CN114257473A - Method, device, equipment and medium for realizing multiple transparent bridges in resource pool - Google Patents


Info

Publication number: CN114257473A
Authority: CN (China)
Prior art keywords: data packet, target data, bridge, physical port, target
Legal status: Granted
Application number: CN202111509502.3A
Other languages: Chinese (zh)
Other versions: CN114257473B (en)
Inventors: 王思覃, 王辉, 韩闯
Current assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority: CN202111509502.3A; granted as CN114257473B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay > H04L12/462 LAN interconnection over a bridge based backbone > H04L12/4625 Single bridge functionality, e.g. connection of two networks over a single bridge
    • H04L45/00 Routing or path finding of packets in data switching networks > H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L45/00 Routing or path finding of packets in data switching networks > H04L45/74 Address processing for routing


Abstract

The present disclosure relates to a method, apparatus, device, and medium for implementing multiple transparent bridges in a resource pool. A corresponding label is added to a received service traffic data packet to obtain a target data packet, where the label comprises identification information of the transparent bridge corresponding to that packet. The target data packet is sent to the SDN bridge through a first interface, so that the SDN bridge transmits it to the service chain, receives it back from the service chain, and determines the second interface of the corresponding transparent bridge according to the label in the target data packet. The target data packet is then received through the second interface and forwarded to the corresponding physical port, which transmits it to the corresponding target end. Because the label identifies the transparent bridge through which a service traffic packet entered, the packet can be returned to that bridge for correct forwarding, which solves the prior-art problem that a plurality of transparent bridges cannot share one service chain.

Description

Method, device, equipment and medium for realizing multiple transparent bridges in resource pool
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to a method, an apparatus, a device, and a medium for implementing a plurality of transparent bridges in a resource pool.
Background
The resource pool is a collection of physical or virtual security function components, and the functions of the security function components may include firewall, load balancing, wide area network acceleration, intrusion detection/prevention, and the like. As the concept of the resource pool is gradually accepted by the public, the deployment schemes of the resource pool are gradually increased, and the implementation of a plurality of transparent bridges in the deployment schemes of the resource pool is an important link.
In the prior art, a service chain can normally be used by only one transparent bridge. If several transparent bridges in one server of a resource pool use the same service chain, a traffic packet leaving the service chain must return to the transparent bridge through which it entered, but the resource pool cannot determine which bridge that was; as a result, a plurality of transparent bridges cannot share one service chain.
Disclosure of Invention
In order to solve the technical problem, the present disclosure provides a method, an apparatus, a device, and a medium for implementing a plurality of transparent bridges in a resource pool.
In a first aspect, the present disclosure provides a method for implementing multiple transparent bridges in a resource pool, including:
adding a corresponding label to a received service flow data packet to obtain a target data packet, wherein the label comprises identification information of a transparent bridge corresponding to the service flow data packet;
sending the target data packet to a Software Defined Network (SDN) bridge through a first interface, so that the SDN bridge transmits the target data packet to a service chain, receives the target data packet transmitted from the service chain, and determines a second interface of a corresponding transparent bridge according to a label in the target data packet;
and receiving the target data packet through the second interface, and forwarding the target data packet to a corresponding physical port so that the physical port transmits the target data packet to a corresponding target end.
Optionally, the receiving the target packet through the second interface and forwarding the target packet to a corresponding physical port includes:
receiving the target data packet through the second interface, and inquiring a corresponding preset flow table;
and determining a physical port corresponding to a target end according to the preset flow table, and forwarding the target data packet to the physical port.
Optionally, the adding a corresponding tag to the received service traffic data packet to obtain a target data packet includes:
adding corresponding labels to the service flow data packets by using a QinQ technology or a multi-protocol label switching (MPLS) technology;
and obtaining a target data packet according to the service flow data packet and the label.
Optionally, before adding the corresponding tag to the received service traffic data packet to obtain the target data packet, the method further includes:
and determining the received data packet as a service flow data packet.
Optionally, the determining that the received data packet is a service traffic data packet includes:
acquiring packet header information of a received data packet;
and determining the data packet as a service flow data packet according to the type of the protocol and the MAC address in the header information.
Optionally, the preset flow table is established in the following manner:
based on a learning mechanism, when a data packet is received each time, acquiring a physical port for sending the data packet and an MAC address corresponding to the physical port;
and establishing the preset flow table according to the physical port and the MAC address.
Optionally, the identification information is allocated by a resource pool.
In a second aspect, the present disclosure provides an apparatus for implementing multiple transparent bridges in a resource pool, including:
an adding module, configured to add a corresponding label to a received service flow data packet to obtain a target data packet, wherein the label comprises identification information of a transparent bridge corresponding to the service flow data packet;
a sending module, configured to send the target data packet to a Software Defined Network (SDN) bridge through a first interface, so that the SDN bridge transmits the target data packet to a service chain, receives the target data packet outgoing from the service chain, and determines a second interface of a corresponding transparent bridge according to a tag in the target data packet;
and the forwarding module is used for receiving the target data packet through the second interface and forwarding the target data packet to a corresponding physical port so that the physical port can transmit the target data packet to a corresponding target end.
Optionally, the forwarding module is specifically configured to:
receiving the target data packet through the second interface, and inquiring a corresponding preset flow table;
and determining a physical port corresponding to a target end according to the preset flow table, and forwarding the target data packet to the physical port so that the physical port transmits the target data packet to the corresponding target end.
Optionally, the adding module is specifically configured to:
adding corresponding labels to the service flow data packets by using a QinQ technology or a multi-protocol label switching (MPLS) technology;
and obtaining a target data packet according to the service flow data packet and the label.
Optionally, the apparatus further comprises:
a determination module, specifically configured to determine that the received data packet is a service flow data packet before the corresponding label is added to the received service flow data packet to obtain the target data packet.
Optionally, the determining module is further specifically configured to:
acquiring packet header information of a received data packet;
and determining the data packet as a service flow data packet according to the type of the protocol and the MAC address in the header information.
Optionally, the preset flow table is established in the following manner:
based on a learning mechanism, when a data packet is received each time, acquiring a physical port for sending the data packet and an MAC address corresponding to the physical port;
and establishing the preset flow table according to the physical port and the MAC address.
Optionally, the identification information is allocated by a resource pool.
In a third aspect, the present disclosure also provides a computer device, including:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement a method for implementing a plurality of transparent bridges in a resource pool as described in any of the embodiments of the present disclosure.
In a fourth aspect, the present disclosure also provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the method for implementing the plurality of transparent bridges in the resource pool according to any one of the embodiments of the present disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages. A corresponding label is added to the received service flow data packet to obtain a target data packet, wherein the label comprises identification information of the transparent bridge corresponding to the service flow data packet. The target data packet is sent to the SDN bridge through the first interface, so that the SDN bridge transmits it to the service chain, receives it back from the service chain, and determines the second interface of the corresponding transparent bridge according to the label in the target data packet. The target data packet is received through the second interface and forwarded to the corresponding physical port, so that the physical port transmits it to the corresponding target end. Because the label added to the service flow data packet identifies its transparent bridge, the packet can be distinguished and forwarded correctly, and the problem that a plurality of transparent bridges cannot share one service chain in the prior art is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a method for implementing multiple transparent bridges in a resource pool according to an embodiment of the present disclosure;
fig. 2A is a schematic flowchart of another method for implementing multiple transparent bridges in a resource pool according to an embodiment of the present disclosure;
fig. 2B is a schematic structural diagram of a service chain shared by a plurality of transparent bridges provided by the embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an apparatus for implementing multiple transparent bridges in a resource pool according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a computer device provided in an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a schematic flowchart of a method for implementing multiple transparent bridges in a resource pool according to an embodiment of the present disclosure. The embodiment can be applied to the situation that a plurality of transparent bridges in one server in the resource pool share one service chain. The method of the embodiment may be performed by a device for implementing a plurality of transparent bridges in a resource pool, where the device may be implemented in a hardware and/or software manner and may be configured in a computer device. As shown in fig. 1, the method specifically includes the following steps:
and S110, adding a corresponding label to the received service traffic data packet to obtain a target data packet, wherein the label comprises identification information of a transparent bridge corresponding to the service traffic data packet.
The resource pool may be understood as a network device that can implement multiple functions; this embodiment mainly implements forwarding in the manner of a transparent bridge while enabling a data packet to pass through a security service chain during forwarding. The main function of a transparent bridge is to forward data packets based on the Media Access Control (MAC) address. The transparent bridge in this embodiment is implemented on Open vSwitch (OVS, an open-source virtual switch), and is therefore also referred to as an OVS bridge: the OVS bridge implements the forwarding logic of the transparent bridge. In this embodiment, multiple OVS bridges corresponding to the same service chain may be implemented on one resource pool server, and the number of OVS bridges is not specifically limited. The service traffic data packet may be understood as a data packet related to the service traffic received by the transparent bridge, i.e. the OVS bridge. The identification information may be understood as information such as a number or a name corresponding to the OVS bridge. The target data packet may be understood as the service traffic data packet with a label added to it.
It should be noted that: the label does not affect the service function of the security equipment such as a firewall.
When multiple transparent bridges in a resource pool share one service chain, the problem of how a traffic data packet leaving the service chain returns to the transparent bridge through which it entered must be solved. To solve this problem, when any OVS bridge on a service chain receives a service traffic data packet through a certain physical port, it must add a corresponding label to that packet, where the label mainly includes the identification information of the transparent bridge corresponding to the packet, that is, the identification information of the OVS bridge the traffic data packet has just entered. For example, if OVS bridge 1 receives service traffic data packet 1, OVS bridge 1 adds a label to packet 1 containing the identification information of OVS bridge 1. After adding the label to the received service traffic data packet, the OVS bridge obtains a target data packet that carries the identification information of the OVS bridge the service traffic data packet entered through.
And S120, sending the target data packet to the SDN bridge through the first interface so that the SDN bridge transmits the target data packet to the service chain, receiving the target data packet transmitted from the service chain, and determining a second interface of a corresponding transparent bridge according to a label in the target data packet.
The first interface may be understood as a virtual interface where the OVS bridge is connected to a Software Defined Network (SDN) bridge, and the OVS bridge can send the target data packet to the SDN bridge through the first interface. An SDN bridge may be understood as a bridge implemented based on an SDN flow table mechanism. A service chain may be understood as a process by which traffic flows between two virtual networks, passing through one or more service nodes. The service node is mainly a security device, such as a firewall or a load balancing device. The second interface may be understood as a virtual interface where the SDN bridge is connected to the OVS bridge, and the SDN bridge can send the target data packet to the OVS bridge through the second interface.
After obtaining a target data packet, the OVS bridge sends it to the SDN bridge through the first interface. After receiving the target data packet, the SDN bridge transmits it to the service chain so that the service chain performs security filtering on it. If the target data packet passes the security filtering, the service chain transmits it back to the SDN bridge; the SDN bridge receives the target data packet from the service chain and, according to the identification information of the OVS bridge carried in the tag of the packet, determines to which transparent bridge and through which second interface of that bridge the target data packet should be sent. In an experimental environment, after determining the second interface of the corresponding transparent bridge, the SDN bridge sends the target data packet to the corresponding OVS bridge through the second interface, and the tag in the target data packet need not be removed at this point.
Preferably, in the product or project practice, after determining the second interface of the corresponding transparent bridge, the SDN bridge needs to remove a tag from the target data packet, and send the data packet obtained after removing the tag to the corresponding OVS bridge through the second interface, so as to maintain the consistency between the data packet and the service traffic data packet, and ensure that the network can be correctly connected.
And S130, receiving the target data packet through the second interface, and forwarding the target data packet to the corresponding physical port so that the physical port can transmit the target data packet to the corresponding target end.
The physical port may be understood as an interface corresponding to the target end; the physical port is connected to the OVS bridge, and one OVS bridge may be connected to multiple physical ports. The target end may be understood as a client or a server that receives the target data packet, and this embodiment does not limit it specifically.
The OVS bridge receives the target data packet through a second interface of the OVS bridge and forwards the target data packet to a corresponding physical port, so that the physical port transmits the target data packet to a corresponding target end, and the target end can quickly receive the target data packet.
Preferably, in the product or project practice, the SDN bridge removes a label from the target data packet, and sends the data packet obtained after the label is removed to the corresponding OVS bridge through the second interface, so that the OVS bridge receives the data packet through the second interface of the OVS bridge and forwards the data packet to the corresponding physical port, and the physical port transmits the data packet to the corresponding target end, so that the data packet received by the target end is consistent with the service traffic data packet, thereby ensuring network connectivity.
In this embodiment, a corresponding tag is added to a received service traffic data packet to obtain a target data packet, where the tag includes identification information of a transparent bridge corresponding to the service traffic data packet; sending the target data packet to the SDN bridge through the first interface so that the SDN bridge transmits the target data packet to the service chain, receiving the target data packet transmitted from the service chain, and determining a second interface of a corresponding transparent bridge according to a label in the target data packet; the target data packet is received through the second interface and forwarded to the corresponding physical port, so that the physical port transmits the target data packet to the corresponding target end, and the label is added to the service flow data packet, so that the transparent bridge corresponding to the service flow data packet can be distinguished for correct forwarding, and the problem that a plurality of transparent bridges cannot share one service chain in the prior art is solved.
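The following simulation is an added example, not code from the patent or from any Topsec product. It models steps S110 to S130 with the patent's own roles: two OVS bridges (class names `OvsBridge`, `SdnBridge`, `ServiceChain` and `Packet` are assumed here) share one service chain through a single SDN bridge; each bridge labels incoming traffic with its bridge identification, the SDN bridge dispatches returning packets to the second interface of the bridge named in the label, strips the label as in the product practice described above, and the bridge forwards by a preset flow table. Both bridges deliberately carry the same destination MAC on different physical ports, which is exactly the case the prior art could not disambiguate. The chain node, MAC addresses, ports and payloads are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed stand-in for a service traffic data packet (assumed shape)."""
    src_mac: str
    dst_mac: str
    payload: bytes
    bridge_tag: Optional[int] = None  # the label: identification of the entry OVS bridge


class ServiceChain:
    """The security service chain shared by all OVS bridges. Each node is a
    predicate: True lets the packet through, False drops it (failed filtering)."""

    def __init__(self, nodes: List[Callable[[Packet], bool]]):
        self.nodes = nodes

    def process(self, pkt: Packet) -> Optional[Packet]:
        for node in self.nodes:
            if not node(pkt):
                return None
        return pkt


class SdnBridge:
    """Dispatches packets leaving the service chain by their label (S120)."""

    def __init__(self, chain: ServiceChain, strip_tag: bool = True):
        self.chain = chain
        self.strip_tag = strip_tag              # product practice: remove the label
        self.second_interfaces: Dict[int, "OvsBridge"] = {}
        self.unroutable: List[Packet] = []      # packets whose label matches no bridge

    def attach(self, bridge: "OvsBridge") -> None:
        # label value -> second interface (modelled as the bridge object itself)
        self.second_interfaces[bridge.bridge_id] = bridge

    def on_first_interface(self, pkt: Packet) -> Optional[str]:
        filtered = self.chain.process(pkt)
        if filtered is None:
            return None                         # dropped by a service node
        bridge = self.second_interfaces.get(filtered.bridge_tag)
        if bridge is None:
            self.unroutable.append(filtered)    # unknown label: no bridge to return to
            return None
        if self.strip_tag:
            filtered.bridge_tag = None          # restore the original packet
        return bridge.on_second_interface(filtered)


class OvsBridge:
    """One transparent (OVS) bridge; several bridges share one SdnBridge."""

    def __init__(self, bridge_id: int, sdn: SdnBridge, flow_table: Dict[str, str]):
        self.bridge_id = bridge_id              # identification allocated by the resource pool
        self.sdn = sdn
        self.flow_table = flow_table            # preset flow table: destination MAC -> physical port
        self.delivered: List[Tuple[str, Packet]] = []
        sdn.attach(self)

    def on_physical_port(self, pkt: Packet) -> Optional[str]:
        pkt.bridge_tag = self.bridge_id         # S110: add the label
        return self.sdn.on_first_interface(pkt)  # S120: hand over via the first interface

    def on_second_interface(self, pkt: Packet) -> Optional[str]:
        port = self.flow_table.get(pkt.dst_mac)  # S130: look up the physical port
        if port is None:
            return None
        self.delivered.append((port, pkt))
        return port


def build_demo() -> Tuple[SdnBridge, OvsBridge, OvsBridge]:
    """Two bridges on one chain; the chain drops payloads containing a constructed marker.
    Both flow tables know the same destination MAC, but on different physical ports."""
    chain = ServiceChain([lambda p: b"blocked" not in p.payload])
    sdn = SdnBridge(chain)
    br1 = OvsBridge(1, sdn, {"02:00:00:00:00:ff": "eth1"})
    br2 = OvsBridge(2, sdn, {"02:00:00:00:00:ff": "eth3"})
    return sdn, br1, br2


if __name__ == "__main__":
    sdn, br1, br2 = build_demo()
    print(br1.on_physical_port(Packet("02:00:00:00:00:01", "02:00:00:00:00:ff", b"GET /")))    # eth1
    print(br2.on_physical_port(Packet("02:00:00:00:00:03", "02:00:00:00:00:ff", b"hello")))    # eth3
    print(br2.on_physical_port(Packet("02:00:00:00:00:03", "02:00:00:00:00:ff", b"blocked")))  # None
```

The packet entering bridge 1 comes back out of bridge 1 on eth1 and the one entering bridge 2 comes out on eth3 even though both flow tables match the same destination MAC; without the label the SDN bridge would have no basis for choosing between them. A packet whose label names no attached bridge is recorded as unroutable rather than forwarded anywhere, which is the check a deployment should keep even after the labels are trusted internal state.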
In this embodiment, optionally, before adding the corresponding tag to the received service traffic data packet to obtain the target data packet, the method may further include:
and determining the received data packet as a service flow data packet.
Specifically, since the service traffic data packet needs to be uploaded to the service chain for forwarding, the OVS bridge needs to determine that the currently received data packet is the service traffic data packet before adding the corresponding tag to the received service traffic data packet to obtain the target data packet.
In this embodiment, by determining that the received data packet is the service traffic data packet and then adding the corresponding tag, time can be saved, work efficiency can be improved, and the OVS bridge is prevented from adding tags to all data packets.
In this embodiment, optionally, the determining that the received data packet is a service traffic data packet may specifically include:
acquiring packet header information of a received data packet;
and determining the data packet as a service flow data packet according to the type of the protocol and the MAC address in the header information.
The data packet generally includes a header and a body. The header is typically of fixed length with fixed-length fields, while the body is of variable length; the header structures of a request data packet and its reply data packet are consistent, and the difference lies in the definition of the body. The header information may be understood as the information carried in the header of the data packet, such as the type of protocol.
After receiving the data packet, the OVS bridge obtains the header information of the data packet and may determine whether it is a service traffic data packet according to the protocol type in the header information: if the protocol type is the Internet Protocol (IP) or Internet Protocol Version 6 (IPv6), the data packet usually belongs to service traffic. In a special case, a packet whose protocol type is IP or IPv6 may still not belong to service traffic; it can then be further determined according to the MAC address, and if the MAC address is a special address, the data packet is not a service traffic data packet. The method for determining that a data packet is a service traffic data packet may be configured in the OVS bridge by the resource pool.
In this embodiment, determining whether the data packet is a service traffic data packet by the above method is simple and quick and prevents errors, thereby improving working efficiency.
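As an added illustration of the classification step (this is not the patent's code and the patent does not specify which addresses count as "special"), the function below parses the fields of an Ethernet header that the text relies on and applies the two-stage rule: the EtherType must be IPv4 or IPv6, and the frame is then excluded if its destination MAC is a group address (broadcast or multicast, I/G bit set) or its source MAC is a group address, which a well-formed unicast sender never uses. The sample frames and the choice of group addresses as the "special" set are assumptions; it also accepts an 802.1Q-tagged frame by reading the EtherType behind the tag, which the text does not discuss.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_8021Q = 0x8100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_group_address(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet) set: multicast/broadcast."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def parse_ethernet_header(frame: bytes) -> Optional[Dict[str, object]]:
    """Return dst/src MAC and the effective EtherType, looking past one 802.1Q tag."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype, "payload_offset": offset}


def is_service_traffic(frame: bytes) -> bool:
    """Two-stage decision from the text: protocol type first, then the MAC addresses."""
    hdr = parse_ethernet_header(frame)
    if hdr is None:
        return False
    if hdr["ethertype"] not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return False                      # ARP, LLDP, STP and the like are not service traffic
    if is_group_address(str(hdr["dst"])) or is_group_address(str(hdr["src"])):
        return False                      # assumed "special" addresses: group MACs
    return True


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed test frames; not captured traffic."""
    head = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        head += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return head + struct.pack("!H", ethertype) + payload


# Constructed sample inputs.
IPV4_UNICAST = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
IPV6_TAGGED = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39, vlan=100)
ARP_REQUEST = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00" * 28)
IPV4_TO_MULTICAST = build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:01", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)


if __name__ == "__main__":
    for name, frame in [("ipv4 unicast", IPV4_UNICAST), ("ipv6 tagged", IPV6_TAGGED),
                        ("arp", ARP_REQUEST), ("ipv4 to multicast", IPV4_TO_MULTICAST)]:
        print(f"{name:18s} service traffic: {is_service_traffic(frame)}")
```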
In this embodiment, optionally, the identification information is allocated by a resource pool.
In this embodiment, the identification information of the transparent bridges is allocated through the resource pool, so that each transparent bridge can be distinguished, and forwarding of service traffic data is facilitated.
Fig. 2A is a schematic flowchart of another implementation method of multiple transparent bridges in a resource pool according to an embodiment of the present disclosure. The embodiment is optimized on the basis of the embodiment. Optionally, this embodiment explains in detail a process of receiving a target packet through the second interface and forwarding the target packet to a corresponding physical port. As shown in fig. 2A, the method specifically includes the following steps:
and S210, adding a corresponding label to the received service traffic data packet to obtain a target data packet, wherein the label comprises identification information of a transparent bridge corresponding to the service traffic data packet.
And S220, sending the target data packet to the SDN bridge through the first interface so that the SDN bridge transmits the target data packet to the service chain, receiving the target data packet transmitted from the service chain, and determining a second interface of a corresponding transparent bridge according to a label in the target data packet.
And S230, receiving the target data packet through the second interface, and querying a corresponding preset flow table.
The preset flow table is a corresponding relation table between different MAC addresses and physical ports which are established in advance.
After receiving the target data packet through the second interface of the OVS bridge, the OVS bridge needs to forward the target data packet, and since there may be a plurality of physical ports connected to the OVS bridge, a preset flow table corresponding to the OVS bridge needs to be queried at this time, so as to determine to which physical port the target data packet is sent.
And S240, determining a physical port corresponding to the target end according to a preset flow table, and forwarding the target data packet to the physical port so that the physical port transmits the target data packet to the corresponding target end.
The OVS bridge can finally determine the physical port corresponding to the target end by searching the physical port corresponding to the target end MAC address in the preset flow table, so as to forward the target packet to the physical port, so that the physical port transmits the target packet to the corresponding target end.
In this embodiment, a corresponding tag is added to a received service traffic data packet to obtain a target data packet, where the tag includes identification information of the transparent bridge corresponding to the service traffic data packet. The target data packet is sent to the SDN bridge through the first interface so that the SDN bridge transmits it to the service chain, receives it back from the service chain, and determines the second interface of the corresponding transparent bridge according to the label in the target data packet. The target data packet is received through the second interface and the corresponding preset flow table is queried; the physical port corresponding to the target end is determined according to the preset flow table, and the target data packet is forwarded to that physical port so that it transmits the packet to the corresponding target end. Adding a label to the service flow data packet distinguishes the transparent bridge corresponding to the packet, which solves the problem that a plurality of transparent bridges cannot share one service chain in the prior art; determining the physical port corresponding to the target end by querying the preset flow table of the OVS bridge facilitates correct forwarding of the target data packet, improves forwarding efficiency and saves time.
In this embodiment, optionally, the adding a corresponding tag to the received service traffic data packet to obtain the target data packet may specifically include:
adding corresponding labels to the service flow data packets by using a QinQ technology or a multi-protocol label switching (MPLS) technology;
and obtaining a target data packet according to the service flow data packet and the label.
The QinQ technique can be understood as a technique for expanding the Virtual Local Area Network (VLAN) space: it adds a second 802.1Q tag on top of an already 802.1Q-tagged packet, thereby expanding the number of usable VLANs. Multi-Protocol Label Switching (MPLS) is a technology that uses labels to steer high-speed, efficient data transmission over an open communication network; "multi-protocol" means that MPLS can carry a variety of network-layer protocols and is also compatible with various data link layer technologies at the second layer.
Specifically, a corresponding VLAN tag can be added to the service traffic data packet by using the QinQ technique, or a corresponding MPLS tag can be added to the service traffic data packet by using the MPLS technique, where the VLAN tag or the MPLS tag includes identification information of an OVS bridge corresponding to the service traffic data packet. And obtaining the target data packet according to the service flow data packet and the label.
In this embodiment, adding the corresponding tag to the service traffic data packet in this way identifies the current OVS bridge, so that the SDN bridge can later determine, from the identification information of the OVS bridge carried in the tag, which transparent bridge the target data packet should be sent to and through which second interface of that transparent bridge.
In this embodiment, optionally, the preset flow table may be specifically established in the following manner:
based on a learning mechanism, when a data packet is received each time, acquiring a physical port for sending the data packet and an MAC address corresponding to the physical port;
and establishing the preset flow table according to the physical port and the MAC address.
Specifically, OVS has a learning mechanism: according to it, each time any OVS bridge in the resource pool receives a data packet, the physical port that sent the data packet and the MAC address corresponding to that physical port are obtained, and the preset flow table is established from that physical port and MAC address; each time the OVS bridge receives a new data packet, the preset flow table is updated and maintained accordingly.
In this embodiment, the preset flow table is established by the above method, so that the physical port corresponding to the MAC address of the destination is determined by querying the corresponding preset flow table when the data packet is forwarded, and the data packet is forwarded to the destination through the physical port.
Specifically, fig. 2B is a schematic structural diagram of a service chain shared by a plurality of transparent bridges provided by the embodiment of the present disclosure, which exemplarily shows an implementation manner, as shown in fig. 2B:
br-int is an SDN bridge connected to a service chain; br-b-1 and br-b-2 are OVS bridges on one service chain that implement the transparent bridge forwarding logic; p1i and p1o are virtual interfaces on br-b-1 connected to br-int; p2i and p2o are virtual interfaces on br-b-2 connected to br-int; p-1-1, p-1-2 and p-1-3 are the port names of the three physical ports connected to br-b-1; and p-2-1, p-2-2 and p-2-3 are the port names of the three physical ports on br-b-2.
It should be noted that: fig. 2B does not show a service chain, and in fig. 2B, there are 2 OVS bridges on one service chain, and there are 3 physical ports connected to each OVS bridge, but this embodiment does not specifically limit the number of OVS bridges on one service chain and the number of physical ports connected to each OVS bridge.
Test terminal pc11 is attached at physical port p-1-1 with IP address 10.0.0.1/24 and MAC address 00:00:00:00:00:01; test terminal pc12 is attached at physical port p-1-2 with IP address 10.0.0.2/24 and MAC address 00:00:00:00:00:02; pc11 executes ping 10.0.0.2, where the ping command can be understood as a probe command commonly used in networks. Meanwhile, test terminal pc21 is attached at physical port p-2-1 with IP address 10.0.0.1/24 and MAC address 00:00:00:00:00:01; test terminal pc22 is attached at physical port p-2-2 with IP address 10.0.0.2/24 and MAC address 00:00:00:00:00:02; pc21 executes ping 10.0.0.2. The service traffic processing process is illustrated with this example:
1. The data packet received by the OVS bridge is not a service traffic data packet
An Address Resolution Protocol (ARP) request and a response between the pc11 and the pc12 are processed by br-b-1, an ARP request and a response between the pc21 and the pc22 are processed by br-b-2, and a data packet corresponding to the ARP request and the response does not belong to a service traffic data packet and does not need to be uploaded to a service chain. When receiving the packet, br-b-1 and br-b-2 respectively establish corresponding preset flow tables through a learning mechanism.
For example, suppose pc11 sends an ARP request packet because it knows only the destination IP address and not the MAC address corresponding to it. pc11 first sends the ARP request packet to br-b-1, and br-b-1 forwards it to p-1-2 and p-1-3. The terminal at p-1-2 receives the ARP request packet and, on determining that the requested address corresponds to the MAC address of its own physical port, sends an ARP response packet to pc11: specifically, p-1-2 sends the ARP response packet to br-b-1, br-b-1 queries its preset flow table to determine that the physical port corresponding to the MAC address of pc11 is p-1-1, and forwards the ARP response packet to p-1-1, so that pc11 receives it.
2. The data packet received by the OVS bridge is a service traffic data packet
(1) After receiving the ARP response packet, pc11 sends out a first Internet Control Message Protocol (ICMP) request packet, which p-1-1 receives and br-b-1 processes. After br-b-1 determines that the first ICMP request packet is a service traffic data packet, it adds a tag to it; since the path identifier of br-b-1 is 1, the identification information in the tag is 1. The first ICMP request packet, carrying identification information 1, is sent to p1i, passed through p1i to br-int, and transmitted by br-int to the service chain.
Meanwhile, the pc21 sends out a second ICMP request packet after receiving the ARP response packet, and the p-2-1 receives the second ICMP request packet which is processed by the br-b-2. And after the br-b-2 determines that the second ICMP request packet belongs to the service flow data packet, adding a label to the second ICMP request packet, wherein the path identifier of the br-b-2 is 2, so the identifier information in the label is 2. The second ICMP request packet carries identification information 2, and is sent to p2i, and the second ICMP request packet carrying identification information is sent to br-int through p2i, and is transmitted to the service chain through br-int.
It should be noted that: when receiving the packet, br-b-1 and br-b-2 respectively establish corresponding preset flow tables through a learning mechanism.
(2) After the first and second ICMP request packets carrying identification information leave the service chain, both are transmitted to br-int. br-int reads the identification information of each packet: the packet whose identification information is 1 has its tag removed and is sent to br-b-1 through p1o, and the packet whose identification information is 2 has its tag removed and is sent to br-b-2 through p2o.
(3) After p1o on br-b-1 receives the first ICMP request packet, it checks the corresponding preset flow table of br-b-1, and sends out the first ICMP request packet from p-1-2, and pc12 receives the packet.
Meanwhile, after p2o on br-b-2 receives the second ICMP request packet, the preset flow table corresponding to br-b-2 is queried for forwarding, the second ICMP request packet is sent out from p-2-2, and pc22 receives it.
(4) Conclusion: in the above example, two OVS bridges on one server in the resource pool share one service chain, and the IP addresses and MAC addresses of the service traffic on the two OVS bridges are the same, so it is impossible to tell from this information alone which OVS bridge the traffic belongs to. By adding the corresponding tag to the service traffic data packet, the resource pool can determine from the tag which OVS bridge the packet should pass through, so the service traffic data packet can be forwarded correctly.
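The fig. 2B scenario and the learning mechanism described above, as an added Python simulation that is not the patent's own code: the tag is modelled as an integer field rather than a real QinQ or MPLS header, the service chain as a pass-through function, and the preset flow table as a MAC-to-port dictionary populated by learning; bridge, port and host names follow the example, and the class and function names are my own.

```python
from dataclasses import dataclass, field, replace
from typing import Any, Callable, Dict, List, Optional, Tuple

ARP, ICMP = "ARP", "ICMP"


@dataclass
class Packet:
    proto: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    tag: Optional[int] = None  # identification information of the originating bridge


@dataclass
class TransparentBridge:
    """One OVS bridge (br-b-N) running the transparent-bridge forwarding logic."""
    name: str
    bridge_id: int          # path identifier allocated by the resource pool
    ports: List[str]        # physical port names, e.g. p-1-1, p-1-2, p-1-3
    flow_table: Dict[str, str] = field(default_factory=dict)  # MAC -> physical port

    def learn(self, in_port: str, pkt: Packet) -> None:
        # Learning mechanism: remember which physical port sent this source MAC.
        self.flow_table[pkt.src_mac] = in_port

    def is_service_traffic(self, pkt: Packet) -> bool:
        # The page decides from protocol type and MAC; here ARP stays local
        # and every other protocol is treated as service traffic.
        return pkt.proto != ARP

    def lookup(self, pkt: Packet, exclude: Optional[str] = None) -> List[str]:
        # Known destination MAC -> the learned port; unknown -> flood the other ports.
        out = self.flow_table.get(pkt.dst_mac)
        if out is not None:
            return [out]
        return [p for p in self.ports if p != exclude]

    def on_physical_ingress(self, in_port: str, pkt: Packet) -> Tuple[str, Any]:
        """Returns ("local", out_ports) for non-service traffic, else ("chain", tagged)."""
        self.learn(in_port, pkt)
        if not self.is_service_traffic(pkt):
            return "local", self.lookup(pkt, exclude=in_port)
        return "chain", replace(pkt, tag=self.bridge_id)  # tag carries the bridge id

    def on_second_interface(self, pkt: Packet) -> List[str]:
        """Packet coming back from br-int through pNo: query the preset flow table."""
        if pkt.tag is not None:
            raise ValueError("tag must be stripped by br-int before reaching pNo")
        return self.lookup(pkt)


class SdnBridge:
    """br-int: carries tagged packets to the service chain and demultiplexes them back."""

    def __init__(self, bridges: List[TransparentBridge], chain: Callable[[Packet], Packet]):
        self.by_id = {b.bridge_id: b for b in bridges}
        self.chain = chain

    def relay(self, tagged: Packet) -> Tuple[str, List[str]]:
        returned = self.chain(tagged)      # the service chain must preserve the tag
        bridge = self.by_id[returned.tag]  # second interface chosen by tag, not by MAC
        out_ports = bridge.on_second_interface(replace(returned, tag=None))
        return bridge.name, out_ports


def passthrough_chain(pkt: Packet) -> Packet:
    # Constructed stand-in for the service chain (e.g. an inspection appliance).
    return pkt


def run_scenario() -> Dict[str, Any]:
    """Reproduces the fig. 2B example: identical hosts behind br-b-1 and br-b-2."""
    br1 = TransparentBridge("br-b-1", 1, ["p-1-1", "p-1-2", "p-1-3"])
    br2 = TransparentBridge("br-b-2", 2, ["p-2-1", "p-2-2", "p-2-3"])
    br_int = SdnBridge([br1, br2], passthrough_chain)
    mac1, mac2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    bcast = "ff:ff:ff:ff:ff:ff"
    deliveries = {}
    for br, p_in, p_out in ((br1, "p-1-1", "p-1-2"), (br2, "p-2-1", "p-2-2")):
        # 1. ARP request/response are not service traffic: handled locally,
        #    and the learning mechanism populates the preset flow table.
        kind, flood = br.on_physical_ingress(p_in, Packet(ARP, mac1, bcast, "10.0.0.1", "10.0.0.2"))
        assert kind == "local" and p_in not in flood
        kind, reply = br.on_physical_ingress(p_out, Packet(ARP, mac2, mac1, "10.0.0.2", "10.0.0.1"))
        assert kind == "local" and reply == [p_in]
        # 2. The ICMP echo request is service traffic: tagged with the bridge id,
        #    sent to br-int, through the chain, and back out by the learned port.
        kind, tagged = br.on_physical_ingress(p_in, Packet(ICMP, mac1, mac2, "10.0.0.1", "10.0.0.2"))
        assert kind == "chain" and tagged.tag == br.bridge_id
        name, out_ports = br_int.relay(tagged)
        deliveries[name] = out_ports
    # Both flow tables hold exactly the same MACs, which is why MAC or IP alone
    # cannot tell the two bridges apart and the tag is needed.
    return {"deliveries": deliveries,
            "mac_keys_equal": set(br1.flow_table) == set(br2.flow_table)}
```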
Fig. 3 is a schematic structural diagram of an apparatus for implementing multiple transparent bridges in a resource pool according to an embodiment of the present disclosure; the apparatus is configured in a computer device and can implement the method for implementing multiple transparent bridges in a resource pool of any embodiment of the application. The apparatus specifically comprises the following modules:
an adding module 310, configured to add a corresponding tag to a received service traffic data packet to obtain a target data packet, where the tag includes identification information of a transparent bridge corresponding to the service traffic data packet;
a sending module 320, configured to send the target data packet to a Software Defined Network (SDN) bridge through a first interface, so that the SDN bridge transmits the target data packet to a service chain, receives the target data packet coming out of the service chain, and determines a second interface of a corresponding transparent bridge according to a tag in the target data packet;
a forwarding module 330, configured to receive the target packet through the second interface, and forward the target packet to a corresponding physical port, so that the physical port transmits the target packet to a corresponding destination.
In this embodiment, optionally, the forwarding module 330 is specifically configured to:
receiving the target data packet through the second interface, and inquiring a corresponding preset flow table;
and determining a physical port corresponding to a target end according to the preset flow table, and forwarding the target data packet to the physical port so that the physical port transmits the target data packet to the corresponding target end.
In this embodiment, optionally, the adding module 310 is specifically configured to:
adding corresponding labels to the service flow data packets by using a QinQ technology or a multi-protocol label switching (MPLS) technology;
and obtaining a target data packet according to the service flow data packet and the label.
In this embodiment, optionally, the apparatus further includes:
a determination module specifically configured to: and determining the received data packet as a service flow data packet before adding a corresponding label to the received service flow data packet to obtain a target data packet.
In this embodiment, optionally, the determining module is further specifically configured to:
acquiring packet header information of a received data packet;
and determining the data packet as a service flow data packet according to the type of the protocol and the MAC address in the header information.
In this embodiment, optionally, the preset flow table is established in the following manner:
based on a learning mechanism, when a data packet is received each time, acquiring a physical port for sending the data packet and an MAC address corresponding to the physical port;
and establishing the preset flow table according to the physical port and the MAC address.
In this embodiment, optionally, the identification information is allocated by a resource pool.
Through the implementation device for multiple transparent bridges in the resource pool provided by the embodiment of the disclosure, a corresponding label is added to a received service traffic data packet to obtain a target data packet, wherein the label includes identification information of the transparent bridge corresponding to the service traffic data packet; sending the target data packet to the SDN bridge through the first interface so that the SDN bridge transmits the target data packet to the service chain, receiving the target data packet transmitted from the service chain, and determining a second interface of a corresponding transparent bridge according to a label in the target data packet; the target data packet is received through the second interface and forwarded to the corresponding physical port, so that the physical port transmits the target data packet to the corresponding target end, and the label is added to the service flow data packet, so that the transparent bridge corresponding to the service flow data packet can be distinguished for correct forwarding, and the problem that a plurality of transparent bridges cannot share one service chain in the prior art is solved.
The apparatus for implementing multiple transparent bridges in a resource pool provided by the embodiment of the disclosure can execute the method for implementing multiple transparent bridges in a resource pool provided by any embodiment of the disclosure, and has the functional modules and beneficial effects corresponding to the executed method.
Fig. 4 is a schematic structural diagram of a computer device provided in an embodiment of the present disclosure. As shown in fig. 4, the computer apparatus includes a processor 410 and a storage device 420; the number of the processors 410 in the computer device may be one or more, and one processor 410 is taken as an example in fig. 4; the processor 410 and the storage 420 in the computer device may be connected by a bus or other means, as exemplified by the bus connection in fig. 4.
The storage device 420 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the method for implementing a plurality of transparent bridges in a resource pool in the embodiment of the present disclosure. The processor 410 executes various functional applications and data processing of the computer device by executing software programs, instructions and modules stored in the storage device 420, namely, implementing the method for implementing the plurality of transparent bridges in the resource pool provided by the embodiment of the present disclosure.
The storage device 420 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the storage 420 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the storage 420 may further include memory located remotely from the processor 410, which may be connected to a computer device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The computer device provided by this embodiment may be configured to execute the method for implementing multiple transparent bridges in the resource pool provided by any of the above embodiments, and has corresponding functions and beneficial effects.
The disclosed embodiments also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are used to implement a method for implementing a plurality of transparent bridges in a resource pool provided by the disclosed embodiments.
Of course, the storage medium provided by the embodiments of the present disclosure contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the method for implementing multiple transparent bridges in a resource pool provided by any embodiment of the present disclosure.
From the above description of the embodiments, it is obvious for a person skilled in the art that the present disclosure can be implemented by software and necessary general hardware, and certainly can be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present disclosure may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present disclosure.
It should be noted that, in the embodiment of the apparatus for implementing multiple transparent bridges in the resource pool, the included units and modules are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the present disclosure.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for implementing a plurality of transparent bridges in a resource pool, the method comprising:
adding a corresponding label to a received service flow data packet to obtain a target data packet, wherein the label comprises identification information of a transparent bridge corresponding to the service flow data packet;
sending the target data packet to a Software Defined Network (SDN) bridge through a first interface, so that the SDN bridge transmits the target data packet to a service chain, receives the target data packet transmitted from the service chain, and determines a second interface of a corresponding transparent bridge according to a label in the target data packet;
and receiving the target data packet through the second interface, and forwarding the target data packet to a corresponding physical port so that the physical port transmits the target data packet to a corresponding target end.
2. The method of claim 1, wherein receiving the target data packet through the second interface and forwarding the target data packet to a corresponding physical port comprises:
receiving the target data packet through the second interface, and inquiring a corresponding preset flow table;
and determining a physical port corresponding to a target end according to the preset flow table, and forwarding the target data packet to the physical port.
3. The method of claim 1, wherein the adding a corresponding tag to the received service traffic data packet to obtain a target data packet comprises:
adding corresponding labels to the service flow data packets by using a QinQ technology or a multi-protocol label switching (MPLS) technology;
and obtaining a target data packet according to the service flow data packet and the label.
4. The method of claim 1, wherein before adding the corresponding tag to the received service traffic data packet to obtain the target data packet, the method further comprises:
and determining the received data packet as a service flow data packet.
5. The method of claim 4, wherein the determining that the received data packet is a traffic data packet comprises:
acquiring packet header information of a received data packet;
and determining the data packet as a service flow data packet according to the type of the protocol and the MAC address in the header information.
6. The method according to claim 2, characterized in that the preset flow table is established by:
based on a learning mechanism, when a data packet is received each time, acquiring a physical port for sending the data packet and an MAC address corresponding to the physical port;
and establishing the preset flow table according to the physical port and the MAC address.
7. The method according to any of claims 1-6, wherein the identification information is allocated by a resource pool.
8. An apparatus for implementing a plurality of transparent bridges in a resource pool, the apparatus comprising:
the system comprises an adding module, a receiving module and a processing module, wherein the adding module is used for adding a corresponding label to a received service flow data packet to obtain a target data packet, and the label comprises identification information of a transparent bridge corresponding to the service flow data packet;
a sending module, configured to send the target data packet to a Software Defined Network (SDN) bridge through a first interface, so that the SDN bridge transmits the target data packet to a service chain, receives the target data packet outgoing from the service chain, and determines a second interface of a corresponding transparent bridge according to a tag in the target data packet;
and the forwarding module is used for receiving the target data packet through the second interface and forwarding the target data packet to a corresponding physical port so that the physical port can transmit the target data packet to a corresponding target end.
9. A computer device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN202111509502.3A 2021-12-10 2021-12-10 Method, device, equipment and medium for realizing multiple transparent bridges in resource pool Active CN114257473B (en)

Publications (2)

Publication Number Publication Date
CN114257473A true CN114257473A (en) 2022-03-29
CN114257473B CN114257473B (en) 2022-10-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant