WO2014094287A1 - Configuration method of virtual machine control policy and exchange - Google Patents

Info

Publication number
WO2014094287A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
control policy
mac address
control
policy
Prior art date
Application number
PCT/CN2012/087123
Other languages
French (fr)
Chinese (zh)
Inventor
张恒梁
宋哲炫
李金成
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2012/087123 (WO2014094287A1)
Priority to CN201280002960.0A (CN103229489B)
Publication of WO2014094287A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45595: Network integration; Enabling network access in virtual machine instances

Definitions

  • The present invention relates to the field of communications, and in particular to a method and a switch for configuring a virtual machine control policy.
  • Background
  • Virtualization is the most important technical foundation for implementing cloud computing. Virtualization technology can improve resource utilization and enable rapid and flexible resource deployment based on changes in user business needs. Server virtualization enables well-separated workloads to share hardware again, dramatically reducing physical server footprint and power and cooling consumption, terminating server sprawl, and greatly speeding server provisioning.
  • In the prior art, a virtual switch that supports the virtual network card tag VN-Tag (a virtual network card tag used to identify a virtual machine) is connected to the virtual network card of a virtual machine. When data enters from the virtual network card of the virtual machine, the virtual switch adds a VN-Tag to the data and forwards it, implementing policy control at the virtual machine level.
  • The disadvantage of the prior art is that the solution requires the virtual switch, the access switch, and even the core network switch to support the technology at the same time. Devices that do not support the VN-Tag technology therefore need to be upgraded, which limits the application of the technical solution, and the cost of upgrading equipment is also high.
  • Summary of the invention
  • In the prior art, the method for configuring a virtual machine control policy by using the VN-Tag technology places high requirements on equipment and has a high cost.
  • The embodiments of the present invention provide a method and a switch for configuring a virtual machine control policy.
  • an embodiment of the present invention provides a method for configuring a virtual machine control policy, where the method includes:
  • The method further includes: receiving an address change message for the virtual machine, where the address change message carries an updated MAC address; and replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
  • The method further includes: receiving a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and replacing the second control policy with the second update control policy.
  • Before the acquiring of the MAC address of the virtual machine according to the virtual machine identifier in the first control policy, the method further includes: receiving the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
  • The replacing of the virtual machine identifier in the first control policy with a MAC address of the virtual machine to obtain the second control policy is specifically: replacing the virtual machine identifier in the first control policy one by one with the N MAC addresses to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses.
  • The method further includes: processing, according to the second control policy, a received data packet whose destination address or source address is the MAC address.
  • The processing of the data packet according to the second control policy specifically includes: receiving a data packet with the MAC address as a destination address or a source address; and forwarding the data packet or refusing to forward the data packet according to the second control policy.
  • The control policy includes at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic loss rate policy, and a maximum traffic jitter policy.
  • An embodiment of the present invention provides a switch, including a control module, where the control module includes a receiving submodule, an obtaining submodule, and a conversion submodule. The receiving submodule is configured to receive a first control policy for a virtual machine; the obtaining submodule is configured to acquire a MAC address of the virtual machine according to the virtual machine identifier in the first control policy; and the conversion submodule is configured to replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
  • The receiving submodule is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address; the conversion submodule is further configured to replace the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
  • The switch further includes a replacement submodule. The receiving submodule is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; the conversion submodule is further configured to acquire the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and the replacement submodule is configured to replace the second control policy with the second update control policy.
  • the receiving sub-module is further configured to: receive the virtual machine identifier, and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
  • The conversion submodule is specifically configured to replace the virtual machine identifier in the first control policy one by one with the N MAC addresses to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses.
  • The switch further includes a switching module connected to the control module. The switching module is configured to receive the second control policy from the control module and, according to the second control policy, forward or refuse to forward a received data packet with the MAC address as the destination address or the source address.
  • The control policy includes, but is not limited to, one or any combination of the following: access control policy, resource reservation policy, traffic priority policy, maximum traffic delay policy, maximum traffic loss rate policy, maximum traffic jitter policy.
  • In the embodiments of the present invention, the switch acquires a first control policy for the virtual machine from the network management center, acquires the MAC address of the virtual machine according to the virtual machine identifier in the first control policy, and replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy. The embodiments of the present invention thereby implement configuration and management of control policies at the MAC address level, and solve the problem that the method for configuring a virtual machine control policy by using the VN-Tag technology in the prior art places high requirements on equipment and has a high cost. This saves considerable economic cost and makes virtual machine level policy control easier to implement.
  • FIG. 1 is a schematic diagram of an application architecture of a method for configuring a virtual machine control policy according to an embodiment of the present disclosure
  • FIG. 2 is a flowchart of a method for configuring a virtual machine control policy according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a switch according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of another switch according to an embodiment of the present invention.
  • Detailed description
  • FIG. 1 is a schematic diagram of an application architecture of a method for configuring a virtual machine control policy according to an embodiment of the present invention.
  • The network management center can obtain the virtual MAC address corresponding to each network port of the virtual machine, and can associate the MAC addresses of the virtual network ports with the virtual machine (the correspondence can be expressed as the correspondence between the virtual machine identifier, which in the present application refers to the virtual machine ID, and the MAC addresses of the virtual machine). The network management center sends this correspondence, together with the control policy for the virtual machine, to the control module of the data center access switch.
  • The switch may be an OpenFlow switch. After receiving the correspondence between the MAC addresses of the virtual network ports and the virtual machine, and the control policy for the virtual machine, the control module may convert the control policy for the virtual machine into a control policy for the MAC address.
  • When the switch receives a data packet from a MAC address of the virtual machine, or a data packet sent to a MAC address of the virtual machine, it processes the data packet according to the control policy for the MAC address. In this way, policy control for the virtual machine is achieved.
  • FIG. 2 is a flowchart of a method for configuring a virtual machine control policy according to an embodiment of the present invention.
  • This embodiment is executed by a switch. It describes in detail how the switch, after obtaining a control policy for the virtual machine from the network management center, converts the control policy for the virtual machine into a control policy for the MAC address. As shown in FIG. 2, this embodiment includes the following steps:
  • Step 201: Receive a first control policy for a virtual machine.
  • The switch includes a control module and a switching module, and the switching module and the control module exchange information through an interface.
  • the switch and the network management center can communicate through the management interface.
  • the network management center can actively send the virtual MAC address corresponding to each network port of the virtual machine to the controller component, and the control policy for the virtual machine.
  • The first control policy obtained by the switch from the network management center is a control policy for the virtual machine. The control policy may include at least one of the following control policies: an access control policy, a resource reservation policy, and a traffic priority policy.
  • an access control policy for a virtual machine can be defined as denying forwarding of packets sent to a virtual machine.
  • the user can update the control policy of the virtual machine through the network management center.
  • the network management center can send the updated control policy to the switch.
  • the MAC address of the virtual machine also changes correspondingly.
  • The network management center may also actively send the updated MAC address to the switch.
  • Step 202: Acquire a MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
  • After the network management center sends the virtual machine ID of the virtual machine and the MAC address corresponding to the virtual machine ID to the switch, the switch can save the virtual machine identifier and the virtual machine MAC address in the local database.
  • A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. Therefore, one virtual machine may have one or more virtual MAC addresses, and the switch may obtain the one or more MAC addresses from the network management center. After receiving the first control policy for the virtual machine from the network management center, the switch extracts the virtual machine identifier of the virtual machine from the first control policy and can then query the corresponding MAC address in the local database according to the virtual machine identifier.
  • Step 203: Replace the virtual machine identifier in the first control policy by using a MAC address of the virtual machine to obtain a second control policy.
  • If the virtual machine has only one network port, that is, only one MAC address, the virtual machine ID in the first control policy of the virtual machine is directly replaced with the MAC address, and the second control policy for the MAC address is obtained. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ... MACn, then after the virtual machine identifier in the first control policy is replaced with MAC1, the second control policy for the MAC1 address is obtained; after the virtual machine identifier in the first control policy is replaced with MAC2, the second control policy for the MAC2 address is obtained; and after each of the n MAC addresses has replaced the virtual machine identifier in the first control policy, n second control policies are obtained.
  • For example, suppose virtual machine 1 has only one network port, that is, only one MAC address MAC1. If the first control policy is to refuse to forward all data packets sent to virtual machine 1, the second control policy is to refuse to forward all data packets sent to MAC1. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ... MACn, and the first control policy is to refuse to forward all packets sent to virtual machine 1, then the second control policy is to refuse to forward all packets sent to MAC1, MAC2, MAC3, ... MACn.
  • The second control policy may be sent to the switching module, and the switching module processes, according to the second control policy, data packets originating from or sent to the MAC address.
  • The switching module may locally query the corresponding second control policy according to the source MAC address or the destination MAC address of the data packet, and process the data packet accordingly.
  • The control module may deliver the second control policy to the switching module. If there is no corresponding second control policy in the control module, the first control policy for the virtual machine corresponding to the second control policy and the corresponding virtual machine MAC address may be obtained from the network management center, and the first control policy is converted into the second control policy and then delivered to the switching module.
  • The method further includes: receiving an address change message for the virtual machine, where the address change message carries an updated MAC address; and replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
  • the MAC address of the virtual machine changes correspondingly.
  • The network management center may also actively send the updated MAC address to the switch through the address change message, and the switch may substitute the updated MAC address for the MAC address in the saved second control policy to obtain a third control policy. If the number of updated MAC addresses is m, then each of the m MAC addresses is used to replace the original MAC address in the second control policy, so that m third control policies are obtained.
  • Alternatively, the switch may, according to the virtual machine identifier corresponding to the MAC address, obtain the first control policy for the virtual machine from the network management center, and replace the virtual machine identifier in the first control policy with each of the m MAC addresses to obtain m second control policies.
  • Because the second control policy for the original MAC address was also converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted after the MAC address of the virtual machine is changed. This saves space and also prevents incorrect policy control from being applied to another virtual machine whose MAC address later becomes the original MAC address.
  • The method further includes: receiving a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and replacing the second control policy with the second update control policy.
  • The network management center may send the updated control policy to the switch. After receiving the updated control policy, the switch may convert it into a control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, thereby realizing dynamic configuration of the control policy.
  • In the embodiments of the present invention, the switch acquires a first control policy for the virtual machine from the network management center, acquires the MAC address of the virtual machine according to the virtual machine identifier in the first control policy, and replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy. The embodiments of the present invention thereby implement configuration and management of control policies at the MAC address level, and solve the problem that the method for configuring a virtual machine control policy by using the VN-Tag technology in the prior art places high requirements on equipment and has a high cost. This saves considerable economic cost and makes virtual machine level policy control easier to implement.
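The conversion, address-change and policy-update steps described above, sketched as an added Python example (not code from the patent or from any switch product). The class and method names, the three-field policy record, the constructed sample MAC addresses and the default of forwarding when no deny policy matches are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

HEX = set("0123456789abcdef")


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-..' and 'aa:bb:..' map to one table key."""
    octets = mac.strip().lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(len(o) == 2 and set(o) <= HEX for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octets)


@dataclass(frozen=True)
class Policy:
    subject: str    # VM identifier (first policy) or MAC address (second/third policy)
    direction: str  # "to": match destination address, "from": match source address
    action: str     # "deny" or "allow"


class ControlModule:
    """Hypothetical model of the control module described in the text."""

    def __init__(self) -> None:
        self.vm_macs: Dict[str, List[str]] = {}    # local database: VM ID -> N MACs
        self.first: Dict[str, List[Policy]] = {}   # VM ID -> first control policies
        self.by_mac: Dict[str, List[Policy]] = {}  # MAC -> policies for the switching module

    def register_vm(self, vm_id: str, macs: List[str]) -> None:
        if not macs:
            raise ValueError("a VM needs N >= 1 MAC addresses")
        self.vm_macs[vm_id] = [norm_mac(m) for m in macs]

    def _convert(self, vm_id: str) -> List[Policy]:
        """Replace the VM identifier with each MAC: N MACs give N policies per rule."""
        out: List[Policy] = []
        for mac in self.vm_macs[vm_id]:
            self.by_mac[mac] = [replace(p, subject=mac) for p in self.first.get(vm_id, [])]
            out.extend(self.by_mac[mac])
        return out

    def receive_policy(self, policy: Policy, update: bool = False) -> List[Policy]:
        """Steps 201-203. With update=True the saved policies are replaced."""
        vm_id = policy.subject
        if vm_id not in self.vm_macs:
            raise LookupError(f"no MAC address known for VM {vm_id!r}")
        saved = [] if update else self.first.get(vm_id, [])
        self.first[vm_id] = saved + [policy]
        return self._convert(vm_id)

    def address_change(self, vm_id: str, new_macs: List[str]) -> List[Policy]:
        """Re-key policies to the updated MACs and delete those for stale MACs."""
        new = [norm_mac(m) for m in new_macs]
        if not new:
            raise ValueError("an address change needs at least one MAC address")
        stale = [m for m in self.vm_macs.get(vm_id, []) if m not in new]
        for mac in stale:
            self.by_mac.pop(mac, None)  # a stale entry must not hit a later owner
        self.vm_macs[vm_id] = new
        for other, macs in self.vm_macs.items():
            if other != vm_id and set(macs) & set(stale):
                self._convert(other)  # MAC already reassigned: restore its owner's policies
        return self._convert(vm_id)

    def decide(self, src_mac: str, dst_mac: str) -> str:
        """Switching-module lookup by source or destination MAC."""
        src, dst = norm_mac(src_mac), norm_mac(dst_mac)
        hits = [p for p in self.by_mac.get(dst, []) if p.direction == "to"]
        hits += [p for p in self.by_mac.get(src, []) if p.direction == "from"]
        # Assumption: forward when no deny policy matches.
        return "reject" if any(p.action == "deny" for p in hits) else "forward"


if __name__ == "__main__":
    cm = ControlModule()
    cm.register_vm("vm-1", ["02-00-00-00-00-01", "02:00:00:00:00:02"])  # constructed
    print(cm.receive_policy(Policy("vm-1", "to", "deny")))
    print(cm.address_change("vm-1", ["02:00:00:00:00:03"]))
    print(cm.decide("02:00:00:00:00:aa", "02:00:00:00:00:01"))
```

Deleting the entries for the original MAC addresses in `address_change` is what keeps a policy written for one virtual machine from being enforced against whichever machine is assigned that address next.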
  • The network interface adaptation module (physical network card) of the physical host where the virtual machine is located supports promiscuous mode, and the working state of the physical network card needs to be set to promiscuous mode.
  • The physical NIC does not modify the source MAC address of the sent data packet, so that the source MAC address of the data packet sent by the virtual network port of the virtual machine is not changed, and the destination MAC address is not filtered.
  • If the physical NIC of the switch does not support promiscuous mode, the physical NIC needs to be upgraded so that it does not modify the source MAC address when forwarding data packets from the virtual machine and does not filter the destination MAC address.
  • FIG. 3 is a schematic diagram of a switch according to an embodiment of the present invention.
  • The switch includes a control module 310.
  • The control module 310 includes a receiving submodule 311, an obtaining submodule 312, and a conversion submodule 313.
  • The switch also includes a switching module 320.
  • The switching module 320 and the control module 310 can be connected through an interface.
  • The control module 310 and the switching module 320 can be connected through an OpenFlow interface.
  • The receiving submodule 311 is configured to receive a first control policy for the virtual machine.
  • The receiving submodule 311 is further configured to receive the virtual machine identifier and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
  • The first control policy obtained by the switch from the network management center is a control policy for the virtual machine. The control policy may include at least one of the following control policies: an access control policy, a resource reservation policy, and a traffic priority policy.
  • an access control policy for a virtual machine can be defined as denying forwarding of packets sent to a virtual machine.
  • The obtaining submodule 312 is configured to obtain a MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
  • After the network management center sends the virtual machine ID of the virtual machine and the MAC address corresponding to the virtual machine ID to the switch, the switch can save the virtual machine identifier and the virtual machine MAC address in the local database.
  • A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. Therefore, one virtual machine may have one or more virtual MAC addresses, and the switch may obtain the one or more MAC addresses from the network management center.
  • After receiving the first control policy for the virtual machine from the network management center, the switch extracts the virtual machine identifier of the virtual machine from the first control policy and can then query the corresponding MAC address in the local database according to the virtual machine identifier.
  • The conversion submodule 313 is configured to replace the virtual machine identifier in the first control policy by using a MAC address of the virtual machine to obtain a second control policy.
  • The conversion submodule 313 is specifically configured to replace the virtual machine identifier in the first control policy one by one by using the N MAC addresses, to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses. If the virtual machine has only one network port, that is, only one MAC address, the virtual machine ID in the first control policy of the virtual machine is directly replaced with the MAC address, and the second control policy for the MAC address is obtained. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ... MACn, the virtual machine identifier in the first control policy is replaced with MAC1, and then the second control policy for the MAC1 address is obtained.
  • The second control policy may be sent to the switching module 320, and the switching module 320 processes, according to the second control policy, data packets originating from or sent to the MAC address.
  • The switching module 320 is configured to receive the second control policy from the control module and, according to the second control policy, forward or refuse to forward the received data packet with the MAC address as the destination address or the source address.
  • The control module 310 may deliver the second control policy to the switching module 320. If there is no corresponding second control policy in the control module 310, the first control policy for the virtual machine corresponding to the second control policy and the corresponding virtual machine MAC address may be obtained from the network management center, and the first control policy is converted into the second control policy and then delivered to the switching module 320.
  • The receiving submodule 311 is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address; and the conversion submodule 313 is further configured to replace the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
  • The network management center may also actively send the updated MAC address to the switch through the address change message, and the switch may substitute the updated MAC address for the MAC address in the saved second control policy to obtain a third control policy. If there are m updated MAC addresses, then each of the m MAC addresses is used to replace the original MAC address in the second control policy, so that m third control policies are obtained.
  • Alternatively, the switch may, according to the virtual machine identifier corresponding to the MAC address, obtain the first control policy for the virtual machine from the network management center, and replace the virtual machine identifier in the first control policy with each of the m MAC addresses to obtain m second control policies.
  • Because the second control policy for the original MAC address was also converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted after the MAC address of the virtual machine is changed. This saves space and also prevents incorrect policy control from being applied to another virtual machine whose MAC address later becomes the original MAC address.
  • The switch further includes a replacement submodule 314.
  • The receiving submodule 311 is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; the conversion submodule 313 is further configured to acquire the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and the replacement submodule 314 is configured to replace the second control policy by using the second update control policy.
  • The network management center may send the updated control policy to the switch. After receiving the updated control policy, the switch may convert it into a control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, thereby realizing dynamic configuration of the control policy.
  • an embodiment of the present invention implements the configuration and management of the control policy of the MAC address level, and solves the problem that the method for configuring the virtual machine control policy by using the VN-tag technology in the prior art has high requirements on equipment and high cost. It saves a lot of economic costs and makes virtual machine level policy control easier to implement.
  • an embodiment of the present invention further provides a switch
  • FIG. 4 is a schematic diagram of another switch according to an embodiment of the present invention.
  • the switch provided in this embodiment includes a network interface 401, a processor 402, and a memory 403.
  • System bus 404 is used to connect network interface 401, processor 402, and memory 403.
  • The network interface 401 can be used to communicate with the network management center and with the physical host where the virtual machine is located, respectively.
  • Memory 403 can be a persistent storage, such as a hard drive and flash memory, with software modules and device drivers in memory 403, and a database for storing control policies.
  • the software modules are capable of executing the various functional modules of the above described method of the present invention; the device drivers can be network and interface drivers.
  • the first control policy includes at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic loss rate policy, and a maximum traffic jitter policy.
  • After the network management center sends the virtual machine ID of the virtual machine and the MAC address corresponding to the virtual machine ID to the switch, the switch can save the virtual machine identifier and the virtual machine MAC address in the local database.
  • A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. Therefore, one virtual machine may have one or more virtual MAC addresses, and the switch may obtain the one or more MAC addresses from the network management center.
  • After receiving the first control policy for the virtual machine from the network management center, the switch extracts the virtual machine identifier of the virtual machine from the first control policy and can then query the corresponding MAC address in the local database according to the virtual machine identifier.
  • the processor 402 accesses the software component of the memory 403, and executes an instruction of the following process:
  • the MAC address of the virtual machine changes accordingly.
  • The network management center can also actively send the updated MAC address to the switch through the address change message, and the switch can substitute the updated MAC address for the MAC address in the saved second control policy to obtain a third control policy. If there are m MAC addresses after the update, the original MAC address in the second control policy is replaced by each of the m MAC addresses, and m third control policies are obtained.
  • Alternatively, the switch may, according to the virtual machine identifier corresponding to the MAC address, obtain the first control policy for the virtual machine from the network management center, and replace the virtual machine identifier in the first control policy with each of the m MAC addresses to obtain m second control policies.
  • Because the second control policy for the original MAC address was also converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted after the MAC address of the virtual machine is changed. This saves space and also prevents incorrect policy control from being applied to another virtual machine whose MAC address later becomes the original MAC address.
  • the processor 402 accesses the software component of the memory 403, and executes an instruction of the following process:
  • the second control policy is replaced with the second update control policy.
  • the network management center may send the updated control policy to the switch. After receiving the updated control policy, the switch may convert it into a control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, thereby realizing dynamic configuration of the control policy.
  • the processor 402 accesses the software component of the memory 403 according to the virtual machine identifier in the first control policy, and after querying the MAC address of the virtual machine, the processor 402 executes an instruction of the following process: The virtual machine identifier, and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
  • the process in which the processor 402 replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain the second control policy is specifically: replacing the virtual machine identifier in the first control policy with the N MAC addresses one by one to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses.
  • the switch receives the data packet through the network interface 401
  • the processor 402 accesses the software component of the memory 403 and executes an instruction of: processing, according to the second control policy, received data packets that have the MAC address as the destination address or the source address. Specifically, a data packet with the MAC address as the destination address or the source address is received; according to the second control policy, the data packet is forwarded or forwarding of the data packet is refused.
  • the embodiment of the present invention implements the configuration and management of the control policy of the MAC address level, and solves the problem that the method for configuring the virtual machine control policy by using the VN-tag technology in the prior art has high requirements on equipment and high cost. It saves a lot of economic costs and makes virtual machine level policy control easier to implement.
  • RAM random access memory
  • ROM read-only memory
  • EPROM electrically programmable ROM
  • EEPROM electrically erasable programmable ROM
  • registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the technical field.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a method for configuring a virtual machine control policy and a switch. The method includes: receiving a first control policy for a virtual machine; obtaining a MAC address of the virtual machine according to a virtual machine identifier in the first control policy; and replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy. The embodiments of the present invention thereby realize the configuration and management of control policies at the MAC address level and make policy control at the MAC address level easier to implement.

Description

Virtual machine control policy configuration method and switch

Technical Field

The present invention relates to the field of communications, and in particular to a method for configuring a virtual machine control policy and a switch.

Background

Virtualization is the most important technical foundation for cloud computing. Virtualization technology improves resource utilization and allows resources to be deployed quickly and flexibly as user service requirements change. Server virtualization lets well-isolated workloads share hardware again, which greatly reduces the space that physical servers occupy and their power and cooling consumption, ends server sprawl, and greatly speeds up server provisioning.
Because server application scenarios and server types differ, server virtualization requires a comprehensive virtualization software platform as well as a hardware platform with multiple cores, high-density and reliable memory, and scalable input/output (I/O) throughput. However, general-purpose server virtualization technology cannot protect and enforce policies at the virtual machine level, nor can it make policies move with the virtual machine.
In the prior art, a virtual switch that supports the virtual network interface card tag VN-Tag (used to identify a virtual machine's virtual NIC) creates many ports that correspond to the virtual NICs of virtual machines. When data from a virtual machine's virtual NIC enters the virtual switch, the virtual switch adds a VN-Tag to the data and then forwards it, which implements policy control at the virtual machine level. The drawback of the prior art is that the solution requires the virtual switch, the access switch and even the core network switch to support the technology at the same time, so devices that do not support VN-Tag must be upgraded. This limits the applicability of the solution, and upgrading the devices is costly.

Summary of the Invention

In view of the problem that the prior-art method of configuring virtual machine control policies with VN-Tag technology places high demands on devices and is costly, embodiments of the present invention provide a method for configuring a virtual machine control policy and a switch.
In a first aspect, an embodiment of the present invention provides a method for configuring a virtual machine control policy, the method including:
receiving a first control policy for a virtual machine;
obtaining a MAC address of the virtual machine according to a virtual machine identifier in the first control policy; and replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
In a first possible implementation, after the second control policy is obtained, the method further includes: receiving an address change message for the virtual machine, the address change message carrying an updated MAC address; and replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
With reference to the first aspect, in a second possible implementation, after the second control policy is obtained, the method further includes: receiving a first update control policy for the virtual machine, the first update control policy including the virtual machine identifier of the virtual machine; obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and replacing the second control policy with the second update control policy.
With reference to the first aspect, in a third possible implementation, before the MAC address of the virtual machine is obtained according to the virtual machine identifier in the first control policy, the method further includes: receiving the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain the second control policy is specifically: replacing the virtual machine identifier in the first control policy with the N MAC addresses one by one to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses.
With reference to the first aspect, in a fifth possible implementation, after the second control policy is obtained, the method further includes: processing, according to the second control policy, received data packets that have the MAC address as the destination address or the source address.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, processing, according to the second control policy, received data packets that have the MAC address as the destination address or the source address specifically includes: receiving a data packet that has the MAC address as the destination address or the source address; and, according to the second control policy, forwarding the data packet or refusing to forward the data packet.
With reference to the first aspect or the first, second, third, fourth, fifth or sixth possible implementation of the first aspect, in a seventh possible implementation, the first control policy includes at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
In a second aspect, an embodiment of the present invention provides a switch including a control module, where the control module includes a receiving submodule, an obtaining submodule and a conversion submodule. The receiving submodule is configured to receive a first control policy for a virtual machine; the obtaining submodule is configured to obtain a MAC address of the virtual machine according to a virtual machine identifier in the first control policy; and the conversion submodule is configured to replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
In a first possible implementation, the receiving submodule is further configured to receive an address change message for the virtual machine, the address change message carrying an updated MAC address; and the conversion submodule is further configured to replace the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
With reference to the second aspect, in a second possible implementation, the switch further includes a replacement submodule. The receiving submodule is further configured to receive a first update control policy for the virtual machine, the first update control policy including the virtual machine identifier of the virtual machine; the conversion submodule is further configured to obtain the MAC address corresponding to the virtual machine identifier and to replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and the replacement submodule is configured to replace the second control policy with the second update control policy.
With reference to the second aspect, in a third possible implementation, the receiving submodule is further configured to receive the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, the conversion submodule is specifically configured to replace the virtual machine identifier in the first control policy with the N MAC addresses one by one to obtain N second control policies, where the N second control policies correspond one-to-one to the N MAC addresses.
With reference to the second aspect, in a fifth possible implementation, the switch further includes a switching module connected to the control module. The switching module is configured to receive the second control policy from the control module and, according to the second control policy, to forward or refuse to forward received data packets that have the MAC address as the destination address or the source address.
With reference to the second aspect or the first, second, third, fourth or fifth possible implementation of the second aspect, in a sixth possible implementation, the control policy includes, but is not limited to, one or any combination of the following: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
In the embodiments of the present invention, the switch obtains a first control policy for a virtual machine from the network management center; obtains the MAC address of the virtual machine according to the virtual machine identifier in the first control policy; and replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy. The embodiments of the present invention thereby realize the configuration and management of control policies at the MAC address level, solve the problem that the prior-art method of configuring virtual machine control policies with VN-Tag technology places high demands on devices and is costly, save substantial cost, and make virtual-machine-level policy control easier to implement.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of the application architecture of a method for configuring a virtual machine control policy according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for configuring a virtual machine control policy according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a switch according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another switch according to an embodiment of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a schematic diagram of the application architecture of a method for configuring a virtual machine control policy according to an embodiment of the present invention. As shown in FIG. 1, the network management center can obtain the virtual MAC address of each network port of a virtual machine. It can send to the control module of the data center access switch both the correspondence between the MAC addresses of the virtual machine's virtual network ports and the virtual machine (expressed as the correspondence between the virtual machine identifier and the virtual machine's MAC addresses; in this application, the virtual machine identifier means the ID of the virtual machine) and the control policy for the virtual machine. The switch may be an OpenFlow switch. After receiving the correspondence between the MAC addresses of the virtual network ports and the virtual machine, together with the control policy for the virtual machine, the control module can convert the control policy for the virtual machine into a control policy for the MAC address. When the switch receives a data packet from one of the virtual machine's MAC addresses or sent to one of the virtual machine's MAC addresses, it can process the packet according to the control policy for the MAC address, thereby implementing policy control for the virtual machine.
FIG. 2 is a flowchart of a method for configuring a virtual machine control policy according to an embodiment of the present invention. The method is performed by a switch. The embodiment describes in detail how the switch, after obtaining a control policy for a virtual machine from the network management center, converts it into a control policy for a MAC address. As shown in FIG. 2, the embodiment includes the following steps:
Step 201: Receive a first control policy for a virtual machine.
To implement the technical solution of the present invention, the switch includes a control module and a switching module, which exchange information through an interface. The switch and the network management center can communicate through a management interface. The network management center can actively send to the controller component the virtual MAC address of each network port of the virtual machine and the control policy for the virtual machine.
The first control policy that the switch obtains from the network management center is a control policy for the virtual machine. It may include at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
For example, an access control policy for a virtual machine can be defined as refusing to forward data packets sent to a particular virtual machine.
A user can also update the control policy of a virtual machine through the network management center, in which case the network management center can send the updated control policy to the switch. After a virtual machine migrates, its MAC address changes accordingly; once the network management center obtains the migration information, it can also actively send the updated MAC address to the switch.
Step 202: Obtain the MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to that identifier to the switch, the switch can save the virtual machine identifier and the virtual machine MAC address in a local database.
A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. One virtual machine may therefore have one or more virtual MAC addresses, and the switch can obtain the one or more MAC addresses from the network management center.
After the network management center receives the first control policy of the virtual machine and the switch extracts the virtual machine identifier from the first control policy, the switch can query the local database for the corresponding MAC address according to the virtual machine identifier.
Step 203: Replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
If the virtual machine has only one network port, that is, only one MAC address, the virtual machine identifier in the first control policy for the virtual machine is replaced directly with that MAC address, which gives the second control policy for that MAC address. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ..., MACn, replacing the virtual machine identifier in the first control policy with MAC1 gives the second control policy for MAC1, and replacing it with MAC2 gives the second control policy for MAC2. Replacing the virtual machine identifier in the first control policy with each of the n MAC addresses gives n second control policies.
For example, suppose virtual machine 1 has only one network port, that is, only one MAC address, MAC1. If the first control policy is to refuse to forward all data packets sent to virtual machine 1, the second control policy is to refuse to forward all data packets sent to MAC1. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ..., MACn, and the first control policy is to refuse to forward all data packets sent to virtual machine 1, the second control policy is to refuse to forward all data packets sent to MAC1, MAC2, MAC3, ..., MACn.
After the control module in the switch converts the first control policy for the virtual machine into the second control policy for the MAC address, it can send the second control policy to the switching module, so that the switching module processes data packets originating from or sent to that MAC address according to the second control policy.
Specifically, when the switching module receives a data packet that has the MAC address as the destination address or the source address, it can look up the corresponding second control policy locally by the packet's source MAC address or destination MAC address and process the packet accordingly.
If, after receiving a data packet that has the MAC address as the destination address or the source address, the switching module determines by a local lookup that no corresponding second control policy is configured locally, the control module can deliver the second control policy to the switch component. If the control module has no corresponding second control policy, it can obtain from the network management center the first control policy for the virtual machine that corresponds to the second control policy, together with the corresponding virtual machine MAC address, convert the first control policy into the second control policy, and deliver it to the switching module.
In an optional implementation of the embodiment of the present invention, after the second control policy is obtained, the method further includes: receiving an address change message for the virtual machine, the address change message carrying an updated MAC address; and replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy. Specifically, after a virtual machine migrates, its MAC address changes accordingly. Once the network management center obtains the migration information, it can actively send the updated MAC address to the switch in an address change message, and the switch can replace the MAC address in the saved second control policy with the updated MAC address to obtain the third control policy. If there are m updated MAC addresses, replacing the original MAC address in the second control policy with each of the m MAC addresses gives m third control policies.
Optionally, after the updated MAC address is obtained, the first control policy for the virtual machine can also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and the virtual machine identifier in the first control policy can be replaced with each of the m MAC addresses to obtain m second control policies.
Note that because the second control policy for the original MAC address was also converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted once the virtual machine's MAC address has changed. This saves space, and it also prevents erroneous policy control being applied to another virtual machine whose MAC address later becomes that original MAC address.
Correspondingly, after the second control policy is obtained, the method further includes: receiving a first update control policy for the virtual machine, the first update control policy including the virtual machine identifier of the virtual machine; obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and replacing the second control policy with the second update control policy. Specifically, if a user updates the control policy for the virtual machine through the network management center, the network management center can send the updated control policy to the switch. After receiving it, the switch can convert the updated control policy into a control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, which achieves dynamic configuration of control policies.
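The conversion, address-change and update steps described above, as an added Python sketch that is not part of the patent text: a hypothetical `ControlModule` expands a first control policy into N per-MAC policies, rewrites them on an address change while deleting the stale entries, and makes the forward/deny decision. All class, field and function names, the constructed sample MAC addresses, and the default of forwarding when no rule denies are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Policy:
    subject: str   # VM identifier (first policy) or MAC address (second/third policy)
    match: str     # "dst", "src" or "any": which address field the rule applies to
    action: str    # "forward" or "deny"


def norm(mac: str) -> str:
    """Canonical form, so 'AA-BB-..' and 'aa:bb:..' hit the same table entry."""
    return mac.strip().lower().replace("-", ":")


class ControlModule:
    """Hypothetical model of the switch's control module (not the patent's code)."""

    def __init__(self) -> None:
        self.vm_macs: Dict[str, List[str]] = {}    # local database: VM ID -> MACs
        self.mac_policy: Dict[str, Policy] = {}    # installed per-MAC policies

    def learn_vm(self, vm_id: str, macs: List[str]) -> None:
        if not macs:
            raise ValueError("a VM identifier needs N >= 1 MAC addresses")
        self.vm_macs[vm_id] = [norm(m) for m in macs]

    def install(self, first: Policy) -> List[Policy]:
        """Steps 201-203: one second control policy per MAC of the VM.
        Calling it again for the same VM is the policy-update path: the new
        per-MAC policies replace the ones saved earlier."""
        if first.subject not in self.vm_macs:
            raise KeyError(f"no MAC address known for VM {first.subject!r}")
        second = [replace(first, subject=m) for m in self.vm_macs[first.subject]]
        for p in second:
            self.mac_policy[p.subject] = p
        return second

    def address_change(self, vm_id: str, new_macs: List[str]) -> List[Policy]:
        """Rewrite saved policies to the updated MACs (third control policies)
        and delete the entries keyed by the original MACs."""
        old = self.vm_macs.get(vm_id, [])
        self.learn_vm(vm_id, new_macs)             # validates before any deletion
        stale = [self.mac_policy.pop(m) for m in old if m in self.mac_policy]
        if not stale:
            return []
        third = [replace(stale[0], subject=m) for m in self.vm_macs[vm_id]]
        for p in third:
            self.mac_policy[p.subject] = p
        return third

    def decide(self, src_mac: str, dst_mac: str) -> str:
        """Switching-module lookup by source and destination MAC."""
        for field, mac in (("src", src_mac), ("dst", dst_mac)):
            p = self.mac_policy.get(norm(mac))
            if p and p.match in (field, "any") and p.action == "deny":
                return "deny"
        return "forward"   # assumption: forward when no installed rule denies


def demo() -> Dict[str, object]:
    """Constructed scenario: a two-port VM migrates and its old MAC is reused."""
    cm = ControlModule()
    peer = "02:00:00:00:00:aa"                     # constructed sample addresses
    cm.learn_vm("vm-1", ["02:00:00:00:00:01", "02-00-00-00-00-02"])
    second = cm.install(Policy("vm-1", "dst", "deny"))
    before = cm.decide(peer, "02:00:00:00:00:02")
    third = cm.address_change("vm-1", ["02:00:00:00:00:03"])
    cm.learn_vm("vm-2", ["02:00:00:00:00:01"])     # original MAC now belongs to vm-2
    reused = cm.decide(peer, "02:00:00:00:00:01")
    migrated = cm.decide(peer, "02:00:00:00:00:03")
    cm.install(Policy("vm-1", "dst", "forward"))   # updated policy from the NMC
    updated = cm.decide(peer, "02:00:00:00:00:03")
    return {
        "second": [p.subject for p in second],
        "third": [p.subject for p in third],
        "before": before, "reused": reused,
        "migrated": migrated, "updated": updated,
        "table": sorted(cm.mac_policy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `reused` result is the case the stale-policy note is about: if `address_change` left the old entries in place, traffic to vm-2 on the recycled MAC would still be denied under vm-1's policy.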
In this embodiment of the present invention, the switch obtains a first control policy for a virtual machine from the network management center; obtains the MAC address of the virtual machine according to the virtual machine identifier in the first control policy; and replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy. The embodiment thus implements configuration and management of control policies at the MAC-address level, and solves the problem that the prior-art method of configuring virtual machine control policies with VN-tag technology places high demands on equipment and is costly. This saves substantial economic cost and makes virtual-machine-level policy control easier to implement.
It should be noted that if the network interface adapter module (physical NIC) of the physical host on which the virtual machine resides supports promiscuous mode (Promiscuous Mode), the physical NIC must be set to work in that mode. In promiscuous mode, the physical NIC does not modify the source MAC address of outgoing packets, which ensures that the source MAC address of packets sent from the virtual machine's virtual network port is not changed; and when it receives packets sent to the NIC, it does not filter on the destination MAC address. If the physical NIC of the switch does not support promiscuous mode, the physical NIC needs a functional upgrade so that it does not modify the source MAC address when forwarding packets from the virtual machine, and does not filter on the destination MAC address when it receives packets sent to the NIC.
Correspondingly, an embodiment of the present invention further provides a switch, which may be an OpenFlow switch. FIG. 3 is a schematic diagram of a switch according to an embodiment of the present invention. As shown in FIG. 3, the switch includes a control module 310, and the control module 310 includes a receiving submodule 311, an obtaining submodule 312, and a conversion submodule 313; the switch further includes a switching module 320. The switching module 320 and the control module 310 may be connected through an interface. For example, in an OpenFlow switch, the control module 310 and the switching module 320 may be connected through an OpenFlow interface.
The receiving submodule 311 is configured to receive a first control policy for a virtual machine.
The receiving submodule 312 is further configured to receive the virtual machine identifier and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
The first control policy that the switch obtains from the network management center is a control policy for the virtual machine, and it may include at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
For example, an access control policy for a virtual machine may be defined as refusing to forward packets sent to a particular virtual machine.
The obtaining submodule 312 is configured to obtain the MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to that identifier to the switch, the switch may save the virtual machine identifier and the virtual machine MAC address in a local database.
A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. A virtual machine may therefore have one or more virtual MAC addresses, and the switch may obtain the one or more MAC addresses from the network management center.
After the network management center receives the first control policy for the virtual machine, and the switch extracts the virtual machine identifier from the first control policy, the switch can query the local database for the corresponding MAC address according to that identifier.
The conversion submodule 313 is configured to replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
The conversion submodule 313 is specifically configured to replace the virtual machine identifier in the first control policy with each of the N MAC addresses in turn, to obtain N second control policies, where the N second control policies are in one-to-one correspondence with the N MAC addresses.
If the virtual machine has only one network port, that is, only one MAC address, the virtual machine identifier in the first control policy for the virtual machine is replaced directly with that MAC address to obtain the second control policy for that MAC address. If the virtual machine has multiple network ports, that is, multiple MAC addresses MAC1, MAC2, MAC3, ..., MACn, then replacing the virtual machine identifier in the first control policy with MAC1 yields the second control policy for the MAC1 address; replacing it with MAC2 yields the second control policy for the MAC2 address; and replacing the virtual machine identifier in the first control policy with each of the n MAC addresses yields n second control policies.
After the control module 310 in the switch converts the first control policy for the virtual machine into the second control policy for the MAC address, it can send the second control policy to the switching module, so that the switching module 320 processes packets originating from or sent to that MAC address according to the second control policy.
The switching module 320 is configured to receive the second control policy from the control module and, according to the second control policy, forward or refuse to forward received packets whose destination address or source address is the MAC address.
Of course, if the switching module 320, after receiving a packet whose destination or source address is the MAC address, queries locally and determines that no corresponding second control policy is configured locally, the control module 310 may deliver the second control policy to the switching module 320. If the control module 310 has no corresponding second control policy, it may obtain from the network management center the first control policy for the virtual machine corresponding to that second control policy, together with the corresponding virtual machine MAC address, convert the first control policy into the second control policy, and deliver it to the switching module 320.
Preferably, when the address of the virtual machine changes, the receiving submodule 311 is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address; and the conversion submodule 313 is further configured to replace the MAC address in the second control policy with the updated MAC address to obtain a third control policy. Specifically, after a virtual machine is migrated, its MAC address changes accordingly. After the network management center obtains the migration information, it may proactively send the updated MAC address to the switch in an address change message, and the switch may use the updated MAC address to replace the MAC address in the saved second control policy to obtain the third control policy. If there are m updated MAC addresses, replacing the original MAC address in the second control policy with each of the m MAC addresses yields m third control policies.
Optionally, after the updated MAC address is obtained, the first control policy for the virtual machine may also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and the virtual machine identifier in the first control policy may be replaced with each of the m MAC addresses to obtain m second control policies.
It should be noted that, because the second control policy for the original MAC address was itself converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted once the virtual machine's MAC address has changed. This saves space and also prevents incorrect policy control from being applied to another virtual machine whose MAC address later becomes that original MAC address.
Preferably, the switch further includes a replacement submodule 314. After the control policy for the virtual machine changes, the receiving submodule 311 is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; the conversion submodule 313 is further configured to obtain the MAC address corresponding to the virtual machine identifier and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and the replacement submodule 314 is configured to replace the second control policy with the second update control policy. Specifically, if a user updates the control policy for the virtual machine through the network management center, the network management center may send the updated control policy to the switch. After receiving it, the switch may convert the updated control policy into a control policy for the corresponding MAC address and use that updated MAC-address control policy to replace the previously saved second control policy, thereby achieving dynamic configuration of control policies.
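The control-module behaviour described above (one first control policy converted into N second control policies, an address change that deletes the entries for the original MAC addresses, and a policy update that replaces the stored entries), as an added Python example that is not code from the patent. The `Policy` fields, the forward/deny encoding, the default action when no policy matches, the rejection of a MAC already bound to another VM, and the sample MAC addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so a lookup cannot miss because of case or separator."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


@dataclass(frozen=True)
class Policy:
    subject: str  # VM identifier (first policy) or MAC address (second/third)
    action: str   # "forward" or "deny" (assumed encoding of an access policy)


class ControlModule:
    def __init__(self, default_action: str = "forward"):
        self.vm_macs: Dict[str, List[str]] = {}  # local database: VM id -> MACs
        self.first: Dict[str, Policy] = {}       # VM id -> first control policy
        self.by_mac: Dict[str, Policy] = {}      # MAC -> installed MAC-level policy
        self.default_action = default_action     # assumption: used when nothing matches

    def check_macs(self, vm_id: str, macs: List[str]) -> List[str]:
        """Validate N >= 1 MACs and refuse a MAC still bound to another VM."""
        macs = [norm_mac(m) for m in macs]
        if not macs:
            raise ValueError("a VM needs N >= 1 MAC addresses")
        for other, owned in self.vm_macs.items():
            if other != vm_id and set(owned) & set(macs):
                raise ValueError(f"MAC already bound to {other}")
        return macs

    def learn_vm(self, vm_id: str, macs: List[str]) -> None:
        """Store the VM identifier and its N MACs sent by the management center."""
        if vm_id in self.vm_macs:      # re-announcement is an address change
            self.address_change(vm_id, macs)
        else:
            self.vm_macs[vm_id] = self.check_macs(vm_id, macs)

    def install(self, vm_id: str) -> List[Policy]:
        """Replace the VM identifier with each MAC in turn: N MAC-level policies."""
        action = self.first[vm_id].action
        out = [Policy(mac, action) for mac in self.vm_macs[vm_id]]
        self.by_mac.update({p.subject: p for p in out})
        return out

    def receive_policy(self, policy: Policy) -> List[Policy]:
        """First (or first update) control policy in, second policies out."""
        if policy.action not in ("forward", "deny"):
            raise ValueError(f"unknown action {policy.action!r}")
        if policy.subject not in self.vm_macs:
            raise KeyError(f"unknown VM identifier {policy.subject!r}")
        self.first[policy.subject] = policy
        return self.install(policy.subject)   # overwrites the stored entries

    def address_change(self, vm_id: str, new_macs: List[str]) -> List[Policy]:
        """Build third control policies and delete those for the original MACs."""
        old = self.vm_macs[vm_id]
        new = self.check_macs(vm_id, new_macs)
        for mac in old:                # stale entries must not outlive the binding
            self.by_mac.pop(mac, None)
        self.vm_macs[vm_id] = new
        return self.install(vm_id) if vm_id in self.first else []

    def handle_packet(self, src: str, dst: str) -> str:
        """Apply policies whose MAC is the packet's source or destination."""
        hits = [self.by_mac[m] for m in (norm_mac(src), norm_mac(dst))
                if m in self.by_mac]
        if any(p.action == "deny" for p in hits):
            return "deny"
        return "forward" if hits else self.default_action


def demo():
    """Constructed scenario: vm-a migrates and vm-b later takes vm-a's old MAC."""
    cm = ControlModule()
    cm.learn_vm("vm-a", ["52:54:00:AA:00:01", "52:54:00:aa:00:02"])
    cm.learn_vm("vm-b", ["52:54:00:bb:00:01"])
    cm.receive_policy(Policy("vm-a", "deny"))
    before = cm.handle_packet("52:54:00:bb:00:01", "52:54:00:aa:00:01")
    cm.address_change("vm-a", ["52:54:00:aa:00:09"])
    cm.address_change("vm-b", ["52:54:00:aa:00:01"])
    reused = cm.handle_packet("52:54:00:cc:00:01", "52:54:00:aa:00:01")
    moved = cm.handle_packet("52:54:00:cc:00:01", "52:54:00:aa:00:09")
    return before, reused, moved


if __name__ == "__main__":
    print(demo())
```

If `address_change` skipped the deletion loop, the packet to vm-b at the reused address would still be denied under vm-a's policy, which is the incorrect policy control the description warns about.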
The embodiment of the present invention thus implements configuration and management of control policies at the MAC-address level, and solves the problem that the prior-art method of configuring virtual machine control policies with VN-tag technology places high demands on equipment and is costly. This saves substantial economic cost and makes virtual-machine-level policy control easier to implement.
Correspondingly, an embodiment of the present invention further provides a switch. FIG. 4 is a schematic diagram of another switch according to an embodiment of the present invention. As shown in FIG. 4, the switch provided in this embodiment includes a network interface 401, a processor 402, and a memory 403. A system bus 404 connects the network interface 401, the processor 402, and the memory 403.
The network interface 401 may be used to communicate with the network management center and with the physical host on which the virtual machine resides, respectively.
The memory 403 may be persistent storage, such as a hard disk drive or flash memory. The memory 403 holds software modules and device drivers, and may also hold a database for storing control policies. The software modules are capable of executing the functional modules of the above method of the present invention; the device drivers may be network and interface drivers.
At startup, these software components are loaded into the memory 403 and are then accessed by the processor 402, which executes the following instructions:
receiving a first control policy for a virtual machine;
obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control policy;
replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
The first control policy includes at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to that identifier to the switch, the switch may save the virtual machine identifier and the virtual machine MAC address in a local database.
A virtual machine may have one or more network ports, and each network port corresponds to one virtual MAC address. A virtual machine may therefore have one or more virtual MAC addresses, and the switch may obtain the one or more MAC addresses from the network management center.
After the network management center receives the first control policy for the virtual machine, and the switch extracts the virtual machine identifier from the first control policy, the switch can query the local database for the corresponding MAC address according to that identifier.
Further, after the second control policy is obtained, the processor 402, after accessing the software components in the memory 403, executes instructions for the following process:
receiving an address change message for the virtual machine, where the address change message carries an updated MAC address;
replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
Specifically, after a virtual machine is migrated, its MAC address changes accordingly. After the network management center obtains the migration information, it may proactively send the updated MAC address to the switch in an address change message, and the switch may use the updated MAC address to replace the MAC address in the saved second control policy to obtain the third control policy. If there are m updated MAC addresses, replacing the original MAC address in the second control policy with each of the m MAC addresses yields m third control policies.
Optionally, after the updated MAC address is obtained, the first control policy for the virtual machine may also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and the virtual machine identifier in the first control policy may be replaced with each of the m MAC addresses to obtain m second control policies.
It should be noted that, because the second control policy for the original MAC address was itself converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted once the virtual machine's MAC address has changed. This saves space and also prevents incorrect policy control from being applied to another virtual machine whose MAC address later becomes that original MAC address.
Further, after the second control policy is obtained, the processor 402, after accessing the software components in the memory 403, executes instructions for the following process:
receiving a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine;
obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy;
replacing the second control policy with the second update control policy.
Specifically, if a user updates the control policy for the virtual machine through the network management center, the network management center may send the updated control policy to the switch. After receiving it, the switch may convert the updated control policy into a control policy for the corresponding MAC address and use that updated MAC-address control policy to replace the previously saved second control policy, thereby achieving dynamic configuration of control policies.
Further, before the MAC address of the virtual machine is queried according to the virtual machine identifier in the first control policy, the processor 402, after accessing the software components in the memory 403, executes instructions for the following process: receiving the virtual machine identifier and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
The process in which the processor 402 replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain the second control policy is specifically: replacing the virtual machine identifier in the first control policy with each of the N MAC addresses in turn, to obtain N second control policies, where the N second control policies are in one-to-one correspondence with the N MAC addresses.
Further, after the switch receives a packet through the network interface 401, the processor 402, after accessing the software components in the memory 403, executes instructions for the following process: processing, according to the second control policy, received packets whose destination address or source address is the MAC address. Specifically: receiving a packet whose destination address or source address is the MAC address; and, according to the second control policy, forwarding the packet or refusing to forward the packet.
The embodiment of the present invention thus implements configuration and management of control policies at the MAC-address level, and solves the problem that the prior-art method of configuring virtual machine control policies with VN-tag technology places high demands on equipment and is costly. This saves substantial economic cost and makes virtual-machine-level policy control easier to implement.
A person skilled in the art should further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered beyond the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be implemented in hardware, in a software module executed by a processor, or in a combination of both. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The specific embodiments described above further explain the objectives, technical solutions, and beneficial effects of the present invention in detail. It should be understood that the foregoing is merely specific embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent replacement, or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for configuring a virtual machine control policy, characterized in that the method includes:
receiving a first control policy for a virtual machine;
obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control policy;
replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
2. The method for configuring a virtual machine control policy according to claim 1, characterized in that, after the second control policy is obtained, the method further includes:
receiving an address change message for the virtual machine, where the address change message carries an updated MAC address;
replacing the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
3. The method for configuring a virtual machine control policy according to claim 1, characterized in that, after the second control policy is obtained, the method further includes:
receiving a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine;
obtaining the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy;
replacing the second control policy with the second update control policy.
4. The method for configuring a virtual machine control policy according to claim 1, characterized in that, before the MAC address of the virtual machine is obtained according to the virtual machine identifier in the first control policy, the method further includes: receiving the virtual machine identifier and the N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
5. The method for configuring a virtual machine control policy according to claim 4, characterized in that replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain the second control policy is specifically:
replacing the virtual machine identifier in the first control policy with each of the N MAC addresses in turn, to obtain N second control policies, where the N second control policies are in one-to-one correspondence with the N MAC addresses.
6. The method for configuring a virtual machine control policy according to claim 1, characterized in that, after the second control policy is obtained, the method further includes: processing, according to the second control policy, received packets whose destination address or source address is the MAC address.
7. The method for configuring a virtual machine control policy according to claim 6, characterized in that processing, according to the second control policy, received packets whose destination address or source address is the MAC address specifically includes:
receiving a packet whose destination address or source address is the MAC address;
according to the second control policy, forwarding the packet or refusing to forward the packet.
8. The method for configuring a virtual machine control policy according to any one of claims 1 to 7, characterized in that the first control policy includes at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
9. A switch, characterized in that the switch includes a control module, and the control module includes a receiving submodule, an obtaining submodule, and a conversion submodule;
the receiving submodule is configured to receive a first control policy for a virtual machine;
the obtaining submodule is configured to obtain the MAC address of the virtual machine according to the virtual machine identifier in the first control policy;
the conversion submodule is configured to replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
10. The switch according to claim 9, characterized in that the receiving submodule is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address;
the conversion submodule is further configured to replace the MAC address in the second control policy with the updated MAC address to obtain a third control policy.
11. The switch according to claim 9, wherein the switch further comprises a replacement sub-module;
the receiving sub-module is further configured to receive a first update control policy for the virtual machine, the first update control policy comprising the virtual machine identifier of the virtual machine;
the conversion sub-module is further configured to obtain the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address, to obtain a second update control policy; and
the replacement sub-module is configured to replace the second control policy with the second update control policy.
12. The switch according to claim 9, wherein the receiving sub-module is further configured to receive the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
13. The switch according to claim 12, wherein the conversion sub-module is specifically configured to replace the virtual machine identifier in the first control policy with the N MAC addresses one by one, to obtain N second control policies, the N second control policies corresponding respectively to the N MAC addresses.
14. The switch according to claim 9, wherein the switch further comprises a switching module, and the switching module is connected to the control module; and
the switching module is configured to receive the second control policy from the control module and, according to the second control policy, forward or refuse to forward a received data packet whose destination address or source address is the MAC address.
15. The switch according to any one of claims 9 to 14, wherein the control policy includes, but is not limited to, one or any combination of the following: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy, and a maximum traffic jitter policy.
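The control-module behaviour recited in claims 9 to 14, as an added illustration that is not code from the patent or from any switch product: a policy keyed by virtual machine identifier is expanded into one MAC-keyed policy per address, rewritten on an address change, and applied to packets. The class and method names, the `old_mac` argument of the address change, the refusal to install a policy for an unknown identifier, and forwarding by default for unmatched packets are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    subject: str   # VM identifier in a first policy, MAC address once converted
    kind: str      # e.g. "access_control", one of the kinds listed in claim 15
    action: str    # "forward" or "deny"

class ControlModule:
    def __init__(self):
        self.vm_macs = {}   # VM identifier -> its N MAC addresses (N >= 1)
        self.active = {}    # MAC address -> converted (second/third) policy

    def receive_mapping(self, vm_id, macs):                      # claim 12
        if not macs:
            raise ValueError("N must be greater than or equal to 1")
        self.vm_macs[vm_id] = [m.lower() for m in macs]

    def receive_policy(self, first):                             # claims 9, 11, 13
        macs = self.vm_macs.get(first.subject)
        if macs is None:
            # Assumption: refuse to install instead of creating a rule that matches nothing.
            raise LookupError(f"no MAC address known for {first.subject}")
        converted = [replace(first, subject=m) for m in macs]
        for policy in converted:
            self.active[policy.subject] = policy   # an update policy overwrites the old one
        return converted

    def receive_address_change(self, vm_id, old_mac, new_mac):   # claim 10
        old_mac, new_mac = old_mac.lower(), new_mac.lower()
        # Assumption: the message names the address being replaced (needed when N > 1).
        third = replace(self.active.pop(old_mac), subject=new_mac)
        self.active[new_mac] = third
        macs = self.vm_macs[vm_id]
        macs[macs.index(old_mac)] = new_mac
        return third

    def handle_packet(self, src, dst):                           # claim 14
        for mac in (src.lower(), dst.lower()):
            policy = self.active.get(mac)
            if policy and policy.kind == "access_control" and policy.action == "deny":
                return "deny"
        return "forward"   # assumption: default when no deny policy matches

if __name__ == "__main__":
    cm = ControlModule()
    cm.receive_mapping("vm-1", ["02:00:00:00:00:0a"])            # constructed sample address
    cm.receive_policy(Policy("vm-1", "access_control", "deny"))
    print(cm.handle_packet("02:00:00:00:00:0a", "02:00:00:00:00:ff"))
```

Because the policy is removed from the old address when the address change is processed, a packet bearing the old MAC is no longer matched by it, which is the case to check when a virtual machine changes address.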
PCT/CN2012/087123 2012-12-21 2012-12-21 Configuration method of virtual machine control policy and exchange WO2014094287A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/087123 WO2014094287A1 (en) 2012-12-21 2012-12-21 Configuration method of virtual machine control policy and exchange
CN201280002960.0A CN103229489B (en) 2012-12-21 2012-12-21 The collocation method of virtual machine control strategy and switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/087123 WO2014094287A1 (en) 2012-12-21 2012-12-21 Configuration method of virtual machine control policy and exchange

Publications (1)

Publication Number Publication Date
WO2014094287A1 true WO2014094287A1 (en) 2014-06-26

Family

ID=48838364

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/087123 WO2014094287A1 (en) 2012-12-21 2012-12-21 Configuration method of virtual machine control policy and exchange

Country Status (2)

Country Link
CN (1) CN103229489B (en)
WO (1) WO2014094287A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426760A (en) * 2013-08-23 2015-03-18 中兴通讯股份有限公司 Stream mapping processing method and device
CN104717181B (en) * 2013-12-13 2018-10-23 中国电信股份有限公司 The security strategy of Virtual Security Gateway configures System and method for
CN104735000A (en) * 2013-12-23 2015-06-24 中兴通讯股份有限公司 OpenFlow signaling control method and device
CN105577548B (en) 2014-10-10 2018-10-09 新华三技术有限公司 Message processing method and device in a kind of software defined network
CN104699522B (en) * 2015-03-17 2017-10-13 成都麦进斗科技有限公司 A kind of dynamic migration of virtual machine method
CN107566319B (en) * 2016-06-30 2021-01-26 中央大学 Virtual machine instant transfer method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909054A (en) * 2010-07-15 2010-12-08 华中科技大学 Method for aggregating multiple network interface cards in virtualized environment
CN101916207A (en) * 2010-08-28 2010-12-15 华为技术有限公司 Energy saving method, device and system under desktop virtual environment
CN102137169A (en) * 2011-01-30 2011-07-27 华为技术有限公司 Method, network card and communication system for binding physical internet ports
CN102202049A (en) * 2010-03-23 2011-09-28 思杰系统有限公司 Network policy implementation for multi-virtual machine appliance

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136931B (en) * 2010-09-20 2013-12-04 华为技术有限公司 Method for configuring virtual port network strategies, network management center and related equipment
CN102571698B (en) * 2010-12-17 2017-03-22 中国移动通信集团公司 Access authority control method, system and device for virtual machine
CN102413183B (en) * 2011-11-22 2014-07-16 中国联合网络通信集团有限公司 Cloud intelligence switch and processing method and system thereof
CN102739645B (en) * 2012-04-23 2016-03-16 杭州华三通信技术有限公司 The moving method of secure virtual machine strategy and device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3468236A1 (en) * 2017-10-09 2019-04-10 Comcast Cable Communications LLC Policy control for ethernet packet data
US10938583B2 (en) 2017-10-09 2021-03-02 Comcast Cable Communications, Llc Ethernet type packet data unit session communications
US10951427B2 (en) 2017-10-09 2021-03-16 Comcast Cable Communications, Llc Ethernet type packet data unit session communications
US11743061B2 (en) 2017-10-09 2023-08-29 Comcast Cable Communications, Llc Ethernet type packet data unit session communications
US10812629B2 (en) 2017-10-20 2020-10-20 Comcast Cable Communications, Llc Radio resource control capability information
US10855814B2 (en) 2017-10-20 2020-12-01 Comcast Cable Communications, Llc Non-access stratum capability information
US11582330B2 (en) 2017-10-20 2023-02-14 Comcast Cable Communications, Llc Wireless device capability information
US11849009B2 (en) 2017-10-20 2023-12-19 Comcast Cable Communications, Llc Wireless device capability information

Also Published As

Publication number Publication date
CN103229489B (en) 2016-05-25
CN103229489A (en) 2013-07-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12890568

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12890568

Country of ref document: EP

Kind code of ref document: A1