CN111800326B - Message transmission method and device, processing node and storage medium - Google Patents

Info

Publication number
CN111800326B
Authority
CN
China
Prior art keywords
vlan
message
attribute
virtual
local area
Prior art date
Legal status
Active
Application number
CN201910275914.1A
Other languages
Chinese (zh)
Other versions
CN111800326A (en)
Inventor
李宙洲
吕嘉伟
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd
Priority to CN201910275914.1A
Publication of CN111800326A
Application granted
Publication of CN111800326B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 49/00 Packet switching elements › H04L 49/30 Peripheral units, e.g. input or output ports › H04L 49/3009 Header conversion, routing tables or routing tags
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 12/00 Data switching networks › H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] › H04L 12/46 Interconnection of networks › H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] › H04L 12/4645 Details on frame tagging
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 49/00 Packet switching elements › H04L 49/35 Switches specially adapted for specific applications › H04L 49/354 Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 49/00 Packet switching elements › H04L 49/70 Virtual switches

Abstract

Embodiments of the invention provide a message transmission method and apparatus, a processing node and a storage medium. The method comprises the following steps: an internal virtual switch receives a message sent by a virtual machine through a virtual-switch port having a first attribute, the message carrying at least two layers of VLAN (virtual local area network) tag IDs; according to a first flow table, the switch identifies that the message comes from a virtual-machine switch port having the first attribute and forwards it to an external virtual switch. Because a message carrying a double-layer VLAN ID is forwarded once it is determined to come from a virtual-machine switch port with the first attribute, such a message can be sent out normally and transparently using the existing virtual switch.

Description

Message transmission method and device, processing node and storage medium
Technical Field
The present invention relates to cloud computing technology in the field of communications, and in particular to a message transmission method and apparatus, a processing node, and a storage medium.
Background
Cloud computing is an Internet-based computing model in which shared software and hardware resources and information are provided to computers and other devices on demand. OpenStack, as a resource management and scheduling platform for cloud environments, has been adopted in important sectors such as telecommunications, finance and industry.
The network is an important component of cloud computing; in OpenStack, Neutron is the networking component and provides the layer-2 and layer-3 functions of the network. In a cloud environment two problems arise. On one hand, in a Network Functions Virtualization (NFV) scenario a virtual network element (a virtual machine implementing a network function) may be connected to many networks; the simple approach of creating one port per connected network means that the number of virtual network cards grows with the number of networks. On the other hand, in an ordinary service scenario most companies deploy their services in the cloud, and a data frame carries only a single Virtual Local Area Network Identifier (VLAN ID). This not only exhausts the service provider's VLAN resources but also prevents services from being distinguished by VLAN ID; for users, the VLAN IDs of their private networks cannot be planned flexibly, so user networks lack a degree of isolation.
With VLAN transparent transmission (VLAN pass-through), several different VLAN IDs can be added to one frame. While a frame carrying an inner VLAN ID is in transit, the inner VLAN ID is neither interpreted nor stripped by layer-2 devices, so the frame passes through them transparently. This greatly reduces the number of ports needed on virtual machines and on layer-2 devices, and lets users distinguish their own services by VLAN according to their own requirements.
In one existing approach, VLANs are allocated to different services from the perspective of the end service; however, the division has to be planned in advance and, once planned, is very cumbersome to change.
In another approach, frames are processed differently according to their access type so as to achieve transparent transmission, but this fails at the physical layer in a virtual network scenario.
In yet another approach, several QinQ (also called stacked VLAN or double VLAN) interfaces are configured and different links carry frames with different inner VLAN tags; this requires multiple links, and each link has to be configured and adjusted by an operator.
Disclosure of Invention
In view of this, embodiments of the present invention are intended to provide a message transmission method and apparatus, a processing node, and a storage medium.
The technical solution of the invention is realized as follows:
a message transmission method, comprising the following steps:
an internal virtual switch receives a message sent by a virtual machine through a virtual-switch port having a first attribute, the message carrying at least two layers of VLAN (virtual local area network) tag IDs;
and identifying, according to a first flow table, that the message comes from the virtual-machine switch port having the first attribute, and forwarding the message to an external virtual switch.
Based on the above solution, identifying according to the first flow table that the message comes from the virtual-machine switch port having the first attribute, and forwarding the message to the external virtual switch, includes:
the internal virtual switch forwards the message to the external virtual switch according to a second flow table.
Based on the above scheme, the method further comprises:
after receiving the message, the external virtual switch strips the outer VLAN ID from the at least two layers of VLAN IDs of the message, keeps the inner VLAN ID, and adds a segmentation ID to the message.
Based on the above scheme, the method further comprises:
dividing the virtual machines of tenants into different internal virtual local area networks;
allocating inner VLAN IDs to the internal virtual local area networks;
if an inner VLAN ID has been allocated to an internal virtual local area network, configuring a second attribute for that internal virtual local area network;
and setting the first attribute on the virtual-machine switch ports corresponding to an internal virtual local area network configured with the second attribute.
Based on the above scheme, the method further comprises:
modifying, as required, the inner VLAN ID of an internal virtual local area network and correspondingly modifying the second attribute of that internal virtual local area network;
and/or
correspondingly modifying the first attribute of a virtual-machine switch port according to the second attribute of the internal virtual local area network;
and/or modifying which virtual machines the virtual local area network having the second attribute contains.
Based on the above scheme, the method further comprises:
identifying, according to the first flow table, that the message does not come from a virtual-machine switch port having the first attribute, and forwarding the message according to a third flow table and/or a fourth flow table.
Based on the above scheme, the method further comprises:
the virtual machine adds the inner VLAN ID and the outer VLAN ID to the message using QinQ, and forwards the message to the internal virtual switch through a virtual-machine switch port having the first attribute.
A message transmission apparatus, comprising:
a receiving module, configured for an internal virtual switch to receive a message sent by a virtual machine through a virtual-switch port having a first attribute, the message carrying at least two layers of VLAN (virtual local area network) tag IDs;
and a first forwarding module, configured to identify, according to a first flow table, that the message comes from the virtual-machine switch port having the first attribute, and to forward the message to an external virtual switch.
Based on the above solution, the first forwarding module is specifically configured to forward the message from the internal virtual switch to the external virtual switch according to a second flow table.
Based on the above scheme, the apparatus further comprises:
a processing module, configured to strip the outer VLAN ID from the at least two layers of VLAN IDs of the message after the external virtual switch receives it, keep the inner VLAN ID, and add a segmentation ID to the message.
Based on the above scheme, the apparatus further comprises:
a division module, configured to divide the virtual machines of tenants into different internal virtual local area networks;
an allocation module, configured to allocate inner VLAN IDs to the internal virtual local area networks;
a first configuration module, configured to configure a second attribute for an internal virtual local area network if an inner VLAN ID has been allocated to it;
and a second configuration module, configured to set the first attribute on the virtual-machine switch ports corresponding to an internal virtual local area network configured with the second attribute.
Based on the above scheme, the apparatus further comprises:
a modification module, configured to modify, as required, the inner VLAN ID of an internal virtual local area network and correspondingly modify its second attribute; and/or to correspondingly modify the first attribute of a virtual-machine switch port according to the second attribute of the internal virtual local area network; and/or to modify which virtual machines the virtual local area network having the second attribute contains.
Based on the above scheme, the apparatus further comprises:
a second forwarding module, configured to identify, according to the first flow table, that the message does not come from a virtual-machine switch port having the first attribute, and to forward the message according to a third flow table and/or a fourth flow table.
Based on the above scheme, the apparatus further comprises:
a message module, by which the virtual machine adds the inner VLAN ID and the outer VLAN ID to a message using QinQ and forwards the message to the internal virtual switch through a virtual-machine switch port having the first attribute.
A processing node, comprising:
a memory;
and a processor connected to the memory, configured to implement the message transmission method of any of the above solutions by executing the computer-executable instructions stored in the memory.
A computer storage medium storing computer-executable instructions which, when executed, implement the message transmission method of any of the above solutions.
According to the technical solution provided by embodiments of the invention, a message received by the internal virtual switch that carries both an inner VLAN ID and an outer VLAN ID is forwarded normally to the external virtual switch and on to the external network. Matching against the first flow table determines whether a message with a double-layer VLAN ID comes from a virtual-machine switch port having the specific first attribute; if so, the message is forwarded normally. On one hand, this lets an existing virtual switch send messages with a double-layer VLAN ID out normally; on the other hand, the message can be forwarded on the basis of its outer VLAN ID to the external VLAN recognized by public-network devices, and then, on the basis of its inner VLAN ID, to the internal VLAN within that external VLAN, so that the internal VLAN provides additional isolation between the traffic of different virtual machines.
Drawings
Fig. 1 is a schematic flowchart of a first message transmission method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a second message transmission method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a message transmission apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the virtualization of a computing node in a cloud platform according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of flow-table matching according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a processing node according to an embodiment of the present invention.
Detailed Description
The technical solution of the present invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 1, this embodiment provides a message transmission method, including:
step S110: an internal virtual switch receives a message sent by a virtual machine through a virtual-switch port having a first attribute, the message carrying at least two layers of VLAN (virtual local area network) tag IDs;
step S120: identifying, according to a first flow table, that the message comes from the virtual-machine switch port having the first attribute, and forwarding the message to an external virtual switch.
The message may carry several layers of VLAN IDs, for example two, three or four. In this embodiment the outermost VLAN ID may be the ID of an external virtual local area network and is called the outer VLAN ID for short; the VLAN IDs inside the outermost one are collectively called inner VLAN IDs. Where VLANs are nested, i.e. VLAN n belongs to VLAN n+1, the VLAN ID of VLAN n+1 sits outside the VLAN ID of VLAN n.
The message transmission method of this embodiment may be used in a cloud platform provided with virtual machines. An internal virtual switch in the cloud platform can be connected directly to the various virtual machines; for example, a virtual machine is connected to the internal virtual switch through a virtual-machine switch port.
The cloud platform may further contain an external virtual switch connected to several internal virtual switches. In still other embodiments, a higher-level virtual switch in the cloud platform may also be connected directly to the external virtual switch.
In this embodiment the virtual machines connected to an internal virtual switch may be divided into different virtual local area networks, each with its own VLAN ID. In step S110 the internal virtual switch therefore receives a message with a double-layer VLAN ID sent by a virtual machine; such messages include, but are not limited to, Address Resolution Protocol (ARP) messages. The inner VLAN ID may be the ID of the internal VLAN in which the virtual machine sending the double-tagged message is located, or the ID of the internal VLAN in which the virtual machine receiving it is located.
For example, virtual machine A is located in platform A and virtual machine B in platform B. Platform A is provided with external virtual local area network 1, and within platform A virtual machine A belongs to internal virtual local area network A; platform B is provided with external virtual local area network 2, and within platform B virtual machine B belongs to internal virtual local area network B. The double-layer VLAN ID may be a double-layer source VLAN ID or a double-layer destination VLAN ID. Virtual local area networks A and B are not VLANs recognized by external or public-network devices and may therefore be called internal, intranet or private virtual local area networks; virtual local area networks 1 and 2 are external virtual local area networks that external or public-network devices do recognize. When a message carries a double-layer VLAN ID, the VLAN ID of the intranet VLAN sits inside the VLAN ID of the extranet VLAN and is therefore called the inner VLAN ID.
The outer VLAN ID is the ID of the external virtual local area network in which the virtual machine is located, that is, a VLAN ID that external network devices can recognize.
For example, if virtual machine A sends a message to virtual machine B, the message may carry a double-layer source VLAN ID and/or a double-layer destination VLAN ID. If it carries both, the message sent by virtual machine A contains the VLAN ID of virtual local area network 1 and the VLAN ID of virtual local area network A (the source), and the VLAN ID of virtual local area network 2 and the VLAN ID of virtual local area network B (the destination).
After receiving a message with a double-layer VLAN ID, the internal virtual switch of this embodiment does not simply discard it; it first determines whether the message entered through a virtual-switch port having the first attribute. If it did, the message is treated as legitimate and is forwarded normally to the external virtual switch according to the first flow table, so that the external virtual switch can forward it outward.
Thus, through the attribute set on the port and the configuration of the first flow table, a message with a double-layer VLAN ID is forwarded by the internal virtual switch to the external virtual switch and on to the external network, and its inner VLAN ID is carried transparently at least through the internal virtual switch. No dedicated transmission link is set up for the inner VLAN ID: because forwarding is permitted on the basis of whether the virtual-machine switch port has the first attribute, the inner VLAN ID need not be written into the first flow table in advance and can be configured dynamically as required. Since the forwarding decision is made per virtual-switch port rather than per inner VLAN ID, transparent forwarding of the VLAN ID also works at the physical layer, and the transmission failure at the physical layer seen in the related art does not occur.
In some embodiments the match domain of the first flow table contains at least two match fields: the virtual-machine switch port and the outer VLAN ID. A message carrying an outer VLAN ID must be forwarded to the external virtual switch; if in addition its ingress port is a virtual-machine switch port with the first attribute defined in the first flow table, it is treated as a message with a double-layer VLAN ID that is to be forwarded there. Matching both fields rather than the port alone means that a virtual machine can only send double-tagged frames into the outer VLAN its port has been assigned: a frame from a port with the first attribute but carrying some other outer VLAN ID does not match the entry.
Further, since a message in this embodiment carries both an outer and an inner VLAN ID, data is routed normally between two external VLANs as long as the external VLAN IDs are unique across the whole network. The inner VLAN ID is meaningful only inside its external VLAN, so internal VLANs set up in different external VLANs may use the same inner VLAN ID; for example, the internal VLANs set up in virtual local area network 1 and in virtual local area network 2 may share a VLAN ID. Introducing internal VLANs therefore does not strain the VLAN ID space.
In some embodiments the first flow table may be dedicated to messages with a double-layer VLAN ID.
Further, step S120 may include:
the internal virtual switch forwards the message to the external virtual switch according to a second flow table.
In this embodiment the second flow table may be a flow table used for messages with a single-layer VLAN ID as well as for messages with a double-layer VLAN ID.
The second flow table may be provided with a match domain and with the switch port connected to the corresponding external virtual switch.
In some embodiments the first flow table has a higher priority than the second flow table. A message with a double-layer VLAN ID is then matched against the entries of the first flow table first, which ensures that it is forwarded normally rather than discarded.
Messages with a single-layer VLAN ID include, but are not limited to, ARP messages and/or Internet Control Message Protocol (ICMP) messages.
Both the first and the second flow table have match domains, and the actions performed once a match domain is matched include at least forwarding and discarding. For a forwarding action, a forwarding port, a forwarding address or a jump to another flow table is also specified.
Actions may further include stripping one or more fields from the message, re-encapsulating the message, or copying its content or header; these are not discussed one by one here.
A match domain may contain one or more match fields, including but not limited to at least one of:
an ingress port;
a VLAN ID, e.g. the outer VLAN ID;
a tunnel number;
an IP protocol number;
an ARP operation (ARP-OP);
a transport-layer port number;
masked metadata.
In this embodiment the message carries information that can be compared with the match fields of the match domain; if that information matches the match domain, the action associated with the match domain is executed.
Further, as shown in fig. 2, the method further includes:
step S130: after receiving the message, the external virtual switch strips the outer VLAN ID from the at least two layers of VLAN IDs of the message, keeps the inner VLAN ID, and adds a segmentation ID to the message.
For a message with a double-layer VLAN ID, the outer VLAN ID indicates that the message is to be forwarded to the external network. After receiving such a message from the internal virtual switch, the external virtual switch strips the outer VLAN ID and replaces it with a segmentation ID that public-network devices can recognize.
Further, the method further comprises:
dividing the virtual machines of tenants into different internal virtual local area networks;
allocating inner VLAN IDs to the internal virtual local area networks;
if an inner VLAN ID has been allocated to an internal virtual local area network, configuring a second attribute for that internal virtual local area network;
and setting the first attribute on the virtual-machine switch ports corresponding to an internal virtual local area network configured with the second attribute.
In this embodiment one tenant may be assigned one or more virtual machines. To ensure information security between tenants, the virtual machines of different tenants may be placed in different internal virtual local area networks, which isolates their traffic and improves the information security of each tenant.
In this embodiment the internal virtual local area networks can be divided into at least two types:
one, an internal virtual local area network to which a VLAN ID has been allocated;
the other, an internal virtual local area network without a VLAN ID.
If a VLAN ID has been allocated, the messages sent by the virtual machines of that internal virtual local area network may carry a double-layer VLAN ID.
To distinguish these two types of internal virtual local area network, this embodiment sets a second attribute on an internal virtual local area network to which a VLAN ID has been allocated.
If the second attribute is set, the virtual-machine switch ports configured in that internal virtual local area network include at least one port on which the first attribute is set.
In other embodiments, the method further comprises:
modifying, as required, the inner VLAN ID of an internal virtual local area network and correspondingly modifying the second attribute of that internal virtual local area network;
and/or
correspondingly modifying the first attribute of a virtual-machine switch port according to the second attribute of the internal virtual local area network;
and/or modifying which virtual machines the virtual local area network having the second attribute contains.
In this embodiment, because messages carrying a double-layer VLAN ID are forwarded on the basis of the virtual-machine switch port, these settings can be modified dynamically as required, and after a modification the first flow table is adjusted accordingly; the change is simple. The inner VLAN ID of an internal virtual local area network can likewise be configured dynamically as required.
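The attribute chain in the configuration and modification steps above can be made concrete. The following is an added example, not the patent's code and not OpenStack Neutron's: an internal VLAN with an allocated inner VLAN ID gets the second attribute, its ports get the first attribute, and one first-flow-table entry is rendered per such port in ovs-ofctl match syntax (in_port plus dl_vlan, which matches the outermost tag). Tenant names, port numbers and VLAN IDs are constructed; the simplification that every port of such a VLAN gets the first attribute, the uniqueness check on inner IDs within one outer VLAN, and the rendering of the modification path are this example's own assumptions.

```python
"""Added example (not the patent's or Neutron's code): derive the first attribute
of VM switch ports from the second attribute of their internal VLAN and render
the matching first-flow-table entries in ovs-ofctl match syntax.  Tenant names,
port numbers and VLAN IDs are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InternalVlan:
    tenant: str
    outer_vid: int                    # the external VLAN this internal VLAN lives in
    inner_vid: Optional[int] = None   # None: no inner VLAN ID allocated

    @property
    def second_attribute(self):
        return self.inner_vid is not None   # set once an inner VLAN ID is allocated


@dataclass
class VmPort:
    ofport: int
    vlan: InternalVlan

    @property
    def first_attribute(self):
        # Assumed simplification: every port of an internal VLAN that has the
        # second attribute gets the first attribute (the page requires at least one).
        return self.vlan.second_attribute


def check_plan(vlans):
    """Inner VLAN IDs need to be unique only inside one external VLAN; the same
    inner ID under a different outer VLAN is allowed (the page's resource argument)."""
    seen = set()
    for v in vlans:
        if v.inner_vid is None:
            continue
        key = (v.outer_vid, v.inner_vid)
        if key in seen:
            raise ValueError(f"inner VLAN {v.inner_vid} allocated twice inside outer VLAN {v.outer_vid}")
        seen.add(key)


def first_table_flows(ports, patch_port, priority=200):
    """One entry per port with the first attribute.  Matching in_port AND dl_vlan
    (the outermost tag) means a VM may only send double-tagged frames into the
    outer VLAN its port was given; lower-priority tables handle everything else."""
    check_plan({id(p.vlan): p.vlan for p in ports}.values())
    return [f"table=0,priority={priority},in_port={p.ofport},dl_vlan={p.vlan.outer_vid},"
            f"actions=output:{patch_port}"
            for p in sorted(ports, key=lambda p: p.ofport) if p.first_attribute]


def reallocate_inner_vid(vlan, new_vid, ports, patch_port):
    """Modification path: a new (or cleared) inner VLAN ID changes the VLAN's second
    attribute, hence its ports' first attribute, hence the rendered entries."""
    vlan.inner_vid = new_vid
    return first_table_flows(ports, patch_port)


def sample_plan():
    """Constructed tenant layout: tenant-a and tenant-b reuse inner VLAN 10 under
    different outer VLANs; tenant-c's internal VLAN has no inner VLAN ID."""
    a = InternalVlan("tenant-a", outer_vid=100, inner_vid=10)
    b = InternalVlan("tenant-b", outer_vid=200, inner_vid=10)
    c = InternalVlan("tenant-c", outer_vid=100)
    return [VmPort(5, a), VmPort(6, c), VmPort(7, b)], (a, b, c)


if __name__ == "__main__":
    ports, (a, b, c) = sample_plan()
    for rule in first_table_flows(ports, patch_port=1):
        print("ovs-ofctl add-flow br-int", repr(rule))
    print(reallocate_inner_vid(a, None, ports, 1))   # port 5 loses its entry
```

Installing the rendered strings with ovs-ofctl add-flow on the internal bridge is left to the operator; whether a given Open vSwitch build will forward a doubly tagged frame at all depends on its version and configuration, which the page does not cover. Clearing an inner VLAN ID removes the port's entry, so that port's double-tagged frames fall back to the lower-priority tables, and allocating an inner ID already used inside the same outer VLAN is rejected before any rule is rendered.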
Further, the method further comprises:
identifying, according to the first flow table, that the message does not come from a virtual-machine switch port having the first attribute, and forwarding the message according to a third flow table and/or a fourth flow table.
If the first flow table shows that the received message does not come from a virtual-machine switch port having the first attribute, normal switching proceeds according to the third and/or fourth flow table: the message is matched against them and forwarded or discarded accordingly. The third and fourth flow tables may be any existing forwarding flow tables, which gives high compatibility with the prior art.
Further, the method further comprises:
the virtual machine adds the inner VLAN ID and the outer VLAN ID to the message using QinQ, and forwards the message to the internal virtual switch through a virtual-machine switch port having the first attribute.
In this embodiment QinQ is used to encapsulate the double-layer VLAN ID, which is simple to implement.
The method further comprises the following steps:
when the external virtual switch receives a message whose outer VLAN ID has been replaced by a segmentation ID and which still carries the inner VLAN ID, it strips the segmentation ID and sends the message to the internal virtual switch; the internal virtual switch then delivers the message received from the external virtual switch to the virtual machine identified by the inner VLAN ID.
In this embodiment the original message carrying the double-layer VLAN ID is received normally on the return path as well; the method is simple to implement and highly compatible with the prior art.
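To show both directions end to end, the following is an added model of the pipeline described in steps S110 to S130 and in the return path above. It is not the patent's code and not Open vSwitch: br-int and br-ex stand for the internal and external virtual switch, the flow-table semantics (priority ordering, the four action kinds, the legacy rule that drops double-tagged frames from any other port) are this example's own, and the port numbers, MAC addresses, VLAN IDs and segmentation ID are constructed. It parses a doubly tagged frame, applies the first flow table on br-int, rewrites the outer VLAN ID to the segmentation ID on br-ex, and on the way back strips the segmentation ID and delivers by inner VLAN ID.

```python
"""Added model of the two-bridge QinQ pipeline of steps S110-S130 and the return
path.  Not the patent's code and not Open vSwitch; bridge names, port numbers,
VLAN IDs and the segmentation ID are constructed for the example."""
from dataclasses import dataclass, field

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8   # C-tag / S-tag (QinQ) EtherTypes
VM_A, VM_C = 5, 6             # br-int: VM_A's port has the first attribute, VM_C's does not
INT_PATCH, EXT_PATCH = 1, 3   # br-int side / br-ex side of the patch link
UPLINK = 2                    # br-ex port toward the physical network
OUTER_VLAN, INNER_A, SEG_ID = 100, 10, 3000   # outer VLAN, inner VLAN, segmentation ID

@dataclass
class Frame:
    in_port: int
    dst: bytes
    src: bytes
    tags: list    # VLAN IDs, outermost first
    rest: bytes   # EtherType and payload after the last tag

def parse_frame(in_port, raw):
    """Peel every 802.1Q/802.1ad tag; a QinQ frame yields len(tags) >= 2."""
    dst, src, off, tags = raw[:6], raw[6:12], 12, []
    while int.from_bytes(raw[off:off + 2], "big") in (TPID_8021Q, TPID_8021AD):
        tags.append(int.from_bytes(raw[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return Frame(in_port, dst, src, tags, raw[off:])

def build_frame(dst, src, tags, rest):
    """Inverse of parse_frame; the S-tag goes outermost when tags are stacked."""
    out = dst + src
    for i, vid in enumerate(tags):
        tpid = TPID_8021AD if i == 0 and len(tags) > 1 else TPID_8021Q
        out += tpid.to_bytes(2, "big") + vid.to_bytes(2, "big")
    return out + rest

@dataclass(order=True)
class FlowEntry:
    priority: int
    match: dict = field(compare=False)   # keys: in_port / outer_vlan / min_tags
    action: str = field(compare=False)   # output:N | set_outer:V | pop_outer | drop

def matches(m, f):
    return (("in_port" not in m or f.in_port == m["in_port"])
            and ("min_tags" not in m or len(f.tags) >= m["min_tags"])
            and ("outer_vlan" not in m or bool(f.tags) and f.tags[0] == m["outer_vlan"]))

def run_bridge(table, frame):
    """Highest-priority matching entry wins; an unmatched frame is dropped.
    Returns (output port or None, frame after the entry's actions)."""
    for e in sorted(table, reverse=True):
        if not matches(e.match, frame):
            continue
        for act in e.action.split(","):
            kind, _, arg = act.partition(":")
            if kind == "set_outer":      # strip the outer VLAN ID, add the segmentation ID
                frame.tags[0] = int(arg)
            elif kind == "pop_outer":    # strip the segmentation ID on the way back in
                frame.tags.pop(0)
            elif kind == "output":
                return int(arg), frame
        return None, frame               # "drop", or an action list without output
    return None, frame

# br-int: priority 200 is the "first flow table" (port with the first attribute AND
# its outer VLAN); 100 is the legacy rule discarding double-tagged frames from any
# other port; 50 is ordinary single-tag forwarding (the "second flow table");
# 150 delivers frames coming back from br-ex to the VM selected by inner VLAN ID.
BR_INT = [
    FlowEntry(200, {"in_port": VM_A, "outer_vlan": OUTER_VLAN, "min_tags": 2}, f"output:{INT_PATCH}"),
    FlowEntry(150, {"in_port": INT_PATCH, "outer_vlan": INNER_A}, f"output:{VM_A}"),
    FlowEntry(100, {"min_tags": 2}, "drop"),
    FlowEntry(50, {"min_tags": 1}, f"output:{INT_PATCH}"),
]
# br-ex: outer VLAN -> segmentation ID on the way out (inner tag rides along
# untouched); segmentation ID popped on the way in.
BR_EX = [
    FlowEntry(100, {"in_port": EXT_PATCH, "outer_vlan": OUTER_VLAN}, f"set_outer:{SEG_ID},output:{UPLINK}"),
    FlowEntry(100, {"in_port": UPLINK, "outer_vlan": SEG_ID, "min_tags": 2}, f"pop_outer,output:{EXT_PATCH}"),
]

def egress(vm_port, raw):
    """VM -> br-int -> br-ex -> uplink.  Returns (port the frame left on, its tags)."""
    out, f = run_bridge(BR_INT, parse_frame(vm_port, raw))
    if out == INT_PATCH:
        f.in_port = EXT_PATCH
        out, f = run_bridge(BR_EX, f)
    return out, f.tags

def ingress(raw):
    """uplink -> br-ex -> br-int -> VM.  Returns (VM port or None, tags delivered)."""
    out, f = run_bridge(BR_EX, parse_frame(UPLINK, raw))
    if out == EXT_PATCH:
        f.in_port = INT_PATCH
        out, f = run_bridge(BR_INT, f)
    return out, f.tags

# Constructed frames: fixed MACs and a zeroed ARP body behind the ARP EtherType.
MAC_A, MAC_B = bytes.fromhex("fa163e000001"), bytes.fromhex("fa163e000002")
ARP_STUB = bytes.fromhex("0806") + bytes(28)
QINQ_FROM_A = build_frame(MAC_B, MAC_A, [OUTER_VLAN, INNER_A], ARP_STUB)
SPOOFED_FROM_A = build_frame(MAC_B, MAC_A, [200, INNER_A], ARP_STUB)   # outer VLAN the port was not given
SINGLE_TAG = build_frame(MAC_B, MAC_A, [OUTER_VLAN], ARP_STUB)
REPLY_FROM_UPLINK = build_frame(MAC_A, MAC_B, [SEG_ID, INNER_A], ARP_STUB)
```

Calling egress(VM_A, QINQ_FROM_A) yields the frame on the uplink with tags [3000, 10], the outer VLAN replaced by the segmentation ID and the inner tag intact, and ingress(REPLY_FROM_UPLINK) delivers tags [10] to port 5. The two negative cases matter as much as the positive one: the same frame from VM_C's port, and a frame from VM_A's port with an outer VLAN ID other than the one its entry names, both fall through to the legacy drop rule. Matching port and outer VLAN together is what stops a QinQ-enabled port from being used to push frames into an external VLAN it was not assigned.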
As shown in fig. 3, this embodiment provides a message transmission apparatus, including:
a receiving module 110, configured for an internal virtual switch to receive a message sent by a virtual machine through a virtual-switch port having a first attribute, the message carrying at least two layers of VLAN tag IDs;
a first forwarding module 120, configured to identify, according to a first flow table, that the message comes from the virtual-machine switch port having the first attribute, and to forward the message to an external virtual switch.
In some embodiments the receiving module 110 and the first forwarding module 120 are both program modules which, when executed by a processor, receive and forward messages with a double-layer VLAN ID.
In other embodiments the receiving module 110 and the first forwarding module 120 are combined hardware and software modules, which may include programmable arrays such as complex programmable logic devices or field-programmable gate arrays.
In still other embodiments the receiving module 110 and the first forwarding module 120 are pure hardware modules, including but not limited to application-specific integrated circuits.
In some embodiments the first forwarding module 120 is specifically configured to forward the message from the internal virtual switch to the external virtual switch according to a second flow table.
In some embodiments, the apparatus further comprises:
and the processing module is used for stripping the outer VLAN ID in the at least two layers of VLAN IDs of the message after the external virtual switch receives the message, reserving the inner VLAN ID in the at least two layers of VLAN IDs and adding the segmented ID in the message.
In some embodiments, the apparatus further comprises:
the division module is used for dividing the virtual machines corresponding to the tenants into different internal virtual local area networks;
an allocation module, configured to allocate the inner VLAN ID to the internal virtual local area network;
a first configuration module, configured to configure a second attribute for the internal virtual local area network if an inner VLAN ID is allocated for the internal virtual local area network;
and the second configuration module is used for setting the first attribute for the virtual machine exchange port corresponding to the internal virtual local area network configured with the second attribute.
In some embodiments, the apparatus further comprises:
the modification module is used for modifying the VLAN ID of the internal virtual local area network and correspondingly modifying the first attribute of the internal virtual local area network according to modification requirements; and/or correspondingly modifying the second attribute of the virtual machine switching port according to the first attribute of the internal virtual local area network; and/or modifying the virtual machine contained in the virtual local area network with the second attribute.
In some embodiments, the apparatus further comprises:
and the second forwarding module is used for identifying that the message is not from the virtual machine switching port with the first attribute according to the first flow table, and forwarding the message according to a third flow table and/or a fourth flow table.
In some embodiments, the apparatus further comprises:
and the message module is used for adding the inner layer VLAN ID and the outer layer VLAN ID into a message by the virtual machine based on a QinQ technology and forwarding the message to the internal virtual switch through a virtual machine switching interface with the first attribute.
Several specific examples, applicable to any of the embodiments described above, follow:
QinQ (also called Stacked VLAN or Double VLAN) encapsulates a user's private VLAN tag inside a public VLAN tag, so that a packet with two layers of VLAN IDs can traverse an operator's backbone network. In the public network the private VLAN tag is hidden and the packet is propagated only according to the outer VLAN tag. This not only distinguishes data flows: because the private VLAN tag is transparently transmitted, different users can reuse the same VLAN tags, only the outer VLAN tag has to be unique in the public network, and the number of usable VLAN tags is effectively increased.
Most companies now deploy their business and services in the cloud, and the packets transmitted carry only a single VLAN ID. For the service provider this means that VLAN resources are in short supply and services cannot be distinguished by VLAN ID; for users it means the private-network VLAN ID cannot be planned flexibly, so the user network lacks a degree of isolation. Using QinQ in the cloud environment allows data packets to be nested in multiple layers; apart from the Ethernet frame length limit there is no other restriction, so the scheme scales well.
In this example, in an OpenStack cloud environment, the OpenFlow-capable virtual switch Open vSwitch is used to construct QinQ packets with two layers of VLAN IDs, and the packets are passed through in the Open vSwitch flow tables, so that QinQ packets can be forwarded in the user's private network and VLAN transparent transmission for the virtual machine network in the OpenStack cloud is achieved.
As shown in fig. 4, at least one piece of switching software supporting virtual machine switching, for example Open vSwitch, is provided on the compute node, and the corresponding bridges br-int (to which all virtual machines are connected; this may be understood as the aforementioned internal virtual switch) and br-data (the external virtual switch, used for forwarding virtual machine packets across nodes) are created. The flow table of br-int is modified so that packets with two layers of VLAN IDs coming out of the virtual machine switch port are passed through, and the flow table of br-data is modified so that the inner VLAN ID of a packet is retained when virtual machines on the node communicate.
In this example the Open vSwitch version may be 2.8.0 or later, and it must be ensured that packets pass through the virtual bridges created by Open vSwitch.
The match fields port, VLAN_ID and MAC_DA are supported, as are the actions of pushing and popping VLAN tags and forwarding to a physical port.
The flow tables should support the following basic functions:
flow table priority;
match fields: port, MAC_DA, VLAN_ID, TUN_ID, data-link type (DL_TYPE), ARP_OP, IP protocol number, transport-layer port number, masked METADATA. In addition, the filtering fields required by the security groups and firewalls of the cloud management platform must be supported; these are generally the source media access control address (MAC_SA), destination media access control address (MAC_DA), IP protocol number, source network protocol address (IP_SA), destination network protocol address (IP_DA), and transmission control protocol / user datagram protocol (TCP/UDP) port numbers.
actions: discard the packet, forward to a physical port, forward to a tunnel port, forward to the controller, push a VLAN tag (PUSH_VLAN), pop a VLAN tag (POP_VLAN), SET_FIELD (set a packet field), COPY_FIELD (copy a specific field), GOTO_TABLE (jump to another flow table).
As shown in fig. 4, at least flow table 0, flow table 24, flow table 25 and flow table 60 are arranged on the compute node. Flow table 0 here is one of the aforementioned first flow tables; flow table 60 is one of the aforementioned second flow tables; flow table 24 may be the third flow table described above, and flow table 25 is one of the fourth flow tables described above.
In fig. 4, the compute node includes a network port eth0 and a network port eth0.1; both may be physical-layer ports, i.e. network ports corresponding to a network card. These two network ports may correspond to the internal virtual local area networks Vlan:1 and Vlan:2, both of which are allocated VLAN IDs. The tap device is a layer-2 device: it passes VLAN tags, can send and receive media access control (MAC) layer frames, has MAC-layer functions, can be bridged with a network card, and supports MAC-layer broadcast. A qvo device is also shown in fig. 4; its function is the same as in the related art and is not described in detail here.
The specific steps of the technical solution are as follows:
Step 1: in an OpenStack environment, when the network is started and Neutron's neutron-openvswitch-agent is brought up, it automatically initializes Open vSwitch so that Open vSwitch supports forwarding of packets with multiple layers of VLAN IDs.
Step 2: in the OpenStack cloud, after a cloud tenant creates a private network with the 'vlan-transparent' attribute through the cloud platform and creates several virtual machines on that private network, the cloud platform sends a virtual machine creation message to the compute node (physical machine). The private network here corresponds to the internal virtual local area network described above.
The compute node prepares the resources the virtual machine needs and creates the virtual machine's port on the Open vSwitch bridge br-int.
Step 3: when the neutron-openvswitch-agent receives the virtual machine switch port sent by the cloud platform, it configures a corresponding flow table for the port on the bridge br-int, used for ingress and egress of ordinary packets; this may be flow table 0.
Flow table 0: priority 10; match: virtual machine switch port, ICMPv6/ARP and other packets; action: jump to flow table 24 or flow table 25;
Flow table 24: priority 2; match: virtual machine switch port, ICMPv6/ARP (for ARP packets, the source address must be 192.168.186.11); action: jump to flow table 60;
Flow table 25: priority 2; match: virtual machine switch port, other packets; action: jump to flow table 60;
Flow table 60: priority 3; action: normal forwarding.
Step 4: when the virtual machine switch port inherits the 'vlan-transparent' attribute of the network, the dot1q-tunnel VLAN mode must be set on the Open vSwitch port. This mode is an extension of the 802.1Q protocol that adds a second 802.1Q tag in front of the original 802.1Q header.
An additional flow table 0 entry is needed for ingress and egress of packets with an inner VLAN. Flow table 0: priority 11 (set higher so that packets carrying an inner VLAN match this rule directly); match: virtual machine switch port, ARP packet, VLAN tag present (to match packets with an inner VLAN coming from the virtual machine); action: jump to flow table 60 and complete normal forwarding.
Step 5: configure a corresponding flow table for the port on br-data, used for ingress and egress of ordinary packets:
Flow table 0: priority 4; match: virtual machine switch port, the packet's original VLAN ID (outer VLAN ID); action: change the outer VLAN ID to the segment ID of the virtual network and forward normally.
Step 6: when a cloud tenant modifies the 'vlan-transparent' attribute of a network or port, or a virtual machine is deleted or a port is bound/unbound, the neutron-openvswitch-agent dynamically removes the attributes/flow tables that were added to the Open vSwitch port and bridge to implement the QinQ function.
Data forwarding by the internal virtual switch br-int and the external virtual switch br-data using these flow tables may be as shown in fig. 5. br-int first processes ARP or ICMPv6 packets based on flow table 0 and determines whether the packet to be sent out carries at least two layers of VLAN IDs. If the packet comes from a port with the 'vlan-transparent' attribute, it is forwarded normally based on flow table 0: it jumps to flow table 60 and is forwarded normally to br-data. If a packet with at least two layers of VLAN IDs does not come from a port with the 'vlan-transparent' attribute, it can be discarded directly.
If the packet carries only a single VLAN ID, it is forwarded according to the flow tables, and a normally forwarded single-tagged packet is subsequently sent to br-data based on flow table 60. Specifically, forwarding a packet based on flow table 24 comprises matching on the source IP carried by the packet and then forwarding.
A packet with only a single VLAN ID may also be forwarded directly based on flow table 25, where forwarding according to flow table 25 matches on the source MAC carried by the packet.
When br-data receives the packet sent by br-int, it strips the outer VLAN ID according to its flow table, marks the packet with the network segment ID, and retains the inner VLAN ID.
The flow table design of steps 3 and 4 above has the following characteristics:
In the OpenStack cloud environment, a 'vlan-transparent' attribute is added to a cloud tenant's network/port, so that QinQ packets in the tenant's traffic are automatically encapsulated and forwarded and packets with two layers of VLAN IDs can be transmitted in the tenant network.
The data links are multiplexed: QinQ packets and ordinary packets are carried over the same data link, the original flow tables are kept, and a dedicated flow table entry is set only for ARP packets in QinQ format.
In the OpenStack cloud environment there is no need to create multiple ports for a virtual machine; several sub-interfaces are added to the port inside the virtual machine, each with its own VLAN ID, which greatly reduces port maintenance and configuration.
The cloud tenant can change the 'vlan-transparent' attribute dynamically and thereby configure the packet format dynamically.
In this solution the OpenStack management platform calls Open vSwitch to complete the VLAN transparent transmission configuration of the virtual machine interface, which saves a great deal of physical equipment.
In the related art, multiple QinQ interfaces and multiple links have to be created on a layer-2 device. In the OpenStack cloud environment, only one port needs to be created on Open vSwitch for the virtual machine, with several sub-interfaces added inside the virtual machine and VLAN IDs configured on them.
The solution uses several levels of flow tables: different functions are placed on different flow tables, and different flow tables are set for different packet types (ARP, ICMP and so on); in addition, ARP packets in QinQ format are matched separately from packets in ordinary format, so packets of different formats can be processed and controlled at finer granularity.
In the OpenStack cloud environment, the 'vlan-transparent' attribute is added to a virtual network, and the packet format can be configured dynamically.
QinQ: also called Stacked VLAN or Double VLAN. The standard is IEEE 802.1ad. It encapsulates a user's private-network VLAN tag inside a public-network VLAN tag, so that a packet carrying two layers of VLAN tags can traverse the operator's backbone (public) network. By stacking two 802.1Q headers in an Ethernet frame, QinQ effectively expands the number of VLANs to at most 4096x4096.
As shown in fig. 6, the present embodiment provides a computing node, comprising:
a memory;
a processor connected with the memory, configured to implement the packet transmission method provided by any of the foregoing technical solutions, for example one or more of the packet transmission methods shown in fig. 1 and/or fig. 2, by executing the computer-executable instructions stored in the memory.
The memory can be various types of memory, such as random access memory, read-only memory, flash memory and the like. The memory may be used for information storage, e.g. storing computer-executable instructions. The computer-executable instructions may be various program instructions, such as object program instructions and/or source program instructions.
The processor may be various types of processor, such as a central processing unit, a microprocessor, a digital signal processor, a programmable array, an application specific integrated circuit or a graphics processor.
The processor may be connected to the memory via a bus. The bus may be an integrated circuit bus or the like.
In some embodiments, the computing node may further include a communication interface, which may include a network interface, e.g. a local area network interface, a transceiver antenna and the like. The communication interface is also connected with the processor and can be used for sending and receiving information.
In some embodiments, the computing node also includes a human interaction interface, which may include various input and output devices, such as a keyboard or a touch screen.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (14)

1. A method for packet transmission, comprising:
an internal virtual switch receives a packet sent by a virtual machine through a virtual switch port with a first attribute, wherein the packet carries at least two layers of VLAN tag IDs; wherein the first attribute is the 'vlan-transparent' attribute;
identifying that the message comes from a virtual machine port with the first attribute according to a first flow table, and forwarding the message to an external virtual switch;
and after receiving the message, the external virtual switch strips the outer layer VLAN ID in the at least two layers of VLAN IDs of the message, reserves the inner layer VLAN ID in the at least two layers of VLAN IDs and adds the segmented ID in the message.
2. The method of claim 1, wherein identifying that the packet is from a virtual machine port having the first attribute according to the first flow table, and forwarding the packet to an external virtual switch comprises:
and the internal virtual switch forwards the message to the external virtual switch according to a second flow table.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
dividing virtual machines corresponding to tenants into different internal virtual local area networks;
allocating the inner VLAN ID to the internal virtual local area network;
if an inner VLAN ID is allocated to the internal virtual local area network, configuring a second attribute for the internal virtual local area network;
and setting the first attribute for a virtual machine port corresponding to the intranet configured with the second attribute.
4. The method of claim 3, further comprising:
according to modification requirements, modifying the VLAN ID of the internal virtual local area network and correspondingly modifying the first attribute of the internal virtual local area network;
and/or,
correspondingly modifying a second attribute of the virtual machine port according to the first attribute of the internal virtual local area network;
and/or modifying the virtual machine contained in the virtual local area network with the second attribute.
5. The method according to claim 1 or 2, characterized in that the method further comprises:
and identifying that the message is not from the virtual machine port with the first attribute according to the first flow table, and forwarding the message according to a third flow table and/or a fourth flow table.
6. The method according to claim 1 or 2, characterized in that the method further comprises:
and the virtual machine adds the inner layer VLAN ID and the outer layer VLAN ID into a message based on a QinQ technology, and forwards the message to the internal virtual switch through a virtual machine switching interface with the first attribute.
7. A message transmission apparatus, comprising:
a receiving module, configured to receive, at an internal virtual switch, a packet sent by a virtual machine through a virtual switch port with a first attribute, wherein the packet carries at least two layers of VLAN tag IDs; wherein the first attribute is the 'vlan-transparent' attribute;
the first forwarding module is used for identifying that the message comes from a virtual machine port with the first attribute according to a first flow table and forwarding the message to an external virtual switch;
and the processing module is used for stripping the outer VLAN ID in the at least two layers of VLAN IDs of the message after the external virtual switch receives the message, reserving the inner VLAN ID in the at least two layers of VLAN IDs and adding the segmented ID in the message.
8. The apparatus according to claim 7, wherein the first forwarding module is specifically configured to forward, by the internal virtual switch, the packet to the external virtual switch according to a second flow table.
9. The apparatus of claim 7 or 8, further comprising:
the division module is used for dividing the virtual machines corresponding to the tenants into different internal virtual local area networks;
an allocation module, configured to allocate the inner VLAN ID to the internal virtual local area network;
a first configuration module, configured to configure a second attribute for the internal virtual local area network if an inner VLAN ID is allocated for the internal virtual local area network;
and the second configuration module is used for setting the first attribute for the virtual machine port corresponding to the intranet configured with the second attribute.
10. The apparatus of claim 9, further comprising:
the modification module is used for modifying the VLAN ID of the internal virtual local area network and correspondingly modifying the first attribute of the internal virtual local area network according to modification requirements; and/or modifying the second attribute of the virtual machine port correspondingly according to the first attribute of the internal virtual local area network; and/or modifying the virtual machine contained in the virtual local area network with the second attribute.
11. The apparatus of claim 7 or 8, further comprising:
and the second forwarding module is used for identifying that the message is not from the virtual machine port with the first attribute according to the first flow table, and forwarding the message according to a third flow table and/or a fourth flow table.
12. The apparatus of claim 7 or 8, further comprising:
and the message module is used for adding the inner layer VLAN ID and the outer layer VLAN ID into a message by the virtual machine based on a QinQ technology and forwarding the message to the internal virtual switch through a virtual machine switching interface with the first attribute.
13. A processing node, comprising:
a memory;
a processor coupled to the memory for implementing the method provided by any of claims 1 to 6 by executing computer-executable instructions stored on the memory.
14. A computer storage medium having stored thereon computer-executable instructions that, when executed, are capable of performing the method provided by any one of claims 1 to 6.
Application CN201910275914.1A, filed 2019-04-08 (priority date 2019-04-08): Message transmission method and device, processing node and storage medium; status Active; granted as CN111800326B.

Publications: CN111800326A, published 2020-10-20; CN111800326B, published 2021-08-24.
