CN114422218A - Tenant isolation method, device and storage medium - Google Patents

Info

Publication number: CN114422218A
Application number: CN202111676634.5A
Authority: CN (China)
Prior art keywords: tenant, message, identity information, configuration information, information
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 盖鹏鹏, 吴寒, 汪庆寿
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111676634.5A
Publication of CN114422218A
Classifications

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02 network security, separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/46 interconnection of networks)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention provides a tenant isolation method, a tenant isolation device and a storage medium, and relates to the technical field of communication. The method comprises the following steps: receiving a service access request sent by a tenant; responding to the service access request, and acquiring tenant identity information of the tenant; issuing tenant configuration information for the tenant based on the tenant identity information; and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information. The embodiment of the invention can realize multi-tenant isolation at the LAN side in the VCPE network element.

Description

Tenant isolation method, device and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a tenant isolation method, device, and storage medium.
Background
With the gradual maturing of virtualization technology, network function virtualization has become a hot spot and trend of technical research. Under the introduction of NFV (Network Function Virtualization), the traditional broadband access network is evolving toward cloud-based access, and virtual gateway applications based on VCPE (virtual customer premises equipment) have become an important direction in the development of network virtualization applications.
VCPE is a multi-tenant service scenario with the characteristics of multi-tenancy, large capacity and high bandwidth, which means that as the number of subscriber households grows, one VCPE network element has to process data traffic from many users. However, because the data generated and used inside the VCPE network element is shared by multiple tenants, the data of different tenants may contaminate one another: state or traffic belonging to one tenant can be applied to another, causing service processing errors. How to implement multi-tenant isolation in VCPE is therefore a hard problem of NFV technology.
Disclosure of Invention
The invention provides a tenant isolation method, a device and a storage medium, which are used for realizing multi-tenant isolation on the LAN (local area network) side of a VCPE (virtual customer premises equipment) network element.
According to a first aspect of the present invention, there is provided a tenant isolation method applied to a network virtual switching system, the method including:
receiving a service access request sent by a tenant;
responding to the service access request, and acquiring tenant identity information of the tenant;
issuing tenant configuration information for the tenant based on the tenant identity information;
and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
Optionally, the tenant identity information is generated from the virtual extended local area network identifier (VXLAN identifier), the operator virtual local area network identifier (provider VLAN identifier) and the user virtual local area network identifier (customer VLAN identifier) corresponding to the tenant.
Optionally, the functional node includes a traffic scheduling node, and the method further includes:
when a first message is received, identifying the message type of the first message;
determining a next hop functional node for processing the first message according to the message type;
extracting the tenant identity information corresponding to the first message from the message expansion space and deleting the message expansion space, to obtain a second message;
storing the tenant identity information in a private field of the message buffer, so that the second message carries the tenant identity information out of band rather than in its payload;
and sending the second message to the functional node, so that the functional node obtains the tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
Optionally, the processing the second packet according to the tenant identity information includes:
querying tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and processing the second message according to the tenant configuration information.
Optionally, the processing the second packet according to the tenant configuration information further includes:
allocating an IP address to the terminal equipment corresponding to the tenant according to the tenant configuration information; and/or
acquiring terminal state updating information of terminal equipment corresponding to the tenant based on the tenant configuration information;
and recording the terminal state update information according to the tenant identity information.
Optionally, the processing the second packet according to the tenant configuration information further includes:
determining the IP address of the terminal equipment corresponding to the tenant according to the tenant configuration information;
determining the MAC address of the terminal equipment corresponding to the tenant according to the IP address;
and recording the MAC address according to the tenant identity information.
According to a second aspect of the present invention, there is provided an apparatus applied to a network virtual switching system, including a memory, a transceiver and a processor: the memory is used for storing a computer program; the transceiver is used for transceiving data under control of the processor; and the processor is used for reading the computer program in the memory and performing the following operations:
receiving a service access request sent by a tenant;
responding to the service access request, and acquiring tenant identity information of the tenant;
issuing tenant configuration information for the tenant based on the tenant identity information;
and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
According to a third aspect of the present invention, there is provided a tenant isolation apparatus applied to a network virtual switching system, the apparatus including:
the request receiving module is used for receiving a service access request sent by a tenant;
the information acquisition module is used for responding to the service access request and acquiring the tenant identity information of the tenant;
the information issuing module is used for issuing tenant configuration information for the tenant based on the tenant identity information;
and the information storage module is used for storing the tenant configuration information in a preset storage area and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system inquires corresponding tenant configuration information from the preset storage area based on the tenant identity information and performs service processing according to the tenant configuration information.
According to a fourth aspect of the present invention, there is provided a processor-readable storage medium storing a computer program for causing a processor to perform the aforementioned tenant isolation method.
The invention provides a tenant isolation method, a tenant isolation device and a storage medium, wherein the method comprises the following steps: receiving a service access request sent by a tenant; responding to the service access request, and acquiring tenant identity information of the tenant; issuing tenant configuration information for the tenant based on the tenant identity information; and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
According to the embodiment of the invention, the unique tenant identity of each tenant is obtained, corresponding tenant configuration information is issued according to the tenant identity, and a tenant configuration information searching mechanism based on the tenant identity information is established, so that each functional node performs service processing according to the tenant identity information, and multi-tenant isolation of a LAN side in a VCPE network element is realized.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
Fig. 1 is a flowchart illustrating specific steps of a tenant isolation method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network virtual switching system according to an embodiment of the present invention;
FIG. 3 is a block diagram of an apparatus provided by an embodiment of the present invention;
fig. 4 is a structural diagram of a tenant isolation apparatus according to an embodiment of the present invention.
Detailed Description
The term "and/or" in the embodiments of the present invention describes an association relationship of associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The term "plurality" in the embodiments of the present invention means two or more, and other terms are similar thereto.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Referring to fig. 1, a flowchart of specific steps of a tenant isolation method according to an embodiment of the present invention is shown.
Step 101, receiving a service access request sent by a tenant.
Step 102, responding to the service access request, and acquiring the tenant identity information of the tenant.
Step 103, issuing tenant configuration information for the tenant based on the tenant identity information.
Step 104, storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
The embodiment of the application provides a tenant isolation method, which is applied to a network virtual switching system and can realize multi-tenant isolation on the LAN side of a VCPE network element. Referring to fig. 2, a schematic structural diagram of a network virtual switching system provided in an embodiment of the present application is shown. As shown in fig. 2, the network virtual switching system includes a data input/output (I/O) unit, a data processing unit, a data storage unit and a signaling unit. The data I/O unit is connected to a vSwitch (virtual switch); the data processing unit is connected to the data I/O unit; the data storage unit is connected to the signaling unit; and the data processing unit may read from or write to the data storage unit. The signaling unit provides an external interface and a visual command line, and manages the data processing unit according to control signaling. The data storage unit stores the tenant information of multiple tenants and provides a tenant information query mechanism for the data processing unit. The data processing unit performs the isolation processing of the multi-tenant data streams, and the data I/O unit sends and receives the multi-tenant data streams.
It should be noted that the tenant isolation method provided in the embodiment of the present invention is mainly used for isolating the data and services of multiple tenants on the LAN (Local Area Network) side of a VCPE network element. Therefore, the data processing unit in fig. 2 may specifically include functional nodes on the LAN side of the VCPE network element such as a traffic scheduling node, a DHCP (Dynamic Host Configuration Protocol) service node and an ARP (Address Resolution Protocol) service node. The DHCP service node may further include a DHCPv4 server and a DHCPv6 server. The traffic scheduling node implements message identification, message statistics, message scheduling and similar functions. The DHCPv4 server allocates IPv4 addresses to the tenants' terminal devices and updates the state information of those devices; the DHCPv6 server does the same for IPv6 addresses. The ARP service node stores the IP (Internet Protocol) address of a tenant's terminal device together with the resolved MAC (Media Access Control) address of that device.
In the embodiment of the invention, after the network virtual switching system receives the service access request sent by the tenant, it obtains the tenant identity information of the tenant. The tenant identity information is identity information assigned to the tenant by the operator according to the network deployment of the residential community and the nearby equipment room; it is therefore set by the operator, not chosen by the tenant. Optionally, the tenant identity information includes the virtual extended local area network identifier, the operator virtual local area network identifier and the user virtual local area network identifier corresponding to the tenant.
As an example, the network virtual switching system may, through the signaling unit and based on management signaling, establish a tenant account for each tenant accessing the system and configure tenant identity information for each tenant account, which specifically may include the virtual extended local area network identifier vxlan_id, the operator virtual local area network identifier pvlan_id and the user virtual local area network identifier cvlan_id.
The system then issues tenant configuration information for the tenant based on the tenant identity information and stores it in a preset storage area. The preset storage area may be a designated area in the data storage unit of the network virtual switching system. It should be noted that, in the embodiment of the present invention, the corresponding relationship between the tenant configuration information and the tenant identity information is stored in the preset storage area at the same time; for example, a tenant account is established for each tenant, and the tenant's vxlan_id, pvlan_id, cvlan_id and tenant configuration information are stored in that tenant account. When a functional node of the data processing unit in the network virtual switching system needs to perform a service processing operation, it can query the corresponding tenant configuration information from the preset storage area according to the tenant identity information of the tenant, and perform the service processing according to that tenant configuration information. For example, the DHCP service node allocates an IP address to the tenant's terminal device according to the tenant's configuration information; the ARP service node learns the MAC address of the tenant's terminal device based on the tenant configuration information; and the traffic scheduling node processes messages based on the tenant configuration information. Because every query is keyed by the full tenant identity, a node never reads or updates the configuration or state of a tenant other than the one a message belongs to.
According to the embodiment of the invention, the unique tenant identity of each accessed tenant is obtained, corresponding tenant configuration information is issued according to the tenant identity, and a tenant configuration information searching mechanism based on the tenant identity information is established, so that each functional node performs service processing according to the tenant identity information, and multi-tenant isolation on the LAN side in a VCPE network element is realized.
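The tenant identity tuple and the preset storage area of steps 103 and 104, as an added C example that is not part of the patent or of any China Telecom implementation. The struct layouts, the contents of the configuration record, the table size and all function names are assumptions for illustration; what the example shows is the part that matters for isolation: the key is the whole (vxlan_id, pvlan_id, cvlan_id) tuple, malformed identities are rejected, and an identity that has already been issued cannot be silently overwritten by a later access request.

```c
/* Added example, not the patent's own code: the preset storage area of
 * steps 103/104 as a configuration table keyed by the full tenant identity.
 * Field names, the fixed table size and the tenant_cfg contents are
 * assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Tenant identity: the three identifiers the patent names. Only the whole
 * tuple is unique; two estates behind different VXLANs may reuse the same
 * customer VLAN, so a lookup keyed by cvlan_id alone would cross tenants. */
struct tenant_id {
    uint32_t vxlan_id;   /* 24-bit VNI from the VXLAN header (vxlan_id) */
    uint16_t pvlan_id;   /* operator VLAN, 12 bits (pvlan_id) */
    uint16_t cvlan_id;   /* user VLAN, 12 bits (cvlan_id) */
};

/* Configuration issued to a tenant; the patent only says the DHCP and ARP
 * nodes consume it, so this field set is an assumption. IPv4 addresses are
 * kept in host byte order. */
struct tenant_cfg {
    uint32_t pool_start;  /* first address of the tenant's DHCP pool */
    uint32_t pool_size;
    uint32_t gateway;
    uint32_t lease_secs;
};

#define TENANT_SLOTS 64   /* small linear table; a real node would hash the tuple */

struct tenant_entry { bool used; struct tenant_id id; struct tenant_cfg cfg; };
struct tenant_store { struct tenant_entry slot[TENANT_SLOTS]; };

static bool tenant_id_valid(const struct tenant_id *id)
{
    /* VNI fits in 24 bits; VLAN IDs 0 and 4095 are reserved on the wire. */
    return id->vxlan_id < (1u << 24)
        && id->pvlan_id >= 1 && id->pvlan_id <= 4094
        && id->cvlan_id >= 1 && id->cvlan_id <= 4094;
}

static bool tenant_id_eq(const struct tenant_id *a, const struct tenant_id *b)
{
    return a->vxlan_id == b->vxlan_id && a->pvlan_id == b->pvlan_id
        && a->cvlan_id == b->cvlan_id;
}

/* Steps 103/104: issue configuration for an identity and store both together.
 * Returns the slot index, or -1 if the identity is malformed, already issued
 * or the table is full. Refusing a duplicate matters: silently overwriting
 * would let a later access request replace an established tenant's pool. */
int tenant_store_issue(struct tenant_store *s, const struct tenant_id *id,
                       const struct tenant_cfg *cfg)
{
    if (!tenant_id_valid(id))
        return -1;
    int free_slot = -1;
    for (int i = 0; i < TENANT_SLOTS; i++) {
        if (s->slot[i].used) {
            if (tenant_id_eq(&s->slot[i].id, id))
                return -1;                 /* already issued */
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (free_slot < 0)
        return -1;
    s->slot[free_slot].used = true;
    s->slot[free_slot].id = *id;
    s->slot[free_slot].cfg = *cfg;
    return free_slot;
}

/* The query every functional node performs: exact match on the whole tuple. */
const struct tenant_cfg *tenant_store_lookup(const struct tenant_store *s,
                                             const struct tenant_id *id)
{
    for (int i = 0; i < TENANT_SLOTS; i++)
        if (s->slot[i].used && tenant_id_eq(&s->slot[i].id, id))
            return &s->slot[i].cfg;
    return NULL;
}

/* Drop a tenant's configuration (e.g. on service termination) so that its
 * identity can no longer be matched by later traffic. */
bool tenant_store_revoke(struct tenant_store *s, const struct tenant_id *id)
{
    for (int i = 0; i < TENANT_SLOTS; i++)
        if (s->slot[i].used && tenant_id_eq(&s->slot[i].id, id)) {
            s->slot[i].used = false;
            return true;
        }
    return false;
}
```

tenant_store_issue returns the slot used or -1; tenant_store_lookup returns NULL for an unknown tuple, and a functional node that receives NULL should drop the message rather than fall back to any default configuration.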
In an optional embodiment of the present invention, the functional node comprises a traffic scheduling node, and the method further comprises:
step S11, when a first message is received, identifying the message type of the first message;
step S12, determining a next hop functional node for processing the first message according to the message type;
step S13, extracting the tenant identity information corresponding to the first message from the message expansion space and deleting the message expansion space, to obtain a second message;
step S14, storing the tenant identity information in a private field of the message buffer, so that the second message carries the tenant identity information out of band;
step S15, sending the second message to the functional node, so that the functional node obtains the tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
It should be noted that the message sent by the tenant may be an ordinary internet service message, an acceleration service message, an encryption service message, and so on. The original message sent by the tenant is VXLAN-encapsulated, the VXLAN header of the encapsulated message carries the vxlan_id, and the message reaches the VCPE via the vSwitch. The vSwitch decapsulates the received message: it strips the VXLAN header, takes the vxlan_id from that header and fills it into the message expansion space, obtaining an Ethernet message, that is, the first message in the embodiment of the present invention, which it sends to the VCPE. The tenant identity therefore originates from the operator-side encapsulation applied before the message reaches the VCPE, not from fields of the tenant's own payload. After receiving the first message, the traffic scheduling node of the VCPE extracts the tenant identity information corresponding to the first message from the message expansion space and deletes the message expansion space, obtaining the second message. The extracted tenant identity information is stored in a private field of the message buffer, for the other functional nodes in the VCPE to perform service processing based on it.
The flow scheduling node further provides a message forwarding function, specifically, the second message is sent to the next hop function node, and the next hop function node that receives the message performs service processing based on the tenant identity information stored in the private field of the message buffer, for example, the DHCP service node provides a DHCP service for the tenant corresponding to the tenant identity information, the ARP service node provides an ARP service for the tenant corresponding to the tenant identity information, and so on.
Similarly, when the functional node that received the message replies to the tenant after processing, it needs to expand the message again: it fills the tenant identity information into the message expansion space and sends the message to the vSwitch. The vSwitch deletes the message expansion space during its subsequent processing and delivers the message sent by the VCPE to the tenant.
It should be noted that, when processing messages, the traffic scheduling node may use a vectorized packet processing technique to perform the traffic forwarding processing of the virtual network element.
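The traffic scheduling node's ingress path (steps S11 to S14), the next-hop decision, and the reverse path toward the vSwitch described above, as an added C example that is neither the patent's nor the vSwitch's own code. The 12-byte extension-space layout, the mbuf structure with its private field, the magic value and the next-hop names are assumptions; the patent specifies none of them. The example also shows the check a practitioner would add: a frame arriving without a well-formed extension space is dropped rather than processed under a default tenant, and a reply whose buffer has lost its tenant is refused rather than sent untagged.

```c
/* Added example, not the patent's own code: traffic scheduling node handling
 * of a first message (S11-S14), the next-hop decision, and the reverse path that
 * re-creates the extension space before a reply goes back to the vSwitch.
 * Extension-space layout, mbuf layout and all constants are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

struct tenant_id { uint32_t vxlan_id; uint16_t pvlan_id; uint16_t cvlan_id; };

/* Assumed extension space: 12 big-endian bytes the vSwitch prepends to the
 * untagged frame: magic(2) vxlan_id(4) pvlan_id(2) cvlan_id(2) reserved(2). */
#define EXT_LEN   12
#define EXT_MAGIC 0x7E4Eu
enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, ETH_P_ARP = 0x0806, ETH_P_IPV6 = 0x86DD };
enum next_hop { HOP_DROP = 0, HOP_ARP_NODE, HOP_DHCPV4_NODE, HOP_DHCPV6_NODE, HOP_FORWARD };

#define MBUF_DATA_MAX 2048
struct mbuf {
    uint8_t data[MBUF_DATA_MAX];
    size_t  len;
    /* Private field: travels with the buffer between nodes, never on the wire. */
    struct { bool has_tenant; struct tenant_id tenant; } priv;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static void put_ext(uint8_t *p, const struct tenant_id *t)
{
    wr16(p, EXT_MAGIC); wr32(p + 2, t->vxlan_id);
    wr16(p + 6, t->pvlan_id); wr16(p + 8, t->cvlan_id); wr16(p + 10, 0);
}

/* S11/S12: the message type of the bare frame decides the next hop. IPv6
 * extension headers are not walked here (simplification). */
static enum next_hop classify(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN) return HOP_DROP;
    uint16_t type = rd16(f + 12);
    if (type == ETH_P_ARP) return HOP_ARP_NODE;
    if (type == ETH_P_IP) {                          /* DHCPv4: UDP to port 67 */
        size_t ihl = (f[ETH_HLEN] & 0x0F) * 4u;
        if (ihl < 20 || len < ETH_HLEN + ihl + 8) return HOP_DROP;
        return (f[ETH_HLEN + 9] == 17 && rd16(f + ETH_HLEN + ihl + 2) == 67)
            ? HOP_DHCPV4_NODE : HOP_FORWARD;
    }
    if (type == ETH_P_IPV6) {                        /* DHCPv6: UDP to port 547 */
        if (len < ETH_HLEN + 48) return HOP_DROP;
        return (f[ETH_HLEN + 6] == 17 && rd16(f + ETH_HLEN + 42) == 547)
            ? HOP_DHCPV6_NODE : HOP_FORWARD;
    }
    return HOP_FORWARD;
}

/* Ingress, S11-S14. A frame without a well-formed extension space has no
 * provable tenant and is dropped; handling it under some default tenant would
 * be the cross-tenant leak the scheme exists to prevent. */
enum next_hop scheduler_ingress(struct mbuf *m)
{
    m->priv.has_tenant = false;
    if (m->len < EXT_LEN + ETH_HLEN || rd16(m->data) != EXT_MAGIC) return HOP_DROP;
    struct tenant_id t = { rd32(m->data + 2), rd16(m->data + 6), rd16(m->data + 8) };
    if (t.vxlan_id >> 24 || t.pvlan_id - 1u > 4093u || t.cvlan_id - 1u > 4093u)
        return HOP_DROP;                             /* VNI is 24 bits, VLAN 1..4094 */
    memmove(m->data, m->data + EXT_LEN, m->len - EXT_LEN);   /* S13: delete extension space */
    m->len -= EXT_LEN;
    enum next_hop hop = classify(m->data, m->len);
    if (hop != HOP_DROP) { m->priv.tenant = t; m->priv.has_tenant = true; }   /* S14 */
    return hop;
}

/* Egress toward the vSwitch: rebuild the extension space from the private
 * field. A reply whose buffer lost its tenant is refused, not sent untagged. */
bool scheduler_egress(struct mbuf *m)
{
    if (!m->priv.has_tenant || m->len + EXT_LEN > MBUF_DATA_MAX) return false;
    memmove(m->data + EXT_LEN, m->data, m->len);
    put_ext(m->data, &m->priv.tenant);
    m->len += EXT_LEN;
    return true;
}

/* Constructed sample first messages, not captured traffic. kind 0: ARP
 * request; 1: IPv4/UDP 68->67 (DHCPv4); 2: ARP frame with no extension space. */
void construct_sample(struct mbuf *m, const struct tenant_id *t, int kind)
{
    memset(m, 0, sizeof *m);
    uint8_t *eth = m->data + (kind == 2 ? 0 : EXT_LEN);
    memset(eth, 0xFF, 6);                                   /* broadcast dst */
    memcpy(eth + 6, "\x02\x00\x00\x00\x00\x01", 6);         /* locally administered src */
    wr16(eth + 12, ETH_P_ARP);
    size_t len = ETH_HLEN + 28;                             /* zeroed ARP body */
    if (kind == 1) {
        uint8_t *ip = eth + ETH_HLEN;
        wr16(eth + 12, ETH_P_IP);
        ip[0] = 0x45; ip[9] = 17;                           /* IPv4, IHL 5, UDP */
        wr16(ip + 20, 68); wr16(ip + 22, 67);               /* UDP src/dst ports */
        len = ETH_HLEN + 20 + 8 + 240;                      /* zeroed minimal BOOTP body */
    }
    if (kind == 2) { m->len = len; return; }
    put_ext(m->data, t);
    m->len = EXT_LEN + len;
}
```

scheduler_ingress returns the next hop and leaves the tenant identity only in the buffer's private field; the DHCP and ARP nodes then take it from there, never from the frame bytes. The DHCPv6 branch in classify assumes the UDP header follows the fixed IPv6 header directly; a production node must walk extension headers before trusting the port.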
In an optional embodiment of the present invention, processing the second message according to the tenant identity information in step S15 includes:
a11, inquiring tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and A12, processing the second message according to the tenant configuration information.
After receiving the second message forwarded by the traffic scheduling node, the functional node in the network virtual switching system may query, according to the tenant identity information stored in the private field of the message buffer, tenant configuration information of a tenant corresponding to the second message from a preset storage area, so as to perform service processing on the tenant according to the queried tenant configuration information. For example, the DHCP service node provides a DHCP service for the tenant according to the tenant configuration information; and the ARP service node provides ARP service for the tenant according to the tenant configuration information, and the like.
In an optional embodiment of the present invention, the processing the second packet according to the tenant configuration information further includes:
step S21, allocating an IP address to the terminal device corresponding to the tenant according to the tenant configuration information; and/or
step S22, acquiring terminal state updating information of the terminal device corresponding to the tenant based on the tenant configuration information;
and step S23, recording the terminal state update information according to the tenant identity information.
For the DHCP service node, after receiving the second packet forwarded by the traffic scheduling node, the DHCP service node may query, according to the tenant identity information in the packet buffer private field, corresponding tenant configuration information from a preset storage area, and further allocate an IP address to each terminal device corresponding to the tenant according to the tenant configuration information, thereby maintaining an IP address pool of the terminal device of the LAN-side tenant.
In addition, the DHCP service node may further obtain, according to the tenant's configuration information, terminal state update information of each terminal device corresponding to the tenant, which may specifically include the online state, the offline state and an intermediate state of the terminal device. The terminal state update information is then recorded under the tenant identity information, so that the terminal state of each tenant is maintained separately.
In an optional embodiment of the present invention, the processing the second packet according to the tenant configuration information further includes:
step S31, determining the IP address of the terminal device corresponding to the tenant according to the tenant configuration information;
step S32, determining the MAC address of the terminal device corresponding to the tenant according to the IP address;
and step S33, recording the MAC address according to the tenant identity information.
For the ARP service node, after receiving the second packet forwarded by the traffic scheduling node, the ARP service node may query, according to the tenant identity information in the packet buffer private field, corresponding tenant configuration information from a preset storage area, and further determine, according to the tenant configuration information, an IP address corresponding to each terminal device of the tenant. Then, a corresponding MAC address is determined according to the IP address corresponding to the terminal device, and the MAC address of the terminal device corresponding to the tenant is recorded based on the tenant identity information of the tenant.
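The per-tenant DHCP pool and ARP records of steps S21 to S23 and S31 to S33, as an added C example that is not the patent's own code and that serves both the DHCP service node passage and the ARP service node passage above. Table sizes, the IPv4-only pool, the three terminal states and the lease/MAC binding check in arp_learn are assumptions (the binding check goes beyond what the patent states). Two tenants are deliberately given the same 192.168.1.0/24 range so that the same address exists in both; the records stay separate because every lookup goes through the tenant identity first.

```c
/* Added example, not the patent's own code: LAN-side DHCP and ARP state kept
 * per tenant identity (steps S21-S23 and S31-S33). Table sizes, the IPv4-only
 * pool and the lease/MAC binding check in arp_learn are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

struct tenant_id { uint32_t vxlan_id; uint16_t pvlan_id; uint16_t cvlan_id; };
static bool tenant_id_eq(const struct tenant_id *a, const struct tenant_id *b)
{ return a->vxlan_id == b->vxlan_id && a->pvlan_id == b->pvlan_id && a->cvlan_id == b->cvlan_id; }

enum term_state { TERM_FREE = 0, TERM_ONLINE, TERM_OFFLINE };
struct terminal {                       /* one device of one tenant */
    enum term_state state;              /* S22/S23: maintained by the DHCP node */
    uint8_t lease_mac[6];               /* chaddr the lease was granted to */
    uint8_t arp_mac[6];                 /* S32/S33: learned by the ARP node */
    bool    arp_known;
};

#define POOL_MAX   64
#define TENANT_MAX 8
struct tenant_lan {
    bool used; struct tenant_id id;
    uint32_t pool_start, pool_size;     /* from the tenant configuration, host order */
    struct terminal term[POOL_MAX];     /* term[i] holds address pool_start + i */
};
struct lan_node { struct tenant_lan t[TENANT_MAX]; };

static struct tenant_lan *find_tenant(struct lan_node *n, const struct tenant_id *id)
{
    for (int i = 0; i < TENANT_MAX; i++)
        if (n->t[i].used && tenant_id_eq(&n->t[i].id, id)) return &n->t[i];
    return NULL;
}

/* Slot for (tenant, ip); NULL unless the ten
ant is known and the address is
 * inside the pool its configuration covers (S31). */
static struct terminal *find_term(struct lan_node *n, const struct tenant_id *id, uint32_t ip)
{
    struct tenant_lan *tl = find_tenant(n, id);
    if (!tl || ip < tl->pool_start || ip - tl->pool_start >= tl->pool_size) return NULL;
    return &tl->term[ip - tl->pool_start];
}

/* Attach a tenant with the pool from its configuration. Pools of different
 * tenants may overlap, which is why every lookup goes through the identity first. */
bool tenant_attach(struct lan_node *n, const struct tenant_id *id, uint32_t pool_start, uint32_t pool_size)
{
    if (find_tenant(n, id) || pool_size == 0 || pool_size > POOL_MAX) return false;
    for (int i = 0; i < TENANT_MAX; i++) {
        if (n->t[i].used) continue;
        n->t[i] = (struct tenant_lan){ .used = true, .id = *id, .pool_start = pool_start, .pool_size = pool_size };
        return true;
    }
    return false;
}

/* S21-S23: allocate from the tenant's own pool and record the device online;
 * a device already holding a lease gets its address back (renewal).
 * Returns 0 when the tenant is unknown or its pool is exhausted. */
uint32_t dhcp_alloc(struct lan_node *n, const struct tenant_id *id, const uint8_t mac[6])
{
    struct tenant_lan *tl = find_tenant(n, id);
    if (!tl) return 0;
    int free_idx = -1;
    for (uint32_t i = 0; i < tl->pool_size; i++) {
        struct terminal *t = &tl->term[i];
        if (t->state != TERM_FREE && memcmp(t->lease_mac, mac, 6) == 0) {
            t->state = TERM_ONLINE;
            return tl->pool_start + i;
        }
        if (t->state == TERM_FREE && free_idx < 0) free_idx = (int)i;
    }
    if (free_idx < 0) return 0;
    memcpy(tl->term[free_idx].lease_mac, mac, 6);
    tl->term[free_idx].state = TERM_ONLINE;
    return tl->pool_start + (uint32_t)free_idx;
}

enum term_state terminal_state(struct lan_node *n, const struct tenant_id *id, uint32_t ip)
{
    struct terminal *t = find_term(n, id, ip);
    return t ? t->state : TERM_FREE;
}

/* S31-S33: learn the MAC for one of this tenant's addresses and record it under
 * the tenant identity. Added binding check beyond the patent's text: a claim for
 * a leased address must carry the lease holder's MAC (as DHCP snooping does).
 * Cross-tenant claims never get here: find_term only returns this tenant's slots. */
bool arp_learn(struct lan_node *n, const struct tenant_id *id, uint32_t ip, const uint8_t mac[6])
{
    struct terminal *t = find_term(n, id, ip);
    if (!t || (t->state != TERM_FREE && memcmp(t->lease_mac, mac, 6) != 0)) return false;
    memcpy(t->arp_mac, mac, 6);
    t->arp_known = true;
    return true;
}

const uint8_t *arp_lookup(struct lan_node *n, const struct tenant_id *id, uint32_t ip)
{
    struct terminal *t = find_term(n, id, ip);
    return (t && t->arp_known) ? t->arp_mac : NULL;
}
```

The tenant identity passed to each function is the one the scheduling node placed in the buffer's private field; a node that takes it from anywhere else (for example from the frame's VLAN tag or source address) would let a tenant choose whose table it writes to.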
In summary, in the embodiment of the present invention, by acquiring the unique tenant identity of each tenant accessing a service, and issuing corresponding tenant configuration information according to the tenant identity, a tenant configuration information search mechanism based on the tenant identity is established, so that each functional node performs service processing according to the tenant identity information, thereby implementing multi-tenant isolation at the LAN side in the VCPE network element.
Example three
Referring to fig. 3, which shows a structure diagram of an apparatus provided in the third embodiment of the present invention, specifically including:
a memory 300 for storing a computer program.
A transceiver 310 for receiving and transmitting data under the control of a processor 320.
A processor 320 for reading the computer program in the memory 300 and performing the following operations:
receiving a service access request sent by a tenant;
responding to the service access request, and acquiring tenant identity information of the tenant;
issuing tenant configuration information for the tenant based on the tenant identity information;
and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
Optionally, the tenant identity information is generated according to a virtual extended local area network identifier, an operator virtual local area network identifier, and a user virtual local area network identifier corresponding to the tenant.
Optionally, the functional nodes include a traffic scheduling node, and the processor is further configured to read the computer program in the memory and perform the following operations:
when a first message is received, identifying the message type of the first message;
determining a next hop functional node for processing the first message according to the message type;
extracting tenant identity information corresponding to the first message from a message expansion space and deleting the message expansion space to obtain a second message;
storing the tenant identity information into a private field of a message buffer area to obtain an expanded message;
and sending the second message to the functional node so that the functional node acquires tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
Optionally, the processing the second message according to the tenant identity information includes:
querying tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and processing the second message according to the tenant configuration information.
Optionally, the processing the second message according to the tenant configuration information further includes:
allocating an IP address to the terminal equipment corresponding to the tenant according to the tenant configuration information; and/or
acquiring terminal state update information of the terminal equipment corresponding to the tenant based on the tenant configuration information;
and recording the terminal state update information according to the tenant identity information.
Optionally, the processing the second message according to the tenant configuration information further includes:
determining the IP address of the terminal equipment corresponding to the tenant according to the tenant configuration management information;
determining the MAC address of the terminal equipment corresponding to the tenant according to the IP address;
and recording the MAC address according to the tenant identity information.
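The scheduling steps and the DHCP and ARP processing steps above, as one added example written for this page (not the patent's or China Telecom's code). It models the message expansion space as an 8-byte prefix (message type, VNI, operator VLAN, user VLAN), the private field of the message buffer as an attribute on a buffer object, the preset storage area as an in-memory dictionary, and each tenant's configuration as an IPv4 pool given as a CIDR; all of these are assumptions, since the patent fixes none of them. Sample messages are constructed inline.

```python
# Added example, not from the patent: the traffic scheduling node, DHCP node and
# ARP node, each reaching tenant state only through the tenant identity. Assumed,
# since the patent does not say: the expansion space is an 8-byte prefix (type, VNI,
# operator VLAN, user VLAN); private field is an attribute; storage is a dict.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TenantKey = Tuple[int, int, int]     # (VNI, operator VLAN, user VLAN)
EXT_FMT = "!B3sHH"                   # expansion space: type, VNI, S-VLAN, C-VLAN
EXT_LEN = struct.calcsize(EXT_FMT)   # 8 bytes
MSG_DHCP, MSG_ARP = 1, 2


@dataclass
class TenantConfig:
    pool: ipaddress.IPv4Network
    leases: Dict[str, str] = field(default_factory=dict)   # MAC -> IP (terminal state)
    arp: Dict[str, str] = field(default_factory=dict)      # IP -> MAC (ARP node's record)


@dataclass
class MessageBuffer:
    data: bytes                           # the second message, expansion space removed
    private: Optional[TenantKey] = None   # tenant identity, carried outside the message


Registry = Dict[TenantKey, TenantConfig]  # preset storage area, keyed by tenant identity


def issue_config(reg: Registry, tenant: TenantKey, pool_cidr: str) -> None:
    """Issue configuration at service access and store the identity -> config mapping."""
    reg[tenant] = TenantConfig(ipaddress.IPv4Network(pool_cidr))


def schedule(first_message: bytes) -> Tuple[int, MessageBuffer]:
    """Traffic scheduling node: read the type, strip the expansion space, tag the buffer."""
    if len(first_message) < EXT_LEN:
        raise ValueError("message shorter than its expansion space")
    kind, vni, svlan, cvlan = struct.unpack(EXT_FMT, first_message[:EXT_LEN])
    buf = MessageBuffer(data=first_message[EXT_LEN:])
    buf.private = (int.from_bytes(vni, "big"), svlan, cvlan)
    return kind, buf


def dhcp_node(reg: Registry, buf: MessageBuffer) -> Optional[str]:
    """Allocate from the tenant's own pool; payload is the client MAC (6 bytes)."""
    cfg = reg.get(buf.private)
    if cfg is None or len(buf.data) != 6:
        return None                              # unknown tenant or bad message: drop
    mac = buf.data.hex(":")
    if mac not in cfg.leases:
        used = set(cfg.leases.values())
        free = next((str(h) for h in cfg.pool.hosts() if str(h) not in used), None)
        if free is None:
            return None                          # pool exhausted
        cfg.leases[mac] = free                   # terminal state recorded under this tenant
    return cfg.leases[mac]


def arp_node(reg: Registry, buf: MessageBuffer) -> Optional[str]:
    """Resolve IP -> MAC inside the tenant's scope only; payload is the IPv4 address."""
    cfg = reg.get(buf.private)
    if cfg is None or len(buf.data) != 4:
        return None
    ip = ipaddress.IPv4Address(buf.data)
    if ip not in cfg.pool:                       # IP determined against this tenant's config
        return None
    mac = next((m for m, leased in cfg.leases.items() if leased == str(ip)), None)
    if mac is not None:
        cfg.arp[str(ip)] = mac                   # MAC recorded under the tenant identity
    return mac


def handle(reg: Registry, first_message: bytes) -> Optional[str]:
    """Scheduling, then dispatch to the next-hop functional node by message type."""
    kind, buf = schedule(first_message)
    if kind == MSG_DHCP:
        return dhcp_node(reg, buf)
    if kind == MSG_ARP:
        return arp_node(reg, buf)
    return None                                  # unknown type: drop


def make_first_message(kind: int, tenant: TenantKey, payload: bytes) -> bytes:
    """Construct a synthetic first message: expansion space followed by the payload."""
    return struct.pack(EXT_FMT, kind, tenant[0].to_bytes(3, "big"), tenant[1], tenant[2]) + payload


def demo() -> Dict[str, Optional[str]]:
    reg: Registry = {}
    a, b = (0x100, 10, 200), (0x100, 10, 201)   # same VNI and S-VLAN, different C-VLAN
    issue_config(reg, a, "192.168.1.0/24")
    issue_config(reg, b, "192.168.1.0/24")      # identical pools: state is per tenant anyway
    target = ipaddress.IPv4Address("192.168.1.1").packed
    return {"ip_a": handle(reg, make_first_message(MSG_DHCP, a, bytes.fromhex("020000000001"))),
            "ip_b": handle(reg, make_first_message(MSG_DHCP, b, bytes.fromhex("020000000002"))),
            "arp_from_a": handle(reg, make_first_message(MSG_ARP, a, target)),   # A's MAC
            "arp_from_b": handle(reg, make_first_message(MSG_ARP, b, target)),   # B's MAC
            "arp_unknown": handle(reg, make_first_message(MSG_ARP, (0x999, 1, 1), target))}
```

Because every table is reached only through the tenant identity in the private field, two tenants can be issued the same 192.168.1.0/24 pool and both lease 192.168.1.1 without either seeing the other's MAC, and an identity with no configuration is dropped rather than defaulted. One caveat follows directly from the design: once the scheduling node has deleted the expansion space, a functional node can no longer re-derive the identity from the second message, so it trusts whatever wrote that space. The LAN-side component that fills in the expansion space is therefore the one that must be protected from tenant influence.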
In fig. 3, the bus interface is an interface to a bus architecture, which may include any number of interconnected buses and bridges linking together one or more processors, represented by processor 320, and various memory circuits, represented by memory 300. The bus architecture may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The transceiver 310 may be a number of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium, including wireless channels, wired channels and fiber optic cables. The processor 320 is responsible for managing the bus architecture and general processing, and the memory 300 may store data used by the processor 320 in performing operations.
The processor 320 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or a Complex Programmable Logic Device (CPLD), and may also have a multi-core architecture.
It should be noted that, the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment and achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are omitted here.
Example four
Referring to fig. 4, which shows a structural diagram of a tenant isolation apparatus according to the fourth embodiment of the present invention, the apparatus is applied to a network virtual switching system and specifically includes:
a request receiving module 401, configured to receive a service access request sent by a tenant;
an information obtaining module 402, configured to obtain, in response to the service access request, tenant identity information of the tenant;
an information issuing module 403, configured to issue tenant configuration information for the tenant based on the tenant identity information;
an information storage module 404, configured to store the tenant configuration information in a preset storage area, and store a corresponding relationship between the tenant configuration information and the tenant identity information, so that each function node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
Optionally, the tenant identity information is generated according to a virtual extensible local area network (VXLAN) identifier, an operator virtual local area network (VLAN) identifier, and a user VLAN identifier corresponding to the tenant.
Optionally, the functional node includes a traffic scheduling node, and the apparatus further includes:
the message receiving module is used for identifying the message type of a first message when the first message is received;
a node determining module, configured to determine, according to the packet type, a next hop functional node for processing the first packet;
the identity information acquisition module is used for extracting the tenant identity information corresponding to the first message from the message expansion space and deleting the message expansion space to obtain a second message;
the identity information storage module is used for storing the tenant identity information into a private field of a message buffer area;
and the message sending module is used for sending the second message to the functional node so that the functional node acquires the tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
Optionally, the apparatus further comprises:
the configuration information query module is used for querying tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and the service processing module is used for processing the second message according to the tenant configuration information.
Optionally, the functional nodes further include a Dynamic Host Configuration Protocol (DHCP) service node, and the service processing module includes:
the first IP address determining submodule is used for allocating an IP address to the terminal equipment corresponding to the tenant according to the tenant configuration information; and/or
the terminal state acquisition submodule is used for acquiring terminal state update information of the terminal equipment corresponding to the tenant based on the tenant configuration information;
and the terminal state recording submodule is used for recording the terminal state update information according to the tenant identity information.
Optionally, the functional nodes further include an Address Resolution Protocol (ARP) service node, and the service processing module includes:
the second IP address determining submodule is used for determining the IP address of the terminal equipment corresponding to the tenant according to the tenant configuration management information;
the MAC address determining submodule is used for determining the MAC address of the terminal equipment corresponding to the tenant according to the IP address;
and the MAC address recording submodule is used for recording the MAC address according to the tenant identity information.
It should be noted that, the division of the modules and units in the embodiment of the present invention is schematic, and is only a logic function division, and there may be another division manner in actual implementation. In addition, each functional module and each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a processor-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be noted that, the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment and achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are omitted here.
An embodiment of the present invention further provides a processor-readable storage medium, which stores a computer program, where the computer program is used to enable a processor to execute the foregoing method.
The processor-readable storage medium can be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer-executable instructions. These computer-executable instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These processor-executable instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (14)

1. A tenant isolation method is applied to a network virtual switching system, and comprises the following steps:
receiving a service access request sent by a tenant;
responding to the service access request, and acquiring tenant identity information of the tenant;
issuing tenant configuration information for the tenant based on the tenant identity information;
and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
2. The method according to claim 1, wherein the tenant identity information is generated according to a virtual extensible local area network (VXLAN) identifier, an operator virtual local area network (VLAN) identifier, and a user VLAN identifier corresponding to the tenant.
3. The method of claim 1, wherein the functional node comprises a traffic scheduling node, the method further comprising:
when a first message is received, identifying the message type of the first message;
determining a next hop functional node for processing the first message according to the message type;
extracting tenant identity information corresponding to the first message from a message expansion space and deleting the message expansion space to obtain a second message;
storing the tenant identity information into a private field of a message buffer;
and sending the second message to the functional node so that the functional node acquires tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
4. The method according to claim 3, wherein the processing the second message according to the tenant identity information includes:
querying tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and processing the second message according to the tenant configuration information.
5. The method of claim 4, wherein the functional nodes further comprise a Dynamic Host Configuration Protocol (DHCP) service node, and wherein processing the second message according to the tenant configuration information comprises:
allocating an IP address to the terminal equipment corresponding to the tenant according to the tenant configuration information; and/or
acquiring terminal state update information of the terminal equipment corresponding to the tenant based on the tenant configuration information;
and recording the terminal state update information according to the tenant identity information.
6. The method of claim 4, wherein the functional nodes further comprise an Address Resolution Protocol (ARP) service node, and wherein processing the second message according to the tenant configuration information comprises:
determining the IP address of the terminal equipment corresponding to the tenant according to the tenant configuration management information;
determining the MAC address of the terminal equipment corresponding to the tenant according to the IP address;
and recording the MAC address according to the tenant identity information.
7. An apparatus, applied to a network virtual switching system, includes a memory, a transceiver, a processor:
a memory for storing a computer program; a transceiver for transceiving data under control of the processor; a processor for reading the computer program in the memory and performing the following operations:
receiving a service access request sent by a tenant;
responding to the service access request, and acquiring tenant identity information of the tenant;
issuing tenant configuration information for the tenant based on the tenant identity information;
and storing the tenant configuration information in a preset storage area, and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system queries corresponding tenant configuration information from the preset storage area based on the tenant identity information, and performs service processing according to the tenant configuration information.
8. The apparatus of claim 7, wherein the tenant identity information is generated according to a virtual extensible local area network (VXLAN) identifier, an operator virtual local area network (VLAN) identifier, and a user VLAN identifier corresponding to the tenant.
9. The apparatus of claim 7, wherein the functional node comprises a traffic scheduling node, and wherein the processor is further configured to read the computer program in the memory and perform the following:
when a first message is received, identifying the message type of the first message;
determining a next hop functional node for processing the first message according to the message type;
extracting tenant identity information corresponding to the first message from a message expansion space and deleting the message expansion space to obtain a second message;
storing the tenant identity information into a private field of a message buffer area to obtain an expanded message;
and sending the second message to the functional node so that the functional node acquires tenant identity information from the private field of the message buffer and processes the second message according to the tenant identity information.
10. The apparatus of claim 9, wherein the processing the second message according to the tenant identity information comprises:
querying tenant configuration information matched with the tenant identity information from a preset storage area based on the tenant identity information;
and processing the second message according to the tenant configuration information.
11. The apparatus of claim 10, wherein the functional nodes further comprise a Dynamic Host Configuration Protocol (DHCP) service node, and wherein the processing the second message according to the tenant configuration information comprises:
allocating an IP address to the terminal equipment corresponding to the tenant according to the tenant configuration information; and/or
acquiring terminal state update information of the terminal equipment corresponding to the tenant based on the tenant configuration information;
and recording the terminal state update information according to the tenant identity information.
12. The apparatus of claim 10, wherein the functional nodes further comprise an Address Resolution Protocol (ARP) service node, and wherein the processing the second message according to the tenant configuration information comprises:
determining the IP address of the terminal equipment corresponding to the tenant according to the tenant configuration management information;
determining the MAC address of the terminal equipment corresponding to the tenant according to the IP address;
and recording the MAC address according to the tenant identity information.
13. A tenant isolation apparatus, applied to a network virtual switching system, the apparatus comprising:
the request receiving module is used for receiving a service access request sent by a tenant;
the information acquisition module is used for responding to the service access request and acquiring the tenant identity information of the tenant;
the information issuing module is used for issuing tenant configuration information for the tenant based on the tenant identity information;
and the information storage module is used for storing the tenant configuration information in a preset storage area and storing the corresponding relationship between the tenant configuration information and the tenant identity information, so that each functional node in the network virtual switching system inquires corresponding tenant configuration information from the preset storage area based on the tenant identity information and performs service processing according to the tenant configuration information.
14. A processor-readable storage medium, characterized in that the processor-readable storage medium stores a computer program for causing a processor to execute the tenant isolation method of any of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111676634.5A 2021-12-31 2021-12-31 Tenant isolation method, device and storage medium

Publications (1)

Publication Number Publication Date
CN114422218A 2022-04-29

Family

ID=81272246

Country Status (1)

Country Link
CN (1) CN114422218A (en)
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150139238A1 (en) * 2013-11-18 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Multi-tenant isolation in a cloud environment using software defined networking
CN111865658A (en) * 2020-06-05 2020-10-30 烽火通信科技股份有限公司 vCPE multi-tenant-based tenant service identification mapping method and system
CN112702252A (en) * 2019-10-23 2021-04-23 华为技术有限公司 Message processing method, system and related equipment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080950A (en) * 2022-07-20 2022-09-20 深圳竹云科技股份有限公司 Identity information processing method and device, computer equipment and storage medium
CN115080950B (en) * 2022-07-20 2022-11-15 深圳竹云科技股份有限公司 Identity information processing method and device, computer equipment and storage medium
CN116743876A (en) * 2023-08-14 2023-09-12 云筑信息科技(成都)有限公司 Method for realizing multi-tenant scheduling based on xxl-job
CN116743876B (en) * 2023-08-14 2023-12-08 云筑信息科技(成都)有限公司 Method for realizing multi-tenant scheduling based on xxl-job

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination