WO2015027924A1 - Method, apparatus, and controller for controlling flow table update - Google Patents


Publication number
WO2015027924A1
Authority
WO
WIPO (PCT)
Prior art keywords
switch
filtering
flow table
filter
switches
Prior art date
Application number
PCT/CN2014/085324
Other languages
French (fr)
Chinese (zh)
Inventor
李勇
牛小兵
金德鹏
柳嘉强
刘彬
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2015027924A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/64: Hybrid switching systems
    • H04L12/6418: Hybrid transport

Definitions

  • the present invention relates to the field of the Internet, and in particular, to a method, a device, and a controller for controlling flow table update.
  • SDN (Software Defined Network) refers to separating the data plane from the control plane.
  • the data plane consists of a packet forwarding device with a unified interface.
  • the control plane consists of a centralized controller.
  • the controller controls the packet forwarding function by configuring the forwarding rules of the data plane forwarding device. Due to the large scale of network nodes, strong dynamic traffic between nodes, and high requirements for continuous connectivity and reliability of the network, the data center needs flexible and fine control of packet forwarding.
  • because it meets this requirement, the software-defined network has become a focus of data center network designers.
  • OpenFlow protocol is the most widely used protocol for control plane and data plane communication in SDN networks.
  • An OpenFlow switch is a forwarding device that supports the OpenFlow protocol. It processes incoming packets through flow table rules configured by the controller. In particular, because the OpenFlow protocol supports packet drop operations, flow table rules can be configured on the OpenFlow switch to implement packet filtering. However, because the number of flow tables and the access bandwidth of a switch are limited, coping with large-scale data traffic requires multiple switches to filter at the same time, with the load on each switch kept as equal as possible to improve resource utilization and filtering performance. Taking these factors into account, Figure 1 shows a typical two-layer structure for packet filtering based on OpenFlow switches.
  • the first layer switch S implements packet classification and equalization functions
  • the second layer switch F implements filtering rules for each type of data packet. For example, for the file access service, the switch S divides data packets into authorized user data packets and unauthorized user data packets according to the source IP address, and the second layer switch filters the access of unauthorized users to the specific file server according to the destination IP address, while ensuring that authorized users can access it normally.
  • S is called an ingress switch
  • F is called a filtering switch.
  • the data stream can be defined by a typical 5-tuple, i.e. (source MAC address, destination MAC address, source IP address, destination IP address, protocol); each type of data packet consists of several data streams.
  • filtering rules for such packets. Different types of packets have different filtering rules.
  • the filtering rules implemented by the filtering switch should be consistent with the type of the data packet forwarded to it, that is, if S forwards the packet of the jth class, then the filtering of the jth class packet should be implemented in ⁇ ; rule.
  • the controller needs to modify the flow tables in S and F to achieve new equalization, so that the traffic forwarded to each filter switch is as equal as possible.
  • the so-called violation filter rule refers to forwarding the k-th packet to F j ⁇ k when the flow table in the middle implements the j-type packet filtering rule. Therefore, a flow table update scheme is required to ensure that the flow table update process does not violate the filter rules.
  • the flow table before and after the update is regarded as two sets of different flow tables, which are respectively referred to as the old flow table and the new flow table.
  • a new flow table is written at the ingress switch, and the cached packets are returned to the ingress switch for processing.
  • the embodiment of the present invention provides a method, a device, and a controller for controlling flow table update, to solve the technical problem of how to implement flow table update that does not violate the filtering rule.
  • the embodiment of the present invention provides a method for controlling flow table update, which is used for a controller in a data center network, where the data center network further includes an ingress switch and multiple filter switches, and the method includes:
  • a first control operation: controlling the ingress switch to stop forwarding, to the first filter switch, data packets of the corresponding data packet type, where the corresponding data packet type is the data packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
  • a third control operation: after modifying the filtering rule in the first filter switch, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
  • the first control operation comprises:
  • the forwarding target device for the first data flow in the ingress switch is modified to the second filter switch, wherein the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • the first control operation comprises:
  • the data packet of the second data stream received from the ingress switch is returned to the ingress switch, wherein the second data stream is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • controlling operations on all the first filter switches include: performing control operations on all the first filter switches in sequence.
  • the step of performing control operations on all the first filter switches includes: a selecting step, selecting one of the to-be-processed filter switches from all the pending filter switches according to the preset first selection policy;
  • a to-be-processed filter switch is a first filter switch whose filtering rule has not yet been modified; a controlling step: performing the control operation on the selected to-be-processed filter switch; a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step when a to-be-processed filter switch still exists among all the first filter switches.
  • the selecting step comprises:
  • the reciprocal of the quantity is used as the update cost of each to-be-processed filter switch; according to a preset second selection policy, the one to-be-processed filter switch is selected from the to-be-processed filter switches whose calculated update cost is the smallest.
  • the second selection policy comprises a random selection policy.
  • the embodiment of the present invention further provides a flow table update control device, which is used for a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches, and the device includes:
  • the determining module is configured to: when the old flow table needs to be updated to the new flow table, determine, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches, among the plurality of filter switches, whose filtering rules need to be modified;
  • the control module is configured to perform control operations only on all the first filter switches, where the control operations for any of the first filter switches include:
  • a first control operation: controlling the ingress switch to stop forwarding, to the first filter switch, data packets of the corresponding data packet type, where the corresponding data packet type is the data packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
  • a third control operation: after modifying the filtering rule in the first filter switch, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
  • the first control operation comprises: determining whether the plurality of filter switches include a second filter switch that corresponds to the corresponding packet type in the filter switch mapping rule of the old flow table, and obtaining a determination result;
  • the forwarding target device for the first data flow in the ingress switch is modified to the second filter switch, wherein the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • the first control operation comprises:
  • the data packet of the second data stream received from the ingress switch is returned to the ingress switch, wherein the second data stream is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • control module is configured to sequentially perform control operations on all of the first filter switches.
  • control module is configured to perform the following steps to control the sequence of all the first filter switches:
  • a controlling step: performing the control operation on the selected to-be-processed filter switch; a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step when a to-be-processed filter switch still exists among all the first filter switches.
  • Embodiments of the present invention also provide a controller including the flow table update control device described above.
  • Embodiments of the present invention also provide a computer program comprising program instructions that, when executed by a controller, cause the controller to perform the method as described above.
  • Embodiments of the present invention also provide a carrier carrying the computer program.
  • the embodiment of the present invention has at least the following beneficial effects: while the filtering rule of a filter switch that needs modification is being modified, the ingress switch does not forward data packets to that filter switch, so the process does not violate the filtering rule.
  • the above method performs the control operation only on the filter switches whose filtering rules need to be modified.
  • for the other filter switches, the foregoing method does not need to stop the forwarding and filtering of their corresponding data packets, thereby avoiding unnecessary waiting delay for such packets.
  • Figure 1 shows a schematic diagram of a two-layer structure for implementing packet filtering based on an OpenFlow switch
  • FIG. 2 is a flow chart showing the steps of a flow table update control method according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a flow table update control device according to an embodiment of the present invention.
  • the flow table update scheme indicated in the prior art needs to update the flow table in all the filter switches, and does not let the ingress switch forward the data packets to any one of the filter switches during the flow table update process.
  • there may be filter switches whose filtering rules in the old and new flow tables are of the same type; while a new flow table is being written to such a filter switch, letting the ingress switch keep forwarding the corresponding data packets to it does not violate the filtering rules. Therefore, in the background scheme, stopping the ingress switch from forwarding the corresponding data packets to such a filter switch is unnecessary for avoiding violations of the filtering rule, and buffering those data packets causes them unnecessary waiting delay.
  • Step 201: When the controller needs to update the old flow table to the new flow table, it determines, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches, among the plurality of filter switches, whose filtering rules need to be modified;
  • Step 202 The controller performs control operations on all the first filter switches, where the control operation for any first filter switch is performed as follows:
  • a first control operation: the controller controls the ingress switch to stop forwarding data packets of the corresponding data packet type to the first filter switch, where the corresponding data packet type is the data packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table; a second control operation: after forwarding of data packets of the corresponding data packet type to the first filter switch has stopped, the controller modifies the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
  • a third control operation: after modifying the filtering rule in the first filter switch, the controller modifies the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
  • the ingress switch does not forward the data packet to the filtering switch, so that the process does not cause violation of the filtering rule.
  • since the foregoing method only controls the filter switches whose filtering rules need to be modified, it does not need to stop the forwarding and filtering of data packets for the other filter switches, whose filtering rules do not need to be modified, thereby avoiding unnecessary waiting delays for such packets.
  • the above method does not need to write a new flow table to the filter switch that does not need to modify the filtering rule, thereby reducing the number of flow table writes required for the update process.
  • the above method can be implemented with a single set of flow tables.
  • the switch is for example: OpenFlow switch.
  • the old flow table includes an initial flow table, or a flow table after the flow table is updated according to the related art.
  • the filter switch mapping rule of the old flow table may be parsed by the controller from the old flow table;
  • the filter switch mapping rule of the new flow table may be parsed by the controller from the new flow table;
  • the forwarding rule of the new flow table may be parsed by the controller from the new flow table.
  • a filter switch that needs to modify the filter rule is a filter switch that has a different packet type in the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table.
  • the modifying the filtering rule in any one of the first filtering switches according to the filtering switch mapping rule of the new flow table may include:
  • the filtering rule in any one of the first filtering switches is modified to the filtering rule corresponding to any one of the first filtering switches in the filtering switch mapping rule of the new flow table.
  • the modifying the forwarding rule for the any one of the first filtering switches in the ingress switch according to the forwarding rule of the new flow table may include:
  • the forwarding rule for the any one of the first filter switches in the ingress switch is modified to be a forwarding rule corresponding to any one of the first filter switches in the forwarding rule of the new flow table.
  • the first control operation may include:
  • the forwarding target device for the first data flow in the ingress switch is modified to the second filter switch, wherein the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • the forwarding target device for the first data stream refers to the device to which the ingress switch, after receiving a data packet of the first data stream, forwards that data packet according to its own flow table.
  • the first control operation may include:
  • the data packet of the second data stream received from the ingress switch is returned to the ingress switch, wherein the second data stream is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • the forwarding rule of the old flow table may be parsed by the controller from the old flow table.
  • the forwarding target device for the first data stream refers to the device to which the ingress switch, after receiving a data packet of the first data stream, forwards that data packet according to its own flow table.
  • the first control operation may include:
  • the forwarding target device for the first data flow in the ingress switch is modified to the second filter switch, wherein the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table;
  • the forwarding target device for the second data flow in the ingress switch is modified to be the controller, so that the controller can modify the ingress switch in the ingress switch respectively.
  • the data packet of the second data stream received from the ingress switch is returned to the ingress switch, wherein the second data stream is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • in the step of performing control operations on all the first filter switches, the control operations may be performed on the first filter switches sequentially.
  • control operations may be performed on all the first filter switches in the following manner:
  • a controlling step: performing the control operation on the selected to-be-processed filter switch; a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step when a to-be-processed filter switch still exists among all the first filter switches.
  • the selecting step may include:
  • the reciprocal of the quantity is used as the update cost of each to-be-processed filter switch; according to a preset second selection policy, the one to-be-processed filter switch is selected from the to-be-processed filter switches whose calculated update cost is the smallest.
  • the second selection policy includes a random selection policy.
  • the preferred embodiment provides a flow table update method for guaranteeing security rules in an SDN, wherein the old flow table is an initial flow table, and the flow table update method for ensuring security rules in the SDN includes the following steps:
  • Step A: The controller obtains the initial data, which includes parsing the flow tables to obtain the initial and new forwarding rules and filter switch mapping rules. A forwarding rule is a scheme for forwarding different data flows to different filter switches; a filter switch mapping rule is a scheme for assigning different filter switches to different types of data and executing the corresponding filtering rules.
  • Step B The controller compares the initial filter switch mapping rule M ⁇ and the new filter switch mapping rule M 2 to obtain a filter switch set F c that needs to modify the filtering rule, that is, a switch set with different initial filtering rules and new filtering rules;
  • step C the controller selects the filter switch F with the lowest update cost from the set of filter switches F c that need to be modified.
  • the update cost may be defined according to different goals and needs, and may be measured by different methods, for example by the reciprocal of the number of switches implementing the same type of filtering rule; the embodiment of the present invention is not limited to a specific update cost measurement method. When selecting the filter switch with the lowest cost, if several filter switches have the same lowest update cost, one of them is selected at random as the filter switch F to be updated;
  • step D the controller analyzes the current filter switch mapping rule to obtain and F. Have the same filtering a collection of other filter switches of the rule;
  • Step E If not, the controller modifies the flow table of the ingress switch S according to the initial forwarding rule, and forwards it to F.
  • the data stream is forwarded to the filter switch in ⁇ ; if ⁇ is empty, the controller modifies the flow table in the ingress switch and forwards it to F.
  • the data stream is forwarded to the controller cache;
  • Step F the controller is updated with F.
  • Related flow tables including first modifying F. Filtering rules to meet the new filter switch mapping rules; then, according to the new forwarding rules, modify the flow table in the ingress switch to forward the corresponding data stream to F. Finally, remove F from F c . ;
  • Step G if not empty, return to step C to execute; otherwise, perform step H;
  • step H the controller modifies the flow table in the ingress switch S to implement the forwarding rule FW 2 of the new flow table.
  • step I the controller sends the data packet buffered by the controller to the ingress switch for processing.
  • the preferred embodiment ensures that the security rules are not corrupted during the update process.
  • the security rule is not corrupted.
  • the filtering rule implemented by the filtering switch in the flow table update process is consistent with the type of data packet forwarded to it.
  • Steps A, B, C, and D do not involve flow table updates, so they do not break the security rules
  • Step E involves modifying the flow table in the ingress switch S. Since the filter switch in ⁇ has the same forwarding rules, the switch that forwards the data stream forwarded to it does not break the filter rule; when it is empty, it is forwarded to F. Forwarding the data stream to the controller cache does not break the security rules;
  • Step F involves modifying the flow table in the ingress switch S and the filter switch F.
  • the filtering rules are safe; after modifying the filtering rules, F.
  • the filtering rules satisfy the new switch mapping rules. Therefore, according to the new forwarding rules, the flow table in S is modified to forward the corresponding data stream to F. Is safe;
  • Step G does not involve flow table updates, so it does not break the security rules
  • the modification of the filtering rules of all the filtering switches is complete. That is, all the filtering switches meet the filtering rules of the filtering switch corresponding to the new flow table. Therefore, it is safe to modify the flow table in S according to the new forwarding rules.
  • the flow table of all switches has been updated from the initial flow table to the new flow table.
  • the flow entries of the switches are set in compliance with the security rules, so sending the data packets buffered during the update process to the ingress switch S for processing is safe.
  • the preferred embodiment is directed to flow table update in a packet filtering scenario based on OpenFlow switches in a software-defined data center network, and provides a new flow table update scheme that does not break the filtering rules: it guarantees that, during the flow table update process, the filtering rules deployed on a filter switch are consistent with the types of the packets forwarded to it.
  • the scheme based on the intermediate flow table pointed out in the background is a flow table update scheme for a general scenario, mainly focusing on the consistency of the flow table update process. It also regards the flow tables before and after the update as two different sets of flow tables, namely the old flow table and the new flow table; during the update, each data packet is processed either according to the old flow table or according to the new flow table, and cannot be processed according to the old flow table in some network devices and according to the new flow table in others.
  • VLAN Virtual Local Area Network
  • the network device processes incoming packets with flow table rules having the same VLAN tag.
  • the VLAN tag-based scheme includes both old and new flow tables in the update process, and needs to occupy more flow table resources.
  • because VLANs are used as labels, global VLAN allocation and management are required.
  • the scheme based on the intermediate flow table uploads data packets to the controller during the update process, so the controller interface bandwidth and processing capability become the bottleneck affecting network performance.
  • the above two schemes update the flow tables in all the switches in parallel; although this reduces the time required for the flow table update, it causes a sudden increase in control network traffic and affects network performance.
  • the preferred embodiment uses only one set of flow table resources in the update process, which reduces the flow table resources required during the update; and since VLAN tags are not used, the preferred embodiment is more versatile in the scenario shown in Figure 1. Compared with the update method based on the intermediate flow table, the preferred embodiment avoids uploading all data packets involved in the update process to the controller for processing, reducing the load on the controller.
  • the preferred embodiment uses a sequential update scheme in which the controller updates the flow tables of only one or a few switches at a time. Compared with the parallel scheme, the flow table update task causes a smaller increase in control traffic, so the preferred embodiment effectively reduces control traffic jitter while ensuring that the flow table update process does not violate the security rules.
  • the preferred embodiment ensures that the flow table update process does not violate the security filtering rules defined by the data center network, reduces the number of flow tables required during the update process, and reduces the jitter of network traffic during the update process.
  • the update cost is measured by the reciprocal of the number of switches that can be used to implement the same filtering rule, and the related flow table update is performed preferentially on the filter switch with the smallest number of switches currently available to implement the same filtering rule, which helps to reduce the packet traffic that needs to be uploaded to the controller during the update process.
  • A specific example of the preferred embodiment is set forth below to illustrate how it is applied to the flow table update process.
  • the preferred embodiment assumes two types of data packets; three filter switches, ⁇ and four data streams, and wherein data streams 1-2 form a first type of data packet, and data stream 3-4 constitutes a second type of data packet.
  • the mapping rule of the initial filter switch is ⁇ , ⁇ 2 ⁇ , ⁇ ?), that is, F 2 implements the filtering rule of the first type of data packet, and F 3 implements the second type.
  • the filtering rules for the packet are forwarded to the new stream table, stream 3 Forward to F 2 , data stream 4 is forwarded to F 3 ;
  • step D Since the filtering rules of the first type of data packets are implemented, the F is obtained in step D.
  • Switch set with the same filtering rules ⁇ ;
  • step F the filter switch F is first modified.
  • After step F is executed, F c is already an empty set, so step H is executed directly. The current forwarding rule is already identical to the forwarding rule FW 2 of the new flow table, and the current filter switch mapping rule is identical to the filter switch mapping rule M 2 of the new flow table, so the flow table does not need to be modified in step H; and no data packet was uploaded to the controller during the update process, so step I is not required. The flow table update process in the preferred embodiment ends here.
  • an embodiment of the present invention further provides a flow table update control device, which is used for a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches, where the device includes :
  • the determining module is configured to: when the old flow table needs to be updated to the new flow table, determine, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches, among the plurality of filter switches, whose filtering rules need to be modified;
  • the control module is configured to perform control operations only on all the first filter switches, where the control operations for any of the first filter switches are performed as follows:
  • a first control operation: controlling the ingress switch to stop forwarding, to the first filter switch, data packets of the corresponding data packet type, where the corresponding data packet type is the data packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
  • a third control operation: after modifying the filtering rule in the first filter switch, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
  • the ingress switch does not forward data packets to the filter switch being modified, so the process does not violate the filtering rule. Because the foregoing method only controls the filter switches whose filtering rules need to be modified, it does not need to stop the forwarding and filtering of data packets for the other filter switches, whose filtering rules do not need to be modified, thereby avoiding unnecessary waiting delays for such packets.
  • the first control operation may include:
  • the forwarding target device for the first data flow in the ingress switch is modified to the second filter switch, wherein the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • the first control operation may include:
  • the data packet of the second data flow received from the ingress switch is returned to the ingress switch; wherein the second data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
  • control operations may be sequentially performed on all the first filter switches.
  • all the first filter switches may be sequentially controlled in the following manner:
  • a controlling step: performing the control operation on the selected to-be-processed filter switch;
  • a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step when a to-be-processed filter switch still exists among all the first filter switches.
  • the embodiment of the invention further provides a controller, which includes the control device for updating the flow table described above.
  • while a filter switch whose filtering rule needs to be modified is modifying its own filtering rule, the ingress switch does not forward data packets to that filter switch, so the process does not cause a violation of the filtering rule;
  • the technical solution performs control operations only on the filter switches whose filtering rules need to be modified.
  • the foregoing method does not need to stop the forwarding and filtering of the data packets corresponding to the other filter switches, so unnecessary waiting delays for such packets are avoided.

Abstract

A method, an apparatus, and a controller for controlling flow table update. The method comprises: when an old flow table needs to be updated to a new flow table, determining, according to a filter switch mapping rule of the old flow table and a filter switch mapping rule of the new flow table, all first filter switches among multiple filter switches whose filter rule needs to be modified; and performing a control operation only on all the first filter switches, where the control operation on any first filter switch is performed in the following manner: a first control operation; a second control operation; and a third control operation. The foregoing technical solution provides a new manner that implements flow table update without violating a filter rule.

Description

Control method, device and controller for flow table update
Technical field
The present invention relates to the field of the Internet, and in particular to a control method, device and controller for flow table update.
Background
Software Defined Network (SDN) refers to the separation of the data plane from the control plane. The data plane consists of packet forwarding devices with a unified interface, and the control plane consists of a centralized controller. The controller controls packet forwarding by configuring the forwarding rules of the data plane forwarding devices. Because data centers have a large number of network nodes, highly dynamic traffic between nodes, and high requirements for continuous connectivity and reliability, they need flexible and fine-grained control of packet forwarding. Software-defined networking meets this need and has therefore attracted wide attention from data center network designers.
The OpenFlow protocol is currently the most widely used protocol for communication between the control plane and the data plane in SDN networks. An OpenFlow switch is a forwarding device that supports the OpenFlow protocol; it processes incoming packets according to flow table rules configured by the controller. In particular, because the OpenFlow protocol supports a packet drop action, flow table rules can be configured in an OpenFlow switch to implement packet filtering. However, the number of flow tables and the access bandwidth of a switch are both limited, so to handle large-scale data traffic, multiple switches must perform filtering at the same time, with the load on each switch kept as equal as possible to improve resource utilization and filtering performance. Taking these factors into account, Figure 1 shows a typical two-layer structure that implements packet filtering based on OpenFlow switches. In this structure, the first-layer switch S performs packet classification and load balancing, and the second-layer switches F implement the filtering rules for each type of packet. For example, for a file access service, switch S classifies packets by source IP address into authorized-user packets and unauthorized-user packets, and the second-layer switches use the destination IP address to filter out access by unauthorized users to specific file servers while ensuring that authorized users can access them normally. For ease of description, S is called the ingress switch and F is called a filter switch. All packets entering S are abstracted as a number of data flows; a data flow can be defined by a typical 5-tuple, namely (source MAC address, destination MAC address, source IP address, destination IP address, protocol), and each type of packet consists of several of these data flows. According to the security rules, the packets of certain flows need to be filtered out; we call this the filtering rule for that type of packet. Different types of packets have different filtering rules.
To ensure security, the filtering rule implemented by a filter switch should match the type of the packets forwarded to it; that is, if S forwards class-j packets to a filter switch, that filter switch should implement the filtering rule for class-j packets. In addition, when the traffic of the different packet types changes, the controller needs to modify the flow tables in S and F to reach a new balance, so that the traffic forwarded to each filter switch is as equal as possible.
However, since the modified flow tables in S and F cannot be guaranteed to take effect at the same moment, the flow table update process may violate the filtering rules. A violation of the filtering rules means that class-k packets are forwarded to a filter switch F whose flow table implements the filtering rule for class-j packets, where j ≠ k. A flow table update scheme is therefore needed that guarantees the update process does not violate the filtering rules.
The current flow table update scheme treats the flow tables before and after the update as two different sets of flow tables, called the old flow table and the new flow table. First, an intermediate flow table is written to the ingress switch so that the ingress switch uploads packets arriving during the update to the controller for buffering; then the new flow table is written to each filter switch; once the new flow table has taken effect in all filter switches, the new flow table is written to the ingress switch and the buffered packets are returned to the ingress switch for processing.
Summary of the invention
In view of this, embodiments of the present invention provide a control method, device and controller for flow table update, to solve the technical problem of how to update flow tables without violating the filtering rules.
To solve the above technical problem, embodiments of the present invention provide the following solutions:
An embodiment of the present invention provides a control method for flow table update, used in a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches. The method includes:
when an old flow table needs to be updated to a new flow table, determining, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified;
performing control operations only on all the first filter switches, where the control operation for any first filter switch includes:
a first control operation: controlling the ingress switch to stop forwarding packets of the corresponding packet type to that first filter switch, where the corresponding packet type is the packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
a second control operation: after the ingress switch has stopped forwarding packets of the corresponding packet type to that first filter switch, modifying the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
a third control operation: after the filtering rule in that first filter switch has been modified, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
Preferably, the first control operation includes:
determining whether the plurality of filter switches include a second filter switch that corresponds to the corresponding packet type in the filter switch mapping rule of the old flow table, and obtaining a determination result;
when the determination result is yes, changing the forwarding target device for a first data flow in the ingress switch to the second filter switch, where the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
Preferably, the first control operation includes:
changing the forwarding target device for a second data flow in the ingress switch to the controller, so that the controller can return the packets of the second data flow received from the ingress switch to the ingress switch after the ingress switch has finished modifying its forwarding rules for all the first filter switches, where the second data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
Preferably, performing control operations only on all the first filter switches includes: performing control operations on all the first filter switches sequentially.
Preferably, the step of performing control operations only on all the first filter switches includes:
a selecting step: selecting, according to a preset first selection policy, one to-be-processed filter switch from all to-be-processed filter switches, where a to-be-processed filter switch is a filter switch among all the first filter switches whose filtering rule has not yet been modified;
a controlling step: performing the control operation on the selected to-be-processed filter switch;
a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step if a to-be-processed filter switch still exists among all the first filter switches.
Preferably, the selecting step includes:
determining, for each to-be-processed filter switch, the number of filter switches that currently correspond to the same packet type as that to-be-processed filter switch in the filter switch mapping rule of the old flow table;
taking the reciprocal of that number as the update cost of each to-be-processed filter switch;
selecting, according to a preset second selection policy, the one to-be-processed filter switch from among the to-be-processed filter switches with the smallest calculated update cost.
Preferably, the second selection policy includes a random selection policy.
An embodiment of the present invention further provides a control device for flow table update, used in a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches. The device includes:
a determining module, configured to determine, when an old flow table needs to be updated to a new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table;
a control module, configured to perform control operations only on all the first filter switches, where the control operation for any first filter switch includes:
a first control operation: controlling the ingress switch to stop forwarding packets of the corresponding packet type to that first filter switch, where the corresponding packet type is the packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
a second control operation: after the ingress switch has stopped forwarding packets of the corresponding packet type to that first filter switch, modifying the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
a third control operation: after the filtering rule in that first filter switch has been modified, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
Preferably, the first control operation includes:
determining whether the plurality of filter switches include a second filter switch that corresponds to the corresponding packet type in the filter switch mapping rule of the old flow table, and obtaining a determination result;
when the determination result is yes, changing the forwarding target device for a first data flow in the ingress switch to the second filter switch, where the first data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
Preferably, the first control operation includes:
changing the forwarding target device for a second data flow in the ingress switch to the controller, so that the controller can return the packets of the second data flow received from the ingress switch to the ingress switch after the ingress switch has finished modifying its forwarding rules for all the first filter switches, where the second data flow is the data flow corresponding to that first filter switch in the forwarding rule of the old flow table.
Preferably, the control module is configured to perform control operations on all the first filter switches sequentially.
Preferably, the control module is configured to perform the following steps to carry out control operations on all the first filter switches sequentially:
a selecting step: selecting, according to a preset first selection policy, one to-be-processed filter switch from all to-be-processed filter switches, where a to-be-processed filter switch is a filter switch among all the first filter switches whose filtering rule has not yet been modified;
a controlling step: performing the control operation on the selected to-be-processed filter switch;
a returning step: after the control operation on the selected to-be-processed filter switch is completed, returning to the selecting step if a to-be-processed filter switch still exists among all the first filter switches.
An embodiment of the present invention further provides a controller that includes the flow table update control device described above.
An embodiment of the present invention further provides a computer program including program instructions which, when executed by a controller, enable the controller to perform the method described above.
An embodiment of the present invention further provides a carrier carrying the computer program.
As can be seen from the above, the embodiments of the present invention have at least the following beneficial effects:
while a filter switch whose filtering rule needs to be modified is modifying its own filtering rule, the ingress switch does not forward packets to that filter switch, so the process does not cause a violation of the filtering rules; in addition, because control operations are performed only on the filter switches whose filtering rules need to be modified, the forwarding and filtering of packets corresponding to the other filter switches, whose filtering rules do not need to be modified, need not be stopped, which avoids unnecessary waiting delay for those packets.
Brief description of the drawings
Figure 1 is a schematic diagram of a typical two-layer structure that implements packet filtering based on OpenFlow switches;
Figure 2 is a flowchart of the steps of a control method for flow table update provided by an embodiment of the present invention;
Figure 3 is a schematic structural diagram of a control device for flow table update provided by an embodiment of the present invention.
Preferred embodiments of the invention
Embodiments of the present invention are described in detail below with reference to the drawings and specific embodiments. Where no conflict arises, the embodiments of the present invention and the features in the embodiments may be combined with one another arbitrarily.
The flow table update scheme described in the Background needs to update the flow tables in all filter switches, and during the update it does not let the ingress switch forward packets to any filter switch. However, there may be filter switches whose filtering rules target the same packet type in the old and new flow tables; letting the ingress switch forward the corresponding packets to such a filter switch while the new flow table is being written to it does not cause a violation of the filtering rules. Stopping the ingress switch from forwarding the corresponding packets to such filter switches, as the Background scheme does, is therefore unnecessary for avoiding filtering rule violations, and buffering those packets instead causes them unnecessary waiting delay.
Figure 2 is a flowchart of the steps of a control method for flow table update provided by an embodiment of the present invention. Referring to Figure 2, an embodiment of the present invention provides a control method for flow table update, used in a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches. The method includes the following steps:
Step 201: when an old flow table needs to be updated to a new flow table, the controller determines, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified;
Step 202: the controller performs control operations only on all the first filter switches, where the control operation for any first filter switch is performed as follows:
a first control operation: the controller controls the ingress switch to stop forwarding packets of the corresponding packet type to that first filter switch, where the corresponding packet type is the packet type corresponding to that first filter switch in the filter switch mapping rule of the old flow table;
a second control operation: after the ingress switch has stopped forwarding packets of the corresponding packet type to that first filter switch, the controller modifies the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
a third control operation: after the filtering rule in that first filter switch has been modified, the controller modifies the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
It can be seen that, with the flow table update implemented in this way, while a filter switch whose filtering rule needs to be modified is modifying its own filtering rule, the ingress switch does not forward packets to that filter switch, so the process does not cause a violation of the filtering rules. In addition, because control operations are performed only on the filter switches whose filtering rules need to be modified, the forwarding and filtering of packets corresponding to the other filter switches, whose filtering rules do not need to be modified, need not be stopped, which avoids unnecessary waiting delay for those packets. Furthermore, this approach does not need to write the new flow table to filter switches whose filtering rules do not need to be modified, which reduces the number of flow table writes required by the update. Moreover, this approach can be implemented with a single set of flow tables.
The switches are, for example, OpenFlow switches.
The old flow table includes an initial flow table, or a flow table obtained after a flow table update performed according to the related art.
The filter switch mapping rule of the old flow table may be obtained by the controller by parsing the old flow table;
the filter switch mapping rule of the new flow table may be obtained by the controller by parsing the new flow table;
the forwarding rule of the new flow table may be obtained by the controller by parsing the new flow table.
A filter switch whose filtering rule needs to be modified is a filter switch whose corresponding packet type in the filter switch mapping rule of the old flow table differs from its corresponding packet type in the filter switch mapping rule of the new flow table.
所述根据所述新流表的过滤交换机映射规则, 修改所述任一第一过滤交 换机中的过滤规则可以包括:  The modifying the filtering rule in any one of the first filtering switches according to the filtering switch mapping rule of the new flow table may include:
将所述任一第一过滤交换机中的过滤规则修改为所述新流表的过滤交换 机映射规则中所述任一第一过滤交换机对应的过滤规则。  The filtering rule in any one of the first filtering switches is modified to the filtering rule corresponding to any one of the first filtering switches in the filtering switch mapping rule of the new flow table.
所述根据所述新流表的转发规则, 修改所述入口交换机中针对所述任一 第一过滤交换机的转发规则可以包括:  The modifying the forwarding rule for the any one of the first filtering switches in the ingress switch according to the forwarding rule of the new flow table may include:
将所述入口交换机中针对所述任一第一过滤交换机的转发规则修改为所 述新流表的转发规则中所述任一第一过滤交换机对应的转发规则。  The forwarding rule for the any one of the first filter switches in the ingress switch is modified to be a forwarding rule corresponding to any one of the first filter switches in the forwarding rule of the new flow table.
在本发明实施例中, 所述第一控制操作可以包括:  In the embodiment of the present invention, the first control operation may include:
判断所述多个过滤交换机中是否有在所述旧流表的过滤交换机映射规则 中对应所述相应数据包类型的第二过滤交换机, 获取判断结果;  Determining, by the plurality of filter switches, a second filter switch corresponding to the corresponding packet type in a filter switch mapping rule of the old flow table, and obtaining a determination result;
当所述判断结果为是时, 将所述入口交换机中针对第一数据流的转发目 标设备修改为所述第二过滤交换机; 其中, 所述第一数据流为所述旧流表的 转发规则中所述任一第一过滤交换机对应的数据流。  When the result of the determination is YES, the forwarding target device for the first data flow in the ingress switch is modified to the second filtering switch; wherein the first data flow is a forwarding rule of the old flow table. The data flow corresponding to any of the first filter switches.
其中, 针对第一数据流的转发目标设备是指所述入口交换机在收到所述 第一数据流的数据包后按照自身流表来将接收到的所述第一数据流的数据包 转发至的设备。  The forwarding target device for the first data stream refers to that the ingress switch forwards the received data packet of the first data stream to the received data packet according to the self flow table after receiving the data packet of the first data stream to device of.
或者, 所述第一控制操作可以包括:  Alternatively, the first control operation may include:
将所述入口交换机中针对第二数据流的转发目标设备修改为所述控制 器, 使得所述控制器能够在所述入口交换机修改完所述入口交换机中分别针 对所述所有第一过滤交换机的转发规则之后, 将从所述入口交换机接收到的 所述第二数据流的数据包, 返回给所述入口交换机; 其中, 所述第二数据流 为所述旧流表的转发规则中所述任一第一过滤交换机对应的数据流。  Modifying, in the ingress switch, a forwarding target device for the second data flow to the controller, so that the controller is capable of modifying the ingress switch for each of the first filtering switches, respectively, in the ingress switch After forwarding the rule, the data packet of the second data stream received from the ingress switch is returned to the ingress switch; wherein the second data stream is described in a forwarding rule of the old flow table. The data flow corresponding to any first filter switch.
其中, 所述旧流表的转发规则可以由所述控制器从所述旧流表中解析得 到。 针对第一数据流的转发目标设备是指所述入口交换机在收到所述第一数 据流的数据包后按照自身流表来将接收到的所述第一数据流的数据包转发至 的设备。 The forwarding rule of the old flow table may be parsed by the controller from the old flow table. The forwarding target device for the first data stream refers to the device to which the ingress switch forwards the received data packet of the first data stream according to its own flow table after receiving the data packet of the first data stream. .
当然, 上述所述第一控制操作的具体方式也可以相结合, 例如, 所述第 一控制操作可以包括:  Certainly, the specific manner of the foregoing first control operation may also be combined. For example, the first control operation may include:
判断所述多个过滤交换机中是否有在所述旧流表的过滤交换机映射规则 中对应所述相应数据包类型的第二过滤交换机, 获取判断结果;  Determining, by the plurality of filter switches, a second filter switch corresponding to the corresponding packet type in a filter switch mapping rule of the old flow table, and obtaining a determination result;
当所述判断结果为是时, 将所述入口交换机中针对第一数据流的转发目 标设备修改为所述第二过滤交换机; 其中, 所述第一数据流为所述旧流表的 转发规则中所述任一第一过滤交换机对应的数据流;  When the result of the determination is YES, the forwarding target device for the first data flow in the ingress switch is modified to the second filtering switch; wherein the first data flow is a forwarding rule of the old flow table. a data flow corresponding to any one of the first filter switches;
当所述判断结果为否时, 将所述入口交换机中针对第二数据流的转发目 标设备修改为所述控制器, 使得所述控制器能够在所述入口交换机修改完所 述入口交换机中分别针对所述所有第一过滤交换机的转发规则之后, 将从所 述入口交换机接收到的所述第二数据流的数据包, 返回给所述入口交换机; 其中, 所述第二数据流为所述旧流表的转发规则中所述任一第一过滤交换机 对应的数据流。  When the result of the determination is no, the forwarding target device for the second data flow in the ingress switch is modified to be the controller, so that the controller can modify the ingress switch in the ingress switch respectively. After the forwarding rule of all the first filtering switches, the data packet of the second data stream received from the ingress switch is returned to the ingress switch; wherein the second data stream is the The data flow corresponding to any of the first filter switches in the forwarding rule of the old flow table.
In the embodiment of the present invention, in the step of performing control operations only on all the first filter switches, the control operations may be performed on the first filter switches sequentially.
Optionally, in that step, the control operations may be performed on all the first filter switches sequentially in the following manner:
a selection step: according to a preset first selection policy, selecting one pending filter switch from all pending filter switches, where a pending filter switch is a first filter switch whose filtering rule has not yet been modified;
a control step: performing the control operation on the selected pending filter switch;
a return step: after the control operation on the selected pending filter switch is complete, returning to the selection step if pending filter switches remain among the first filter switches.
The selection step may include:
determining, for each pending filter switch, the number of filter switches that currently correspond to the same data packet type as that pending filter switch in the filter switch mapping rule of the old flow table;
taking the reciprocal of that number as the update cost of each pending filter switch;
selecting, according to a preset second selection policy, one pending filter switch from the pending filter switches whose calculated update cost is the smallest.
The second selection policy includes a random selection policy.
To describe the embodiments of the present invention more clearly, a preferred implementation of the embodiments is given below.
This preferred implementation provides a flow table update method that guarantees the security rules in an SDN, in which the old flow table is the initial flow table. The method includes the following steps:
Step A: The controller obtains the initial data. This includes analyzing the flow tables to obtain the initial and new forwarding rules and filter switch mapping rules. A forwarding rule is a scheme for forwarding different data flows to different filter switches; a filter switch mapping rule is a scheme that assigns different filter switches to different types of data and has them execute the corresponding filtering rules. Specifically, the controller analyzes the initial flow table to obtain the initial forwarding rule $FW_1 = \{FW_1^l, 1 \le l \le L\}$, where $FW_1^l = n$ means that data flow $l$ is initially forwarded to the $n$-th filter switch, and the initial filter switch mapping rule $M_1 = \{M_1^n, 1 \le n \le N\}$, where $M_1^n = m$ means that the $n$-th filter switch initially implements the filtering rule for the $m$-th type of data packet. It then analyzes the new flow table to obtain the new forwarding rule $FW_2 = \{FW_2^l, 1 \le l \le L\}$ and the new filter switch mapping rule $M_2 = \{M_2^n, 1 \le n \le N\}$.
Step B: The controller compares the initial filter switch mapping rule $M_1$ with the new filter switch mapping rule $M_2$ to obtain the set $F_c$ of filter switches whose filtering rules need to be modified, that is, the set of switches whose initial and new filtering rules differ.
Step C: The controller selects, from the set $F_c$ of filter switches that currently need to be modified, the filter switch $F_o$ with the lowest update cost. The update cost may be defined according to different goals and needs and may be measured in different ways, for example by the reciprocal of the number of switches that implement the same type of filtering rule; the embodiment of the present invention is not limited to a specific way of measuring the update cost. If several filter switches have an equal update cost that is also the lowest, one of them is selected at random as the final lowest-cost filter switch $F_o$.
Step D: The controller analyzes the current filter switch mapping rule to obtain the set of other filter switches that have the same filtering rule as $F_o$.
Step E: If that set is not empty, the controller modifies the flow table of the ingress switch S according to the initial forwarding rule, so that the data flows forwarded to $F_o$ are forwarded to a filter switch in the set. If the set is empty, the controller modifies the flow table in the ingress switch so that the data flows forwarded to $F_o$ are forwarded to the controller cache.
Step F: The controller updates the flow tables related to $F_o$. It first modifies the filtering rule of $F_o$ so that it satisfies the new filter switch mapping rule; then, according to the new forwarding rule, it modifies the flow table in the ingress switch so that the corresponding data flows are forwarded to $F_o$; finally it deletes $F_o$ from $F_c$.
Step G: If $F_c$ is not empty, return to step C; otherwise, go to step H.
Step H: The controller modifies the flow table in the ingress switch S to implement the forwarding rule $FW_2$ of the new flow table.
Step I: The controller sends the data packets held in the controller cache to the ingress switch for processing.
The following explains, by logical reasoning, how this preferred implementation guarantees that the security rules are not broken during the update. The security rules are not broken if, throughout the flow table update, the filtering rule implemented by a filter switch is consistent with the type of data packets forwarded to it.
Steps A, B, C and D do not involve any flow table update, so they do not break the security rules.
Step E involves modifying the flow table in the ingress switch S. Because the filter switches in the set obtained in step D have the same forwarding rule as $F_o$, forwarding the data flows destined for $F_o$ to a switch in that set does not break the filtering rules. When the set is empty, forwarding the data flows destined for $F_o$ to the controller cache does not break the security rules either.
Step F involves modifying the flow tables in the ingress switch S and in the filter switch $F_o$. Once step E has finished, no data flow is forwarded to $F_o$ any more, so modifying the filtering rule of $F_o$ is safe. After that modification the filtering rule of $F_o$ satisfies the new filter switch mapping rule, so modifying the flow table in S according to the new forwarding rule, so that the corresponding data flows are forwarded to $F_o$, is also safe.
Step G does not involve any flow table update, so it does not break the security rules.
Before step H is executed, the filtering rules of all filter switches have already been modified, that is, all filter switches satisfy the filter switch mapping rule of the new flow table, so modifying the flow table in S according to the new forwarding rule is safe.
Before step I is executed, the flow tables of all switches have been updated from the initial flow table to the new flow table. The flow entries in the switches now comply with the security rules, so sending the data packets cached during the update to the ingress switch S for processing is safe.
This preferred implementation addresses flow table updates where OpenFlow switches perform packet filtering in a software-defined data center network. It gives a new flow table update scheme that does not break the filtering rules and guarantees that, throughout the update, the filtering rule deployed on a filter switch is consistent with the type of data packets forwarded to it.
The intermediate-flow-table scheme mentioned in the background is a flow table update scheme for general scenarios. It is mainly concerned with the consistency of the update process: the flow tables before and after the update are treated as two different sets, called the old flow table and the new flow table, and during the update each data packet is processed either according to the old flow table or according to the new flow table. A packet must not be processed according to the old flow table in some network devices and according to the new flow table in others. Another scheme achieves the same consistency with virtual local area network (VLAN) tags: the tags distinguish the old and new sets of flow tables, the ingress switch sets a VLAN tag on each packet entering the network, and each network device processes an incoming packet with the flow table rules that carry the same VLAN tag.
Although both schemes can be used for the flow table update in the scenario shown in Figure 1, they have several main problems. First, the VLAN-tag scheme holds both the old and the new flow tables during the update and therefore occupies more flow table resources; because VLANs are used as tags, it also requires global VLAN allocation and management. Second, the intermediate-flow-table scheme uploads data packets to the controller during the update, so the controller's interface bandwidth and processing capacity become a bottleneck for network performance. Finally, both schemes update the flow tables in all switches in parallel, which shortens the update but causes a burst of control network traffic that affects network performance.
Compared with the VLAN-tag update method, this preferred implementation uses only one set of flow table resources during the update, which lowers the demand the update places on flow table resources, and because it uses no VLAN tags it is more generally applicable in the scenario shown in Figure 1. Compared with the intermediate-flow-table update method, it avoids uploading all data packets involved in the update to the controller, which lowers the load on the controller. In addition, this preferred implementation uses a sequential update scheme in which the controller updates the flow tables of only one or a few switches at any moment. Compared with a parallel scheme, the update task adds less control traffic, so the implementation reduces control traffic jitter while guaranteeing that the update does not violate the security rules.
This preferred implementation guarantees that the flow table update does not break the security filtering rules defined for the data center network, reduces the number of flow tables needed during the update, and reduces the jitter of network traffic during the update.
In this preferred implementation, when the update cost is measured by the reciprocal of the number of switches available to implement the same type of filtering rule, the related flow tables are updated first for the filter switch for which this reciprocal is currently the smallest. This helps reduce the volume of data packets that must be uploaded to the controller during the update.
A preferred example of this preferred implementation is given below to show how it is applied to a flow table update.
This preferred example assumes two types of data packets, three filter switches $F_1$, $F_2$ and $F_3$, and four data flows, where data flows 1-2 make up the first type of data packet and data flows 3-4 make up the second type. The initial forwarding rule is assumed to be $FW_1 = \{FW_1^1 = 1, FW_1^2 = 2, FW_1^3 = 3, FW_1^4 = 3\}$, that is, data flow 1 is forwarded to $F_1$, data flow 2 to $F_2$, and data flows 3 and 4 to $F_3$. The initial filter switch mapping rule is $M_1 = \{M_1^1 = 1, M_1^2 = 1, M_1^3 = 2\}$, that is, $F_1$ and $F_2$ implement the filtering rule for the first type of data packet and $F_3$ implements the filtering rule for the second type. The new forwarding rule is $FW_2 = \{FW_2^1 = 1, FW_2^2 = 1, FW_2^3 = 2, FW_2^4 = 3\}$, that is, in the new flow table data flows 1 and 2 are forwarded to $F_1$, data flow 3 to $F_2$, and data flow 4 to $F_3$. The new filter switch mapping rule is $M_2 = \{M_2^1 = 1, M_2^2 = 2, M_2^3 = 2\}$, that is, in the new flow table $F_1$ implements the filtering rule for the first type of data packet, and $F_2$ and $F_3$ implement the filtering rule for the second type.
In step B, comparing $M_1$ and $M_2$ yields the set of filter switches that need to be modified, $F_c = \{F_2\}$. In step C, the switch with the lowest update cost is selected: $F_o = F_2$.
Because $F_o$ implements the filtering rule for the first type of data packet, step D yields the set of switches with the same filtering rule as $F_o$, namely $\{F_1\}$.
Because this set is not empty, in step E the flow table in S is modified so that data flow 2, which was forwarded to $F_o = F_2$, is instead forwarded to the filter switch $F_1$ in the set.
Because $M_2^2 = 2$, in step F the flow table in the filter switch $F_o = F_2$ is modified first, so that it implements the filtering rule for the second type of data packet. Then, according to the forwarding rule $FW_2$, the flow table in S is modified so that data flow 3 is forwarded to the filter switch $F_2$. Finally, $F_o = F_2$ is deleted from $F_c$.
After step F has been executed, $F_c$ is an empty set, so step H is executed directly. The current forwarding rule is already identical to the forwarding rule $FW_2$ of the new flow table, and the current filter switch mapping rule is identical to the filter switch mapping rule $M_2$ of the new flow table, so the flow table does not need to be modified in step H. No data packets were uploaded to the controller during the update, so step I does not need to be executed either, and the flow table update in this preferred example ends here.
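Steps B to I, run on the worked example above with the security rule checked after every single flow-table change, as an added Python sketch (not code from the patent). The function names, picking the first peer in step E, counting the switch itself in the update cost, and the second two-switch scenario are assumptions made for illustration.

```python
import random

CONTROLLER = "controller"  # step E fallback: packets are cached at the controller

def violations(fwd, mapping, flow_class):
    """Flows whose current target filters a different packet class than the flow's."""
    return sorted(f for f, t in fwd.items()
                  if t != CONTROLLER and mapping[t] != flow_class[f])

def sequential_update(fw1, m1, fw2, m2, flow_class, rng=None):
    """Steps B-I for one ingress switch S; returns (fwd, mapping, trace, buffered)."""
    rng = rng or random.Random(0)
    fwd, mapping = dict(fw1), dict(m1)   # live forwarding table of S, live filter rules
    trace, buffered = [], set()

    def record(step, detail):
        # Check the security rule after every single flow-table change.
        bad = violations(fwd, mapping, flow_class)
        if bad:
            raise RuntimeError(f"step {step}: flows {bad} reach a mismatched filter")
        trace.append((step, detail))

    def cost(n):
        # Assumption: the count includes the switch itself, so it is never zero.
        return 1 / sum(1 for k in mapping if mapping[k] == mapping[n])

    pending = {n for n in m1 if m1[n] != m2[n]}             # step B: F_c
    while pending:                                          # step G
        low = min(cost(n) for n in pending)                 # step C
        fo = rng.choice(sorted(n for n in pending if cost(n) == low))
        peers = sorted(k for k in mapping                   # step D
                       if k != fo and mapping[k] == mapping[fo])
        # Step E: drain F_o. The live table of S is used here, so flows moved
        # onto F_o by an earlier round are drained as well.
        for f in sorted(f for f, t in fwd.items() if t == fo):
            if peers:
                fwd[f] = peers[0]        # assumption: first peer; the page names no choice
            else:
                fwd[f] = CONTROLLER
                buffered.add(f)
            record("E", f"flow {f} -> {fwd[f]}")
        mapping[fo] = m2[fo]                                # step F: filter rule first ...
        record("F", f"{fo} filters class {m2[fo]}")
        for f in sorted(f for f, t in fw2.items() if t == fo):   # ... then forwarding
            fwd[f] = fo
            record("F", f"flow {f} -> {fo}")
        pending.discard(fo)
    for f in sorted(fw2):                                   # step H
        if fwd[f] != fw2[f]:
            fwd[f] = fw2[f]
            record("H", f"flow {f} -> {fw2[f]}")
    return fwd, mapping, trace, buffered                    # step I releases `buffered`

# The page's worked example: flows 1-2 are class 1, flows 3-4 are class 2.
FLOW_CLASS = {1: 1, 2: 1, 3: 2, 4: 2}
FW1 = {1: "F1", 2: "F2", 3: "F3", 4: "F3"}
M1 = {"F1": 1, "F2": 1, "F3": 2}
FW2 = {1: "F1", 2: "F1", 3: "F2", 4: "F3"}
M2 = {"F1": 1, "F2": 2, "F3": 2}

# Constructed case (not from the page): two switches swap roles, so the first
# one drained has no peer and its flow must wait in the controller cache.
SWAP_CLASS = {1: 1, 2: 2}
SWAP_FW1, SWAP_M1 = {1: "A", 2: "B"}, {"A": 1, "B": 2}
SWAP_FW2, SWAP_M2 = {1: "B", 2: "A"}, {"A": 2, "B": 1}

if __name__ == "__main__":
    for step, detail in sequential_update(FW1, M1, FW2, M2, FLOW_CLASS)[2]:
        print(step, detail)
```

Changing the filter rule of a switch before step E has drained it is exactly what `violations` reports, which is why the order within steps E and F matters.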
As shown in FIG. 3, an embodiment of the present invention further provides a control apparatus for flow table update, used in a controller in a data center network, where the data center network further includes an ingress switch and a plurality of filter switches. The apparatus includes:
a determining module, configured to determine, when the old flow table needs to be updated to the new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table;
a control module, configured to perform control operations only on all the first filter switches, where the control operation for any first filter switch is performed as follows:
a first control operation: controlling the ingress switch to stop forwarding data packets of the corresponding data packet type to that first filter switch, where the corresponding data packet type is the data packet type that corresponds to that first filter switch in the filter switch mapping rule of the old flow table;
a second control operation: after the ingress switch has stopped forwarding data packets of the corresponding data packet type to that first filter switch, modifying the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
a third control operation: after the filtering rule in that first filter switch has been modified, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
With this apparatus, while a filter switch whose filtering rule needs to be modified is modifying that rule, the ingress switch does not forward data packets to it, so the process cannot cause a violation of the filtering rules. In addition, because control operations are performed only on the filter switches whose filtering rules need to be modified, the forwarding and filtering of data packets handled by the other filter switches does not have to be stopped, which avoids unnecessary waiting delay for those packets.
The first control operation may include:
determining whether the plurality of filter switches include a second filter switch that corresponds to the corresponding data packet type in the filter switch mapping rule of the old flow table, and obtaining a determination result;
when the determination result is yes, modifying the forwarding target device for the first data flow in the ingress switch to the second filter switch, where the first data flow is the data flow that corresponds to that first filter switch in the forwarding rule of the old flow table.
Alternatively, the first control operation may include:
modifying the forwarding target device for the second data flow in the ingress switch to the controller, so that the controller can, after the ingress switch has finished modifying its forwarding rules for each of the first filter switches, return to the ingress switch the data packets of the second data flow that it received from the ingress switch, where the second data flow is the data flow that corresponds to that first filter switch in the forwarding rule of the old flow table.
In the embodiment of the present invention, the control module may perform the control operations on all the first filter switches sequentially.
Optionally, the control module may perform the control operations on all the first filter switches sequentially in the following manner:
a selection step: according to a preset first selection policy, selecting one pending filter switch from all pending filter switches, where a pending filter switch is a first filter switch whose filtering rule has not yet been modified;
a control step: performing the control operation on the selected pending filter switch;
a return step: after the control operation on the selected pending filter switch is complete, returning to the selection step if pending filter switches remain among the first filter switches.
An embodiment of the present invention further provides a controller, which includes the control apparatus for flow table update described above.
A person of ordinary skill in the art will understand that all or some of the steps of the above method may be carried out by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented with one or more integrated circuits. Accordingly, each module or unit in the above embodiments may be implemented in hardware or as a software functional module. The present invention is not limited to any specific combination of hardware and software.
The above is only an implementation of the embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make improvements and refinements without departing from the principles of the embodiments, and such improvements and refinements shall also be regarded as falling within the scope of protection of the embodiments of the present invention.
Industrial applicability
With the above technical solution, while a filter switch whose filtering rule needs to be modified is modifying that rule, the ingress switch does not forward data packets to it, so the process cannot cause a violation of the filtering rules. In addition, because the technical solution performs control operations only on the filter switches whose filtering rules need to be modified, the forwarding and filtering of data packets handled by the other filter switches does not have to be stopped, which avoids unnecessary waiting delay for those packets.

Claims

1. A control method for flow table update, used in a controller in a data center network, the data center network further including an ingress switch and a plurality of filter switches, the method including:
when an old flow table needs to be updated to a new flow table, determining, according to the filter switch mapping rule of the old flow table and the filter switch mapping rule of the new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified;
performing control operations only on all the first filter switches, where the control operation for any first filter switch includes:
a first control operation: controlling the ingress switch to stop forwarding data packets of the corresponding data packet type to that first filter switch, where the corresponding data packet type is the data packet type that corresponds to that first filter switch in the filter switch mapping rule of the old flow table;
a second control operation: after the ingress switch has stopped forwarding data packets of the corresponding data packet type to that first filter switch, modifying the filtering rule in that first filter switch according to the filter switch mapping rule of the new flow table;
a third control operation: after the filtering rule in that first filter switch has been modified, modifying the forwarding rule for that first filter switch in the ingress switch according to the forwarding rule of the new flow table.
2. The method of claim 1, wherein the first control operation includes:
determining whether the plurality of filter switches include a second filter switch that corresponds to the corresponding data packet type in the filter switch mapping rule of the old flow table, and obtaining a determination result;
when the determination result is yes, modifying the forwarding target device for the first data flow in the ingress switch to the second filter switch, where the first data flow is the data flow that corresponds to that first filter switch in the forwarding rule of the old flow table.
3. The method of claim 1, wherein the first control operation includes:
modifying the forwarding target device for the second data flow in the ingress switch to the controller, so that the controller can, after the ingress switch has finished modifying its forwarding rules for each of the first filter switches, return to the ingress switch the data packets of the second data flow that it received from the ingress switch, where the second data flow is the data flow that corresponds to that first filter switch in the forwarding rule of the old flow table.
4. The method of claim 1, wherein performing control operations only on all the first filter switches includes:
performing the control operations on all the first filter switches sequentially.
5. The method of claim 4, wherein the step of performing control operations only on all the first filter switches sequentially includes:
a selection step: according to a preset first selection policy, selecting one pending filter switch from all pending filter switches, where a pending filter switch is a first filter switch whose filtering rule has not yet been modified;
a control step: performing the control operation on the selected pending filter switch;
a return step: after the control operation on the selected pending filter switch is complete, returning to the selection step if pending filter switches remain among the first filter switches.
6. The method of claim 5, wherein the selection step includes:
determining, for each pending filter switch, the number of filter switches that currently correspond to the same data packet type as that pending filter switch in the filter switch mapping rule of the old flow table;
taking the reciprocal of that number as the update cost of each pending filter switch;
selecting, according to a preset second selection policy, one pending filter switch from the pending filter switches whose calculated update cost is the smallest.
7. The method of claim 6, wherein the second selection policy includes a random selection policy.
8. A control apparatus for flow table update, used in a controller in a data center network, the data center network further comprising an ingress switch and a plurality of filter switches, the apparatus comprising:
a determination module, configured to determine, when an old flow table needs to be updated to a new flow table, all first filter switches among the plurality of filter switches whose filtering rules need to be modified, according to the filter switch mapping rules of the old flow table and the filter switch mapping rules of the new flow table; and
a control module, configured to perform a control operation on only all of the first filter switches, wherein the control operation for any first filter switch comprises:
a first control operation of controlling the ingress switch to stop forwarding data packets of a corresponding data packet type to said any first filter switch, wherein the corresponding data packet type is the data packet type that corresponds to said any first filter switch in the filter switch mapping rules of the old flow table;
a second control operation of modifying, after the ingress switch has stopped forwarding data packets of the corresponding data packet type to said any first filter switch, the filtering rules in said any first filter switch according to the filter switch mapping rules of the new flow table; and
a third control operation of modifying, after the filtering rules in said any first filter switch have been modified, the forwarding rules in the ingress switch for said any first filter switch according to the forwarding rules of the new flow table.
9. The apparatus of claim 8, wherein the first control operation comprises:
judging whether the plurality of filter switches include a second filter switch that corresponds to the corresponding data packet type in the filter switch mapping rules of the old flow table, and obtaining a judgment result; and
when the judgment result is yes, modifying the forwarding target device for a first data flow in the ingress switch to the second filter switch, wherein the first data flow is the data flow that corresponds to said any first filter switch in the forwarding rules of the old flow table.
10. The apparatus of claim 8, wherein the first control operation comprises:
modifying the forwarding target device for a second data flow in the ingress switch to the controller, so that the controller can return to the ingress switch the data packets of the second data flow received from the ingress switch after the ingress switch has finished modifying the forwarding rules in the ingress switch for each of all of the first filter switches, wherein the second data flow is the data flow that corresponds to said any first filter switch in the forwarding rules of the old flow table.
11. The apparatus of claim 8, wherein the control module is configured to perform the control operation on all of the first filter switches sequentially.
12. The apparatus of claim 11, wherein the control module is configured to perform the control operation on all of the first filter switches sequentially by executing the following steps:
a selection step of selecting, according to a preset first selection policy, one pending filter switch from all pending filter switches, wherein a pending filter switch is a filter switch, among all of the first filter switches, whose filtering rules have not yet been modified;
a control step of performing the control operation on the selected pending filter switch; and
a return step of returning to the selection step when, after the control operation on the selected pending filter switch is completed, a pending filter switch still exists among all of the first filter switches.
13. A controller, comprising the control apparatus for flow table update according to any one of claims 8 to 12.
14. A computer program, comprising program instructions which, when executed by a controller, enable the controller to perform the method according to any one of claims 1 to 7.
15. A carrier carrying the computer program of claim 14.
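An added sketch (not code from the patent) of the sequential update in claims 5 to 7 combined with the three control operations of claims 8 to 10, showing that a filter switch's rules are rewritten only while the ingress switch sends it no traffic of the affected type. The one-packet-type-per-switch mappings, the `CONTROLLER` name, all function names, and the choice to leave already-modified switches out of the peer count are assumptions.

```python
import random

CONTROLLER = "controller"  # assumed name for the claim-10 buffering target

# Constructed mappings: filter switch -> packet type it filters.
OLD = {"F1": "http", "F2": "http", "F3": "dns", "F4": "ssh"}
NEW = {"F1": "dns", "F2": "http", "F3": "ssh", "F4": "ssh"}

def first_filter_switches(old_map, new_map):
    """Claim 8, determination: switches whose filtering rules must change."""
    return {sw for sw in old_map if new_map.get(sw) != old_map[sw]}

def peers_of(sw, old_map, modified):
    """Other switches still filtering sw's old packet type (assumption:
    a switch that was already rewritten no longer counts)."""
    return sorted(s for s in old_map if s != sw and s not in modified
                  and old_map[s] == old_map[sw])

def update_cost(sw, old_map, modified):
    """Claim 6: reciprocal of the peer count; no peer means infinite cost."""
    peers = peers_of(sw, old_map, modified)
    return 1 / len(peers) if peers else float("inf")

def plan_update(old_map, new_map, rng=random):
    """Return the ordered control operations of the sequential update."""
    pending = first_filter_switches(old_map, new_map)
    modified, ops = set(), []
    while pending:  # return step of claim 5
        costs = {sw: update_cost(sw, old_map, modified) for sw in pending}
        cheapest = sorted(s for s in pending if costs[s] == min(costs.values()))
        sw = rng.choice(cheapest)  # claim 7: random choice among ties
        peers = peers_of(sw, old_map, modified)
        # 1st operation: ingress stops sending sw its old packet type,
        # detouring to a peer (claim 9) or to the controller (claim 10).
        ops.append(("redirect", sw, peers[0] if peers else CONTROLLER))
        # 2nd operation: only now are sw's filtering rules rewritten.
        ops.append(("set_filter", sw, new_map[sw]))
        # 3rd operation: ingress forwarding for sw follows the new table.
        ops.append(("forward", new_map[sw], sw))
        pending.discard(sw)
        modified.add(sw)
    return ops

if __name__ == "__main__":
    for op in plan_update(OLD, NEW):
        print(op)
```

With the constructed mappings, F1 is updated first because F2 can absorb its HTTP traffic, while F3 has no peer and its flow detours to the controller, which per claim 10 hands the packets back only after all ingress forwarding rules are in place.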
PCT/CN2014/085324 2013-09-02 2014-08-27 Method, apparatus, and controller for controlling flow table update WO2015027924A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310392538.7A CN104426813A (en) 2013-09-02 2013-09-02 Method, device and controller for controlling flow table updating
CN201310392538.7 2013-09-02

Publications (1)

Publication Number Publication Date
WO2015027924A1 true WO2015027924A1 (en) 2015-03-05

Family

ID=52585602

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/085324 WO2015027924A1 (en) 2013-09-02 2014-08-27 Method, apparatus, and controller for controlling flow table update

Country Status (2)

Country Link
CN (1) CN104426813A (en)
WO (1) WO2015027924A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850616A (en) * 2017-01-24 2017-06-13 南京理工大学 The method that distributed fire wall network consistent updates are solved using SDN technologies
CN113612691A (en) * 2021-08-06 2021-11-05 浙江工商大学 Path conversion method, storage medium and terminal equipment
CN116232997A (en) * 2023-02-10 2023-06-06 中国联合网络通信集团有限公司 Data forwarding method, device and storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954261B (en) * 2015-05-26 2018-01-16 上海斐讯数据通信技术有限公司 Utilize the method and system of flow table forwarding data
CN104935604B (en) * 2015-06-29 2018-10-30 南京邮电大学 A kind of SDN firewall systems and method based on OpenFlow agreements
CN108011827A (en) * 2016-10-28 2018-05-08 中国电信股份有限公司 A kind of data forwarding method based on SDN, system and controller
CN106656822A (en) * 2017-02-13 2017-05-10 北京邮电大学 Method and apparatus for updating software defined network flow table

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102549970A (en) * 2009-10-07 2012-07-04 日本电气株式会社 Computer system, and maintenance method of computer system
CN102946365A (en) * 2012-11-09 2013-02-27 清华大学 Flow table updating consistency maintaining method based on software defined network
CN103119900A (en) * 2010-06-23 2013-05-22 日本电气株式会社 Communication system, control apparatus, node control method and program

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1708029A (en) * 2004-06-08 2005-12-14 华为技术有限公司 Method for establizing retransmission flow table
JP5408243B2 (en) * 2009-03-09 2014-02-05 日本電気株式会社 OpenFlow communication system and OpenFlow communication method
CN103023826B (en) * 2012-12-26 2015-06-10 华中科技大学 Routing control method for OpenFlow controller

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850616A (en) * 2017-01-24 2017-06-13 南京理工大学 The method that distributed fire wall network consistent updates are solved using SDN technologies
CN106850616B (en) * 2017-01-24 2019-10-18 南京理工大学 The method for solving distributed fire wall network consistent updates using SDN technology
CN113612691A (en) * 2021-08-06 2021-11-05 浙江工商大学 Path conversion method, storage medium and terminal equipment
CN116232997A (en) * 2023-02-10 2023-06-06 中国联合网络通信集团有限公司 Data forwarding method, device and storage medium
CN116232997B (en) * 2023-02-10 2024-04-09 中国联合网络通信集团有限公司 Data forwarding method, device and storage medium

Also Published As

Publication number Publication date
CN104426813A (en) 2015-03-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14838985

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14838985

Country of ref document: EP

Kind code of ref document: A1