CN111404732A - NAT gateway disaster recovery implementation method and system thereof - Google Patents

Info

Publication number
CN111404732A
Authority
CN
China
Prior art keywords
nat device
nat
message
switch
tunnel
Prior art date
Legal status
Granted
Application number
CN202010148472.7A
Other languages
Chinese (zh)
Other versions
CN111404732B (en)
Inventor
梁润强
史伟
闵宇
李卢群
Current Assignee
Guangdong Eflycloud Computing Co Ltd
Original Assignee
Guangdong Eflycloud Computing Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangdong Eflycloud Computing Co Ltd
Priority to CN202010148472.7A
Publication of CN111404732A
Application granted
Publication of CN111404732B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a method and a system for realizing NAT gateway disaster recovery. The system comprises a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT equipment module and a public network gateway module; the NAT equipment module comprises NAT equipment D1 and NAT equipment D2. The computing virtualization resource pool sends and receives message traffic; the LACP aggregation module aggregates the message traffic of NAT equipment D1 and NAT equipment D2; the synchronization module establishes a VxLAN tunnel between NAT equipment D1 and NAT equipment D2; and both NAT equipment D1 and NAT equipment D2 forward the message traffic of the switch to the public network gateway module, or forward the message traffic of the public network gateway module to the switch. When each address link connects for the first time, a session identifier is newly established on both NAT equipment D1 and NAT equipment D2, and the first message of the new connection is transmitted through the VxLAN tunnel by redirection.

Description

NAT gateway disaster recovery implementation method and system thereof
Technical Field
The invention relates to the technical field of NAT gateways in cloud computing, in particular to a method and a system for realizing NAT gateway disaster recovery.
Background
Nowadays, the popularity of the internet and the wave of cloud computing make people increasingly dependent on the network environment. With the rapid development of the mobile internet, applications and services emerge endlessly, and application developers, service providers and the like need to bring their projects or products online quickly. In a conventional IDC data center they generally have to deploy their own server equipment or rent it, and also build a complex network themselves, which inevitably costs a great deal of time, manpower and material resources, is prone to errors during deployment, and is not easy to expand or to make disaster tolerant.
In a classical network, users have very little network management capability on the cloud: a user has a virtual server in the classical network and only the ability to communicate with the public network; at most, security groups provide some security controls, while network management capabilities such as network segment planning, subnet division, route management and public network access management using NAT are almost absent or very weak.
As cloud computing and virtualized networks develop, networking and service deployment will become simpler and more convenient. For a cloud computing center, NAT service is an indispensable requirement once a user uses a virtual network, and NAT service availability is crucial to user experience, so the cloud computing center needs to deploy stable NAT disaster recovery.
Currently, NAT disaster recovery in the industry is generally realized with VRRP for active-standby redundancy, combined with active session synchronization. This approach has significant disadvantages. First, VRRP deployment is complicated and hard to manage, and VRRP only carries traffic on the master device, so the idle device is wasted. Second, active session synchronization cannot guarantee that the other device will not receive a message of a session before that session has been synchronized, and it also wastes device bandwidth, consumes device performance and adds complexity to the deployment.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and a system for implementing NAT gateway disaster recovery in which all deployed devices take part in the work: LACP is used to implement cross-device aggregation, the device state is detected through BFD, and sessions are synchronized by redirecting the first message of each new connection. BFD detection finds device faults within milliseconds, and redirecting the first message of a new connection ensures that every session is synchronized to the other device immediately, so that all messages of a session find the correct session on whichever device they reach. This ensures efficiency and accuracy, reduces the consumption of device performance, and simplifies device deployment.
In order to solve the technical problems, the invention provides the following technical scheme. The NAT gateway disaster recovery implementation system comprises a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT equipment module and a public network gateway module, wherein the NAT equipment module comprises NAT equipment D1 and NAT equipment D2;
the computing virtualization resource pool, the switch, the NAT equipment D1 and the public network gateway module are connected in sequence; the computing virtualization resource pool, the switch, the NAT equipment D2 and the public network gateway module are connected in sequence; the LACP aggregation module is connected with the NAT equipment D1, the NAT equipment D2 and the switch; and the synchronization module is connected with the NAT equipment D1 and the NAT equipment D2;
the computing virtualization resource pool is used for sending and receiving message traffic;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting it to the computing virtualization resource pool;
the LACP aggregation module is used for running the link aggregation control protocol (LACP) between the NAT device D1 and the switch, and between the NAT device D2 and the switch, to aggregate the message traffic; the NAT device D1 and the NAT device D2 both use the same MAC address and operation KEY to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 form the same aggregation group and cross-device aggregation is realized;
the synchronization module is used for establishing BFD detection between the NAT equipment D1 and the NAT equipment D2, detecting the connection state between them and judging whether their states are synchronized; it is also used for establishing a VxLAN tunnel between the NAT equipment D1 and the NAT equipment D2, through which the two devices transmit message traffic, the VxLAN tunnel being used for session synchronization between them;
the NAT device D1 and the NAT device D2 are both configured to forward the message traffic of the switch to the public network gateway module, or forward the message traffic of the public network gateway module to the switch;
the NAT device D1 is also used for looking up, for message traffic sent by the switch, whether the message traffic has a session identifier in the NAT device D1: if the session identifier exists, the message traffic is sent directly to the public network gateway module; if it does not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, it is sent to the public network gateway module; if it came from the switch and the NAT device D1 has learned through the BFD detection of the synchronization module that the NAT device D2 is in good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module;
the NAT device D2 is also used for looking up, for message traffic sent by the switch, whether the message traffic has a session identifier in the NAT device D2: if the session identifier exists, the message traffic is sent directly to the public network gateway module; if it does not, a new session identifier is established. After the session identifier is newly established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, it is sent to the public network gateway module; if it came from the switch and the NAT device D2 has learned through the BFD detection of the synchronization module that the NAT device D1 is in good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module;
the public network gateway module is used for receiving the message traffic of the NAT equipment D1 and the NAT equipment D2 and transmitting it to the external network; it is also used for receiving message traffic from the external network and deciding, according to the routing calculation, whether to send it to the NAT device D1 or the NAT device D2.
The NAT device D1 is further configured to look up, for message traffic sent by the public network gateway module, whether the message traffic has a session identifier in the NAT device D1: if so, it is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module and the NAT device D1 has learned through the BFD detection of the synchronization module that the NAT device D2 is in good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the switch;
the NAT device D2 is further configured to look up, for message traffic sent by the public network gateway module, whether the message traffic has a session identifier in the NAT device D2: if so, it is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module and the NAT device D2 has learned through the BFD detection of the synchronization module that the NAT device D1 is in good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the switch.
Further, each of the NAT device D1 and the NAT device D2 includes a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool comprises a plurality of virtual machines (VMs), which send and receive message traffic;
the network port em1 is for external equipment and is used for network management of the NAT equipment D1 and the NAT equipment D2;
the network port em2 connects to the switch and is used for transmitting message traffic between the switch and the NAT device D1, and between the switch and the NAT device D2;
the network port em3 connects to the public network gateway module and is used for transmitting message traffic between the public network gateway module and the NAT device D1, and between the public network gateway module and the NAT device D2;
the two network ports em4 are used for establishing the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
Further, the network port em2 is also configured so that, when a virtual machine VM sends message traffic to the switch, the switch divides the message traffic into two paths through the network port em2 and sends them evenly to the NAT device D1 and the NAT device D2 according to LACP load balancing; the network port em2 converts the address of the virtual machine VM in the message traffic into the NAT address, and the message traffic is sent from the network port em3 to the public network gateway module;
the network port em3 is further configured to receive message traffic from the public network gateway module, convert the NAT address in the message traffic into the address of the virtual machine VM, and then send the message traffic back from the network port em2 to the virtual machine VM.
Another aim of the invention is to provide a method for realizing NAT gateway disaster recovery, which comprises the following steps:
S1, the synchronization module establishes BFD detection between NAT equipment D1 and NAT equipment D2 and detects state synchronization between them in real time; moreover, the synchronization module establishes a VxLAN tunnel between NAT equipment D1 and NAT equipment D2, which is used for session synchronization between them;
S2, the computing virtualization resource pool sends message traffic to the switch, and according to the link aggregation control protocol (LACP) the switch divides the message traffic into two paths of load and sends them evenly to the NAT device D1 and the NAT device D2;
S3, the NAT device D1 looks up whether the message traffic has a session identifier in the NAT device D1: if so, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module;
the NAT device D2 looks up whether the message traffic has a session identifier in the NAT device D2: if so, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the NAT device D2 sends it to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module;
S4, the public network gateway module transmits the message traffic to the external network.
Further, before step S1 the method also includes step S0: the LACP aggregation module runs the link aggregation control protocol (LACP) between the NAT device D1 and the switch, and between the NAT device D2 and the switch, to aggregate the message traffic.
Further, after step S4 the method also includes step S5: after the public network gateway module receives message traffic from the external network, it decides according to the routing calculation whether to send the message traffic to the NAT device D1 or the NAT device D2;
S6, if the message traffic is sent to the NAT device D1, the NAT device D1 looks up whether the message traffic has a session identifier in the NAT device D1: if so, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the switch;
if the message traffic is sent to the NAT device D2, the NAT device D2 looks up whether the message traffic has a session identifier in the NAT device D2: if so, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the NAT device D2 sends it to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the switch;
S7, the switch transmits the message traffic to the computing virtualization resource pool.
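The lookup-then-redirect logic of steps S3 and S6 (and of the equivalent device descriptions in the system claim above), as an added simulation in Python. This is example code written for this page, not code from the patent or from Guangdong Eflycloud. Everything the patent does not state is an assumption and is labelled as such in the code: the sample addresses and ports, the toy hashes standing in for the switch's LACP load split and the gateway's route selection, the 50 ms x 3 BFD detection timer, the 1:1 static mapping used for inbound-initiated sessions, the rule that a device whose neighbour is down forwards the first packet itself, and, above all, that the translated NAT port is derived from the flow so that the neighbour receiving the redirected first packet builds the identical session identifier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class NatDevice:
    """One NAT device (D1 or D2); sessions maps (direction, Packet) -> translated Packet."""

    def __init__(self, name, nat_ip, static_map):
        self.name = name
        self.nat_ip = nat_ip
        self.static_map = static_map  # assumed 1:1 public->VM mapping for inbound-initiated sessions
        self.peer = None
        self.peer_up = False          # written by bfd_check (the synchronization module)
        self.sessions = {}

    def bfd_check(self, now_ms, last_hello_ms, min_rx_ms=50, detect_mult=3):
        """BFD detection: the neighbour is down once detect_mult intervals pass without a hello
        (50 ms x 3 is an assumed timer, not a value from the patent)."""
        self.peer_up = (now_ms - last_hello_ms) < min_rx_ms * detect_mult
        return self.peer_up

    def _translate_new(self, pkt, direction):
        if direction == "out":
            # Assumption (not in the patent): the NAT port is a function of the flow, so the
            # neighbour that receives the redirected first packet derives the identical session.
            nat_port = 40000 + (pkt.src_port * 31 + pkt.dst_port) % 20000
            return Packet(pkt.proto, self.nat_ip, nat_port, pkt.dst_ip, pkt.dst_port)
        vm_ip = self.static_map.get(pkt.dst_ip)
        if vm_ip is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, vm_ip, pkt.dst_port)

    def _install(self, pkt, translated, direction):
        """Create the session identifier for this flow and for its reply direction."""
        self.sessions[(direction, pkt)] = translated
        self.sessions[("in" if direction == "out" else "out", translated.reverse())] = pkt.reverse()

    def receive(self, pkt, direction, via):
        """direction: 'out' (switch -> gateway) or 'in' (gateway -> switch); via: 'switch', 'gateway'
        or 'vxlan' (redirected by the neighbour). Returns (action, forwarding device, egress, packet)."""
        egress = "gateway" if direction == "out" else "switch"
        hit = self.sessions.get((direction, pkt))
        if hit is not None:                    # session identifier exists: forward directly
            return ("hit", self.name, egress, hit)
        translated = self._translate_new(pkt, direction)
        if translated is None:
            return ("drop", self.name, None, None)
        self._install(pkt, translated, direction)   # new session identifier on this device
        if via == "vxlan":                     # redirected copy: the neighbour already has it
            return ("new-from-vxlan", self.name, egress, translated)
        if self.peer_up:                       # BFD says the neighbour is healthy: redirect
            return ("redirect",) + self.peer.receive(pkt, direction, "vxlan")[1:]
        # Assumption: with the neighbour down, the device forwards the first packet itself.
        return ("new-local", self.name, egress, translated)


def switch_pick(devices, pkt):
    """LACP load split on the switch (toy hash standing in for the real per-flow hash)."""
    return devices[(pkt.src_port + pkt.dst_port) % len(devices)]


def gateway_pick(devices, pkt):
    """Public gateway route selection; a different hash, so a reply may land on the other device."""
    return devices[(pkt.src_port * 7 + pkt.dst_port) % len(devices)]


def run_scenario(peer_up=True):
    """One outbound first packet and its reply through the pair; returns what happened."""
    static_map = {"203.0.113.10": "10.0.0.5"}                    # constructed sample addresses
    d1 = NatDevice("D1", "203.0.113.10", static_map)
    d2 = NatDevice("D2", "203.0.113.10", static_map)
    d1.peer, d2.peer = d2, d1
    d1.peer_up = d2.peer_up = peer_up
    devices = (d1, d2)
    syn = Packet("tcp", "10.0.0.5", 1234, "198.51.100.20", 443)  # constructed sample flow
    first = switch_pick(devices, syn)
    action, fwd_by, _, translated = first.receive(syn, "out", "switch")
    # With the neighbour down, the gateway's route is assumed to hold only the surviving device.
    second = gateway_pick(devices, translated.reverse()) if peer_up else first
    r_action, _, _, delivered = second.receive(translated.reverse(), "in", "gateway")
    return {
        "first_device": first.name, "first_action": action, "forwarded_by": fwd_by,
        "reply_device": second.name, "reply_action": r_action,
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "sessions": {d.name: len(d.sessions) for d in devices},
    }
```

`run_scenario(True)` exercises the case the redirect exists for: the switch's load split lands the outbound first packet on D2, D2 redirects it over the tunnel, D1 forwards it and keeps the session, and the reply that the gateway routes to D1 is a session hit because both devices now hold the identifier. With `peer_up=False` no redirect happens and only one device holds the session; the gateway's routing calculation must then also stop sending to the failed device, which the patent leaves to the routing calculation. The deterministic port derivation is the point a reviewer should probe: the patent says the neighbour "establishes the same session", which holds only if both devices choose the same translated address and port for the redirected packet.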
Further, the NAT device D1 and the NAT device D2 are each provided with a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool is provided with a plurality of virtual machines (VMs), which send and receive message traffic;
the network port em1 is externally connected to equipment and is used for carrying out network management on the NAT equipment D1 and the NAT equipment D2;
the network port em2 transmits the message traffic between the switch and the NAT device D1, and between the switch and the NAT device D2; the virtual machine VM sends message traffic to the switch, the switch divides the message traffic into two paths of load through the network port em2 and sends them evenly to the NAT device D1 and the NAT device D2, and the network port em2 converts the address of the virtual machine VM in the message traffic into the NAT address before the message traffic is sent from the network port em3 to the public network gateway module;
the network port em3 transmits the message traffic between the public network gateway module and the NAT device D1, and between the public network gateway module and the NAT device D2; the network port em3 receives the message traffic from the public network gateway module and converts the NAT address in the message traffic into the address of the virtual machine VM, and the message traffic is sent from the network port em2 back to the virtual machine VM;
the two network ports em4 establish the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
Further, after the session identifier is newly established in step S3, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the NAT device D1 sends it to the public network gateway module; if from the switch and the NAT device D1 detects through the BFD in the synchronization module that the NAT device D2 is in good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module;
after the session identifier is newly established in step S3, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the NAT device D2 sends it to the public network gateway module; if from the switch, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module.
Further, after the session identifier is newly established in step S6, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the NAT device D1 sends it to the switch; if from the public network gateway module and the NAT device D1 detects through the BFD in the synchronization module that the NAT device D2 is in good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the switch;
after the session identifier is newly established in step S6, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the NAT device D2 sends it to the switch; if from the public network gateway module and the NAT device D2 detects through the BFD in the synchronization module that the NAT device D1 is in good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the switch.
After adopting this technical scheme, the method has the following advantages. Two NAT devices are aggregated in a cross-device mode using LACP, so all NAT devices work simultaneously and provide NAT service simultaneously, overcoming the defect that the VRRP redundancy protocol can only provide service on a single device. BFD detection is used in the disaster recovery of the NAT devices: BFD detection is established between the two NAT devices, so each device learns the state of the other side within milliseconds. Then, in the NAT module, it is judged whether a message belongs to a new connection; the first message of a new connection is redirected to the neighbor through the VxLAN tunnel, so the neighbor establishes the same session at the first moment, and all subsequent messages of the connection find the session successfully no matter which device they pass through. This redirect-based session synchronization is superior to the traditional method of actively synchronizing sessions between the two devices, which not only needs additional threads on the devices but may also cause a lookup to miss a session that has not yet been synchronized. The invention improves the overall efficiency and stability of the system and keeps it simple and convenient to deploy.
Drawings
Fig. 1 is a block diagram of a NAT gateway disaster recovery implementation system according to the present invention;
Fig. 2 is a flowchart of the steps of a method for implementing NAT gateway disaster recovery according to the present invention.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict, and the present application is further described in detail with reference to the drawings and specific embodiments.
Example 1
As shown in fig. 1, this embodiment provides a NAT gateway disaster recovery implementation system, which mainly includes a computing virtualized resource pool, a switch, an L ACP convergence module, a synchronization module, a NAT device module, and a public network gateway module, where the NAT device module includes a NAT device D1 and a NAT device D2, where the NAT device D1 and the NAT device D2 belong to devices of the same specification (with identical performance functions), the computing virtualized resource pool, the switch, a NAT device D1, and the public network gateway module are sequentially connected, the computing virtualized resource pool, the switch, a NAT device D2, and the public network gateway module are sequentially connected, the L ACP convergence module is connected to the NAT device D1, the NAT device D2, and the switch, and the synchronization module is connected to the NAT device D1 and the NAT device D2;
the computing virtualization resource pool is used for sending and receiving message traffic; it comprises a number of virtual machines VM, such as virtual machines VM1, VM2, VM3, VM4, VM5 and so on, and each virtual machine VM sends and receives message traffic. The NAT device D1 and the NAT device D2 each comprise a network port em1, a network port em2, a network port em3 and a network port em4, and the network ports em1, em2, em3 and em4 of the NAT device D1 have the same functional specifications as the network ports em1, em2, em3 and em4 of the NAT device D2;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting the message traffic to the computing virtualization resource pool;
the LACP aggregation module is used for controlling the link aggregation control protocol LACP between the NAT device D1 and the switch to realize aggregation of message traffic, and for controlling the LACP protocol between the NAT device D2 and the switch to realize aggregation of message traffic; the NAT device D1 and the NAT device D2 establish LACP aggregation with the switch using the same MAC address and operation KEY, so that the switch, the NAT device D1 and the NAT device D2 form one aggregation group and cross-device aggregation is realized;
the LACP aggregation module configures the NAT device D1 and the NAT device D2 to belong to one aggregation group together, following the IEEE 802.3ad specification for LACP link aggregation. Normally, a plurality of ports of one device are connected to the same switch to realize aggregation, and LACPDUs (link aggregation control protocol data units) are exchanged between the device and the switch. The LACP protocol specifies that the system priority, the system ID (MAC) and the operation KEY uniquely identify an aggregation group, and that different ports in the same aggregation group are distinguished by PORT ID. According to IEEE 802.3ad, when two devices each connect one port to the same switch to realize cross-device aggregation, as long as the system priority, system ID (MAC) and operation KEY in the LACPDUs exchanged between the two devices and the switch are the same, and the two devices are distinguished by different PORT IDs, cross-device aggregation is realized by LACP. The system priority, system ID (MAC) and operation KEY of the two devices are therefore kept identical, and the system ID (MAC) can be set manually.
The synchronization module is used for establishing BFD detection between the NAT device D1 and the NAT device D2, detecting the connection state between the NAT device D1 and the NAT device D2 and judging whether their states are synchronized; the synchronization module is also used for establishing a VxLAN tunnel between the NAT device D1 and the NAT device D2, through which the NAT device D1 and the NAT device D2 transmit message traffic, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2. The synchronization module is realized in the following way:
a) the network port em4 of the NAT device D1 is set to ip_d1, and the network port em4 of the NAT device D2 is set to ip_d2;
b) BFD detection is established between ip_d1 and ip_d2 and is used for detecting the state of the other side;
c) a VxLAN tunnel is established between ip_d1 and ip_d2 and is used for redirecting and transmitting the first message of a new connection.
The NAT device D1 and the NAT device D2 are both configured to forward the packet traffic of the switch to the public network gateway module, or forward the packet traffic of the public network gateway module to the switch;
the NAT device D1 is also used for searching whether the message traffic sent by the switch has a session identifier in the NAT device D1. If the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch, the NAT device D1 checks the NAT device D2 through the BFD detection of the synchronization module, and if the NAT device D2 is known to be in a good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module;
the way a new session identifier is currently established is as follows:
A. A session identifier is established from the five-tuple of the message: source address, destination address, source port, destination port and protocol type. The NAT function converts the source address into a NAT address, or converts the destination address into a private address; when the session identifier is established, however, the untranslated addresses are used, so the original destination address is used rather than the NAT address;
B. The NAT device D1 and the NAT device D2 receive traffic from the virtual machines VM of the intranet on the network port em2, convert the source address into a designated address, and transmit the traffic to the public network from the network port em3; they receive traffic from the public network on the network port em3, convert the NAT address into the address of the corresponding virtual machine VM, and transmit the traffic to that virtual machine VM from the network port em2;
C. Because the same connection appears at the network port em2 and at the network port em3 on either side of address translation, one connection has more than one five-tuple. Assume that a message sent by the virtual machine VM1 at the network port em2 has the five-tuple sip1, dip1, sp1, dp1, pro; the five-tuple [sip1 dip1 sp1 dp1 pro] is identified as session1. After address translation, assume that sip1 becomes nip1; the translated five-tuple [nip1 dip1 sp1 dp1 pro] is also identified as session1. Subsequently, when a message whose five-tuple is nip1, dip1, sp1, dp1, pro is received from the network port em3, session1 is found again, nip1 is translated back to the original sip1, and the message is delivered to the virtual machine VM1;
D. In summary, as long as the five-tuples before and after the NAT device are identified as the same session, the corresponding session can be found in both directions, and address translation is then performed. The establishment of new session identifiers on the NAT device D2 is identical to that on the NAT device D1.
The NAT device D2 is also used for searching whether the message traffic sent by the switch has a session identifier in the NAT device D2. If the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is created, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch, the NAT device D2 checks the NAT device D1 through the BFD detection of the synchronization module, and if the NAT device D1 is known to be in a good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module.
The public network gateway module is used for receiving the message traffic of the NAT equipment D1 and the NAT equipment D2 and transmitting the message traffic to an external network; the public network gateway module is also used for receiving message traffic of an external network and determining whether the message traffic is sent to the NAT equipment D1 or the NAT equipment D2 according to routing calculation;
the NAT device D1 is also used for searching whether the message traffic sent by the public network gateway module has a session identifier in the NAT device D1. If the session identifier exists, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message traffic is sent to the switch; if it came from the public network gateway module, the NAT device D1 checks the NAT device D2 through the BFD detection of the synchronization module, and if the NAT device D2 is in a good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the switch;
the NAT device D2 is also used for searching whether the message traffic sent by the public network gateway module has a session identifier in the NAT device D2. If the session identifier exists, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is created, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message traffic is sent to the switch; if it came from the public network gateway module, the synchronization module detects the working state of the NAT device D1, and if the NAT device D1 is in a normal working state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the switch.
The network port em1 is used for external equipment and is used for network management of the NAT equipment D1 and the NAT equipment D2; specifically, the network port em1 of the NAT device D1 is used for an external device (e.g., a computer) to perform network management on the NAT device D1; the network port em1 of the NAT device D2 is used for an external device (e.g., a computer) to perform network management on the NAT device D2;
the network port em2 is used for connecting to the switch and transmitting message traffic between the switch and the NAT device D1 and between the switch and the NAT device D2. When a virtual machine VM sends message traffic to the switch, the switch divides the message traffic into two paths according to LACP load sharing and sends them evenly to the NAT device D1 and the NAT device D2 through their network ports em2; the NAT device converts the address of the virtual machine VM in the message traffic into a NAT address and then sends the message traffic from the network port em3 to the public network gateway module. Described in detail by case: the NAT device D1 receives on its network port em2 message traffic whose virtual machine VM address is to be converted into a NAT address; if the message traffic has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 sends it from its network port em3 to the public network gateway module; if the message traffic has a session identifier, the NAT device D1 sends it directly from its own network port em3 to the public network gateway module. The NAT device D2 handles the message traffic received on its network port em2 in the same way, with the NAT device D1 as its neighbor;
the NAT device D1 receives message traffic from the public network gateway module on the network port em3, converts the NAT address in the message traffic into the address of the virtual machine VM, and sends the message traffic back to the virtual machine VM from the network port em2. Described in detail by case: if the message traffic received on the network port em3 has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 sends it back to the virtual machine VM through its network port em2; if the message traffic has a session identifier, the NAT device D1 sends it back to the virtual machine VM directly through its own network port em2. The NAT device D2 handles the message traffic received on its network port em3 in the same way, with the NAT device D1 as its neighbor;
the two network ports em4 are used for establishing the synchronization module and are connected with each other through the synchronization module; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4 and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, and the VxLAN tunnel is used for session synchronization.
The system of the embodiment has the advantages that the first message of each new connection firstly passes through two pieces of NAT equipment and then reaches the virtual machine VM or the public network, and then the subsequent message of the connection can find the connection session to which the message belongs when passing through any one piece of NAT equipment.
Example 2
As shown in Fig. 2, this embodiment provides a method for implementing NAT gateway disaster recovery based on the NAT gateway disaster recovery implementation system of embodiment 1, and the specific steps of the method are as follows:
S11, the LACP aggregation module controls the link aggregation control protocol LACP between the NAT device D1 and the switch to realize aggregation of message traffic, and controls the LACP protocol between the NAT device D2 and the switch to realize aggregation of message traffic, wherein the NAT device D1 and the NAT device D2 use the same MAC address and operation KEY to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 form the same aggregation group and cross-device aggregation is realized;
S12, the synchronization module establishes BFD detection between the NAT device D1 and the NAT device D2 and detects the state synchronization between the NAT device D1 and the NAT device D2 in real time; moreover, the synchronization module establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
S13, the computing virtualized resource pool sends message traffic to the switch, and the switch, according to the link aggregation control protocol LACP, divides the message traffic into two paths of load and sends them evenly to the NAT device D1 and the NAT device D2;
S14, the NAT device D1 searches whether the message traffic has a session identifier in the NAT device D1. If the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch, the synchronization module detects the working state of the NAT device D2, and if the NAT device D2 is in a normal working state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module. This process redirects the message traffic from the NAT device D1 to the NAT device D2;
similarly, the NAT device D2 and the NAT device D1 realize the same transmission process for the message traffic: the NAT device D2 searches whether the message traffic has a session identifier in the NAT device D2. If the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the switch: if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch, the synchronization module detects the working state of the NAT device D1, and if the NAT device D1 is in a normal working state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module. This process redirects the message traffic from the NAT device D2 to the NAT device D1;
S15, the public network gateway module transmits the message traffic to the external network;
S16, after receiving message traffic from the external network, the public network gateway module decides according to route calculation whether to send the message traffic to the NAT device D1 or to the NAT device D2;
S17, if the message traffic is sent to the NAT device D1, the NAT device D1 searches whether the message traffic has a session identifier in the NAT device D1. If the session identifier exists, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is created, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message traffic is sent to the switch; if it came from the public network gateway module, the synchronization module detects the working state of the NAT device D2, and if the NAT device D2 is in a normal working state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the switch. This process redirects the message traffic from the NAT device D1 to the NAT device D2;
if the message traffic is sent to the NAT device D2, the NAT device D2 searches whether the message traffic has a session identifier in the NAT device D2. If the session identifier exists, the message traffic is sent directly to the switch; if not, a new session identifier is established. After the session identifier is newly established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message traffic is sent to the switch; if it came from the public network gateway module, the synchronization module detects the working state of the NAT device D1, and if the NAT device D1 is in a normal working state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the switch. This process redirects the message traffic from the NAT device D2 to the NAT device D1;
S18, the switch transmits the message traffic to the computing virtualization resource pool.
Further, the NAT device D1 and the NAT device D2 are both provided with a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool is provided with a plurality of virtual machines VM, and the virtual machines VM send and receive message traffic;
the network port em1 is externally connected with equipment and is used for carrying out network management on the NAT equipment D1 and the NAT equipment D2;
the NAT device D1 receives on the network port em2 message traffic whose virtual machine VM address is to be converted into a NAT address; if the message traffic has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 sends it to the public network gateway module from its network port em3; if the message traffic has a session identifier, the NAT device D1 sends it directly to the public network gateway module from its own network port em3. The NAT device D2 handles the message traffic received on its network port em2 in the same way, with the NAT device D1 as its neighbor;
the NAT device D1 receives message traffic from the public network gateway module on the network port em3, converts the NAT address in the message traffic into the address of the virtual machine VM, and sends the message traffic back to the virtual machine VM from the network port em2. Described in detail by case: if the message traffic received on the network port em3 has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 sends it back to the virtual machine VM through its network port em2; if the message traffic has a session identifier, the NAT device D1 sends it back to the virtual machine VM directly through its own network port em2. The NAT device D2 handles the message traffic received on its network port em3 in the same way, with the NAT device D1 as its neighbor;
the two network ports em4 establish the synchronization module and are connected with each other through the synchronization module; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4 and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, and the VxLAN tunnel is used for session synchronization.
Example 3
This embodiment provides a specific example of a method for implementing disaster recovery of a gateway based on the NAT gateway disaster recovery implementation method in embodiment 2, as follows:
Example: the virtual machine vm1 accesses baidu.com.
1. The virtual machine vm1 sends a SYN message to baidu.com;
2. Suppose that the left NAT device D1 receives the message; when the message passes through the NAT module, a new session identifier is created and the SYN message is redirected to the right NAT device D2 through the VxLAN tunnel;
3. The right NAT device D2 receives the SYN message from the VxLAN tunnel and forwards it directly from the network port em3 to the public network gateway;
4. Subsequent messages of this connection exchanged between the virtual machine vm1 and baidu.com, whether received by the left NAT device D1 or the right NAT device D2, are forwarded out through the network port em2 or the network port em3 of that NAT device after being processed by its NAT module, and are not redirected to the neighbor NAT device through the VxLAN tunnel.
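The following Python model is an added illustration of the session-identifier scheme (steps A to D of embodiment 1) and of the first-packet redirection walked through in this example; it is not code from the patent or from the applicant. It assumes constructed addresses, a static "designated address" mapping from each VM address to a NAT address that is identical on both devices (without that, the neighbor could not build the same session from the redirected packet), that the packet sent through the VxLAN tunnel is the untranslated first packet, and that a device whose BFD check reports the neighbor down forwards the first packet alone without redirecting it. Each device keys its session table by all four five-tuples a connection has (before and after translation, in both directions), which is what lets a reply arriving at either device find the same session.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (sip, dip, sport, dport, proto)

# Constructed "designated address" mapping (assumption: static and identical on
# both devices, so D1 and D2 derive the same session from the same first packet).
VM_TO_NAT = {"10.0.0.1": "203.0.113.1", "10.0.0.2": "203.0.113.2"}
NAT_TO_VM = {nat: vm for vm, nat in VM_TO_NAT.items()}


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str
    ingress: str  # "switch" (em2), "gateway" (em3) or "tunnel" (em4)

    def key(self) -> FiveTuple:
        return (self.sip, self.dip, self.sport, self.dport, self.proto)


class NatDevice:
    """One NAT device; sessions are keyed by every five-tuple a connection has."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.peer: Optional["NatDevice"] = None
        self.bfd_up = True                        # neighbour state learned via BFD
        self.sessions: Dict[FiveTuple, int] = {}  # any tuple of a session -> session id
        self.next_sid = 1
        # (device, egress port, session id, five-tuple as sent): forwarding trace
        self.trace: List[Tuple[str, str, int, FiveTuple]] = []

    def _register(self, pkt: Packet) -> int:
        """Create a session id and register the four five-tuples belonging to it."""
        if pkt.sip in VM_TO_NAT:            # outbound: VM -> public network
            vm, nat, ext = pkt.sip, VM_TO_NAT[pkt.sip], pkt.dip
            vport, eport = pkt.sport, pkt.dport
        elif pkt.dip in NAT_TO_VM:          # inbound: public network -> NAT address
            vm, nat, ext = NAT_TO_VM[pkt.dip], pkt.dip, pkt.sip
            vport, eport = pkt.dport, pkt.sport
        else:
            raise ValueError(f"{self.name}: no designated address for {pkt.key()}")
        sid = self.next_sid
        self.next_sid += 1
        for key in ((vm, ext, vport, eport, pkt.proto),   # em2 side, before SNAT
                    (nat, ext, vport, eport, pkt.proto),  # em3 side, after SNAT
                    (ext, nat, eport, vport, pkt.proto),  # em3 side, reply before DNAT
                    (ext, vm, eport, vport, pkt.proto)):  # em2 side, reply after DNAT
            self.sessions[key] = sid
        return sid

    def _forward(self, pkt: Packet, sid: int) -> str:
        """Translate the packet and send it out of em3 (outbound) or em2 (inbound)."""
        if pkt.sip in VM_TO_NAT:
            out = (VM_TO_NAT[pkt.sip], pkt.dip, pkt.sport, pkt.dport, pkt.proto)
            egress = "gateway"
        else:
            out = (pkt.sip, NAT_TO_VM[pkt.dip], pkt.sport, pkt.dport, pkt.proto)
            egress = "switch"
        self.trace.append((self.name, egress, sid, out))
        return egress

    def process(self, pkt: Packet) -> str:
        """Handle one packet; returns the port it left on: 'gateway', 'switch' or 'tunnel'."""
        sid = self.sessions.get(pkt.key())
        if sid is not None:                   # known connection: translate and forward
            return self._forward(pkt, sid)
        sid = self._register(pkt)             # first packet seen here: new session
        if pkt.ingress == "tunnel":           # redirected by the neighbour: the session
            return self._forward(pkt, sid)    # is now mirrored, forward it ourselves
        if self.peer is not None and self.bfd_up:
            # New connection from em2/em3 and neighbour is up: redirect the untranslated
            # packet through the VxLAN tunnel so the neighbour builds the same session
            self.trace.append((self.name, "tunnel", sid, pkt.key()))
            self.peer.process(Packet(*pkt.key(), "tunnel"))
            return "tunnel"
        # Neighbour reported down by BFD (assumption): forward alone, no redirection
        return self._forward(pkt, sid)


def run_example() -> dict:
    """Walk through the steps of the example with a constructed SYN and its reply."""
    d1, d2 = NatDevice("D1"), NatDevice("D2")
    d1.peer, d2.peer = d2, d1
    syn = Packet("10.0.0.1", "198.51.100.10", 40000, 443, "tcp", "switch")
    reply = Packet("198.51.100.10", "203.0.113.1", 443, 40000, "tcp", "gateway")
    result = {
        "syn_d1": d1.process(syn),        # 'tunnel': D1 redirects the first packet
        "d2_trace": list(d2.trace),       # D2 forwarded the translated SYN via em3
        "reply_d2": d2.process(reply),    # 'switch': D2 finds the session
        "reply_d1": d1.process(reply),    # 'switch': so does D1, no new session
        "sessions": (d1.next_sid - 1, d2.next_sid - 1),
    }
    d1.bfd_up = False                     # neighbour reported down by BFD
    lone = Packet("10.0.0.2", "198.51.100.10", 40001, 80, "tcp", "switch")
    result["syn_alone"] = d1.process(lone)          # 'gateway': no redirection
    result["d2_knows"] = lone.key() in d2.sessions  # False: D2 never saw it
    return result


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The trace records show the asymmetry the text describes: only the first packet of a connection leaves a device through the tunnel, and only the neighbor emits it to the public gateway; every later packet, including the reply arriving from the gateway at whichever device the route picks, hits the session table locally. The last two results show the failure mode when BFD reports the neighbor down: the device forwards alone and the neighbor holds no session for that connection, which is acceptable only because the designated-address mapping is static and both devices translate identically.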
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various equivalent changes, modifications, substitutions and alterations can be made herein without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims (10)

1. A NAT gateway disaster recovery implementation system, characterized by comprising a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT device module and a public network gateway module, wherein the NAT device module comprises a NAT device D1 and a NAT device D2;
the computing virtual resource pool, the switch, the NAT device D1 and the public network gateway module are connected in sequence; the computing virtual resource pool, the switch, the NAT device D2 and the public network gateway module are connected in sequence; the LACP aggregation module is connected with the NAT device D1, the NAT device D2 and the switch; and the synchronization module is connected with the NAT device D1 and the NAT device D2;
the computing virtualization resource pool is used for sending and receiving message flow;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting the message traffic to the computing virtualization resource pool;
the LACP aggregation module is used for controlling the link aggregation control protocol LACP between the NAT device D1 and the switch to realize aggregation of message traffic, and for controlling the LACP protocol between the NAT device D2 and the switch to realize aggregation of message traffic, wherein the NAT device D1 and the NAT device D2 both use the same MAC address and operation KEY to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 form the same aggregation group and cross-device aggregation is realized;
the synchronization module is used for establishing BFD detection between the NAT device D1 and the NAT device D2, detecting the connection state between the NAT device D1 and the NAT device D2 and judging whether their states are synchronized, and is also used for establishing a VxLAN tunnel between the NAT device D1 and the NAT device D2, through which the NAT device D1 and the NAT device D2 transmit message traffic, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
the NAT device D1 and the NAT device D2 are both configured to forward the packet traffic of the switch to the public network gateway module, or forward the packet traffic of the public network gateway module to the switch;
the NAT device D1 is also used for searching whether the message traffic sent by the switch has a session identifier in the NAT device D1; if the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established; after the session identifier is newly established, the NAT device D1 judges whether the message traffic came from the VxLAN tunnel or from the switch; if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch and the NAT device D1 learns through the BFD detection of the synchronization module that the NAT device D2 is in a good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits it to the public network gateway module;
the NAT device D2 is also used for searching whether the message traffic sent by the switch has a session identifier in the NAT device D2; if the session identifier exists, the message traffic is sent directly to the public network gateway module; if not, a new session identifier is established; after the session identifier is newly established, the NAT device D2 judges whether the message traffic came from the VxLAN tunnel or from the switch; if it came from the VxLAN tunnel, the message traffic is sent to the public network gateway module; if it came from the switch and the NAT device D2 learns through the BFD detection of the synchronization module that the NAT device D1 is in a good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits it to the public network gateway module;
the public network gateway module is used for receiving the message traffic of the NAT equipment D1 and the NAT equipment D2 and transmitting the message traffic to an external network; the public network gateway module is also used for receiving message traffic of an external network and determining whether the message traffic is sent to the NAT device D1 or the NAT device D2 according to routing calculation.
2. The NAT gateway disaster recovery implementation system according to claim 1, wherein the NAT device D1 is further configured to search, for message traffic sent by the public network gateway module, whether the message traffic has a session identifier in the NAT device D1; if the message traffic has the session identifier, it is directly sent to the switch; if the message traffic has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D1 determines whether the message traffic is from the VxLAN tunnel or the public network gateway module; if the message traffic is from the VxLAN tunnel, it is sent to the switch; and if the message traffic is from the public network gateway module and the NAT device D1 finds, through BFD detection in the synchronization module, that the NAT device D2 is in a good state, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message traffic to the switch;
the NAT device D2 is further configured to search, for message traffic sent by the public network gateway module, whether the message traffic has a session identifier in the NAT device D2; if the message traffic has the session identifier, it is directly sent to the switch; if the message traffic has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D2 determines whether the message traffic is from the VxLAN tunnel or the public network gateway module; if the message traffic is from the VxLAN tunnel, it is sent to the switch; and if the message traffic is from the public network gateway module and the NAT device D2 finds, through BFD detection in the synchronization module, that the NAT device D1 is in a good state, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message traffic to the switch.
3. The system according to claim 1, wherein the NAT device D1 and the NAT device D2 each include a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool comprises a plurality of virtual machines (VMs); the virtual machine VM is used for sending and receiving message flow;
the network port em1 is connected to external equipment and is used for network management of the NAT device D1 and the NAT device D2;
the network port em2 is used for connecting the switch, and is used for transmitting message traffic between the switch and the NAT device D1 and between the switch and the NAT device D2;
the network port em3 is used for connecting the public network gateway module, and is used for transmitting message traffic between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2;
the two network ports em4 are used for establishing the synchronization module and are connected with each other through the synchronization module; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
4. The system according to claim 3, wherein the network port em2 is further configured such that, when the virtual machine VM sends message traffic to the switch, the switch divides the message traffic into two paths through the network port em2 and evenly sends the two paths as load, according to the LACP protocol, to the NAT device D1 and the NAT device D2, wherein the network port em2 converts the address of the virtual machine VM in the message traffic into the NAT address and sends the message traffic from the network port em3 to the public network gateway module;
the network port em3 is further configured to receive the message traffic from the public network gateway module, convert the NAT address in the message traffic into the address of the virtual machine VM, and then send the message traffic from the network port em2 back to the virtual machine VM.
5. A NAT gateway disaster recovery implementation method, characterized by comprising the following steps:
S1, the synchronization module establishes BFD detection between the NAT device D1 and the NAT device D2 and detects state synchronization between the NAT device D1 and the NAT device D2 in real time; moreover, the synchronization module establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization between the NAT device D1 and the NAT device D2;
S2, the computing virtualization resource pool sends message traffic to the switch, and the switch, according to the link aggregation control protocol LACP, divides the message traffic into two paths of load and evenly sends the two paths of load to the NAT device D1 and the NAT device D2;
S3, the NAT device D1 searches whether the message flow has a session identifier in the NAT device D1; if the session identifier exists, the message flow is directly sent to the public network gateway module; if the message flow does not have the session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from the VxLAN tunnel or the switch; if the message flow is from the VxLAN tunnel, the message flow is sent to the public network gateway module; if the message flow is from the switch, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the public network gateway module;
the NAT device D2 searches whether the message flow has a session identifier in the NAT device D2; if the session identifier exists, the message flow is directly sent to the public network gateway module; if the message flow does not have the session identifier, a new session identifier is established; after the session identifier is established, the NAT device D2 judges whether the message flow is from the VxLAN tunnel or the switch; if the message flow is from the VxLAN tunnel, the message flow is sent to the public network gateway module; if the message flow is from the switch, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits the message flow to the public network gateway module;
and S4, the public network gateway module transmits the message traffic to the external network.
6. The method according to claim 5, wherein the step S1 is preceded by a step S0: an LACP aggregation module controls the link aggregation control protocol LACP between the NAT device D1 and the switch to aggregate the message traffic, and the LACP aggregation module controls the link aggregation control protocol LACP between the NAT device D2 and the switch to aggregate the message traffic.
7. The method according to claim 5, wherein the step S4 is followed by a step S5 in which, after receiving the message traffic of the external network, the public network gateway module determines, according to routing calculation, whether to send the message traffic to the NAT device D1 or the NAT device D2;
S6, if the message flow is sent to the NAT device D1, the NAT device D1 searches whether the message flow has a session identifier in the NAT device D1; if the message flow has the session identifier, it is directly sent to the switch; if the message flow does not have the session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from the VxLAN tunnel or the public network gateway module; if the message flow is from the VxLAN tunnel, it is sent to the switch; if the message flow is from the public network gateway module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the switch;
if the message flow is sent to the NAT device D2, the NAT device D2 searches whether the message flow has a session identifier in the NAT device D2; if the message flow has the session identifier, it is directly sent to the switch; if the message flow does not have the session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D2 judges whether the message flow is from the VxLAN tunnel or the public network gateway module; if the message flow is from the VxLAN tunnel, it is sent to the switch; if the message flow is from the public network gateway module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the switch;
and S7, the switch transmits the message flow to the computing virtualization resource pool.
8. The method according to claim 7, wherein the NAT device D1 and the NAT device D2 are each provided with a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool is provided with a plurality of virtual machines (VMs), and the VM sends and receives message flow;
the network port em1 is connected to external equipment and is used for carrying out network management on the NAT device D1 and the NAT device D2;
the network port em2 transmits the message traffic between the switch and the NAT device D1 and between the switch and the NAT device D2; the virtual machine VM sends message traffic to the switch, and the switch divides the message traffic into two paths of load through the network port em2 and evenly sends the two paths of load to the NAT device D1 and the NAT device D2, wherein the network port em2, after converting the address of the virtual machine VM in the message traffic into the NAT address, sends the message traffic from the network port em3 to the public network gateway module;
the network port em3 transmits the message traffic between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2; the network port em3 receives the message traffic from the public network gateway module, converts the NAT address in the message traffic into the address of the virtual machine VM, and sends the message traffic from the network port em2 back to the virtual machine VM;
the two network ports em4 establish the synchronization module and are connected with each other through the synchronization module; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
9. The NAT gateway disaster recovery implementation method according to claim 5, wherein after the session identifier is newly created in step S3, the NAT device D1 determines whether the message traffic is from the VxLAN tunnel or the switch; if the message traffic is from the VxLAN tunnel, the NAT device D1 sends the message traffic to the public network gateway module; and if the message traffic is from the switch and the NAT device D1 finds, through BFD detection in the synchronization module, that the state of the NAT device D2 is good, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits the message traffic to the public network gateway module;
after the session identifier is newly established in step S3, the NAT device D2 determines whether the message traffic is from the VxLAN tunnel or the switch; if the message traffic is from the VxLAN tunnel, the NAT device D2 sends the message traffic to the public network gateway module; and if the message traffic is from the switch and the NAT device D2 finds, through BFD detection in the synchronization module, that the state of the NAT device D1 is good, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits the message traffic to the public network gateway module.
10. The method for implementing the NAT gateway disaster recovery according to claim 7, wherein after the session identifier is newly established in step S6, the NAT device D1 determines whether the message traffic is from the VxLAN tunnel or the public network gateway module; if the message traffic is from the VxLAN tunnel, the NAT device D1 sends the message traffic to the switch; and if the message traffic is from the public network gateway module and the NAT device D1 finds, through BFD detection in the synchronization module, that the state of the NAT device D2 is good, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 transmits the message traffic to the switch;
after the session identifier is newly established in step S6, the NAT device D2 determines whether the message traffic is from the VxLAN tunnel or the public network gateway module; if the message traffic is from the VxLAN tunnel, the NAT device D2 sends the message traffic to the switch; and if the message traffic is from the public network gateway module and the NAT device D2 finds, through BFD detection in the synchronization module, that the state of the NAT device D1 is good, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits the message traffic to the switch.
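As an added illustration that is not part of the patent, the following Python model implements the per-packet decision the claims describe for the NAT device pair: session lookup, the origin check (switch or public gateway versus VxLAN tunnel), the BFD-gated hand-off of a new session to the peer over the tunnel, and untranslation of return traffic. The session identifier format (a five-tuple), the shared NAT address 198.51.100.1 (documentation range), forwarding locally when BFD reports the peer down, and dropping inbound traffic that matches no session on either device are assumptions of the example, not statements of the patent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, proto
Mapping = Tuple[str, int]                  # translated (nat_ip, nat_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class NatDevice:
    name: str
    nat_ip: str                         # public NAT address shared by the pair
    peer: Optional["NatDevice"] = None
    peer_bfd_up: bool = True            # latest BFD verdict learned over port em4
    sessions: Dict[FlowKey, Mapping] = field(default_factory=dict)
    reverse: Dict[FlowKey, FlowKey] = field(default_factory=dict)
    next_port: int = 40000

    def _install(self, key: FlowKey, mapping: Mapping) -> None:
        """Record the session in both directions so return traffic can be untranslated."""
        src_ip, src_port, dst_ip, dst_port, proto = key
        self.sessions[key] = mapping
        self.reverse[(dst_ip, dst_port, mapping[0], mapping[1], proto)] = key
        # keep the allocator ahead of peer-learned mappings so NAT ports never collide
        self.next_port = max(self.next_port, mapping[1] + 1)

    def outbound(self, pkt: Packet, origin: str,
                 mapping: Optional[Mapping] = None) -> List[str]:
        """VM-to-public packet (claims 1 and 5); origin is 'switch' or 'tunnel'. Returns the hops."""
        if pkt.key() in self.sessions:                 # known session: forward directly
            return [self.name, "public_gateway"]
        if mapping is None:                            # new session: allocate a NAT port
            mapping = (self.nat_ip, self.next_port)
        self._install(pkt.key(), mapping)  # assumption: the tunnel carries the mapping
        if origin == "tunnel":
            return [self.name, "public_gateway"]
        if self.peer is not None and self.peer_bfd_up:
            # First packet of a flow from the switch: hand it to the peer over VxLAN
            # so both devices hold the session before it reaches the public side.
            return [self.name, "vxlan"] + self.peer.outbound(pkt, "tunnel", mapping)
        # Assumption: when BFD reports the peer down, forward locally (claims are silent).
        return [self.name, "public_gateway"]

    def inbound(self, pkt: Packet, origin: str = "gateway"
                ) -> Tuple[List[str], Optional[Packet]]:
        """Public-to-VM packet (claim 7). Returns hops and the untranslated packet, or None."""
        orig = self.reverse.get(pkt.key())
        if orig is not None:
            vm_ip, vm_port, remote_ip, remote_port, proto = orig
            return [self.name, "switch"], Packet(remote_ip, remote_port, vm_ip, vm_port, proto)
        if origin == "gateway" and self.peer is not None and self.peer_bfd_up:
            hops, restored = self.peer.inbound(pkt, "tunnel")   # let the peer look it up
            return [self.name, "vxlan"] + hops, restored
        # Assumption: unsolicited inbound traffic with no session anywhere is dropped.
        return [self.name, "drop"], None


def build_pair() -> Tuple[NatDevice, NatDevice]:
    """Constructed topology: D1 and D2 share NAT address 198.51.100.1 (documentation range)."""
    d1 = NatDevice("D1", "198.51.100.1")
    d2 = NatDevice("D2", "198.51.100.1", peer=d1)
    d1.peer = d2
    return d1, d2
```

The failover property worth checking is that return traffic the gateway routes to the surviving device still matches a session, because the first packet of every flow was pushed to the peer while BFD reported it healthy.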
CN202010148472.7A 2020-03-05 2020-03-05 NAT gateway disaster recovery implementation method and system thereof Active CN111404732B (en)
Publications (2)

Publication Number Publication Date
CN111404732A true CN111404732A (en) 2020-07-10
CN111404732B CN111404732B (en) 2023-04-07

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111800525A (en) * 2020-09-07 2020-10-20 Guangdong Eflycloud Computing Co Ltd Gateway redundancy method and system
CN113691645A (en) * 2021-08-17 2021-11-23 Inspur Cisco Networking Technology Co Ltd Method, device and storage medium for implementing NAT in an M-LAG environment
CN114567616B (en) * 2022-02-28 2023-10-31 Tianyi Security Technology Co Ltd Method, system and device for VxLAN NAT traversal

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100254255A1 (en) * 2002-10-18 2010-10-07 Foundry Networks, Inc. Redundancy support for network address translation (NAT)
CN102355479A (en) * 2011-07-19 2012-02-15 Hangzhou H3C Technologies Co Ltd Method and equipment for forwarding traffic of multi-NAT (network address translation) gateways
WO2014101708A1 (en) * 2012-12-26 2014-07-03 ZTE Corporation Data transmission method and network node in a layer 2 network
CN107547366A (en) * 2017-05-15 2018-01-05 New H3C Technologies Co Ltd Message forwarding method and device
CN108900414A (en) * 2018-06-08 2018-11-27 New H3C Technologies Co Ltd Forwarding table generation method and device
CN109644157A (en) * 2016-08-31 2019-04-16 Nicira Inc Edge node cluster network redundancy and fast convergence using underlay anycast VTEP IP
CN109743414A (en) * 2019-02-18 2019-05-10 National Computer Network and Information Security Management Center Method and computer-readable storage medium for improving address translation availability using redundant links

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
DIEGO KREUTZ, FERNANDO M.V. RAMOS: "Software-Defined Networking: A Comprehensive Survey", Proceedings of the IEEE *
PO-WEN CHI, MING-HUNG WANG: "SDN Migration: An Efficient Approach to Integrate OpenFlow Networks with STP-Enabled Networks", 2016 International Computer Symposium *
WANG TONG: "Design and Implementation of Application Networking for vBRAS Devices in Metropolitan Area Networks", China Master's Theses Full-text Database *
GAO TENGFEI: "Software Design and Implementation of a NAT Module Based on a CGN System", China Master's Theses Full-text Database *

Also Published As

Publication number Publication date
CN111404732B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant