CN111464511A - Method for supporting multi-VPC isolation in cloud computing network - Google Patents


Info

Publication number: CN111464511A
Authority: CN (China)
Prior art keywords: message, tag, virtual machine, leaf, vpc
Priority date: 2020-03-18
Filing date: 2020-03-18
Publication date: 2020-07-28
Legal status: Pending at publication (the application was later rejected after publication; see Legal Events)
Application number: CN202010192875.1A
Other languages: Chinese (zh)
Inventor: 王丽君
Current assignee: Unicloud Technology Co Ltd
Original assignee: Unicloud Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 12/4645 Details on frame tagging
    • H04L 12/4666 Operational details on the addition or the stripping of a tag in a frame, e.g. at a provider edge node

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for supporting multi-VPC isolation in a cloud computing network, comprising a virtual machine outbound method and a virtual machine inter-access method. The method realizes a tenant isolation technique that supports many VPCs by dynamically expanding the Border and FW groups according to the number of virtual machines of an actual data center tenant, and greatly increases the number of VPCs that can be supported.

Description

Method for supporting multi-VPC isolation in cloud computing network
Technical Field
The invention belongs to the field of cloud computing networks, and particularly relates to a method for supporting multi-VPC isolation in a cloud computing network.
Background
At present, a data center in a conventional networking has only one group of firewall devices. The FW distinguishes which VPN instance a message belongs to by the message's VLAN Tag, so it can only tell apart 4K VLAN-based VPN instances (the 802.1Q VLAN ID is a 12-bit field), and the Leaf devices hold a one-to-one mapping between VLAN and VXLAN. As a result the whole data center supports only 4K VPN instances, that is, 4K VPCs, under the current networking, which is far from meeting the requirements of a large-scale cloud computing data center.
All outbound traffic of all tenants, together with functions such as SNAT, EIP and network ACL, is realized on one firewall. The device configuration therefore becomes excessive and the probability of device failure rises, and once the data center's firewall fails, no virtual machine in the whole data center can reach the external network.
Summary of the invention
In view of this, the present invention provides a method for supporting multi-VPC isolation in a cloud computing network, together with a new networking and implementation method for the data center, so that the number of isolated tenant VPCs the data center can support is increased: a VXLAN-scale number of VPCs (4K × 4K, the 24-bit VNI space) can be supported instead of a VLAN-scale number (4K), the configuration of each firewall device is reduced, the firewall failure probability is reduced, and the maintainability of the data center is improved.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
A method for supporting multi-VPC isolation in a cloud computing network comprises a virtual machine outbound method and a virtual machine inter-access method, wherein the virtual machine outbound method comprises the following steps:
A1, the server adds a VLAN Tag to the message sent by the virtual machine;
A2, after the message reaches the Leaf, the Leaf looks up its VLAN-to-VXLAN mapping, strips the VLAN Tag from the message and adds a VXLAN Tag;
A3, after the message reaches the designated Border through the Spine, the Border removes the VXLAN Tag and adds a VLAN Tag toward the FW;
A4, after the FW receives the message, it identifies which VPN the message belongs to by its VLAN Tag, performs NAT translation according to the NAT translation rule, and finally returns the message to the Border, which sends it to the external network through the aggregation switch;
the virtual machine inter-access method comprises the following steps:
B1, a VLAN Tag is added on the server to the IP message destined for virtual machine B;
B2, after the message reaches Leaf A, Leaf A looks up its VLAN-to-VXLAN mapping, removes the VLAN Tag of the message and adds a VXLAN Tag;
B3, after the message reaches Leaf B, where the target virtual machine B is located, through the Spine, Leaf B removes the VXLAN Tag and adds a VLAN Tag toward the server (this VLAN Tag and the VLAN Tag corresponding to the same VXLAN on Leaf A may be the same or different);
B4, after the server receives the message, it identifies which VPC the message belongs to by its VLAN Tag and then delivers the message to the designated virtual machine according to the destination IP.
Further, in step B1, the message to which the VLAN Tag is added on the server is sent by virtual machine A and has the IP of virtual machine B as its destination IP.
Further, in step B3, the VLAN Tag added on Leaf B and the VLAN Tag corresponding to the same VXLAN on Leaf A may be the same or different.
Compared with the prior art, the method for supporting multi-VPC isolation in the cloud computing network has the following advantages:
The invention provides a method for supporting multi-VPC isolation in a cloud computing network, which realizes multi-VPC tenant isolation by dynamically expanding the Border and FW groups according to the number of tenant VPCs in an actual data center, and greatly increases the number of VPCs supported.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the invention without limitation. In the drawings:
FIG. 1 is a schematic diagram of the new networking architecture of a data center and its north-south traffic flow according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the east-west traffic flow according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "central," "longitudinal," "lateral," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like are used in the orientation or positional relationship indicated in the drawings, which are merely for convenience in describing the invention and to simplify the description, and are not intended to indicate or imply that the referenced device or element must have a particular orientation, be constructed and operated in a particular orientation, and are therefore not to be construed as limiting the invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the invention, the meaning of "a plurality" is two or more unless otherwise specified.
In the description of the invention, it is to be noted that, unless otherwise explicitly specified or limited, the terms "mounted", "connected" and "coupled" are to be construed broadly, e.g. as fixed, detachable or integral connections; as mechanical or electrical connections; as direct connections or indirect connections through an intervening medium; or as internal communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific situation.
The invention will be described in detail with reference to the following embodiments with reference to the attached drawings.
As shown in FIG. 1 and FIG. 2, a method for supporting multi-VPC isolation in a cloud computing network comprises a virtual machine outbound method and a virtual machine inter-access method, where the virtual machine outbound method comprises the following steps:
A1, the server adds a VLAN Tag to the message sent by the virtual machine;
A2, after the message reaches the Leaf, the Leaf looks up its VLAN-to-VXLAN mapping, strips the VLAN Tag from the message and adds a VXLAN Tag;
A3, after the message reaches the designated Border through the Spine, the Border removes the VXLAN Tag and adds a VLAN Tag toward the FW;
A4, after the FW receives the message, it identifies which VPN the message belongs to by its VLAN Tag, performs NAT translation according to the NAT translation rule, and finally returns the message to the Border, which sends it to the external network through the aggregation switch;
the virtual machine inter-access method comprises the following steps:
B1, a VLAN Tag is added on the server to the IP message destined for virtual machine B;
B2, after the message reaches Leaf A, Leaf A looks up its VLAN-to-VXLAN mapping, removes the VLAN Tag of the message and adds a VXLAN Tag;
B3, after the message reaches Leaf B, where the target virtual machine B is located, through the Spine, Leaf B removes the VXLAN Tag and adds a VLAN Tag toward the server (this VLAN Tag and the VLAN Tag corresponding to the same VXLAN on Leaf A may be the same or different);
B4, after the server receives the message, it identifies which VPC the message belongs to by its VLAN Tag and then delivers the message to the designated virtual machine according to the destination IP.
In step B1, the message to which the VLAN Tag is added on the server is sent by virtual machine A and has the IP of virtual machine B as its destination IP.
In step B3, the VLAN Tag added on Leaf B and the VLAN Tag corresponding to the same VXLAN on Leaf A may be the same or different.
Here Leaf is an access switch, Spine is a core switch, Border is a border switch and FW is a firewall.
The specific implementation process comprises the following steps:
the system networking method comprises the following steps:
Because each group of Border and firewall devices supports 4K VLANs, when the number of VPCs to be supported has to be expanded, further groups of Border devices and firewall devices are added on top of the original networking, connected to the Spine devices, and then connected through the aggregation switch to the egress routing device.
The data center management layer method comprises the following steps:
Each Leaf supports 4K VLANs and can isolate 4K VPCs. The mapping from VLAN to VXLAN is recorded on the Leaf. The same VPC may use the same or different VLANs under different Leafs, since only the correspondence between VLAN and VXLAN needs to be recorded on each Leaf, but the same VPC must correspond to the same VXLAN on every Leaf.
The same VPC ultimately reaches the external network only through one group of Border and FW devices; different Borders carry different sets of VNI information, corresponding to different VPCs.
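The two rules in the preceding paragraphs (a VLAN-to-VXLAN table per Leaf with the same VPC on the same VNI everywhere, and exactly one Border/FW group per VPC) are what the tenant isolation actually rests on; a single wrong entry merges two tenants without any error being raised on the switches. The following is an added example, not code from the patent or from Unicloud, of the consistency checks a data center management layer would run over those tables before pushing them, together with the Border/FW group expansion described above. Table layouts, switch names and all values are assumed for the example.

```python
"""Added example, not code from the patent: consistency checks over the VLAN<->VXLAN
tables and the Border/FW group tables, plus the Border/FW group expansion the method
relies on. Limits are the standard ones (4094 usable VLAN IDs per switch or FW group,
2^24 VNIs); every table below is constructed for the example."""

MAX_VLANS = 4094
MAX_VNI = 1 << 24


def validate_fabric(leaf_tables, border_tables):
    """leaf_tables: {leaf: {vlan: (vpc, vni)}}, border_tables: {border: {fw_vlan: vni}}.
    Returns the list of isolation violations; an empty list means the tables are
    consistent: one VNI per VPC fabric-wide, one VPC per VNI on every Leaf, and exactly
    one Border/FW group serving each VPC (local VLAN IDs may differ between Leafs)."""
    problems = []
    vpc_vni = {}  # the VNI each VPC must use on every Leaf
    vni_vpc = {}  # the owner of each VNI
    for leaf, table in leaf_tables.items():
        if len(table) > MAX_VLANS:
            problems.append(f"{leaf}: {len(table)} VLANs exceed the 4K limit")
        seen_vni = {}
        for vlan, (vpc, vni) in table.items():
            if not (1 <= vlan <= MAX_VLANS and 0 <= vni < MAX_VNI):
                problems.append(f"{leaf}: VLAN {vlan} / VNI {vni} out of range")
            if vni in seen_vni:
                problems.append(f"{leaf}: VLANs {seen_vni[vni]} and {vlan} both map to VNI {vni}")
            seen_vni[vni] = vlan
            if vpc_vni.setdefault(vpc, vni) != vni:
                problems.append(f"{vpc}: VNI {vni} on {leaf} but VNI {vpc_vni[vpc]} elsewhere")
            if vni_vpc.setdefault(vni, vpc) != vpc:
                problems.append(f"VNI {vni}: used by {vni_vpc[vni]} and by {vpc} on {leaf}")
    vni_border = {}
    for border, table in border_tables.items():
        if len(table) > MAX_VLANS:
            problems.append(f"{border}: {len(table)} FW-side VLANs exceed the 4K limit")
        for fw_vlan, vni in table.items():
            if vni in vni_border:
                problems.append(f"VNI {vni}: served by {vni_border[vni]} and {border}, outbound path ambiguous")
            vni_border[vni] = border
    for vpc, vni in vpc_vni.items():
        if vni not in vni_border:
            problems.append(f"{vpc} (VNI {vni}): no Border/FW group, no outbound path")
    return problems


def plan_border_groups(vpc_vnis):
    """Assign every VPC's VNI to a Border/FW group and an FW-side VLAN, opening a new
    group once a group's 4K FW-side VLANs are used up (the dynamic expansion of Border
    and FW groups). Returns {border_name: {fw_vlan: vni}} as validate_fabric() expects."""
    groups = {}
    for index, vni in enumerate(sorted(vpc_vnis.values())):
        group, slot = divmod(index, MAX_VLANS)
        groups.setdefault(f"Border{group + 1}", {})[slot + 1] = vni
    return groups


# Constructed tables. GOOD: "red" keeps VNI 5001 on both Leafs although its local VLAN
# differs, and VLAN 100 on LeafB belongs to "blue". BAD: one VNI shared by two VPCs on
# LeafA, "red" carried on two different VNIs, and one VNI served by two Border groups.
GOOD_LEAFS = {"LeafA": {100: ("red", 5001)}, "LeafB": {200: ("red", 5001), 100: ("blue", 5002)}}
GOOD_BORDERS = {"Border1": {10: 5001, 11: 5002}}
BAD_LEAFS = {"LeafA": {100: ("red", 5001), 101: ("green", 5001)}, "LeafB": {200: ("red", 5003)}}
BAD_BORDERS = {"Border1": {10: 5001}, "Border2": {10: 5001}}
```

`validate_fabric(GOOD_LEAFS, GOOD_BORDERS)` returns an empty list, while the BAD tables produce four findings: the shared VNI on LeafA (reported once as a duplicate VLAN mapping and once as a VNI owned by two VPCs), the VNI mismatch for "red", and the VNI claimed by two Border groups. `plan_border_groups` with 5000 VPCs yields two groups, which is the expansion step of the networking method: the first group's 4094 FW-side VLANs fill up and a second Border/FW group is opened for the remainder.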
The path of virtual machine traffic to the external network (north-south traffic) is shown by the arrows in FIG. 1, and the specific steps are as follows:
1. the server adds a VLAN Tag to the message sent by the virtual machine;
2. after the message reaches the Leaf, the Leaf looks up its VLAN-to-VXLAN mapping, strips the VLAN Tag from the message and adds a VXLAN Tag;
3. after the message reaches the designated Border through the Spine, the Border removes the VXLAN Tag and adds a VLAN Tag toward the FW;
4. after receiving the message, the FW identifies which VPN the message belongs to by its VLAN Tag, performs NAT conversion according to the NAT conversion rule, and finally returns the message to the Border, which sends it to the external network through the aggregation switch.
The path of traffic between virtual machines (east-west traffic) is shown by the arrows in FIG. 2, and the specific steps are as follows:
1. virtual machine A sends a message whose destination IP is the IP of virtual machine B, and a VLAN Tag is added on the server;
2. after the message reaches Leaf A, Leaf A looks up its VLAN-to-VXLAN mapping, strips the VLAN Tag from the message and adds a VXLAN Tag;
3. after the message reaches Leaf B, where the destination virtual machine B is located, through the Spine, Leaf B removes the VXLAN Tag and adds a VLAN Tag toward the server (this VLAN Tag and the VLAN Tag corresponding to the same VXLAN on Leaf A may be the same or different);
4. after receiving the message, the server identifies which VPC the message belongs to by its VLAN Tag and then delivers the message to the designated virtual machine according to the destination IP.
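As an added example, not code from the patent or from Unicloud, the following models the tag operations of the north-south and east-west flows above byte by byte: the 802.1Q tag pushed on the server and popped on the Leaf, the VXLAN header carrying the VNI from Leaf through the Spine to the Border or to the far Leaf, and the per-VPC NAT on the FW keyed by the FW-side VLAN. Switch names, VLAN/VNI tables, MAC and IP addresses are assumed, the Spine is modelled as a direct hand-off, and the outer UDP/IP headers of the VXLAN tunnel are omitted.

```python
"""Added example, not code from the patent: a byte-level model of the tag handling in
steps A1-A4 (outbound) and B1-B4 (VM to VM). The 802.1Q tag and the VXLAN header follow
IEEE 802.1Q and RFC 7348; the outer UDP/IP of the VXLAN tunnel is omitted. Every table,
MAC and IP address below is constructed for the example."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800
VXLAN_I_FLAG = 0x08  # "VNI present" flag bit (RFC 7348)


def insert_vlan_tag(untagged, vid):
    """A1/B1: push an 802.1Q tag (TPID + TCI, PCP/DEI = 0) behind the two MAC addresses."""
    if not 1 <= vid <= 4094:  # 12-bit field; 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, vid) + untagged[12:]


def strip_vlan_tag(tagged):
    """Return (vid, untagged frame); reject frames that carry no tag."""
    tpid, tci = struct.unpack("!HH", tagged[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return tci & 0x0FFF, tagged[:12] + tagged[16:]


def vxlan_encap(vni, inner):
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI out of range")
    return struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8) + inner


def vxlan_decap(packet):
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN header without the I flag")
    return vni_field >> 8, packet[8:]


class VtepSwitch:
    """A Leaf (server-facing) or Border (FW-facing) switch with one VLAN<->VNI table.
    ingress: VLAN tag -> VXLAN (A2/B2); egress: VXLAN -> VLAN tag (A3/B3).
    A VLAN or VNI without a table entry is dropped (None), never passed through."""

    def __init__(self, name, vlan_to_vni):
        if len(set(vlan_to_vni.values())) != len(vlan_to_vni):
            raise ValueError(f"{name}: two VLANs share one VNI, tenants would merge")
        self.name = name
        self.vlan_to_vni = dict(vlan_to_vni)
        self.vni_to_vlan = {vni: vid for vid, vni in vlan_to_vni.items()}

    def ingress(self, tagged):
        vid, untagged = strip_vlan_tag(tagged)
        vni = self.vlan_to_vni.get(vid)
        return None if vni is None else vxlan_encap(vni, untagged)

    def egress(self, packet):
        vni, inner = vxlan_decap(packet)
        vid = self.vni_to_vlan.get(vni)
        return None if vid is None else insert_vlan_tag(inner, vid)


def ipv4_checksum(header20):
    total = sum(struct.unpack("!10H", header20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload=b""):
    """Minimal 20-byte IPv4 header (UDP protocol number, no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def fw_snat(tagged, nat_rules):
    """A4: the FW identifies the VPC by the FW-side VLAN tag and applies that VPC's SNAT
    rule (rewrite the IPv4 source, recompute the header checksum). Unknown VLAN -> drop."""
    vid, untagged = strip_vlan_tag(tagged)
    public_ip = nat_rules.get(vid)
    if public_ip is None:
        return None
    eth, ip = untagged[:14], untagged[14:]
    hdr = ip[:10] + b"\x00\x00" + ipaddress.IPv4Address(public_ip).packed + ip[16:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return insert_vlan_tag(eth + hdr + ip[20:], vid)


# Constructed topology. VPC "red" = VNI 5001, VPC "blue" = VNI 5002. "red" uses VLAN 100
# on Leaf A but VLAN 200 on Leaf B, while VLAN 100 on Leaf B belongs to "blue": only the
# VNI identifies the tenant inside the fabric; the VLAN ID is local to each switch.
LEAF_A = VtepSwitch("LeafA", {100: 5001})
LEAF_B = VtepSwitch("LeafB", {200: 5001, 100: 5002})
BORDER_1 = VtepSwitch("Border1", {10: 5001, 11: 5002})  # FW-side VLANs of Border/FW group 1
FW_NAT = {10: "203.0.113.10", 11: "203.0.113.11"}        # one SNAT rule per FW-side VLAN (= per VPC)
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")


def vm_frame(dst_mac, src_mac, src_ip, dst_ip, vid):
    """A1/B1: a VM's IPv4 packet, tagged on the server with the VM's local VLAN."""
    return insert_vlan_tag(dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + build_ipv4(src_ip, dst_ip), vid)


def north_south(leaf, border, nat_rules, tagged):
    """A2-A4: Leaf encap, Border decap toward the FW, FW SNAT. Returns the FW output or None."""
    packet = leaf.ingress(tagged)
    to_fw = None if packet is None else border.egress(packet)
    return None if to_fw is None else fw_snat(to_fw, nat_rules)


def east_west(leaf_src, leaf_dst, tagged):
    """B2-B3: Leaf A encap, Leaf B decap with Leaf B's own VLAN for that VNI."""
    packet = leaf_src.ingress(tagged)
    return None if packet is None else leaf_dst.egress(packet)


def src_ip_of(tagged):
    _, untagged = strip_vlan_tag(tagged)
    return str(ipaddress.IPv4Address(untagged[26:30]))
```

Run through the constructed topology, a "red" frame tagged 100 on Leaf A leaves Leaf B tagged 200 with the inner frame untouched, and on the outbound path reaches the FW tagged 10 and leaves it with source 203.0.113.10. Two things the byte-level model makes visible: the only tenant identifier that survives the Spine is the 24-bit VNI, so "red" and "blue" may both use VLAN ID 100 on different Leafs without ever meeting, and a switch with no table entry for a VLAN or VNI has to drop the frame rather than forward it untagged, since an untagged frame arriving at the FW could not be classified into any VPN and would fall outside every tenant's NAT and ACL rules.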
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the invention, so that any modifications, equivalents, improvements and the like, which are within the spirit and principle of the present invention, should be included in the scope of the present invention.

Claims (3)

1. A method for supporting multi-VPC isolation in a cloud computing network, characterized in that the method comprises a virtual machine outbound (external network access) method and a virtual machine mutual-access method, wherein the virtual machine outbound method comprises the following steps:
A1, the server adds a VLAN Tag to the message sent by the virtual machine;
A2, after the message reaches the Leaf, the Leaf looks up its VLAN-to-VXLAN mapping, strips the VLAN Tag of the message and adds a VXLAN Tag;
A3, after the message reaches the designated Border through the Spine, the Border removes the VXLAN Tag and adds a VLAN Tag toward the FW;
A4, after the FW receives the message, it identifies which VPN the message belongs to by its VLAN Tag, performs NAT translation according to the NAT translation rule, and finally returns the message to the Border, which sends it to the external network through the aggregation switch;
the virtual machine mutual-access method comprises the following steps:
B1, a VLAN Tag is added on the server to the IP message destined for virtual machine B;
B2, after the message reaches Leaf A, Leaf A looks up its VLAN-to-VXLAN mapping, removes the VLAN Tag of the message and adds a VXLAN Tag;
B3, after the message reaches Leaf B, where the target virtual machine B is located, through the Spine, Leaf B removes the VXLAN Tag and adds a VLAN Tag toward the server;
B4, after the server receives the message, it identifies which VPC the message belongs to by its VLAN Tag and then delivers the message to the designated virtual machine according to the destination IP.
2. The method of claim 1, wherein in step B1, the message to which the VLAN Tag is added on the server is sent by virtual machine A and has the IP of virtual machine B as its destination IP.
3. The method of claim 1, wherein in step B3, the VLAN Tag added on Leaf B and the VLAN Tag corresponding to the same VXLAN on Leaf A are the same or different.

Priority Applications (1)

Application Number: CN202010192875.1A (CN111464511A); Priority Date: 2020-03-18; Filing Date: 2020-03-18; Title: Method for supporting multi-VPC isolation in cloud computing network

Applications Claiming Priority (1)

Application Number: CN202010192875.1A (CN111464511A); Priority Date: 2020-03-18; Filing Date: 2020-03-18; Title: Method for supporting multi-VPC isolation in cloud computing network

Publications (1)

Publication Number: CN111464511A; Publication Date: 2020-07-28

Family

ID=71680838

Family Applications (1)

Application Number: CN202010192875.1A (CN111464511A, Pending); Priority Date: 2020-03-18; Filing Date: 2020-03-18; Title: Method for supporting multi-VPC isolation in cloud computing network

Country Status (1)

Country: CN; Link: CN111464511A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607308A (en) * 2013-11-29 2014-02-26 杭州东信北邮信息技术有限公司 Virtual machine multi-network management system and method in cloud computing environment
CN105939352A (en) * 2016-06-03 2016-09-14 汉柏科技有限公司 User isolation method and device based on session
CN107395508A (en) * 2016-05-17 2017-11-24 华为技术有限公司 Method and apparatus for forwarding packets
CN107579900A (en) * 2017-10-13 2018-01-12 锐捷网络股份有限公司 Method, apparatus and system for accessing a VXLAN network from a VLAN network
CN107623636A (en) * 2016-07-13 2018-01-23 华为技术有限公司 User isolation method and switch
WO2018028676A1 (en) * 2016-08-12 2018-02-15 新华三技术有限公司 Interworking of ethernet virtual private network (EVPN) and public network
CN108833250A (en) * 2018-06-22 2018-11-16 山东超越数控电子股份有限公司 Forwarding method between VxLAN and VLAN
CN109218158A (en) * 2017-07-05 2019-01-15 中国电信股份有限公司 VxLAN-based data transmission method, control method and controller, gateway, intermediate network element and system
CN109729019A (en) * 2018-12-28 2019-05-07 新华三技术有限公司 Rate limiting method and device for private line service in EVPN networking
EP3611619A1 (en) * 2018-08-14 2020-02-19 Juniper Networks, Inc. Multi-cloud virtual computing environment provisioning using a high-level topology description

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104492A (en) * 2020-09-07 2020-12-18 紫光云(南京)数字技术有限公司 Networking structure of cloud computing data center
CN112671629A (en) * 2020-09-24 2021-04-16 紫光云技术有限公司 Method for realizing private line access under cloud network
CN112671629B (en) * 2020-09-24 2023-01-03 紫光云技术有限公司 Method for realizing private line access under cloud network
CN112671826A (en) * 2020-11-25 2021-04-16 紫光云技术有限公司 Method for realizing issuing of virtual private cloud intercommunication configuration
CN114944952A (en) * 2022-05-20 2022-08-26 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN114944952B (en) * 2022-05-20 2023-11-07 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN111464511A (en) Method for supporting multi-VPC isolation in cloud computing network
CN103227757B Message forwarding method and device
JP4008432B2 (en) Apparatus and method for searching topology of network device
US9160701B2 (en) Addressing method, addressing apparatus, fabric manager, switch, and data routing method
US8787374B2 (en) Network system including lower and upper switches and link group interconnecting lower switches to upper switches, and method of operating the same
US8989188B2 (en) Preventing leaks among private virtual local area network ports due to configuration changes in a headless mode
US8214528B2 (en) Address identifier scaling in converged networks
CN102263704B (en) Topology construction method and device supporting layer 2 interconnection of data centers
CN104718733B Method and system for packet-based Identifier Locator Network Protocol (ILNP) load balancing and routing
CN109660443A (en) Physical equipment and virtual network communication method and system based on SDN
CN105871718B SDN inter-domain routing implementation method
EP2618535A1 (en) Method and system for realizing virtual machine mobility
US20160191462A1 (en) Message forwarding in a virtual local area network
EP3197107A1 (en) Message transmission method and apparatus
CN110505152B (en) Route filtering method and device and electronic equipment
CN103139037A (en) Method and device used for achieving flexible virtual local area network
CN102801820A (en) MAC address publishing method and device in EVI network
US11356357B2 (en) Proactive prefix disaggregation for traffic assurance in data center routing
CN103095508A (en) Business access method and edge device
CN113381936A (en) Network information processing method and device and network equipment
CN102780701B (en) Access control method and equipment
US10735276B2 (en) Server, communication method, and recording medium
CN107995124A (en) Traffic scheduling method and device
CN105591871B Method and apparatus for automatically discovering and configuring virtual private network branch nodes
JPH1127326A (en) Hierarchical lan switch network

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-07-28