CN111726305A - Virtual machine-oriented multistage flow table management and control method and system - Google Patents
Virtual machine-oriented multistage flow table management and control method and system Download PDFInfo
- Publication number
- CN111726305A CN111726305A CN202010558442.3A CN202010558442A CN111726305A CN 111726305 A CN111726305 A CN 111726305A CN 202010558442 A CN202010558442 A CN 202010558442A CN 111726305 A CN111726305 A CN 111726305A
- Authority
- CN
- China
- Prior art keywords
- flow table
- virtual machine
- message
- rule
- port
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/25—Routing or path finding in a switch fabric
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Abstract
The invention discloses a virtual machine-oriented multistage flow table management and control method and a virtual machine-oriented multistage flow table management and control system. The virtual machine-oriented multistage flow table management and control method comprises the following steps: generating a port-mac binding flow table rule and issuing the rule to a flow table 0; registering an idle flow table N, and issuing the port-mac binding flow table rule to the flow table N; generating a multi-stage flow table distribution rule and issuing the multi-stage flow table distribution rule to a flow table 1; when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-mac binding flow table rule of a flow table0, and then forwarding the flow table of the message to a corresponding flow table N according to a multi-level flow table distribution rule of a flow table 1. According to the control method and the control system, the flow table of the Openflow switch is used as the unique identifier of the network resource of the virtual machine through the Mac address of the virtual machine and the Mac address of the access network card of the virtual machine, so that the SDN controller can rapidly index and allocate resources, and the Mac address of the virtual machine is used as a key matching item distributed by the multi-stage flow table, so that the function of preventing the Mac address from being maliciously modified by the virtual machine can be achieved.
Description
Technical Field
The invention belongs to the field of network communication equipment, and particularly relates to a virtual machine-oriented multistage flow table management and control method and a virtual machine-oriented multistage flow table management and control system.
Background
An OpenFlow switch conforming to the OpenFlow standard has a built-in multi-stage flow table processing logic, and each stage of flow table contains a plurality of flow table rules. The F multi-stage Flow tables are arranged according to a digital sequence, the initial index number is from 0, any message entering the OpenFlow switch starts to be processed from Table0, the available range of the OpenFlow switch Flow Table ID is 0-253 according to the OpenFlow standard protocol, and 254 Flow tables are in total.
When a message enters a flow Table for processing, the message is sequentially matched with all flow Table rules in the flow Table according to Priority (Priority), when a successfully matched flow Table rule is found, an instactionset associated with the flow Table rule is executed, the instactionset can forward the message to other subsequent flow Table processing through a Goto Table instruction, or forward the message through a Drop instruction, or modify the content of the message through a Set field instruction, or forward the message to a specified network port through an output port instruction, or encapsulate the message into a packet-in message and send the packet-in message to an SDN controller.
If the message does not find a flow Table rule which can be successfully matched in a flow Table, the flow Table rule is called a Table Miss, and as for an action after the Table Miss occurs, the action depends on the configuration of the flow Table: 1) directly discarding, 2) continuously forwarding to a subsequent flow table, and 3) encapsulating into a packet-in message and sending to the SDN controller.
As shown in fig. 1, according to the logic characteristics of the multi-level flow tables of the Openflow standard, in combination with the service characteristics of the cloud computing virtual network, the Openflow execution efficiency and the definition of management logic can be effectively improved by managing the multi-level flow tables, and the following methods are generally adopted in the management of the multi-level flow tables in the industry at present:
1) using only one level of Flow Table
All flow table rules are placed in the same level of flow table, and the execution order of the flow tables is controlled by the priority. In this way, if the flow table rule of a certain virtual machine is excessive, the network forwarding performance of other unified compute node virtual machines can be directly influenced.
2) Allocating Flow tables according to network protocols
According to the Flow Table rule of the Flow Table0, forwarding to different Flow tables according to network protocols, such as a TCP (transmission control protocol), a UDP (user datagram protocol), an ICMP (internet control protocol) and an ARP (address resolution protocol) protocol through a Goto Table instruction is completed, the scheme can avoid that the Flow tables of a certain single protocol are too many to cause the performance of other message protocols to be damaged, the performance loss among different network protocols is effectively isolated, but the Flow Table rule of a certain virtual machine is avoided to cause the network forwarding performance of other virtual machines to be damaged.
3) Distributing Flow tables according to cloud network service functions
The service functions of the cloud network, such as security groups, ACLs, Subnet, NAT, Vpc, Route, and the like, are allocated to different Flow tables in a pipeline manner, such a scheme may improve the manageability of the cloud network, but still cannot solve the Flow Table rule of a certain virtual machine, which may result in the problem that the network forwarding performance of other virtual machines is damaged.
Disclosure of Invention
The invention aims to provide a virtual machine-oriented multistage flow table management and control method and a virtual machine-oriented multistage flow table management and control system, so as to prevent a virtual machine from maliciously modifying a Mac address.
Therefore, the invention provides a virtual machine-oriented multistage flow table management and control method, which comprises the following steps:
a static flow table management engine of the SDN controller generates a port-Mac binding flow table rule according to the Mac address information and the port number of the virtual machine, and issues the port-Mac binding flow table rule to a flow table 0;
a static flow table management engine of the SDN controller generates a multi-stage flow table distribution rule according to Mac address information, port numbers and IP addresses of the virtual machines and issues the multi-stage flow table distribution rule to a flow table 1;
inquiring IP address information and a table resource pool of the virtual machine in a database according to Mac address information of the virtual machine, registering an idle flow table N, and issuing the port-Mac binding flow table rule to the flow table N, wherein N is a natural number and N is 2-252;
when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-MAC binding flow table rule of the flow table0, and acquiring a network entry port number of the virtual machine, an MAC address of a source virtual machine, an MAC address of a target virtual machine, an IP address of the virtual machine and an IP address of the target virtual machine according to the port-MAC binding flow table rule of the flow table 0; then forwarding the flow table of the message to a corresponding flow table N according to a multi-stage flow table distribution rule of the flow table 1;
and if the flow table processing rule of the flow table N is matched with the message, completing response processing on the message according to the flow table processing rule of the flow table N.
Preferably, after forwarding the flow table of the packet to the corresponding flow table N, the method further includes:
if the processing flow table rule of the flow table N does not match the message, the Openflow switch sends the message to an SDN controller through an OFPT _ PACKET _ IN message of an Openflow protocol;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message to extract a source target Mac address and query a FlowTable resource pool so as to obtain a required flow table number of the message;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, generates a corresponding flow table processing rule according to the networking logic of the cloud network, and issues the flow table processing rule to a flow table N corresponding to the flow table number;
and finishing response processing on the message according to the issued flow table processing rule.
Preferably, before the static flow table management engine of the SDN controller generates the port-mac binding flow table rule, the method further includes:
the cloud platform creates a virtual machine, initializes the Mac address of the virtual machine and the Mac address of the virtual network card through a preset conversion rule, and accesses the virtual network card into the Openflow switch;
the Openflow switch sends the change event of the network card access to the SDN controller through an OFP _ PORT _ STATUS message of an Openflow protocol;
receiving the OFP _ PORT _ STATUS message by a static flow table management engine of the SDN controller, extracting a virtual network card name, and judging whether the virtual network card is a virtual machine network card or not by using the virtual network card name according to a virtual machine access network card definition rule;
if the name of the virtual network card is not the virtual machine network card, issuing a flow table rule, and forwarding the message matched with the network inlet to the flow table 1; and if the virtual network card is a virtual machine access network card, extracting Mac address information of the virtual network card, and converting the Mac address of the virtual network card into the Mac address of the virtual machine through a preset conversion rule.
Preferably, the OFP _ PORT _ STATUS message includes a name of the virtual network card, a Mac address, and a PORT number.
Preferably, the port-mac binding flow table rule includes:
the port number of the network inlet of the matched message is the port number of the virtual machine access network card, the source Mac address is the Mac address of the virtual machine, and the execution action is to forward the message to the flow table 1;
if the matching is hit, forwarding to the flow table 1;
and if the matching is not hit, executing the next flow hopping table rule, wherein the port number of the network inlet of the matched message is the port number of the virtual machine access network card, and the execution action is discarding.
Preferably, when the multi-level flow Table distribution rule is issued to the flow Table N, the execution action of the Table Miss is configured to be encapsulated into an OFPT _ PACKET _ IN message and sent to the SDN controller.
Preferably, the flow table rule logic of the multi-stage flow table distribution includes:
a) if the network inlet of the matching message is the network access port number of the virtual machine, forwarding the matching message to a flow table N allocated by the virtual machine;
b) if the network inlet of the matching message is an uplink port of the switch and the target Mac address is a virtual machine Mac, forwarding the matching message to a flow table N allocated by the virtual machine;
c) if the network inlet of the matching message is an uplink port of the switch, the target IP address is a virtual machine IP and the network protocol is an Ipv4 protocol, forwarding the matching message to a flow table N allocated by the virtual machine;
d) if the network inlet of the matching message is an uplink port of the switch, the target IP address is a virtual machine IP and the network protocol is an Ipv6 protocol, forwarding the matching message to a flow table N allocated by the virtual machine;
e) and if the network inlet of the matching message is an uplink port of the switch, the target IP address is the IP of the virtual machine and the network protocol is the arp protocol, forwarding the matching message to a flow table N allocated by the virtual machine.
A virtual machine oriented multi-level flow table management system for managing multi-level flow table processing for an OpenFlow switch, comprising a controller and a memory, the memory having stored therein computer program code, the controller executing the computer program code stored in the memory to perform the steps of:
a static flow table management engine of the SDN controller generates a port-Mac binding flow table rule according to the Mac address information and the port number of the virtual machine, and issues the port-Mac binding flow table rule to a flow table 0;
a static flow table management engine of the SDN controller generates a multi-stage flow table distribution rule according to Mac address information, port numbers and IP addresses of the virtual machines and issues the multi-stage flow table distribution rule to a flow table 1;
inquiring IP address information and a table resource pool of the virtual machine in a database according to Mac address information of the virtual machine, registering an idle flow table N, and issuing the port-Mac binding flow table rule to the flow table N, wherein N is a natural number and N is 2-252;
when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-MAC binding flow table rule of the flow table0, and acquiring a network entry port number of the virtual machine, an MAC address of a source virtual machine, an MAC address of a target virtual machine, an IP address of the virtual machine and an IP address of the target virtual machine according to the port-MAC binding flow table rule of the flow table 0; then forwarding the flow table of the message to a corresponding flow table N according to a multi-stage flow table distribution rule of the flow table 1;
and if the flow table processing rule of the flow table N is matched with the message, completing response processing on the message according to the flow table processing rule of the flow table N.
Preferably, after forwarding the flow table of the packet to the corresponding flow table N, the method further includes:
if the processing flow table rule of the flow table N does not match the message, the Openflow switch sends the message to an SDN controller through an OFPT _ PACKET _ IN message of an Openflow protocol;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message to extract a source target Mac address and query a FlowTable resource pool so as to obtain a required flow table number of the message;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, generates a corresponding flow table processing rule according to the networking logic of the cloud network, and issues the flow table processing rule to a flow table N corresponding to the flow table number;
and finishing response processing on the message according to the issued flow table processing rule.
Preferably, before the static flow table management engine of the SDN controller generates the port-mac binding flow table rule, the method further includes:
the cloud platform creates a virtual machine, initializes the Mac address of the virtual machine and the Mac address of the virtual network card through a preset conversion rule, and accesses the virtual network card into the Openflow switch;
the Openflow switch sends the change event of the network card access to the SDN controller through an OFP _ PORT _ STATUS message of an Openflow protocol;
receiving the OFP _ PORT _ STATUS message by a static flow table management engine of the SDN controller, extracting a virtual network card name, and judging whether the virtual network card is a virtual machine network card or not by using the virtual network card name according to a virtual machine access network card definition rule;
if the name of the virtual network card is not the virtual machine network card, issuing a flow table rule, and forwarding the message matched with the network inlet to the flow table 1; and if the virtual network card is a virtual machine access network card, extracting Mac address information of the virtual network card, and converting the Mac address of the virtual network card into the Mac address of the virtual machine through a preset conversion rule.
Compared with the prior art, the virtual machine-oriented multistage flow table management and control method and system provided by the invention have the following beneficial effects:
1) the Flow Table (Flow Table) of the Openflow switch is used as a network resource of a virtual machine, the Mac address of the virtual machine and the Mac address of the virtual machine access network card are used as unique identifiers of the network resource of the virtual machine, rapid index and resource allocation of an SDN controller are achieved, and the Mac address of the virtual machine is used as a key matching item distributed by a multi-stage Flow Table, so that the function of preventing the virtual machine from modifying the Mac address maliciously can be achieved.
2) According to the Flow Table multi-stage Flow Table allocation method of the virtual machines, Flow Table rules generated by the multiple virtual machines are strictly isolated, the same node is guaranteed, the Flow Table rules of some virtual machines are too many, the network performance of other virtual machines cannot be influenced, and the processing performance and the rationality of an Openflow switch of a cloud network are improved through a reasonable Flow Table allocation mode.
3) The virtual machine to which the message belongs is sent through the MAC address, the IP address and the Ethernet protocol, and the Flow Table is guided to the corresponding Flow Table through the Flow Table rule, so that the accuracy and the efficiency of the network according to the Flow Table guide of the multi-stage Flow Table of the virtual machine are guaranteed.
Drawings
Fig. 1 is a schematic diagram of a multi-stage flow table processing logic built into an OpenFlow switch.
Fig. 2 is a schematic structural diagram of a virtual machine-oriented multi-stage flow table management and control system.
Fig. 3 is a flowchart of a virtual machine-oriented multi-stage flow table management method.
Detailed Description
The invention will be further explained with reference to the drawings.
Fig. 2 is a schematic structural diagram of a virtual machine-oriented multi-stage flow table management system, which is used to manage multi-stage flow table processing of an OpenFlow switch, as shown in fig. 2. The virtual machine-oriented multi-stage flow table management and control system comprises a controller and a memory, wherein computer program codes are stored in the memory, and the controller runs the computer program codes stored in the memory to execute the virtual machine-oriented multi-stage flow table management and control method.
The multi-stage Flow Table management and control system for the virtual machine plans a Flow Table (Flow Table)0 as a virtual machine Port-mac relation binding function. By taking the Mac address of the virtual machine as a key matching item distributed by the multi-stage flow table, the effect of preventing the Mac address from being maliciously modified by the virtual machine can be achieved.
Next, the Flow Table 1 is used as a multi-level Flow Table distribution function, and is used for matching and multi-level Flow Table distribution according to the IP address, Mac address, and port Number of the virtual machine. And the Flow Table N (N is natural and N is 2-252) is used as an independent Flow Table resource allocated to each virtual machine. The Flow Table 253 serves as a Flow Table for processing non-allocated packets, such as unknown ARP broadcast, unknown unicast packets, and the like.
When a virtual machine network card is created to access to the Openflow switch, the Openflow switch sends change information of a network interface to the SDN controller through an OPFT _ PORT _ STATUS message of an Openflow protocol. And the SDN controller acquires information such as a Mac address, a network card name, a Port Number and the like of the network interface according to the OPFT _ PORT _ STATUS message, and converts and acquires the Mac address of the virtual machine through a conversion rule of the Mac address of the network interface of the switch and the Mac address of the network card of the virtual machine. And according to the virtual Mac address, acquiring the IP address of the virtual machine through the local data record, acquiring the Flow Table ID of the space through the Flow Table resource pool, and recording that the Flow Table ID is occupied by the virtual machine Mac address.
Generating a Port-Mac bound Flow Table rule according to a Mac address of a virtual machine and a Port number of an access network card through a static Flow Table management engine of the SDN controller, issuing the Flow Table rule to a Flow Table0 of an Openflow switch, generating a multi-stage Flow Table distribution rule of the virtual machine according to the Mac address and an IP address of the virtual machine, issuing the multi-stage Flow Table distribution rule to a Flow Table 1 of the Openflow switch, and issuing the Flow Table rule of the SDN controller reported by the Table micro to the Flow Table N of the Openflow switch according to the distributed Flow Table N of the virtual machine. When a Table Miss occurs, the SDN controller acquires an OFPT _ PACKET _ IN message reported by the Openflow switch, inquires FlowTable resources according to Mac address information of the OFPT _ PACKET _ IN message, acquires an allocated FlowTable ID, calculates a Flow Table rule according to cloud network services and issues the Flow Table rule to a corresponding FlowTable ID of the Openflow switch, and the method for managing the multistage Flow tables allocated according to the virtual machines is realized.
Fig. 3 is a flowchart of a virtual machine-oriented multi-stage flow table management method, and as shown in fig. 3, the virtual machine-oriented multi-stage flow table management method includes steps S301 to S311.
Step S301: the cloud platform creates a virtual machine, initializes and sets a Mac address of the virtual machine and a Mac address of a virtual network card through a self-defined conversion rule, if the Mac address of the virtual machine network card is d0:0d:44:00:00:01, the Mac address of the virtual network card is fe:0d:44:00:00:01, and the virtual network card is accessed to the Openflow switch.
Step S302: and the Openflow switch sends the change event of the network card access to the SDN controller through an OFP _ PORT _ STATUS message of an Openflow protocol. The OFP _ PORT _ STATUS message includes information such as the name of the virtual network card, the Mac address, and the PORT number.
Step S303: receiving an OFP _ PORT _ STATUS message by a static flow table management engine of the SDN controller, extracting a virtual network card name, and judging whether the virtual network card name is a virtual machine network card or not according to a virtual machine access network card definition rule (under the general condition, the access network card name of a virtual machine starts with vnet);
step S304: if the name of the virtual network card is not the virtual machine network card, issuing a Flow Table rule, and forwarding the message matched with the network entry to a Flow Table 1 (multi-stage Flow Table distribution Flow Table); and if the virtual network card is a virtual machine access network card, extracting Mac address information of the virtual network card, and converting the Mac address of the virtual network card into the Mac address of the virtual machine through a self-defined conversion rule.
Step S305: a static Flow Table management engine of the SDN controller generates a Port-Mac binding Flow Table rule according to Mac address information and Port number of the virtual machine, and issues the Port-Mac binding Flow Table rule to a Flow Table 0(Port-Mac binding Flow Table), wherein the Port-Mac binding Flow Table rule logic is as follows:
a) the port number of the network inlet of the matched message is the port number of the virtual machine access network card, the source Mac address is the Mac address of the virtual machine, and the execution action is to forward the message to the Flow Table 1 (multi-stage Flow Table distribution Flow Table).
b) If the match is hit, the Flow Table is forwarded to the Flow Table 1 (multi-stage Flow Table allocation Flow Table).
c) And if the matching is not hit, executing the next flow hopping table rule, wherein the port number of the network inlet of the matched message is the port number of the virtual machine access network card, and the execution action is discarding.
The flow table rule is bound through the Port-Mac, so that the Mac address can be effectively prevented from being maliciously modified by the virtual machine, and the disorder of the data index of the SDN controller is avoided.
Step S306: and inquiring the IP address information of the virtual machine in the database according to the Mac address information of the virtual machine.
Step S307: a static Flow Table management engine of the SDN controller generates a Flow Table rule distributed by a multi-stage Flow Table according to Mac address information, port numbers and IP addresses of the virtual machines, and issues the Flow Table rule to Flow Table 1 (multi-stage Flow Table distribution Flow Table), wherein the Flow Table rule logic distributed by the multi-stage Flow Table is as follows:
a) and the network inlet matched with the message is the network access port number of the virtual machine, and the message is forwarded to the FlowTable N distributed by the virtual machine.
b) And the network inlet matched with the message is an uplink port of the switch, and the target Mac address is the virtual machine Mac, and then the message is forwarded to the Flow Table N distributed by the virtual machine.
c) And if the network inlet matched with the message is an uplink port of the switch, the target IP address is the IP of the virtual machine, and the network protocol is the Ipv4 protocol, the message is forwarded to the Flow Table N distributed by the virtual machine.
d) And if the network inlet matched with the message is an uplink port of the switch, the target IP address is the IP of the virtual machine, and the network protocol is the Ipv6 protocol, the message is forwarded to the Flow Table N distributed by the virtual machine.
e) And if the network inlet matched with the message is an uplink port of the switch, the target IP address is a virtual machine IP, and the network protocol is an arp protocol, forwarding the message to the Flow Table N distributed by the virtual machine.
And the Flow Table rules distributed by the multi-stage Flow tables ensure that messages sent by the virtual machine and messages entering from an external network can be distributed to the Flow Table N distributed by the virtual machine.
Step S308: inquiring a Table resource pool IN a database according to Mac address information of the virtual machine, registering an idle Flow Table ID (N), issuing a Flow Table rule to the Flow Table N, configuring an execution action of a Table Miss to be packaged into an OFPT _ PACKET _ IN message, and sending the OFPT _ PACKET _ IN message to the SDN controller.
Step S309: when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-MAC binding flow table rule of the flow table0, and acquiring a network entry port number of the virtual machine, an MAC address of a source virtual machine, an MAC address of a target virtual machine, an IP address of the virtual machine and an IP address of the target virtual machine according to the port-MAC binding flow table rule of the flow table 0; and then forwarding the flow table of the packet to a corresponding flow table N according to the multi-stage flow table distribution rule of the flow table 1.
And if the flow table processing rule of the flow table N is matched with the message, completing response processing on the message according to the flow table processing rule of the flow table N.
And if the Flow Table rule of the Flow Table N is not matched with the hit message, the Openflow switch sends the message to the SDN controller through an OFPT _ PACKET _ IN message of an Openflow protocol.
Step S310: the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, extracts a source target Mac address, inquires a Flow Table resource pool, and obtains the Flow Table ID (N) through which the message needs to pass.
Step S311: the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, generates a corresponding Flow processing Table rule according to the networking logic of the cloud network, and issues the Flow processing Table rule to the Flow Table ID N. And the message completes response processing according to the issued flow table processing rule.
According to the multi-stage Flow Table control method and system for the virtual machine, the Flow Table of the Openflow switch is used as a network resource of the virtual machine, and the Mac address of the virtual machine access network card are used as the unique identifier of the network resource of the virtual machine, so that the SDN controller can rapidly index and allocate resources.
Moreover, according to the Flow Table multi-stage Flow Table allocation method of the virtual machines, Flow Table rules generated by the multiple virtual machines are strictly isolated, the same node is guaranteed, the Flow Table rules of some virtual machines are excessive, the network performance of other virtual machines cannot be influenced, and the processing performance and the rationality of the Openflow switch of the cloud network are improved through a reasonable Flow Table allocation mode.
Further, the virtual machine-oriented multi-stage Flow Table management and control method and system report the virtual machine to which the Flow Table belongs through the MAC address, the IP address and the Ethernet protocol, and guide the Flow Table to the corresponding Flow Table is realized through the Flow Table rule, so that the accuracy and the efficiency of the network according to the Flow Table guide of the multi-stage Flow Table of the virtual machine are guaranteed.
It is to be understood that the present invention is not limited to the above-described embodiments, and that various changes and modifications may be made without departing from the spirit and scope of the invention, and it is intended to cover such changes and modifications as fall within the scope of the appended claims and equivalents thereof.
Claims (10)
1. A multi-stage flow table management and control method facing a virtual machine is characterized by comprising the following steps:
a static flow table management engine of the SDN controller generates a port-Mac binding flow table rule according to the Mac address information and the port number of the virtual machine, and issues the port-Mac binding flow table rule to a flow table 0;
a static flow table management engine of the SDN controller generates a multi-stage flow table distribution rule according to Mac address information, port numbers and IP addresses of the virtual machines and issues the multi-stage flow table distribution rule to a flow table 1;
inquiring IP address information and a table resource pool of the virtual machine in a database according to Mac address information of the virtual machine, registering an idle flow table N, and issuing the port-Mac binding flow table rule to the flow table N, wherein N is a natural number and N is 2-252;
when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-MAC binding flow table rule of the flow table0, and acquiring a network entry port number of the virtual machine, an MAC address of a source virtual machine, an MAC address of a target virtual machine, an IP address of the virtual machine and an IP address of the target virtual machine according to the port-MAC binding flow table rule of the flow table 0; then forwarding the flow table of the message to a corresponding flow table N according to a multi-stage flow table distribution rule of the flow table 1;
and if the flow table processing rule of the flow table N is matched with the message, completing response processing on the message according to the flow table processing rule of the flow table N.
2. The virtual machine-oriented multi-stage flow table management and control method according to claim 1, after forwarding the flow table of the packet to the corresponding flow table N, further comprising:
if the processing flow table rule of the flow table N does not match the message, the Openflow switch sends the message to an SDN controller through an OFPT _ PACKET _ IN message of an Openflow protocol;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message to extract a source target Mac address and query a FlowTable resource pool so as to obtain a required flow table number of the message;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, generates a corresponding flow table processing rule according to the networking logic of the cloud network, and issues the flow table processing rule to a flow table N corresponding to the flow table number;
and finishing response processing on the message according to the issued flow table processing rule.
3. The virtual machine-oriented multi-stage flow table management and control method according to claim 2, wherein before the static flow table management engine of the SDN controller generates the port-mac binding flow table rule, the method further comprises:
the cloud platform creates a virtual machine, initializes the Mac address of the virtual machine and the Mac address of the virtual network card through a preset conversion rule, and accesses the virtual network card into the Openflow switch;
the Openflow switch sends the change event of the network card access to the SDN controller through an OFP _ PORT _ STATUS message of an Openflow protocol;
receiving the OFP _ PORT _ STATUS message by a static flow table management engine of the SDN controller, extracting a virtual network card name, and judging whether the virtual network card is a virtual machine network card or not by using the virtual network card name according to a virtual machine access network card definition rule;
if the name of the virtual network card is not the virtual machine network card, issuing a flow table rule, and forwarding the message matched with the network inlet to the flow table 1; and if the virtual network card is a virtual machine access network card, extracting Mac address information of the virtual network card, and converting the Mac address of the virtual network card into the Mac address of the virtual machine through a preset conversion rule.
4. The virtual machine-oriented multi-stage flow table management and control method according to claim 3, wherein the OFP _ PORT _ STATUS message contains a name of a virtual network card, a Mac address, and a PORT number.
5. The virtual machine-oriented multi-level flow table management and control method of claim 4, wherein the port-mac binding flow table rule comprises:
the port number of the network inlet of the matched message is the port number of the virtual machine access network card, the source Mac address is the Mac address of the virtual machine, and the execution action is to forward the message to the flow table 1;
if the matching is hit, forwarding to the flow table 1;
and if the matching is not hit, executing the next flow hopping table rule, wherein the port number of the network inlet of the matched message is the port number of the virtual machine access network card, and the execution action is discarding.
6. The virtual machine-oriented multi-stage flow Table management and control method according to claim 5, wherein when the multi-stage flow Table distribution rule is issued to the flow Table N, the execution action of the Table Miss is configured to be encapsulated into an OFPT _ PACKET _ IN message and sent to the SDN controller.
7. The virtual machine-oriented multi-stage flow table management and control method according to claim 6, wherein the flow table rule logic of the multi-stage flow table distribution includes:
a) if the network inlet of the matching message is the network access port number of the virtual machine, forwarding the matching message to a flow table N allocated by the virtual machine;
b) if the network inlet of the matching message is an uplink port of the switch and the target Mac address is a virtual machine Mac, forwarding the matching message to a flow table N allocated by the virtual machine;
c) if the network inlet of the matching message is an uplink port of the switch, the target IP address is a virtual machine IP and the network protocol is an Ipv4 protocol, forwarding the matching message to a flow table N allocated by the virtual machine;
d) if the network inlet of the matching message is an uplink port of the switch, the target IP address is a virtual machine IP and the network protocol is an Ipv6 protocol, forwarding the matching message to a flow table N allocated by the virtual machine;
e) and if the network inlet of the matching message is an uplink port of the switch, the target IP address is the IP of the virtual machine and the network protocol is the arp protocol, forwarding the matching message to a flow table N allocated by the virtual machine.
8. A virtual machine-oriented multi-stage flow table management and control system for managing multi-stage flow table processing of an OpenFlow switch, comprising a controller and a memory, wherein the memory stores computer program code therein, and the controller runs the computer program code stored in the memory to perform the following steps:
a static flow table management engine of the SDN controller generates a port-Mac binding flow table rule according to the Mac address information and the port number of the virtual machine, and issues the port-Mac binding flow table rule to a flow table 0;
a static flow table management engine of the SDN controller generates a multi-stage flow table distribution rule according to Mac address information, port numbers and IP addresses of the virtual machines and issues the multi-stage flow table distribution rule to a flow table 1;
inquiring IP address information and a table resource pool of the virtual machine in a database according to Mac address information of the virtual machine, registering an idle flow table N, and issuing the port-Mac binding flow table rule to the flow table N, wherein N is a natural number and N is 2-252;
when a message enters an Openflow switch, determining that the message is sent by a virtual machine according to a port-MAC binding flow table rule of the flow table0, and acquiring a network entry port number of the virtual machine, an MAC address of a source virtual machine, an MAC address of a target virtual machine, an IP address of the virtual machine and an IP address of the target virtual machine according to the port-MAC binding flow table rule of the flow table 0; then forwarding the flow table of the message to a corresponding flow table N according to a multi-stage flow table distribution rule of the flow table 1;
and if the flow table processing rule of the flow table N is matched with the message, completing response processing on the message according to the flow table processing rule of the flow table N.
9. The virtual machine-oriented multi-stage flow table management and control system according to claim 8, further comprising, after forwarding the flow table of the packet to the corresponding flow table N:
if the processing flow table rule of the flow table N does not match the message, the Openflow switch sends the message to an SDN controller through an OFPT _ PACKET _ IN message of an Openflow protocol;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message to extract a source target Mac address and query a FlowTable resource pool so as to obtain a required flow table number of the message;
the SDN controller analyzes the message content of the OFPT _ PACKET _ IN message, generates a corresponding flow table processing rule according to the networking logic of the cloud network, and issues the flow table processing rule to a flow table N corresponding to the flow table number;
and finishing response processing on the message according to the issued flow table processing rule.
10. The virtual machine-oriented multi-stage flow table management and control system of claim 9, wherein before the static flow table management engine of the SDN controller generates the port-mac binding flow table rule, the method further comprises:
the cloud platform creates a virtual machine, initializes the Mac address of the virtual machine and the Mac address of the virtual network card through a preset conversion rule, and accesses the virtual network card into the Openflow switch;
the Openflow switch sends the change event of the network card access to the SDN controller through an OFP _ PORT _ STATUS message of an Openflow protocol;
receiving the OFP _ PORT _ STATUS message by a static flow table management engine of the SDN controller, extracting a virtual network card name, and judging whether the virtual network card is a virtual machine network card or not by using the virtual network card name according to a virtual machine access network card definition rule;
if the name of the virtual network card is not the virtual machine network card, issuing a flow table rule, and forwarding the message matched with the network inlet to the flow table 1; and if the virtual network card is a virtual machine access network card, extracting Mac address information of the virtual network card, and converting the Mac address of the virtual network card into the Mac address of the virtual machine through a preset conversion rule.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010558442.3A CN111726305B (en) | 2020-06-18 | 2020-06-18 | Virtual machine-oriented multistage flow table management and control method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010558442.3A CN111726305B (en) | 2020-06-18 | 2020-06-18 | Virtual machine-oriented multistage flow table management and control method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111726305A true CN111726305A (en) | 2020-09-29 |
| CN111726305B CN111726305B (en) | 2021-03-16 |
Family
ID=72567348
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010558442.3A Active CN111726305B (en) | 2020-06-18 | 2020-06-18 | Virtual machine-oriented multistage flow table management and control method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111726305B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112910776A (en) * | 2021-01-18 | 2021-06-04 | 北京字节跳动网络技术有限公司 | Data forwarding method, device, equipment and medium |
| CN113259387A (en) * | 2021-06-21 | 2021-08-13 | 江苏天翼安全技术有限公司 | Method for preventing honeypot from being controlled to jump board machine based on virtual exchange |
| CN113839933A (en) * | 2021-09-13 | 2021-12-24 | 紫光云(南京)数字技术有限公司 | Method for solving multi-network card flow by utilizing security group |
| CN114697290A (en) * | 2022-03-16 | 2022-07-01 | 浪潮云信息技术股份公司 | Method for realizing floating IP function of VIP (very important person) by using flow table |
| CN115567397A (en) * | 2022-09-21 | 2023-01-03 | 雅砻江流域水电开发有限公司 | Cloud deployment method of integrated platform system of hydropower centralized control center |
| CN117714398A (en) * | 2024-02-05 | 2024-03-15 | 浪潮电子信息产业股份有限公司 | Data transmission system, method, electronic equipment and storage medium |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103281246A (en) * | 2013-05-20 | 2013-09-04 | 华为技术有限公司 | Message processing method and network equipment |
| CN103477593A (en) * | 2011-04-04 | 2013-12-25 | 日本电气株式会社 | Network system, switch, and connection terminal detection method |
| CN105471756A (en) * | 2015-11-17 | 2016-04-06 | 浪潮(北京)电子信息产业有限公司 | Data packet processing method and data packet processing device |
| CN105847157A (en) * | 2016-03-21 | 2016-08-10 | 中国人民解放军国防科学技术大学 | End-to-end communication method between identification networks based on SDN |
| CN106572032A (en) * | 2016-09-28 | 2017-04-19 | 浪潮电子信息产业股份有限公司 | Virtualized network priority implementation method |
| CN106936777A (en) * | 2015-12-29 | 2017-07-07 | 中移(苏州)软件技术有限公司 | Cloud computing distributed network implementation method based on OpenFlow, system |
| CN107147533A (en) * | 2017-05-31 | 2017-09-08 | 郑州云海信息技术有限公司 | A kind of flow table configuration distributing method and system based on SDN frameworks |
| CN108183862A (en) * | 2018-01-24 | 2018-06-19 | 上海宽带技术及应用工程研究中心 | Communication means/system, readable storage medium storing program for executing and the equipment of software definition switching network |
| CN108512763A (en) * | 2018-04-16 | 2018-09-07 | 广州市品高软件股份有限公司 | A kind of tracking of flow table rule generating process |
| CN109660443A (en) * | 2018-12-26 | 2019-04-19 | 江苏省未来网络创新研究院 | Physical equipment and virtual network communication method and system based on SDN |
| US20190230039A1 (en) * | 2018-01-19 | 2019-07-25 | Estinet Technologies Inc. | Method and system for extracting in-tunnel flow data over a virtual network |
| US20200036641A1 (en) * | 2016-09-14 | 2020-01-30 | At&T Intellectual Property I, L.P. | Method and system for dynamically distributing and controlling a virtual gateway |
-
2020
- 2020-06-18 CN CN202010558442.3A patent/CN111726305B/en active Active
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103477593A (en) * | 2011-04-04 | 2013-12-25 | 日本电气株式会社 | Network system, switch, and connection terminal detection method |
| CN103281246A (en) * | 2013-05-20 | 2013-09-04 | 华为技术有限公司 | Message processing method and network equipment |
| CN105471756A (en) * | 2015-11-17 | 2016-04-06 | 浪潮(北京)电子信息产业有限公司 | Data packet processing method and data packet processing device |
| CN106936777A (en) * | 2015-12-29 | 2017-07-07 | 中移(苏州)软件技术有限公司 | Cloud computing distributed network implementation method based on OpenFlow, system |
| CN105847157A (en) * | 2016-03-21 | 2016-08-10 | 中国人民解放军国防科学技术大学 | End-to-end communication method between identification networks based on SDN |
| US20200036641A1 (en) * | 2016-09-14 | 2020-01-30 | At&T Intellectual Property I, L.P. | Method and system for dynamically distributing and controlling a virtual gateway |
| CN106572032A (en) * | 2016-09-28 | 2017-04-19 | 浪潮电子信息产业股份有限公司 | Virtualized network priority implementation method |
| CN107147533A (en) * | 2017-05-31 | 2017-09-08 | 郑州云海信息技术有限公司 | A kind of flow table configuration distributing method and system based on SDN frameworks |
| US20190230039A1 (en) * | 2018-01-19 | 2019-07-25 | Estinet Technologies Inc. | Method and system for extracting in-tunnel flow data over a virtual network |
| CN108183862A (en) * | 2018-01-24 | 2018-06-19 | 上海宽带技术及应用工程研究中心 | Communication means/system, readable storage medium storing program for executing and the equipment of software definition switching network |
| CN108512763A (en) * | 2018-04-16 | 2018-09-07 | 广州市品高软件股份有限公司 | A kind of tracking of flow table rule generating process |
| CN109660443A (en) * | 2018-12-26 | 2019-04-19 | 江苏省未来网络创新研究院 | Physical equipment and virtual network communication method and system based on SDN |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112910776A (en) * | 2021-01-18 | 2021-06-04 | 北京字节跳动网络技术有限公司 | Data forwarding method, device, equipment and medium |
| CN112910776B (en) * | 2021-01-18 | 2022-10-18 | 北京火山引擎科技有限公司 | Data forwarding method, device, equipment and medium |
| CN113259387A (en) * | 2021-06-21 | 2021-08-13 | 江苏天翼安全技术有限公司 | Method for preventing honeypot from being controlled to jump board machine based on virtual exchange |
| CN113839933A (en) * | 2021-09-13 | 2021-12-24 | 紫光云(南京)数字技术有限公司 | Method for solving multi-network card flow by utilizing security group |
| CN113839933B (en) * | 2021-09-13 | 2023-09-26 | 紫光云(南京)数字技术有限公司 | Method for solving multi-network card flow by utilizing security group |
| CN114697290A (en) * | 2022-03-16 | 2022-07-01 | 浪潮云信息技术股份公司 | Method for realizing floating IP function of VIP (very important person) by using flow table |
| CN115567397A (en) * | 2022-09-21 | 2023-01-03 | 雅砻江流域水电开发有限公司 | Cloud deployment method of integrated platform system of hydropower centralized control center |
| CN115567397B (en) * | 2022-09-21 | 2024-02-20 | 雅砻江流域水电开发有限公司 | Cloud deployment method of integrated platform system of hydropower centralized control center |
| CN117714398A (en) * | 2024-02-05 | 2024-03-15 | 浪潮电子信息产业股份有限公司 | Data transmission system, method, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111726305B (en) | 2021-03-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111726305B (en) | Virtual machine-oriented multistage flow table management and control method and system | |
| CN104010049B (en) | Ethernet ip message encapsulating method and Network Isolation and DHCP implementation methods based on SDN | |
| US7440415B2 (en) | Virtual network addresses | |
| US7330918B2 (en) | Buffer memory management method and system | |
| CN108377671B (en) | Method and computer equipment for processing message | |
| EP2773079B1 (en) | Device and method for access control list conversion | |
| CN105262683A (en) | Network system and method of controlling path | |
| CN103797774A (en) | Device and method for network address conversion | |
| CN112965824A (en) | Message forwarding method and device, storage medium and electronic equipment | |
| CN1946061B (en) | Method and device for fast processing message | |
| CN108471390B (en) | Cross-board processing system for service message and redirection method for service message | |
| CN108347392B (en) | Cross-board processing method, device and system for service message | |
| CN113472917B (en) | Network address conversion method, equipment and medium for data message | |
| CN106533943A (en) | Method for realizing microcode and flow table based on network switching chip | |
| CN111740910A (en) | Message processing method and device, network transmission equipment and message processing system | |
| CN114827292A (en) | Industrial heterogeneous protocol high-speed conversion optimization processing method and system | |
| Yan et al. | Open vSwitch Vxlan performance acceleration in cloud computing data center | |
| CN100586124C (en) | Securing communications equipment for processing data packets according to the send mechanism | |
| CN112235436A (en) | Network address translation rule matching method and equipment | |
| CN111294316B (en) | Network isolation method and device based on user mode protocol stack virtual router | |
| CN115514579B (en) | Method and system for realizing service identification based on IPv6 address mapping flow label | |
| CN105357332B (en) | A kind of method for network address translation and device | |
| CN115499392A (en) | Tenant isolation service method and device, and electronic equipment | |
| KR20210016802A (en) | Method for optimizing flow table for network service based on server-client in software defined networking environment and sdn switch thereofor | |
| CN111030971A (en) | Distributed access control method and device and storage equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |