CN111404732B - NAT gateway disaster recovery implementation method and system thereof - Google Patents

NAT gateway disaster recovery implementation method and system thereof

Info

Publication number: CN111404732B
Authority: CN (China)
Prior art keywords: nat device, message flow, nat, switch, message
Legal status: Active
Application number: CN202010148472.7A
Other languages: Chinese (zh)
Other versions: CN111404732A (en)
Inventors: 梁润强, 史伟, 闵宇, 李卢群
Current assignee: Guangdong Eflycloud Computing Co Ltd
Original assignee: Guangdong Eflycloud Computing Co Ltd

Events

Application filed by Guangdong Eflycloud Computing Co Ltd
Priority to CN202010148472.7A
Publication of CN111404732A
Application granted
Publication of CN111404732B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a method and a system for realizing NAT gateway disaster recovery. The system comprises a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT device module and a public network gateway module, wherein the NAT device module comprises NAT device D1 and NAT device D2. The computing virtualization resource pool sends and receives message traffic; the LACP aggregation module aggregates the message traffic across NAT device D1 and NAT device D2; the synchronization module establishes a VxLAN tunnel between NAT device D1 and NAT device D2. NAT device D1 and NAT device D2 both forward message traffic from the switch to the public network gateway module, or from the public network gateway module to the switch. When each address link is connected for the first time, session identifiers are newly established on NAT device D1 and NAT device D2, and the first message of the new connection is transmitted between them through the VxLAN tunnel in a redirection manner. The invention ensures that all messages can find the correct session, ensures efficiency and accuracy, and simplifies device deployment.

Description

NAT gateway disaster recovery implementation method and system thereof
Technical Field
The invention relates to the technical field of NAT gateways in cloud computing, in particular to a method and a system for realizing NAT gateway disaster recovery.
Background
Nowadays, the popularity of the internet and the wave of cloud computing make people increasingly dependent on the network environment. With the rapid development of the mobile internet, applications and services emerge endlessly, and application developers, service providers and the like need to bring their projects or products online quickly. In a conventional IDC data center they generally have to deploy their own server devices or rent others', and also build a complex network themselves, which inevitably consumes a great deal of time, manpower and material resources, is very prone to errors during deployment, and is not easy to expand or to provide with disaster recovery.
In a classical network, the user has very little network management capability on the cloud: the user has a virtual server in the classical network and only the ability to communicate with the public network; at most, security groups provide some security control, but network management capabilities such as network segment planning, subnet division, route management and public network access management through NAT are almost absent or very weak.
As the future development direction of cloud computing and virtualized networks, networking and service deployment will become simpler and more convenient. For a cloud computing center, NAT service is an indispensable requirement once a user uses a virtual network, and NAT service availability is crucial to user experience, so the cloud computing center needs to deploy stable NAT disaster recovery.
Currently, NAT disaster recovery in the industry is generally realized by VRRP for NAT active-standby redundancy, combined with active session synchronization. This approach has significant disadvantages: first, VRRP deployment is complicated and hard to manage, and under VRRP only the master device carries traffic, so the idle device is wasted; second, with active session synchronization it cannot be guaranteed that the other device will not receive a message of a session before that session has been synchronized, and active session synchronization also wastes device bandwidth, consumes device performance, and adds complexity to the device deployment.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and a system for implementing NAT gateway disaster recovery in which LACP is used to achieve cross-device aggregation so that all deployed devices take part in the work, device state is detected through BFD, and sessions are synchronized by redirecting the first message of each new connection. BFD detection finds device faults within milliseconds, and the new-connection message redirection ensures that every session is synchronized to the other device immediately, so that all messages of a session can find the correct session; this not only ensures efficiency and accuracy but also reduces consumption of device performance and simplifies device deployment.
In order to solve the technical problems, the invention provides the following technical scheme: a disaster recovery implementation system for an NAT gateway comprises a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, an NAT device module and a public network gateway module, wherein the NAT device module comprises an NAT device D1 and an NAT device D2;
the computing virtualization resource pool, the switch, the NAT equipment D1 and the public network gateway module are sequentially connected; the computing virtualization resource pool, the switch, the NAT equipment D2 and the public network gateway module are sequentially connected; the LACP aggregation module is connected with the NAT device D1, the NAT device D2 and the switch; the synchronization module is connected with the NAT device D1 and the NAT device D2;
the computing virtualization resource pool is used for sending and receiving message flow;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting the message traffic to the computing virtualization resource pool;
the LACP aggregation module is configured to: run the LACP (Link Aggregation Control Protocol) on the link between the NAT device D1 and the switch so as to aggregate message traffic; run the LACP on the link between the NAT device D2 and the switch so as to aggregate message traffic; the NAT device D1 and the NAT device D2 both use the same MAC address and operational key to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 form one aggregation group and cross-device aggregation is achieved;
the synchronization module is used for establishing BFD detection between the NAT device D1 and the NAT device D2, detecting the connection state between the NAT device D1 and the NAT device D2 and judging whether the connection state is state synchronization; the synchronization module is also used for establishing a VxLAN tunnel between the NAT device D1 and the NAT device D2, the NAT device D1 and the NAT device D2 transmit message flow through the VxLAN tunnel, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
the NAT device D1 and the NAT device D2 are both used for forwarding the message traffic of the switch to the public network gateway module, or forwarding the message traffic of the public network gateway module to the switch;
the NAT device D1 is further configured to: searching whether the message flow sent by the switch has a session identifier in the NAT equipment D1, and if so, directly sending the message flow to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, and if the message flow is from the switch and the NAT device D1 finds that the NAT device D2 is in a good state through BFD detection in the synchronization module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the public network gateway module;
the NAT device D2 is further configured to: searching whether the message flow sent by the switch has a session identifier in NAT equipment D2, and if so, directly sending the message flow to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D2 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, and if the message flow is from the switch and the NAT device D2 obtains the condition that the NAT device D1 is in a good state through BFD detection in the synchronization module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the public network gateway module;
the public network gateway module is used for receiving the message traffic of the NAT equipment D1 and the NAT equipment D2 and transmitting the message traffic to an external network; the public network gateway module is also used for receiving message traffic of an external network and determining whether the message traffic is sent to the NAT device D1 or the NAT device D2 according to routing calculation.
Further, the NAT device D1 is further configured to: searching whether the message flow sent by the public network gateway module has a session identifier in NAT equipment D1, and if so, directly sending the message flow to a switch; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a public network gateway module, if the message flow is from the VxLAN tunnel, the message flow is sent to the switch, and if the message flow is from the public network gateway module and the NAT device D1 knows that the NAT device D2 is in a good state through BFD detection in the synchronization module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the switch;
the NAT device D2 is further configured to: searching whether the message flow sent by the public network gateway module has a session identifier in NAT equipment D2, and if so, directly sending the message flow to a switch; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D2 determines whether the message flow is from a VxLAN tunnel or a public network gateway module, and sends the message flow to the switch if the message flow is from the VxLAN tunnel, and if the message flow is from the public network gateway module and the NAT device D2 finds that the NAT device D1 is in a good state through BFD detection in the synchronization module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the switch.
Further, the NAT device D1 and the NAT device D2 both include a network port em1, a network port em2, a network port em3, and a network port em4; the computing virtualization resource pool comprises a plurality of Virtual Machines (VMs); the virtual machine VM is used for sending and receiving message flow;
the network port em1 is used for externally connecting equipment and is used for carrying out network management on the NAT equipment D1 and the NAT equipment D2;
the network port em2 is used for connecting a switch and transmitting message flow between the switch and the NAT device D1 and message flow between the switch and the NAT device D2;
the network port em3 is used for connecting a public network gateway module, and is used for transmitting message traffic between the public network gateway module and the NAT device D1 and transmitting message traffic between the public network gateway module and the NAT device D2;
the two network ports em4 are used for establishing a synchronization module and are connected with each other through the synchronization module; and the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, wherein the VxLAN tunnel is used for session synchronization.
Further, the network port em2 is further configured to: when the virtual machine VM sends message traffic to the switch, the switch divides the traffic into two load paths according to the LACP protocol and sends them evenly to the NAT device D1 and the NAT device D2 through the network port em2, wherein the network port em2 converts the address of the virtual machine VM in the message traffic into the NAT address and then sends the message traffic from the network port em3 to the public network gateway module;
the network port em3 is further configured to: the network port em3 receives the message flow from the public network gateway module, converts the NAT address in the message flow into the address of the virtual machine VM, and then sends the message flow from the network port em2 back to the virtual machine VM.
The invention also aims to provide a method for realizing the disaster recovery of the NAT gateway, which comprises the following steps:
s1, a synchronization module establishes BFD detection between NAT equipment D1 and NAT equipment D2, and detects state synchronization between the NAT equipment D1 and the NAT equipment D2 in real time; moreover, the synchronization module establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
S2, under the link aggregation control protocol LACP, the computing virtualization resource pool sends message traffic to the switch, and the switch divides the message traffic into two load paths and sends them evenly to the NAT device D1 and the NAT device D2;
s3, the NAT device D1 searches whether the message flow has a session identifier in the NAT device D1, and if the session identifier exists, the message flow is directly sent to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, if the message flow is from the switch, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the public network gateway module;
the NAT device D2 searches whether the message flow has a session identifier in the NAT device D2, and if the session identifier exists, the message flow is directly sent to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D2 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, if the message flow is from the switch, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the public network gateway module;
and S4, the public network gateway module transmits the message flow to an external network.
Further, in step S0, before step S1, the LACP aggregation module runs the link aggregation control protocol LACP on the link between the NAT device D1 and the switch so as to aggregate the message traffic, and runs the LACP on the link between the NAT device D2 and the switch so as to aggregate the message traffic.
Further, after step S4, step S5 is further included, after the public network gateway module receives the message traffic of the external network, it determines whether to send the message traffic to the NAT device D1 or the NAT device D2 according to the routing calculation;
s6, if the message flow is sent to the NAT device D1, the NAT device D1 searches whether the message flow has a session identifier in the NAT device D1, and if the message flow has the session identifier, the message flow is directly sent to a switch; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a public network gateway module, if the message flow is from the VxLAN tunnel, the message flow is sent to the switch, if the message flow is from the public network gateway module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the switch;
if the message flow is sent to the NAT device D2, the NAT device D2 searches whether the message flow has a session identifier in the NAT device D2, and if the message flow has the session identifier, the message flow is directly sent to the switch; if the message flow does not have the session identifier, a new session identifier needs to be established; after the session identifier is newly established, the NAT device D2 judges whether the message flow is from a VxLAN tunnel or a public network gateway module, if the message flow is from the VxLAN tunnel, the message flow is sent to the switch, if the message flow is from the public network gateway module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the switch;
and S7, the switch transmits the message flow to the calculation virtualization resource pool.
Further, the NAT device D1 and the NAT device D2 are both provided with a network port em1, a network port em2, a network port em3, and a network port em4; the computing virtualization resource pool is provided with a plurality of Virtual Machines (VM), and the VM sends and receives message flow;
the network port em1 is externally connected with equipment and is used for carrying out network management on the NAT equipment D1 and the NAT equipment D2;
the network port em2 transmits the message flow between the switch and the NAT device D1, and transmits the message flow between the switch and the NAT device D2; the virtual machine VM sends message flow to the switch, the switch divides the message flow into two paths of loads and evenly sends the two paths of loads to the NAT device D1 and the NAT device D2 through the network port em2, wherein the network port em2 converts the address of the virtual machine VM in the message flow into an NAT address and then sends the message flow to the public network gateway module from the network port em3;
the network interface em3 transmits the message flow between the public network gateway module and the NAT device D1 and transmits the message flow between the public network gateway module and the NAT device D2; receiving the message flow from the public network gateway module at the network interface em3, converting an NAT address in the message flow into an address of the virtual machine VM, and then sending the message flow from the network interface em2 to the virtual machine VM;
the two network ports em4 establish a synchronization module and are connected with each other through the synchronization module; and the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, wherein the VxLAN tunnel is used for session synchronization.
Further, after the session identifier is newly established in the step S3, the NAT device D1 determines whether the message traffic is from a VxLAN tunnel or a switch, and if the message traffic is from a VxLAN tunnel, the message traffic is sent to the public network gateway module, and if the message traffic is from a switch, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message traffic to the public network gateway module; the method comprises the following steps: after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, and if the message flow is from the switch and the NAT device D1 obtains the condition that the NAT device D2 is in a good state through BFD detection in a synchronization module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the public network gateway module;
after the session identifier is newly established in the step S3, the NAT device D2 determines whether the message traffic is from a VxLAN tunnel or a switch, and if the message traffic is from a VxLAN tunnel, the message traffic is sent to the public network gateway module, and if the message traffic is from a switch, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits the message traffic to the public network gateway module; the method comprises the following steps: after the session identifier is newly built, the NAT device D2 determines whether the message flow is from a VxLAN tunnel or a switch, and sends the message flow to the public network gateway module if the message flow is from the VxLAN tunnel, and if the message flow is from the switch and the NAT device D2 finds that the NAT device D1 is in a good state through BFD detection in the synchronization module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the public network gateway module.
Further, after the session identifier is newly established in step S6, the NAT device D1 determines whether the message traffic is from the VxLAN tunnel or the public network gateway module, and if the message traffic is from the VxLAN tunnel, the message traffic is sent to the switch, and if the message traffic is from the public network gateway module, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message traffic to the switch; the method comprises the following steps: after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a public network gateway module, if the message flow is from the VxLAN tunnel, the message flow is sent to the switch, and if the message flow is from the public network gateway module and the NAT device D1 knows that the NAT device D2 is in a good state through BFD detection in the synchronization module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the switch;
after the session identifier is newly established in the step S6, the NAT device D2 determines whether the message traffic is from a VxLAN tunnel or a public network gateway module, and if the message traffic is from the VxLAN tunnel, the message traffic is sent to the switch, and if the message traffic is from the public network gateway module, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 transmits the message traffic to the switch; the method comprises the following steps: after the session identifier is newly established, the NAT device D2 determines whether the message flow is from a VxLAN tunnel or a public network gateway module, and sends the message flow to the switch if the message flow is from the VxLAN tunnel, and if the message flow is from the public network gateway module and the NAT device D2 finds that the NAT device D1 is in a good state through BFD detection in the synchronization module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the switch.
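The session handling that the system description and steps S3 and S6 above spell out for each device (look up the session; if absent, create it; forward directly if the packet came over the VxLAN tunnel; otherwise redirect the first packet to the neighbour only while BFD reports it healthy) can be exercised in a small simulation. The following Python is an added illustration by the editor, not code from the patent or from Guangdong Eflycloud. It models outbound new connections and reply traffic routed by the gateway to either device; the page's inbound new-session case is not modelled. Two details are assumptions not stated on the page: the tunnelled copy of the first packet carries the originating device's session record so the peer installs an identical mapping, and each device allocates NAT ports from its own range. Device names, addresses and ports are constructed.

```python
"""Simulation of first-packet redirection between two NAT devices.

Assumptions not on the page: the tunnelled copy carries the originating
device's session record, and each device has its own NAT port range.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import itertools

SWITCH, GATEWAY, TUNNEL = "switch", "gateway", "tunnel"
Key = Tuple[str, int, str, int]   # inside src ip/port, dst ip/port
Mapping = Tuple[str, int]         # NAT ip/port allocated for the flow


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    session: Optional[Tuple[Key, Mapping]] = None  # only on tunnelled copies


class NatDevice:
    def __init__(self, name: str, nat_ip: str, port_base: int):
        self.name, self.nat_ip = name, nat_ip
        self.peer: Optional["NatDevice"] = None
        self.peer_up = True               # latest BFD verdict (constructed)
        self.sessions: Dict[Key, Mapping] = {}
        self.reverse: Dict[Mapping, Key] = {}
        self._ports = itertools.count(port_base)
        self.out: List[Tuple[str, Packet]] = []   # forwarding log

    def _install(self, key: Key, mapping: Mapping) -> None:
        self.sessions[key] = mapping
        self.reverse[mapping] = key

    def _to_gateway(self, pkt: Packet, mapping: Mapping) -> str:
        self.out.append((GATEWAY, Packet(mapping[0], mapping[1], pkt.dst_ip, pkt.dst_port)))
        return f"{self.name}->gateway"

    def from_inside(self, pkt: Packet, source: str) -> str:
        """Outbound packet arriving from the switch or from the VxLAN tunnel."""
        key: Key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:                  # existing session: forward
            return self._to_gateway(pkt, self.sessions[key])
        # New session: a tunnelled copy brings the peer's mapping, otherwise
        # allocate a NAT port on this device.
        mapping = pkt.session[1] if source == TUNNEL else (self.nat_ip, next(self._ports))
        self._install(key, mapping)
        if source == TUNNEL:
            return self._to_gateway(pkt, mapping)
        if self.peer is not None and self.peer_up:
            # First packet from the switch: redirect it so the neighbour builds
            # the same session and forwards it to the gateway itself.
            copy = Packet(*key, session=(key, mapping))
            self.out.append((TUNNEL, copy))
            return self.peer.from_inside(copy, TUNNEL)
        return self._to_gateway(pkt, mapping)     # peer down per BFD: serve alone

    def from_outside(self, pkt: Packet) -> str:
        """Reply from the public gateway, which may route it to either device."""
        key = self.reverse.get((pkt.dst_ip, pkt.dst_port))
        if key is None:
            self.out.append(("drop", pkt))
            return f"{self.name}->drop"
        self.out.append((SWITCH, Packet(pkt.src_ip, pkt.src_port, key[0], key[1])))
        return f"{self.name}->switch"


def build_pair() -> Tuple[NatDevice, NatDevice]:
    d1 = NatDevice("D1", "203.0.113.10", 10000)
    d2 = NatDevice("D2", "203.0.113.10", 20000)
    d1.peer, d2.peer = d2, d1
    return d1, d2


def demo_new_connection() -> dict:
    """First packet hits D1; a later packet is hashed to D2; reply via either."""
    d1, d2 = build_pair()
    first = Packet("10.0.0.5", 40000, "198.51.100.7", 443)
    d1.from_inside(first, SWITCH)                  # new session, redirected to D2
    later_via_d2 = d2.from_inside(first, SWITCH)   # session already present
    reply = Packet("198.51.100.7", 443, "203.0.113.10", 10000)
    return {
        "same_mapping": d1.sessions == d2.sessions,
        "later_via_d2": later_via_d2,
        "reply_via_d1": d1.from_outside(reply),
        "reply_via_d2": d2.from_outside(reply),
        "redirects": sum(1 for hop, _ in d1.out + d2.out if hop == TUNNEL),
    }


def demo_peer_down() -> Tuple[str, int, int]:
    """BFD reports D2 down: D1 serves the new connection without redirecting."""
    d1, d2 = build_pair()
    d1.peer_up = False
    res = d1.from_inside(Packet("10.0.0.6", 40001, "198.51.100.7", 80), SWITCH)
    return res, len(d2.sessions), sum(1 for hop, _ in d1.out if hop == TUNNEL)
```

Running `demo_new_connection()` shows the property the description claims: after one redirected first packet, both devices hold the same session, so the later packet that the switch hashes to D2 and the reply that the gateway routes to either device are all translated without any further synchronization traffic. `demo_peer_down()` shows the BFD gate: when the peer is reported down, the device creates the session and forwards on its own, and nothing is sent into the tunnel. The tunnelled packet carrying the session record is what makes the two tables identical; without that (or some equivalent agreement on port allocation), two devices creating sessions independently would pick different NAT ports and the reply path would break.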
After the technical scheme is adopted, the invention has at least the following beneficial effects. The invention aggregates the two NAT devices across devices; with the LACP cross-device aggregation mode, all NAT devices work and provide NAT service at the same time, overcoming the defect of the VRRP redundancy protocol, under which only a single device provides service. For disaster recovery of the NAT devices, BFD detection is established between the two NAT devices, so that each device learns the state of the other within milliseconds; then, in the NAT module, the first message of a new connection is redirected to the neighbour through the VxLAN tunnel after judging whether the message belongs to a new connection, so that the neighbour establishes the same session immediately and all subsequent messages of the connection successfully find the session regardless of which device they pass through. This redirection method of synchronizing sessions is superior to the traditional method of actively synchronizing sessions between two devices, which not only requires an additional thread on the devices but can also cause problems such as lookup failure because a session has not been synchronized in time. The invention improves the efficiency, performance and accuracy of the whole system, is simple and convenient to deploy, and improves the stability of the whole system.
Drawings
Fig. 1 is a block diagram of a NAT gateway disaster recovery implementation system according to the present invention;
fig. 2 is a flowchart of the steps of a method for implementing NAT gateway disaster recovery according to the present invention.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict, and the present application is further described in detail with reference to the drawings and specific embodiments.
Example 1
As shown in Fig. 1, this embodiment provides a NAT gateway disaster recovery implementation system, which mainly comprises a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT device module and a public network gateway module, where the NAT device module comprises a NAT device D1 and a NAT device D2, the NAT device D1 and the NAT device D2 being devices of the same specification (identical performance and functions); the computing virtualization resource pool, the switch, the NAT device D1 and the public network gateway module are connected in sequence; the computing virtualization resource pool, the switch, the NAT device D2 and the public network gateway module are connected in sequence; the LACP aggregation module is connected with the NAT device D1, the NAT device D2 and the switch; the synchronization module is connected with the NAT device D1 and the NAT device D2;
the computing virtualization resource pool is used for sending and receiving message traffic; it comprises a plurality of virtual machines VM, such as VM1, VM2, VM3, VM4 and VM5, and each virtual machine VM sends and receives message traffic; the NAT device D1 and the NAT device D2 each comprise a network port em1, a network port em2, a network port em3 and a network port em4, and the functional specifications of the network ports em1 to em4 of the NAT device D1 are identical to those of the network ports em1 to em4 of the NAT device D2;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting the message traffic to the computing virtualization resource pool;
the LACP aggregation module is configured to: run the Link Aggregation Control Protocol (LACP) on the link between the NAT device D1 and the switch to aggregate message traffic; run LACP on the link between the NAT device D2 and the switch to aggregate message traffic; the NAT device D1 and the NAT device D2 both use the same MAC address and operational key to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 form one aggregation group and cross-device aggregation is achieved;
the specific configuration by which the LACP aggregation module places the NAT device D1 and the NAT device D2 in the same aggregation group follows the IEEE 802.3ad link aggregation standard: when several ports of one device are connected to the same switch for aggregation, the device and the switch exchange LACPDUs (link aggregation control protocol data units); LACP specifies that an aggregation group is uniquely identified by the system priority, the system ID (a MAC address) and the operational key, and that different ports within one aggregation group are distinguished by their port IDs. Under the same standard, when two devices each connect one port to the same switch to achieve cross-device aggregation, it suffices that the system priority, system ID (MAC) and operational key in the LACPDUs exchanged between each device and the switch are identical, while each device identifies its own port in the aggregation group with a different port ID; cross-device aggregation is then achieved by LACP. Keeping the system priority, system ID (MAC) and operational key of the two devices identical and their port IDs different can be done by manual configuration or by device information synchronization.
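A check for the LACP rule just described, added here as an example and not part of the patent or the applicant's implementation: it parses the actor information TLV from two constructed LACPDUs (the IEEE 802.3ad, now 802.1AX, LACPDU layout) as D1 and D2 would send them on em2, and reports whether the switch would bundle both ports into one aggregator, which requires identical system priority, system ID and operational key together with distinct port IDs. The MAC addresses, keys, port numbers and the state byte are constructed values.

```python
import struct
from typing import Dict, Tuple

# LACPDU payload after the Ethernet header (slow-protocol subtype 1):
#   subtype(1) version(1) | actor TLV: type=1(1) length=20(1) system_priority(2)
#   system_id(6) key(2) port_priority(2) port(2) state(1) reserved(3) | partner TLV ...
ACTOR_FMT = "!BBBBH6sHHHB3x"
ACTOR_LEN = struct.calcsize(ACTOR_FMT)   # 22 bytes: 2-byte header + 20-byte actor TLV
LACPDU_LEN = 110                          # fixed LACPDU length without the Ethernet header


def parse_actor(lacpdu: bytes) -> Dict[str, object]:
    """Return the actor fields of an LACPDU; raise ValueError if it is not one."""
    if len(lacpdu) < ACTOR_LEN:
        raise ValueError("LACPDU too short")
    (subtype, version, tlv_type, tlv_len, sys_prio, sys_id,
     key, port_prio, port, state) = struct.unpack(ACTOR_FMT, lacpdu[:ACTOR_LEN])
    if subtype != 0x01 or version != 0x01 or tlv_type != 0x01 or tlv_len != 20:
        raise ValueError("not an LACP actor information TLV")
    return {
        "system_priority": sys_prio,
        "system_id": ":".join(f"{b:02x}" for b in sys_id),
        "key": key,
        "port_priority": port_prio,
        "port": port,
        "state": state,
    }


def aggregator_id(actor: Dict[str, object]) -> Tuple[int, str, int]:
    """The triple that uniquely identifies an aggregation group to the partner (the switch)."""
    return (actor["system_priority"], actor["system_id"], actor["key"])


def same_aggregator(a: Dict[str, object], b: Dict[str, object]) -> Tuple[bool, str]:
    """Would the switch place these two ports, sent by two devices, in one aggregator?"""
    if aggregator_id(a) != aggregator_id(b):
        return False, "system priority / system ID / key differ: two separate LAGs"
    if (a["port_priority"], a["port"]) == (b["port_priority"], b["port"]):
        return False, "duplicate port ID inside one aggregator"
    return True, "same aggregator, distinct port IDs"


def build_actor_lacpdu(sys_prio: int, mac: str, key: int, port_prio: int, port: int,
                       state: int = 0x3D) -> bytes:
    """Constructed LACPDU carrying only the actor TLV, zero-padded to LACPDU_LEN."""
    sys_id = bytes(int(x, 16) for x in mac.split(":"))
    head = struct.pack(ACTOR_FMT, 0x01, 0x01, 0x01, 20, sys_prio, sys_id,
                       key, port_prio, port, state)
    return head + b"\x00" * (LACPDU_LEN - ACTOR_LEN)


# Sample LACPDUs as D1 and D2 would send them on em2 (constructed values).
SHARED_MAC = "00:11:22:33:44:55"
D1_PDU = build_actor_lacpdu(32768, SHARED_MAC, key=1, port_prio=32768, port=1)
D2_PDU = build_actor_lacpdu(32768, SHARED_MAC, key=1, port_prio=32768, port=2)
# Misconfigured D2 that kept its own MAC: the switch would see a second LAG.
D2_BAD_PDU = build_actor_lacpdu(32768, "00:11:22:33:44:66", key=1, port_prio=32768, port=2)


def check_pair(pdu_a: bytes, pdu_b: bytes) -> Tuple[bool, str]:
    return same_aggregator(parse_actor(pdu_a), parse_actor(pdu_b))
```

`check_pair(D1_PDU, D2_PDU)` reports a single aggregator, while `check_pair(D1_PDU, D2_BAD_PDU)` reports two separate LAGs; running the same check against LACPDUs captured on the switch side is the quickest way to confirm that the "manual setting or device information synchronization" mentioned above actually took effect on both devices.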
The synchronization module is used for establishing BFD detection between the NAT device D1 and the NAT device D2, detecting the connection state between them and determining whether their states are synchronized; the synchronization module is also used for establishing a VxLAN tunnel between the NAT device D1 and the NAT device D2, over which the two devices transmit message traffic, the VxLAN tunnel being used for session synchronization between them; the synchronization module is implemented as follows:
a) the network port em4 of the NAT device D1 is given the address ip_d1, and the network port em4 of the NAT device D2 is given the address ip_d2;
b) BFD detection is established between ip_d1 and ip_d2 to detect the state of the other side;
c) a VxLAN tunnel is established between ip_d1 and ip_d2 for redirecting the first message of each new connection.
The NAT device D1 and the NAT device D2 are both used for forwarding the message traffic of the switch to the public network gateway module, or forwarding the message traffic of the public network gateway module to the switch;
the NAT device D1 is further configured to: look up whether the message traffic sent by the switch already has a session identifier in the NAT device D1, and if so, send it directly to the public network gateway module; if it has no session identifier, establish a new session identifier; after the session identifier is newly established, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the NAT device D1 checks the NAT device D2 through the BFD detection of the synchronization module and, provided the NAT device D2 is in a good state, sends the message traffic to the NAT device D2 through the VxLAN tunnel, after which the NAT device D2 transmits it to the public network gateway module;
the new session identifier is established as follows:
A. the session identifier is built from the five-tuple of the message: source address, destination address, source port, destination port and protocol type; the NAT function translates the source address into the NAT address (or the destination address into a private address), but the session identifier is built from the untranslated addresses, so the original address is used rather than the NAT address;
B. the NAT device D1 and the NAT device D2 receive traffic from the virtual machines VM of the internal network on the network port em2, translate its source address into the designated NAT address and send it to the public network from the network port em3; traffic from the public network is received on the network port em3, its NAT address is translated into the address of a particular virtual machine VM, and it is then sent back to that virtual machine VM from the network port em2;
C. because address translation means that the same connection is seen with different five-tuples on the network port em2 and on the network port em3, one connection has more than one five-tuple. If a message sent by the virtual machine VM1 has the five-tuple [sip1, dip1, sp1, dp1, pro] on the network port em2, the five-tuple [sip1, dip1, sp1, dp1, pro] is first identified as session1; after address translation, assuming sip1 becomes nip1, the translated five-tuple [nip1, dip1, sp1, dp1, pro] is also identified as session1; a message of the same connection subsequently received from the network port em3 carrying nip1, dip1, sp1, dp1, pro therefore finds session1, nip1 is translated back to the original sip1, and the message is sent back to the virtual machine VM1;
D. in short, as long as the five-tuples before and after translation on the NAT device are identified with the same session, the corresponding session can be found in both directions and address translation is then performed. The NAT device D2 establishes new session identifiers in the same way as the NAT device D1.
The NAT device D2 is further configured to: look up whether the message traffic sent by the switch already has a session identifier in the NAT device D2, and if so, send it directly to the public network gateway module; if it has no session identifier, establish a new session identifier; after the session identifier is newly established, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the NAT device D2 checks the NAT device D1 through the BFD detection of the synchronization module and, provided the NAT device D1 is in a good state, sends the message traffic to the NAT device D1 through the VxLAN tunnel, after which the NAT device D1 transmits it to the public network gateway module.
The public network gateway module is used for receiving the message traffic of the NAT device D1 and the NAT device D2 and transmitting it to the external network; the public network gateway module is also used for receiving message traffic from the external network and determining by routing whether to send it to the NAT device D1 or to the NAT device D2;
the NAT device D1 is further configured to: look up whether the message traffic sent by the public network gateway module already has a session identifier in the NAT device D1, and if so, send it directly to the switch; if it has no session identifier, establish a new session identifier; after the session identifier is newly established, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the NAT device D1 checks the NAT device D2 through the BFD detection of the synchronization module and, provided the NAT device D2 is in a good state, sends the message traffic to the NAT device D2 through the VxLAN tunnel, after which the NAT device D2 transmits it to the switch;
the NAT device D2 is further configured to: look up whether the message traffic sent by the public network gateway module already has a session identifier in the NAT device D2, and if so, send it directly to the switch; if it has no session identifier, establish a new session identifier; after the session identifier is newly established, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the synchronization module detects the working state of the NAT device D1 and, provided the NAT device D1 is working normally, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel, after which the NAT device D1 transmits it to the switch.
The network port em1 is used to connect an external device (for example, a computer) for network management of the NAT devices: the network port em1 of the NAT device D1 is used by an external device to manage the NAT device D1, and the network port em1 of the NAT device D2 is used by an external device to manage the NAT device D2;
the network port em2 connects to the switch and carries message traffic between the switch and the NAT device D1 and between the switch and the NAT device D2. When a virtual machine VM sends message traffic to the switch, the switch splits it into two load paths according to LACP and sends them evenly to the network port em2 of the NAT device D1 and of the NAT device D2; the NAT device translates the address of the virtual machine VM in the message traffic into the NAT address and sends it to the public network gateway module from its network port em3. This must be refined as follows: when the NAT device D1 receives message traffic on its network port em2 and, after translating the address of the virtual machine VM into the NAT address, finds that it has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel and the NAT device D2 sends it to the public network gateway module through the network port em3 of the NAT device D2; if it already has a session identifier, the NAT device D1 sends it to the public network gateway module through its own network port em3. Likewise, when the NAT device D2 receives message traffic on its network port em2 and finds no session identifier after translation, it sends the traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 sends it to the public network gateway module through its network port em3; if there is a session identifier, the NAT device D2 sends it to the public network gateway module through its own network port em3;
the network port em3 connects to the public network gateway module and carries message traffic between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2. The network port em3 receives message traffic from the public network gateway module, the NAT device translates the NAT address in the message traffic into the address of the virtual machine VM, and the traffic is sent back to the virtual machine VM from the network port em2. This must be refined as follows: when the NAT device D1 receives message traffic on its network port em3 and, after translating the NAT address into the address of the virtual machine VM, finds that it has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel and the NAT device D2 sends it to the virtual machine VM through its network port em2; if it already has a session identifier, the NAT device D1 sends it to the virtual machine VM through its own network port em2. Likewise, when the NAT device D2 receives message traffic on its network port em3 and finds no session identifier after translation, it sends the traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 sends it to the virtual machine VM through its network port em2; if there is a session identifier, the NAT device D2 sends it to the virtual machine VM through its own network port em2;
the two network ports em4 (one on each NAT device) are used to build the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, which is used for session synchronization.
The advantage of the system of this embodiment is that the first message of each new connection passes through both NAT devices before reaching the virtual machine VM or the public network, so that every subsequent message of the connection finds the session it belongs to on whichever NAT device it passes through.
Example 2
As shown in Fig. 2, this embodiment provides a method for implementing NAT gateway disaster recovery based on the NAT gateway disaster recovery implementation system of Embodiment 1, with the following specific steps:
S11, the LACP aggregation module runs the Link Aggregation Control Protocol (LACP) on the link between the NAT device D1 and the switch to aggregate message traffic, and runs LACP on the link between the NAT device D2 and the switch to aggregate message traffic; the NAT device D1 and the NAT device D2 both use the same MAC address and operational key to establish LACP aggregation with the switch, so that the switch, the NAT device D1 and the NAT device D2 are combined into one aggregation group and cross-device aggregation is achieved;
S12, the synchronization module establishes BFD detection between the NAT device D1 and the NAT device D2 and detects state synchronization between the NAT device D1 and the NAT device D2 in real time; moreover, the synchronization module establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
S13, the computing virtualization resource pool sends message traffic to the switch, and the switch, according to LACP, splits the message traffic into two load paths and sends them evenly to the NAT device D1 and the NAT device D2;
S14, the NAT device D1 looks up whether the message traffic already has a session identifier in the NAT device D1, and if so, sends it directly to the public network gateway module; if it has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the synchronization module checks the working state of the NAT device D2 and, provided the NAT device D2 is working normally, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel and the NAT device D2 then transmits it to the public network gateway module, which completes the redirection of the message traffic from the NAT device D1 to the NAT device D2;
similarly, the NAT device D2 and the NAT device D1 perform the same message traffic transmission process: the NAT device D2 looks up whether the message traffic already has a session identifier in the NAT device D2, and if so, sends it directly to the public network gateway module; if it has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, it is sent to the public network gateway module; if from the switch, the synchronization module checks the working state of the NAT device D1 and, provided the NAT device D1 is working normally, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 then transmits it to the public network gateway module, which completes the redirection of the message traffic from the NAT device D2 to the NAT device D1;
s15, the public network gateway module transmits the message flow to an external network;
s16, after receiving the message traffic of the external network, the public network gateway module determines whether to send the message traffic to the NAT device D1 or the NAT device D2 according to routing calculation;
S17, if the message traffic is sent to the NAT device D1, the NAT device D1 looks up whether the message traffic already has a session identifier in the NAT device D1, and if so, sends it directly to the switch; if it has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D1 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the synchronization module checks the working state of the NAT device D2 and, provided the NAT device D2 is working normally, the NAT device D1 sends the message traffic to the NAT device D2 through the VxLAN tunnel and the NAT device D2 then transmits it to the switch, so that the message traffic is redirected from the NAT device D1 to the NAT device D2;
if the message traffic is sent to the NAT device D2, the NAT device D2 looks up whether the message traffic already has a session identifier in the NAT device D2, and if so, sends it directly to the switch; if it has no session identifier, a new session identifier is established; after the session identifier is newly established, the NAT device D2 determines whether the message traffic came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, it is sent to the switch; if from the public network gateway module, the synchronization module checks the working state of the NAT device D1 and, provided the NAT device D1 is working normally, the NAT device D2 sends the message traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 then transmits it to the switch, so that the message traffic is redirected from the NAT device D2 to the NAT device D1;
S18, the switch transmits the message traffic to the computing virtualization resource pool.
Further, the NAT device D1 and the NAT device D2 are both provided with a network port em1, a network port em2, a network port em3, and a network port em4; the computing virtualization resource pool is provided with a plurality of Virtual Machines (VM), and the VM sends and receives message flow;
the network port em1 connects to an external device for network management of the NAT device D1 and the NAT device D2;
the network port em2 carries message traffic between the switch and the NAT device D1 and between the switch and the NAT device D2; a virtual machine VM sends message traffic to the switch, and the switch sends it evenly in two load paths to the network port em2 of the NAT device D1 and of the NAT device D2, where the NAT device translates the address of the virtual machine VM in the message traffic into the NAT address and sends it to the public network gateway module from its network port em3. This must be refined as follows: when the NAT device D1 receives message traffic on its network port em2 and, after translating the address of the virtual machine VM into the NAT address, finds that it has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel and the NAT device D2 sends it to the public network gateway module through its network port em3; if it already has a session identifier, the NAT device D1 sends it to the public network gateway module through its own network port em3. Likewise, when the NAT device D2 receives message traffic on its network port em2 and finds no session identifier after translation, it sends the traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 sends it to the public network gateway module through its network port em3; if there is a session identifier, the NAT device D2 sends it to the public network gateway module through its own network port em3;
the network port em3 carries message traffic between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2; the network port em3 receives message traffic from the public network gateway module, the NAT device translates the NAT address in the message traffic into the address of the virtual machine VM, and the traffic is sent back to the virtual machine VM from the network port em2. This must be refined as follows: when the NAT device D1 receives message traffic on its network port em3 and, after translating the NAT address into the address of the virtual machine VM, finds that it has no session identifier, the NAT device D1 sends it to the NAT device D2 through the VxLAN tunnel and the NAT device D2 sends it to the virtual machine VM through its network port em2; if it already has a session identifier, the NAT device D1 sends it to the virtual machine VM through its own network port em2. Likewise, when the NAT device D2 receives message traffic on its network port em3 and finds no session identifier after translation, it sends the traffic to the NAT device D1 through the VxLAN tunnel and the NAT device D1 sends it to the virtual machine VM through its network port em2; if there is a session identifier, the NAT device D2 sends it to the virtual machine VM through its own network port em2;
the two network ports em4 (one on each NAT device) form the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4, and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, which is used for session synchronization.
Example 3
This embodiment provides a specific example of the NAT gateway disaster recovery implementation method of Embodiment 2, as follows:
Example (a): assume that the virtual machine vm1 accesses basic.com.
1. The virtual machine vm1 sends a SYN message to basic.com;
2. suppose the left NAT device D1 receives the message: it creates a session identifier as the message passes through the NAT module, and redirects the SYN message to the right NAT device D2 through the vxlan tunnel;
3. the right NAT device D2 receives the SYN message from the vxlan tunnel, creates the same session, and forwards the SYN message directly to the public network gateway from its network port em3;
4. subsequent messages exchanged between the virtual machine vm1 and basic.com on this connection, whether received by the left NAT device D1 or by the right NAT device D2, are processed by the NAT module and forwarded from the network port em2 or the network port em3 of the device that received them, and are not redirected to the neighbor NAT device through the vxlan tunnel.
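The behaviour described in steps A to D of Embodiment 1 and traced in Example (a) above, as an added simulation in Python that is not part of the patent or of the applicant's implementation. It models two NAT devices sharing one NAT address, indexes each session under the five-tuple before and after translation plus the mirrored reply tuples (step D; keying the reply direction by the mirrored tuple is a precision the text leaves implicit), redirects only the first message of a new connection over the tunnel while BFD reports the neighbor healthy, and replays the vm1 to basic.com exchange with the switch or the gateway handing each packet to either device. The addresses, the `dnat` static map for connections initiated from the public side, the choice to drop unsolicited public-side traffic that has no mapping, and the tunnel carrying the untranslated packet together with its original ingress side are all assumptions, not statements of the patent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, src_port, dst_port, proto)

# Constructed addresses: the patent names vm1 and basic.com but gives no numbers.
VM1 = "10.0.0.11"
NAT_IP = "203.0.113.10"    # NAT address shared by D1 and D2
SERVER = "198.51.100.80"   # stands in for basic.com


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self) -> FiveTuple:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def mirror(k: FiveTuple) -> FiveTuple:
    """Five-tuple of the reply direction: swap the addresses and swap the ports."""
    return (k[1], k[0], k[3], k[2], k[4])


@dataclass
class Session:
    private_ip: str
    nat_ip: str


@dataclass
class NatDevice:
    name: str
    nat_ip: str
    dnat: Dict[str, str] = field(default_factory=dict)  # public ip -> VM ip (assumed static map)
    peer: Optional["NatDevice"] = None
    bfd_peer_up: bool = True   # neighbor state learned from the BFD session on em4
    sessions: Dict[FiveTuple, Session] = field(default_factory=dict)
    egress: List[Tuple[str, Packet]] = field(default_factory=list)  # (port, packet) sent out
    redirected: int = 0
    dropped: int = 0

    def _create(self, pkt: Packet, side: str) -> Optional[Session]:
        """Step A: build the session from the UNtranslated five-tuple."""
        if side == "em2":                       # VM -> public: source NAT
            private, nat = pkt.src, self.nat_ip
            post = (nat, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        else:                                   # public -> VM: destination NAT
            private = self.dnat.get(pkt.dst)
            if private is None:                 # assumption: no mapping, drop unsolicited traffic
                return None
            nat = pkt.dst
            post = (pkt.src, private, pkt.sport, pkt.dport, pkt.proto)
        s = Session(private, nat)
        # Step D: the tuple before and after translation, plus the mirrored reply
        # tuples, all resolve to the one session, so both directions find it.
        for k in (pkt.key(), post, mirror(pkt.key()), mirror(post)):
            self.sessions[k] = s
        return s

    def _translate(self, pkt: Packet, s: Session, side: str) -> Tuple[str, Packet]:
        if side == "em2":   # out to the public gateway with the NAT source address
            return "em3", Packet(s.nat_ip, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        return "em2", Packet(pkt.src, s.private_ip, pkt.sport, pkt.dport, pkt.proto)

    def receive(self, pkt: Packet, side: str, via_tunnel: bool = False) -> None:
        """side: physical ingress, 'em2' (switch) or 'em3' (public gateway); via_tunnel:
        redirected by the neighbor over VxLAN (assumed to carry pkt and side unchanged)."""
        s = self.sessions.get(pkt.key())
        is_new = s is None
        if is_new:
            s = self._create(pkt, side)
            if s is None:
                self.dropped += 1
                return
        # Redirect only the first message of a new connection, only if it entered
        # on a physical port, and only while BFD reports the neighbor healthy.
        if is_new and not via_tunnel and self.peer is not None and self.bfd_peer_up:
            self.redirected += 1
            self.peer.receive(pkt, side, via_tunnel=True)
            return
        self.egress.append(self._translate(pkt, s, side))


def run_example3(picks: List[int], bfd_up: bool = True) -> Tuple[NatDevice, NatDevice]:
    """Replay Example (a); picks[i] is the device (0 = D1, 1 = D2) handed packet i."""
    d1 = NatDevice("D1", NAT_IP, bfd_peer_up=bfd_up)
    d2 = NatDevice("D2", NAT_IP, bfd_peer_up=bfd_up)
    d1.peer, d2.peer = d2, d1
    devs = (d1, d2)
    flow = [
        (Packet(VM1, SERVER, 40000, 80), "em2"),     # SYN from the VM via the switch
        (Packet(SERVER, NAT_IP, 80, 40000), "em3"),  # SYN/ACK via the public gateway
        (Packet(VM1, SERVER, 40000, 80), "em2"),     # ACK, same connection
    ]
    for (pkt, side), who in zip(flow, picks):
        devs[who].receive(pkt, side)
    return d1, d2
```

With `run_example3([0, 0, 1])` the SYN arrives at D1, is redirected once and leaves D2 on em3 with the NAT source address; the SYN/ACK routed to D1 and the ACK hashed to D2 both hit an existing session and are forwarded locally without touching the tunnel. With `bfd_up=False` D1 forwards the SYN itself and D2 never learns the session, which is the degraded single-device mode the BFD check is there to select.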
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various equivalent changes, modifications, substitutions and alterations can be made herein without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims (10)

1. A NAT gateway disaster recovery implementation system, characterized by comprising a computing virtualization resource pool, a switch, an LACP aggregation module, a synchronization module, a NAT device module and a public network gateway module, wherein the NAT device module comprises a NAT device D1 and a NAT device D2;
the computing virtualization resource pool, the switch, the NAT device D1 and the public network gateway module are connected in sequence; the computing virtualization resource pool, the switch, the NAT device D2 and the public network gateway module are connected in sequence; the LACP aggregation module is connected with the NAT device D1, the NAT device D2 and the switch; the synchronization module is connected with the NAT device D1 and the NAT device D2;
the computing virtualization resource pool is used for sending and receiving message flow;
the switch is used for transmitting the message traffic sent by the computing virtualization resource pool to the NAT equipment D1 and the NAT equipment D2, and for receiving the message traffic sent by the NAT equipment D1 and the NAT equipment D2 and then transmitting the message traffic to the computing virtualization resource pool;
the LACP convergence module is configured to include: controlling a link convergence control LACP protocol between the NAT device D1 and the switch to realize convergence of message flow; controlling a link between the NAT device D2 and the switch to converge and control an LACP (Link aggregation control protocol) protocol so as to realize the convergence of message flow; the method comprises the following steps that the NAT equipment D1 and the NAT equipment D2 both use the same MAC address and operation KEY to establish LACP convergence with a switch, so that the switch, the NAT equipment D1 and the NAT equipment D2 form a same convergence group, and cross-equipment convergence is achieved;
the synchronization module is used for establishing BFD detection between the NAT device D1 and the NAT device D2, detecting the connection state between the NAT device D1 and the NAT device D2 and judging whether the connection state is state synchronization or not; the synchronization module is also used for establishing a VxLAN tunnel between the NAT device D1 and the NAT device D2, the NAT device D1 and the NAT device D2 transmit message flow through the VxLAN tunnel, and the VxLAN tunnel is used for session synchronization between the NAT device D1 and the NAT device D2;
the NAT device D1 and the NAT device D2 are both used for forwarding the message traffic of the switch to the public network gateway module, or forwarding the message traffic of the public network gateway module to the switch;
the NAT device D1 is further configured to: searching whether the message flow sent by the switch has a session identifier in the NAT equipment D1, and if so, directly sending the message flow to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established by using the unconverted address; after the session identifier is newly established, the NAT device D1 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, and if the message flow is from the switch and the NAT device D1 obtains the condition that the NAT device D2 is in a good state through BFD detection in a synchronization module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and then the NAT device D2 transmits the message flow to the public network gateway module;
the NAT device D2 is further configured to: searching whether the message flow sent by the switch has a session identifier in NAT equipment D2, and if so, directly sending the message flow to a public network gateway module; if the message flow does not have the session identifier, a new session identifier needs to be established by using the unconverted address; after the session identifier is newly established, the NAT device D2 judges whether the message flow is from a VxLAN tunnel or a switch, if the message flow is from the VxLAN tunnel, the message flow is sent to a public network gateway module, and if the message flow is from the switch and the NAT device D2 obtains the condition that the state of the NAT device D1 is good through BFD detection in a synchronization module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and then the NAT device D1 transmits the message flow to the public network gateway module; the public network gateway module is used for receiving the message traffic of the NAT equipment D1 and the NAT equipment D2 and transmitting the message traffic to an external network; the public network gateway module is also used for receiving message traffic of an external network and determining whether the message traffic is sent to the NAT device D1 or the NAT device D2 according to routing calculation.
2. The system according to claim 1, wherein the NAT device D1 is further configured to: look up whether the message flow sent by the public network gateway module has a session identifier in the NAT device D1, and if so, send the message flow directly to the switch; if the message flow has no session identifier, establish a new session identifier using the untranslated address; after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message flow is sent to the switch; if it came from the public network gateway module and the NAT device D1 has learned through BFD detection in the synchronization module that the NAT device D2 is in a good state, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the switch;
the NAT device D2 is further configured to: look up whether the message flow sent by the public network gateway module has a session identifier in the NAT device D2, and if so, send the message flow directly to the switch; if the message flow has no session identifier, establish a new session identifier using the untranslated address; after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if it came from the VxLAN tunnel, the message flow is sent to the switch; if it came from the public network gateway module and the NAT device D2 has learned through BFD detection in the synchronization module that the NAT device D1 is in a good state, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the switch.
3. The system according to claim 1, wherein the NAT device D1 and the NAT device D2 each include a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool comprises a plurality of virtual machines (VMs); the virtual machines VM are used for sending and receiving message flow;
the network port em1 is used for connecting external equipment and carries out network management of the NAT device D1 and the NAT device D2;
the network port em2 is used for connecting the switch and transmits message flow between the switch and the NAT device D1 and between the switch and the NAT device D2;
the network port em3 is used for connecting the public network gateway module and transmits message flow between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2;
the two network ports em4 are used for establishing the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4 and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
4. The system according to claim 3, wherein the network port em2 is further configured to: when the virtual machine VM sends message flow to the switch, the switch divides the message flow into two load paths according to LACP load sharing and sends them evenly to the NAT device D1 and the NAT device D2 through the network port em2, where the network port em2 translates the address of the virtual machine VM in the message flow into the NAT address, after which the message flow is sent out to the public network gateway module from the network port em3;
the network port em3 is further configured to: receive message flow from the public network gateway module, translate the NAT address in the message flow into the address of the virtual machine VM, and then send the message flow back to the virtual machine VM from the network port em2.
5. A method for realizing disaster recovery of a NAT gateway, characterized by comprising the following steps:
S1, a synchronization module establishes BFD detection between a NAT device D1 and a NAT device D2 and detects state synchronization between the NAT device D1 and the NAT device D2 in real time; the synchronization module also establishes a VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization between the NAT device D1 and the NAT device D2;
S2, a computing virtualization resource pool sends message flow to a switch, and according to the Link Aggregation Control Protocol (LACP) the switch divides the message flow into two load paths and sends them evenly to the NAT device D1 and the NAT device D2;
S3, the NAT device D1 looks up whether the message flow has a session identifier in the NAT device D1, and if so, sends the message flow directly to a public network gateway module; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the message flow is sent to the public network gateway module; if from the switch, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the public network gateway module;
the NAT device D2 looks up whether the message flow has a session identifier in the NAT device D2, and if so, sends the message flow directly to the public network gateway module; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the message flow is sent to the public network gateway module; if from the switch, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the public network gateway module;
S4, the public network gateway module transmits the message flow to an external network;
S5, after receiving message flow from the external network, the public network gateway module determines by routing calculation whether the message flow is sent to the NAT device D1 or to the NAT device D2;
S6, if the message flow is sent to the NAT device D1, the NAT device D1 looks up whether the message flow has a session identifier in the NAT device D1, and if so, sends the message flow directly to the switch; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the switch;
if the message flow is sent to the NAT device D1, the NAT device D2 looks up whether the message flow has a session identifier in the NAT device D2, and if so, sends the message flow directly to the switch; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the switch;
S7, the switch transmits the message flow to the computing virtualization resource pool.
6. The method for realizing disaster recovery of a NAT gateway according to claim 5, wherein step S1 is preceded by a step S0 in which an LACP convergence module runs the Link Aggregation Control Protocol (LACP) on the link between the NAT device D1 and the switch so that message flow converges, and runs LACP on the link between the NAT device D2 and the switch so that message flow converges.
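The cross-device convergence in claims 1 and 6 rests on one fact about LACP: a switch places two links in the same aggregation group only when the LACPDUs arriving on them carry the same actor system identifier (system priority plus system MAC) and the same actor key, so D1 and D2 presenting identical values is what makes the switch treat them as one partner. The following added example, which is not code from the patent or its assignee, builds constructed LACPDUs (IEEE 802.1AX layout: actor TLV type 1, length 20), parses the actor fields a switch keys on, and groups ports into aggregators; the MAC addresses, keys and switch port names are sample values, and a fourth port whose partner clears the Aggregation state bit shows a link that is never pooled.

```python
"""How a switch decides that two links belong to one aggregator: the LACPDUs it
receives must carry the same actor system identifier (priority + MAC) and the
same actor key, which is exactly what the claims require D1 and D2 to present.
Added illustration, not the patent holder's code.  LACPDU layout follows IEEE
802.1AX (actor TLV type 1, length 20); the MACs, keys and switch port names are
constructed sample values."""
import struct
from typing import Dict, List, Tuple

LACP_SUBTYPE, LACP_VERSION = 0x01, 0x01
ACTOR_TLV, PARTNER_TLV, COLLECTOR_TLV, TERMINATOR_TLV = 0x01, 0x02, 0x03, 0x00
# Actor_State bit positions, least significant bit first.
STATE_BITS = ["activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]
AggregatorId = Tuple[int, str, int]  # (system priority, system MAC, key)


def build_lacpdu(system_mac: bytes, key: int, port_no: int, state: int,
                 system_priority: int = 32768) -> bytes:
    """Constructed LACPDU: subtype, version, actor/partner/collector/terminator TLVs."""
    actor = struct.pack("!BBH6sHHHB3x", ACTOR_TLV, 20, system_priority,
                        system_mac, key, 255, port_no, state)
    partner = struct.pack("!BBH6sHHHB3x", PARTNER_TLV, 20, 0, bytes(6), 0, 0, 0, 0)
    collector = struct.pack("!BBH12x", COLLECTOR_TLV, 16, 0)
    terminator = struct.pack("!BB", TERMINATOR_TLV, 0)
    return bytes([LACP_SUBTYPE, LACP_VERSION]) + actor + partner + collector + terminator


def parse_actor(pdu: bytes) -> Dict[str, object]:
    """Walk the TLVs and return the actor information the switch keys on."""
    if len(pdu) < 2 or pdu[0] != LACP_SUBTYPE or pdu[1] != LACP_VERSION:
        raise ValueError("not an LACPv1 PDU")
    offset = 2
    while offset + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[offset], pdu[offset + 1]
        if tlv_type == TERMINATOR_TLV:
            break
        if tlv_len < 2 or offset + tlv_len > len(pdu):
            raise ValueError("malformed TLV")  # refuse to walk past the buffer
        if tlv_type == ACTOR_TLV:
            if tlv_len != 20:
                raise ValueError("actor TLV must be 20 bytes")
            prio, mac, key, _pprio, port_no, state = struct.unpack_from(
                "!H6sHHHB", pdu, offset + 2)
            return {"system_priority": prio, "system_mac": mac.hex(":"), "key": key,
                    "port": port_no,
                    "state": {n: bool(state >> i & 1) for i, n in enumerate(STATE_BITS)}}
        offset += tlv_len
    raise ValueError("actor TLV missing")


def group_aggregators(pdus_by_port: Dict[str, bytes]) -> Dict[AggregatorId, List[str]]:
    """Switch side: one aggregator per distinct (priority, system MAC, key) of the partner."""
    groups: Dict[AggregatorId, List[str]] = {}
    for port, pdu in sorted(pdus_by_port.items()):
        info = parse_actor(pdu)
        if not info["state"]["aggregation"]:
            continue  # partner marks the link as individual: never aggregated
        ident = (info["system_priority"], info["system_mac"], info["key"])
        groups.setdefault(ident, []).append(port)
    return groups


def demo() -> Dict[AggregatorId, List[str]]:
    """D1 and D2 present the same system MAC and key, so the switch sees one group."""
    shared_mac = bytes.fromhex("02005e000001")  # constructed; used by both D1 and D2
    aggregatable = 0b0000_0101                  # activity | aggregation
    pdus = {
        "Gi1/0/1": build_lacpdu(shared_mac, 0x0011, 1, aggregatable),  # from D1 em2
        # Port numbers must differ between D1 and D2: the switch sees them as two
        # ports of one system, and port identifiers are unique within a system.
        "Gi1/0/2": build_lacpdu(shared_mac, 0x0011, 2, aggregatable),  # from D2 em2
        "Gi1/0/3": build_lacpdu(bytes.fromhex("02005e0000ff"), 0x0022, 1, aggregatable),
        "Gi1/0/4": build_lacpdu(shared_mac, 0x0011, 3, 0b0000_0001),   # individual link
    }
    return group_aggregators(pdus)
```

`demo()` returns two aggregators: the ports from D1 and D2 fall into one group keyed by the shared system identifier and key, the unrelated port forms its own, and the individual link is left out. The practical consequence for the design in the claims is that either a differing operation KEY or a differing MAC on one device silently splits the group into two independent LAGs, which is the first thing to check when cross-device convergence does not form.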
7. The method according to claim 5, wherein step S4 is followed by step S5 in which, after receiving message flow from the external network, the public network gateway module determines by routing calculation whether the message flow is sent to the NAT device D1 or to the NAT device D2;
S6, if the message flow is sent to the NAT device D1, the NAT device D1 looks up whether the message flow has a session identifier in the NAT device D1, and if so, sends the message flow directly to the switch; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the switch;
if the message flow is sent to the NAT device D1, the NAT device D2 looks up whether the message flow has a session identifier in the NAT device D2, and if so, sends the message flow directly to the switch; if the message flow has no session identifier, a new session identifier is established using the untranslated address; after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the switch;
S7, the switch transmits the message flow to the computing virtualization resource pool.
8. The method according to claim 7, wherein the NAT device D1 and the NAT device D2 are each provided with a network port em1, a network port em2, a network port em3 and a network port em4; the computing virtualization resource pool is provided with a plurality of virtual machines (VMs), and the virtual machines VM send and receive message flow;
the network port em1 is connected to external equipment and is used for carrying out network management of the NAT device D1 and the NAT device D2;
the network port em2 transmits message flow between the switch and the NAT device D1 and between the switch and the NAT device D2; the virtual machine VM sends message flow to the switch, and the switch divides the message flow into two load paths and sends them evenly to the NAT device D1 and the NAT device D2 through the network port em2, where the network port em2 translates the address of the virtual machine VM in the message flow into a NAT address, after which the message flow is sent out to the public network gateway module from the network port em3;
the network port em3 transmits message flow between the public network gateway module and the NAT device D1 and between the public network gateway module and the NAT device D2; the network port em3 receives message flow from the public network gateway module, translates the NAT address in the message flow into the address of the virtual machine VM, and then sends the message flow back to the virtual machine VM from the network port em2; the two network ports em4 establish the synchronization module and are connected to each other through it; the synchronization module detects state synchronization between the NAT device D1 and the NAT device D2 through the two network ports em4 and establishes the VxLAN tunnel between the NAT device D1 and the NAT device D2, the VxLAN tunnel being used for session synchronization.
9. The method for realizing disaster recovery of a NAT gateway according to claim 5, wherein the step in S3 in which, after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the switch, sends the message flow to the public network gateway module if it came from the VxLAN tunnel, and, if it came from the switch, sends the message flow to the NAT device D2 through the VxLAN tunnel for the NAT device D2 to transmit to the public network gateway module, specifically comprises: after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the message flow is sent to the public network gateway module; if from the switch and the NAT device D1 has learned through BFD detection in the synchronization module that the NAT device D2 is in a good state, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the public network gateway module;
and the step in S3 in which, after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the switch, sends the message flow to the public network gateway module if it came from the VxLAN tunnel, and, if it came from the switch, sends the message flow to the NAT device D1 through the VxLAN tunnel for the NAT device D1 to transmit to the public network gateway module, specifically comprises: after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the switch: if from the VxLAN tunnel, the message flow is sent to the public network gateway module; if from the switch and the NAT device D2 has learned through BFD detection in the synchronization module that the NAT device D1 is in a good state, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the public network gateway module.
10. The method according to claim 7, wherein the step in S6 in which, after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module, sends the message flow to the switch if it came from the VxLAN tunnel, and, if it came from the public network gateway module, sends the message flow to the NAT device D2 through the VxLAN tunnel for the NAT device D2 to transmit to the switch, specifically comprises: after the session identifier is newly established, the NAT device D1 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module and the NAT device D1 has learned through BFD detection in the synchronization module that the NAT device D2 is in a good state, the NAT device D1 sends the message flow to the NAT device D2 through the VxLAN tunnel, and the NAT device D2 then transmits the message flow to the switch;
and the step in S6 in which, after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module, sends the message flow to the switch if it came from the VxLAN tunnel, and, if it came from the public network gateway module, sends the message flow to the NAT device D1 through the VxLAN tunnel for the NAT device D1 to transmit to the switch, specifically comprises: after the session identifier is newly established, the NAT device D2 judges whether the message flow came from the VxLAN tunnel or from the public network gateway module: if from the VxLAN tunnel, the message flow is sent to the switch; if from the public network gateway module and the NAT device D2 has learned through BFD detection in the synchronization module that the NAT device D1 is in a good state, the NAT device D2 sends the message flow to the NAT device D1 through the VxLAN tunnel, and the NAT device D1 then transmits the message flow to the switch.
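The forwarding decision that claims 1, 2, 5 to 7, 9 and 10 repeat for each direction (look up the session identifier; if absent, create one from the untranslated address; then forward directly if the packet arrived over the VxLAN tunnel, or relay it through the tunnel when the BFD verdict says the peer is good) is what lets the public network gateway module route return traffic to either device. The added example below, which is not the patent holder's code, models D1 and D2 with port roles em2/em3/em4 from claims 3 and 8 and walks through that decision for an outbound session, the reply arriving at the other device, an inbound flow to a published service, and a new session while BFD reports the peer down. Several details the claims leave open are assumptions: both devices answer for one shared NAT address; the NAT port is derived deterministically from the VM address so both devices compute the same mapping from the untranslated first packet; an inbound packet with no session takes its inside address from a static DNAT rule or is dropped; and a device whose peer is down forwards the new session itself. All addresses are constructed sample values.

```python
"""Two-device NAT session hand-off modelled on the forwarding steps in the claims.
Added illustration, not the patent holder's code.  Assumptions the claims do not
state: one shared NAT address; deterministic NAT port so both devices compute the
same mapping from the untranslated first packet; inbound packets without a session
use a static DNAT rule or are dropped; a device whose BFD peer is down forwards a
new session itself.  All addresses are constructed sample values."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port roles from claims 3 and 8: em2 faces the switch, em3 the public network
# gateway module, em4 carries the VxLAN tunnel to the peer NAT device.
SWITCH, GATEWAY, TUNNEL = "em2", "em3", "em4"
Addr = Tuple[str, int]
Emitted = Tuple[str, str, Addr, Addr]  # (device, egress port, src, dst)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    ingress: str  # port the packet arrived on


class NatDevice:
    def __init__(self, name: str, nat_ip: str) -> None:
        self.name, self.nat_ip = name, nat_ip
        self.peer: Optional["NatDevice"] = None
        self.peer_up = True  # latest BFD verdict on the peer from the synchronization module
        self.out_sessions: Dict[Tuple[Addr, Addr], Addr] = {}  # (vm, remote) -> nat
        self.in_sessions: Dict[Tuple[Addr, Addr], Addr] = {}   # (remote, nat) -> vm
        self.dnat_rules: Dict[Addr, Addr] = {}                 # nat -> vm (assumed)

    def _peer_good(self) -> bool:
        return self.peer is not None and self.peer_up

    def _install(self, vm: Addr, remote: Addr, nat: Addr) -> None:
        # One session identifier, indexed for both directions of the flow.
        self.out_sessions[(vm, remote)] = nat
        self.in_sessions[(remote, nat)] = vm

    def forward(self, pkt: Packet) -> List[Emitted]:
        """Apply the lookup / create / relay decision; return the packets emitted."""
        if pkt.dst[0] == self.nat_ip:  # addressed to the NAT address: return traffic
            return self._inbound(pkt)
        return self._outbound(pkt)

    def _outbound(self, pkt: Packet) -> List[Emitted]:
        nat = self.out_sessions.get((pkt.src, pkt.dst))
        if nat is not None:  # session identifier exists: translate and send on
            return [(self.name, GATEWAY, nat, pkt.dst)]
        # New session identifier from the untranslated (VM) address.
        port = 1024 + zlib.crc32(f"{pkt.src[0]}:{pkt.src[1]}".encode()) % 64512
        nat = (self.nat_ip, port)
        self._install(pkt.src, pkt.dst, nat)
        if pkt.ingress == TUNNEL or not self._peer_good():
            return [(self.name, GATEWAY, nat, pkt.dst)]
        # From the switch with a healthy peer: relay the untranslated packet over
        # the tunnel so the peer installs the same session and emits it itself.
        return self.peer.forward(Packet(pkt.src, pkt.dst, TUNNEL))

    def _inbound(self, pkt: Packet) -> List[Emitted]:
        vm = self.in_sessions.get((pkt.src, pkt.dst))
        if vm is not None:
            return [(self.name, SWITCH, pkt.src, vm)]
        vm = self.dnat_rules.get(pkt.dst)
        if vm is None:
            return []  # no session and no published service: dropped (assumption)
        self._install(vm, pkt.src, pkt.dst)
        if pkt.ingress == TUNNEL or not self._peer_good():
            return [(self.name, SWITCH, pkt.src, vm)]
        return self.peer.forward(Packet(pkt.src, pkt.dst, TUNNEL))


def build_pair() -> Tuple[NatDevice, NatDevice]:
    d1, d2 = NatDevice("D1", "203.0.113.10"), NatDevice("D2", "203.0.113.10")
    d1.peer, d2.peer = d2, d1
    for dev in (d1, d2):  # constructed published service, configured on both
        dev.dnat_rules[("203.0.113.10", 8443)] = ("10.0.0.20", 443)
    return d1, d2


def failover_scenario() -> dict:
    """VM opens a session through D1; the gateway then routes the reply to D2."""
    d1, d2 = build_pair()
    vm, remote = ("10.0.0.5", 51000), ("198.51.100.7", 443)
    first = d1.forward(Packet(vm, remote, SWITCH))             # relayed; D2 emits it
    reply = d2.forward(Packet(remote, first[0][2], GATEWAY))   # D2 already has the session
    published = d1.forward(Packet(("192.0.2.9", 4000), ("203.0.113.10", 8443), GATEWAY))
    d1.peer_up = False                                         # BFD on D1 reports D2 down
    alone = d1.forward(Packet(("10.0.0.6", 52000), remote, SWITCH))  # no relay; D1 emits it
    return {
        "first": first[0][:2],
        "same_mapping": d1.out_sessions[(vm, remote)] == d2.out_sessions[(vm, remote)],
        "reply": (reply[0][0], reply[0][1], reply[0][3]),
        "published": (published[0][0], published[0][1], published[0][3]),
        "alone": alone[0][:2],
        "d2_missed_it": (("10.0.0.6", 52000), remote) not in d2.out_sessions,
    }
```

Running `failover_scenario()` shows the point of the relay: the first packet of the VM's session leaves through D2's em3 even though the switch delivered it to D1, both session tables now hold the same mapping, and when the gateway's routing sends the reply to D2 it is translated back to the VM without consulting D1. The last two entries show the cost of a BFD failure: a session created while the peer is reported down exists on one device only, so return traffic routed to the other device would miss it.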
CN202010148472.7A 2020-03-05 2020-03-05 NAT gateway disaster recovery implementation method and system thereof Active CN111404732B (en)

Publications (2)

Publication Number Publication Date
CN111404732A CN111404732A (en) 2020-07-10
CN111404732B true CN111404732B (en) 2023-04-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant