WO2015014187A1 - Data transmission method and apparatus supporting multiple tenants - Google Patents

Data transmission method and apparatus supporting multiple tenants

Info

Publication number
WO2015014187A1
Authority
WO
WIPO (PCT)
Prior art keywords
tenant
flow table
data packet
switch
forwarding
Prior art date
Application number
PCT/CN2014/080921
Other languages
English (en)
Chinese (zh)
Inventor
王蛟
宋昆鹏
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2015014187A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a data forwarding method and apparatus for supporting multi-tenancy.
  • BACKGROUND Multi-tenancy is a typical application scenario of a cloud network and an important manifestation of network virtualization technology in a data center environment.
  • Existing network virtualization relies mainly on methods such as the virtual local area network (VLAN).
  • VLAN virtual local area network
  • The tenant's network is isolated by assigning different VLANs.
  • A VLAN is a logical segment of network users connected to Layer 2 switch ports. It is not restricted by the physical location of the network users, so the network can be segmented according to user requirements.
  • VLAN technology also has obvious drawbacks. For example, when the network card, media access control (MAC, Media Access Control) address, Internet Protocol (IP, Internet Protocol) address, or physical location of a physical or virtual server changes, many related network devices throughout the network system have to be reconfigured. In medium-scale and larger network environments, virtual machine migration is becoming more and more popular, and the configuration and maintenance cost of VLAN technology in such an environment is huge, which cannot meet the needs of technology development.
  • MAC Media Access Control
  • IP Internet Protocol
  • SDN Software Defined Network
  • OpenFlow OpenFlow
  • Multi-flow table technology refers to the existence of multiple flow tables in an OpenFlow switch, each designed for a different set of match fields of the switch and storing different content.
  • Flow rules For a received data packet, the flow rule is matched starting from the entry flow table (which may be Table 0), and subsequent flow tables are queried according to the instruction set in the matched entry. The lookup may only jump to the next flow table or to a flow table whose table number is greater than the current one. After a matching flow table entry is found, the packet is forwarded or discarded according to that flow table.
  • In the multi-flow table forwarding scheme of the existing OpenFlow switch, the forwarding service cannot be provided to each tenant network according to the requirements of different tenants. As a result, tenants share the flow table space in the multi-tenant environment, which causes conflicts and reduces forwarding performance, and each tenant cannot flexibly customize
  • its flow table scheme according to its own service.
  • A data forwarding method for supporting multi-tenancy includes: receiving a data packet and performing tenant network identification on the received data packet;
  • forwarding the data packet, according to the tenant network identification result, to the flow table group corresponding to the tenant for querying, where the flow table group corresponding to the tenant includes one or more flow tables; and
  • processing the data packet hit by the query according to the corresponding flow table entry operation.
  • the performing the tenant network identification on the received data packet includes:
  • in a first possible implementation, the matching field in the first flow table includes a source media access control address and a virtual local area network identifier; in a second possible implementation,
  • the matching field in the first flow table includes a source media access control address and a tunnel identifier.
  • the method further includes: forwarding the data packet information of a query miss to the controller;
  • the forwarding of the data packet to the tenant-specific flow table group, where the flow table group corresponding to the tenant includes one or more flow
  • tables, specifically includes: when the tenant-specific flow table group includes more than one flow table, the data packet is queried sequentially in the order of the flow tables in the flow table group.
  • the method further includes: receiving, from the controller, a command for deleting the correspondence between the tenant and the tenant-specific flow table group; and
  • clearing the flow entries in each flow table of the tenant-specific flow table group according to that command.
  • the second aspect provides a data forwarding method for supporting a multi-tenant, including: obtaining, by using a user interface, a service-related flow table solution customized by a tenant;
  • the flow table solution is sent to the switch, so that the switch establishes the flow table group exclusive to the tenant according to the flow table solution, where the flow table group exclusive to the tenant includes: one or more flow tables.
  • the method further includes:
  • a communication device including: a first receiving unit, an identifying unit, a querying unit, and a processing unit, where
  • the first receiving unit is configured to receive a data packet;
  • the identifying unit is configured to perform tenant network identification on the received data packet, and the querying unit is configured to forward the data packet, according to the tenant network identification result, to the corresponding
  • tenant-specific flow table group for querying, where
  • the flow table group corresponding to the tenant includes one or more flow tables; and
  • the processing unit is configured to process the data packet hit by the query according to the corresponding flow entry operation.
  • the identifying unit is specifically configured to match the data packet according to the matching field in the first flow table stored in the switch, and to determine the tenant network according to that matching field; or
  • the identifying unit is specifically configured to determine, according to the tenant identifier included in the data packet, the tenant network to which the data packet belongs.
  • in one possible implementation, the matching field in the first flow table includes a source media access control address and a virtual local area network identifier; in another possible implementation,
  • the matching field in the first flow table includes a source media access control address and a tunnel identifier.
  • the device further includes: a first sending unit, a second receiving unit, and a storage unit, where
  • the first sending unit is configured to forward the data packet information of a query miss to the controller;
  • the second receiving unit is configured to receive, from the controller, a forwarding policy corresponding to the tenant to which the data packet belongs;
  • the querying unit is configured to, when the tenant-specific flow table group includes more than one flow table, query the data packet sequentially in the order of the flow tables in the flow table group.
  • the device further includes: a third receiving unit and a deleting unit, where
  • the third receiving unit is configured to receive a command sent by the controller for deleting the correspondence between the tenant and the tenant-specific flow table group, and the deleting unit is configured to clear the flow entries of the tenant-specific flow table group according to that command.
  • a communication device including: an acquiring unit and a sending unit, where
  • the acquiring unit is configured to obtain, through a user interface, a service-related flow table solution customized by the tenant; and
  • the second sending unit is configured to send the flow table solution to the switch, so that the switch establishes the tenant-specific flow table group according to the flow table solution, where the tenant-specific flow table group includes one or more flow tables.
  • the device further includes: a fourth receiving unit, a policy acquiring unit, and a third sending unit, where
  • the fourth receiving unit is configured to receive data packet information sent by the switch;
  • the policy acquiring unit is configured to calculate forwarding path information of the data flow to which the data packet belongs according to the physical network topology and the virtual network topology of the tenant, and to convert the forwarding path information, according to the flow table rule definition of the tenant to which the data packet belongs, into a forwarding policy conforming to that tenant's flow table scheme; and
  • the third sending unit is configured to send the forwarding policy to the switch, so that the forwarding policy is stored in the corresponding flow table of the tenant in the switch.
  • the policy acquiring unit includes:
  • a routing module, configured to carry the routing algorithm, perform path calculation for the flow to which the data packet belongs according to the physical network topology information and the tenant virtual network topology information held by the topology module, and send the calculation result to the policy conversion module;
  • a topology module, configured to store the physical network topology and the virtual network topology of the tenant, and to provide topology support for the path calculation of the routing module; and
  • a policy conversion module, configured to receive the path information from the routing module and convert it into a forwarding policy conforming to the tenant's flow table scheme according to the flow table rule definition of the tenant.
  • the apparatus further includes: a fourth sending unit;
  • the fourth sending unit is configured to, when the tenant leaves, send to the switch a command for deleting the correspondence between the tenant and the tenant-specific flow table group, so that the switch clears the flow entries in the tenant-specific flow table group.
  • The data packet is forwarded, according to the tenant network identification result, to the flow tables in the corresponding tenant-specific flow table group for forwarding lookup, and a data packet that hits in the lookup is processed according to the flow table entry in that flow table. Because the
  • inter-tenant forwarding rules are completely isolated in different flow tables, forwarding between tenants is not affected by conflicting policies, and there is no interference between them.
  • FIG. 1 is a schematic flowchart of a data forwarding method for supporting multi-tenancy according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic flowchart of a data forwarding method for supporting multi-tenancy according to Embodiment 2 of the present invention.
  • FIG. 3 is a schematic diagram of the flow table groups of different tenants in the switch, in which
  • the switch stores the forwarding policy from the controller into the tenant-specific flow table group.
  • FIG. 4 is a schematic diagram of processing in the controller and the switch.
  • FIG. 5 is a schematic diagram of the processing, in the controller, of data packet information received from a switch.
  • FIG. 6 is a schematic diagram of a communication device according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic diagram of a communication apparatus according to Embodiment 4 of the present invention.
  • FIG. 8 is a schematic diagram of a communication device according to Embodiment 5 of the present invention.
  • FIG. 9 is a schematic diagram of a communication apparatus according to Embodiment 6 of the present invention.
  • DETAILED DESCRIPTION OF THE EMBODIMENTS Embodiments of the present invention provide a data forwarding method, apparatus, and system for supporting multi-tenancy.
  • The solution can be built on the controller and the switch in an SDN environment, and uses the multi-flow table technology of the OpenFlow switch to dynamically implement a customized forwarding policy for each tenant, which solves service offloading and fine-grained network scheduling for different tenants.
  • Multi-flow table technology is used to customize the forwarding rules for each tenant network. As the virtual servers in a tenant network migrate as needed, the changes in service deployment and configuration at the switch level are small compared with existing approaches.
  • Based on the characteristics of multi-flow table technology in the SDN environment and the requirements of multi-tenant networks, the solution customizes flow table rules per tenant, or uses the network's default multi-flow table rules, and divides the multiple flow tables of the switch by tenant into different tenant groups. Flows are classified by Table 0 at the flow table entry point or by another tenant network detection unit; the flows of different tenants are directed to the corresponding tenant flow table group and forwarded according to the flow rules defined by that tenant.
  • This embodiment of the invention provides a data forwarding method for supporting multi-tenancy. As shown in FIG. 1, the method includes:
  • Step 101 Receive a data packet, and perform tenant network identification on the received data packet.
  • The tenant network may be identified according to the first flow table (which may be Table 0) of the multi-flow table, and the tenant network may be distinguished according to a predefined tenant ID (Tenant-ID), where "predefined" means that the tenant ID is defined in advance within the tenant network and is uniform across that tenant network.
  • The matching field included in the first flow table, Table 0, may be a source MAC address (Src MAC) together with a virtual local area network identifier (VLAN_ID), or the matching field may be a tunnel identifier (Tunnel_ID).
  • The tunnel identifier includes, but is not limited to, a Multi-Protocol Label Switching (MPLS) label, a Virtual Extensible LAN (VXLAN) identifier, and a Generic Routing Encapsulation (GRE) identifier, as well as other existing or custom tunnel technology tags.
  • Step 102 Forward the data packet, according to the tenant network identification result, to the flow table group corresponding to the tenant, where the flow table group corresponding to the tenant includes one or more flow tables.
  • The flow table group corresponding to the tenant in step 102 includes one or more flow tables. It can be understood that, when the switch is configured, the flow tables are divided into independent flow tables according to tenant, each belonging to a different tenant network.
  • The flow table of a tenant can be a single flow table or a set of flow tables (that is, more than one flow table). Therefore, each tenant can request from the controller the flow table (or multi-flow table) it needs according to its own business requirements.
  • The controller can make routing decisions according to the virtual network to which the tenant belongs, and formulate a flow table suited to the forwarding rules of the tenant network.
  • The controller sends the formulated flow table to the switch, and the switch stores one or a group of flow tables belonging to each tenant (a group of flow tables means more than one flow table).
  • Step 103 Process the data packet hit by the query according to the corresponding flow entry operation.
  • The specific processing can be to discard the data packet or to forward it directly to a physical port of the switch.
  • The foregoing embodiment of the present invention thus provides a data forwarding method for supporting multi-tenancy.
  • The method forwards the data packet, according to the tenant network identification result, to one or more flow tables exclusive to the tenant for forwarding lookup; if the lookup hits,
  • the data packet is sent to the corresponding physical port or discarded. Since the inter-tenant forwarding rules are completely isolated in different flow tables, forwarding between tenants is not affected by conflicting policies, and there is no interference between them.
  • Because a tenant network is relatively simple, the number of forwarding entries in the flow table of each tenant network is small. After the switch completes the identification of the tenant network, the traffic forwarding rules in that tenant network's flow table can be located quickly, which improves the efficiency of data forwarding.
  • the method may further include:
  • Step 104 Forward the packet information of the query miss to the controller.
  • A data packet for which the query misses can be understood as one whose tenant network has no flow table stored in the switch, or whose flow is not recorded in the flow table exclusive to that tenant network. Therefore, the switch sends the packet to the controller, and the controller processes the packet to generate a forwarding policy for the tenant or the flow to which the packet belongs, and delivers the forwarding policy to the switch.
  • the method may further include:
  • Step 105 Receive the forwarding policy corresponding to the tenant sent by the controller, and store the forwarding policy in the flow table group corresponding to the tenant, where the flow table group may be one flow table or more than one flow table.
  • Step 105 may also precede step 101.
  • The forwarding policy in each tenant's flow table is generated by the controller. Therefore, before performing the data forwarding service, the switch can receive from the controller
  • the forwarding policy corresponding to the tenant, and store it in the flow table corresponding to the tenant.
  • The forwarding policy corresponding to the tenant is customized by the tenant through the user interface and sent by the controller to the switch.
  • The flow table corresponding to the tenant can be added dynamically in the switch, and the switch stores the forwarding policy sent by the controller into the one flow table or the set of flow tables corresponding to the tenant.
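  • As an added illustration of the switch-side pipeline of steps 101 to 105, and of the lookup-order rule from the definitions above (a lookup may only move to a higher-numbered table), the following Python model is not code from the patent or from any OpenFlow implementation. Table 0 holds one classifier entry per tenant, keyed on (source MAC, VLAN ID) or on a tunnel ID, and jumps to the first table of that tenant's group; the group's tables are consulted in ascending order; a miss inside the group is handed to a controller callback whose answer is installed in the group and applied. The switch class, the packet fields, the two tenants, their MAC addresses, ports and the controller's policy table are all constructed for the example, and a packet whose tenant cannot be identified at Table 0 is simply dropped here, whereas the text sends it to the controller as well.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Action = Tuple  # ("output", port) | ("drop",) | ("goto", table_no)

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None      # Table 0 key variant 1: (src MAC, VLAN ID)
    tunnel_id: Optional[int] = None    # Table 0 key variant 2: tunnel label

@dataclass
class FlowEntry:
    match: Dict[str, object]           # packet field -> required value
    action: Action
    priority: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())

class MultiTableSwitch:
    """Table 0 identifies the tenant; tables 1..n-1 are handed out in per-tenant groups."""

    def __init__(self, num_tables: int,
                 controller: Callable[[str, Packet], Optional[FlowEntry]]) -> None:
        self.tables: List[List[FlowEntry]] = [[] for _ in range(num_tables)]
        self.groups: Dict[str, List[int]] = {}       # tenant -> ascending table numbers
        self.controller = controller                 # consulted on a miss inside a group
        self.misses: List[Tuple[str, Packet]] = []   # packet-in events, kept for inspection

    def free_tables(self) -> List[int]:
        used = {t for group in self.groups.values() for t in group}
        return [t for t in range(1, len(self.tables)) if t not in used]

    def assign_group(self, tenant: str, table0_match: Dict[str, object], size: int) -> List[int]:
        """Reserve `size` free tables for the tenant and add its Table 0 classifier entry."""
        free = self.free_tables()
        if len(free) < size:
            raise RuntimeError("no free flow tables for tenant " + tenant)
        group = free[:size]                          # ascending: goto-table only moves forward
        self.groups[tenant] = group
        self.tables[0].append(FlowEntry(dict(table0_match), ("goto", group[0])))
        return group

    def remove_tenant(self, tenant: str) -> None:
        """Controller reports the tenant left: clear its tables and return them to the pool."""
        group = self.groups.pop(tenant)
        for t in group:
            self.tables[t].clear()
        self.tables[0] = [e for e in self.tables[0] if e.action != ("goto", group[0])]

    def install(self, tenant: str, entry: FlowEntry, which: int = 0) -> None:
        """Store a controller-provided flow entry in the tenant's `which`-th table."""
        self.tables[self.groups[tenant][which]].append(entry)

    def _lookup(self, table_no: int, pkt: Packet) -> Optional[FlowEntry]:
        hits = [e for e in self.tables[table_no] if e.matches(pkt)]
        return max(hits, key=lambda e: e.priority) if hits else None

    def identify_tenant(self, pkt: Packet) -> Optional[str]:
        """Step 101: the Table 0 hit says which tenant group to continue in."""
        entry = self._lookup(0, pkt)
        if entry is None:
            return None
        first_table = entry.action[1]
        return next(t for t, g in self.groups.items() if g[0] == first_table)

    def forward(self, pkt: Packet) -> Action:
        tenant = self.identify_tenant(pkt)
        if tenant is None:
            return ("drop",)                         # assumption: unidentified tenant is dropped
        for table_no in self.groups[tenant]:         # step 102: the group's tables, in order
            entry = self._lookup(table_no, pkt)
            if entry is not None and entry.action[0] != "goto":
                return entry.action                  # step 103: apply the hit entry's action
        self.misses.append((tenant, pkt))            # step 104: packet-in to the controller
        policy = self.controller(tenant, pkt)
        if policy is None:
            return ("drop",)
        self.install(tenant, policy)                 # step 105: store the returned policy
        return policy.action

# Constructed controller: a fixed per-tenant policy keyed on destination MAC
POLICY: Dict[Tuple[str, str], Action] = {
    ("A", "00:00:00:00:00:02"): ("output", 1),
    ("B", "00:00:00:00:00:02"): ("output", 2),
}

def demo_controller(tenant: str, pkt: Packet) -> Optional[FlowEntry]:
    action = POLICY.get((tenant, pkt.dst_mac))
    return FlowEntry({"dst_mac": pkt.dst_mac}, action) if action else None

def build_demo() -> MultiTableSwitch:
    sw = MultiTableSwitch(num_tables=8, controller=demo_controller)
    # Both tenants reuse source MAC ...:01; only the VLAN separates them at Table 0
    sw.assign_group("A", {"src_mac": "00:00:00:00:00:01", "vlan_id": 10}, size=2)
    sw.assign_group("B", {"src_mac": "00:00:00:00:00:01", "vlan_id": 20}, size=1)
    return sw
```

  • The property worth checking in this model is the isolation claim of the text: both tenants carry the same source MAC, yet the policy installed for tenant A (output port 1) never becomes visible to tenant B, because after Table 0 the lookup never leaves B's own tables; and clearing tenant A's group on departure returns exactly its tables to the free pool while B's forwarding continues unchanged.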
  • This embodiment of the present invention provides a data forwarding method for supporting multi-tenancy.
  • The method is the same as that of the first embodiment; the difference is that in this embodiment the controller and the switch cooperate more closely to forward packets for tenants. As shown in FIG. 2, the method includes:
  • Step 201 A tenant joins the network, and the controller allocates a tenant ID to the new tenant.
  • The controller obtains a service-related flow table scheme customized by the tenant through the user interface, or obtains the default flow table scheme for the tenant.
  • The service-related flow table solution customized by the tenant may be implemented in the switch as a single flow table solution or as a multi-flow table solution.
  • Step 202 The controller sends the tenant's customized service-related flow table solution, or the default flow table solution if the tenant uses that, to the switch.
  • The flow table solution may further include the tenant ID.
  • Step 203 The switch receives the flow table solution delivered by the controller and stores the flow table scheme belonging to the tenant in the flow table group exclusive to the tenant, where the tenant-specific flow table group includes one or more flow tables.
  • For example, the forwarding policy belonging to tenant 0001 is sent to the flow table or group of flow tables Set 1 of tenant 0001. If the tenant ID is n, the forwarding policy of tenant n is sent to the flow table or set of flow tables Set n.
  • The tenant-customized forwarding policy is issued by the controller.
  • The flow tables belonging to different tenants in the switch are independently divided into a flow table or a set of flow tables per tenant. After a packet hits in the corresponding flow table, it is processed according to the flow table entry operation. If the tenant selects the default forwarding policy, the controller sends the default policy to the shared flow table in the switch as the basis for data forwarding in that tenant network, and
  • a tenant-customized forwarding policy is not used.
  • Alternatively, a matching field for identifying the tenant can be stored in Table 0, so that after the switch receives a data packet it jumps, according to the matching field in Table 0, to the corresponding tenant flow table for matching.
  • Step 204 The switch receives the data packet and performs tenant network identification on the received data packet.
  • Performing the tenant network identification on the received data packet in step 204 may confirm the tenant network to which the data packet belongs by using the tenant ID (Tenant_ID) included in the data packet.
  • The Tenant-ID can be a new tag added to the packet at its server.
  • The function of encapsulating the tenant ID into the data packet can be added to the virtual host or the physical host to distinguish the tenant networks to which different data flows belong.
  • The encapsulated tenant ID, Tenant-ID, can then be used to distinguish the data flows of different tenants.
  • Alternatively, the tenant network identification of the received data packet in step 204 can be performed by configuring Table 0 of the multi-flow table (that is, the first flow table at the switch entry point) and confirming the tenant network to which the data packet belongs according to the matching field of the data packet.
  • The matching field included in Table 0 can be the combination of source MAC address and VLAN-ID.
  • Taking a VLAN as an example: each tenant is isolated in the first step through a VLAN, and each tenant is divided into its own virtual network.
  • The virtual hosts or physical hosts of different tenant networks may have overlapping MAC addresses.
  • The combination of the source MAC address and the VLAN ID, however, is a unique identifier in the entire network, and can locate the host or the tenant network to which a data stream belongs.
  • Table 0's matching field can also be the combination of source MAC address and tunnel ID. When other technologies are used, the matching field may be customized according to requirements and technical features, which should not be construed as limiting the embodiments of the present invention.
  • Step 205 If the switch fails to identify the tenant network to which the data packet belongs, forward the data packet information to the controller to request a forwarding policy.
  • The data packet information may specifically be the packet header of the data packet or the data packet itself, but the application does not limit other forms of data packet information.
  • The switch may perform forwarding policy matching through Table 0. If there is no hit, the switch is receiving a data packet of this flow for the first time, and forwards its packet information to the controller to request a policy.
  • That the switch fails to identify the tenant network to which the data packet belongs in step 205
  • may specifically mean that the switch identifies the tenant ID encapsulated in the data packet but no corresponding flow table is stored in the switch, indicating that the switch is receiving a data packet of this flow for the first time.
  • Step 206 The controller receives the data packet information sent by the switch, obtains the path information of the data packet according to the physical network topology and the virtual network topology of the tenant, and converts the path information, according to the flow table rule definition of the tenant, into a forwarding policy conforming to the tenant's flow table scheme.
  • The detailed operation in step 206 may include: a core decision module in the controller receives the data packet information sent by the switch and transmits the forwarding policy to the switch;
  • the routing module in the controller carries the routing algorithm, performs path calculation for the flow to which the data packet belongs according to the physical network topology information and the tenant virtual network topology information held by the topology module, and sends the calculation result to the policy conversion module;
  • the topology module in the controller holds the physical network topology and the virtual network topology of the tenant, and provides topology support for the path calculation of the routing module;
  • the policy conversion module in the controller receives the path information from the routing module and converts it into a forwarding policy conforming to the tenant's flow table scheme according to the tenant's flow table rules; and the rule storage module in the controller stores each tenant's custom flow table scheme and the default flow table scheme.
  • Step 207 The controller sends the forwarding policy obtained by the conversion to the switch.
  • Step 208 The switch receives the forwarding policy sent by the controller and stores it in the flow table corresponding to the tenant. If the tenant is a new tenant, no flow table for it is stored in the switch yet, so flow table resources are allocated to the new tenant and its forwarding policy is stored, in the form of flow entries, in the flow table corresponding to the tenant. If the forwarding policy is for a new flow belonging to the tenant, the flow entry for that flow is added to the flow table belonging to the tenant.
  • Step 209 If the switch identified the tenant network in step 204, forward the data packet to the corresponding tenant-specific flow table group for forwarding lookup.
  • The specific operation by which the switch identifies the tenant network may be: after Table 0 is matched, the tenant network to which the data packet belongs is confirmed and the matching result redirects the packet to the flow table or group of flow tables exclusive to the tenant; if the tenant has a set of flow tables, the packet jumps to the first flow table in the tenant-specific flow table group to perform forwarding policy matching.
  • Step 210 Process the data packet hit by the lookup according to the corresponding flow entry operation. The specific processing can be to discard the data packet or to forward it directly to a physical port of the switch.
  • Step 211 When the controller learns that the tenant leaves the network, it sends to the switch a command for deleting the correspondence between the tenant and the tenant-specific flow table group.
  • Step 212 The switch receives the command sent by the controller for deleting the correspondence between the tenant and the tenant-specific flow table group,
  • and clears the tenant-specific flow tables according to that command.
  • The rules belonging to the tenant are deleted and the content of the switch's flow table group belonging to the tenant is cleared; the switch reclaims that set of flow table resources, which become idle flow table resources available for redistribution when subsequent new tenants join the network.
  • The foregoing Embodiment 2 of the present invention thus provides a data forwarding method for supporting multi-tenancy.
  • The method forwards the data packet, according to the tenant network identification result, to one or more flow tables exclusive to the tenant for forwarding lookup; if the lookup hits,
  • the data packet is processed according to the flow entry operation. Since the inter-tenant forwarding rules are completely isolated in different flow tables, forwarding between tenants is not affected by conflicting policies, and there is no interference between them.
  • Because a tenant network is relatively simple, the number of forwarding entries in the flow table of each tenant network is small. After the switch completes the identification of the tenant network, the traffic forwarding rules in that tenant network's flow table can be located quickly, which improves the efficiency of data forwarding.
  • The advantages of the solution include: when the resources in the switch are fixed, the number of flow tables that can be stored is fixed, but the number of flow tables required by a tenant network can be adjusted dynamically according to the tenant's service, so the number of tenants supported by the switch can also be adjusted dynamically.
  • Each tenant in the solution can use the user interface of the controller to customize the flow table rules in its tenant-specific flow table set according to the tenant's service, and can set a flow table with higher priority for the tenant's key services.
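  • The controller side of step 206 (topology module, routing module and policy conversion module), as an added Python example that is not code from the patent or from any controller product. The physical topology, each tenant's virtual topology (which host MAC attaches to which switch port), the per-tenant flow table rule definition and the tenant IDs are constructed assumptions; `shortest_path` stands in for the routing algorithm and `compute_policy` for the policy conversion, producing the per-switch (match, output port) entries the controller would send to the switch in step 207.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed physical topology: switch -> {neighbour switch: local output port}
PHYSICAL: Dict[str, Dict[str, int]] = {
    "s1": {"s2": 1, "s3": 2},
    "s2": {"s1": 1, "s4": 2},
    "s3": {"s1": 1, "s4": 2},
    "s4": {"s2": 1, "s3": 2},
}

# Constructed virtual topology per tenant: host MAC -> (attachment switch, access port).
# The same MACs appear in both tenants on purpose: MAC addresses may overlap across tenants.
VIRTUAL: Dict[str, Dict[str, Tuple[str, int]]] = {
    "A": {"00:00:00:00:00:01": ("s1", 10), "00:00:00:00:00:02": ("s4", 10)},
    "B": {"00:00:00:00:00:01": ("s1", 11), "00:00:00:00:00:02": ("s2", 11)},
}

# Constructed per-tenant flow table rule definition: the fields a tenant's tables match on
SCHEME: Dict[str, Tuple[str, ...]] = {"A": ("dst_mac",), "B": ("dst_mac", "tunnel_id")}
TENANT_ID: Dict[str, int] = {"A": 1, "B": 2}   # allocated when the tenant joined (step 201)

Entry = Tuple[str, Dict[str, object], Tuple[str, int]]   # (switch, match, ("output", port))


def shortest_path(src: str, dst: str) -> Optional[List[str]]:
    """Routing module: breadth-first shortest path over the physical topology."""
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node: Optional[str] = queue.popleft()
        if node == dst:
            path: List[str] = []
            while node is not None:              # walk the predecessor chain back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for neighbour in PHYSICAL[node]:
            if neighbour not in prev:
                prev[neighbour] = node
                queue.append(neighbour)
    return None


def compute_policy(tenant: str, src_mac: str, dst_mac: str) -> Optional[List[Entry]]:
    """Policy conversion: turn the path of one flow into per-switch flow entries that
    match only the fields the tenant's own flow table scheme defines."""
    hosts = VIRTUAL.get(tenant, {})
    if src_mac not in hosts or dst_mac not in hosts:
        return None                              # not hosts of this tenant's virtual network
    src_switch, _ = hosts[src_mac]
    dst_switch, access_port = hosts[dst_mac]
    path = shortest_path(src_switch, dst_switch)
    if path is None:
        return None                              # physically unreachable
    available = {"dst_mac": dst_mac, "tunnel_id": TENANT_ID[tenant]}
    match = {field: available[field] for field in SCHEME[tenant]}
    entries: List[Entry] = [
        (hop, match, ("output", PHYSICAL[hop][nxt])) for hop, nxt in zip(path, path[1:])
    ]
    entries.append((dst_switch, match, ("output", access_port)))   # final hop: to the host
    return entries
```

  • For tenant A the flow from host ...:01 to host ...:02 crosses s1, s2 and s4 and the entries match on the destination MAC alone, as that tenant's scheme defines; tenant B's entries for the same pair of MACs match on the destination MAC together with its tunnel ID, so the two sets of entries cannot be confused even though the addresses overlap.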
  • This embodiment of the invention provides a communication device.
  • The communication device may be an OpenFlow switch, but is not limited to a switch.
  • The communication device includes: a first receiving unit 601, an identifying unit 602, a query unit 603, and a processing unit 604.
  • The first receiving unit 601 is configured to receive a data packet.
  • The identifying unit 602 is configured to perform tenant network identification on the received data packet.
  • The tenant network may be identified according to the first flow table (which may be Table 0) of the multi-flow table, and the tenant network may be distinguished according to a predefined tenant ID (Tenant-ID), where "predefined" means that the tenant ID is defined in advance within the tenant network and is uniform across that tenant network.
  • The matching field included in the first flow table, Table 0, may be the source MAC address (Src MAC) together with
  • the virtual local area network identifier (VLAN_ID), or the matching field can be a tunnel ID (Tunnel_ID).
  • the query unit 603 is configured to forward the data packet to the flow table group corresponding to the tenant according to the tenant network identification result, where the corresponding flow table group corresponding to the tenant includes: one or more flow tables;
  • the flow table group corresponding to the tenant in the query unit 603 includes one or more flow tables. It can be understood that when the switch is configured, the flow table is divided into independent flow tables according to different tenants, belonging to different tenants.
  • the flow table of the network can be a flow table or a set of flow tables (that is, more than one flow table).
  • each tenant can customize the required flow table to the controller according to its own business needs.
  • the controller can make routing decisions according to the virtual network to which the tenant belongs, and formulate a flow table suitable for the forwarding rules of the tenant network.
  • the controller sends the prepared flow table to the switch, and the switch stores, for each tenant, one flow table or a set of flow tables (where a set of flow tables is understood as more than one flow table).
  • the processing unit 604 is configured to process the data packet of the query hit according to the corresponding flow entry operation.
  • the identification unit 602 of the communication device forwards the data packet to one or more flow tables exclusive to the tenant according to the tenant network identification result, and the query unit 603 performs the forwarding query, sending the data packet of the query hit to the corresponding physical port or discarding it. Since the forwarding rules of different tenants are completely isolated in different flow tables, forwarding between tenants is not affected by conflicts between different policies, and there is no interference between tenants.
  • the identifying unit 602 is specifically configured to match the data packet according to the matching field in the first flow table stored in the switch, where the tenant network is determined according to the matching field in the first flow table; or
  • the identifying unit is specifically configured to determine, according to the tenant identifier included in the data packet, the tenant network to which the data packet belongs.
  • the matching field in the first flow table includes: a source media access control address and a virtual local area network identifier; or
  • the matching field in the first flow table includes: a source media access control address and a tunnel identifier.
  • the device further includes:
  • a first sending unit 605, a second receiving unit 606, and a storage unit 607, where:
  • the first sending unit 605 is configured to forward the packet information of the query miss to the controller;
  • the second receiving unit 606 is configured to receive, by the controller, a forwarding policy corresponding to the tenant to which the data packet belongs;
  • the query unit 603 is specifically configured to, when the tenant-specific flow table group includes more than one flow table, query the data packet against the flow tables sequentially in the order of the flow tables in the flow table group.
  • the device further includes: a third receiving unit 608 and a deleting unit 609;
  • the third receiving unit 608 is configured to receive a command to delete the tenant flow table sent by the controller, and the deleting unit 609 is configured to clear, according to the command to delete the correspondence between the tenant and the tenant-exclusive flow table group, the flow entries in each flow table in the tenant-specific flow table group.
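The switch-side pipeline described in the units above (Table0 tenant identification by source MAC plus VLAN ID or by tunnel ID, the tenant-exclusive flow table group queried in order, packet-in to the controller on a query miss, and clearing the whole group when a tenant leaves), as an added example that also covers the processor embodiment of FIG. 8 below; this is constructed model code, not the patent's or Huawei's, it simplifies the multi-table lookup to first match wins across the ordered group, and every MAC address, VLAN ID, tunnel ID, port and tenant name is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model (not the patent's code): Table0 maps a packet to a
# tenant ID, and each tenant owns a private, ordered list of flow tables.
@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vlan_id: Optional[int] = None    # (src_mac, vlan_id) keys Table0 ...
    tunnel_id: Optional[int] = None  # ... or tunnel_id does, for overlay traffic

@dataclass
class FlowEntry:
    match: Dict[str, object]  # packet field -> required value
    action: str               # "output:<port>" or "drop"
    priority: int = 0         # higher wins within one table

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class MultiTenantSwitch:
    def __init__(self) -> None:
        self.table0_vlan: Dict[Tuple[str, int], str] = {}
        self.table0_tunnel: Dict[int, str] = {}
        self.tenant_tables: Dict[str, List[List[FlowEntry]]] = {}
        self.packet_in: List[Tuple[str, Packet]] = []  # misses reported upward

    def identify_tenant(self, pkt: Packet) -> Optional[str]:
        """Table0 lookup: tunnel ID first, otherwise (source MAC, VLAN ID)."""
        if pkt.tunnel_id is not None:
            return self.table0_tunnel.get(pkt.tunnel_id)
        if pkt.vlan_id is not None:
            return self.table0_vlan.get((pkt.src_mac, pkt.vlan_id))
        return None

    def install(self, tenant: str, table_index: int, entry: FlowEntry) -> None:
        """A controller-pushed rule lands only in the named tenant's group."""
        tables = self.tenant_tables.setdefault(tenant, [])
        while len(tables) <= table_index:
            tables.append([])
        tables[table_index].append(entry)
        tables[table_index].sort(key=lambda e: e.priority, reverse=True)

    def process(self, pkt: Packet) -> str:
        """Identify the tenant, then query only that tenant's tables, in order."""
        tenant = self.identify_tenant(pkt)
        if tenant is None:
            return "drop"  # no Table0 hit: the packet belongs to no tenant network
        for table in self.tenant_tables.get(tenant, []):
            for entry in table:  # already sorted by priority
                if entry.matches(pkt):
                    return entry.action
        self.packet_in.append((tenant, pkt))  # query miss: hand to the controller
        return "packet-in"

    def delete_tenant(self, tenant: str) -> int:
        """Tenant leaves: clear every entry in its group and its Table0 keys."""
        tables = self.tenant_tables.pop(tenant, [])
        self.table0_vlan = {k: v for k, v in self.table0_vlan.items() if v != tenant}
        self.table0_tunnel = {k: v for k, v in self.table0_tunnel.items() if v != tenant}
        return sum(len(t) for t in tables)

def build_demo_switch() -> MultiTenantSwitch:
    """Two tenants whose hosts reuse one destination MAC (constructed data)."""
    sw = MultiTenantSwitch()
    sw.table0_vlan[("0a:00:00:00:00:01", 10)] = "tenant-A"
    sw.table0_vlan[("0b:00:00:00:00:01", 20)] = "tenant-B"
    sw.table0_tunnel[5001] = "tenant-B"
    # tenant-A: table 0 is a high-priority ACL for key services, table 1 forwards
    sw.install("tenant-A", 0, FlowEntry({"dst_mac": "00:00:00:00:00:99"}, "drop", 100))
    sw.install("tenant-A", 1, FlowEntry({"dst_mac": "00:00:00:00:00:10"}, "output:1"))
    sw.install("tenant-B", 0, FlowEntry({"dst_mac": "00:00:00:00:00:10"}, "drop"))
    return sw
```

The same destination MAC yields "output:1" for tenant-A and "drop" for tenant-B because each lookup only ever touches the identified tenant's group, which is the isolation property the text claims.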
  • the embodiment of the present invention provides a communication device, which can be a controller in an SDN network.
  • the device includes: an obtaining unit 701 and a first sending unit 702; the obtaining unit 701 is configured to obtain, through a user interface, a service-related flow table solution customized by the tenant;
  • the second sending unit 702 is configured to send the flow table solution to the switch, so that the switch establishes the flow table group exclusive to the tenant according to the flow table solution, where the flow table group exclusive to the tenant includes one or more flow tables.
  • in the communication device provided by the above embodiment of the present invention, the device obtains, through a user interface, a flow table solution customized by the tenant, and sends the flow table solution to the switch, so that the switch establishes the flow table group exclusive to the tenant according to the flow table solution, where the exclusive flow table group includes one or more flow tables. Since the forwarding rules of different tenants are completely isolated in different flow tables, forwarding between tenants is not affected by conflicts between different policies, and there is no interference between tenants.
  • the device further includes:
  • the third sending unit 705 is configured to send the forwarding policy to the switch, so that the forwarding policy is stored in a corresponding flow table of the tenant in the switch.
  • the policy acquiring unit 704 specifically includes:
  • a routing module, configured to run a routing algorithm, perform path calculation for the flow to which the data packet belongs according to the physical network topology information and the tenant virtual network topology information held by the topology module, and send the calculation result to the policy conversion module;
  • a topology module, configured to store the physical network topology and the tenant's virtual network topology, and to provide the topology information the routing module needs for path calculation;
  • a policy conversion module, configured to receive the path information from the routing module and convert it into a forwarding policy that conforms to the tenant's flow table scheme according to the tenant's flow table rule definition.
  • the device further includes: a fourth sending unit 705;
  • the fourth sending unit 705 is configured to: when the tenant leaves, send a command to delete the correspondence between the tenant and the tenant-specific flow table group to the switch, so that the switch clears the flow entry in the tenant-specific flow table group.
  • FIG. 8: another embodiment of the present invention provides a communication device, whose structure is shown in FIG. 8.
  • the memory 40, the processor 41, the input device 43, and the output device 44 are respectively connected to the bus, where:
  • the memory 40 is used to store data input from the input device 43, and may also store information such as necessary files processed by the processor 41;
  • the input device 43 and the output device 44 are ports for communication devices to communicate with other devices, and may further include output devices externally connected to the data analysis device such as a display, a keyboard, a mouse, a printer, and the like.
  • the input device 43 may include a mouse and a keyboard.
  • the output device 44 includes a display or the like;
  • the processor 41 is configured to perform tenant network identification on the received data packet;
  • forward the data packet, according to the tenant network identification result, to the flow table group corresponding to the tenant for query, where the flow table group corresponding to the tenant includes one or more flow tables; and process the data packets of the query hit according to the corresponding flow table entry operations.
  • the data packet is forwarded to one or more flow tables exclusive to the tenant for the forwarding query, and the data packet of the query hit is sent to the corresponding physical port or discarded. Because the forwarding rules of different tenants are completely isolated in different flow tables, forwarding between tenants is not affected by conflicts between different policies, and there is no interference between tenants.
  • since each tenant network is relatively simple, the number of forwarding entries in the flow table of each tenant network is small. After the switch completes identification of the tenant network, it can quickly locate the traffic forwarding rules in that tenant network's flow table, which improves the efficiency of data forwarding.
  • the processor, when performing tenant network identification on the received data packet, is specifically configured to match the data packet according to the matching field in the first flow table stored in the switch, where the tenant network is identified according to the matching field in the first flow table; or
  • the identifying unit is specifically configured to determine, according to the tenant identifier included in the data packet, the tenant network to which the data packet belongs.
  • the matching field in the first flow table in the processor includes: a source media access control address and a virtual local area network identifier; or
  • the matching field in the first flow table includes: a source media access control address and a tunnel identifier.
  • the output device is further configured to forward the packet information of the query miss to the controller;
  • the input device is further configured to receive, from the controller, a forwarding policy corresponding to the tenant to which the data packet belongs;
  • the processor forwards the data packet, according to the tenant network identification result, to the flow table group corresponding to the tenant, where the flow table group corresponding to the tenant includes one or more flow tables; specifically, when the flow table group exclusive to the tenant includes more than one flow table, the data packets are queried sequentially in the order of the flow tables in the flow table group.
  • the input device is further configured to receive a command to delete the tenant flow table sent by the controller, and the processor is further configured to clear, according to the command to delete the correspondence between the tenant and the tenant-exclusive flow table group, the flow entries in each flow table in the tenant-specific flow table group.
  • FIG. 9: a schematic structural diagram is shown in FIG. 9. The device includes a memory 50, a processor 51, an input device 53, and an output device 54, which are respectively connected to the bus, where:
  • the memory 50 is used to store data input from the input device 53, and may also store information such as necessary files for processing the data by the processor 51;
  • the input device 53 and the output device 54 are ports for communication devices to communicate with other devices, and may further include output devices externally connected to the data analysis device such as a display, a keyboard, a mouse, a printer, and the like.
  • the input device 53 may include a mouse and a keyboard.
  • the output device 54 includes a display or the like;
  • the input device is configured to obtain, through a user interface, a service-related flow table solution customized by a tenant;
  • the output device is configured to send the flow table solution to the switch, so that the switch establishes the flow table group exclusive to the tenant according to the flow table solution, where the flow table group exclusive to the tenant includes one or more flow tables.
  • the device obtains the service-related flow table solution customized by the tenant through the user interface and sends the flow table solution to the switch, so that the switch establishes the flow table group exclusive to the tenant according to the flow table scheme, where the flow table group exclusive to the tenant includes one or more flow tables. Because the forwarding rules of different tenants are completely isolated in different flow tables, forwarding between tenants is not affected by conflicts between different policies, and there is no interference between tenants.
  • the input device is further configured to receive data packet information sent by the switch, and the processor is configured to calculate forwarding path information for the data flow to which the data packet belongs according to the physical network topology and the tenant's virtual network topology, and to convert the forwarding path information into a forwarding policy conforming to the tenant's flow table scheme according to the flow table rule definition of the tenant to which the data packet belongs;
  • the output device is further configured to send the forwarding policy to the switch, so that the forwarding policy is stored in a corresponding flow table of the tenant in the switch.
  • the processor specifically includes:
  • a routing module, configured to run a routing algorithm, perform path calculation for the flow to which the data packet belongs according to the physical network topology information and the tenant virtual network topology information held by the topology module, and send the calculation result to the policy conversion module;
  • a topology module, configured to store the physical network topology and the tenant's virtual network topology, and to provide the topology information the routing module needs for path calculation;
  • a policy conversion module, configured to receive the path information from the routing module and convert it into a forwarding policy that conforms to the tenant's flow table scheme according to the tenant's flow table rule definition.
  • the output device is further configured to: when the tenant leaves, send to the switch a command to delete the correspondence between the tenant and the tenant-specific flow table group, so that the switch clears the flow entries in the tenant-specific flow table group.
  • a person of ordinary skill in the art may understand that all or part of the steps of the above embodiments may be performed by a program instructing related hardware, and the program may be stored in a computer-readable storage medium; the storage medium may be a read-only memory, a magnetic disk, an optical disc, or the like.


Abstract

The invention relates to a data transmission method and apparatus that supports multiple tenants. The method, in an embodiment of the present invention, comprises: receiving data packets and performing tenant network identification on the received data packets; forwarding, according to a tenant network identification result, the data packets to a flow table group dedicated to the corresponding tenant for a query, the flow table group dedicated to the corresponding tenant comprising one or more flow tables; and processing, according to a corresponding flow table entry operation, a data packet found by the query. In the technical solution provided by the embodiments of the present invention, according to a tenant network identification result, data packets are forwarded to one or more flow tables dedicated to the corresponding tenant for a forwarding query, and a data packet found by the query is processed according to a flow table entry operation. Since the forwarding rules between tenants are completely isolated by using different flow tables, forwarding between tenants is not affected by conflicts between different policies, and tenants do not interfere with one another.
PCT/CN2014/080921 2013-07-31 2014-06-27 Data transmission method and apparatus that supports multiple tenants WO2015014187A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310328933.9 2013-07-31
CN201310328933.9A CN104348724B (zh) 2013-07-31 2013-07-31 A data forwarding method and apparatus supporting multi-tenancy

Publications (1)

Publication Number Publication Date
WO2015014187A1 (fr) 2015-02-05

Family

ID=52430960

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080921 WO2015014187A1 (fr) 2013-07-31 2014-06-27 Data transmission method and apparatus that supports multiple tenants

Country Status (2)

Country Link
CN (1) CN104348724B (fr)
WO (1) WO2015014187A1 (fr)


Also Published As

Publication number Publication date
CN104348724B (zh) 2019-04-26
CN104348724A (zh) 2015-02-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14832095

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14832095

Country of ref document: EP

Kind code of ref document: A1