (e.g., 4789) specified in RFC7348 as the value of the third destination port number of the third VXLAN message in encapsulating the second traffic message into the third VXLAN message. The second network device takes the value of the second source port number in the second VXLAN message (e.g., sport:60002 in fig. 2) as the value of the third destination port number (e.g., dport:60002 in fig. 2). Thus, the third VXLAN message can smoothly pass through the NAT device.
The third VXLAN message also includes a third source IP address indicating an IP address of the second network device (e.g., SIP:10.10.10.2 in fig. 2) and a third destination IP address indicating an IP address of the NAT device (e.g., DIP:10.10.10.1 in fig. 2). The third VXLAN message also includes a third source port number (e.g., sport:60008 in fig. 2). In practical applications, the second network device may be statically assigned a value of a source port number used for sending the VXLAN packet. The second network device may also automatically obtain the value of the source port number used to send the VXLAN message via an algorithm. For example, the second network device calculates the information in the VXLAN message using a hashing algorithm. The second network device may also randomly generate a value for a source port number used to send the VXLAN message. The first VXLAN message also includes a VNI, such as VNI 1000 in fig. 2, for identifying a VXLAN network segment.
After the second network device generates the third VXLAN message, the second network device sends the third VXLAN message to the NAT device through the VXLAN tunnel.
S108, the NAT device receives the third VXLAN message sent by the second network device through the VXLAN tunnel.
S109, the NAT device converts the third destination port number into a fourth destination port number and converts the third destination IP address into a fourth destination IP address to obtain a fourth VXLAN message, where the value of the fourth destination port number is equal to the value of the first source port number, and the value of the fourth destination IP address is equal to the value of the first source IP address.
S110, the NAT device sends the fourth VXLAN message to the first network device through the VXLAN tunnel.
According to the description of the foregoing embodiment, the first network device is located in a private network, the second network device is located in a public network, and the NAT device is responsible for network address translation from the private network to the public network and network address translation from the public network to the private network. And the NAT equipment receives the third VXLAN message, and performs network address translation on the third VXLAN message to obtain a fourth VXLAN message.
Referring to fig. 2, in conjunction with the foregoing embodiment, the address mapping table entry in the ingress direction may be represented as 10.10.10.1/60002 → 192.168.10.1/60001, i.e., public network destination IP address/public network destination port number → private network destination IP address/private network destination port number. The NAT device converts the third VXLAN packet into the fourth VXLAN packet according to the address mapping table entry in the ingress direction, as shown in fig. 2. The fourth VXLAN message includes a fourth destination port number (e.g., dport:60001) and a fourth destination IP address (e.g., DIP:192.168.10.1). The third source IP address and the third source port number in the third VXLAN message remain unchanged, corresponding to a fourth source IP address (SIP:10.10.10.2) and the fourth source port number (sport:60008) in the fourth VXLAN message. Correspondingly, the VNI in the fourth VXLAN message and the second service packet remain unchanged. Therefore, the fourth VXLAN message should be understood as a VXLAN message obtained by converting the third VXLAN message from a public network to a private network.
After the NAT device converts the third VXLAN message into the fourth VXLAN message, the NAT device sends the fourth VXLAN message to the first network device through the VXLAN tunnel.
S111, the first network device receives the fourth VXLAN message sent by the NAT device through the VXLAN tunnel.
S112, the first network device determines that the fourth destination port number in the fourth VXLAN message is the same as the first source port number, and the fourth destination port number is the destination port number of the fourth VXLAN message.
S113, the first network device processes the fourth VXLAN packet according to VXLAN protocol.
According to the previous embodiment, the first source port number corresponds to sport:60001 in FIG. 2. 60001 indicates that when the first network device sends the first VXLAN packet to the second network device, the value of the first source port number in the first VXLAN packet is set to 60001. Further, 60001 is assigned by the first network device to be specific to VXLAN protocol. That is, when sending the VXLAN packet to the second network device, the first network device uses 60001 as the source port number, and 60001 is not allocated to other protocol packets for use. Thus, the first network device stores the value of the first source port number in the memory of the first network device as the source port number that sends the VXLAN packet.
After receiving the fourth VXLAN message, the first network device obtains the fourth destination port number (e.g., dport:60001 in fig. 2) in the fourth VXLAN message. The first network device determines whether the value of the fourth destination port number in the fourth VXLAN message is equal to the value of the first source port number. If the first network device determines that the value of the fourth destination port number in the fourth VXLAN message is equal to the value of the first source port number, the first network device may determine that the received fourth VXLAN message is a VXLAN message. In this way, the first network device can still determine whether the fourth VXLAN message is a VXLAN message when the fourth VXLAN message does not include a fixed and unique UDP destination port number (e.g., 4789). Therefore, the first network equipment can be ensured to receive and identify the VXLAN message sent by the second network equipment, and the intercommunication of the bidirectional VXLAN flow of the first network equipment and the second network equipment is ensured.
And the first network equipment processes the fourth VXLAN message according to VXLAN protocol under the condition that the fourth VXLAN message is determined to be a VXLAN message. Specifically, the first network device decapsulates the fourth VXLAN packet according to a VXLAN protocol to obtain the second service packet. Then, the first network device forwards the second service packet to the first VM. According to the foregoing, the second service packet may be an ARP reply packet, so that the first VM may obtain the MAC address of the second VM from the second service packet.
In the method for processing a packet provided in this embodiment, in a VXLAN scenario, a NAT device is included between the second network device and the first network device. The second network device in the public network, when sending VXLAN traffic to the first network device in the private network, alters the destination port number of the VXLAN traffic; that is, the second network device does not use the fixed and unique UDP destination port number (e.g., 4789), but uses the source port number in the received VXLAN traffic as the UDP destination port number. This ensures that the NAT device on the VXLAN traffic transmission path does not generate a network address translation error, and that the NAT device can complete the translation of VXLAN traffic from the public network to the private network, thereby ensuring that the first network device can receive VXLAN traffic sent by the second network device.
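The exchange S101 to S113 can be traced with the fig. 2 addresses and ports in a small simulation. This is an added illustration, not code from the patent; the class and function names (`Pkt`, `Napt`, `FirstDevice`, `second_device_reply`, `run_exchange`) are hypothetical, and only the outer IP/UDP fields, the VNI and the inner frame are modelled.

```python
from dataclasses import dataclass, replace

VXLAN_PORT = 4789  # fixed UDP destination port from RFC 7348


@dataclass(frozen=True)
class Pkt:
    """Outer IP/UDP fields of a VXLAN message plus the VNI and inner frame."""
    sip: str
    sport: int
    dip: str
    dport: int
    vni: int
    inner: str


class Napt:
    """NAT device holding the outgoing and ingress address mapping entries."""

    def __init__(self, public_ip, first_public_port):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.outgoing = {}  # (private ip, private port) -> (public ip, public port)
        self.ingress = {}   # (public ip, public port) -> (private ip, private port)

    def to_public(self, pkt):
        """S103: rewrite source IP/port, creating both entries on first use."""
        key = (pkt.sip, pkt.sport)
        if key not in self.outgoing:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outgoing[key] = pub
            self.ingress[pub] = key
        sip, sport = self.outgoing[key]
        return replace(pkt, sip=sip, sport=sport)

    def to_private(self, pkt):
        """S109: rewrite destination IP/port; None when no ingress entry matches."""
        hit = self.ingress.get((pkt.dip, pkt.dport))
        if hit is None:
            return None  # the conversion error described for dport 4789
        return replace(pkt, dip=hit[0], dport=hit[1])


class FirstDevice:
    """Private-network VTEP that reserves one UDP source port for VXLAN."""

    def __init__(self, ip, vxlan_sport):
        self.ip = ip
        self.vxlan_sport = vxlan_sport  # stored so replies can be recognised

    def encapsulate(self, peer_ip, vni, inner):
        """S101: dport 4789 marks the message as VXLAN for the peer."""
        return Pkt(self.ip, self.vxlan_sport, peer_ip, VXLAN_PORT, vni, inner)

    def receive(self, pkt):
        """S112/S113: decapsulate only if dport equals the reserved source port."""
        if pkt is None or pkt.dport != self.vxlan_sport:
            return None
        return pkt.inner


def second_device_reply(received, inner, reply_sport, use_learned_port):
    """S107: reply to the tunnel peer; dport is the learned source port or 4789."""
    dport = received.sport if use_learned_port else VXLAN_PORT
    return Pkt(received.dip, reply_sport, received.sip, dport, received.vni, inner)


def run_exchange(use_learned_port):
    """Run the ARP request/reply exchange with the fig. 2 values."""
    first = FirstDevice("192.168.10.1", 60001)
    nat = Napt("10.10.10.1", 60002)
    msg1 = first.encapsulate("10.10.10.2", 1000, "ARP request")
    msg2 = nat.to_public(msg1)
    msg3 = second_device_reply(msg2, "ARP reply", 60008, use_learned_port)
    msg4 = nat.to_private(msg3)
    return msg2, msg3, msg4, first.receive(msg4)


if __name__ == "__main__":
    for learned in (False, True):
        _, msg3, msg4, inner = run_exchange(learned)
        print(f"reply dport={msg3.dport}: translated={msg4 is not None}, delivered={inner}")
```

With `use_learned_port=False` the reply carries dport 4789, no ingress entry matches and nothing reaches the first network device; with `True` the reply is translated to 192.168.10.1/60001 and decapsulated.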
In the foregoing embodiment, the first network device and the second network device may learn, in a static configuration manner, that NAT devices exist on a communication link between the first network device and the second network device. Thus, the first network device and the second network device can process VXLAN traffic in the above-described implementation. In a possible implementation manner, the second network device may not know that the NAT device exists, and may make the second network device know that the NAT device exists on a communication link between the first network device and the second network device by adding identification information to the VXLAN packet.
Optionally, the second VXLAN packet further includes a NAT tag, where the NAT tag indicates that a VXLAN packet sent by the first network device to the second network device passes through the NAT device. Before the second network device sends a third VXLAN packet to the NAT device through the VXLAN tunnel, the method further includes: the second network device determines that the second VXLAN packet includes the NAT tag, and the second network device determines the second source port number as the third destination port number.
Specifically, an NAT flag may be set in the VXLAN packet received by the second network device, where the NAT flag indicates that the VXLAN packet sent by the first network device to the second network device passes through the NAT device. In one possible implementation, the first network device encapsulates the NAT tag in a VXLAN message. For example, the first network device encapsulates the NAT tag in the first VXLAN message. And when the first VXLAN message is converted into the second VXLAN message by the NAT equipment, the NAT mark is kept unchanged. Thus, the second VXLAN message also includes the NAT tag. In another possible implementation manner, the first network device does not encapsulate the NAT tag in the sent VXLAN message, but the NAT device is responsible for encapsulating the NAT tag. Specifically, after receiving the first VXLAN message, the NAT device identifies that the first VXLAN message is a VXLAN message according to a first destination port number (e.g., 4789) in the first VXLAN message. Then, the NAT device encapsulates the NAT tag in the second VXLAN packet during the process of converting the first VXLAN packet into the second VXLAN packet. After receiving the second VXLAN packet, the second network device may determine, according to the NAT tag, that NAT devices exist on a communication link between the first network device and the second network device, so that the second network device implements processing on VXLAN traffic according to the foregoing embodiment of the present application.
The NAT tag is not limited in the encapsulation position in the VXLAN message, and may be encapsulated in the header of VXLAN, or between the header and the payload of VXLAN message, or in the tail of the payload, for example.
Optionally, the second VXLAN packet further includes a VXLAN header, and the VXLAN header includes the NAT tag.
The VXLAN header in the VXLAN message is used to encapsulate the VNI, as specified in RFC 7348. The VXLAN header also includes reserved fields. In one possible implementation, a 1-bit reserved field in the VXLAN header may be configured as the NAT tag. When the NAT flag is set to 1, it is valid and indicates that the VXLAN message sent by the first network device to the second network device passes through the NAT device.
Fig. 4 is a schematic structural diagram of a first network device 1000 according to an embodiment of the present application. The first network device 1000 shown in fig. 4 may perform the corresponding steps performed by the first network device in the methods of the above embodiments. The first network device is deployed in a VXLAN that also includes a second network device and a NAT device. The first network device is connected with the second network device via a communication link, and the NAT device is on the communication link. That is, the communication link is between the first network device and the second network device, and the communication link passes through the NAT device. As shown in fig. 4, the first network device 1000 includes a receiving unit 1002, a processing unit 1004, and a transmitting unit 1006.
The sending unit 1006 is configured to send a first VXLAN message to a second network device through a NAT device, where the first VXLAN message includes a first destination port number and a first source port number, the first destination port number indicates that the first VXLAN message is a VXLAN message, and the first source port number indicates a port of the first network device used for sending the VXLAN message;
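The optional NAT flag and the resulting choice of destination port on the second network device can be sketched as follows. This is an added example, not code from the patent: the 8-byte layout and the I flag (0x08) follow RFC 7348, while the bit used for the NAT flag (`FLAG_NAT = 0x01`) and all function names are assumptions, since the text does not say which reserved bit is used.

```python
import struct

VXLAN_PORT = 4789
FLAG_VNI_VALID = 0x08  # "I" flag defined by RFC 7348
FLAG_NAT = 0x01        # ASSUMPTION: reserved bit picked for this sketch only


def build_vxlan_header(vni, nat_flag=False):
    """Build the 8-byte VXLAN header, optionally with the NAT flag set."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags = FLAG_VNI_VALID | (FLAG_NAT if nat_flag else 0)
    # Word 1: flags (8 bits) + reserved (24 bits); word 2: VNI (24) + reserved (8)
    return struct.pack("!II", flags << 24, vni << 8)


def parse_vxlan_header(data):
    """Return the VNI and NAT flag, rejecting truncated or invalid headers."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", data[:8])
    flags = word1 >> 24
    if not flags & FLAG_VNI_VALID:
        raise ValueError("I flag not set; VNI is not valid")
    return {"vni": word2 >> 8, "nat": bool(flags & FLAG_NAT)}


def nat_mark(header):
    """Variant where the NAT device sets the flag; the VNI bytes are untouched."""
    return bytes([header[0] | FLAG_NAT]) + header[1:]


def reply_dport(received_header, received_sport):
    """Second network device: UDP destination port for traffic sent back."""
    info = parse_vxlan_header(received_header)
    # Flag set: a NAT device is on the path, so reuse the received source port.
    # Flag clear: no NAT indicated, so use the fixed port.
    return received_sport if info["nat"] else VXLAN_PORT


if __name__ == "__main__":
    plain = build_vxlan_header(1000)
    marked = nat_mark(plain)
    print(plain.hex(), reply_dport(plain, 60002))
    print(marked.hex(), reply_dport(marked, 60002))
```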
the receiving unit 1002 is configured to receive a fourth VXLAN packet sent by the NAT device through a VXLAN tunnel, where the fourth VXLAN packet includes a fourth destination port number, a value of the fourth destination port number is equal to a value of the first source port number, and the fourth destination port number is a destination port number of the fourth VXLAN packet;
a processing unit 1004 configured to determine that the fourth destination port number in the fourth VXLAN message is the same as the first source port number;
the processing unit 1004 is further configured to process the fourth VXLAN message according to VXLAN protocol.
Optionally, the first VXLAN packet further includes an NAT tag, where the NAT tag indicates that the VXLAN packet sent by the sending unit 1006 passes through the NAT device.
Optionally, the first VXLAN packet further includes a VXLAN header, and the VXLAN header includes the NAT tag.
Optionally, the first VXLAN packet further includes a first source IP address and a first destination IP address, where the first source IP address indicates an IP address of the first network device, and the first destination IP address indicates an IP address of the second network device.
Optionally, the fourth VXLAN packet further includes a fourth source IP address and a fourth destination IP address, where the fourth source IP address indicates the IP address of the second network device, and the fourth destination IP address indicates the IP address of the first network device.
The first network device shown in fig. 4 may perform the corresponding steps performed by the first network device in the methods of the above embodiments. When the method is applied to a VXLAN scenario, the NAT device between the second network device and the first network device can translate VXLAN traffic from the public network to the private network, so that the first network device can receive the VXLAN traffic sent by the second network device.
Fig. 5 is a schematic hardware structure diagram of a first network device 1100 according to an embodiment of the present application. The first network device 1100 shown in fig. 5 may perform the corresponding steps performed by the first network device in the methods of the above embodiments.
As shown in fig. 5, the first network device 1100 includes a processor 1101, a memory 1102, an interface 1103, and a bus 1104. The interface 1103 may be implemented by a wireless or wired method, and specifically may be a network card. The processor 1101, memory 1102 and interface 1103 are connected by a bus 1104.
The interface 1103 may specifically include a transmitter and a receiver, and is used for transmitting and receiving information between the first network device and the NAT device and the second network device in the above embodiments. For example, the interface 1103 is configured to support sending a VXLAN message to the second network device via the NAT device, and to support receiving the VXLAN message sent by the NAT device. By way of example, the interface 1103 is used to support the processes S101 and S111 in fig. 3. The processor 1101 is configured to execute the processing performed by the first network device in the above embodiment. For example, the processor 1101 is configured to compare a destination port number included in the received VXLAN message with a source port number stored locally by the first network device; to process the received VXLAN message; and/or to perform other processes for the techniques described herein. By way of example, the processor 1101 is configured to support the processes S112 and S113 in fig. 3. The memory 1102 includes an operating system 11021 and application programs 11022 for storing programs, code, or instructions that, when executed by a processor or hardware device, may perform the processes of the method embodiments involving the first network device. Alternatively, the memory 1102 may include a Read-only Memory (ROM) and a Random Access Memory (RAM). The ROM comprises a Basic Input/Output System (BIOS) or an embedded system; the RAM includes an application program and an operating system. When the first network device 1100 needs to run, the system is booted through the BIOS solidified in the ROM or through the bootloader in the embedded system, which brings the first network device 1100 into a normal operation state. After the first network device 1100 enters the normal operation state, the application program and the operating system in the RAM are run, thereby completing the processing procedures related to the first network device in the method embodiment.
It is to be appreciated that fig. 5 shows only a simplified design of the first network device 1100. In practical applications, the first network device may comprise any number of interfaces, processors or memories.
Fig. 6 is a schematic hardware structure diagram of another first network device 1200 according to an embodiment of the present application. The first network device 1200 shown in fig. 6 may perform the corresponding steps performed by the first network device in the methods of the above embodiments.
As illustrated in fig. 6, the first network device 1200 includes: a main control board 1210, an interface board 1230, a switch board 1220 and an interface board 1240. The main control board 1210, the interface boards 1230 and 1240, and the switch board 1220 are connected to the system backplane through the system bus to realize intercommunication. The main control board 1210 is used to complete functions such as system management, device maintenance, and protocol processing. The switch board 1220 is used for completing data exchange between interface boards (interface boards are also called line cards or service boards). Interface boards 1230 and 1240 are used to provide various service interfaces (e.g., POS interface, GE interface, ATM interface, etc.) and to enable forwarding of data packets.
Interface board 1230 may include a central processor 1231, a forwarding entry store 1234, a physical interface card 1233, and a network processor 1232. The central processor 1231 is used for controlling and managing the interface board and communicating with the central processor on the main control board. The forwarding entry store 1234 is used to store forwarding table entries. The physical interface card 1233 is used to complete the reception and transmission of traffic. The network processor 1232 is configured to control the physical interface card 1233 to transmit and receive traffic according to the forwarding table entries.
Specifically, the physical interface card 1233 is configured to send a VXLAN packet to the second network device through the NAT device, and receive the VXLAN packet sent by the NAT device.
Central processor 1211 is configured to compare a destination port number included in the received VXLAN packet with a source port number stored locally in the first network device.
Central processor 1211 is also for processing the received VXLAN message.
After receiving the VXLAN message, the physical interface card 1233 sends the VXLAN message to the central processor 1211 via the central processor 1231, and the central processor 1211 processes the VXLAN message.
The central processor 1231 is further configured to control the network processor 1232 to obtain the forwarding entries in the forwarding entry store 1234, and to control the network processor 1232 to complete the receiving and sending of traffic via the physical interface card 1233.
It should be understood that the operations of the interface board 1240 in the embodiment of the present invention are the same as the operations of the interface board 1230, and therefore, for brevity, the description is omitted. It should be understood that the first network device 1200 of the present embodiment may correspond to the functions and/or various steps of the foregoing method embodiments, which are not described herein again.
In addition, it should be noted that there may be one or more main control boards, and when there are multiple main control boards, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the first network device, the more interface boards are provided. There may also be one or more physical interface cards on an interface board. There may be no switching network board, or there may be one or more; when there are multiple switching network boards, they can jointly implement load sharing and redundancy backup. Under the centralized forwarding architecture, the first network device may not need the switching network board, and the interface board undertakes the processing function of the service data of the whole system. Under the distributed forwarding architecture, the first network device may have at least one switching network board, and data exchange between the plurality of interface boards is realized through the switching network board, so as to provide large-capacity data exchange and processing capability. Therefore, the data access and processing capabilities of the first network device of the distributed architecture are greater than those of the centralized architecture. Which architecture is specifically adopted depends on the specific networking deployment scenario, and is not limited herein.
Fig. 7 is a schematic structural diagram of a second network device 2000 according to an embodiment of the present application. The second network device 2000 shown in fig. 7 may perform the corresponding steps performed by the second network device in the methods of the above embodiments. The second network device is deployed in a VXLAN that also includes a first network device and a NAT device. The first network device is connected to the second network device via a communication link on which the NAT device is located. That is, the communication link is between the first network device and the second network device, and the communication link passes through the NAT device. As shown in fig. 7, the second network device 2000 includes a receiving unit 2002, a processing unit 2004, and a sending unit 2006.
The receiving unit 2002 is configured to receive a second VXLAN message sent by the NAT device, where the second VXLAN message includes a second destination port number and a second source port number, the second destination port number indicates that the second VXLAN message is a VXLAN message, and the second source port number indicates a port of the NAT device;
the processing unit 2004 is configured to establish a VXLAN tunnel between the NAT device and the second network device according to the second destination port number in the second VXLAN message;
the sending unit 2006 is configured to send a third VXLAN packet to the NAT device through the VXLAN tunnel, where the third VXLAN packet includes a third destination port number, a value of the third destination port number is equal to a value of the second source port number, and the third destination port number is a destination port number of the third VXLAN packet.
Optionally, the second VXLAN packet further includes an NAT tag, where the NAT tag indicates that the VXLAN packet passes through the NAT device, and the processing unit 2004 is further configured to determine that the second VXLAN packet includes the NAT tag; the processing unit 2004 is further configured to determine the second source port number as the third destination port number.
Optionally, the second VXLAN packet further includes a VXLAN header, and the VXLAN header includes the NAT tag.
Optionally, the second VXLAN packet further includes a second source IP address and a second destination IP address, where the second source IP address indicates the IP address of the NAT device, and the second destination IP address indicates the IP address of the second network device.
Optionally, the third VXLAN packet further includes a third source IP address and a third destination IP address, where the third source IP address indicates the IP address of the second network device, and the third destination IP address indicates the IP address of the NAT device.
The second network device shown in fig. 7 may perform the corresponding steps performed by the second network device in the methods of the above embodiments. When the method is applied to a VXLAN scenario, the NAT device between the second network device and the first network device can translate VXLAN traffic from the public network to the private network, so that the first network device can receive the VXLAN traffic sent by the second network device.
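The four-message exchange described above for the first network device (fig. 4) and the second network device (fig. 7), as an added simulation that is not part of the patent text. The bit used for the NAT tag, the tunnel table keyed by VNI, the sequential NAT port pool, the fallback when no tag is present, and all addresses and ports are assumptions; port 4789 and the 8-byte header layout follow RFC 7348.

```python
import struct
from dataclasses import dataclass, replace

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348)
FLAG_VNI = 0x08    # RFC 7348 "I" flag: the VNI field is valid
FLAG_NAT = 0x01    # ASSUMPTION: reserved bit used here as the NAT tag

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # 8-byte VXLAN header + inner service message

def vxlan_encap(vni, inner, nat_tag):
    flags = FLAG_VNI | (FLAG_NAT if nat_tag else 0)
    return struct.pack("!B3xI", flags, vni << 8) + inner

def vxlan_decap(payload):
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & FLAG_VNI:
        raise ValueError("VNI flag not set")
    return flags, word >> 8, payload[8:]

class FirstDevice:
    """Private-side VTEP behind the NAT device."""
    def __init__(self, ip, src_port):
        if src_port == VXLAN_PORT:
            raise ValueError("source port must differ from destination port")
        self.ip, self.src_port = ip, src_port  # port reserved for VXLAN

    def send(self, peer_ip, vni, inner):  # builds the first VXLAN message
        return Packet(self.ip, peer_ip, self.src_port, VXLAN_PORT,
                      vxlan_encap(vni, inner, nat_tag=True))

    def receive(self, pkt):  # handles the fourth VXLAN message
        # Treat it as VXLAN only if it targets the locally stored source port.
        if pkt.dst_port != self.src_port:
            return None
        return vxlan_decap(pkt.payload)[2]

class Nat:
    """Port-translating NAT with a constructed, sequential port pool."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.out, self.back = {}, {}

    def outbound(self, pkt):  # first message -> second message
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt):  # third message -> fourth message
        binding = self.back.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or binding is None:
            return None  # no binding for this port: drop
        return replace(pkt, dst_ip=binding[0], dst_port=binding[1])

class SecondDevice:
    """Public-side VTEP that learns the tunnel from the second message."""
    def __init__(self, ip):
        self.ip, self.tunnels = ip, {}  # vni -> (local ip, peer ip, peer port)

    def receive(self, pkt):
        if pkt.dst_port != VXLAN_PORT:
            return None
        flags, vni, inner = vxlan_decap(pkt.payload)
        # NAT tag present: reply to the NAT's translated source port.
        # ASSUMPTION: without the tag, fall back to the standard port.
        peer_port = pkt.src_port if flags & FLAG_NAT else VXLAN_PORT
        self.tunnels[vni] = (pkt.dst_ip, pkt.src_ip, peer_port)
        return inner

    def send(self, vni, inner):  # builds the third VXLAN message
        local_ip, peer_ip, peer_port = self.tunnels[vni]
        # ASSUMPTION: the reply is sourced from the VXLAN port.
        return Packet(local_ip, peer_ip, VXLAN_PORT, peer_port,
                      vxlan_encap(vni, inner, nat_tag=False))

def run_exchange():
    # All addresses, ports and the VNI below are constructed sample values.
    first, nat = FirstDevice("10.0.0.2", 50001), Nat("203.0.113.1")
    second = SecondDevice("198.51.100.7")
    m1 = first.send(second.ip, 5000, b"request")
    m2 = nat.outbound(m1)
    at_second = second.receive(m2)
    m3 = second.send(5000, b"reply")
    m4 = nat.inbound(m3)
    at_first = first.receive(m4)
    return m1, m2, m3, m4, at_second, at_first
```

The port comparison in `FirstDevice.receive` only demultiplexes traffic; it does not authenticate the sender, so a VTEP reachable through a NAT binding still depends on outer-layer filtering or encryption.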
Fig. 8 is a schematic hardware structure diagram of a second network device 2100 according to an embodiment of the present application. The second network device 2100 shown in fig. 8 may perform the corresponding steps performed by the second network device in the methods of the above embodiments.
As shown in fig. 8, the second network device 2100 includes a processor 2101, a memory 2102, an interface 2103, and a bus 2104. The interface 2103 may be implemented by a wireless or wired method, and specifically may be a network card. The processor 2101, memory 2102 and interface 2103 described above are connected by a bus 2104.
The interface 2103 may specifically include a transmitter and a receiver, which are used for transmitting and receiving information between the second network device and the first network device and the NAT device in the above embodiments. For example, the interface 2103 is used to support sending a VXLAN message to the NAT device, and is also used to support receiving a VXLAN message from the NAT device. By way of example, the interface 2103 is used to support the processes S105 and S107 in fig. 3. The processor 2101 is configured to perform the processing performed by the second network device in the above-described embodiments. For example, the processor 2101 is configured to establish a VXLAN tunnel; and/or to perform other processes for the techniques described herein. By way of example, the processor 2101 is configured to support the process S106 of fig. 3. The memory 2102 includes an operating system 21021 and application programs 21022 for storing programs, code or instructions which, when executed by a processor or hardware device, may perform the processes of the method embodiments involving the second network device. Alternatively, the memory 2102 may include a Read-only Memory (ROM) and a Random Access Memory (RAM). The ROM comprises a Basic Input/Output System (BIOS) or an embedded system; the RAM includes an application program and an operating system. When the second network device 2100 needs to run, the system is booted through the BIOS solidified in the ROM or through the bootloader in the embedded system, which brings the second network device 2100 into a normal operation state. After the second network device 2100 enters the normal operation state, the application program and the operating system in the RAM are run, thereby completing the processing procedures related to the second network device in the method embodiment.
It is to be appreciated that fig. 8 only shows a simplified design of the second network device 2100. In practical applications, the second network device may comprise any number of interfaces, processors or memories.
Fig. 9 is a schematic hardware structure diagram of another second network device 2200 according to an embodiment of the present application. The second network device 2200 shown in fig. 9 may perform the corresponding steps performed by the second network device in the methods of the above embodiments.
As illustrated in fig. 9, the second network device 2200 includes: a main control board 2210, an interface board 2230, a switch board 2220 and an interface board 2240. The main control board 2210, the interface boards 2230 and 2240, and the switch board 2220 are connected to the system backplane through the system bus to realize intercommunication. The main control board 2210 is used for performing functions such as system management, device maintenance, and protocol processing. The switch board 2220 is used to complete data exchange between interface boards (also called line cards or service boards). The interface boards 2230 and 2240 are used for providing various service interfaces (e.g., POS interface, GE interface, ATM interface, etc.) and forwarding packets.
Interface board 2230 may include a central processor 2231, a forwarding entry store 2234, a physical interface card 2233, and a network processor 2232. The central processor 2231 is used for controlling and managing the interface board and communicating with the central processor on the main control board. The forwarding entry store 2234 is used for storing forwarding table entries. The physical interface card 2233 is used to complete the reception and transmission of traffic. The network processor 2232 is configured to control the physical interface card 2233 to receive and transmit traffic according to the forwarding table entries.
Specifically, the physical interface card 2233 is configured to receive a VXLAN packet from the NAT device, or send a VXLAN packet to the NAT device.
Central processor 2211 is used to establish the VXLAN tunnel.
Central processor 2211 sends the VXLAN message to physical interface card 2233 via central processor 2231. The physical interface card 2233 sends the VXLAN message to the NAT device.
The central processor 2231 is further configured to control the network processor 2232 to obtain the forwarding entries in the forwarding entry store 2234, and to control the network processor 2232 to complete the receiving and sending of traffic via the physical interface card 2233.
It should be understood that the operations on the interface board 2240 in the embodiment of the present invention are the same as those of the interface board 2230, and therefore, for brevity, the description is omitted. It should be understood that the second network device 2200 of this embodiment may correspond to the functions and/or various steps of the foregoing method embodiments, which are not described herein again.
In addition, it should be noted that there may be one or more main control boards, and when there are multiple main control boards, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the second network device, the more interface boards are provided. There may also be one or more physical interface cards on an interface board. There may be no switching network board, or there may be one or more; when there are multiple switching network boards, they can jointly implement load sharing and redundancy backup. Under the centralized forwarding architecture, the second network device may not need the switching network board, and the interface board undertakes the processing function of the service data of the whole system. Under the distributed forwarding architecture, the second network device may have at least one switching network board, and the switching network board realizes data exchange among the plurality of interface boards, thereby providing large-capacity data exchange and processing capability. Therefore, the data access and processing capabilities of the second network device in the distributed architecture are greater than those of the centralized architecture. Which architecture is specifically adopted depends on the specific networking deployment scenario, and is not limited herein.
In addition, the present application provides a computer storage medium for storing computer software instructions for the first network device, which includes a program designed to execute the method embodiments.
In addition, the present application provides a computer storage medium for storing computer software instructions for the second network device, which includes a program designed to execute the method embodiments.
The embodiment of the present application further includes a system for processing a packet, where the system includes a first network device and a second network device, the first network device is the first network device in fig. 4, or fig. 5, or fig. 6, and the second network device is the second network device in fig. 7, or fig. 8, or fig. 9.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in user equipment. Of course, the processor and the storage medium may reside as discrete components in user equipment.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described herein may be implemented in hardware or a combination of hardware and software. When implemented using a combination of hardware and software, the software may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The above-mentioned embodiments further explain the objects, technical solutions and advantages of the present application in detail. It should be understood that the above description is only illustrative of particular embodiments of the present application.

Claims (20)

1. A method for processing a packet, the method comprising:
a first network device sends a first virtual extensible local area network (VXLAN) message to a second network device through a Network Address Translation (NAT) device, wherein the first VXLAN message is obtained by packaging a first service message sent by a first Virtual Machine (VM) by the first network device and comprises a first destination port number and a first source port number, the first destination port number indicates that the first VXLAN message is a VXLAN message, the first source port number indicates a port used by the first network device for sending the VXLAN message, the first destination port number is different from the first source port number, and the first source port number is allocated to a VXLAN protocol by the first network device;
the first network device receives a fourth VXLAN message sent by the NAT device through a VXLAN tunnel, where the fourth VXLAN message includes a fourth destination port number, a value of the fourth destination port number is equal to a value of the first source port number, and the fourth destination port number is a destination port number of the fourth VXLAN message;
the first network device determining that the fourth destination port number in the fourth VXLAN message is the same as the first source port number;
the first network device processes the fourth VXLAN message according to a VXLAN protocol to acquire a second service message and forwards the second service message to the first VM;
the VXLAN tunnel is automatically established based on a second source port number and a second destination port number in a second VXLAN message after the second network device receives the second VXLAN message requesting to establish the VXLAN tunnel between the first network device and the second network device, and the second VXLAN message is obtained after the NAT device performs network address translation on the first VXLAN message; the second destination port number indicates that the second VXLAN message is a VXLAN message, and the second source port number indicates a port of the NAT device; the second VXLAN message further comprises a NAT tag, and the NAT tag indicates that the VXLAN message passes through the NAT device; the second VXLAN message is also used by the second network device to obtain the first service message by decapsulation and to forward the first service message to a second VM; the second service message is generated by the second VM after receiving the first service message.
2. The method of claim 1, wherein the first VXLAN message further comprises the NAT tag.
3. The method of claim 2, wherein the first VXLAN message further comprises a VXLAN header, the VXLAN header comprising the NAT tag.
4. The method of any of claims 1-3, wherein the first VXLAN message further comprises a first source Internet Protocol (IP) address and a first destination IP address, the first source IP address indicating an IP address of the first network device, the first destination IP address indicating an IP address of the second network device.
5. The method of any of claims 1-3, wherein the fourth VXLAN message further comprises a fourth source IP address and a fourth destination IP address, the fourth source IP address indicating the IP address of the second network device, the fourth destination IP address indicating the IP address of the first network device.
6. A method for processing a packet, the method comprising:
a second network device receives a second virtual extensible local area network (VXLAN) message sent by a Network Address Translation (NAT) device, wherein the second VXLAN message comprises a second destination port number and a second source port number, the second destination port number indicates that the second VXLAN message is a VXLAN message, the second source port number indicates a port of the NAT device, the second VXLAN message is used for requesting to establish a VXLAN tunnel between a first network device and the second network device, the second VXLAN message is obtained after the NAT device performs network address translation on a first VXLAN message sent by the first network device, and the first VXLAN message is obtained by the first network device encapsulating a first service message sent by a first Virtual Machine (VM); the first VXLAN message includes a first destination port number indicating that the first VXLAN message is a VXLAN message and a first source port number indicating a port used by the first network device to send the VXLAN message, where the first destination port number is different from the first source port number, and the first source port number is allocated by the first network device to be dedicated to a VXLAN protocol;
the second network device decapsulates the second VXLAN message to obtain the first service message, forwards the first service message to a second VM, so that the second VM generates a second service message based on the first service message, and sends the second service message to the second network device;
the second network device automatically establishes a VXLAN tunnel between the NAT device and the second network device according to the second source port number and the second destination port number in the second VXLAN message;
the second network device sends a third VXLAN message to the NAT device through the VXLAN tunnel, where the third VXLAN message is a VXLAN message generated by the second network device based on the second service message, and the third VXLAN message includes a third destination port number, a value of the third destination port number is equal to a value of the second source port number, and the third destination port number is a destination port number of the third VXLAN message;
wherein the second VXLAN message further includes an NAT tag, the NAT tag indicates that the VXLAN message passes through the NAT device, and before the second network device sends a third VXLAN message to the NAT device via the VXLAN tunnel, the method further includes:
the second network device determines that the second VXLAN message comprises the NAT tag;
the second network device determines the second source port number as the third destination port number.
7. The method of claim 6, wherein the second VXLAN message further comprises a VXLAN header, the VXLAN header comprising the NAT tag, the NAT tag being encapsulated by the NAT device.
8. The method of claim 6 or 7, wherein the second VXLAN message further comprises a second source Internet Protocol (IP) address and a second destination IP address, the second source IP address indicating the IP address of the NAT device, the second destination IP address indicating the IP address of the second network device;
the second network device establishing a VXLAN tunnel between the NAT device and the second network device according to the second destination port number in the second VXLAN message, including:
determining that the second VXLAN message is a VXLAN message according to the value of the second destination port number;
and taking the second destination IP address as a VTEP IP address of the local end of the VXLAN tunnel, and taking the second source IP address as a VTEP IP address of the opposite end of the VXLAN tunnel.
9. The method of claim 6 or 7, wherein the third VXLAN message further comprises a third source IP address and a third destination IP address, the third source IP address indicating the IP address of the second network device, the third destination IP address indicating the IP address of the NAT device.
10. A first network device, wherein the first network device comprises:
a sender, configured to send a first virtual extensible local area network VXLAN message to a second network device via a network address translation NAT device, where the first VXLAN message is obtained by encapsulating, by the first network device, a first service message sent by a first virtual machine VM, and the first VXLAN message includes a first destination port number and a first source port number, the first destination port number indicates that the first VXLAN message is a VXLAN message, the first source port number indicates a port used by the first network device to send the VXLAN message, the first destination port number is different from the first source port number, and the first source port number is allocated by the first network device to be dedicated to a VXLAN protocol;
a receiver, configured to receive a fourth VXLAN packet sent by the NAT device through a VXLAN tunnel, where the fourth VXLAN packet includes a fourth destination port number, a value of the fourth destination port number is equal to a value of the first source port number, and the fourth destination port number is a destination port number of the fourth VXLAN packet;
a processor configured to determine that the fourth destination port number in the fourth VXLAN message is the same as the first source port number;
the processor is further configured to process the fourth VXLAN message according to a VXLAN protocol to obtain a second service message, and forward the second service message to the first VM;
the VXLAN tunnel is automatically established based on a second source port number and a second destination port number in a second VXLAN message after the second network device receives the second VXLAN message requesting to establish the VXLAN tunnel between the first network device and the second network device, and the second VXLAN message is obtained after the NAT device performs network address translation on the first VXLAN message; the second destination port number indicates that the second VXLAN message is a VXLAN message, and the second source port number indicates a port of the NAT device; the second VXLAN message further comprises a NAT tag, and the NAT tag indicates that the VXLAN message passes through the NAT device; the second VXLAN message is also used by the second network device to obtain the first service message by decapsulation and to forward the first service message to a second VM; the second service message is generated by the second VM after receiving the first service message.
11. The first network device of claim 10, wherein the first VXLAN message further comprises the NAT tag.
12. The first network device of claim 11, wherein the first VXLAN message further comprises a VXLAN header, the VXLAN header comprising the NAT tag.
13. The first network device of any of claims 10-12, wherein the first VXLAN message further comprises a first source internet protocol IP address and a first destination IP address, the first source IP address indicating an IP address of the first network device, the first destination IP address indicating an IP address of the second network device.
14. The first network device of any of claims 10-12, wherein the fourth VXLAN message further comprises a fourth source IP address and a fourth destination IP address, the fourth source IP address indicating an IP address of the second network device, the fourth destination IP address indicating an IP address of the first network device.
15. A second network device, the second network device comprising:
a receiver, configured to receive a second virtual extensible local area network (VXLAN) message sent by a network address translation (NAT) device, where the second VXLAN message includes a second destination port number and a second source port number, the second destination port number indicates that the second VXLAN message is a VXLAN message, the second source port number indicates a port of the NAT device, the second VXLAN message is used to request to establish a VXLAN tunnel between a first network device and the second network device, the second VXLAN message is obtained after the NAT device performs network address translation on a first VXLAN message sent by the first network device, and the first VXLAN message is obtained by encapsulating a first service message sent by the first virtual machine (VM) by the first network device; the first VXLAN message includes a first destination port number indicating that the first VXLAN message is a VXLAN message and a first source port number indicating that the first network device is configured to send a VXLAN message, where the first destination port number is different from the first source port number, and the first source port number is allocated by the first network device to be dedicated to a VXLAN protocol;
a processor configured to decapsulate the second VXLAN packet to obtain the first service packet, forward the first service packet to a second VM, allow the second VM to generate a second service packet based on the first service packet, and send the second service packet to the second network device;
the processor is further configured to automatically establish a VXLAN tunnel between the NAT device and the second network device according to the second source port number and the second destination port number in the second VXLAN message;
a sender, configured to send a third VXLAN packet to the NAT device through the VXLAN tunnel, where the third VXLAN packet is a VXLAN packet generated by the second network device based on the second service packet, and the third VXLAN packet includes a third destination port number, a value of the third destination port number is equal to a value of the second source port number, and the third destination port number is a destination port number of the third VXLAN packet;
wherein the second VXLAN message further comprises a NAT marker indicating that the VXLAN message passes through the NAT device;
the processor is further configured to determine that the second VXLAN message includes the NAT tag;
the processor is further configured to determine the second source port number as the third destination port number.
16. The second network device of claim 15, wherein the second VXLAN message further comprises a VXLAN header, the VXLAN header comprising the NAT tag.
17. The second network device of claim 15 or 16, wherein the second VXLAN message further comprises a second source Internet Protocol (IP) address and a second destination IP address, the second source IP address indicating the IP address of the NAT device, the second destination IP address indicating the IP address of the second network device.
18. The second network device of claim 15 or 16, wherein the third VXLAN message further comprises a third source IP address and a third destination IP address, the third source IP address indicating the IP address of the second network device, the third destination IP address indicating the IP address of the NAT device.
19. A system for processing packets, the system comprising a first network device and a second network device, the first network device being the first network device according to any one of claims 10 to 14, and the second network device being the second network device according to any one of claims 15 to 18.
20. A computer-readable storage medium, in which a computer program is stored, which is loaded and executed by a processor to implement the method of processing a message according to any one of claims 1 to 5, and to implement the method of processing a message according to any one of claims 6 to 9.
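The port handling recited in claims 10 and 15, traced end to end in an added Python example that is not part of the patent text: the second device learns the NAT-translated source port from a marked VXLAN packet and uses it as the destination port of its reply, so the NAT can map the reply back to the first device. The flag bit chosen for the NAT marker, the reply's source port, the fallback to port 4789 when the marker is absent, and all addresses and port values are assumptions constructed for the illustration.

```python
import struct
VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (RFC 7348)
FLAG_VNI = 0x08    # RFC 7348 "I" flag: the VNI field is valid
FLAG_NAT = 0x01    # ASSUMPTION: a reserved flag bit stands in for the NAT marker

def encap(inner, vni, nat_marker):
    flags = FLAG_VNI | (FLAG_NAT if nat_marker else 0)
    return struct.pack("!B3xI", flags, vni << 8) + inner

def decap(payload):
    flags, word = struct.unpack("!B3xI", payload[:8])  # struct.error if truncated
    if not flags & FLAG_VNI:
        raise ValueError("VNI flag not set")
    return word >> 8, bool(flags & FLAG_NAT), payload[8:]

class Nat:  # port-translating NAT that keeps a reverse map
    def __init__(self, public_ip, first_port):
        self.public_ip, self.next_port, self.back = public_ip, first_port, {}
    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.back[port] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)
    def inbound(self, pkt):
        back = self.back.get(pkt["dport"])
        return dict(pkt, dst=back[0], dport=back[1]) if back else None  # unmapped: dropped

class SecondDevice:
    def __init__(self, ip):
        self.ip, self.tunnels = ip, {}
    def receive(self, pkt):
        if pkt["dport"] != VXLAN_PORT:
            raise ValueError("not a VXLAN packet")
        vni, nat_marker, inner = decap(pkt["payload"])
        # Marker set: answer to the observed source port. Unset: port 4789 (assumed).
        peer_port = pkt["sport"] if nat_marker else VXLAN_PORT
        self.tunnels[vni] = (pkt["src"], peer_port)
        return inner
    def reply(self, vni, inner):
        dst, dport = self.tunnels[vni]
        return {"src": self.ip, "sport": VXLAN_PORT, "dst": dst, "dport": dport,
                "payload": encap(inner, vni, False)}  # ASSUMPTION: sourced from 4789

def round_trip(nat_marker):  # all addresses and ports below are constructed samples
    nat, second = Nat("203.0.113.1", 61000), SecondDevice("198.51.100.7")
    first = {"src": "10.0.0.2", "sport": 50000, "dst": second.ip,
             "dport": VXLAN_PORT, "payload": encap(b"request", 100, nat_marker)}
    second_pkt = nat.outbound(first)
    second.receive(second_pkt)
    third = second.reply(100, b"response")
    return second_pkt, third, nat.inbound(third)
```

With the marker set, the fourth packet arrives at the first device on its dedicated source port; with the marker cleared, the reply goes to port 4789 on the NAT, finds no mapping, and `round_trip` returns `None` for it.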
CN201811602656.5A 2018-12-26 2018-12-26 Method, device and system for processing message Active CN111371666B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811602656.5A CN111371666B (en) 2018-12-26 2018-12-26 Method, device and system for processing message
PCT/CN2019/127718 WO2020135381A1 (en) 2018-12-26 2019-12-24 Packet processing method, device, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811602656.5A CN111371666B (en) 2018-12-26 2018-12-26 Method, device and system for processing message

Publications (2)

Publication Number Publication Date
CN111371666A CN111371666A (en) 2020-07-03
CN111371666B true CN111371666B (en) 2021-12-31

Family

ID=71126884

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811602656.5A Active CN111371666B (en) 2018-12-26 2018-12-26 Method, device and system for processing message

Country Status (2)

Country Link
CN (1) CN111371666B (en)
WO (1) WO2020135381A1 (en)

Also Published As

Publication number Publication date
CN111371666A (en) 2020-07-03
WO2020135381A1 (en) 2020-07-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant