CN113162782B - Data center network configuration method and device - Google Patents


Info

Publication number
CN113162782B
Authority
CN
China
Prior art keywords
network
strategy
identifier
tuple
newly added
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
CN202010074275.5A
Other languages
Chinese (zh)
Other versions
CN113162782A (en)
Inventor
孔庆涛
贾荣明
Assignee (current and original, as listed by Google Patents; not legally verified)
China Mobile Communications Group Co Ltd
China Mobile Group Shandong Co Ltd
Filing and publication
Application CN202010074275.5A filed by China Mobile Communications Group Co Ltd and China Mobile Group Shandong Co Ltd; priority to CN202010074275.5A; published as CN113162782A; granted as CN113162782B (priority date as assumed by Google Patents, not a legal conclusion).

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0893 Assignment of logical groups to network elements

Abstract

The invention relates to a method and device for configuring a data center network. The method comprises: receiving a network configuration request sent by a tenant, the request carrying a newly added network policy and the service identifier to which that policy belongs; judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier, each network policy carrying an issue identifier that is either a first preset identifier (explicit, i.e. issued to the devices) or a second preset identifier (implicit, i.e. masked); if so, deduplicating the newly added network policy against the existing network policy to obtain the deduplicated network policy; and sending a network policy synchronization message containing the deduplicated network policy to the network devices. The technical scheme of the embodiments addresses the large network load caused by non-standard network configuration in the prior art.

Description

Data center network configuration method and device
[ technical field ]
The invention relates to the technical field of computers, in particular to a data center network configuration method and device.
[ background of the invention ]
Network devices are an important component of data centers. A large data center has many kinds of network devices in large numbers, and a network management platform is usually used to manage and configure them. Although such a platform provides unified monitoring and management of large device fleets, it essentially logs in to each device to execute configuration commands, so configuration remains difficult, labor-intensive and error-prone. As data centers keep growing, the problem becomes more prominent.
In recent years, thanks to the rapid development of cloud computing and virtualization, Software Defined Networking (SDN) has emerged with the aim of breaking the barriers of traditional networking. SDN separates the control plane from the data plane and centralizes the control functions of all devices, which facilitates unified resource scheduling, enables automatic deployment of network services, and improves the flexibility, scalability and evolvability of the network architecture. SDN is still developing, with many competing approaches, and all major domestic and foreign network vendors are actively promoting SDN solutions.
At present, a cloud-network integration scheme is the common SDN solution: the cloud platform interfaces with the virtual machine manager and the software defined network controller through open interfaces, and the tenant logs in to the cloud platform to configure and issue the network. In this scheme, Virtual Private Clouds (VPCs) provide security isolation and mutual access between VPCs is controlled by a firewall, but fine-grained management of network policies is not possible. When a service is decommissioned it is hard to reclaim all of its network configuration, which leaves a security hazard, and if the service's subnet planning is not standardized, other services may be affected. Moreover, within the same VPC, successively configured network policies may stand in an inclusion relationship, so redundant configuration entries accumulate on the network devices over time and degrade their performance.
[ summary of the invention ]
In view of this, embodiments of the present invention provide a method and apparatus for configuring a data center network, to solve the problem in the prior art that non-standard network configuration causes a large network load.
To achieve the above object, in a first aspect, the present invention provides a data center network configuration method, comprising:
receiving a network configuration request sent by a tenant, the request carrying a newly added network policy and the service identifier to which the newly added network policy belongs; judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier, each network policy carrying an issue identifier that is either a first preset identifier (explicit) or a second preset identifier (implicit); if so, deduplicating the newly added network policy against the existing network policy to obtain the deduplicated network policy; and sending a network policy synchronization message containing the deduplicated network policy to the network devices.
With reference to the first aspect, in one possible implementation, the network policy includes a plurality of tuples, each tuple representing a type of network configuration, each tuple including a plurality of elements, each element representing a corresponding one of the fields in the network configuration.
With reference to the first aspect, in a possible implementation, judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier comprises:
calculating, according to a preset operation, the inclusion relationship between tuples of the same type in the newly added network policy and the existing network policy, where m denotes a tuple of the newly added network policy and n denotes a tuple of the existing network policy;
when tuple n contains tuple m, setting the issue identifier of tuple m to the second preset identifier and the issue identifier of tuple n to the first preset identifier; or
when tuple n equals tuple m, comparing the configuration times of tuple m and tuple n, setting the issue identifier of the tuple configured first to the first preset identifier and that of the tuple configured later to the second preset identifier; or
when tuple m contains tuple n, setting the issue identifier of tuple m to the first preset identifier and the issue identifier of tuple n to the second preset identifier.
With reference to the first aspect, in a possible implementation, deduplicating the newly added network policy against the existing network policy to obtain the deduplicated network policy comprises:
setting the issue identifier of a newly added network policy that has no inclusion relationship with any existing network policy to the first preset identifier;
computing, according to a preset calculation, the newly added network policy that has an inclusion relationship with an existing network policy to obtain the network policy with the widest range;
and setting the issue identifier of the widest-range network policy to the first preset identifier and the issue identifiers of the other network policies to the second preset identifier.
With reference to the first aspect, in a possible implementation, computing the newly added network policy that has an inclusion relationship with an existing network policy to obtain the widest-range network policy comprises:
when the newly added network policy contains the existing network policy, setting the issue identifier of the newly added network policy to the first preset identifier and updating the issue identifier of the existing network policy from the first preset identifier to the second preset identifier;
and when the existing network policy contains the newly added network policy, setting the issue identifier of the newly added network policy to the second preset identifier.
With reference to the first aspect, in a possible implementation, after the deduplication the method further comprises:
deleting the existing network policy that is contained by the newly added network policy.
With reference to the first aspect, in a possible implementation, after sending the network policy synchronization message to the network devices, the method further comprises:
receiving a network policy deletion request sent by the tenant, the request carrying the network policy to be deleted;
reading the issue identifier of the network policy to be deleted;
if the issue identifier of the policy to be deleted is the first preset identifier, querying whether the policy to be deleted has subordinate network policies carrying the second preset identifier; if so, selecting a target network policy among those subordinates and updating its issue identifier from the second preset identifier to the first preset identifier; then deleting the network policy to be deleted;
and if the issue identifier of the policy to be deleted is the second preset identifier, deleting the network policy to be deleted.
To achieve the above object, in a second aspect, the present invention provides a data center network configuration apparatus, comprising:
a receiving unit for receiving a network configuration request sent by a tenant, the request carrying a newly added network policy and the service identifier of the newly added network policy;
a judging unit for judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier, each network policy carrying an issue identifier that is either a first preset identifier (explicit) or a second preset identifier (implicit);
a deduplication unit for deduplicating the newly added network policy against the existing network policy when an inclusion relationship exists, to obtain the deduplicated network policy;
and a sending unit for sending a network policy synchronization message containing the deduplicated network policy to the network devices.
To achieve the above object, in a third aspect, the present invention provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the above-mentioned data center network configuration method.
In order to achieve the above object, in a fourth aspect, the present invention provides a computer device comprising: at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the data center network configuration method described above.
In this scheme, network policies are configured and managed with the service as the center, which enables fine-grained policy management. During network configuration the issue identifier provides automatic deduplication: inclusion relationships between network policies are recognized automatically and the contained policies are masked, with the deduplication fully transparent to tenants. This effectively solves the prior-art problem of large network load caused by non-standard network configuration.
[ description of the drawings ]
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The drawings show only some embodiments of the present invention, and those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic architecture diagram of a cloud network integration scheme networking provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a data center network configuration scheme provided by an embodiment of the invention;
fig. 3 is a flowchart illustrating a data center network configuration method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a method for computing a routing configuration tuple according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data center network configuration device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an alternative computer apparatus provided by an embodiment of the present invention.
[ detailed description ]
In order to better understand the technical scheme of the invention, the following detailed description of the embodiments of the invention is made with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the description of the invention and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely a binding relationship that describes a binding object, meaning that three relationships may exist, e.g., A and/or B, may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter binding objects are in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used to describe the terminals in the embodiments of the present invention, the terminals should not be limited by these terms. These terms are only used to distinguish one terminal from another. For example, a first terminal may also be referred to as a second terminal, and similarly, a second terminal may also be referred to as a first terminal, without departing from the scope of embodiments of the present invention.
The word "if" as used herein may be interpreted as "at the time of …", "when …", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrases "if determined" or "if (a stated condition or event) is detected" may be interpreted as "when determined", "in response to determining", "when (a stated condition or event) is detected" or "in response to detecting (a stated condition or event)", depending on the context.
Fig. 1 is a schematic diagram of the architecture of the prior-art cloud-network integration scheme. As shown in fig. 1, the cloud platform interfaces with the Virtual Private Cloud (VPC) and the Software Defined Network (SDN) controller through open interfaces. The tenant logs in to the cloud platform's portal to configure the network and issue the configuration. The SDN controller translates the configuration into commands the network devices understand and issues them to the physical and virtual network devices over standard protocols such as NETCONF or OpenFlow.
The cloud-network integration scheme supports rapid and flexible deployment of services, pools network resources and greatly eases network operation and maintenance, but some functions still need optimization, especially network configuration. The network configuration discussed here is the configuration issued from the cloud platform's network configuration portal, including routing policy, firewall policy and security group policy configuration.
First, the cloud-network integration scheme uses virtual private clouds for security isolation and controls mutual access between VPCs with a firewall, which is essentially no different from a traditional network that isolates services with Virtual Routing and Forwarding (VRF) instances. Maximum isolation is obtained by assigning one or more VPCs per service. In practice, however, especially in private clouds, there are many "large tenants" whose multiple services must interact in real time with modest access-control requirements between them, so multiple services are often deployed in the same VPC.
Different services have different network configurations, and even within one service the sub-modules differ. A VPC-based configuration model therefore cannot manage network policies at fine granularity. When a service is decommissioned it is hard to reclaim all of its network configuration, which leaves a security hazard; if the service's subnet planning is not standardized, other services may be affected; and non-standard network configuration easily produces a large network load.
Second, network configuration is not fixed but is continually adjusted to service requirements. Within the same VPC, successively configured network policies may stand in an inclusion relationship, so redundant configuration entries accumulate on the network devices over time and degrade their performance.
The proposed data center network configuration system comprises a cloud platform and a network configuration module.
In a cloud platform, a Virtual Data Center (VDC) is a set of available resources, including computing, storage and network resources; the tenant, which may be an organization or an individual, is the actual owner and manager of the VDC. This scheme adds a service view to the cloud platform VDC: the tenant creates a service before allocating resources, then allocates the required computing, storage and network resources around that service, and finally configures the network policies. Services and virtual private clouds can be planned flexibly for different scenarios, as shown in fig. 2, a schematic diagram of the data center network configuration scheme provided by an embodiment of the present invention.
This service-oriented configuration method enables fine-grained management of network policies and makes querying, adding, modifying and reclaiming them convenient.
Fig. 3 is a schematic flowchart of a data center network configuration method according to an embodiment of the present invention, where as shown in fig. 3, the method includes:
step S01, receiving a network configuration request sent by a tenant, the request carrying a newly added network policy and the service identifier to which the newly added network policy belongs;
step S02, judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier, each network policy carrying an issue identifier that is either a first preset identifier (explicit) or a second preset identifier (implicit);
step S03, if so, deduplicating the newly added network policy against the existing network policy to obtain the deduplicated network policy;
and step S04, sending a network policy synchronization message containing the deduplicated network policy to the network devices.
Network policies are represented as tuples. Specifically, a network configuration consists of several tuples, each representing one type of configuration such as routing, firewall policy or security group; the first tuple, for example, represents the routing configuration. Each tuple comprises several elements, each element representing one field of that configuration.
For example, the routing configuration may be represented as a 4-tuple i = <i1, i2, i3, i4>, where elements i1 to i4 represent "VRF (virtual router)", "destination address segment", "next hop address/egress" and "routing priority" respectively.
The firewall policy may be represented as a 6-tuple j = <j1, j2, j3, j4, j5, j6>, where elements j1 to j6 represent "vsys (virtual firewall)", "protocol type", "source address segment", "source port", "destination address segment" and "destination port" respectively.
Each tuple carries several attributes of the network configuration, as listed in Table 1.
TABLE 1 Attribute definition table (image only)
Further, step S02, judging whether an inclusion relationship exists between the newly added network policy and an existing network policy with the same service identifier, specifically comprises:
calculating, according to a preset operation, the inclusion relationship between tuples of the same type in the newly added network policy and the existing network policy, where m denotes a tuple of the newly added network policy and n denotes a tuple of the existing network policy;
when tuple n contains tuple m, setting the issue identifier of tuple m to the second preset identifier and the issue identifier of tuple n to the first preset identifier; or
when tuple n equals tuple m, comparing the configuration times of tuple m and tuple n, setting the issue identifier of the tuple configured first to the first preset identifier and that of the tuple configured later to the second preset identifier; or
when tuple m contains tuple n, setting the issue identifier of tuple m to the first preset identifier and the issue identifier of tuple n to the second preset identifier.
It will be appreciated that different tuple types use different operations.
Specifically, when comparing the configuration times of tuple m and tuple n, for a routing policy the configuration times of the "destination address segment" elements are compared; for a firewall policy the configuration times of the address segment elements and the port elements are compared together.
Further, the tuple operation can be implemented in several ways. Taking the routing configuration as an example, fig. 4 is a schematic diagram of the routing configuration tuple operation provided by an embodiment of the present application.
The routing configuration comprises a first tuple m = <m1, m2, m3, m4> and a second tuple n = <n1, n2, n3, n4>, where element 1 is the "VRF", element 2 the "destination address segment", element 3 the "next hop address/egress" and element 4 the "routing priority". Let M2 denote the binary sequence of the network bits of destination address segment m2 and L(M2) its length; likewise N2 is the network-bit binary sequence of destination address segment n2 and L(N2) its length.
For example, if m2 = 192.168.10.0/24, then M2 = 110000001010100000001010 (24 bits);
if n2 = 192.168.10.128/25, then N2 = 1100000010101000000010101 (25 bits).
As shown in fig. 4:
first, judge whether elements 1, 3 and 4 of the first tuple and the second tuple are the same;
if any of element 1, element 3 or element 4 differs, the first tuple m and the second tuple n have no inclusion relationship;
if element 1, element 3 and element 4 are all the same, compare the lengths of the network-bit binary sequences of element 2 of the two tuples.
Case 1:
when the network-bit sequences of element 2 have the same length, further judge whether element 2 of the first tuple equals element 2 of the second tuple; if they differ, the two tuples have no inclusion relationship;
if they are equal, compare the configuration times of the destination address segment (element 2) in the first and second tuples;
if element 2 of the first tuple was configured later than element 2 of the second tuple, the second tuple contains the first tuple;
if element 2 of the first tuple was configured before element 2 of the second tuple, the first tuple contains the second tuple.
Case 2:
when the network-bit sequence of element 2 of the first tuple is longer than that of the second tuple, take the first L(N2) bits of element 2 of the first tuple;
if the truncated sequence equals the network-bit sequence of element 2 of the second tuple, the second tuple contains the first tuple;
otherwise the first tuple m and the second tuple n have no inclusion relationship.
Case 3:
when the network-bit sequence of element 2 of the first tuple is shorter than that of the second tuple, take the first L(M2) bits of element 2 of the second tuple;
if the truncated sequence equals the network-bit sequence of element 2 of the first tuple, the first tuple contains the second tuple;
otherwise the first tuple m and the second tuple n have no inclusion relationship.
In this embodiment the network configuration is represented by tuples, so determining the inclusion relationship between policies becomes a relational operation on tuples. Only tuples of the same type can be related to each other.
Step S03, deduplicating the newly added network policy against the existing network policy to obtain the deduplicated network policy, specifically comprises:
setting the issue identifier of a newly added network policy that has no inclusion relationship with any existing network policy to the first preset identifier;
computing, according to a preset calculation, the newly added network policy that has an inclusion relationship with an existing network policy to obtain the network policy with the widest range;
and setting the issue identifier of the widest-range network policy to the first preset identifier and the issue identifiers of the other network policies to the second preset identifier.
In this embodiment, the issue identifier of an existing network policy is the first preset identifier, that is, the existing policy is explicit.
It can be understood that once a network policy's issue identifier is set to "implicit", the policy is automatically masked when policies are issued to the network devices.
Further, computing the newly added network policy that has an inclusion relationship with an existing network policy to obtain the widest-range network policy comprises:
Case 1: when the newly added network policy a contains the existing network policy b, setting the issue identifier of a to the first preset identifier and updating the issue identifier of b from the first preset identifier to the second preset identifier;
Case 2: when the existing network policy b contains the newly added network policy a, setting the issue identifier of a to the second preset identifier.
Further, in case 1, after setting the issue identifier of the newly added network policy to the first preset identifier and updating the issue identifier of the existing network policy to the second preset identifier, the method further comprises:
deleting the existing network policy that is contained by the newly added network policy.
Further, the method further includes:
receiving a network policy deletion request sent by a tenant, where the deletion request carries the network policy to be deleted;
reading the issuing identifier of the policy c to be deleted;
if the issuing identifier of the policy c to be deleted is the first preset identifier, querying whether the policy c has subordinate policies carrying the second preset identifier; if so, selecting a target policy from the subordinate policies and updating the issuing identifier of the target policy from the second preset identifier to the first preset identifier; and deleting the network policy to be deleted;
and if the issuing identifier of the policy c to be deleted is the second preset identifier, deleting the network policy to be deleted.
Further, when the tenant needs to modify a network policy, after step S03 the method further includes:
deleting the existing network policy contained in the newly added network policy.
It can be understood that modifying a network policy is equivalent to first adding the new policy and then deleting the original policy, so the details are not repeated here.
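The explicit/hidden bookkeeping of steps S02 and S03 and the deletion flow above, as an added example that is not the patent's own code. It models each network policy as one tuple whose element 2 is an IPv4 prefix, decides inclusion by truncating the longer network binary sequence to the shorter prefix length as the page describes, and uses the constructed names `EXPLICIT`/`HIDDEN` for the first and second preset identifiers; on deletion it goes beyond the single target in the text and promotes every hidden subordinate that no remaining explicit policy still covers, so no rule silently drops out of the synchronization message.

```python
"""Explicit/hidden deduplication of tenant network policies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

EXPLICIT = "explicit"  # first preset identifier: issued to the network device
HIDDEN = "hidden"      # second preset identifier: masked when issuing


@dataclass
class Policy:
    policy_id: str
    service_id: str      # policies are only compared within one service
    tuple_type: str      # e.g. "acl": only tuples of the same type compare
    cidr: str            # element 2: network address with prefix length
    config_time: int     # configuration timestamp, decides the equal case
    issue_flag: str = EXPLICIT

    def bits(self) -> str:
        """Network binary sequence truncated to the prefix length."""
        net = ipaddress.IPv4Network(self.cidr, strict=False)
        return format(int(net.network_address), "032b")[: net.prefixlen]


def relation(m: Policy, n: Policy) -> Optional[str]:
    """Inclusion of tuple m (newly added) against tuple n (existing):
    'equal', 'n_contains_m', 'm_contains_n' or None for no relation."""
    if m.tuple_type != n.tuple_type or m.service_id != n.service_id:
        return None
    bm, bn = m.bits(), n.bits()
    if bm == bn:
        return "equal"
    # truncate the longer sequence to the shorter length, then compare
    if len(bn) < len(bm) and bm[: len(bn)] == bn:
        return "n_contains_m"
    if len(bm) < len(bn) and bn[: len(bm)] == bm:
        return "m_contains_n"
    return None


def covers(wide: Policy, narrow: Policy) -> bool:
    return relation(narrow, wide) in ("equal", "n_contains_m")


class PolicyStore:
    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}

    def add(self, new: Policy) -> str:
        """Steps S02/S03: decide inclusion, then set issuing identifiers.
        Returns the issuing identifier given to the new policy."""
        new.issue_flag = EXPLICIT
        for old in self.policies.values():
            rel = relation(new, old)
            if rel == "n_contains_m":                        # case 2
                new.issue_flag = HIDDEN
            elif rel == "equal" and old.config_time <= new.config_time:
                new.issue_flag = HIDDEN                      # earlier one wins
        if new.issue_flag == EXPLICIT:
            for old in self.policies.values():
                if relation(new, old) in ("m_contains_n", "equal"):  # case 1
                    old.issue_flag = HIDDEN
        self.policies[new.policy_id] = new
        return new.issue_flag

    def delete(self, policy_id: str) -> List[str]:
        """Tenant deletion request; returns ids of promoted subordinates."""
        gone = self.policies.pop(policy_id)
        promoted: List[str] = []
        if gone.issue_flag == HIDDEN:          # hidden: nothing else changes
            return promoted
        subs = [p for p in self.policies.values()
                if p.issue_flag == HIDDEN and covers(gone, p)]
        subs.sort(key=lambda p: len(p.bits()))  # widest prefix first
        for sub in subs:
            still_covered = any(q.issue_flag == EXPLICIT and q is not sub
                                and covers(q, sub) for q in self.policies.values())
            if not still_covered:
                sub.issue_flag = EXPLICIT
                promoted.append(sub.policy_id)
        return promoted

    def sync_message(self) -> List[str]:
        """Synchronization message content: hidden policies are masked."""
        return sorted(p.cidr for p in self.policies.values()
                      if p.issue_flag == EXPLICIT)


def demo() -> dict:
    """Constructed sample scenario for one service identifier."""
    store, svc = PolicyStore(), "svc-web"
    store.add(Policy("p1", svc, "acl", "10.1.0.0/16", 1))
    store.add(Policy("p2", svc, "acl", "10.1.4.0/24", 2))  # inside p1: hidden
    store.add(Policy("p3", svc, "acl", "10.1.4.0/24", 3))  # equals p2, later: hidden
    store.add(Policy("p4", svc, "acl", "10.2.0.0/16", 4))  # unrelated: explicit
    before = store.sync_message()
    store.add(Policy("p5", svc, "acl", "10.0.0.0/8", 5))   # widest: hides p1, p4
    after_add = store.sync_message()
    promoted = store.delete("p5")                           # p1 and p4 come back
    return {"before": before, "after_add": after_add,
            "promoted": promoted, "after_delete": store.sync_message()}


if __name__ == "__main__":
    print(demo())
```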
In this scheme, network policies are configured and managed with the service as the center, which realizes fine-grained management of network policies, facilitates querying, adding, modifying and reclaiming network policies, and avoids the potential safety hazard caused by incomplete reclamation of network policies. During network configuration, automatic deduplication is realized through the issuing identifier: inclusion relations among network policies are identified automatically, the contained network policies are masked, redundant configuration entries in the network are effectively reduced, the network load is effectively reduced, and the deduplication process is completely transparent to tenants, which effectively solves the problem of heavy network load caused by non-standard network configuration in the prior art.
Fig. 5 shows a data center network configuration apparatus according to an embodiment of the present invention. As shown in fig. 5, the apparatus includes a receiving unit 10, a judging unit 20, a deduplication unit 30, and a sending unit 40.
The receiving unit 10 is configured to receive a network configuration request sent by a tenant, where the network configuration request carries a newly added network policy and the service identifier to which the newly added network policy belongs;
the judging unit 20 is configured to judge whether an inclusion relation exists between the newly added network policy and the existing network policy, where the network policy is provided with an issuing identifier, and the issuing identifier includes a first preset identifier indicating "explicit" and a second preset identifier indicating "hidden";
the deduplication unit 30 is configured to perform deduplication processing on the newly added network policy and the existing network policy if an inclusion relation exists, to obtain a deduplicated network policy;
the sending unit 40 is configured to send a network policy synchronization message to the network device, where the synchronization message includes the deduplicated network policy.
The judging unit 20 includes a calculation subunit, a first processing subunit, a second processing subunit, and a third processing subunit.
The calculation subunit is configured to calculate, according to a preset operation mode, the inclusion relation between tuples of the same type in the newly added network policy and the existing network policy;
the first processing subunit is configured to, when tuple n contains tuple m, set the issuing identifier of tuple m as the second preset identifier and set the issuing identifier of tuple n as the first preset identifier, where m denotes a tuple in the newly added network policy and n denotes a tuple in the existing network policy;
the second processing subunit is configured to, when tuple n is equal to tuple m, compare the configuration time of tuple m with the configuration time of tuple n, set the issuing identifier of the tuple configured first as the first preset identifier, and set the issuing identifier of the tuple configured later as the second preset identifier; or
the third processing subunit is configured to, when tuple m contains tuple n, set the issuing identifier of tuple m as the first preset identifier and set the issuing identifier of tuple n as the second preset identifier.
Optionally, the deduplication unit 30 includes a first setting subunit, a second setting subunit, and a third setting subunit.
The first setting subunit is configured to set the issuing identifier of a newly added network policy that has no inclusion relation with the existing network policy as the first preset identifier;
the second setting subunit is configured to calculate, according to a preset calculation mode, the newly added network policy that has an inclusion relation with the existing network policy, to obtain the network policy with the largest range;
and the third setting subunit is configured to set the issuing identifier of the network policy with the largest range as the first preset identifier, and set the issuing identifiers of the other network policies as the second preset identifier.
Optionally, the apparatus further comprises a deletion unit.
The deletion unit is configured to delete the existing network policy contained in the newly added network policy.
Optionally, the apparatus further comprises a second receiving unit, a reading unit, and a processing unit.
The second receiving unit is configured to receive a network policy deletion request sent by a tenant, where the deletion request carries the network policy to be deleted;
the reading unit is configured to read the issuing identifier of the network policy to be deleted;
the processing unit is configured to, if the issuing identifier of the policy to be deleted is the first preset identifier, query whether the policy to be deleted has subordinate network policies carrying the second preset identifier; if so, select a target network policy from the subordinate network policies and update the issuing identifier of the target network policy from the second preset identifier to the first preset identifier; and delete the network policy to be deleted;
and the deletion unit is further configured to delete the network policy to be deleted if the issuing identifier of the policy to be deleted is the second preset identifier.
In this scheme, network policies are configured and managed with the service as the center, which realizes fine-grained management of network policies, facilitates querying, adding, modifying and reclaiming network policies, and avoids the potential safety hazard caused by incomplete reclamation of network policies. During network configuration, the issuing identifier realizes automatic deduplication: inclusion relations among network policies are identified automatically, the contained network policies are masked, redundant configuration entries in the network are effectively reduced, the network load is effectively reduced, and the deduplication process is completely transparent to tenants, which effectively solves the problem of heavy network load caused by non-standard network configuration in the prior art.
An embodiment of the present invention provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions cause a computer to perform the following steps:
receiving a network configuration request sent by a tenant, where the network configuration request carries a newly added network policy and the service identifier to which the newly added network policy belongs; judging whether an inclusion relation exists between the newly added network policy and the existing network policy with the same service identifier, where the network policy is provided with an issuing identifier, and the issuing identifier includes a first preset identifier indicating "explicit" and a second preset identifier indicating "hidden"; if so, performing deduplication processing on the newly added network policy and the existing network policy to obtain a deduplicated network policy; and sending a network policy synchronization message to the network device, where the synchronization message includes the deduplicated network policy.
Optionally, the computer instructions cause the computer to further perform the steps of: the network policy includes a plurality of tuples, each tuple representing one type of network configuration, each tuple including a plurality of elements, and each element representing a corresponding field of the network configuration.
Optionally, the computer instructions cause the computer to further perform the steps of:
calculating, according to a preset operation mode, the inclusion relation between tuples of the same type in the newly added network policy and the existing network policy; when tuple n contains tuple m, setting the issuing identifier of tuple m as the second preset identifier and setting the issuing identifier of tuple n as the first preset identifier, where m denotes a tuple in the newly added network policy and n denotes a tuple in the existing network policy; or when tuple n is equal to tuple m, comparing the configuration time of tuple m with the configuration time of tuple n, setting the issuing identifier of the tuple configured first as the first preset identifier, and setting the issuing identifier of the tuple configured later as the second preset identifier; or when tuple m contains tuple n, setting the issuing identifier of tuple m as the first preset identifier and setting the issuing identifier of tuple n as the second preset identifier.
Optionally, the computer instructions cause the computer to further perform the steps of:
setting the issuing identifier of a newly added network policy that has no inclusion relation with the existing network policy as the first preset identifier; calculating, according to a preset calculation mode, the newly added network policy that has an inclusion relation with the existing network policy, to obtain the network policy with the largest range; and setting the issuing identifier of the network policy with the largest range as the first preset identifier, and setting the issuing identifiers of the other network policies as the second preset identifier.
Optionally, the computer instructions cause the computer to further perform the steps of:
when the newly added network policy contains the existing network policy, setting the issuing identifier of the newly added network policy as the first preset identifier, and updating the issuing identifier of the existing network policy from the first preset identifier to the second preset identifier; and when the existing network policy contains the newly added network policy, setting the issuing identifier of the newly added network policy as the second preset identifier.
Optionally, the computer instructions cause the computer to further perform the steps of:
deleting the existing network policy contained in the newly added network policy.
Fig. 6 is a schematic diagram of a computer device 300 according to an embodiment of the present invention. As shown in fig. 6, the computer device 300 of this embodiment includes: at least one processor 310 and a communication interface 320; and at least one memory 330 communicatively coupled to the processor 310, where the memory 330 stores program instructions executable by the processor 310, and the processor 310 calls the program instructions to perform the data center network configuration method described above. To avoid repetition, the method is not described again here.
The computer device 300 may be a desktop computer, a notebook computer, a palm computer, a cloud server, or another computer device. The computer device may include, but is not limited to, a processor 310, a communication interface 320, and a memory 330. Those skilled in the art will appreciate that fig. 3 is merely an example of a computer device 300 and does not limit the computer device 300, which may include more or fewer components than those shown, or combine some of the components, or have different components; for example, the computer device may also include a communication bus 340.
The processor 101 may be a central processing unit (CPU), another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 330 may be an internal storage unit of the computer device 300, such as a hard disk or a memory of the computer device 300. The memory 330 may also be an external storage device of the computer device 300, such as a plug-in hard disk provided on the computer device 300, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and the like. Further, the memory 330 may include both internal storage units of the computer device 300 and external storage devices. The memory 330 is used to store program instructions and other programs and data required by the computer device. The memory 330 may also be used to temporarily store data that has been output or is to be output.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit, may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) or a processor to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (9)

1. A method for configuring a data center network, the method comprising:
receiving a network configuration request sent by a tenant, wherein the network configuration request carries a newly added network policy and a service identifier to which the newly added network policy belongs;
judging whether an inclusion relation exists between the newly added network policy and an existing network policy with the same service identifier, wherein the network policy is provided with an issuing identifier, and the issuing identifier comprises a first preset identifier indicating "explicit" and a second preset identifier indicating "hidden";
if so, performing deduplication processing on the newly added network policy and the existing network policy to obtain a deduplicated network policy;
sending a network policy synchronization message to a network device, wherein the synchronization message comprises the deduplicated network policy;
wherein the performing deduplication processing on the newly added network policy and the existing network policy to obtain a deduplicated network policy comprises:
setting the issuing identifier of a newly added network policy that has no inclusion relation with the existing network policy as the first preset identifier;
calculating, according to a preset calculation mode, the newly added network policy that has an inclusion relation with the existing network policy, to obtain the network policy with the largest range;
and setting the issuing identifier of the network policy with the largest range as the first preset identifier, and setting the issuing identifiers of the other network policies as the second preset identifier.
2. The method of claim 1, wherein the network policy comprises a plurality of tuples, each tuple representing a type of network configuration, each tuple comprising a plurality of elements, each element representing a corresponding one of the fields in the network configuration.
3. The method of claim 1, wherein the judging whether an inclusion relation exists between the newly added network policy and an existing network policy having the same service identifier comprises:
calculating, according to a preset operation mode, the inclusion relation between tuples of the same type in the newly added network policy and the existing network policy;
when tuple n contains tuple m, setting the issuing identifier of tuple m as the second preset identifier, and setting the issuing identifier of tuple n as the first preset identifier, wherein m denotes a tuple in the newly added network policy and n denotes a tuple in the existing network policy; or
when tuple n is equal to tuple m, comparing the configuration time of tuple m with the configuration time of tuple n, setting the issuing identifier of the tuple configured first as the first preset identifier, and setting the issuing identifier of the tuple configured later as the second preset identifier; or
when tuple m contains tuple n, setting the issuing identifier of tuple m as the first preset identifier, and setting the issuing identifier of tuple n as the second preset identifier.
4. The method of claim 1, wherein the calculating, according to a preset calculation mode, the newly added network policy that has an inclusion relation with the existing network policy to obtain the network policy with the largest range comprises:
when the newly added network policy contains the existing network policy, setting the issuing identifier of the newly added network policy as the first preset identifier, and updating the issuing identifier of the existing network policy from the first preset identifier to the second preset identifier;
and when the existing network policy contains the newly added network policy, setting the issuing identifier of the newly added network policy as the second preset identifier.
5. The method according to any one of claims 1 to 3, wherein after the performing deduplication processing on the newly added network policy and the existing network policy to obtain a deduplicated network policy, the method further comprises:
deleting the existing network policy contained in the newly added network policy.
6. The method of claim 1, further comprising:
receiving a network policy deletion request sent by the tenant, wherein the deletion request carries a network policy to be deleted;
reading the issuing identifier of the network policy to be deleted;
if the issuing identifier of the policy to be deleted is the first preset identifier, querying whether the policy to be deleted has subordinate network policies provided with the second preset identifier; if so, selecting a target network policy from the subordinate network policies, and updating the issuing identifier of the target network policy from the second preset identifier to the first preset identifier; and deleting the network policy to be deleted;
and if the issuing identifier of the policy to be deleted is the second preset identifier, deleting the network policy to be deleted.
7. A data center network configuration apparatus, the apparatus comprising:
a receiving unit, configured to receive a network configuration request sent by a tenant, wherein the network configuration request carries a newly added network policy and a service identifier to which the newly added network policy belongs;
a judging unit, configured to judge whether an inclusion relation exists between the newly added network policy and an existing network policy with the same service identifier, wherein the network policy is provided with an issuing identifier, and the issuing identifier comprises a first preset identifier indicating "explicit" and a second preset identifier indicating "hidden";
a deduplication unit, configured to perform deduplication processing on the newly added network policy and the existing network policy if the inclusion relation exists, to obtain a deduplicated network policy;
a sending unit, configured to send a network policy synchronization message to a network device, wherein the synchronization message comprises the deduplicated network policy;
wherein the deduplication unit comprises a first setting subunit, a second setting subunit and a third setting subunit;
the first setting subunit is configured to set the issuing identifier of a newly added network policy that has no inclusion relation with the existing network policy as the first preset identifier;
the second setting subunit is configured to calculate, according to a preset calculation mode, the newly added network policy that has an inclusion relation with the existing network policy, to obtain the network policy with the largest range;
and the third setting subunit is configured to set the issuing identifier of the network policy with the largest range as the first preset identifier, and set the issuing identifiers of the other network policies as the second preset identifier.
8. A non-transitory computer readable storage medium storing computer instructions, wherein the computer instructions cause the computer to perform the data center network configuration method of any one of claims 1 to 6.
9. A computer device comprising at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and wherein the processor invokes the program instructions to perform the data center network configuration method of any of claims 1-6.
Application CN202010074275.5A, priority date 2020-01-22, filing date 2020-01-22: Data center network configuration method and device (Active, published as CN113162782B).
Publications (2)

Publication Number Publication Date
CN113162782A 2021-07-23
CN113162782B 2022-12-09
Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant