Disclosure of Invention
The invention aims to provide a method for implementing external network multi-line access based on OpenStack, so that the services of different network access providers (operators) can be connected to one OpenStack cluster. Tenants at the bottom layer can easily obtain the network resources of different operators by using differently formatted IP modes, so that flexible, freely controllable access to and allocation of multi-network resources is realized.
To achieve the above object, the present invention provides a method for implementing external network multi-line access based on OpenStack, comprising:
acquiring the IP addresses of the operators;
aggregating and mapping the acquired IP addresses to an intranet address segment with a preset number of bits;
on a virtual router created by the Neutron component of OpenStack, setting, in gateway-setting mode, an external gateway connected to a first preset IP, so that a first interface is formed in the virtual router, a second preset IP of the first interface being used to connect the external network;
creating a plurality of virtual routing table files in the virtual router, each virtual routing table file corresponding to one operator;
creating policy routes in the virtual router that associate different addresses with the virtual routing tables;
connecting the tenant network to the virtual router and generating a second interface in the router, the IP of the second interface being the internal gateway address of the tenant network and used to connect the internal network;
configuring floating IPs on the external interface of the virtual router through the Neutron component, and setting the processing rules for the floating IPs in the virtual routing table files, the processing rules comprising: when the router receives a packet from the external network whose destination address is the first floating IP, the destination address is rewritten to the IP of the first tenant, so that the received external network packet is delivered to the first tenant; and when the first tenant sends data to the external network, the source address is rewritten to the second floating IP.
In one implementation, the step of aggregating and mapping the acquired IP addresses to an intranet address segment with a preset number of bits comprises:
implementing netmap on the external interface, and aggregating and mapping the acquired IP addresses to a 16-bit intranet address segment.
The method for implementing external network multi-line access based on OpenStack provided by the embodiment of the invention has the following advantages: multiple operators can be accessed, tolerance for the access mode is high, the existing network environment does not need to be changed, and even traditional networks remain compatible. All operations are completed in the OpenStack platform layer, the user does not perceive them, no server needs to be intruded upon, and the risk is low. Switching resources is simple and flexible, and the requirements placed on operators are reduced.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention.
As shown in fig. 1-3, the present invention provides a method for implementing external network multi-line access based on OpenStack, comprising:
s101, acquiring the IP addresses of the operators;
s102, aggregating and mapping the acquired IP addresses to an intranet address segment with a preset number of bits;
s103, on a virtual router created by the Neutron component of OpenStack, setting, in gateway-setting mode, an external gateway connected to a first preset IP, so that a first interface is formed in the virtual router, a second preset IP of the first interface being used to connect the external network;
s104, creating a plurality of virtual routing table files in the virtual router, each virtual routing table file corresponding to one operator;
s105, creating policy routes in the virtual router that associate different addresses with the virtual routing tables;
s106, connecting the tenant network to the virtual router and generating a second interface in the router, the IP of the second interface being the internal gateway address of the tenant network and used to connect the internal network;
s107, configuring floating IPs on the external interface of the virtual router through the Neutron component, and setting the processing rules for the floating IPs in the virtual routing table files, the processing rules comprising: when the router receives a packet from the external network whose destination address is the first floating IP, the destination address is rewritten to the IP of the first tenant, so that the received external network packet is delivered to the first tenant; and when the first tenant sends data to the external network, the source address is rewritten to the second floating IP.
In general, an external network interface in an OpenStack platform carries only the public network address segment and gateway of a single operator; the method and system replace part of the programs in the network service. The addresses of several operators are abstracted into one 16-bit intranet address segment, different addresses within that segment are assigned to the networks of different operators, and the tenant's virtual machine is given an address from the abstracted intranet segment, so that it does not perceive a switch of the public network address.
It should be noted that Neutron is a core component of OpenStack, positioned as NaaS (Network as a Service). Neutron provides the bridging function for communication between the internal and external networks, and performs the translation and distribution of layer-2 and layer-3 network communication, namely between tenant network addresses and public network addresses. As the number of cloud platform nodes and the scale of the business grow, the performance and reliability of the Neutron service become critical.
As will be understood by those skilled in the art, all packet communication must be sent to the vRouter of the respective VPC area (the vRouters of the VPCs may reside on one network node or on several network nodes); the vRouter translates the VPC intranet address by NAT into an EIP address in the manner of a floating IP, and layer-2 (same network segment) or layer-3 (cross-segment) communication then takes place between EIP addresses. Communication between EIPs goes through a physical switch or a physical router.
When a virtual machine accesses the internet or services across data centers, network communication is completed through L3, namely the network node. All traffic destined for the public network or crossing data centers is first sent to the vRouter of the respective VPC. The vRouter reaches the public network either by floating IP or by SNAT. The difference is that a floating IP suits externally published services, with a one-to-one mapping to an external network address, whereas SNAT suits virtual machines that merely access the external network, since several virtual machines can share one external address.
Specifically, as shown in fig. 2 and fig. 3, in the embodiment of the present invention a /24 IP block of operator 1, a /24 IP block of operator 2 and a /24 IP block of operator 3 are obtained; in the specific embodiment these are, for example, the three existing operators Mobile, Unicom and Telecom. Assume that the public network address block of Telecom is 202.96.209.0/24, that of Unicom is 58.246.194.0/24, and that of Mobile is 114.141.24.0/24.
Netmap is implemented on the external interface, that is, the operator blocks are aggregated and mapped to a 16-bit intranet address segment, for example:
202.96.209.0/24 to 10.255.0.10/16;
58.246.194.0/24 to 10.255.0.10/16;
114.141.24.0/24 to 10.255.0.10/16.
A virtual router (vRouter) is created through the Neutron component of OpenStack; in Set Gateway mode its external gateway is set to 10.255.0.10/16, and at the same time a new interface with IP 10.255.0.2 is added to the vRouter for connecting the external network.
In the vRouter, a developed script program creates multiple virtual routing table files corresponding to the different operators, for example:
Telecom: CT, ID 101
Unicom: CU, ID 102
Mobile: CM, ID 103
The developed script program also associates the different addresses with the virtual routing tables to establish policy routing in the vRouter, and the IP 10.255.0.10/1 is issued to the tenant as a formatted IP. The following are access examples in the outbound and inbound directions of a virtual machine.
SNAT examples
VM 192.168.1.11, bound to the Telecom public network, is first translated to 10.255.0.10, and this address is then mapped to 202.96.209.1. That is, an access from 192.168.1.11 toward the Telecom direction becomes an access from 202.96.209.1, a Telecom address. The mapping is one-to-one, and the whole translation process is recorded in the virtual routing table.
VM 192.168.1.21, bound to the Unicom public network, is first translated to 10.255.0.11, and this address is then mapped to 58.246.194.3. That is, an access from 192.168.1.21 toward the Unicom direction becomes an access from 58.246.194.3, a Unicom address. The mapping is one-to-one, and the whole translation process is recorded in the virtual routing table.
DNAT examples
When a user accesses 202.96.209.1, the destination is mapped to 10.255.0.10 and then translated into an access to 192.168.1.11.
Example of routing
A packet sent by VM 192.168.1.11 arrives at 192.168.1.1 (the internal gateway), where its source address is translated to 10.255.0.10 (NAT); with this new address the packet is sent to 10.255.0.1 (the external gateway), where it is mapped to 202.96.209.1 (mapping).
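The per-operator routing tables and policy routing described above, together with the SNAT, DNAT and routing examples, can be expressed as ordinary Linux `ip`/`iptables` configuration. The following script is an added example and is not the patent's own script program: it generates (or, with APPLY=1, executes) the commands for the two hops of the routing example, treating the vRouter namespace (internal gateway 192.168.1.1) and the external gateway 10.255.0.1 as two separate Linux routing contexts. Addresses, table names and table IDs are taken from the text; the interface names, the *.254 operator gateway addresses and the split of work between the two hops are assumptions.

```shell
#!/bin/sh
# Added example, not the patent's program. Generates the Linux commands for
# the two hops of the routing example: hop 1 (the vRouter) maps a tenant VM
# to its intranet address; hop 2 (the 10.255.0.1 external gateway) picks the
# operator routing table by intranet source and maps it to the public IP.
# Interface names and the *.254 operator gateways are assumptions; addresses,
# table names and IDs come from the text. APPLY=1 executes instead of printing
# (requires root inside the corresponding namespace/host).
VR_EXT_IF="${VR_EXT_IF:-qg-ext}"   # assumed: vRouter external interface (10.255.0.2)
GW_INT_IF="${GW_INT_IF:-eth0}"     # assumed: gateway side facing 10.255.0.0/16
GW_EXT_IF="${GW_EXT_IF:-eth1}"     # assumed: gateway side facing the operators

# name  table-id  operator-prefix   assumed-operator-gateway
OPERATORS="CT 101 202.96.209.0/24 202.96.209.254
CU 102 58.246.194.0/24 58.246.194.254
CM 103 114.141.24.0/24 114.141.24.254"

# tenant-vm     intranet-ip  operator-ip   table   (bindings from the text)
BINDINGS="192.168.1.11 10.255.0.10 202.96.209.1 CT
192.168.1.21 10.255.0.11 58.246.194.3 CU"

each_line() { printf '%s\n' "$1"; }

# Hop 1, inside the vRouter namespace: 1:1 SNAT/DNAT between the tenant VM and
# its intranet address, and a default route toward the abstracted gateway.
gen_vrouter() {
    echo "ip route replace default via 10.255.0.1 dev $VR_EXT_IF"
    each_line "$BINDINGS" | while read -r vm intra pub table; do
        echo "iptables -t nat -A POSTROUTING -s $vm -o $VR_EXT_IF -j SNAT --to-source $intra"
        echo "iptables -t nat -A PREROUTING -d $intra -i $VR_EXT_IF -j DNAT --to-destination $vm"
    done
}

# Hop 2, on the 10.255.0.1 gateway: one routing table per operator (registered
# in /etc/iproute2/rt_tables), a policy rule keyed on the intranet source, and
# the second 1:1 mapping to the operator address. Explicit SNAT/DNAT pairs are
# used because the text's mapping (10.255.0.10 -> 202.96.209.1) does not keep
# the host part, which rules out the prefix-preserving NETMAP target.
gen_gateway() {
    each_line "$OPERATORS" | while read -r name id prefix gw; do
        echo "grep -q '^$id $name\$' /etc/iproute2/rt_tables || echo '$id $name' >> /etc/iproute2/rt_tables"
        echo "ip route replace $prefix dev $GW_EXT_IF table $name"
        echo "ip route replace default via $gw dev $GW_EXT_IF table $name"
    done
    each_line "$BINDINGS" | while read -r vm intra pub table; do
        # Linux looks up the route before POSTROUTING SNAT, so the rule must
        # match the untranslated intranet source, not the public address.
        echo "ip rule add from $intra/32 lookup $table"
        echo "iptables -t nat -A POSTROUTING -s $intra -o $GW_EXT_IF -j SNAT --to-source $pub"
        # Needed only for inbound-initiated traffic (the DNAT example); replies
        # to outbound flows are reversed by conntrack without an explicit rule.
        # The operator-side interface must own or proxy-ARP $pub (assumed done).
        echo "iptables -t nat -A PREROUTING -d $pub -i $GW_EXT_IF -j DNAT --to-destination $intra"
    done
}

# Follow one tenant VM through both hops as the routing example does.
trace_binding() {
    each_line "$BINDINGS" | while read -r vm intra pub table; do
        if [ "$vm" = "$1" ]; then
            echo "$vm -> $intra -> $pub via table $table"
        fi
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    case "${1:-}" in
        vrouter) gen_vrouter | sh -e ;;
        gateway) gen_gateway | sh -e ;;
    esac
else
    gen_vrouter; gen_gateway; trace_binding 192.168.1.11
fi
```

Run without arguments to review the generated commands; `APPLY=1 sh script.sh vrouter` inside the router namespace and `APPLY=1 sh script.sh gateway` on the external gateway host apply them. Because the route lookup precedes SNAT, the policy rule in hop 2 must be keyed on the intranet address rather than the public one, which is exactly why the text hands each tenant a distinct intranet address before the operator mapping.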
Operator network: the network addresses provided by an operator, which can be used to publish services. Each operator provides an independent network; by default, an IP address of one operator cannot be used across operators.
OpenStack: the node running the program of the invention, responsible for running the virtual router, accessing the operators' network resources, and establishing and managing the tenants' computing resources.
As shown in fig. 2 and 3, the program main body of the present invention is a background process running in the OpenStack platform as an enhancement of, and replacement for, the OpenStack network component. It is responsible for establishing the resources of multiple operators in different virtual routing tables and for establishing the correspondence between those IPs and the internal network segment; these correspondences are recorded in the virtual routing table.
Virtual routing table: in a Linux system it takes the form of a file; the file records the next-hop address by which a packet reaches its final destination, as well as the mapping relationships established by the program.
Virtual router (vRouter): carries the virtual routing tables and establishes routes through their entries. It analyzes the destination address of packets transmitted by various types of networks, converts addresses of non-TCP/IP networks into TCP/IP addresses or vice versa, and then forwards the packets to the designated destination along the best route chosen by the selected routing algorithm.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Those skilled in the art can modify or change the above-described embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.