CN114944952B - Data processing method, device, system, equipment and readable storage medium - Google Patents

Info

Publication number
CN114944952B
Authority
CN
China
Prior art keywords
safety protection
tenant
message
equipment
vxlan
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN202210552408.4A
Other languages
Chinese (zh)
Other versions
CN114944952A (en)
Inventor
谭耀华
Current Assignee (as listed; not verified)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210552408.4A
Publication of CN114944952A
Application granted
Publication of CN114944952B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4645 Details on frame tagging

Abstract

The application discloses a data processing method, apparatus, system, device and readable storage medium in the field of computer technology. In the application, a security protection device corresponding to each tenant system is placed in a security protection pool, and the traffic sent by each tenant system carries that tenant's own identifier; after traffic arrives at the network transit device from a tenant system, the network transit device can tell from the tenant identifier where the traffic should go, and both traffic between different tenant systems and traffic from a tenant to the public network flow through the security protection pool, which can therefore monitor all of it. This solves the intranet IP conflict between different tenant systems and, at the same time, lets the security protection pool capture all traffic of each tenant system, improving its protection capability. Correspondingly, the data processing apparatus, system, device and readable storage medium have the same technical effects.

Description

Data processing method, device, system, equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data processing method, apparatus, system, device, and readable storage medium.
Background
Currently, a single switching device is connected to both the tenant systems and the security protection pool, and the gateway of each tenant system is implemented inside that switching device. This scheme has the following problems: (1) because the same switching device hosts the gateway of every tenant system, if the intranet IP (Internet Protocol) addresses of different tenant systems collide, the switching device cannot tell where the traffic should go, that is, it cannot determine the next hop of the traffic; (2) because the switching device can directly decide the path of traffic between different tenant systems, such traffic passes only through the switching device and never through the security protection pool, so the security protection pool cannot monitor it.
Therefore, how to solve the intranet IP conflict between different tenant systems while also enabling the security protection pool to capture traffic between different tenant systems is a problem that those skilled in the art need to solve.
Disclosure of Invention
In view of the above, the present application aims to provide a data processing method, apparatus, system, device and readable storage medium that solve the intranet IP conflict between different tenant systems and enable the security protection pool to capture traffic between different tenant systems. The specific scheme is as follows:
In a first aspect, the present application provides a data processing method applied to a network transit device, where the network transit device is connected to a security protection pool and at least two tenant systems, the security protection pool is provided with a security protection device corresponding to each tenant system, and the method includes:
acquiring a target packet with which a first tenant system accesses a second tenant system;
sending the target packet, according to the tenant identifier it carries, to a first security protection device in the security protection pool, so that the first security protection device sends the target packet to the second tenant system through a second security protection device in the security protection pool;
where the first security protection device corresponds to the first tenant system and the second security protection device corresponds to the second tenant system.
Optionally, the network transit device is an SDN (Software Defined Network) switching device, the target packet is a vxlan (Virtual Extensible Local Area Network) packet, and the tenant identifier is a vxlan identifier;
correspondingly, acquiring the target packet with which the first tenant system accesses the second tenant system includes:
acquiring the target packet by means of a vxlan transfer station in the first tenant system;
correspondingly, sending the target packet to the first security protection device in the security protection pool according to the tenant identifier it carries includes:
extracting the vxlan identifier from the vxlan packet;
determining the vlan (Virtual Local Area Network) identifier corresponding to the vxlan identifier;
deleting the vxlan identifier from the vxlan packet and adding the vlan identifier to the stripped packet to obtain a first packet;
and sending the first packet to a flow port of the security protection pool through the vlan channel corresponding to the vlan identifier, deleting the vlan identifier from the first packet at the flow port to obtain a second packet, and sending the second packet to the first security protection device.
Optionally, determining the vlan identifier corresponding to the vxlan identifier includes:
determining the vlan identifier by querying a vxlan-to-vlan mapping table.
Optionally, the network transit device is a layer-3 switching device without SDN functionality, the target packet is a vxlan packet, and the tenant identifier is a vxlan identifier;
correspondingly, sending the target packet to the first security protection device in the security protection pool according to the tenant identifier it carries includes:
sending the vxlan packet to a vxlan transfer station in the security protection pool according to a routing forwarding table, so that the vxlan transfer station deletes the vxlan identifier from the vxlan packet to obtain a third packet and sends the third packet to the first security protection device.
Optionally, the method further includes:
acquiring an object packet with which any tenant system accesses the public network;
sending the object packet, according to the tenant identifier it carries, to the first security protection device in the security protection pool, so that the first security protection device sends the object packet to the public network through an egress router connected to the WAN (Wide Area Network) port of the first security protection device.
In a second aspect, the present application provides a data processing apparatus applied to a network transit device, where the network transit device is connected to a security protection pool and at least two tenant systems, the security protection pool is provided with a security protection device corresponding to each tenant system, and the apparatus includes:
an acquisition module for acquiring a target packet with which a first tenant system accesses a second tenant system;
a forwarding module for sending the target packet, according to the tenant identifier it carries, to a first security protection device in the security protection pool, so that the first security protection device sends the target packet to the second tenant system through a second security protection device in the security protection pool; where the first security protection device corresponds to the first tenant system and the second security protection device corresponds to the second tenant system.
In a third aspect, the present application provides a data processing system comprising: a network transit device, a security protection pool and at least two tenant systems;
the network transit device is connected to the security protection pool and to each tenant system; a security protection device corresponding to each tenant system is provided in the security protection pool;
the network transit device is configured to implement the method of any one of the above.
Optionally, the network transit device is connected to each tenant system through a border router.
In a fourth aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the previously disclosed data processing method.
In a fifth aspect, the present application provides a readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the previously disclosed data processing method.
As can be seen from the above, the present application provides a data processing method applied to a network transit device, where the network transit device is connected to a security protection pool and at least two tenant systems, the security protection pool is provided with a security protection device corresponding to each tenant system, and the method includes: acquiring a target packet with which a first tenant system accesses a second tenant system; sending the target packet, according to the tenant identifier it carries, to a first security protection device in the security protection pool, so that the first security protection device sends the target packet to the second tenant system through a second security protection device in the security protection pool; where the first security protection device corresponds to the first tenant system and the second security protection device corresponds to the second tenant system.
Thus the application places the security protection device corresponding to each tenant system in the security protection pool, and the traffic sent by each tenant system carries that tenant's own identifier; after traffic arrives at the network transit device from a tenant system, the network transit device can identify the traffic path from the tenant identifier, and because each tenant's security protection device is in the security protection pool, both traffic between different tenant systems and traffic from a tenant to the public network flow through the security protection pool, which can therefore monitor all of it. The application thus solves the intranet IP conflict between different tenant systems, ensures that the security protection pool captures all traffic of each tenant system, and improves the protection capability of the security protection pool.
Correspondingly, the data processing apparatus, system, device and readable storage medium have the same technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data processing method disclosed by the application;
FIG. 2 is a flow chart of another data processing method disclosed in the present application;
FIG. 3 is a schematic diagram of a network topology connection of a data processing system according to the present disclosure;
FIG. 4 is a flow chart of yet another data processing method of the present disclosure;
FIG. 5 is a schematic diagram of a network topology connection of another data processing system of the present disclosure;
FIG. 6 is a schematic diagram of a data processing apparatus according to the present disclosure;
FIG. 7 is a schematic diagram of an electronic device according to the present disclosure;
FIG. 8 is a schematic diagram of another electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
At present, the existing scheme has the following problems: (1) the same switching device hosts the gateway of every tenant system, so if the intranet IP addresses of different tenant systems collide, the switching device cannot tell where the traffic should go; (2) because the switching device can directly decide the path of traffic between different tenant systems, that traffic passes only through the switching device and never through the security protection pool, so the pool cannot monitor it. The present application therefore provides a data processing scheme that solves the intranet IP conflict between different tenant systems while also enabling the security protection pool to capture the traffic between different tenant systems.
Referring to fig. 1, an embodiment of the present application discloses a data processing method applied to a network transit device, where the network transit device is connected to a security protection pool and at least two tenant systems, and the security protection pool is provided with a security protection device corresponding to each tenant system; the method includes the following steps:
S101, acquiring a target packet with which a first tenant system accesses a second tenant system.
S102, sending the target packet, according to the tenant identifier it carries, to a first security protection device in the security protection pool, so that the first security protection device sends the target packet to the second tenant system through a second security protection device in the security protection pool.
The first security protection device corresponds to the first tenant system, and the second security protection device corresponds to the second tenant system.
In this embodiment, the network transit device may be a router, a switch, or the like. The tenant identifier distinguishes different tenants. A tenant system is the network system a tenant builds to run its own business. The security protection pool is a system through which a network security service provider offers network security services to each tenant; devices such as gateways, firewalls and traffic audit devices can be managed in it. A tenant can purchase the gateways, firewalls, traffic audit devices and so on that it wants to use from the network security service provider, and the provider then deploys the purchased devices for that tenant in the security protection pool. The security protection devices referred to in this application are gateway- and firewall-class devices.
In one embodiment, the network transit device is an SDN switching device, the target packet is a vxlan packet, and the tenant identifier is a vxlan identifier; correspondingly, acquiring the target packet with which the first tenant system accesses the second tenant system includes: acquiring the target packet by means of a vxlan transfer station (i.e., a virtual vtep) in the first tenant system; correspondingly, sending the target packet to the first security protection device in the security protection pool according to the tenant identifier it carries includes: extracting the vxlan identifier from the vxlan packet; determining the vlan identifier corresponding to the vxlan identifier; deleting the vxlan identifier from the vxlan packet and adding the vlan identifier to the stripped packet to obtain a first packet; and sending the first packet to a flow port of the security protection pool through the vlan channel corresponding to the vlan identifier, deleting the vlan identifier from the first packet at the flow port to obtain a second packet, and sending the second packet to the first security protection device. In one embodiment, determining the vlan identifier corresponding to the vxlan identifier includes: determining the vlan identifier by querying a vxlan-to-vlan mapping table. It can be seen that the vxlan-to-vlan mapping table lets the SDN switching device force traffic onto the intended forwarding path.
It can be seen that when the network transit device is a switching device with SDN functionality, different tenant systems can be distinguished because the switching device partitions both vxlans and vlans. Specifically, each tenant system is placed in its own vxlan, so that different tenant systems are isolated from one another. A vxlan transfer station then has to be set up in each tenant system to receive external packets and send packets out. A vxlan transfer station is likewise set up at the switching device to receive the packets sent by each tenant system and to send other packets to each tenant system. Vlans must of course also be partitioned to distinguish the security protection devices of different tenants, that is: the switching device communicates with the security protection device of a tenant through the vlan channel corresponding to that tenant, so the security protection devices of different tenants cannot interfere with one another, and even if the intranet IP addresses of different tenant systems collide, the switching device can still determine the next hop of the traffic each tenant system sends. The vlan channel here is a transmission channel in the logical sense.
In one embodiment, the network transit device is a layer-3 switching device without SDN functionality, the target packet is a vxlan packet, and the tenant identifier is a vxlan identifier; correspondingly, sending the target packet to the first security protection device in the security protection pool according to the tenant identifier it carries includes: sending the vxlan packet to a vxlan transfer station in the security protection pool according to the routing forwarding table, so that the vxlan transfer station deletes the vxlan identifier from the vxlan packet to obtain a third packet and sends the third packet to the first security protection device. It can be seen that when the network transit device is a switching device without SDN functionality, the switching device is used only to forward vxlan packets. A vxlan transfer station is again set up in each tenant system, but the vxlan transfer station that was previously at the switching device is moved into the security protection pool; the switching device can then determine where traffic goes merely by having a route configured for the IP of the virtual vtep in the security protection pool. After the vxlan transfer station in the security protection pool removes the vxlan identifier, the corresponding security protection device can be determined directly inside the security protection pool according to the route, which likewise solves the IP conflict problem. Obviously, placing the vxlan transfer station in the security protection pool adds load to the pool compared with placing it at the switching device, and may affect the pool's protection capacity. In short, the IP of a vtep placed at the switching device can determine the traffic path, and the vtep can also determine the traffic path according to the gateway IP, so the IP conflict problem can be solved either way.
In one embodiment, the method further includes: acquiring an object packet with which any tenant system accesses the public network; sending the object packet, according to the tenant identifier it carries, to the first security protection device in the security protection pool, so that the first security protection device sends the object packet to the public network through an egress router connected to its WAN port. Packets with which any tenant system accesses the public network therefore also flow through the security protection pool, so the pool can protect as much traffic as possible.
Therefore, in this embodiment, the security protection device corresponding to each tenant system is placed in the security protection pool, and the traffic sent by each tenant system carries its own tenant identifier; after traffic arrives at the network transit device from a tenant system, the network transit device can identify the traffic path from the tenant identifier in the traffic, and because each tenant's security protection device is in the security protection pool, both traffic between different tenant systems and traffic from a tenant to the public network flow through the security protection pool, which can therefore monitor all of it. The application thus solves the intranet IP conflict between different tenant systems, ensures that the security protection pool can capture all traffic of each tenant system, and improves the protection capability of the security protection pool.
Referring to fig. 2, another data processing method disclosed in an embodiment of the present application is applied to an SDN switching device, where the SDN switching device is connected to a security protection pool and at least two tenant systems, and the security protection pool is provided with a security protection device corresponding to each tenant system; the method includes:
S201, acquiring, by means of a vxlan transfer station in the first tenant system, a vxlan packet with which the first tenant system accesses the second tenant system.
S202, extracting the vxlan identifier from the vxlan packet; determining the vlan identifier corresponding to the vxlan identifier; deleting the vxlan identifier from the vxlan packet and adding the vlan identifier to the stripped packet to obtain a first packet; and sending the first packet to a flow port of the security protection pool through the vlan channel corresponding to the vlan identifier, deleting the vlan identifier from the first packet at the flow port to obtain a second packet, and sending the second packet to the first security protection device, so that the first security protection device sends the target packet to the second tenant system through the second security protection device in the security protection pool.
In one embodiment, determining the vlan identifier corresponding to the vxlan identifier includes: determining the vlan identifier by querying a vxlan-to-vlan mapping table.
It can be seen that when the network transit device is a switching device with SDN functionality, different tenant systems can be distinguished because the switching device partitions both vxlans and vlans. The tenant system sends a vxlan packet to the SDN switching device; the SDN switching device removes the vxlan identifier from the packet, tags it with the vlan identifier, and sends it to the corresponding security protection device, which can then complete forwarding according to the packet's destination address.
The network topology corresponding to fig. 2 can be seen in fig. 3: the SDN switching device connects to each tenant system through a border router, and communicates with the gateway firewall (i.e., the security protection device) of each tenant system through a vlan channel. The IP of the gateway firewall's LAN port is the gateway IP of the corresponding tenant, and the IP of the gateway firewall's WAN port is in the same network segment as the egress router. A vtep is started on the SDN switching device for interacting with all tenant systems, and a vtep is started in each tenant system for interacting with the SDN switching device.
The gateway IP of each tenant is configured on its gateway firewall in the security resource pool (i.e., the security protection pool), so the tenant's north-south traffic passes through the security resource pool and more traffic receives protection. The traffic path is as follows: the north-south traffic (including ARP requests and real traffic) of the tenant's business system first reaches the tenant vtep, which forwards it to the vtep in the SDN switching device. For example, the peer of tenant A's vtep is the vtep on the SDN switching device, so tenant A's vtep builds a vxlan packet with the vnid (i.e., the vxlan identifier) exclusive to tenant A; the vxlan packet is forwarded over the internet to the border router, which routes it to the SDN switching device. The border router is a router provided by the network operator to connect users and provide them with network access. The vxlan packet may be forwarded over IP or over an MPLS (Multi-Protocol Label Switching) private line. The SDN switching device then uses the vnid in the vxlan packet to index the vlan value (i.e., the vlan identifier) corresponding to the tenant, strips the vnid from the vxlan packet through SDN rules, tags the packet with the corresponding vlan value, and finally forwards it to the security resource pool through a trunk port and the vlan channel corresponding to that vlan value. The security resource pool allocates one vlan channel per tenant, and that vlan channel connects the tenant's gateway firewall with the SDN switching device.
After the traffic enters the security resource pool but before it reaches the gateway firewall, the vlan tag is removed at the physical port where the resource pool receives it (the flow port), and the traffic is then sent to the LAN port of the gateway firewall.
The tenant system's internet traffic is forwarded by the route inside the gateway firewall, whose next hop points to the IP of the egress router. The WAN ports of all tenants' gateway firewalls are in the same vlan as the LAN port of the egress router; that vlan is not in the same network segment as any tenant vlan and is therefore isolated from the tenant networks.
Therefore, this embodiment can offload vxlan traffic on the hardware switch, so that the security resource pool can devote itself fully to protection, which improves protection performance and supports multi-tenant scenarios. Because the gateway of each tenant sits in the resource pool, the tenant's north-south traffic can be protected completely.
Referring to fig. 4, an embodiment of the present application discloses a data processing method applied to a layer-3 switching device without SDN functionality, where the switching device is connected to a security protection pool and at least two tenant systems, and the security protection pool is provided with a security protection device corresponding to each tenant system; the method includes:
S401, acquiring a vxlan packet with which the first tenant system accesses the second tenant system.
S402, sending the vxlan packet to a vxlan transfer station in the security protection pool according to the routing forwarding table, so that the vxlan transfer station deletes the vxlan identifier from the vxlan packet to obtain a third packet and sends the third packet to the first security protection device, so that the first security protection device sends the target packet to the second tenant system through the second security protection device in the security protection pool.
It can be seen that when the network transit device is a switching device without SDN functionality, the switching device is used only to forward vxlan packets, and after the vxlan transfer station in the security protection pool removes the vxlan identifier, the corresponding security protection device is determined directly inside the security protection pool.
The network topology corresponding to fig. 4 can be seen in fig. 5: a switching device without SDN functionality connects to each tenant system through a border router, and connects directly to the gateway firewall (i.e., the security protection device) of each tenant system. The IP of the gateway firewall's LAN port is the gateway IP of the corresponding tenant, and the IP of the gateway firewall's WAN port is in the same network segment as the egress router. Rather than placing a vtep on the switching device, a vtep is placed in the security resource pool to remove the vxlan identifier from the traffic before it reaches the gateway firewall. In other words, fig. 5 replaces the vtep on the switching device of fig. 3 with a software vtep, and the aggregation switch in fig. 5 only needs to be an ordinary layer-3 switch.
Based on fig. 5, the traffic path is as follows: the north-south traffic (including ARP requests and real traffic) of the tenant's business system first reaches the tenant vtep, which forwards it to the switching device. The switching device only needs to forward the traffic according to its routes for the traffic to reach the vtep in the security resource pool. In this embodiment, the security resource pool sets up one vtep per tenant. Because vxlan packets are UDP traffic, the switching device only needs a route for the IP of the virtual vtep. Once the vxlan traffic reaches the virtual vtep, the vxlan tag is removed, the traffic becomes ordinary traffic, and it is forwarded to the tenant's gateway firewall. The tenant system's internet traffic is forwarded by the route inside the gateway firewall, whose next hop points to the IP of the egress router. The WAN ports of all tenants' gateway firewalls are in the same vlan as the LAN port of the egress router; that vlan is not in the same network segment as any tenant vlan and is therefore isolated from the tenant networks.
Because the virtual vtep is placed in the security resource pool in this embodiment, the load on the security resource pool increases, which affects its protection capability. Nevertheless, the security resource pool can still serve as the layer-2 gateway of a multi-tenant cross-domain network, protect all north-south traffic, and solve the cross-domain and tenant IP conflict problems.
It can be seen that the arrangements of fig. 3 and fig. 5 both solve the IP conflict between multiple tenants, and the north-south traffic of all tenants passes through the resource pool. The cross-tenant-system problem is solved through vxlan, so that each tenant system and its corresponding firewall gateway in the resource pool are in the same layer-2 domain.
A data processing apparatus according to an embodiment of the present application is described below, and a data processing apparatus described below and a data processing method described above may be referred to each other.
Referring to fig. 6, an embodiment of the present application discloses a data processing apparatus, which is applied to a network transfer device, where the network transfer device is connected to a security protection pool and at least two tenant systems, and the security protection pool is provided with security protection devices corresponding to each tenant system, and includes:
an obtaining module 601, configured to obtain a target packet of a first tenant system accessing a second tenant system;
the forwarding module 602 is configured to send the target packet to a first security protection device in the security protection pool according to the tenant identifier carried by the target packet, so that the first security protection device sends the target packet to a second tenant system through a second security protection device in the security protection pool; the first safety protection equipment corresponds to the first tenant system, and the second safety protection equipment corresponds to the second tenant system.
In one embodiment, the network transit device is an SDN switching device, the target message is a vxlan message, and the tenant identifier is a vxlan identifier;
correspondingly, the acquisition module is specifically configured to:
obtaining the target message by utilizing a vxlan transfer station in the SDN switching device;
correspondingly, the forwarding module is specifically configured to:
extracting a vxlan identifier from the vxlan message;
determining the vlan identifier corresponding to the vxlan identifier;
deleting the vxlan identifier in the vxlan message, and adding the vlan identifier to the message after deletion to obtain a first message;
and sending the first message to a flow port of the safety protection pool through the vlan channel corresponding to the vlan identifier, deleting the vlan identifier from the first message at the flow port to obtain a second message, and sending the second message to the first safety protection equipment.
In one embodiment, the forwarding module is specifically configured to:
the vlan identifier is determined by querying a vxlan-to-vlan mapping table.
In one embodiment, the network transit device is a three-layer switching device without SDN function, the target message is a vxlan message, and the tenant identifier is a vxlan identifier;
correspondingly, the forwarding module is specifically configured to:
and sending the vxlan message to a vxlan transfer station in the safety protection pool according to the routing forwarding table, so that the vxlan transfer station deletes the vxlan identifier in the vxlan message to obtain a third message, and sending the third message to the first safety protection equipment.
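The two forwarding paths just described (the SDN switching device of fig. 3 that rewrites the vxlan identifier into a vlan identifier and hands the frame to the pool's flow port, and the three-layer switching device of fig. 5 that merely routes the UDP/vxlan traffic to a software vtep inside the pool), modelled as an added Python example that is not part of the patent. The VNI values, vlan numbers, IP addresses, firewall and vtep names and the contents of the mapping and routing tables are constructed assumptions; the patent names these tables but gives no values.

```python
"""Constructed model of both forwarding paths of the patent (not the patent's own code)."""
import struct
import ipaddress

VXLAN_UDP_PORT = 4789          # IANA-assigned vxlan destination port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_UDP = 17

# Constructed tables (assumed values). The vxlan-to-vlan mapping table of the SDN switch,
# the tenant firewall chosen per VNI, and the routing table of the non-SDN L3 switch.
VNI_TO_VLAN = {1001: 101, 1002: 102}
VNI_TO_FIREWALL = {1001: "fw-tenant-a", 1002: "fw-tenant-b"}
ROUTE_TABLE = {"192.0.2.10": "vtep-tenant-a", "192.0.2.20": "vtep-tenant-b"}  # outer dst IP -> next hop

def tenant_frame(src_ip, dst_ip):
    """Constructed inner frame: tenant Ethernet header + minimal IPv4 header (no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 0, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return bytes.fromhex("0200000000c1") + bytes.fromhex("0200000000c2") + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_vxlan_packet(vni, outer_dst_ip, inner_frame):
    """Tenant vtep: outer Ethernet + IPv4 + UDP/4789 + 8-byte vxlan header around inner_frame.
    IP/UDP checksums are left at zero in this constructed sample."""
    vxlan_hdr = struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8)  # flags, 3 reserved, VNI, 1 reserved
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address("192.0.2.1").packed,
                         ipaddress.IPv4Address(outer_dst_ip).packed)
    eth_hdr = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame

def decapsulate_vxlan(packet):
    """Validate the outer headers and return (vni, inner_frame); reject anything that is not vxlan."""
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("truncated vxlan packet")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp = 14 + ihl
    if struct.unpack("!H", packet[udp + 2:udp + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not vxlan traffic")
    vx = udp + 8
    flags, _, _, vni_field = struct.unpack("!BBHI", packet[vx:vx + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("vxlan I flag not set")
    return vni_field >> 8, packet[vx + 8:]

def sdn_switch_forward(packet):
    """Fig. 3 path: VNI -> vlan via the mapping table, strip the vxlan encapsulation and push an
    802.1Q tag (first message), to be sent over that vlan channel to the pool's flow port."""
    vni, inner = decapsulate_vxlan(packet)
    vlan = VNI_TO_VLAN[vni]  # KeyError means no tenant mapping: the switch has no rule to forward on
    first_message = inner[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) + inner[12:]
    return vlan, first_message

def flow_port_strip_vlan(first_message):
    """Flow port of the security pool: pop the 802.1Q tag (second message) and choose the firewall by vlan."""
    tpid, tci = struct.unpack("!HH", first_message[12:16])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("frame reached the flow port untagged")
    vlan = tci & 0x0FFF
    firewall = next(fw for vni, fw in VNI_TO_FIREWALL.items() if VNI_TO_VLAN[vni] == vlan)
    return firewall, first_message[:12] + first_message[16:]

def l3_switch_forward(packet):
    """Fig. 5 path: the plain L3 switch looks only at the outer destination IP and routes to the vtep."""
    return ROUTE_TABLE[str(ipaddress.IPv4Address(packet[30:34]))]

def software_vtep_forward(packet):
    """Software vtep in the pool: delete the vxlan identifier (third message), pick the firewall by VNI."""
    vni, third_message = decapsulate_vxlan(packet)
    return VNI_TO_FIREWALL[vni], third_message

def demo():
    """Two tenants with identical private addresses: only the VNI tells them apart on either path."""
    results = {}
    for vni, outer_dst in ((1001, "192.0.2.10"), (1002, "192.0.2.20")):
        inner = tenant_frame("10.0.0.5", "10.0.0.1")
        pkt = build_vxlan_packet(vni, outer_dst, inner)
        vlan, first = sdn_switch_forward(pkt)
        fw_sdn, second = flow_port_strip_vlan(first)
        fw_l3, third = software_vtep_forward(pkt)
        results[vni] = dict(vlan=vlan, firewall_sdn=fw_sdn, firewall_l3=fw_l3,
                            next_hop=l3_switch_forward(pkt),
                            sdn_restores_frame=(second == inner), l3_restores_frame=(third == inner))
    return results

if __name__ == "__main__":
    for vni, r in demo().items():
        print(vni, r)
```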
In one embodiment, the apparatus further comprises:
the internet traffic processing module is used for acquiring an object message of any tenant system for accessing the public network; according to tenant identification carried by the object message, the object message is sent to first safety protection equipment in the safety protection pool, so that the first safety protection equipment sends the object message to the public network through an outlet router connected with a WAN port of the first safety protection equipment.
The more specific working process of each module and unit in this embodiment may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
It can be seen that this embodiment provides a data processing apparatus, which can solve the problem of intranet IP conflict between different tenant systems, and at the same time enable the security protection pool to capture traffic between different tenant systems.
a data processing system according to an embodiment of the present application is described below, and a data processing system described below and a data processing method described above may be referred to with each other.
The embodiment of the application discloses a data processing system, which comprises: network transfer equipment, a safety protection pool and at least two tenant systems; the network transfer equipment is respectively connected with the safety protection pool and each tenant system; the safety protection pool is provided with safety protection equipment corresponding to each tenant system; the network transit device is configured to implement the method described in any of the foregoing embodiments.
In one embodiment, a network transit device is connected to each tenant system through a border router. Reference is made in particular to fig. 3 or fig. 5.
The following describes an electronic device provided in an embodiment of the present application, and the electronic device described below and the data processing method and apparatus described above may be referred to each other.
Referring to fig. 7, an embodiment of the present application discloses an electronic device, including:
a memory 701 for storing a computer program;
a processor 702 for executing the computer program to implement the method disclosed in any of the embodiments above.
Referring to fig. 8, fig. 8 is a schematic diagram of another electronic device provided in this embodiment, where the electronic device may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 322 (e.g., one or more processors) and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing application programs 342 or data 344. Wherein the memory 332 and the storage medium 330 may be transitory or persistent. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations in the data processing apparatus. Still further, the central processor 322 may be configured to communicate with the storage medium 330 and execute a series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In fig. 8, an application 342 may be a program that performs a data processing method, and data 344 may be data required or generated to perform the data processing method.
The steps in the data processing method described above may be implemented by the structure of the electronic device.
The following describes a readable storage medium according to an embodiment of the present application, and the readable storage medium and the data processing method, apparatus and device described above may be referred to with each other.
A readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the data processing method disclosed in the foregoing embodiments. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
The references to "first," "second," "third," "fourth," etc. (if present) are used to distinguish similar objects from each other and are not necessarily used to describe a particular order or sequence. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, or apparatus.
It should be noted that the description of "first", "second", etc. in this disclosure is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implying an indication of the number of technical features being indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present application.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principles and embodiments of the present application have been described herein with reference to specific examples, the description of which is intended only to assist in understanding the methods of the present application and the core ideas thereof; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. The data processing method is characterized by being applied to network transfer equipment, wherein the network transfer equipment is connected with a safety protection pool and at least two tenant systems, the safety protection pool is provided with the safety protection equipment corresponding to each tenant system, and the data processing method comprises the following steps:
acquiring a target message of a first tenant system accessing a second tenant system;
according to tenant identification carried by the target message, the target message is sent to first safety protection equipment in the safety protection pool, so that the first safety protection equipment sends the target message to the second tenant system through second safety protection equipment in the safety protection pool;
the first safety protection device corresponds to the first tenant system, and the second safety protection device corresponds to the second tenant system.
2. A data processing method according to claim 1, wherein,
the network transfer equipment is SDN switching equipment, the target message is a vxlan message, and the tenant identifier is a vxlan identifier;
correspondingly, the obtaining the target message of the first tenant system for accessing the second tenant system includes:
the target message is obtained by utilizing a vxlan transfer station in the SDN switching device;
correspondingly, the sending the target message to the first safety protection device in the safety protection pool according to the tenant identifier carried by the target message includes:
extracting the vxlan identifier from the vxlan message;
determining a vlan identifier corresponding to the vxlan identifier;
deleting the vxlan identifier in the vxlan message, and adding the vlan identifier to the deleted message to obtain a first message;
and sending the first message to a flow port of the safety protection pool through a vlan channel corresponding to the vlan identifier, deleting the vlan identifier in the first message at the flow port to obtain a second message, and sending the second message to the first safety protection device.
3. The data processing method according to claim 2, wherein the determining a vlan identifier corresponding to the vxlan identifier includes:
determining the vlan identifier by querying a mapping table of the vxlan identifier and the vlan identifier.
4. A data processing method according to claim 1, wherein,
the network transfer equipment is three-layer switching equipment without SDN function, the target message is a vxlan message, and the tenant identifier is a vxlan identifier;
correspondingly, the sending the target message to the first safety protection device in the safety protection pool according to the tenant identifier carried by the target message includes:
and sending the vxlan message to a vxlan transfer station in the safety protection pool according to a routing forwarding table, so that the vxlan transfer station deletes the vxlan identifier in the vxlan message to obtain a third message, and sending the third message to the first safety protection device.
5. The data processing method according to any one of claims 1 to 4, characterized by further comprising:
acquiring an object message of any tenant system accessing a public network;
according to the tenant identification carried by the object message, the object message is sent to first safety protection equipment in the safety protection pool, so that the first safety protection equipment sends the object message to the public network through an outlet router connected with a WAN port of the first safety protection equipment.
6. The data processing device is characterized by being applied to network transfer equipment, wherein the network transfer equipment is connected with a safety protection pool and at least two tenant systems, the safety protection pool is provided with safety protection equipment corresponding to each tenant system, and the data processing device comprises:
the acquisition module is used for acquiring a target message of the first tenant system for accessing the second tenant system;
the forwarding module is used for sending the target message to first safety protection equipment in the safety protection pool according to the tenant identification carried by the target message, so that the first safety protection equipment sends the target message to the second tenant system through second safety protection equipment in the safety protection pool; the first safety protection device corresponds to the first tenant system, and the second safety protection device corresponds to the second tenant system.
7. A data processing system, comprising: network transfer equipment, a safety protection pool and at least two tenant systems;
the network transfer equipment is respectively connected with the safety protection pool and each tenant system; safety protection equipment corresponding to each tenant system is arranged in the safety protection pool;
the network transit device is configured to implement the method of any one of claims 1 to 5.
8. The data processing system of claim 7, wherein the network transit device is connected to each tenant system through a border router.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the data processing method according to any one of claims 1 to 5.
10. A readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the data processing method according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210552408.4A CN114944952B (en) 2022-05-20 2022-05-20 Data processing method, device, system, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114944952A CN114944952A (en) 2022-08-26
CN114944952B true CN114944952B (en) 2023-11-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant