JP2014175938A - Communication system, communication method, control device, control device control method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a communication system enhancing the safety of a resource sharing network.SOLUTION: The communication system includes: a plurality of communication nodes divided into groups; a switch for connecting the plurality of communication nodes and for processing a packet according to a processing rule to process the packet; and a control device for setting the processing rule to the switch. The control device sets to the switch a processing rule to transfer a broadcast packet, which is transmitted from a communication node to a plurality of other communication nodes subordinate to the same group, whereas the control device does not set to the switch a processing rule to transfer a broadcast packet to a communication node subordinate to a group different from the transmission source communication node of the broadcast packet.

Description

  The present invention relates to a communication system, a communication method, a control device, a control method for the control device, and a program. In particular, the present invention relates to a communication system, a communication method, a control device, a control method for the control device, and a program for centrally controlling switches arranged in a network.

  In recent years, a technique called OpenFlow has been proposed (see Non-Patent Documents 1 and 2). OpenFlow captures communication as an end-to-end flow and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. The OpenFlow switch specified in Non-Patent Document 2 includes a secure channel for communication with the OpenFlow controller, and operates according to a flow table that is appropriately added or rewritten from the OpenFlow controller. In the flow table, for each flow, a set of a match condition (Match Fields) to be matched with a packet header, flow statistical information (Counters), and an instruction (Instructions) defining processing contents is defined (non-patented). (Refer to the section “4.1 Flow Table” in Document 2).

  For example, when the OpenFlow switch receives a packet, the OpenFlow switch searches the flow table for an entry having a matching condition (see “4.3 Match Fields” in Non-Patent Document 2) that matches the header information of the received packet. If an entry that matches the received packet is found as a result of the search, the OpenFlow switch updates the flow statistical information (counter) and processes the processing (designated) in the instruction field of the entry for the received packet. Perform packet transmission, flooding, discard, etc. from the port. On the other hand, if no entry matching the received packet is found as a result of the search, the OpenFlow switch sends an entry setting request to the OpenFlow controller via the secure channel, that is, a control for processing the received packet. An information transmission request (Packet-In message) is transmitted. The OpenFlow switch receives a flow entry whose processing content is defined and updates the flow table. As described above, the OpenFlow switch performs packet transfer using the entry stored in the flow table as control information.

  Furthermore, the use of cloud computing in which a plurality of users share hardware and applications is progressing. In cloud computing, resources in a data center constructed by a plurality of servers and routers are often divided into a plurality of tenants and used. In such a data center, each tenant uses the same physical resource, but provides an independent network to the user for each tenant.

  Patent Document 1 discloses a PAN server that manages a specific communication path between terminals in a LAN (Local Area Network). This PAN server sets the communication path of each terminal device as label information, and causes each switch and terminal to set the generated label information. When there is information indicating PAN communication in a frame of data from a certain port of each connected switch, each connected switch outputs the information to the port specified by the route label information described in the frame.

JP 2005-073230 A

Nick McKeown and seven others, "OpenFlow: Enabling Innovation in Campus Networks", [online], [searched February 1, 2013], Internet <URL: http://www.openflowswitch.org//documents/openflow- wp-latest.pdf> "OpenFlow Switch Specification" Version 1.1.0. (Wire Protocol 0x02) [Search February 1, 2013], Internet <URL: http://www.openflowswitch.org/documents/openflow-spec-v1.1.0. pdf>

  Each disclosure of the above prior art document is incorporated herein by reference. The following analysis was made by the present inventors.

  The broadcast packet is a packet transmitted toward communication nodes belonging to the same domain. In other words, the broadcast packet reaches all communication nodes belonging to the same domain unless physically partitioned by a router, an L3 switch (layer 3 switch), or the like. That is, in a situation where a plurality of users share resources in the data center as in cloud computing, the broadcast packet reaches a communication node (resource) assigned to another tenant. More specifically, when a broadcast packet is transmitted in a network constructed for a specific tenant, it is difficult to prevent the broadcast packet from being transferred to a network constructed for another tenant. Yes (it is difficult to ensure network independence for each tenant). However, since each tenant is a separate and independent entity, transferring a packet to a network for another tenant can be a security threat.

  An object of the present invention is to provide a communication system, a communication method, a control device, a control method for a control device, and a program that contribute to improving the security of the network in which resources are shared.

  According to a first aspect of the present invention, a plurality of communication nodes grouped, a switch that connects the plurality of communication nodes, and processes a packet according to a processing rule for processing the packet, and the switch A control device for setting a processing rule, wherein the control device forwards a broadcast packet transmitted to another plurality of communication nodes belonging to the same group to the plurality of other communication nodes. The processing rule is set in the switch, and the processing rule for transferring the broadcast packet to a communication node belonging to a group different from the communication node that is the transmission source of the broadcast packet is not set in the switch. Is provided.

According to a second aspect of the present invention, the communication includes a plurality of communication nodes grouped, and a switch that connects the plurality of communication nodes and processes a packet according to a processing rule for processing the packet. A communication method for a system, the step of transmitting a broadcast packet to a plurality of other communication nodes belonging to the same group, and a processing rule for transferring the broadcast packet to the plurality of other communication nodes. And setting the switch.
The method is associated with a specific machine such as a communication node and a switch.

  According to a third aspect of the present invention, there is provided a control device that sets a processing rule for processing a packet in a switch that connects a plurality of grouped communication nodes, the communication nodes being in the same group. A processing rule for transferring a broadcast packet to be transmitted to a plurality of other communication nodes belonging to the plurality of other communication nodes is set in the switch, and the broadcast packet is transmitted to the transmission source of the broadcast packet. A control device is provided that does not set a processing rule for transferring to a communication node belonging to a group different from the node in the switch.

According to a fourth aspect of the present invention, there is provided a control method for a control device that sets processing rules for processing a packet in a plurality of switches that connect a plurality of grouped communication nodes. A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and belongs to the same group as the first communication node. When transmitting a broadcast packet to two communication nodes, the management information indicating the correspondence between the group and the communication node belonging to the group, and the topology of the network composed of the connections between the plurality of switches and the plurality of communication nodes Based on the first and second switches, and first for forwarding the broadcast packet to the second switch. A process rule is set in the first switch, and a second process rule for sending the broadcast packet from a port connected to the second communication node is set in the second switch. And a method for controlling the control device.
The method is associated with a specific machine called a control device that controls a switch that processes a packet.

According to a fifth aspect of the present invention, there is provided a program that is executed by a computer that controls a control device that sets a processing rule for processing a packet in a plurality of switches that connect a plurality of grouped communication nodes. A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is the same as the first communication node; When transmitting a broadcast packet to the second communication node belonging to the group, management information indicating correspondence between the group and the communication node belonging to the group, and connections between the plurality of switches and the plurality of communication nodes A process for identifying the first and second switches based on the topology of the network
A process for setting the first processing rule for transferring the broadcast packet to the second switch in the first switch, and the broadcast packet is transmitted from a port connected to the second communication node. And a process for setting a second processing rule for the second switch to the second switch.
This program can be recorded on a computer-readable storage medium. The storage medium can be non-transient such as a semiconductor memory, a hard disk, a magnetic recording medium, an optical recording medium, or the like. The present invention can also be embodied as a computer program product.

  According to each aspect of the present invention, a communication system, a communication method, a control device, a control method for a control device, and a program for improving the security of the network in a network sharing resources are provided.

It is a figure for demonstrating the outline | summary of one Embodiment. It is a figure which shows an example of the communication system which concerns on 1st Embodiment. 2 is a diagram illustrating an example of an internal configuration of a switch 10. FIG. 4 is a diagram illustrating an example of processing rules set in a switch 10. FIG. It is a figure of an example of the processing content which can be set to an instruction field, and its content. 3 is a diagram illustrating an example of an internal configuration of a control device 20. FIG. It is a figure which shows an example of the entry of topology DB22. It is a figure which shows an example of the entry of packet transfer path | route DB25. It is a figure which shows an example of the entry of resource information DB31. 4 is a flowchart showing an example of the operation of the switch 10. 3 is a flowchart showing an example of the operation of the control device 20. 3 is a flowchart showing an example of the operation of the control device 20. 3 is a flowchart showing an example of the operation of the control device 20. 3 is a flowchart showing an example of the operation of the control device 20. 3 is a flowchart showing an example of the operation of the control device 20. 3 is a flowchart showing an example of the operation of the control device 20. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 1st Embodiment. It is a figure which shows an example of the communication system which concerns on 2nd Embodiment. It is a figure which shows an example of an internal structure of the control apparatus 20a. 3 is a diagram illustrating an example of an internal configuration of a management device 40. FIG. It is a figure which shows an example of the entry of resource DB43. It is a figure which shows an example of the entry of allocation resource DB45. It is a figure which shows an example of the entry of tenant resource DB47. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. It is a flowchart which shows an example of operation | movement of the broadcast range determination part 28a. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. It is a flowchart which shows an example of operation | movement of the control apparatus 20a. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. 4 is a flowchart showing an example of the operation of the management device 40. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a sequence diagram which shows an example of operation | movement of the communication system which concerns on 2nd Embodiment. It is a figure which shows an example of a structure of a communication system.

  First, an outline of an embodiment will be described with reference to FIG. Note that the reference numerals of the drawings attached to the outline are attached to the respective elements for convenience as an example for facilitating understanding, and the description of the outline is not intended to be any limitation.

  As described above, in a network that shares resources, there may be a problem with the security of the network. Therefore, a communication system that improves the security of a network that shares resources is desired.

  Therefore, the communication system shown in FIG. 1 is provided as an example. The communication system connects a plurality of communication nodes 101-1 to 101-4 and a plurality of communication nodes 101-1 to 101-4, and processes the packets according to a processing rule for processing the packets. The switch 102 and a control device 103 that sets a processing rule for the switch 102 are included. The control device 103 sets a processing rule for transferring a broadcast packet to be transmitted to a plurality of other communication nodes belonging to the same group to the other plurality of communication nodes in the switch 102, and broadcasts. A processing rule for transferring a packet to a communication node belonging to a group different from the communication node that is the transmission source of the broadcast packet is not set in the switch 102.

  For example, when the communication nodes 101-1 to 101-3 belong to the same group and the communication node 101-1 transmits a broadcast packet, the control device 103 sends the broadcast packet to the switch 102. -2 and 101-3 are set as processing rules. More specifically, the control device 103 sets a processing rule for sending a broadcast packet from the ports connected to the communication nodes 101-2 and 101-2 to the switch 102. On the other hand, the control device 103 does not set the processing rule for sending the broadcast packet from the port connected to the communication node 101-4 to the switch 102. This is because the communication node 101-4 belongs to a different group from the communication node 101-1. As a result, broadcast packets are transferred only to communication nodes belonging to the same group, and the security of the network is improved.

  Hereinafter, specific embodiments will be described in more detail with reference to the drawings.

[First Embodiment]
The first embodiment will be described in more detail with reference to the drawings.

  FIG. 2 is a diagram illustrating an example of a communication system according to the first embodiment. Referring to FIG. 2, switches 10-1 to 10-3 for realizing connection between networks, a control device 20 for controlling a network including the switches 10-1 to 10-3, and a switch 10-1. A configuration including communication nodes 30-1 and 30-2, a communication node 30-3 connected to the switch 10-2, and communication nodes 30-4 and 30-5 connected to the switch 10-3 is shown. Has been. For example, the control device 20 corresponds to an open flow controller, and the switches 10-1 to 10-3 correspond to open flow switches. The control device 20 and the switches 10-1 to 10-3 are each connected by a secure channel.

  The control device 20 controls the operation or stop of the communication nodes 30-1 to 30-5. More specifically, the control device 20 operates or stops each communication node by transmitting a control message to the communication nodes 30-1 to 30-5. In the following description, the switches 10-1 to 10-3 are referred to as “switch 10” when it is not necessary to distinguish them. Similarly, the communication nodes 30-1 to 30-5 are expressed as “communication node 30” when it is not necessary to distinguish them. The communication system shown in FIG. 2 is an example, and the number of switches and communication nodes and their connection are not limited to the configuration shown in FIG. For example, although a plurality of switches 10-1 to 10-3 are illustrated in FIG. 2, the number of switches that connect the communication nodes 30-1 to 30-5 may be one.

  In the communication system shown in FIG. 2, for example, the communication nodes 30-1 to 30-3 are allocated to the tenant A, and the communication nodes 30-4 and 30-5 are allocated to another tenant B and operated. Thus, the plurality of communication nodes 30-1 to 30-5 included in the communication system are divided into a plurality of groups and assigned to each tenant. However, the communication nodes 30 allocated to each tenant are not fixed, and the communication nodes 30 that can be used by each tenant vary. For example, in a certain period T1, communication nodes 30-1 to 30-3 are allocated to tenant A, and communication nodes 30-4 and 30-5 are allocated to tenant B, respectively. However, in another period T2, the communication nodes 30-1 and 30-2 are allocated to the tenant A, and the communication nodes 30-3 to 30-5 are allocated to the tenant B, respectively. In such a case, tenants A and B share the communication node 30-3. As described above, the communication system according to the present embodiment increases the degree of utilization of resources (communication nodes 30) by constructing a flow-based network and appropriately switching the resources allocated to each tenant.

  Next, the operation when the communication node 30 transmits a broadcast packet in the communication system shown in FIG. 2 will be outlined.

  When the communication node 30 transmits a broadcast packet, the broadcast packet needs to be transferred only to a communication node belonging to the same tenant as the communication node 30 that transmitted the broadcast packet. For example, in the above-described period T1, the broadcast packet transmitted by the communication node 30-1 belonging to the tenant A needs to be transferred to the communication nodes 30-2 and 30-3, but the communication node belonging to another tenant B It is not transferred to 30-4 and 30-5.

  On the other hand, in the above-described period T2, the broadcast packet transmitted by the communication node 30-1 belonging to the tenant A needs to be transferred to the communication node 30-2, but the communication node 30-3 belonging to another tenant B is required. It is not transferred to 30-5. The control device 20 manages the allocation status of the communication node 30 to each tenant and the operating state (operating state or stopped state) of the communication node 30 allocated to the tenant as resource management information. Based on this resource management information, the control device 20 appropriately sets a processing rule in the switch 10 to transfer the broadcast packet to an appropriate communication node 30.

  The communication node 30 is a computer such as a server. However, the communication node 30 is not limited to a server, and may be a firewall, a load balancer, an encryption device, or the like. Further, the communication node 30 is not limited to a physical machine, and may be a virtual machine, and a physical machine and a virtual machine may be mixed in the communication system.

  The communication node 30 receives the control message from the control device 20 and switches the operation mode. For example, when the control device 20 instructs the transition from the stopped state to the operating state, the communication node 30 executes a start process (boot process). When the control device 20 instructs the transition from the operating state to the stopped state, the communication node 30 executes a termination process (shutdown process). Alternatively, the communication node 30 may start (start the job) or end (end the job) a service provided to the tenant instead of the start process and the end process.

  FIG. 3 is a diagram illustrating an example of the internal configuration of the switch 10. The switch 10 includes a communication unit 11, a table management unit 12, a table database (table DB) 13, and a transfer processing unit 14.

  The communication unit 11 is means for realizing communication with the control device 20 that sets a processing rule (flow entry) in the switch 10. In the present embodiment, the communication unit 11 communicates with the control device 20 using the OpenFlow protocol of Non-Patent Document 2. However, the communication protocol between the communication unit 11 and the control device 20 is not limited to the open flow protocol.

  The table management unit 12 is means for managing the flow table held in the table DB 13. More specifically, the table management unit 12 registers the processing rule instructed by the control device 20 in the table DB 13, and when notified from the transfer processing unit 14 that a new packet has been received, Require rules to be set.

  The table DB 13 is configured by a database that can store one or more flow tables to be referred to when the transfer processing unit 14 processes received packets.

  The transfer processing unit 14 includes a table search unit 141 and an action execution unit 142. The table search unit 141 is a means for searching for an entry having a match field that matches the received packet from the flow table stored in the table DB 13. The action execution unit 142 is a unit that performs packet processing according to the processing content indicated in the instruction field of the entry searched by the table search unit 141.

  If no entry having a match field that matches the received packet is found, the transfer processing unit 14 notifies the table management unit 12 to that effect. Further, the transfer processing unit 14 updates the statistical information registered in the table DB 13 according to the packet processing.

  FIG. 4 is a diagram illustrating an example of processing rules set in the switch 10. Referring to FIG. 4, a match field (Match Field) that stores a rule that matches a packet header of a received packet, a flow statistics information field (Counters) that stores statistical information such as a packet that conforms to the rule, and a rule that matches An entry (processing rule) in which an instruction field (Instructions) for storing processing contents (Action) to be applied to a packet to be associated is shown is shown. The match field includes a plurality of columns for storing rules relating to input ports, transmission source MAC addresses, and the like. Further, as a rule for matching with the packet header of the received packet, a wild card may be set in the condition of the match field.

  FIG. 5 is a diagram of processing contents that can be set in the instruction field and an example of the contents. Referring to FIG. 5, for example, OUTPUT is an action for outputting a received packet to a designated port (interface). Also, SET_VLAN_VID to SET_TP_DST are actions for correcting the field of the packet header. By combining these, the switch 10 can output the packet from the designated port after rewriting the VLAN ID of the packet transmitted from a certain source to the destination, for example.

  FIG. 6 is a diagram illustrating an example of the internal configuration of the control device 20. The control device 20 includes a topology management unit 21, a topology database (topology DB) 22, a control message processing unit 23, a route / action calculation unit 24, a packet transfer route database (packet transfer route DB) 25, and a processing rule. Node communication for communicating with the management unit 26, the processing rule database (processing rule DB) 27, the broadcast range determining unit 28, the configuration change processing unit 29, the resource information database (resource information DB) 31, and the switch 10. And the unit 32.

  The topology management unit 21 connects the connection information of the switch 10 to be controlled by the control device 20 (information regarding the connection between the switch 10 and the communication node 30 and the connection between the switches 10 via the control message processing unit 23 and the node communication unit 32. Information) and manage the network topology. The topology management unit 21 may request the switch 10 to provide connection information and manage the topology of the network based on information obtained from the response, or the communication system administrator may control the topology in advance. You may input into the apparatus 20. FIG.

  The topology DB 22 is a database that stores the network topology. Since the topology of the network to be controlled by the control device 20 is composed of the connection between the switches 10 and the connection between the switch 10 and the communication node 30, the topology DB 22 stores information regarding these connections.

  FIG. 7 is a diagram illustrating an example of entries in the topology DB 22. FIG. 7A shows an entry related to the connection between the switches 10. Referring to FIG. 7A, the connection between the switches 10 is defined by a set of DPID (DataPath ID) for identifying each switch 10 and a port number corresponding to the DPID.

  FIG. 7B shows an entry related to the connection between the switch 10 and the communication node 30. Referring to FIG. 7B, the switch 10 and the communication node are associated with each other by associating the DPID of the switch 10 and its port number with the MAC address of the NIC (Network Interface Card) included in the communication node 30 connected to the port. 30 connections are defined. In the following description, when a MAC address of a communication device (for example, the switch 10 or the communication node 30) is described, it means a MAC address of a NIC included in the communication device.

  The control message processing unit 23 analyzes the message received from the switch 10 and delivers it to the corresponding processing means in the control device 20.

  The route / action calculation unit 24 calculates a packet transfer route for each flow based on the network topology stored in the topology DB 22. The route / action calculation unit 24 registers the calculated packet transfer route in the packet transfer route DB 25. The route / action calculation unit 24 calculates a packet transfer route when the switch 10 is requested to set a processing rule.

  Further, the route / action calculation unit 24 is designated by the broadcast range determination unit 28 as the range (switch 10 and its connection port) for transferring the broadcast packet, and receives an instruction to calculate the packet transfer route for broadcast. The route / action calculation unit 24 registers the packet transfer route for broadcast calculated in accordance with the instruction in the packet transfer route DB 25. In the following description, a broadcast packet transfer path is referred to as a broadcast path. Further, a unicast packet transfer path is referred to as a unicast path. The route / action calculation unit 24 calculates a unicast route and a broadcast route, and registers each packet transfer route in the packet transfer route DB 25 using a different format.

  FIG. 8 is a diagram illustrating an example of entries in the packet transfer path DB 25. FIG. 8A is an example of an entry related to a unicast route. An entry related to a unicast route is composed of an IN information field, an OUT information field, and a link information field. The IN information field stores a port where a packet is first input. The OUT information field stores the port that outputs the packet last. The link information field stores information about the link that passes through.

  FIG. 8B is an example of an entry related to a broadcast route. The entry related to the broadcast path is composed of a tenant ID field that stores a tenant ID for identifying a tenant and a rule part field that stores information corresponding to a matching rule of a processing rule that realizes the broadcast path. The rule field is prepared for each switch 10 that realizes a broadcast route. For example, in FIG. 2, if the broadcast path is switch 10-1 (start point), switch 10-2, switch 10-3 (end point), matching of processing rules set in switch 10-1 and switch 10-2. The rule is stored in the rule part field. More specifically, the MAC address of the communication node 30 that has transmitted the broadcast packet and the broadcast address are stored in the rule part field.

  The processing rule management unit 26 manages processing rules set in the switch 10. The processing rule management unit 26 generates a processing rule to be set in the switch 10 based on the packet transfer route calculated by the route / action calculation unit 24 and registers the generated processing rule in the processing rule DB 27. In addition, the processing rule management unit 26 generates a processing rule to be set in the switch 10 based on an instruction from the broadcast range determination unit 28 and registers the generated processing rule in the processing rule DB 27. Alternatively, the processing rule management unit 26 deletes the processing rule set for the switch 10 based on an instruction from the broadcast range determination unit 28. Further, the processing rule management unit 26 sets the calculated processing rule in the switch 10 via the control message processing unit 23 and the node communication unit 32.

  More specifically, the processing rule management unit 26 generates a processing rule for transferring a unicast packet between communication nodes based on the unicast route calculated by the route / action calculation unit 24 and sets the processing rule in the switch 10. To do. Further, the processing rule management unit 26 generates a processing rule for transferring the broadcast packet to the communication node 30 belonging to the tenant based on the broadcast route calculated by the route / action calculation unit 24 and sets the processing rule in the switch 10.

  There are two processing rules having different properties as processing rules for realizing the packet transfer path. The first processing rule is a processing rule for transferring a packet from one switch 10 to another switch 10. The second processing rule is a processing rule for sending a packet from a port connected to the communication node 30 that receives the packet. Note that the processing rules for realizing the broadcast path are expressed as a broadcast transfer rule, a processing rule corresponding to the first processing rule, and a packet out rule as a processing rule corresponding to the second processing rule. Give an explanation.

  The broadcast range determination unit 28 is a means for determining the switch 10 to which a broadcast packet transmitted by the communication node 30 belonging to the tenant and its connection port are to be transferred based on the resource management information and topology information stored in the resource information DB 31. . The broadcast range determination unit 28 designates the determined switch 10 and its connection port, and instructs the route / action calculation unit 24 to calculate a broadcast route. Alternatively, the broadcast range determination unit 28 instructs the processing rule management unit 26 to generate a packet-out rule and set or delete the packet-out rule.

  The configuration change processing unit 29 recognizes a change in the topology of the network provided to the tenant based on the resource management information stored in the resource information DB 31. Further, the configuration change processing unit 29 reflects the recognized topology change in the topology DB 22. For example, when the resource management information is rewritten and the communication node 30 assigned to the tenant is deleted, this is equivalent to the disappearance of the communication node 30 from the network, so the disappearance of the communication node 30 is reflected in the topology DB 22. To do.

  Further, the configuration change processing unit 29 switches the operation mode of the communication node 30 based on the resource management information stored in the resource information DB 31. For example, when the resource management information indicates that the communication node 30-1 is stopped, the configuration change processing unit 29 sends a control message to the communication node 30-1 via the control message processing unit 23 and the node communication unit 32. By transmitting, the communication node 30-1 is stopped.

  The resource information DB 31 stores resource management information. FIG. 9 is a diagram illustrating an example of entries in the resource information DB 31. The entry of the resource information DB 31 includes a resource ID field for uniquely identifying the communication node 30, a resource type field indicating the type of the communication node 30 (for example, server, virtual machine, firewall, load balancer, encryption device, etc.), A state management flag indicating the operating state (operating state / stopped state) of the communication node 30, a group ID field for identifying a group to which the communication node 30 belongs, a resource attribute field for storing other attribute values related to the communication node 30, (See FIG. 9A). In the group ID, a value indicating a group to which the communication node 30 belongs and a value indicating that the communication node 30 does not belong to any group can be stored. Thus, the resource management information indicates at least the correspondence between the group and the communication node 30 belonging to the group. Alternatively, the resource management information is information indicating an ID for identifying each group (tenant), an ID for identifying a resource (communication node 30) belonging to each group, and an operation state of the resource (communication node) belonging to each group.

  FIG. 9B is an example of resource management information of the communication system shown in FIG. Referring to FIG. 9B, it can be seen that the communication nodes 30-1 to 30-3 belong to the tenant A, and these communication nodes 30 are in an operating state. Further, it can be seen that the communication nodes 30-4 and 30-5 belong to the tenant B, the communication node 30-4 is in an operating state, and the communication node 30-5 is in a stopped state.

  The resource management information can be rewritten from outside the control device 20. For example, the communication node 30 assigned to each tenant and its operation state are managed by rewriting the resource management information by the communication system administrator (data center administrator) using a terminal or the like not shown in FIG.

  Each unit (processing means) of the switch 10 and the control device 20 shown in FIGS. 3 and 6 is executed by a computer program that causes a computer constituting these devices to execute each process described later using the hardware. It can also be realized.

  Next, operations of the switch 10 and the control device 20 will be described.

  FIG. 10 is a flowchart illustrating an example of the operation of the switch 10. FIG. 10 shows an operation example when the switch 10 receives a packet.

  The transfer processing unit 14 of the switch 10 compares the processing rule match field stored in the table DB 13 with the packet header of the received packet, and searches for a processing rule that matches the packet header of the received packet. (Steps S101 and S102).

  When there is a processing rule having a match field that matches the packet header of the received packet (step S102, Yes branch), the transfer processing unit 14 performs processing specified in the instruction field of the processing rule searched in step S101. (Action) is executed on the received packet (step S103).

  On the other hand, when there is no processing rule having a match field that matches the packet header of the received packet (step S102, No branch), the received packet is transferred to the control device 20 (step S104). Although not shown in the flowchart of FIG. 10, the switch 10 adds (ADD) or deletes (DEL) a flow entry stored in the table DB 13 by receiving a FlowMod message from the control device 20.

  FIG. 11 is a flowchart illustrating an example of the operation of the control device 20. FIG. 11 shows an operation example of the control device 20 when a packet is sent from the switch 10.

  When receiving the packet transmitted by the switch 10, the control message processing unit 23 determines whether or not the packet is a broadcast packet (step S201).

  If it is not a broadcast packet (step S201, No branch), the process which concerns on step S202-S206 is performed. On the other hand, if it is a broadcast packet (step S201, Yes branch), the processing according to steps S207 to S213 is executed.

  In step S202, the route / action calculation unit 24 calculates the source and destination communication nodes 30 from the packet header, and calculates the packet transfer route (unicast route) using the network topology stored in the topology DB 22. To do. Thereafter, the route / action calculation unit 24 registers the unicast route calculated in the previous step in the packet transfer route DB 25 (step S203).

  In step S204, the processing rule management unit 26 generates a processing rule (flow entry) that realizes the unicast route calculated by the route / action calculation unit 24. Thereafter, the processing rule management unit 26 registers the generated processing rule in the processing rule DB 27 and sets the processing rule in the corresponding switch 10 via the control message processing unit 23 and the node communication unit 32 (step S205). .

  In step S206, the processing rule management unit 26 instructs the switch 10 closest to the destination communication node 30 to send the packet to the destination communication node 30 (instructs packet out), and sends the packet to the destination communication node 30. Transmit to the communication node 30.

  In step S207, the broadcast range determination unit 28 determines the switch 10 to which the received broadcast packet is to be transferred and its connection port (determines the broadcast range). More specifically, the broadcast range determination unit 28 determines the switch 10 to which the communication node 30 belonging to the same group as the communication node 30 that transmitted the broadcast packet is connected and its connection port. At that time, the broadcast range determination unit 28 searches the resource information DB 31 and acquires a communication node group belonging to the same group as the communication node 30 that is the transmission source of the broadcast packet.

  For example, when the resource management information as shown in FIG. 9B is registered in the resource information DB 31, if the communication node 30-1 transmits a broadcast packet, the communication nodes 30-2 and 30-3 It can be acquired as a communication node belonging to the same group. Thereafter, the broadcast range determining unit 28 refers to the network topology stored in the topology DB 22 to determine the switch 10 to which the acquired communication node group is connected and its connection port. In the above example, the switches 10-1 and 10-2 are determined as the switch 10 to which the acquired communication node group is connected. The broadcast range determination unit 28 designates the determined switch 10 and its connection port, and instructs the route / action calculation unit 24 to calculate a packet transfer route.

  In step S208, the route / action calculation unit 24 calculates a broadcast route. More specifically, the route / action calculation unit 24 calculates a broadcast route between the switch 10 that first received the broadcast packet and the switch 10 determined in the previous step (step S208).

  Thereafter, the route / action calculation unit 24 registers the broadcast route calculated in the previous step in the packet transfer route DB 25 (step S209). More specifically, the tenant ID of the tenant including the transmission source communication node 30 is stored in the tenant ID field, and the MAC address and broadcast address of the transmission source communication node 30 are stored in the rule part field.

  In steps S <b> 210 and S <b> 11, the processing rule management unit 26 generates a processing rule that realizes the broadcast route calculated by the route / action calculation unit 24. More specifically, in step S210, the processing rule management unit 26 generates a broadcast transfer rule. In step S211, the processing rule management unit 26 generates a packet-out rule.

  Thereafter, the processing rule management unit 26 registers the processing rules generated in steps S210 and S211 in the processing rule DB 27 and sets the processing rules in the corresponding switch 10 via the control message processing unit 23 and the node communication unit 32. (Step S212). For example, when the resource management information shown in FIG. 9B is registered, if the communication node 30-1 transmits a broadcast packet, the broadcast packet is transmitted from the switch 10-1 to the switch 10-2 as a broadcast transfer rule. Is generated and set in the switch 10-1.

  Also, as a packet out rule, a processing rule (packet out rule) for sending a broadcast packet from a port of the switch 10-1 that is connected to the communication node 30-2 is generated and set in the switch 10-1. Is done. Similarly, a processing rule (packet-out rule) for sending a broadcast packet from a port connected to the communication node 30-3 is set for the switch 10-2.

  In step S213, the processing rule management unit 26 returns the received packet to the switch 10 that has transmitted the packet. Note that various route search methods such as the Dijkstra method can be used for calculating the packet transfer routes (unicast route and broadcast route) in steps S202 and S208.

  FIG. 12 is a flowchart illustrating an example of the operation of the control device 20. FIG. 12 shows an operation example when the control device 20 is notified of the operation of the communication node 30 belonging to the tenant (group) by rewriting the resource management information.

  When the group and the operating communication node 30 are specified and the operation of the communication node 30 is notified, the broadcast range determination unit 28 determines whether or not a broadcast path exists in the specified tenant (step S221). . More specifically, the broadcast range determination unit 28 searches the packet transfer path DB 25 and confirms the existence of the broadcast path based on the presence / absence of an entry whose broadcast address is stored in the rule part field.

  If there is no broadcast path (step S221, No branch), the process is terminated. On the other hand, if a broadcast path exists (step S221, Yes branch), the broadcast range determination unit 28 searches the topology DB 22 to identify the switch 10 to which the designated communication node 30 is connected (step S222). . The broadcast range determination unit 28 designates the identified switch 10 and instructs the processing rule management unit 26 to generate a packet-out rule (processing rule).

  Next, the processing rule management unit 26 generates a packet-out rule to be set in the switch 10 designated in the previous step (step S223). As confirmed in step S221, the designated tenant already has a broadcast route. That is, the broadcast transfer rule is already set in the switch 10. Therefore, it is sufficient to generate a packet-out rule for the switch 10. Thereafter, the processing rule management unit 26 registers the processing rule generated in the previous step in the processing rule DB 27 and sets the processing rule in the corresponding switch 10 via the control message processing unit 23 and the node communication unit 32 ( Step S224).

  FIG. 13 is a flowchart illustrating an example of the operation of the control device 20. FIG. 13 shows an operation example when the control device 20 is notified of the addition of the communication node 30 to the tenant by rewriting the resource management information.

  When the group and the communication node are specified and the addition of the communication node 30 is notified, the broadcast range determination unit 28 determines whether or not a broadcast path exists in the specified tenant (step S231).

  If there is no broadcast route (step S231, No branch), the process is terminated. On the other hand, if a broadcast route exists (step S231, Yes branch), the broadcast range determination unit 28 searches the topology DB 22 to identify the switch 10 to which the designated communication node 30 is connected (step S232). .

  Thereafter, the broadcast range determining unit 28 determines whether another communication node 30 of the designated tenant is connected to the switch 10 specified in the previous step (step S233). More specifically, the broadcast range determination unit 28 searches the topology DB 22 so that another communication node 30 belonging to the same group as the designated tenant is already connected to the switch 10 specified in the previous step. It is determined whether or not.

  If another communication node 30 of the specified tenant has already been connected to the identified switch 10 (step S233, Yes branch), the process ends. This is because a broadcast route to the switch 10 to which the added communication node 30 is connected is formed. On the other hand, when the other communication node 30 of the tenant specified by the specified switch 10 is not connected (step S233, No branch), the broadcast range determination unit 28 determines the route / action calculation unit 24 Instructing the calculation of the broadcast route from the start point of the already existing broadcast route to the switch 10 specified in step S232 (step S234). The route / action calculation unit 24 calculates a broadcast route according to the instruction.

  Next, the processing rule management unit 26 generates a processing rule (broadcast transfer rule) that realizes the broadcast path calculated in the previous step (step S235). Thereafter, the processing rule management unit 26 registers the broadcast transfer rule generated in the previous step in the processing rule DB 27 and sets the broadcast transfer rule in the corresponding switch 10 via the control message processing unit 23 and the node communication unit 32. (Step S236).

  Here, for example, in the communication system shown in FIG. 2, the communication nodes 30-1 to 30-3 are assigned to the tenant A, and the broadcast path from the switch 10-1 to the switch 10-2 is set. A case where the communication node 30-4 is added to the tenant A will be considered. In this case, the broadcast route for the tenant A exists, but there is no broadcast route from the switch 10-2 to the switch 10-3. Therefore, the broadcast range determination unit 28 causes the route / action calculation unit 24 to calculate a broadcast route from the switch 10-2 to the switch 10-3. The processing rule management unit 26 sets a broadcast transfer rule in the switch 10-2 based on the calculated broadcast route. However, in a situation where the communication node 30 is simply added to the tenant, it is not necessary to transfer the broadcast packet to the newly added communication node 30. That is, there is no need to set a packet out rule in the switch 10-3.

  When the communication node 30 is added to the tenant, the added communication node 30 is likely to operate thereafter. Therefore, before the added communication node 30 is operated, a processing rule for realizing a broadcast route is set in the switch 10 in advance, thereby suppressing a delay in transferring a broadcast packet.

  FIG. 14 is a flowchart illustrating an example of the operation of the control device 20. FIG. 14 shows an operation example when the control device 20 is notified that the communication node 30 belonging to the tenant is stopped by rewriting the resource management information.

  When a group and a communication node are specified and a stop of the communication node is notified, the broadcast range determination unit 28 determines whether a broadcast path exists in the specified tenant (step S241).

  If the broadcast route does not exist (step S241, No branch), the process proceeds to step S244. On the other hand, if a broadcast route exists (step S241, Yes branch), the broadcast range determination unit 28 searches the topology DB 22 to identify the switch 10 to which the designated communication node 30 is connected (step S242). .

  Next, the broadcast range determination unit 28 instructs the processing rule management unit 26 to delete a packet-out rule having processing contents for transferring a broadcast packet from the specified switch 10 to the designated communication node 30 ( Step S243). Thereafter, the processing rule management unit 26 deletes a processing rule related to the designated communication node 30 (for example, a processing rule for realizing a unicast route) (step S244).

  The processing rule management unit 26 deletes a processing rule by transmitting a FlowMod (DLL) message to the corresponding switch 10 via the control message processing unit 23 and the node communication unit 32. More specifically, the MAC address of the communication node 30 notified of the stop to the source MAC address in the matching field is specified, and a wild card is specified in the other columns, and the processing rule is set using a FlowMod (DLL) message. Is deleted.

  FIG. 15 is a flowchart illustrating an example of the operation of the control device 20. FIG. 15 shows an operation example when the control device 20 is notified of the deletion of the communication node 30 belonging to the tenant by rewriting the resource management information.

  When a group and a communication node are specified and deletion of the communication node 30 is notified, the broadcast range determination unit 28 determines whether or not a broadcast path exists in the specified tenant (step S251).

  If there is no broadcast path (step S251, No branch), the process is terminated. On the other hand, if a broadcast route exists (step S251, Yes branch), the broadcast range determination unit 28 searches the topology DB 22 to identify the switch 10 to which the designated communication node 30 is connected (step S252). .

  Thereafter, the broadcast range determination unit 28 determines whether or not another communication node 30 of the tenant designated by the switch 10 specified in the previous step is connected (step S253). If another communication node 30 of the tenant specified by the identified switch 10 is already connected (step S253, Yes branch), the process ends.

  In step S254, the broadcast range determination unit 28 instructs the processing rule management unit 26 to delete the processing rules (broadcast transfer rule and packet out rule) set in the switch 10 specified in step S252. When the assignment of the communication node 30 to the tenant is completed, it is not necessary to transfer the broadcast packet to the deleted communication node 30. Therefore, a broadcast route that does not affect the deletion is deleted.

  FIG. 16 is a flowchart illustrating an example of the operation of the control device 20. FIG. 16 shows an operation example when the control device 20 is notified of deletion of a tenant by rewriting resource management information.

  When the tenant is designated and the deletion is notified, the broadcast range determination unit 28 determines whether or not a broadcast route exists in the designated tenant (step S261). If there is no broadcast path (step S261, No branch), the process is terminated.

  In step S262, the broadcast range determination unit 28 instructs the processing rule management unit 26 to delete the processing rule related to the tenant notified of the deletion. In this way, if the tenant itself is deleted, the broadcast route provided for the tenant is unnecessary, so the processing rule for realizing the broadcast route is deleted from the switch 10.

  17 to 24 are sequence diagrams illustrating an example of the operation of the communication system according to the present embodiment.

  FIG. 17 shows an operation example when a packet is transmitted from the communication node 30-1 to the communication node 30-2.

  Referring to FIG. 17, first, the communication node 30-1 transmits a packet (Message U1 in FIG. 17) toward the switch 10-1. The switch 10-1 that has received the packet from the communication node 30-1 adds the packet and requests the control device 20 to set a processing rule.

  The route / action calculation unit 24 of the control device 20 refers to the network header stored in the packet header and the topology DB 22 and calculates a packet transfer route. Thereafter, the processing rule management unit 26 generates a processing rule to be set in the switch 10 according to the calculated packet transfer path. The processing rule management unit 26 sets the generated processing rule in the switch 10-1 via the control message processing unit 23 and the node communication unit 32. More specifically, a new entry is added to the table DB 13 included in the switch 10-1 (the FlowMod (ADD) message in FIG. 17 is transmitted).

  After setting the processing rule in the switch 10-1, the control device 20 returns a packet (MessageU1) to the switch 10-1 (packets out).

  The switch 10-1 transfers the received packet to the communication node 30-2. Thereafter, the packet (Message U2 in FIG. 2) directed from the communication node 30-1 to the communication node 30-2 is processed according to the processing rule set in the switch 10-1, and transferred to the communication node 30-2.

  In FIG. 18, when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are in an operating state, a broadcast packet is transmitted from the communication node 30-1. An example of the operation is shown.

  Referring to FIG. 18, the communication node 30-1 transmits a broadcast packet (Message B1 in FIG. 18) toward the switch 10-1.

  The switch 10-1 that has received the broadcast packet from the communication node 30-1 requests the control device 20 to set a processing rule with the broadcast packet. The broadcast range determination unit 28 searches the resource information DB 31 and the topology DB 22 to determine a range for transferring a broadcast packet, and instructs the route / action calculation unit 24 to calculate a broadcast route. Here, a broadcast path including the switches 10-1 and 10-2 is calculated.

  Thereafter, the processing rule management unit 26 generates processing rules to be set in the switches 10-1 and 10-2 according to the calculated broadcast path. More specifically, for the switch 10-1, a processing rule whose processing content is to transfer a broadcast packet whose source MAC address has the MAC address of the communication node 30-1 to the switch 10-2. Set (set broadcast transfer rules). Further, a processing rule is set for the switch 10-1 whose processing content is to send a broadcast packet having a source MAC address of the communication node 10-1 to the communication node 30-2 (packet). Set out rules).

  Note that no processing rule is set for the switch 10-2. The communication node 30-3 is assigned to the tenant, but is in a stopped state. That is, it is not necessary to set a packet-out rule in the switch 10-2 and transfer the broadcast packet to the communication node 30-3.

  After setting the processing rule in the switch 10-1, the control device 20 returns a broadcast packet (MessageB1) to the switch 10-1. The switch 10-1 transfers the received packet to the communication node 30-2 and the switch 10-2 according to the set processing rule. Thereafter, the broadcast packet (Message B2) transmitted from the communication node 30-1 is transferred to the communication node 30-2 and the switch 10-2 according to the processing rule set in the switch 10-1.

  In FIG. 19, when communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 to 30-3 are in an operating state, a broadcast packet is transmitted from the communication node 30-1. An example of the operation is shown.

  In this case, unlike the operation example shown in FIG. 18, a packet-out rule is set for the switch 10-2. As a result, the packets (Message B1 and B2) broadcast from the communication node 30-1 are processed according to the processing rules set in the switches 10-1 and 10-2, and are transmitted to the communication node 30-2 and the communication node 30-3. Transferred.

  FIG. 20 shows a case where the communication nodes 30-1 to 30-3 are assigned to the same tenant, and the communication nodes 30-1 and 30-2 are already in operation and the broadcast path is already set, the communication node 30 An example of operation when -3 transitions to the operating state is shown.

  In the operation example of FIG. 18, no packet out rule is set for the switch 10-2. The reason is that the communication node 30 assigned to the tenant is in a stopped state as described above. The operation example of FIG. 20 is an operation example in the case where the communication node 30-3 transitions to the operating state from the situation of FIG.

  Referring to FIG. 20, when the communication node 30-3 transitions to an operating state, the control device 20 additionally sets a packet-out rule in the switch 10-2. Since the processing rule for realizing the broadcast path from the switch 10-1 to the switch 10-2 is set in the switch 10-1, it is not necessary to set the broadcast transfer rule. That is, regarding the processing rule set in the switch 10-2, it is sufficient to add a processing rule for transferring a broadcast packet from the communication node 30-1 to the communication node 30-3.

  Thereafter, the control device 20 instructs the communication node 30-3 to transition to the operating state. After the communication node 30-3 transitions to the operating state, the broadcast packet transmitted by the communication node 30-1 is transferred to the communication nodes 30-2 and 30-3 via the switches 10-1 and 10-2. .

  FIG. 21 shows the case where the communication nodes 30-1 to 30-3 are assigned to the same tenant, and the communication nodes 30-1 to 30-3 are already in the operating state and the broadcast path is already set. -2 shows an operation example when transitioning to a stopped state.

  In this case, a processing rule (packet-out rule) whose processing content is to send a broadcast packet transmitted from the communication node 30-1 to the communication node 30-2 has already been set in the switch 10-1. Therefore, the control device 20 deletes the packet-out rule set in the switch 10-1. Thereafter, the control device 20 instructs the communication node 30-2 to transition to the stop state. In the operation example of FIG. 21, the broadcast transfer rule (processing rule for transferring a broadcast packet from the switch 10-1 to the switch 10-2) set in the switch 10-1 is not deleted. This is because the switch 10-2 needs to transfer the broadcast packet to the communication node 30-3.

  FIG. 22 shows that the tenant is deleted when the communication nodes 30-1 to 30-3 are assigned to the same tenant, and the communication nodes 30-1 to 30-3 are already in operation and the broadcast route is already set. An example of the operation is shown.

  In this case, the control device 20 deletes the processing rules (broadcast transfer rules and packet out rules) set in the switches 10-1 and 10-2. Thereafter, the control device 20 shifts the communication nodes 30-1 to 30-3 assigned to the tenant to be deleted to a stopped state.

  FIG. 23 shows communication to a tenant when communication nodes 30-1 and 30-2 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are already in operation and a broadcast path is already set. An operation example in the case of adding the node 30-3 is shown.

  In this case, the control device 20 sets a processing rule (broadcast transfer rule) for transferring the broadcast packet transmitted by the communication node 30-1 to the switch 10-2 for the switch 10-1. Thereafter, the broadcast packet (Message B3 in FIG. 23) transmitted by the communication node 30-1 is transferred to the communication node 30-2 and the switch 10-2. In the operation example of FIG. 23, only the communication node 30 is added to the tenant, and since the operation of the communication node 30-3 is not instructed, no packet out rule is set for the switch 10-2.

  FIG. 24 shows communication from the tenant when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are already operating and the broadcast path is already set. An operation example in the case of deleting the node 30-3 is shown.

  In this case, the control device 20 sets a processing rule (broadcast transfer rule) that is a processing rule set in the switch 10-1 and forwards the broadcast packet transmitted from the communication node 30-1 to the switch 10-2. delete. Furthermore, the control device 20 also deletes the packet out rule set in the switch 10-2. Thereafter, the broadcast packet (Message B3 in FIG. 24) transmitted by the communication node 30-1 is transferred only to the communication node 30-2.

  As described above, the control device 20 according to the present embodiment determines a broadcast range in consideration of allocation of resources (communication node 30) to a tenant and an operation state, and generates a processing rule to be set in the switch 10. . As a result, the broadcast packet is transferred only to the communication nodes 30 belonging to the same group (tenant), and the security of the network is improved.

  The technique disclosed in Patent Document 1 is premised on applying to a specific domain (subnet) in a closed network that does not depend on layer 2 or layer 3. On the other hand, in the communication system according to the present embodiment, a network independent of layer 2 or layer 3 is generated in one domain (layer 2 subnet). In other words, a network formed of flow-based switches includes a plurality of tenants composed of a plurality of layer 2 subnets, makes each tenant independent, and does not transfer broadcast packets to switches not related to the tenant.

  In addition, the control device 20 considers the operation state of the communication node 30 and sets a processing rule so that the broadcast packet is transferred to the switch 10 to which the communication node 30 device that may operate in the future is connected. Set in advance. As a result, even when the communication node 30 in the stopped state shifts to the operating state and the broadcast packet needs to be transferred, the broadcast packet can be transferred with low delay.

[Second Embodiment]
Next, a second embodiment will be described in detail with reference to the drawings.

  FIG. 25 is a diagram illustrating an example of a communication system according to the second embodiment. In FIG. 25, the same constituent elements as those in FIG. The difference between FIG. 2 and FIG. 25 is that the operation of the control device 20a and the management device 40 are added.

  In the communication system according to the second embodiment, the management device 40 handles the resource management information described in the first embodiment. More specifically, the management device 40 adds and deletes tenants, adds and deletes resources to the tenant, and operates resources allocated to the tenant based on tenant management information input by a communication system administrator or the like. And stop. That is, the tenant management information is information that clearly indicates addition of a tenant and the like, and is information that is input from the outside of the management apparatus 40. When the management device 40 recognizes the change of the tenant management information, the management device 40 notifies the control device 20a that the resource management information has been changed, assuming that the operation status of the communication system has changed. The control device 20a that has received the resource management information change notification determines the presence / absence of a broadcast path in accordance with the notification, and sets processing rules in the switch 10 as appropriate.

  Further, when determining the broadcast range, the control device 20a makes a resource management information provision request to the management device 40. This resource management information provision request requests the management apparatus 40 to provide the resource management information described in the first embodiment. The control device 20a determines the broadcast range based on a response to the resource management information provision request.

  The management device 40 is a device that manages the communication nodes 30-1 to 30-5. Specifically, it manages the addition and deletion of tenants to the communication system, the addition and deletion of resources to the tenant, and the operation and stoppage of resources.

  FIG. 26 is a diagram illustrating an example of an internal configuration of the control device 20a. In FIG. 26, the same components as those in FIG. The difference between the control device 20 and the control device 20a is that the resource information DB 31 does not exist and the operations of the broadcast range determination unit 28a and the configuration change processing unit 29a are the broadcast range determination unit 28 and the configuration change processing unit 29, respectively. It is a different point.

  The broadcast range determination unit 28a makes a resource management information provision request to the management device 40 instead of searching the resource information DB 31. The broadcast range determination unit 28a determines the transfer range of the broadcast packet based on the response from the management device 40. More specifically, the broadcast range determination unit 28a makes a resource management information provision request to the management apparatus 40 when information corresponding to the resource management information in the first embodiment is required. Thereafter, the broadcast range is determined based on a response to the resource management information provision request from the management device 40. In addition, when receiving the above-described resource management information change notification, the broadcast range determination unit 28a sets processing rules (broadcast transfer rules and packet out rules) in the switch 10 as necessary. Further, the broadcast range determination unit 28a notifies the management device 40 that the processing rule has been set in the switch 10 by responding to the resource management information change notification.

  The configuration change processing unit 29a updates the topology DB 22 based on the resource management information change notification. Note that the control device 20 according to the first embodiment manages the operation state of the communication node 30 using the configuration change processing unit 29. In the second embodiment, the management device 40 controls and manages the communication node 30. Therefore, the configuration change processing unit 29a of the control device 20a does not have a function of controlling the operation state of the communication node 30.

  FIG. 27 is a diagram illustrating an example of the internal configuration of the management apparatus 40. The management device 40 includes a resource change processing unit 41, a resource management unit 42, a resource database (resource DB) 43, an allocation plan unit 44, an allocation resource database (allocation resource DB) 45, and an operating resource determination unit 46 A tenant resource database (tenant resource DB) 47, a release processing execution unit 48, and a communication unit 49 that communicates with the control device 20a, the communication node 30, and a terminal (not shown in FIG. 25). Is done.

  The resource change processing unit 41 receives tenant management information from the outside via the communication unit 49. More specifically, the administrator of the communication system inputs tenant management information to the management apparatus 40 using a terminal or the like not shown in FIG. The resource change processing unit 41 performs a process corresponding to the tenant management information (for example, addition of a resource to be allocated to the tenant), and then responds to the tenant management information via the communication unit 49. For example, when the tenant management information is a request related to addition of a resource to a tenant, the resource change processing unit 41 responds whether or not the request has been processed normally.

  The resource change processing unit 41 controls addition / deletion of tenants, addition / deletion of resources to / from each tenant, and operation / stop of resources allocated to the tenant according to the tenant management information. More specifically, the resource change processing unit 41 instructs one of the allocation planning unit 44, the operating resource determination unit 46, and the release processing execution unit 48 to add or delete resources. Further, the resource change processing unit 41 issues a resource management information change notification to the control device 20a based on tenant management information and a response to an instruction given to each unit (the allocation planning unit 44 and the like).

  Further, the resource change processing unit 41 instructs the resource management unit 42 to operate or stop the resource in response to the response from the tenant management information and the control device 20a.

  Furthermore, when the resource change processing unit 41 receives a resource management information provision request from the control device 20a via the communication unit 49, the resource change processing unit 41 searches various databases, and determines the resource allocation status and operating state. Responds to 20a.

  The resource management unit 42 is means for controlling and managing resources allocated to each tenant. The resource management unit 42 controls and manages the operation state of the communication node 30 based on an instruction from the resource change processing unit 41. More specifically, the resource management unit 42 transmits a control message to the communication node 30 to change the operation state of the communication node 30. After changing the operation state of the communication node 30, the resource management unit 42 responds to the resource change processing unit 41 that the control of the communication node 30 has ended.

  The resource DB 43 is a database that stores information related to the communication nodes 30 (system resources) included in the entire communication system.

  FIG. 28 is a diagram illustrating an example of entries in the resource DB 43. The entry of the resource DB 43 includes a resource ID field for storing an ID for uniquely identifying a resource included in the entire communication system, a resource type field indicating a resource type (for example, a computer, a virtual machine, etc.), and the resource Includes an allocation flag indicating whether or not the resource has already been allocated to the tenant, and a resource attribute field indicating other resource attributes. The resource attribute includes the MAC address of the resource. By including the MAC address in the resource attribute, the search of the MAC address can be omitted when the management device 40 notifies the control device 20a of the resource operation or the like. Alternatively, a MAC address may be used as an ID for identifying a resource.

  The entry in the resource DB 43 is updated in response to a change in resources (addition or deletion of resources) included in the entire communication system.

  The allocation planning unit 44 is means for determining a resource to be allocated to a tenant according to an instruction from the resource change processing unit 41. The allocation planning unit 44 responds to the resource change processing unit 41 as to whether or not the resource has been allocated to the designated tenant. If the allocation planning unit 44 searches the resource DB 43 and determines that there is a resource to be allocated to the tenant, the allocation planning unit 44 registers information on the resource in the allocation resource DB 45. In the following description, the process executed by the allocation planning unit 44 is referred to as a resource allocation plan.

  The allocation resource DB 45 is a database that stores resources allocated to tenants by the allocation planning unit 44.

  FIG. 29 is a diagram illustrating an example of entries in the allocation resource DB 45. The entry of the allocated resource DB 45 includes a tenant ID field that indicates a tenant to which resources are allocated, and a resource information field that indicates information related to the allocated resources. In the resource information field, a resource ID for identifying a resource and an operation state flag indicating the operation state (operating state or stopped state) of the resource are stored. For example, even if a resource is allocated to a tenant, if the resource is in a stopped state, the operation state flag corresponding to the resource is “false (stopped state)”.

  The operating resource determination unit 46 is a means for determining a resource to be operated from among resources allocated to the tenant in accordance with an instruction from the resource change processing unit 41. At that time, the resource change processing unit 41 designates the number of resources to be operated with the tenant to the operation resource determination unit 46. The operating resource determination unit 46 responds to the resource change processing unit 41 as to whether or not the specified number of resources can be operated. The operating resource determination unit 46 searches the allocated resource DB 45 and determines a resource to be operated from among resources allocated to the designated tenant. After determining the resource to be operated, the operating resource determination unit 46 registers the resource in the tenant resource DB 47.

  The tenant resource DB 47 is a database that is a resource belonging to the tenant and stores resources that are in operation.

  FIG. 30 is a diagram illustrating an example of entries in the tenant resource DB 47. The entry of the tenant resource DB 47 includes a tenant ID field indicating a tenant and a plurality of resource ID fields indicating resources that are allocated to the tenant and are operating.

  The release processing execution unit 48 is a means for stopping resources that are allocated to tenants and are in operation according to instructions from the resource change processing unit 41. At that time, the resource change processing unit 41 designates the number of resources to be stopped with the tenant to the release processing execution unit 48. Further, the release process execution unit 48 is a unit that unassigns resources already assigned to the tenant when receiving an instruction related to deletion of the tenant. In the following description, a process that is executed by the release process execution unit 48 and stops an active resource is referred to as a resource release plan.

  Note that each unit (processing unit) of the control device 20a and the management device 40 illustrated in FIGS. 26 and 27 is a computer program that causes a computer that configures these devices to execute each process described below using the hardware. Can also be realized.

  Next, the operation of the control device 20a will be described.

  The operation when the control device 20a receives a packet from the switch 10 does not differ from the operation described with reference to FIG.

  FIG. 31 is a flowchart illustrating an example of the operation of the control device 20a. FIG. 31 shows an operation example corresponding to the operation described with reference to FIG. The difference between FIG. 11 and FIG. 31 is the processing according to step S207a.

  In step S207a, the broadcast range determining unit 28a determines the switch 10 that forwards the received broadcast packet and its connection port (determines the broadcast range). The broadcast range determination unit 28a requests the management apparatus 40 to provide resource management information necessary for determining the broadcast range. The broadcast range determination unit 28a determines the broadcast range based on information obtained from the management device 40.

  FIG. 32 is a flowchart showing an example of the operation of the broadcast range determining unit 28a.

  In step S2071, the broadcast range determination unit 28a designates the tenant to which the communication node 30 that transmits the broadcast packet belongs to the management apparatus 40, makes a resource management information provision request regarding the tenant, and waits for a response ( Step S2072).

  The broadcast range determination unit 28a identifies the switch 10 used for forwarding the broadcast packet from the response to the resource management information provision request and the network topology stored in the topology DB 22 (step S2073). Thereafter, the broadcast range determining unit 28a specifies the switch 10 and its port to which the communication node 30 (resource) assigned to the tenant is connected by searching the topology DB 22 (step S2074). The switch 10 and its connection port specified in this step correspond to the broadcast range. The operation on the management apparatus 40 side in step S2072 will be described later.

  33 to 37 are flowcharts showing an example of the operation of the control device 20a corresponding to FIGS. 12 to 16, respectively. 33 to 37, the same step names are assigned to the same processes as those in FIGS. 12 to 16, and the description thereof is omitted. The difference between the corresponding drawings is that a response is made to the management apparatus 40 immediately before the processing shown in each drawing is finished.

  The management device 40 displays the changed contents according to the change in the operation status of the communication system (change in tenant management information; that is, addition and deletion of tenants, addition and deletion of resources to the tenant, operation and stop of resources). Notify the control device 20a (perform resource management information change notification). In accordance with the notification from the management device 40, the control device 20a performs appropriate processing (for example, setting of a broadcast transfer rule) and responds to the management device 40 that the processing has been completed. Upon receiving the response, the management device 40 controls and manages the resource (communication node 30) as necessary.

  Taking FIG. 33 as an example, differences between the drawings will be described. FIG. 33 shows an operation example of the control device 20a when the management device 40 notifies the operation of the communication node 30 assigned to the tenant. In this case, the control device 20a operates so that the broadcast packet is transferred to the communication node 30 that has been notified of the operation by executing the processes according to steps S221 to S224. More specifically, the control device 20 a sets a packet out rule in the switch 10.

  Thereafter, in step S225, the control device 20a responds to the management device 40 that the preparation for transferring the broadcast packet to the communication node 30 notified of the operation is completed. The resource management unit 42 of the management device 40 that has received the response transmits a control message to the communication node 30 and causes the communication node 30 to transition to the operating state. At this time, since processing rules (broadcast transfer rules and packet-out rules) for transferring broadcast packets are already set in the switch 10, the broadcast packets are transferred to the communication node 30 that has started operation.

  Next, the operation of the management device 40 will be described.

  38 to 44 are flowcharts illustrating an example of the operation of the management apparatus 40.

  FIG. 38 shows an operation example of the management apparatus 40 when registering a tenant.

  When a tenant is registered in the management apparatus 40, the tenant ID and the number (maximum value) of resources allocated to the tenant are specified by the tenant management information. Upon receiving such tenant management information, the resource change processing unit 41 causes the allocation planning unit 44 to execute a resource allocation plan (step S401). More specifically, the allocation planning unit 44 determines a resource to be allocated to a tenant from resources registered in the resource DB 43 (resources included in the entire communication system). The allocation planning unit 44 determines whether or not the requested resource can be allocated (step S402).

  For example, if a resource is registered in the resource DB 43 and the number of unallocated resources is less than the number of resources requested to be allocated, the resource cannot be allocated to the tenant (step S402). , No branch), the processing according to step S403 is executed. If resources can be allocated to the tenant (step S402, Yes branch), the processing according to steps S404 and 405 is executed.

  In step S403, the allocation planning unit 44 responds to the resource change processing unit 41 that resources cannot be allocated. The resource change processing unit 41 responds that the tenant cannot be registered via the communication unit 49 (for example, responds to the terminal that inputs tenant management information that the resource cannot be allocated).

  In step S404, the allocation planning unit 44 changes the allocation flag corresponding to the resource determined in step S401 in the entry of the resource DB 43 to “allocated”. Thereafter, the allocation planning unit 44 updates the tenant ID field and the resource information field of the allocation resource DB 45 based on the resource allocated to the tenant (step S405).

  In step S401, various methods are conceivable for the resource allocation plan executed by the allocation planning unit 44. For example, a method of randomly securing a specified number of resources, a method of allocating in units of resources connected to the same switch 10 in consideration of a network distance, a method of selecting and selecting a resource having a small number of network hops, a rack A method of allocating in units, a method of allocating to two or more racks in consideration of availability, and the like are conceivable. The allocation planning unit 44 determines a resource to be allocated to the tenant using any method or a method other than the above.

  FIG. 39 shows an operation example of the management apparatus 40 when operating resources. Resource operation is performed by specifying a tenant and a job.

  The resource change processing unit 41 designates a tenant and a job (service provided by the resource) and instructs the operating resource determination unit 46 to determine the operating resource.

  The operating resource determination unit 46 searches the allocated resource DB 45 and checks whether or not there is a resource whose operation state flag is “false” (resource is in a stopped state) in the designated tenant (step S411).

  If there is no resource that is allocated to the tenant and is in a stopped state (step S411, No branch), the processing according to step S412 is executed. On the other hand, if there is a stopped resource (step S411, Yes branch), the processing according to steps S413 to S418 is executed.

  In step S412, the operation resource determination unit 46 notifies the resource change processing unit 41 that there is no resource in the stopped state, so that the operation of the resource in the designated tenant is impossible, and ends the process. The resource change processing unit 41 responds via the communication unit 49 that the resource cannot be operated.

  In step S413, the operating resource determination unit 46 selects an operating resource from the resources whose operation status flag of the designated tenant is “false”.

  Next, the operating resource determination unit 46 changes the operating state flag of the allocated resource DB 45 corresponding to the resource determined in the previous step to “true” (the resource is operating) (step S414). In addition, the operating resource determination unit 46 adds the resource ID of the corresponding resource to the entry of the tenant resource DB 47 (step S415).

  The operating resource determination unit 46 responds to the resource change processing unit 41 with the tenant ID and the MAC address of the operating resource. Receiving the response, the resource change processing unit 41 notifies the control device 20a of resource management information change including the tenant ID and the MAC address of the operating resource (step S416). Thereafter, the resource change processing unit 41 waits for a response from the control device 20a (step S417), and instructs the resource management unit 42 to operate the resource determined in step S413 (step S418).

  FIG. 40 shows an operation example of the management apparatus 40 when stopping resources. The resource is stopped by specifying the tenant and the resource to be stopped.

  The resource change processing unit 41 notifies the control device 20a of resource management information change including the tenant and the resource to be stopped (step S421). Thereafter, the resource change processing unit 41 waits for a response from the control device 20a (step S422), and upon receiving the response, instructs the resource management unit 42 to stop the resource to be stopped (step S423). The resource management unit 42 transmits a control message to the resource to be stopped and instructs the transition to the stopped state.

  The resource management unit 42 waits until the resource stops (step S424), and then responds to the resource change processing unit 41 that the state change of the resource is completed.

  Receiving the response, the resource change processing unit 41 instructs the release processing execution unit 48 to delete the specified resource of the specified tenant (step S425). The release processing execution unit 48 deletes the specified resource of the specified tenant from the entry of the tenant resource DB 47. Thereafter, the release processing execution unit 48 changes the operation state flag of the resource information field corresponding to the designated resource, which is an entry of the allocated resource DB 45, to the stopped state (step S426).

  FIG. 41 shows an operation example of the management apparatus 40 when adding a resource to a tenant. By specifying the tenant and the number of resources to be added, resources are added.

  The resource change processing unit 41 designates the tenant and the number of resources to be added, and instructs the allocation planning unit 44 to add resources. Upon receiving the instruction, the allocation planning unit 44 selects the specified number of resources from the entries in the resource DB 43. At that time, the allocation planning unit 44 responds to the resource addition instruction by selecting a resource whose allocation flag is “unallocated” (step S431). The allocation planning unit 44 determines whether or not the requested resource can be allocated (step S432).

  When the specified number of resources cannot be allocated (step S432, No branch), the process according to step S433 is executed. On the other hand, when the designated number of servers can be assigned (step S432, Yes branch), the processing according to steps S434 to S437 is executed.

  In step S433, the allocation planning unit 44 responds to the resource change processing unit 41 that the resource cannot be added to the designated tenant. The resource change processing unit 41 responds via the communication unit 49 that the resource cannot be added.

  In step S434, the allocation planning unit 44 changes the allocation flag corresponding to the resource determined in step S431 to “allocated” (changes the resource DB 43). Thereafter, the allocation planning unit 44 stores the allocated resources in the tenant ID field and the resource information field of the allocated resource DB 45 (registered in the allocated resource DB 45; step S435).

  Next, the allocation planning unit 44 responds to the resource change processing unit 41 with the tenant ID and the MAC address of the resource to be added. The resource change processing unit 41 sends a resource management information change notification including the tenant ID and the MAC address of the resource to be added to the control device 20a (step S436). Thereafter, the resource change processing unit 41 waits for a response from the control device 20a (step S437).

  FIG. 42 shows an operation example of the management apparatus 40 when deleting a resource from a tenant.

  The resource change processing unit 41 designates a tenant and instructs the release processing execution unit 48 to delete the resource (step S441). The release process execution unit 48 executes the resource release plan and selects a resource to be deleted from the allocated resource DB 45 corresponding to the designated tenant. In this step, the release processing execution unit 48 selects a stopped server as a deletion target. The release processing execution unit 48 responds to the resource change processing unit 41 with the selected resource.

  The resource change processing unit 41 designates the tenant and the resource determined in the previous step, and sends a resource management information change notification to the control device 20a (step S442). Thereafter, the resource change processing unit 41 waits for a response from the control device 20a (step S443). The resource change processing unit 41 that has received the response instructs the release processing execution unit 48 to delete the resource information related to the resource determined in step S441 from the allocation resource DB 45 (step S444).

  Next, the release process execution unit 48 changes the resource allocation flag corresponding to the resource determined in step S441 to “unallocated” (change of the resource DB 43; step S445).

  FIG. 43 shows an operation example of the management apparatus 40 when deleting a tenant.

  In step S451, the resource change processing unit 41 notifies the control device 20a of resource management information change including the tenant to be deleted. Thereafter, the resource change processing unit 41 waits for a response from the control device 20a (step S452). The resource change processing unit 41 that has received the response instructs the release processing execution unit 48 to delete the resource of the designated tenant (step S453). At that time, the release process execution unit 48 deletes the entry related to the designated tenant, which is an entry in the allocated resource DB 45.

  Further, the release processing execution unit 48 changes the allocation flag of the resource DB 43 corresponding to the resource registered in the entry released in the previous step to “unallocated” (step S454).

  FIG. 44 shows an operation example of the management apparatus 40 when a resource management information provision request is received from the control apparatus 20a.

  In step S461, the resource change processing unit 41 searches the assigned resource DB 45 for the entry of the designated tenant, and checks the operation status flag of the resource included in the entry. Thereafter, the resource change processing unit 41 responds to the control device 20a with the operation state of the resource confirmed in the previous step. The response to the resource management information provision request includes the MAC address of the resource (communication node 30) assigned to the designated tenant.

  45 to 52 are sequence diagrams illustrating an example of the operation of the communication system according to the present embodiment. 45 to 52 are sequence diagrams illustrating examples of operations of the communication system corresponding to FIGS. 17 to 24, respectively. Therefore, in FIG. 45 to FIG. 52, description regarding FIG. 17 to FIG. 24 is omitted.

  FIG. 45 shows an operation example when a packet is transmitted from the communication node 30-1 to the communication node 30-2. In this case, since the operation of the communication system is completed by the switch 10, the control device 20, and the communication node 30, there is no difference from the operation example in FIG.

  In FIG. 46, when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are in an operating state, a broadcast packet is transmitted from the communication node 30-1. An example of the operation is shown.

  In this case, the control device 20a to which the broadcast packet is transferred from the switch 10-1 makes a resource management information provision request to the management device 40 in order to determine the broadcast range. Thereafter, the broadcast range is determined according to a response from the management device 40, and a processing rule is set in the switch 10-1.

  In FIG. 47, when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 to 30-3 are in an operating state, a broadcast packet is transmitted from the communication node 30-1. An example of the operation is shown.

  Also in this case, the control device 20a determines the broadcast range based on the response from the management device 40.

  48 shows a case where the communication nodes 30-1 to 30-3 are assigned to the same tenant, and the communication nodes 30-1 and 30-2 are already operating and the broadcast path is already set, the communication node 30 An example of operation when -3 transitions to the operating state is shown.

  In this case, the management device 40 designates a tenant and notifies the control device 20a of resource management information change notification indicating resource operation. The control device 20a sets a packet out rule in the switch 10-2 according to the notification. Thereafter, the management device 40 waits for a response from the control device 20a, and shifts the communication node 30-3 to the operating state.

  49 shows a case where the communication nodes 30-1 to 30-3 are assigned to the same tenant, and the communication nodes 30-1 to 30-3 are already in operation and the broadcast path is already set. -2 shows an operation example when transitioning to a stopped state.

  In this case, the management device 40 notifies the control device 20a that the resource has been stopped. Upon receiving the resource stop notification, the control device 20a deletes the packet-out rule set in the switch 10-1. Thereafter, the management device 40 causes the communication node 30-2 to transition to a stopped state.

  FIG. 50 shows that the tenant is deleted when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 to 30-3 are already in operation and the broadcast path is already set. An example of the operation is shown.

  In this case, the management device 40 notifies the control device 20a of the tenant deletion by designating the tenant. Upon receiving the resource management information change notification related to the tenant deletion notification, the control device 20a deletes the processing rules set in the switches 10-1 and 10-2. The management device 40 that has received a response indicating that the deletion of the processing rule has been completed from the control device 20a causes the communication nodes 30-1 to 30-3 to transition to a stopped state.

  FIG. 51 shows communication to the tenant when the communication nodes 30-1 and 30-2 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are already in operation and the broadcast path is already set. An operation example in the case of adding the node 30-3 is shown.

  In this case, the management device 40 notifies the control device 20a that a resource will be added. In response to the notification, the control device 20a sets a processing rule (broadcast transfer rule) for realizing a broadcast path toward the switch 10-2 for the switch 10-1.

  FIG. 52 shows communication from the tenant when the communication nodes 30-1 to 30-3 are assigned to the same tenant and the communication nodes 30-1 and 30-2 are already operating and the broadcast path is already set. An operation example in the case of deleting the node 30-3 is shown.

  In this case, the management device 40 notifies the control device 20a that the resource is to be deleted. In response to the notification, the control device 20a deletes the processing rules set in the switches 10-1 and 10-2.

  As described above, in the communication system according to the present embodiment, the control device 20a determines the broadcast range based on information notified by the management device 40. Based on the determined broadcast range, the control device 20a can set a processing rule in the switch 10 and transfer the broadcast packet to an appropriate range. In addition, the management device 40 automatically determines a resource to be allocated to a tenant and a resource to be operated based on tenant management information input by a communication system administrator or the like. Therefore, the administrator does not need to finely manage resources allocated to individual tenants.

  The first and second embodiments described above are merely examples, and various modifications can be made. In the first and second embodiments, when the packet arrives at the switch 10 and does not match the matching rule stored in the table DB 13 of the switch 10, the control device 20 or the control device 20a generates a processing rule or the like. Do. However, for example, when a tenant is added to the communication system, a broadcast route may be calculated and a corresponding processing rule may be set in the switch 10. In that case, the response speed when the broadcast packet is transmitted first is improved.

  Further, the function of the management device 40 can be incorporated into the control device 20, or the function of the control device 20 can be incorporated into the management device 40. That is, the control device 20 and the management device 40 can be realized by the same device. Alternatively, the switch 10 and the communication node 30 may be a virtual machine. Furthermore, a virtual machine and a physical machine switch 10 and a communication node 30 may be mixed in the communication system. Furthermore, the resource included in the communication system may be a virtual resource such as a virtual machine or a virtual appliance. In this case, as shown in FIG. 53, it is preferable to prepare a device that manages the correspondence between the virtual resource and the physical machine on which the virtual resource operates, such as the logical / physical correspondence management device 50. At that time, the control device 20a and the management device 40 refer to the logical / physical correspondence management device 50 to resolve the correspondence between the virtual resource and the physical machine.

  Finally, the preferred form is summarized.

[Form 1]
The communication system according to the first aspect described above.
[Form 2]
Including a plurality of said switches;
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. When the broadcast packet is transmitted to the second communication node to which it belongs,
The control device sets a first processing rule for transferring the broadcast packet to the second switch in the first switch, and is connected to the second communication node. The communication system of the form 1 which sets the 2nd processing rule for sending out from a port to the said 2nd switch.
[Form 3]
When a third communication node is added to the group and there is no switch to which another communication node belonging to the same group as the third communication node is connected,
The control device sets a processing rule for transferring the broadcast packet from the first switch to a third switch to which the third communication node is connected to at least one of the plurality of switches. The communication system of the form 2 to do.
[Form 4]
When the third communication node when added to the group is in a stopped state,
The communication system according to mode 3, wherein the control device does not set the second processing rule corresponding to the third communication node in the third switch.
[Form 5]
When the third communication node transitions from a stopped state to an operating state,
The communication system according to mode 4, wherein the control device sets the second processing rule corresponding to the third communication node in the third switch.
[Form 6]
When the second communication node transitions from an operating state to a stopped state,
The communication system according to any one of Embodiments 2 to 5, wherein the control device deletes the second processing rule from the second switch.
[Form 7]
When the second communication node is deleted from the group,
The communication system according to any one of Embodiments 2 to 6, wherein the control device deletes the first processing rule from the first switch and deletes the second processing rule from the second switch. .
[Form 8]
Management information indicating the identifier of the group, the identifier of the communication node belonging to the group, and the operating state of the communication node belonging to the group;
Any one of Embodiments 2 to 7 for specifying a switch for setting the first and / or second processing rule based on a network topology including connections between the plurality of switches and the plurality of communication nodes. The communication system according to 1.
[Form 9]
The communication according to any one of aspects 1 to 8, further comprising a management device that generates the management information based on tenant management information that associates a tenant of a communication system, a communication node assigned to the tenant, and an operation state of the communication node. system.
[Mode 10]
The communication method according to the second aspect described above.
[Form 11]
The communication system includes a plurality of the switches,
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. Transmitting the broadcast packet toward a second communication node to which it belongs;
Setting a first processing rule for transferring the broadcast packet to the second switch in the first switch;
Setting a second processing rule for sending the broadcast packet from a port connected to the second communication node in the second switch;
The communication method according to mode 10, further comprising:
[Form 12]
Determining whether there is a switch to which another communication node belonging to the same group as the third communication node is connected when a third communication node is added to the group;
When there is no switch to which another communication node belonging to the same group as the third communication node is connected, the broadcast packet is transmitted from the first switch to the third communication node. Setting a processing rule for transferring to a switch of at least one of the plurality of switches;
The communication method according to mode 11, further comprising:
[Form 13]
It is as the control apparatus which concerns on the above-mentioned 3rd viewpoint.
[Form 14]
A plurality of the switches are controlled,
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. When the broadcast packet is transmitted to the second communication node to which it belongs,
To set a first processing rule for transferring the broadcast packet to the second switch in the first switch and to send the broadcast packet from a port connected to the second communication node Item 14. The control device according to appendix 13, wherein the second processing rule is set in the second switch.
[Form 15]
When a third communication node is added to the group and there is no switch to which another communication node belonging to the same group as the third communication node is connected,
The control according to supplementary note 14, wherein a processing rule for transferring the broadcast packet from the first switch to the third switch to which the third communication node is connected is set in at least one of the plurality of switches. apparatus.
[Form 16]
When the third communication node when added to the group is in a stopped state,
The control device according to supplementary note 15, wherein the second processing rule corresponding to the third communication node is not set in the third switch.
[Form 17]
When the third communication node transitions from a stopped state to an operating state,
The control device according to appendix 16, wherein the second processing rule corresponding to the third communication node is set in the third switch.
[Form 18]
When the second communication node transitions from an operating state to a stopped state,
The control device according to any one of supplementary notes 14 to 17, wherein the second processing rule is deleted from the second switch.
[Form 19]
It is as the control method of the control apparatus which concerns on the above-mentioned 4th viewpoint.
[Mode 20]
It is as the program concerning the above-mentioned 5th viewpoint.
Note that the tenth, thirteenth, nineteenth, and twentieth forms can be developed into second to ninth forms as in the first form.

  Each disclosure of the cited patent documents and the like cited above is incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiments and examples can be changed and adjusted based on the basic technical concept. Various disclosed elements (including each element of each claim, each element of each embodiment or example, each element of each drawing, etc.) within the scope of the claims of the present invention, Selection is possible. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea. In particular, with respect to the numerical ranges described in this document, any numerical value or small range included in the range should be construed as being specifically described even if there is no specific description.

10 10-1 to 10-3, 102 Switch 11, 49 Communication unit 12 Table management unit 13 Table database (table DB)
14 Transfer processing units 20, 20a, 103 Control device 21 Topology management unit 22 Topology database (topology DB)
23 Control Message Processing Unit 24 Route / Action Calculation Unit 25 Packet Transfer Route Database (Packet Transfer Route DB)
26 processing rule management unit 27 processing rule database (processing rule DB)
28, 28a Broadcast range determination unit 29, 29a Configuration change processing unit 30 30-1 to 30-5, 101-1 to 101-4 Communication node 31 Resource information database (resource information DB)
32 node communication unit 40 management device 41 resource change processing unit 42 resource management unit 43 resource database (resource DB)
44 Allocation Planning Unit 45 Allocation Resource Database (Allocation Resource DB)
46 Operating resource determination unit 47 Tenant resource database (tenant resource DB)
48 Release processing execution unit 50 Logical / physical correspondence management device 141 Table search unit 142 Action execution unit

Claims (10)

A plurality of grouped communication nodes;
A switch that connects the plurality of communication nodes and processes a packet in accordance with a processing rule for processing the packet;
A control device for setting processing rules in the switch;
Including
The control device sets processing rules for transferring a broadcast packet transmitted to a plurality of other communication nodes belonging to the same group to the other plurality of communication nodes in the switch, A communication system in which a processing rule for transferring the broadcast packet to a communication node belonging to a group different from a communication node that is a transmission source of the broadcast packet is not set in the switch. Including a plurality of said switches;
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. When the broadcast packet is transmitted to the second communication node to which it belongs,
The control device sets a first processing rule for transferring the broadcast packet to the second switch in the first switch, and is connected to the second communication node. The communication system according to claim 1, wherein a second processing rule for sending from a port is set in the second switch. When a third communication node is added to the group and there is no switch to which another communication node belonging to the same group as the third communication node is connected,
The control device sets a processing rule for transferring the broadcast packet from the first switch to a third switch to which the third communication node is connected to at least one of the plurality of switches. The communication system according to claim 2. When the third communication node when added to the group is in a stopped state,
The communication system according to claim 3, wherein the control device does not set the second processing rule corresponding to the third communication node in the third switch. When the third communication node transitions from a stopped state to an operating state,
The communication system according to claim 4, wherein the control device sets the second processing rule corresponding to the third communication node in the third switch. When the second communication node transitions from an operating state to a stopped state,
The communication system according to any one of claims 2 to 5, wherein the control device deletes the second processing rule from the second switch. A plurality of grouped communication nodes;
A communication method of a communication system including a switch that connects between the plurality of communication nodes and processes a packet according to a processing rule for processing the packet,
Transmitting a broadcast packet to a plurality of other communication nodes belonging to the same group;
Setting a processing rule in the switch for transferring the broadcast packet to the other plurality of communication nodes;
Including a communication method. A control device that sets a processing rule for processing a packet in a switch that connects a plurality of communication nodes grouped,
A processing rule for transferring a broadcast packet to be transmitted to a plurality of other communication nodes belonging to the same group to the other plurality of communication nodes is set in the switch, and the broadcast packet is A control device that does not set a processing rule for forwarding to a communication node belonging to a group different from a communication node that is a transmission source of a broadcast packet in the switch. A control method of a control device for setting a processing rule for processing a packet in a plurality of switches connecting a plurality of communication nodes grouped,
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. When sending a broadcast packet to the second communication node to which it belongs,
Identifying the first and second switches based on management information indicating the correspondence between the group and the communication nodes belonging to the group, and the topology of the network comprising the connections between the plurality of switches and the plurality of communication nodes When,
Setting a first processing rule for transferring the broadcast packet to the second switch in the first switch;
Setting a second processing rule for sending the broadcast packet from a port connected to the second communication node in the second switch;
A control method for a control device including: A program that causes a computer that controls a control device to set a processing rule for processing a packet to a plurality of switches that connect a plurality of grouped communication nodes,
A first communication node connected to a first switch of the plurality of switches is connected to a second switch of the plurality of switches and is in the same group as the first communication node. When sending a broadcast packet to the second communication node to which it belongs,
Processing for identifying the first and second switches based on management information indicating the correspondence between the group and the communication nodes belonging to the group, and the topology of the network including the connections between the plurality of switches and the plurality of communication nodes When,
A process of setting a first processing rule for transferring the broadcast packet to the second switch in the first switch;
A process of setting a second processing rule for sending the broadcast packet from a port connected to the second communication node in the second switch;
A program that executes

Images