WO2016180181A1 - Service function deployment method and apparatus - Google Patents


Publication number
WO2016180181A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
information
indication information
resource
forwarding plane
Prior art date
Application number
PCT/CN2016/079667
Other languages
French (fr)
Chinese (zh)
Inventor
李忠良
李炀
王小威
左奇
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016180181A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0894 Policy-based network configuration management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

Definitions

  • This document relates to, but is not limited to, the field of communications, and in particular, to a method and apparatus for deploying a service function SF.
  • NFV Network Function Virtualization
  • software processing that carries many functions can be carried out by using general-purpose hardware such as x86 and virtualization technology, thereby reducing the expensive equipment cost of the network.
  • general-purpose hardware such as x86 and virtualization technology
  • network device functions are no longer dependent on dedicated hardware. Resources can be fully and flexibly shared, enabling rapid development and deployment of new services, as well as automatic deployment, elastic scaling, fault isolation, and self-healing based on actual business requirements.
  • SFC Service Function Chain
  • IP Internet Protocol
  • SFC proxy Service Function Forwarder
  • DPI Deep Packet Inspection
  • the SF receives a message from one or more SFFs and sends a message to one or more SFFs.
  • the SFF is responsible for sending the message or data frame received from the network to the SF according to the SFC encapsulation information.
  • the SFC control plane is responsible for the management and configuration of the SFC, including the discovery, management, and configuration of related nodes such as flow classification nodes, SF, SFF, and SFC agents.
  • SFC is an indispensable part of NFV technology. SFC users can create SF, SFF and other components required by SFC through virtual resources such as virtual machines and virtual switches created by NFV, including in the service chain.
  • SF is a representation of VNFI (Virtualized Network Function Instance).
  • SDN Software Defined Network
  • the administrator needs to create the network function to virtualize the underlying network resources of the NFV and provide them to the SFC.
  • the new SF is deployed on the basis of the existing network resources, and then the administrator selects the group to build the SFC.
  • the SFCs thus formed are relatively rigid, and it is not possible to adjust the SF according to changes in actual business needs, and it is not possible to make any changes to the underlying network resources.
  • An embodiment of the present invention provides a method and an apparatus for deploying a service function, so as to at least solve the problem in the related art that the underlying network resources must be created and the SF deployed manually, which makes the creation of the underlying network resources and the deployment of the SF rigid and prevents flexible adjustment of the underlying network resources and the SF.
  • a method for deploying a service function SF including:
  • the NFV information including resource indication information indicating an underlying network resource required for establishing a network function, and function indication information indicating an SF deployed on the underlying network resource ;
  • creating the underlying network resource according to the resource indication information and the function indication information, and deploying the SF on the underlying network resource, includes:
  • the resource indication information is delivered to the forwarding plane by using an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information;
  • the deployment of the SF includes:
  • the SF is load balancing, where the resource indication information includes: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information, where the function indication information includes: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
  • the virtual machines in the include:
  • Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information, includes:
  • the SF is a firewall
  • the resource indication information includes: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, where the function indication information includes: firewall rule and policy information;
  • the virtual machines in the include:
  • Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information, includes:
  • the rules and policies of the second virtual machine are configured as rules and policies corresponding to the firewall rules and policy information.
  • the SF is a virtual private network VPN
  • the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, where the function indication information includes: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information;
  • Transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are included in the resource indication information onto the virtual machine in the forwarding plane, includes:
  • Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information, includes:
  • Creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring a protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring a site of the third virtual machine as the site corresponding to the IPSec site information.
  • the SF is a network element WEB protection
  • the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address, and fourth routing information, where the function indication information includes: a WEB protection policy and information on the WEB application server or data center that needs protection;
  • the virtual machines in the include:
  • the parameter configuration of the SF to the virtual machine includes:
  • the device performs the following steps: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the WEB application server or data center information that needs to be protected.
  • the obtaining the predetermined network function virtualization NFV information includes:
  • the obtaining the predetermined network function virtualization NFV information includes:
  • the method further includes:
  • updated NFV information includes updated resource indication information and/or updated function indication information
  • the updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information includes:
  • the deployed SF is changed, added, or deleted according to the updated function indication information.
  • the method further includes:
  • the forwarding plane reports the information of the underlying network resource to the control plane after the underlying network resource is created; and/or,
  • the forwarding plane reports the information about the SF to the control plane.
  • a deployment device for a service function SF comprising:
  • a first acquiring module configured to acquire predetermined network function virtualization NFV information, where the NFV information includes resource indication information used to indicate an underlying network resource required for establishing a network function, and is used to indicate on the underlying network resource Function indication information of the deployed SF;
  • a processing module configured to create the underlying network resource according to the resource indication information and the function indication information, and deploy the SF on the underlying network resource.
  • the processing module includes:
  • a first transmitting unit configured to: pass the resource indication information to the forwarding plane by using an interface with a forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information;
  • a second delivery unit configured to: pass the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in a virtual machine in the underlying network resource, to instruct the virtual machine to deploy the SF.
  • the first delivery unit includes: a first delivery subunit, configured to: pass the resource indication information to the forwarding plane by using the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource that are included in the resource indication information on a virtual machine in the forwarding plane;
  • the second delivery unit includes: a second delivery subunit configured to pass the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information.
  • the SF is load balancing, where the resource indication information includes: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information, where the function indication information includes: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
  • the first delivery sub-unit indicates that the forwarding plane configures the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations:
  • the IP address of the first virtual machine in the forwarding plane is configured as the IP address of the first management network, and the IP address of the first virtual machine on the service subnet is configured as the first service subnet.
  • the second delivery subunit instructs the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; and delivering the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring a protocol of the first virtual machine as a protocol corresponding to the load balancing protocol information, configuring a member of the first virtual machine as a member corresponding to the member information of the load balancing resource pool, and configuring an algorithm of the first virtual machine as an algorithm corresponding to the load balancing algorithm information.
  • the SF is a firewall
  • the resource indication information includes: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, where the function indication information includes: firewall rule and policy information;
  • the first delivery subunit instructs the forwarding plane to configure the underlying network resource by: transmitting the resource indication information to the forwarding plane by using the interface, to instruct the forwarding plane to perform the following operations: configuring an IP address of the second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring an IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
  • the second delivery subunit instructs the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and delivering the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure rules and policies of the second virtual machine as rules and policies corresponding to the firewall rule and policy information.
  • the SF is a virtual private network VPN
  • the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, where the function indication information includes: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information;
  • the first delivery sub-unit indicates that the forwarding plane configures the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations:
  • the IP address of the third virtual machine in the forwarding plane is configured as the IP address of the third management network, and the IP address of the third virtual machine on the service subnet is configured as the third service subnet.
  • the second delivery subunit instructs the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; and delivering the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring a protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  • the SF is a network element WEB protection
  • the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address, and fourth routing information, where the function indication information includes: a WEB protection policy and information on the WEB application server or data center that needs protection;
  • the first delivery sub-unit indicates that the forwarding plane configures the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations:
  • the IP address of the fourth virtual machine in the forwarding plane is configured as the fourth management network IP address, and the IP address of the fourth virtual machine on the service subnet is configured as the fourth service subnet.
  • the second delivery subunit instructs the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information; and delivering the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the WEB application server or data center information that needs to be protected.
  • the first obtaining module includes:
  • the first receiving unit is configured to receive the NFV information transmitted by the application plane.
  • the first obtaining module includes:
  • the second receiving unit is configured to receive the NFV information transmitted by the control plane, where the NFV information is transmitted to the control plane by the application plane.
  • the device further includes:
  • a second acquiring module configured to acquire the updated NFV information after the processing module creates the underlying network resource according to the resource indication information and the function indication information, and deploys the SF on the underlying network resource
  • the updated NFV information includes updated resource indication information and/or updated function indication information
  • an update module configured to update the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • the update module includes:
  • a first update unit configured to change, add, or delete the created underlying network resource according to the updated resource indication information
  • the second update unit is configured to change, add or delete the deployed SF according to the updated function indication information.
  • the device further includes:
  • the first reporting module is applied to the forwarding plane, and is configured to report the information of the underlying network resource to the control plane after the network resource is created;
  • the second reporting module is applied to the forwarding plane, and is configured to report the information of the deployed SF to the control plane after the SF is deployed.
  • a readable storage medium storing computer executable instructions for performing the above method.
  • the embodiments of the present invention solve the problem in the related art that the underlying network resources must be created and the SF deployed manually, which makes the creation of the underlying network resources and the deployment of the SF rigid and prevents flexible adjustment of the underlying network resources and the SF, and in turn achieve the effect of flexible adjustment of the underlying network resources and the SF.
  • FIG. 1 is a flowchart of a method for deploying an SF according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of a deployment apparatus of an SF according to an embodiment of the present invention
  • FIG. 3 is a structural block diagram of a processing module 24 in a deployment apparatus of an SF according to an embodiment of the present invention
  • FIG. 4 is a structural block diagram of a first transfer unit 32 and a second transfer unit 34 in a deployment device of an SF according to an embodiment of the present invention
  • FIG. 5 is a structural block diagram 1 of a first obtaining module 22 in a deployment device of an SF according to an embodiment of the present invention
  • FIG. 6 is a second structural block diagram of the first obtaining module 22 in the SF deployment apparatus according to an embodiment of the present invention.
  • FIG. 7 is a block diagram showing a preferred structure of a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 8 is a structural block diagram of an update module 74 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention.
  • FIG. 10 is a flowchart 1 of a method for planning and deploying an SFC according to an embodiment of the present invention
  • FIG. 11 is a second flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention.
  • the terms "first", "second" and the like in the specification and claims of the present application and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a particular order or sequence.
  • the "application plane" in the specification, the claims and the accompanying drawings may be a set of logical application functions consisting of software and/or hardware, which may be implemented by an application device. Likewise, the "control plane" may be a set of logical control functions consisting of software and/or hardware, which may be implemented by a control device, and the "forwarding plane" may be a set of logical forwarding functions composed of software and/or hardware, which may be implemented by a forwarding device.
  • FIG. 1 is a flowchart of a method for deploying an SF according to an embodiment of the present invention. As shown in FIG. 1 , the process includes the following steps:
  • Step S102 acquiring predetermined NFV information, where the NFV information includes resource indication information for indicating an underlying network resource required for establishing a network function, and function indication information for indicating an SF deployed on the underlying network resource;
  • Step S104 Create an underlying network resource according to the resource indication information and the function indication information, and deploy the SF on the underlying network resource.
  • the entity performing the foregoing operations may be a resource management system, which can complete the creation of the underlying network resources and the deployment of the SF without manual intervention. This solves the problem in the related art that manually creating the underlying network resources and deploying the SF makes both rigid and prevents flexible adjustment of the underlying network resources and the SF, thereby achieving flexible adjustment of the underlying network resources and the SF.
  • creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource includes:
  • passing the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with the resident program in the virtual machine in the underlying network resource, to instruct the virtual machine to deploy the SF.
  • the forwarding plane can be used to implement the creation of the underlying network resources and the deployment of the SF, thereby improving the flexibility of adjusting the underlying network resources and the SF without manual intervention.
  • the creation of the underlying network resources and the deployment of the SF can be performed by configuring parameters, as described below:
  • the deployment information is delivered to the virtual machine by communicating with the resident program by using the interface to instruct the virtual machine to configure parameters for deploying the SF included in the function indication information to the virtual machine.
  • the SF may be load balancing
  • the resource indication information includes: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information, where the function indication information includes: load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information;
  • Transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are included in the resource indication information onto the virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the IP address of the first management network, configuring the IP address of the first virtual machine on the service subnet as the IP address of the first service subnet, and configuring the routing information of the first virtual machine as the first routing information.
  • the protocol of the first virtual machine is configured as a protocol corresponding to the load balancing protocol information, the member of the first virtual machine is configured as a member corresponding to the member information of the load balancing resource pool, and the algorithm of the first virtual machine is configured as an algorithm corresponding to the load balancing algorithm information.
  • the SF may be a firewall
  • the resource indication information includes: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, where the function indication information includes: firewall rules and policy information
  • the IP address is configured as the second service subnet IP address
  • the routing information of the second virtual machine is configured as the second routing information
  • Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information, includes:
  • creating a firewall configuration file according to the function indication information; and passing the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
  • the SF is a VPN (Virtual Private Network)
  • the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, where the function indication information includes: an IKE (Internet Key Exchange) policy, an IPSec (IP Security) policy, and IPSec site information;
  • Passing the deployment information to the virtual machine to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information includes: creating a VPN configuration file according to the function indication information; and passing the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  • the SF is a network element WEB protection
  • the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address, and fourth routing information, where the function indication information includes: a WEB protection policy and information on the WEB application server or data center that needs to be protected;
  • the resource indication information is delivered to the forwarding plane to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
  • Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF that are included in the function indication information, includes:
  • creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the WEB application server or data center information that needs to be protected.
  • The NFV information may be obtained in multiple ways.
  • Acquiring the NFV information includes: receiving the NFV information delivered by the application plane.
  • Acquiring the NFV information comprises: receiving the NFV information transmitted by the control plane, wherein the NFV information is delivered to the control plane by the application plane.
  • After creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource, the method further comprises: obtaining updated NFV information, wherein the updated NFV information includes updated resource indication information and/or updated function indication information; and updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • the updating the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information includes:
  • the method further includes:
  • the forwarding plane reports the information of the underlying network resource to the control plane after the foregoing network resource is created; and/or the forwarding plane reports the information of the deployed SF to the control plane after the SF is deployed.
  • This embodiment can enable the control plane to discover and manage the created underlying network resources and deployed SFs.
  • The method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • The technical solution of the embodiments of the present invention may, in essence, be embodied in the form of a software product stored in a readable storage medium (such as ROM/RAM), the software product including computer-executable instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the methods described in each embodiment of the present invention.
  • An apparatus for creating an SF is also provided in the embodiment of the present invention.
  • the apparatus is configured to implement the foregoing embodiments and optional implementations, and details are not described herein.
  • the term "module" can be a combination of software and/or hardware that implements a predetermined function.
  • Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 2 is a structural block diagram of an apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes a first obtaining module 22 and a processing module 24. The apparatus will be described below.
  • the first obtaining module 22 is configured to obtain predetermined network function virtualization (NFV) information, where the NFV information includes resource indication information used to indicate an underlying network resource required for establishing a network function, and function indication information used to indicate the SF deployed on the underlying network resource;
  • the processing module 24 is connected to the first obtaining module 22, and is configured to create an underlying network resource according to the resource indication information and the function indication information, and deploy the SF on the underlying network resource.
  • FIG. 3 is a structural block diagram of a processing module 24 in a deployment apparatus of an SF according to an embodiment of the present invention.
  • The processing module 24 includes a first delivery unit 32 and a second delivery unit 34. The processing module 24 is described below.
  • the first delivery unit 32 is configured to: pass the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create an underlying network resource on the forwarding plane according to the resource indication information;
  • the second delivery unit 34 is connected to the first delivery unit 32, and is configured to pass the deployment information determined according to the function indication information to the virtual machine, by using the interface to communicate with a resident program in a virtual machine in the underlying network resource, to instruct the virtual machine to deploy the SF.
  • FIG. 4 is a structural block diagram of a first delivery unit 32 and a second delivery unit 34 in a deployment device of an SF according to an embodiment of the present invention.
  • the first delivery unit 32 includes a first delivery sub-unit 42.
  • the second delivery unit 34 includes a second delivery sub-unit 44, and the first delivery sub-unit 42 and the second delivery sub-unit 44 are described below.
  • the first delivery sub-unit 42 is configured to: pass the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to allocate the parameters for creating the underlying network resource included in the resource indication information to the virtual machine in the forwarding plane.
  • the second delivery sub-unit 44 is configured to deliver the deployment information to the virtual machine by communicating with the resident program by using the interface, to instruct the virtual machine to configure the parameters for deploying the SF included in the function indication information onto the virtual machine.
  • the SF may be load balancing
  • the resource indication information may include: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information
  • the function indication information may include: load balancing protocol information, member information of a load balancing resource pool, and load balancing algorithm information;
  • the first delivery sub-unit 42 may instruct the forwarding plane to configure the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the IP address of the first management network, configuring the IP address of the first virtual machine on the service subnet as the IP address of the first service subnet, and configuring the routing information of the first virtual machine as the first routing information
  • the second delivery sub-unit 44 may instruct the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  • the SF may be a firewall
  • the resource indication information may include: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, where
  • the function indication information may include: firewall rules and policy information;
  • the first delivery sub-unit 42 may instruct the forwarding plane to configure the underlying network resource by: transmitting the resource indication information to the forwarding plane by using the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the second virtual machine in the forwarding plane on the management network as the IP address of the second management network, configuring the IP address of the second virtual machine on the service subnet as the IP address of the second service subnet, and configuring the routing information of the second virtual machine as the second routing information
  • the second delivery sub-unit 44 may instruct the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rules and policy information.
  • the SF is a VPN
  • the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, where the function indication information includes: a key exchange protocol IKE policy, an IP layer security protocol IPSec policy, and IPSec site information;
  • the first delivery sub-unit 42 may instruct the forwarding plane to configure the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information.
  • the second delivery sub-unit 44 may instruct the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policy of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  • the SF is a network element WEB protection
  • the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address, and fourth routing information, where
  • the function indication information includes: a WEB protection policy and information about the WEB application server or data center that needs to be protected;
  • the first delivery sub-unit 42 may instruct the forwarding plane to configure the underlying network resource by: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the IP address of the fourth management network, configuring the IP address of the fourth virtual machine on the service subnet as the IP address of the fourth service subnet, and configuring the routing information of the fourth virtual machine as the fourth routing information
  • the second delivery sub-unit 44 may instruct the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center that needs to be protected.
  • FIG. 5 is a block diagram of an optional structure of the first obtaining module 22 in the deployment device of the service function section SF according to the embodiment of the present invention.
  • The first obtaining module 22 may include a first receiving unit 52. The first receiving unit 52 is described below.
  • the first receiving unit 52 is configured to receive the NFV information transmitted by the application plane.
  • FIG. 6 is a block diagram 2 of an optional structure of the first acquiring module 22 in the SF deployment apparatus according to the embodiment of the present invention.
  • The first obtaining module 22 may include a second receiving unit 62. The second receiving unit 62 is described below.
  • the second receiving unit 62 is configured to receive the NFV information transmitted by the control plane, wherein the NFV information is transmitted to the control plane by the application plane.
  • FIG. 7 is a block diagram showing an optional structure of an apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 7, the apparatus may include a second obtaining module 72 and an updating module 74 in addition to all the modules shown in FIG. The device will be described below.
  • the second obtaining module 72 is connected to the processing module 24, and is configured to obtain updated NFV information after the underlying network resource is created according to the resource indication information and the function indication information, and the SF is deployed on the underlying network resource, where
  • the updated NFV information includes updated resource indication information and/or updated function indication information;
  • the update module 74 is connected to the second obtaining module 72, and is configured to update the created underlying network resource and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  • FIG. 8 is a block diagram showing an optional structure of an update module 74 in an SF creation apparatus according to an embodiment of the present invention.
  • the update module 74 may include a first update unit 82 and/or a second update unit 84.
  • the update module 74 will be described.
  • the first update unit 82 is configured to change, add, or delete the created underlying network resource according to the updated resource indication information
  • the second update unit 84 is configured to change, add or delete the deployed SF according to the updated node indication information.
  • the methods and apparatus in the described embodiments can be applied to a resource management system.
  • the SF creation device may further include a first reporting module and/or a second reporting module, where the first reporting module and the second reporting module may be applied to the forwarding plane.
  • the device is described below:
  • the first reporting module is applied to the forwarding plane, and is configured to report the information of the underlying network resource to the control plane after the underlying network resource is created;
  • the second reporting module is applied to the forwarding plane, and is configured to report the information of the deployed SF to the control plane after the SF is deployed.
  • the solution in the embodiment of the present invention has advantages over the technical solutions existing in the related art.
  • In the related art, planning an SFC in an SDN network requires first creating an underlying network resource and deploying an SF on the existing network resource, and only then planning the SFC.
  • This "first resource, post-planning" approach prevents the SFC from customizing the SF and automatically creating the required network resources according to the actual business requirements, making the deployment of the SFC inflexible and also causing waste of resources.
  • In the embodiments of the present invention, the SDN supports customizing, according to the planned SFC, SFs with functions including load balancing, firewall, carrier grade network address translation (CGN), IP service identification and control system (DPI), and router, automatically creating the required network resources and deploying the SFs in the underlying network; the control plane can discover and manage the newly created SFs.
  • This "first definition, after resource" approach gives the SFC flexible deployment in SDN, while improving resource utilization and reducing manual maintenance costs.
  • The resource management system is used in the SDN network architecture to automatically create the required network resources and deploy SFs for the planned SFC, and to update the related information of the SFs to the SFC controller, so that the SFC controller can discover and manage the newly created SFs for use by application plane business applications.
  • FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention.
  • The architecture mainly includes a resource management system, a network management system, and the three planes of the software-defined network (SDN) framework, that is, the application plane, the control plane, and the forwarding plane.
  • the application plane is divided into multiple applications (applications); the control plane includes an orchestrator and a controller; and the forwarding plane includes a flow classifier, an SF, and a forwarding device such as a switch.
  • The network management system is an important module for ensuring the reliable operation of the network. It is configured to detect the running status of the network resources of the forwarding plane, perform fault diagnosis and alarming, and exchange the state of the network with the control plane.
  • the resource management system is configured to create network resources and deploy SFs on the forwarding plane for the newly planned SFC.
  • FIG. 9 mainly includes five interfaces. The A-CPI interface is used for the interaction between the application plane and the control plane; the interaction content includes the creation, modification, and configuration of the SFC by the application layer.
  • The B-CPI is used for the interaction between the application plane and the resource management system; the interaction content includes information related to NFV.
  • The C-CPI is used for the interaction between the control plane and the resource management system; the interaction content is the SF information of the SFC that needs to be created.
  • The D-CPI is used for the interaction between the control plane and the SFs supporting the SFC, and is used by the control plane to discover, manage, and configure SFs.
  • The E-CPI is used for the interaction between the resource management system and the forwarding plane, and is used by the resource management system to create network resources on the forwarding plane. The locations of the five interfaces are as shown in FIG. 9.
  • There are two scenarios for triggering the resource management system to create the required network resources and deploy the SF according to the planned SFC.
  • In scenario 1, the application plane directly transmits the related information of the planned NFV to the resource management system through the B-CPI interface, and triggers the resource management system to create the required network resources and deploy the SF on the forwarding plane through the E-CPI interface; the SF information is updated to the control plane through the D-CPI.
  • In scenario 2, the application plane transmits the NFV information to the control plane through the A-CPI interface.
  • The control plane transmits the SF-related information of the SFC that needs to be created to the resource management system through the C-CPI interface, and triggers the resource management system to create the required network resources and deploy the SF on the forwarding plane through the E-CPI interface; the SF information is updated to the SFC controller through the D-CPI.
  • FIG. 10 is a flowchart 1 of the method for planning and deploying an SFC according to an embodiment of the present invention. The flowchart is shown in FIG. 10, and the process includes the following steps:
  • Step 1 New business applications need to be deployed to the cloud platform.
  • The application plane plans the SFC according to the requirements of the business application, with SF-related parameter settings such as custom virtual machine specifications (CPU, memory, image files, etc.), SF IP address, network, routing, and gateway, analogous to the SFC shown in FIG. 12. (corresponding to step S1002 in Fig. 10)
  • Step 2 The application plane transmits the NFV and SF related information to the resource management system through the B-CPI interface.
  • According to the information of the SFC, the resource management system creates the required network resources on the forwarding plane through the E-CPI interface, including routing, virtual machines (using a custom image file containing modules such as resident programs), networks, etc. (corresponding to steps S1004-S1006 in Fig. 10)
  • Step 3 The resource management system saves the information about the defined SF to the control forwarding interface adaptation module, and then the agent in the control forwarding interface communicates with the resident program of the virtual machine, and the information is delivered to the virtual machine.
  • the resident program completes the deployment and configuration of the SF function based on the received information. (corresponding to steps S1008-S1010 in Fig. 10)
  • Step 4 The forwarding plane updates the information about the NFV and its SF to the SFC controller through the D-CPI interface, so that the SFC controller can discover and manage the SF, and the service application can use the entire SFC. (corresponding to steps S1012-S1014 in Fig. 10)
  • FIG. 11 is a flowchart 2 of the method for planning and deploying an SFC according to an embodiment of the present invention. The process is as shown in FIG. 11. The process includes the following steps:
  • Step 1 New business applications need to be deployed to the cloud platform.
  • The application plane plans the SFC according to the requirements of the business application, with SF-related parameter settings such as custom virtual machine specifications (CPU, memory, image files, etc.), SF IP address, network, routing, and gateway, analogous to the SFC shown in FIG. 12, and transmits the NFV and SF related information to the control plane through the A-CPI interface. (corresponding to step S1102 in Fig. 11)
  • Step 2 The control plane transmits the SF-related information of the SFC that needs to be created to the resource management system through the C-CPI interface.
  • According to the information about the SF, the resource management system creates the required network resources on the forwarding plane through the E-CPI interface, including routing, virtual machines (using custom image files containing modules such as resident programs), networks, etc. (corresponding to steps S1104-S1108 in Fig. 11)
  • Step 3 Same as step 3 in scenario 1. (corresponding to step S1110 in Fig. 11)
  • Step 4 Same as step 4 in scenario 1. (corresponding to steps S1112-S1114 in Fig. 11)
  • FIG. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention.
  • Scenario 1 is used to automatically deploy an SF with a load balancing function according to an SFC, to provide load balancing for the backend service servers.
  • The load balancing service is implemented based on Nginx, but is not limited to Nginx; any high-performance load balancing product is applicable to the embodiments of the present invention.
  • the resource management system automatically creates and deploys a load balancing SF according to the planned SFC:
  • Step 1 The service capability of a business application on the application plane needs to be greatly improved, which requires a load balancing service from the SDN: a load balancer must be built to provide load balancing for three service servers. Of course, a load balancer that provides load balancing for another number of service servers may also be built; this embodiment is described by taking as an example a load balancer that provides load balancing for three service servers.
  • Step 2 The application plane plans an SFC that includes the load balancing SF according to the service application requirements, as shown in FIG.
  • the IP address of the management network public in the SFC can be 10.46.178.0/24
  • the IP address of the service subnet vxlan can be 192.168.100.0/24
  • the floating IP address of the load balancing SF management network can be 10.46.178.27
  • the VIP of the load balancing SF in the service subnet can be 192.168.100.27
  • load balancing can be provided for three cloud hosts with IP addresses of 192.168.100.1, 192.168.100.2, and 192.168.100.3 in the service subnet.
  • the resource indication information may include an IP address of the virtual machine in the forwarding plane in the foregoing management network, an IP address in the service subnet, and routing information, where the function indication information may include load balancing protocol information, load balancing resource pool member information, and load balancing algorithm information.
  • Step 3 The application plane transmits the related information of the SFC to the resource management system through the B-CPI interface, and the resource management system automatically creates the network resources required by step 2 of this embodiment according to the SFC planned by the application plane, including automatically creating the public and vxlan networks and routers, automatically creating resource pools and active and standby virtual machines for the load balancing SF (using custom virtual machine image files containing resident programs, Nginx, etc.), and assigning them floating IP addresses, virtual IP (VIP) addresses, etc.
  • That is, the forwarding plane configures the IP address of the virtual machine on the management network as the management network IP address of the virtual machine included in the resource indication information in this embodiment, configures the IP address of the virtual machine on the service subnet as the service subnet IP address of the virtual machine included in the resource indication information in this embodiment, and configures the routing information of the virtual machine as the routing information included in the resource indication information in this embodiment.
  • The load balancing SF and the three cloud hosts are mounted in the vxlan, and the SF provides load balancing for the three cloud hosts. The entire process is completed by the resource management system calling the control forwarding interface, without the need for the cloud administrator to manually create virtual machines and configure the network.
  • Step 4 The resource management system automatically creates a load balancing configuration file conf according to the function indication information in the planned SFC, and communicates with the resident program in the virtual machine through the control forwarding interface to deliver the conf configuration file to the virtual machine. The load balancer (for example, Nginx) is automatically deployed according to the information contained in the function indication information of this embodiment, and load balancing policies such as the Protocol (load balancing protocol), the Member (resource pool member), and the Method (load balancing algorithm) are configured.
  • Step 5 The forwarding plane updates the SFC and all SF information to the SFC controller in the control plane through the D-CPI interface, so that related SFs such as load balancing can be discovered and managed by the SFC controller, and the SFC controller can also configure the SFC according to requirements, for invocation by application plane business applications.
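  • Step 4 turns function indication information into a load balancing configuration file. The following added example (not code from the patent) shows one way a resource management system could validate that information and render an Nginx fragment before handing it to the resident program, so that only allowlisted protocols, algorithms and in-subnet addresses can reach the file. The dictionary key names, the port, the `sf_pool` upstream name and the reuse of the VIP port for the members are assumptions; the addresses are those of the embodiment.

```python
import ipaddress

# Function indication information for the load balancing SF. The addresses are
# the ones in the embodiment; the key names and the port are assumptions.
FUNCTION_INDICATION = {
    "protocol": "http",        # load balancing protocol
    "method": "least_conn",    # load balancing algorithm
    "vip": "192.168.100.27",   # VIP of the SF in the service subnet
    "port": 80,
    "members": ["192.168.100.1", "192.168.100.2", "192.168.100.3"],
}
SERVICE_SUBNET = "192.168.100.0/24"

# Allowlists: only values listed here can ever reach the rendered file.
NGINX_CONTEXT = {"http": "http", "tcp": "stream"}
NGINX_METHODS = {
    "http": {"round_robin": None, "least_conn": "least_conn", "ip_hash": "ip_hash"},
    # ip_hash is an http-only directive, so it is not offered for tcp.
    "tcp": {"round_robin": None, "least_conn": "least_conn"},
}


class DeploymentError(ValueError):
    """The function indication information failed validation."""


def _address(label, value, subnet):
    # ip_address() also accepts integers, so insist on a string first.
    if not isinstance(value, str):
        raise DeploymentError(f"{label} must be a string")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise DeploymentError(f"{label} is not an IP address: {value!r}") from None
    if addr not in subnet:
        raise DeploymentError(f"{label} {addr} is outside {subnet}")
    return addr


def validate(info, service_subnet=SERVICE_SUBNET):
    """Return (protocol, method, vip, port, members) or raise DeploymentError."""
    expected = set(FUNCTION_INDICATION)
    if not isinstance(info, dict) or set(info) != expected:
        raise DeploymentError(f"expected exactly the keys {sorted(expected)}")
    protocol, method, port = info["protocol"], info["method"], info["port"]
    if not isinstance(protocol, str) or protocol not in NGINX_METHODS:
        raise DeploymentError(f"unsupported protocol {protocol!r}")
    if not isinstance(method, str) or method not in NGINX_METHODS[protocol]:
        raise DeploymentError(f"method {method!r} not available for {protocol}")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise DeploymentError(f"bad port {port!r}")
    subnet = ipaddress.ip_network(service_subnet)
    vip = _address("vip", info["vip"], subnet)
    if not isinstance(info["members"], list) or not info["members"]:
        raise DeploymentError("members must be a non-empty list")
    members = [_address("member", m, subnet) for m in info["members"]]
    if len(set(members)) != len(members) or vip in members:
        raise DeploymentError("members must be unique and must not include the VIP")
    return protocol, method, vip, port, members


def render_conf(info, service_subnet=SERVICE_SUBNET):
    """Render the conf text from validated, canonicalised values only."""
    protocol, method, vip, port, members = validate(info, service_subnet)
    lines = [f"{NGINX_CONTEXT[protocol]} {{", "    upstream sf_pool {"]
    directive = NGINX_METHODS[protocol][method]
    if directive:  # round robin is the Nginx default and needs no directive
        lines.append(f"        {directive};")
    lines += [f"        server {m}:{port};" for m in members]
    lines += ["    }", "    server {", f"        listen {vip}:{port};"]
    if protocol == "http":
        lines += ["        location / {",
                  "            proxy_pass http://sf_pool;",
                  "        }"]
    else:
        lines.append("        proxy_pass sf_pool;")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def rejected(info):
    """True when the information would be refused instead of rendered."""
    try:
        render_conf(info)
    except DeploymentError:
        return True
    return False


if __name__ == "__main__":
    print(render_conf(FUNCTION_INDICATION))
```

Because the file is built from parsed address objects and allowlisted directive names rather than from the raw strings, text smuggled into a member or method field is refused before anything is written.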
  • The FW (firewall) is dynamically created according to the SFC, using scenario 1:
  • FIG. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention. As shown in FIG. 13, the SF with a firewall function is automatically deployed according to the SFC to provide security protection for the back-end service network.
  • the resource management system automatically creates a firewall SF based on the planned SFC:
  • Step 1 A business application on the application plane requires service network security, and a firewall needs to be built to provide security protection for the service network.
  • Step 2 The application plane plans, according to the requirements of the business application, an SFC that includes the firewall SF, as shown in FIG.
  • the IP of the management network public in the SFC can be 10.46.178.0/24
  • the IP address of the service network vxlan can be 192.168.168.0/24
  • router interface settings can be 10.46.178.0/24
  • firewall rules and policies (including supported protocols, IP versions, source addresses, destination addresses, source ports, destination ports, action sets, etc.)
  • the resource indication information may include an IP address of the virtual machine in the forwarding plane in the foregoing management network, an IP address in the service subnet, and routing information, where the function indication information may include firewall rules and policy information.
  • Step 3 The application plane transmits the related information of the SFC to the resource management system through the B-CPI interface.
  • the resource management system, according to the SFC planned by the application plane, automatically creates the network resources required by step 2 of the embodiment, including the router and the virtual machine needed to deploy the firewall (using a custom virtual machine image file containing modules such as the resident program), adds the service network, and so on. That is, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment.
  • the entire process is completed by the resource management system call control forwarding interface, without the need for the cloud administrator to manually create virtual machines and configure the network.
  • Step 4 According to the function requirements of the firewall SF in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager saves the planned firewall rules and policies to the corresponding file and, by communicating with the resident program in the corresponding virtual machine, transmits the policies and rules in the file to the virtual machine, so that the resident program in the virtual machine updates the policies and rules to the firewall according to the function indication information in this embodiment and starts protection.
  • Step 5 The forwarding plane updates all relevant information of the SFC containing the firewall SF to the SFC controller through the D-API interface, so that related SFs such as firewalls can be discovered and managed by the SFC controller, and the SFC controller can also modify the firewall rules and policies according to requirements.
  • the VPN is dynamically created according to the SFC usage scheme 2, and the VPN service is provided for the network.
  • the resource management system automatically creates a VPN deployment according to the planned SFC:
  • Step 1 The application plane needs to provide a service network for the service application, and needs to construct a VPN to provide a VPN service for the service network.
  • Step 2 The application plane plans an SFC that includes the VPN function according to the requirements of the service application.
  • the IP address of the public network in the SFC can be 10.46.178.0/24
  • the IP address of the service network vxlan can be 192.168.168.0/24
  • the router interface is set, and the SFC related information is transmitted to the control plane through the A-CPI interface.
  • the resource indication information may include an IP address of the virtual machine in the forwarding plane in the foregoing management network, an IP address in the service subnet, and routing information
  • the function indication information may include a key exchange protocol IKE policy, an IP layer security protocol IPSec policy, and IPSec site information.
  • the control plane transmits the related information of the SFC-enabled SF (VPN) that needs to be created to the resource management system through the C-API interface, and triggers the resource management system to automatically create, according to the planned SFC, the network resources required by step 2 of the embodiment, including routers (routers with special features, using custom virtual machine image files containing modules such as resident programs), add the service network, and so on. That is, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment.
  • the entire process is completed by the resource management system call control forwarding interface, without the need for the cloud administrator to manually create virtual machines and configure the network.
  • Step 4 According to the function requirement of the VPN in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager saves the planned IKE Policy, IPSec Policy, IPSec Site, and the like to the configuration file corresponding to the VPN and, by communicating with the resident program in the corresponding virtual machine, delivers the configuration file to the virtual machine, so that the resident program in the virtual machine configures and starts the VPN according to the function indication information in this embodiment.
  • Step 5 The forwarding plane updates all relevant information of the SFC including the VPN to the SFC controller through the D-CPI, so that related SFs such as the VPN can be discovered and managed by the SFC controller, and the SFC controller can also modify the VPN policy according to requirements.
  • the WEB protection SF is dynamically created to provide WEB security protection for the server; the attacks defended against include SQL (Structured Query Language) injection, file inclusion vulnerabilities, XSS (Cross Site Scripting) attacks, XSRF (Cross-site request forgery), and directory traversal attacks.
  • Step 1 The service application of the application plane requires WEB security protection for the service server.
  • the WEB security protection SF needs to be built to provide security protection for the service server.
  • Step 2 The application plane plans an SFC that includes the WEB security protection SF according to the requirements of the service application. It plans the network in the SFC (the planned network includes the management network and the service subnet), the WEB protection policy (which may include an Access Control List (ACL), an IP blacklist, user data to be blocked, disabling dangerous methods (including OPTIONS, DELETE, etc.), hotlink protection, hiding server version information, flow control, configuration for known attack signatures, etc.), and the WEB application server or data center that needs to be protected, and the planned SFC related information is transmitted to the control plane through the A-CPI interface.
  • the resource indication information may include an IP address of the virtual machine in the forwarding plane on the management network, an IP address in the service subnet, and routing information.
  • the function indication information may include the foregoing WEB protection policy and the information of the WEB application server or data center that needs to be protected.
  • Step 3 The control plane transmits the related information of the SF to be created (WEB security protection) to the resource management system through the C-CPI interface, and triggers the resource management system to automatically create, according to the SFC planned by the application plane, the network resources required by step 2 of the embodiment, including the network and the virtual machine required to deploy the WEB security protection SF (using a custom virtual machine image file containing the resident program, Naxsi, Nginx, SSL, etc.), add the WEB application server, and so on. That is, the IP address of the virtual machine in the forwarding plane on the management network is configured as the management network IP address included in the resource indication information in this embodiment, the IP address of the virtual machine on the service subnet is configured as the service subnet IP address included in the resource indication information in this embodiment, and the routing information of the virtual machine is configured as the routing information included in the resource indication information in this embodiment.
  • the entire process is completed by the resource management system call control forwarding interface, without the need for the cloud administrator to manually create virtual machines and configure the network.
  • Step 4 According to the functional requirements of the WEB security protection SF in the planned SFC, that is, according to the above-mentioned indication information, the resource manager saves the planned security protection policy to the corresponding file (the control node creates a file for the configuration information of each SF); the policy in the file is passed to the virtual machine, and the resident program in the virtual machine configures the policies and rules to the WEB security module according to the function indication information in this embodiment and starts protection.
  • Step 5 The forwarding plane updates the information about the WEB security protection SF to the SFC controller through the D-CPI port, so that the SF can be discovered and managed by the SFC controller, and the SFC controller can also modify the security protection rules and policies according to requirements.
  • the solution in the embodiment of the present invention automatically creates the underlying network resource through the resource management system for the SFC of the application plane planning, deploys the SF, and the related information of the SF is updated to the SFC controller, so that the SFC controller is implemented.
  • the solution of the invention realizes the purpose of dynamically creating the SF based on the SDN service chain, so that the SFC has the characteristics of flexible deployment in the SDN, and improves the resource utilization rate and the manual maintenance cost.
  • modules may be implemented by software or hardware.
  • the foregoing may be implemented in, but is not limited to, the following manner: the foregoing modules are all located in the same processor; or the modules are respectively located in multiple processors.
  • Embodiments of the present invention also provide a storage medium.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • NFV information includes resource indication information for indicating an underlying network resource required for establishing a network function, and function indication information for indicating an SF deployed on the underlying network resource;
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a ROM (Read-Only Memory), a RAM (Random Access Memory), a mobile hard disk, and a magnetic device.
  • the processor performs the above steps S1-S2 according to the stored program code in the storage medium.
  • the support SDN can conveniently plan the SFC according to the service requirements of the application plane, without considering the underlying network resources.
  • the resource management system automatically creates the required underlying network resources according to the requirements of the SFC, configures and deploys the SF, and the SF information is updated to the SFC controller, so that the SFC controller can discover and manage the relevant SF nodes.
  • modules or steps can be implemented by a general computing device, which can be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they may be implemented by program code executable by the computing device such that they may be stored in the storage device by the computing device and, in some cases, the steps shown or described may be performed in an order different than that herein, or they may be separately fabricated into an integrated circuit module, or a plurality of modules or steps thereof may be implemented as a single integrated circuit module.
  • embodiments of the invention are not limited to any specific combination of hardware and software.
  • the embodiments of the present invention solve the problem in the related art that manual intervention is required to create an underlying network resource and deploy an SF, which makes creating the underlying network resource and deploying the SF rigid and prevents flexible adjustment of the underlying network resource and the SF, thereby achieving flexible adjustment of the underlying layer.
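The firewall scenario above splits the NFV information into resource indication information (management network IP, service subnet IP, routing) and function indication information (rules and policies) before the rule file is handed to the resident program. The following Python is an added example, not code from the patent: the field names, the rule-file line format and the requirement that a rule set end with a catch-all deny are assumptions, and only the two network ranges come from the page.

```python
import ipaddress
from dataclasses import dataclass

MGMT_NET = ipaddress.ip_network("10.46.178.0/24")       # management network from the page
SERVICE_NET = ipaddress.ip_network("192.168.168.0/24")  # service (vxlan) network from the page
PROTOCOLS = {"tcp", "udp", "icmp", "any"}                # assumed vocabulary
ACTIONS = {"allow", "deny", "reject"}                    # assumed vocabulary


@dataclass
class ResourceIndication:      # hypothetical field names
    mgmt_ip: str
    service_ip: str
    routes: list               # [(destination CIDR, next-hop IP), ...]


@dataclass
class FirewallRule:            # one entry of the function indication information
    protocol: str
    ip_version: int
    src: str
    dst: str
    src_port: str              # "any", "443" or "1024:65535"
    dst_port: str
    action: str


def _port_ok(spec):
    """Accept 'any', a single port, or 'low:high' within 1..65535."""
    if spec == "any":
        return True
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums[0] <= nums[-1]


def _is_catch_all_deny(rule):
    try:
        wide = all(ipaddress.ip_network(c).prefixlen == 0 for c in (rule.src, rule.dst))
    except ValueError:
        return False
    return wide and (rule.action, rule.protocol, rule.src_port, rule.dst_port) == (
        "deny", "any", "any", "any")


def check_resource(res):
    """The VM addresses must sit inside the planned networks; next hops must be on-link."""
    errors = []
    for label, value, net in (("mgmt_ip", res.mgmt_ip, MGMT_NET),
                              ("service_ip", res.service_ip, SERVICE_NET)):
        try:
            if ipaddress.ip_address(value) not in net:
                errors.append(f"{label} {value} is outside {net}")
        except ValueError:
            errors.append(f"{label} {value!r} is not an IP address")
    for dest, hop in res.routes:
        try:
            ipaddress.ip_network(dest)
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            errors.append(f"route {dest} via {hop} does not parse")
            continue
        if hop_ip not in MGMT_NET and hop_ip not in SERVICE_NET:
            errors.append(f"route {dest}: next hop {hop} is not on-link")
    return errors


def check_rules(rules):
    errors = []
    for i, r in enumerate(rules, 1):
        if r.protocol not in PROTOCOLS:
            errors.append(f"rule {i}: unknown protocol {r.protocol!r}")
        if r.action not in ACTIONS:
            errors.append(f"rule {i}: unknown action {r.action!r}")
        for side, cidr in (("src", r.src), ("dst", r.dst)):
            try:
                if ipaddress.ip_network(cidr).version != r.ip_version:
                    errors.append(f"rule {i}: {side} {cidr} is not IPv{r.ip_version}")
            except ValueError:
                errors.append(f"rule {i}: {side} {cidr!r} is not a network")
        for side, port in (("src_port", r.src_port), ("dst_port", r.dst_port)):
            if not _port_ok(port):
                errors.append(f"rule {i}: bad {side} {port!r}")
            elif port != "any" and r.protocol not in ("tcp", "udp"):
                errors.append(f"rule {i}: {side} needs tcp or udp")
    if not rules or not _is_catch_all_deny(rules[-1]):
        errors.append("rule set does not end with a catch-all deny")
    return errors


def prepare_deployment(res, rules):
    """Return the rule-file text for the resident program, or refuse with every finding."""
    errors = check_resource(res) + check_rules(rules)
    if errors:
        raise ValueError("; ".join(errors))
    return "".join(f"{r.action} {r.protocol} ipv{r.ip_version} "
                   f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port}\n" for r in rules)


# Constructed sample descriptors (not from the patent).
GOOD_RES = ResourceIndication("10.46.178.20", "192.168.168.1", [("0.0.0.0/0", "10.46.178.1")])
GOOD_RULES = [
    FirewallRule("tcp", 4, "0.0.0.0/0", "192.168.168.10/32", "any", "443", "allow"),
    FirewallRule("any", 4, "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]
BAD_RES = ResourceIndication("10.46.179.20", "192.168.168.1", [("0.0.0.0/0", "172.16.0.1")])
BAD_RULES = [FirewallRule("tcp", 4, "::/0", "192.168.168.10/32", "any", "70000", "allow")]

if __name__ == "__main__":
    print(prepare_deployment(GOOD_RES, GOOD_RULES), end="")
    print(check_resource(BAD_RES) + check_rules(BAD_RULES))
```

Running the checks before the file is passed to the virtual machine means a mistyped address or an open-ended rule set is rejected at the resource manager rather than applied by the resident program.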

Abstract

A service function deployment method and apparatus. The method comprises: acquiring predetermined network function virtualization (NFV) information, wherein the NFV information comprises resource indication information for indicating an underlayer network resource required for establishing a network function and function indication information for indicating an SF deployed on the underlayer network resource; and creating, according to the resource indication information and the function indication information, the underlayer network resource and deploying the SF on the underlayer network resource.

Description

Service function deployment method and apparatus
Technical field
This document relates to, but is not limited to, the field of communications, and in particular to a method and apparatus for deploying a service function (SF).
Background
In NFV (Network Function Virtualization) technology, general-purpose hardware such as x86 together with virtualization technology can carry the software processing of many functions, thereby reducing the high cost of network equipment. Through software/hardware decoupling and function abstraction, network device functions no longer depend on dedicated hardware, resources can be shared fully and flexibly, new services can be developed and deployed rapidly, and automatic deployment, elastic scaling, fault isolation and self-healing can be performed based on actual service requirements.
An SFC (Service Function Chain) is an ordered set of service functions that performs a series of service processing on IP (Internet Protocol) packets, link frames or data flows on the network based on classification and policy. SFC is independent of specific network applications and can be used in scenarios such as fixed networks, mobile networks and data centers. SFC involves the flow classification node, the SF (Service Function), the SFF (Service Function Forwarder), the SFC proxy, DPI (Deep Packet Inspection), and so on. An SF receives packets from one or more SFFs and sends packets to one or more SFFs. The SFF is responsible for delivering packets or data frames received from the network to the SF according to the SFC encapsulation information. The SFC control plane is responsible for managing and configuring the SFC, including the discovery, management and configuration of related nodes such as flow classification nodes, SFs, SFFs and SFC proxies.
SFC is an indispensable part of NFV technology: SFC users can create the SF, SFF and other components required by the SFC from virtual resources such as virtual machines and virtual switches created by NFV. In a service chain, an SF is one form of VNFI (Virtualized Network Function Instance).
In the related art, when an SDN (Software Defined Network) plans an SFC, an administrator must first create the underlying network resources of network function virtualization (NFV) and provide them to the SFC; new SFs are deployed on the basis of the existing network resources, and the administrator then selects SFs to assemble into an SFC. An SFC assembled in this way is rather rigid: the SFs cannot be adjusted as actual service requirements change, and no change can be requested of the underlying network resources.
For the problem in the related art that manual intervention is required to create the underlying network resources and deploy SFs, which makes creating the underlying network resources and deploying SFs rigid and prevents flexible adjustment of the underlying network resources and SFs, no effective solution has yet been proposed.
Summary of the invention
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a method and apparatus for deploying a service function, so as to at least solve the problem in the related art that manual intervention is required to create the underlying network resources and deploy SFs, which makes creating the underlying network resources and deploying SFs rigid and prevents flexible adjustment of the underlying network resources and SFs.
A method for deploying a service function (SF), including:
acquiring predetermined network function virtualization (NFV) information, where the NFV information includes resource indication information for indicating the underlying network resource required for establishing a network function, and function indication information for indicating the SF deployed on the underlying network resource;
creating the underlying network resource according to the resource indication information and the function indication information, and deploying the SF on the underlying network resource.
Optionally, creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource includes:
transmitting the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information;
transmitting deployment information determined according to the function indication information to a virtual machine in the underlying network resource, by using the interface to communicate with a resident program in the virtual machine, to instruct the virtual machine to deploy the SF.
Optionally, transmitting the resource indication information to the forwarding plane through the interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resource that are contained in the resource indication information onto a virtual machine in the forwarding plane;
transmitting the deployment information determined according to the function indication information to the virtual machine, by using the interface to communicate with the resident program in the virtual machine in the underlying network resource, to instruct the virtual machine to deploy the SF, includes:
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF that are contained in the function indication information onto the virtual machine.
Optionally, the SF is load balancing, the resource indication information includes: a first management network Internet Protocol (IP) address, a first service subnet IP address and first routing information, and the function indication information includes: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are contained in the resource indication information onto the virtual machine in the forwarding plane, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF that are contained in the function indication information onto the virtual machine, includes:
creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
Optionally, the SF is a firewall, the resource indication information includes: a second management network Internet Protocol (IP) address, a second service subnet IP address and second routing information, and the function indication information includes: firewall rule and policy information;
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are contained in the resource indication information onto the virtual machine in the forwarding plane, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF that are contained in the function indication information onto the virtual machine, includes:
creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
Optionally, the SF is a virtual private network (VPN), the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address and third routing information, and the function indication information includes: a key exchange protocol IKE policy, an IP layer security protocol IPSec policy, and IPSec site information;
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are contained in the resource indication information onto the virtual machine in the forwarding plane, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF that are contained in the function indication information onto the virtual machine, includes:
creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
Optionally, the SF is network element WEB protection, the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address and fourth routing information, and the function indication information includes: a WEB protection policy and information about the WEB application server or data center that needs to be protected;
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resource that are contained in the resource indication information onto the virtual machine in the forwarding plane, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF that are contained in the function indication information onto the virtual machine, includes:
creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center that needs to be protected.
Optionally, the acquiring of the predetermined network function virtualization (NFV) information comprises:
receiving the NFV information delivered by the application plane.
Optionally, the acquiring of the predetermined network function virtualization (NFV) information comprises:
receiving the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
Optionally, after the creating of the underlying network resources according to the resource indication information and the function indication information and the deploying of the SF on the underlying network resources, the method further comprises:
acquiring updated NFV information, where the updated NFV information includes updated resource indication information and/or updated function indication information;
updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
Optionally, the updating of the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information comprises:
changing, adding, or deleting the created underlying network resources according to the updated resource indication information; and/or,
changing, adding, or deleting the deployed SF according to the updated function indication information.
Optionally, after the creating of the underlying network resources according to the resource indication information and the function indication information and the deploying of the SF on the underlying network resources, the method further comprises:
the forwarding plane reporting information about the underlying network resources to the control plane after creating the underlying network resources; and/or,
the forwarding plane reporting information about the deployed SF to the control plane after deploying the SF.
An apparatus for deploying a service function (SF), comprising:
a first acquiring module, configured to acquire predetermined network function virtualization (NFV) information, where the NFV information includes resource indication information used to indicate the underlying network resources required for establishing a network function, and function indication information used to indicate the SF deployed on the underlying network resources;
a processing module, configured to create the underlying network resources according to the resource indication information and the function indication information and to deploy the SF on the underlying network resources.
Optionally, the processing module comprises:
a first delivery unit, configured to transmit the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information;
a second delivery unit, configured to transmit deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in a virtual machine in the underlying network resources, to instruct the virtual machine to deploy the SF.
Optionally, the first delivery unit comprises: a first delivery subunit, configured to transmit the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane;
the second delivery unit comprises: a second delivery subunit, configured to transmit the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine.
Optionally, the SF is load balancing, the resource indication information includes: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information, and the function indication information includes: load balancing protocol information, member information of the load-balancing resource pool, and load balancing algorithm information;
the first delivery subunit instructs the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
the second delivery subunit instructs the virtual machine to deploy the SF as follows: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load-balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
Optionally, the SF is a firewall, the resource indication information includes: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, and the function indication information includes: firewall rule and policy information;
the first delivery subunit instructs the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
the second delivery subunit instructs the virtual machine to deploy the SF as follows: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
Optionally, the SF is a virtual private network (VPN), the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, and the function indication information includes: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information;
the first delivery subunit instructs the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
the second delivery subunit instructs the virtual machine to deploy the SF as follows: creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol (IKE) policy and the IP layer security protocol (IPSec) policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
Optionally, the SF is network element WEB protection, the resource indication information includes: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address, and fourth routing information, and the function indication information includes: a WEB protection policy and information on the WEB application server or data center that needs to be protected;
the first delivery subunit instructs the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
the second delivery subunit instructs the virtual machine to deploy the SF as follows: creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information on the WEB application server or data center that needs to be protected.
Optionally, the first acquiring module comprises:
a first receiving unit, configured to receive the NFV information delivered by the application plane.
Optionally, the first acquiring module comprises:
a second receiving unit, configured to receive the NFV information delivered by the control plane, where the NFV information is delivered to the control plane by the application plane.
Optionally, the apparatus further comprises:
a second acquiring module, configured to acquire updated NFV information after the processing module creates the underlying network resources according to the resource indication information and the function indication information and deploys the SF on the underlying network resources, where the updated NFV information includes updated resource indication information and/or updated function indication information;
an update module, configured to update the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
Optionally, the update module comprises:
a first update unit, configured to change, add, or delete the created underlying network resources according to the updated resource indication information; and/or,
a second update unit, configured to change, add, or delete the deployed SF according to the updated function indication information.
Optionally, the apparatus further comprises:
a first reporting module, applied in the forwarding plane and configured to report information about the underlying network resources to the control plane after the underlying network resources are created; and/or,
a second reporting module, applied in the forwarding plane and configured to report information about the deployed SF to the control plane after the SF is deployed.
A readable storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the above method.
The embodiments of the present invention solve the problem in the related art that manual intervention is required to create the underlying network resources and deploy the SF, which makes the creation of the underlying network resources and the deployment of the SF rigid and prevents the underlying network resources and the SF from being adjusted flexibly, and thereby achieve the effect of flexibly adjusting the underlying network resources and the SF.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of a method for deploying an SF according to an embodiment of the present invention;
FIG. 2 is a structural block diagram of an apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of the processing module 24 in the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of the first delivery unit 32 and the second delivery unit 34 in the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 5 is a first structural block diagram of the first acquiring module 22 in the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 6 is a second structural block diagram of the first acquiring module 22 in the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 7 is a preferred structural block diagram of the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 8 is a structural block diagram of the update module 74 in the apparatus for deploying an SF according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention;
FIG. 10 is a first flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention;
FIG. 11 is a second flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of an SFC including a load balancing node according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of an SFC including a firewall according to an embodiment of the present invention.
Embodiments of the invention
It should be noted that, where no conflict arises, the embodiments in the present application and the features in the embodiments may be combined with each other.
The terms "first", "second" and the like in the specification, the claims and the above drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. In the specification, claims and drawings of the present application, the "application plane" may be a set of logical application functions composed of software and/or hardware, and these logical application functions may be implemented by an application device; likewise, the "control plane" may be a set of logical control functions composed of software and/or hardware, and these logical control functions may be implemented by a control device; and the "forwarding plane" may be a set of logical forwarding functions composed of software and/or hardware, and these logical forwarding functions may be implemented by a forwarding device.
An embodiment of the present invention provides a method for deploying an SF. FIG. 1 is a flowchart of the method for deploying an SF according to an embodiment of the present invention. As shown in FIG. 1, the process includes the following steps:
Step S102: acquire predetermined NFV information, where the NFV information includes resource indication information used to indicate the underlying network resources required for establishing a network function, and function indication information used to indicate the SF deployed on the underlying network resources;
Step S104: create the underlying network resources according to the resource indication information and the function indication information, and deploy the SF on the underlying network resources.
The above operations may be performed by a resource management system, which can complete the deployment of the underlying network resources and the deployment of the SF without manual intervention. This solves the problem in the related art that manual intervention is required to create the underlying network resources and deploy the SF, which makes the creation of the underlying network resources and the deployment of the SF rigid and prevents the underlying network resources and the SF from being adjusted flexibly, and thereby achieves the effect of flexibly adjusting the underlying network resources and the SF.
In an optional embodiment, creating the underlying network resources according to the resource indication information and the function indication information and deploying the SF on the underlying network resources includes:
transmitting the resource indication information to the forwarding plane through an interface with the forwarding plane used for deploying the underlying network resources and the SF, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information; and transmitting deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in a virtual machine in the underlying network resources, to instruct the virtual machine to deploy the SF.
With the above embodiment, the forwarding plane can be used to create the underlying network resources and deploy the SF, so that no manual intervention is needed and the underlying network resources and the SF can be adjusted more flexibly.
There are multiple ways to create the underlying network resources and to deploy the SF on them. In an optional embodiment, the underlying network resources may be created and the SF deployed by configuring parameters. This approach is described below:
The transmitting of the resource indication information to the forwarding plane through the interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information, includes:
transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane;
The transmitting of the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with the resident program in the virtual machine in the underlying network resources, to instruct the virtual machine to deploy the SF, includes:
transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine.
The above scheme for creating the underlying network resources and deploying the SF can be applied in many scenarios. Several typical scenarios are as follows:
In an optional embodiment, the SF may be load balancing, the resource indication information includes: a first management network Internet Protocol (IP) address, an IP address of the first service subnet, and first routing information, and the function indication information includes: load balancing protocol information, member information of the load-balancing resource pool, and load balancing algorithm information;
The transmitting of the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
The transmitting of the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load-balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
In another optional embodiment, the SF may be a firewall, the resource indication information includes: a second management network Internet Protocol (IP) address, an IP address of the second service subnet, and second routing information, and the function indication information includes: firewall rule and policy information;
The transmitting of the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
The transmitting of the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
In another optional embodiment, the SF is a VPN (Virtual Private Network), the resource indication information includes: a third management network Internet Protocol (IP) address, a third service subnet IP address, and third routing information, and the function indication information includes: an IKE (Internet Key Management, key exchange protocol) Policy, an IPSec (IP Security, IP layer security protocol) Policy, and IPSec Site information;
The transmitting of the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
The transmitting of the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information onto the virtual machine, includes: creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol (IKE) policy and the IP layer security protocol (IPSec) policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
In another optional embodiment, the SF is network element WEB protection; the resource indication information includes a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address and fourth routing information; and the function indication information includes a WEB protection policy and information about the WEB application server or data center to be protected;
Transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources contained in the resource indication information onto the virtual machine in the forwarding plane, includes: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure on the virtual machine the parameters for deploying the SF contained in the function indication information, includes: creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center to be protected.
The embodiments for the four scenarios above are described in detail in the embodiments that follow.
The NFV information may be acquired in several ways. In an optional embodiment, acquiring the NFV information includes: receiving the NFV information transmitted by the application plane.
In another optional embodiment, acquiring the NFV information includes: receiving the NFV information transmitted by the control plane, where the NFV information was transmitted to the control plane by the application plane.
In an optional embodiment, after the underlying network resources are created according to the resource indication information and the function indication information and the SF is deployed on those underlying network resources, the method further includes: acquiring updated NFV information, where the updated NFV information includes updated resource indication information and/or updated function indication information; and updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
Optionally, updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information includes:
changing, adding or deleting the created underlying network resources according to the updated resource indication information; and/or changing, adding or deleting the deployed SF according to the updated function indication information.
In an optional embodiment, after the underlying network resources are created according to the resource indication information and the function indication information and the SF is deployed on those underlying network resources, the method further includes:
the forwarding plane reporting information about the underlying network resources to the control plane after the underlying network resources have been created; and/or the forwarding plane reporting information about the deployed SF to the control plane after the SF has been deployed. This embodiment enables the control plane to discover and manage the created underlying network resources and the deployed SF.
From the description of the above implementations, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium (such as ROM/RAM, a magnetic disk or an optical disc), and the computer-executable instructions stored in the readable storage medium cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention.
An embodiment of the present invention further provides an apparatus for creating an SF. The apparatus is configured to implement the above embodiments and optional implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of an apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes a first acquiring module 22 and a processing module 24. The apparatus is described below.
The first acquiring module 22 is configured to acquire predetermined network function virtualization (NFV) information, where the NFV information includes resource indication information indicating the underlying network resources required to establish the network function, and function indication information indicating the SF to be deployed on the underlying network resources;
The processing module 24 is connected to the first acquiring module 22 and is configured to create the underlying network resources according to the resource indication information and the function indication information and to deploy the SF on the underlying network resources.
FIG. 3 is a structural block diagram of the processing module 24 in the apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 3, the processing module 24 includes a first transmitting unit 32 and a second transmitting unit 34. The processing module 24 is described below.
The first transmitting unit 32 is configured to transmit the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information;
The second transmitting unit 34 is connected to the first transmitting unit 32 and is configured to transmit the deployment information determined according to the function indication information to the virtual machine, by using the interface to communicate with the resident program in the virtual machine in the underlying network resources, to instruct the virtual machine to deploy the SF.
FIG. 4 is a structural block diagram of the first transmitting unit 32 and the second transmitting unit 34 in the apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 4, the first transmitting unit 32 includes a first transmitting subunit 42, and the second transmitting unit 34 includes a second transmitting subunit 44. The first transmitting subunit 42 and the second transmitting subunit 44 are described below.
The first transmitting subunit 42 is configured to transmit the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resources contained in the resource indication information on the virtual machine in the forwarding plane.
The second transmitting subunit 44 is configured to transmit the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF contained in the function indication information on the virtual machine.
In an optional embodiment, the SF may be load balancing; the resource indication information may include a first management network Internet Protocol (IP) address, a first service subnet IP address and first routing information; and the function indication information may include load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
The first transmitting subunit 42 may instruct the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
The second transmitting subunit 44 may instruct the virtual machine to deploy the SF as follows: creating a load balancing configuration file according to the function indication information; and transmitting the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
In another optional embodiment, the SF may be a firewall; the resource indication information may include a second management network Internet Protocol (IP) address, a second service subnet IP address and second routing information; and the function indication information may include firewall rule and policy information;
The first transmitting subunit 42 may instruct the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
The second transmitting subunit 44 may instruct the virtual machine to deploy the SF as follows: creating a firewall configuration file according to the function indication information; and transmitting the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure its rules and policies as the rules and policies corresponding to the firewall rule and policy information.
In another optional embodiment, the SF is a VPN; the resource indication information includes a third management network Internet Protocol (IP) address, a third service subnet IP address and third routing information; and the function indication information includes a key exchange protocol (IKE) policy, an IP-layer security protocol (IPSec) policy and IPSec site information;
The first transmitting subunit 42 may instruct the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
The second transmitting subunit 44 may instruct the virtual machine to deploy the SF as follows: creating a VPN configuration file according to the function indication information; and transmitting the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol (IKE) policy and the IP-layer security protocol (IPSec) policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
In another optional embodiment, the SF is network element WEB protection; the resource indication information includes a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address and fourth routing information; and the function indication information includes a WEB protection policy and information about the WEB application server or data center to be protected;
The first transmitting subunit 42 may instruct the forwarding plane to configure the underlying network resources as follows: transmitting the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of the fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
The second transmitting subunit 44 may instruct the virtual machine to deploy the SF as follows: creating a WEB protection configuration file according to the function indication information; and transmitting the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information about the WEB application server or data center to be protected.
FIG. 5 is a first optional structural block diagram of the first acquiring module 22 in the apparatus for deploying a service function node (SF) according to an embodiment of the present invention. As shown in FIG. 5, the first acquiring module 22 may include a first receiving unit 52. The first receiving unit 52 is described below.
The first receiving unit 52 is configured to receive the NFV information transmitted by the application plane.
FIG. 6 is a second optional structural block diagram of the first acquiring module 22 in the apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 6, the first acquiring module 22 may include a second receiving unit 62. The second receiving unit 62 is described below.
The second receiving unit 62 is configured to receive the NFV information transmitted by the control plane, where the NFV information was transmitted to the control plane by the application plane.
FIG. 7 is an optional structural block diagram of the apparatus for deploying an SF according to an embodiment of the present invention. As shown in FIG. 7, in addition to all the modules shown in FIG. 2, the apparatus may further include a second acquiring module 72 and an updating module 74. The apparatus is described below.
The second acquiring module 72 is connected to the processing module 24 and is configured to acquire updated NFV information after the underlying network resources have been created according to the resource indication information and the function indication information and the SF has been deployed on those underlying network resources, where the updated NFV information includes updated resource indication information and/or updated function indication information;
The updating module 74 is connected to the second acquiring module 72 and is configured to update the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
FIG. 8 is an optional structural block diagram of the updating module 74 in the apparatus for creating an SF according to an embodiment of the present invention. As shown in FIG. 8, the updating module 74 may include a first updating unit 82 and/or a second updating unit 84. The updating module 74 is described below.
The first updating unit 82 is configured to change, add or delete the created underlying network resources according to the updated resource indication information;
The second updating unit 84 is configured to change, add or delete the deployed SF according to the updated node indication information.
The methods and apparatuses in the described embodiments can all be applied in a resource management system.
In an optional embodiment, the apparatus for creating an SF may further include a first reporting module and/or a second reporting module, both of which may be applied in the forwarding plane. The modules are described below:
The first reporting module is applied in the forwarding plane and is configured to report information about the underlying network resources to the control plane after the underlying network resources have been created;
The second reporting module is applied in the forwarding plane and is configured to report information about the deployed SF to the control plane after the SF has been deployed.
The solution in the embodiments of the present invention has advantages over the technical solutions in the related art. In the related art, planning an SFC in an SDN network requires first creating the underlying network resources, deploying SFs on the existing network resources, and then planning the SFC. This "resources first, planning afterwards" approach means that the SFC cannot define SFs or automatically create the required network resources in response to changes in actual service requirements, which makes SFC deployment inflexible and also wastes resources. In the embodiments of the present invention, by contrast, the SDN supports defining SFs according to the planned SFC, including SFs with functions such as load balancing, firewall, Carrier Grade Network Address Translation (CGN), the IP service identification and control system (DPI) and router; the required network resources are created and the SFs deployed automatically in the underlying network, and the control plane can discover and manage the newly created SFs. This "definition first, resources afterwards" approach gives the SFC flexible deployment in the SDN, while improving resource utilization and reducing manual maintenance costs.
In the embodiments of the present invention, a resource management system is used within the SDN network architecture to automatically create the required network resources and deploy the SFs for the planned SFC. The information about the SFs is updated to the SFC controller, so that the SFC controller can discover and manage the newly created SFs and make them available to the service applications of the application plane.
The technical solutions in the above embodiments are described here:
FIG. 9 is a schematic diagram of an SDN network architecture according to an embodiment of the present invention. As shown in FIG. 9, the architecture mainly includes a resource management system, a network management system and three planes, namely the application plane, the control plane and the forwarding plane of the software-defined networking (SDN) framework. The application plane is divided into APPs (applications) for various service functions; the control plane includes an orchestrator and a controller; and the forwarding plane includes forwarding devices such as flow classifiers, SFs and switches. The network management system is an important module for ensuring reliable operation of the network. It is configured to monitor the running state of the network resources in the forwarding plane, perform fault diagnosis and alarming, and exchange the network state with the control plane. The resource management system is configured to create network resources and deploy SFs in the forwarding plane for a newly planned SFC.
FIG. 9 mainly includes five interfaces. The A-CPI interface is used for interaction between the application plane and the control plane; the interaction covers the creation, modification and configuration of SFCs by the application layer. The B-CPI interface is used for interaction between the application plane and the resource management system; the interaction covers NFV-related information. The C-CPI interface is used for interaction between the control plane and the resource management system; the interaction covers the information about the SFs that need to be created to build the SFC. The D-CPI interface is used for interaction between the control plane and the SFs that support the SFC, so that the control plane can discover, manage and configure the SFs. The E-CPI interface is used for interaction between the resource management system and the forwarding plane, so that the resource management system can create network resources in the forwarding plane. The positions of the five interfaces are shown in FIG. 9.
There are two schemes for triggering the resource management system to create the required network resources and deploy the SFs according to the planned SFC. In scheme one, the application plane transmits the planned NFV-related information directly to the resource management system through the B-CPI interface and triggers the resource management system to create the required network resources and deploy the SFs in the forwarding plane through the E-CPI interface; the SF information is updated to the control plane through D-CPI. In scheme two, the application plane transmits the NFV-related information to the control plane through the A-CPI interface; the control plane transmits the information about the SFs that need to be created to build the SFC to the resource management system through the C-CPI interface and triggers the resource management system to create the required network resources and deploy the SFs in the forwarding plane through the E-CPI interface; the SF information is updated to the SFC controller through D-CPI.
FIG. 10 is a first flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention (this flow is scheme one). As shown in FIG. 10, the flow includes the following steps:
Step 1. A new service application needs to be deployed to the cloud platform. The application plane plans the SFC according to the requirements of the service application, for example by setting SF-related parameters such as the customized virtual machine specification (CPU, memory, image file and so on) and the SF's IP address, network, routes and gateway, similar to the SFC shown in FIG. 12. (Corresponds to step S1002 in FIG. 10.)
Step 2. The application plane transmits the NFV and SF information to the resource management system through the B-CPI interface. According to the SFC information, the resource management system creates the required network resources in the forwarding plane through the E-CPI interface, including routes, virtual machines (using a customized image file that contains modules such as the resident program), networks and so on. (Corresponds to steps S1004-S1006 in FIG. 10.)
Step 3. The resource management system saves the information about the defined SF to the control-forwarding interface adaptation module. The agent program in the control-forwarding interface then communicates with the resident program in the virtual machine and passes the information into the virtual machine. The resident program completes the deployment and configuration of the SF function according to the information it receives. (Corresponds to steps S1008-S1010 in FIG. 10.)
Step 4. The forwarding plane updates the information about the NFV and its SFs to the SFC controller through the D-CPI interface, so that the SFC controller can discover and manage the SFs and the service application can use the whole SFC. (Corresponds to steps S1012-S1014 in FIG. 10.)
FIG. 11 is a second flowchart of a method for planning and deploying an SFC according to an embodiment of the present invention (this flow is scheme 2). As shown in FIG. 11, the flow includes the following steps:
Step 1. A new service application needs to be deployed to the cloud platform. The application plane plans the SFC according to the requirements of the service application, for example by setting SF-related parameters such as the customized virtual machine specification (CPU, memory, image file, etc.) and the SF's IP address, network, route and gateway, analogous to the SFC shown in FIG. 12, and passes the NFV and SF information to the control plane through the A-CPI interface. (Corresponds to step S1102 in FIG. 11.)
Step 2. The control plane passes the information about the SFs that need to be created to support the SFC to the resource management system through the C-CPI interface. Based on the SF information, the resource management system creates the required network resources on the forwarding plane through the E-CPI interface, including routes, virtual machines (using a customized image file that contains modules such as the resident program), networks, and so on. (Corresponds to steps S1104-S1108 in FIG. 11.)
Step 3. Same as step 3 in scheme 1. (Corresponds to step S1110 in FIG. 11.)
Step 4. Same as step 4 in scheme 1. (Corresponds to steps S1112-S1114 in FIG. 11.)
The embodiments in the different scenarios mentioned above are described in detail below:
Embodiment 1
When the SF is load balancing, an LB (Load Balancing, load balancer) is created dynamically according to the SFC using scheme 1:
FIG. 12 is a schematic diagram of an SFC that includes a load-balancing node according to an embodiment of the present invention. As shown in FIG. 12, scheme 1 is used to automatically deploy an SF with a load-balancing function according to the SFC, providing load balancing for the back-end service servers. The load-balancing service is implemented on Nginx but is not limited to Nginx; any high-performance load-balancing product is suitable for the embodiments of the present invention.
The steps by which the resource management system automatically creates and deploys the load-balancing SF according to the planned SFC are as follows:
Step 1. The service capacity of the service application on the application plane needs to be increased substantially, which places a demand for a load-balancing service on the SDN: a load balancer must be built to provide load balancing for three service servers. A load balancer serving a different number of service servers can of course also be built; this embodiment uses a load balancer for three service servers as the example.
Step 2. The application plane plans an SFC that includes the load-balancing SF according to the requirements of the service application, as shown in FIG. 12. In the SFC, the IP address of the management network public may be 10.46.178.0/24, the IP address of the service subnet vxlan may be 192.168.100.0/24, the management-network floating IP of the load-balancing SF may be 10.46.178.27, and the VIP of the load-balancing SF within the service subnet may be 192.168.100.27; load balancing may be provided for three cloud hosts in the service subnet whose IP addresses are 192.168.100.1, 192.168.100.2 and 192.168.100.3, and so on. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information; the function indication information may include load-balancing protocol information, member information of the load-balancing resource pool, and load-balancing algorithm information.
Step 3. The application plane passes the SFC information to the resource management system through the B-CPI interface. According to the SFC planned by the application plane, the resource management system automatically creates the network resources required by step 2 of this embodiment: it automatically creates the public and vxlan networks and the router, automatically creates the resource pool and the active and standby virtual machines for the load-balancing SF (using a customized virtual machine image file that contains modules such as the resident program and Nginx), and allocates to them a floating IP and a virtual terminal protocol (VIP for short) address, and so on. That is, the forwarding plane is used to configure the management-network IP address of the virtual machine in the forwarding plane as the management-network IP address of the virtual machine included in the resource indication information of this embodiment, to configure the service-subnet IP address of the virtual machine as the service-subnet IP address of the virtual machine included in the resource indication information of this embodiment, and to configure the routing information of the virtual machine as the routing information included in the resource indication information of this embodiment. The load-balancing SF and the three cloud hosts are attached to vxlan, and the SF provides load balancing for the three cloud hosts. The entire process is completed by the resource management system calling the control-forwarding interface; the cloud administrator does not need to create virtual machines or configure the network manually.
Step 4. According to the requirements of the load-balancing SF in the planned SFC, that is, according to the function indication information of this embodiment, the resource management system may automatically create the load-balancing configuration file conf, communicate with the resident program in the virtual machine through the control-forwarding interface, and pass the conf configuration file to the virtual machine. The load balancer (for example Nginx) is deployed automatically according to the information contained in the function indication information of this embodiment, and load-balancing policies such as Protocol (load-balancing protocol), Member (resource pool member) and Method (load-balancing algorithm) are configured.
Step 5. The forwarding plane updates the SFC and all SF information to the SFC controller in the control plane through the D-API interface, so that load balancing and other related SFs can be discovered and managed by the SFC controller, and so that the SFC controller can configure the SFC as required for service applications on the application plane to call.
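Step 4 turns application-plane input into a configuration file that a resident program loads inside the virtual machine, so the Protocol, Member and Method values should be validated before the file is rendered. The following is an added example, not part of the patent: the dictionary field names, the HTTP-only protocol set, the method names and port 80 are assumptions, while the subnet, VIP and member addresses are the ones given in step 2.

```python
import ipaddress

# Hypothetical mapping from the Method field to Nginx upstream directives.
# Round robin is Nginx's default and needs no directive.
METHODS = {"round_robin": None, "least_conn": "least_conn;", "ip_hash": "ip_hash;"}
PROTOCOLS = {"HTTP"}  # assumption: this sketch renders an http-context proxy only


class FunctionIndicationError(ValueError):
    """Raised when the function indication information must not be rendered."""


def _host(value, subnet, what):
    # ip_address() accepts only a bare address, so a value carrying extra
    # Nginx syntax ("192.168.100.1; include ...") is rejected here.
    if not isinstance(value, str):
        raise FunctionIndicationError(f"{what} must be a string: {value!r}")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise FunctionIndicationError(f"{what} is not an IP address: {value!r}")
    if addr not in subnet:
        raise FunctionIndicationError(f"{what} {addr} is outside {subnet}")
    return addr


def render_lb_conf(info, service_subnet, port=80):
    """Return Nginx http-context configuration text for one load-balancing SF."""
    subnet = ipaddress.ip_network(service_subnet)
    protocol, method = info.get("protocol"), info.get("method")
    if not isinstance(protocol, str) or protocol not in PROTOCOLS:
        raise FunctionIndicationError(f"unsupported protocol: {protocol!r}")
    if not isinstance(method, str) or method not in METHODS:
        raise FunctionIndicationError(f"unsupported method: {method!r}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise FunctionIndicationError(f"invalid port: {port!r}")

    vip = _host(info.get("vip"), subnet, "VIP")
    members = [_host(m, subnet, "member") for m in info.get("members", [])]
    if not members:
        raise FunctionIndicationError("resource pool has no members")
    if len(set(members)) != len(members):
        raise FunctionIndicationError("duplicate pool member")
    if vip in members:
        # The SF would proxy to its own listener.
        raise FunctionIndicationError("VIP must not be a pool member")

    lines = ["upstream sf_pool {"]
    if METHODS[method]:
        lines.append(f"    {METHODS[method]}")
    lines += [f"    server {m}:{port};" for m in members]
    lines += [
        "}",
        "server {",
        f"    listen {vip}:{port};",
        "    location / {",
        "        proxy_pass http://sf_pool;",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Function indication information using the addresses from step 2.
SAMPLE_INFO = {
    "protocol": "HTTP",
    "method": "least_conn",
    "vip": "192.168.100.27",
    "members": ["192.168.100.1", "192.168.100.2", "192.168.100.3"],
}

if __name__ == "__main__":
    print(render_lb_conf(SAMPLE_INFO, "192.168.100.0/24"))
```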
Embodiment 2
When the SF is a firewall, an FW (FireWall) is created dynamically according to the SFC using scheme 1:
FIG. 13 is a schematic diagram of an SFC that includes a firewall according to an embodiment of the present invention. As shown in FIG. 13, scheme 1 is used to automatically deploy an SF with a firewall function according to the SFC, providing security protection for the back-end service network.
The steps by which the resource management system automatically creates and deploys the firewall SF according to the planned SFC are as follows:
Step 1. The application plane places requirements on the security of the service application's service network, and a firewall must be built to provide security protection for the service network.
Step 2. The application plane plans an SFC that includes the firewall SF according to the requirements of the service application, as shown in FIG. 13. In the SFC, the IP of the management network public may be 10.46.178.0/24 and the IP address of the service network vxlan may be 192.168.168.0/24; the plan also covers the router interface settings, the firewall, and the firewall rules and policies (including supported protocol, IP version, source address, destination address, source port, destination port, action set, etc.), and so on. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information; the function indication information may include firewall rule and policy information.
Step 3. The application plane passes the SFC information to the resource management system through the B-CPI interface. According to the SFC planned by the application plane, the resource management system automatically creates the network resources required by step 2 of this embodiment, including the router and the virtual machine needed to deploy the firewall (using a customized virtual machine image file that contains modules such as the resident program), adds the service network, and so on. That is, the forwarding plane is used to configure the management-network IP address of the virtual machine in the forwarding plane as the management-network IP address of the virtual machine included in the resource indication information of this embodiment, to configure the service-subnet IP address of the virtual machine as the service-subnet IP address of the virtual machine included in the resource indication information of this embodiment, and to configure the routing information of the virtual machine as the routing information included in the resource indication information of this embodiment. The entire process is completed by the resource management system calling the control-forwarding interface; the cloud administrator does not need to create virtual machines or configure the network manually.
Step 4. According to the functional requirements of the firewall SF in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager may save the planned firewall rules and policies to the corresponding file, communicate with the resident program in the corresponding virtual machine, and pass the policies and rules in the file to the virtual machine; according to the information contained in the function indication information in this embodiment, the resident program in the virtual machine is instructed to update the policies and rules to the firewall and start protection.
Step 5. The forwarding plane updates all information about the SFC that includes the firewall SF to the SFC controller through the D-API interface, so that the firewall and other related SFs can be discovered and managed by the SFC controller, and so that the SFC controller can modify the firewall rules and policies as required.
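The rule fields listed in step 2 (protocol, addresses, ports, action) are enough to check a planned rule set before step 4 pushes it to the resident program. The following added example, which is not part of the patent, reports rules that an earlier rule makes unreachable; the Rule layout, first-match evaluation, the default-deny fallback and the sample rules are assumptions, and only the two network prefixes come from step 2.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str                 # "tcp", "udp" or "any"
    src: str                      # source network in CIDR form (fixes the IP version)
    dst: str                      # destination network in CIDR form
    dst_ports: tuple = ANY_PORT   # inclusive (low, high)
    src_ports: tuple = ANY_PORT   # inclusive (low, high)
    action: str = "deny"          # "allow" or "deny"


def _net_covers(outer, inner):
    a, b = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return a.version == b.version and b.subnet_of(a)


def _ports_cover(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    return ((a.protocol == "any" or a.protocol == b.protocol)
            and _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and _ports_cover(a.src_ports, b.src_ports)
            and _ports_cover(a.dst_ports, b.dst_ports))


def find_shadowed(rules):
    """Return (shadowed_rule, earlier_rule, kind) for rules that can never fire.

    kind is "conflict" when the two actions differ (the later rule's intent is
    silently lost) and "redundant" when they agree.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def matches(rule, pkt):
    addr_ok = (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
               and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst))
    return (rule.protocol in ("any", pkt["protocol"]) and addr_ok
            and rule.src_ports[0] <= pkt["sport"] <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt["dport"] <= rule.dst_ports[1])


def decide(rules, pkt, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


# Constructed rule set on the networks from step 2 (10.46.178.0/24 management,
# 192.168.168.0/24 service). Host addresses and ports are made up.
RULES = [
    Rule("allow-web", "tcp", "0.0.0.0/0", "192.168.168.0/24",
         dst_ports=(443, 443), action="allow"),
    Rule("deny-mgmt", "any", "10.46.178.0/24", "192.168.168.0/24", action="deny"),
    Rule("allow-admin-ssh", "tcp", "10.46.178.50/32", "192.168.168.0/24",
         dst_ports=(22, 22), action="allow"),
    Rule("allow-web-one-host", "tcp", "10.0.0.0/8", "192.168.168.10/32",
         dst_ports=(443, 443), action="allow"),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULES):
        print(f"{shadowed} is unreachable behind {by} ({kind})")
```

A "conflict" finding such as allow-admin-ssh behind deny-mgmt means the rule order must change before the policy is handed to the virtual machine.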
Embodiment 3
When the SF is a VPN, a VPN is created dynamically according to the SFC using scheme 2, providing a VPN service for the network.
The steps by which the resource management system automatically creates and deploys the VPN according to the planned SFC are as follows:
Step 1. The application plane places a requirement on the service application's service network, and a VPN must be built to provide a VPN service for the service network.
Step 2. The application plane plans an SFC that includes the VPN function according to the requirements of the service application. In the SFC, the IP address of the management network public may be 10.46.178.0/24 and the IP address of the service network vxlan may be 192.168.168.0/24; the plan also covers the router interface settings and so on, and the SFC information is passed to the control plane through the A-CPI interface. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information; the function indication information may include the key exchange protocol (IKE) policy, the IP-layer security protocol (IPSec) policy, and IPSec site information.
Step 3. The control plane passes the information about the SF that needs to be created to support the SFC (the VPN) to the resource management system through the C-API interface, and triggers the resource management system to automatically create, according to the planned SFC, the network resources required by step 2 of this embodiment, including the router (a router with special functions, using a customized virtual machine image file that contains modules such as the resident program), adding the service network, and so on. That is, the forwarding plane is used to configure the management-network IP address of the virtual machine in the forwarding plane as the management-network IP address of the virtual machine included in the resource indication information of this embodiment, to configure the service-subnet IP address of the virtual machine as the service-subnet IP address of the virtual machine included in the resource indication information of this embodiment, and to configure the routing information of the virtual machine as the routing information included in the resource indication information of this embodiment. The entire process is completed by the resource management system calling the control-forwarding interface; the cloud administrator does not need to create virtual machines or configure the network manually.
Step 4. According to the functional requirements of the VPN in the planned SFC, that is, according to the function indication information in this embodiment, the resource manager saves the planned configuration such as the IKE Policy, IPSec Policy and IPSec Site to the configuration file corresponding to the VPN, communicates with the resident program in the corresponding virtual machine, and passes the configuration file to the virtual machine, so that the resident program in the virtual machine configures and starts the VPN according to the function indication information in this embodiment.
Step 5. The forwarding plane updates all information about the SFC that includes the VPN to the SFC controller through the D-CPI, so that the VPN and other related SFs can be discovered and managed by the SFC controller, and so that the SFC controller can modify the VPN policies and so on as required.
Embodiment 4
When the SF is WEB protection, a WEB protection SF is created dynamically according to the SFC using scheme 2, providing WEB security protection for servers and defending against attacks including SQL (Structured Query Language) injection, file inclusion vulnerabilities, XSS (Cross Site Scripting), XSRF (Cross-site request forgery) and directory traversal.
Step 1. The service application on the application plane requires WEB security protection for the service servers, and a WEB security protection SF must be built to provide security protection for the service servers.
Step 2. The application plane plans an SFC that includes the WEB security protection SF according to the requirements of the service application. The SFC plan covers the network, where the planned network includes the management network and the service subnet; the WEB protection policy (which may include access control lists (Access Control List, ACL for short), an IP blacklist, user data to be blocked, disabling of dangerous methods (including OPTIONS, DELETE, etc.), hotlink protection, hiding of server version information, traffic control, configuration for known attack signatures, etc.); and the WEB application servers or data centers to be protected. The planned SFC information is passed to the control plane through the A-CPI interface. In this scenario, the resource indication information may include the IP address of the virtual machine in the forwarding plane on the management network, its IP address on the service subnet, and routing information; the function indication information may include the above WEB protection policy and the information about the WEB application servers or data centers to be protected.
Step 3. The control plane passes the information about the SF that needs to be created (WEB security protection) to the resource management system through the C-CPI interface, and triggers the resource management system to automatically create, according to the SFC planned by the application plane, the network resources required by step 2 of this embodiment, including the network and the virtual machine needed to deploy the WEB security protection SF (using a customized virtual machine image file that contains modules such as the resident program, Naxsi, Nginx and SSL), adding the WEB application servers, and so on. That is, the forwarding plane is used to configure the management-network IP address of the virtual machine in the forwarding plane as the management-network IP address of the virtual machine included in the resource indication information of this embodiment, to configure the service-subnet IP address of the virtual machine as the service-subnet IP address of the virtual machine included in the resource indication information of this embodiment, and to configure the routing information of the virtual machine as the routing information included in the resource indication information of this embodiment. The entire process is completed by the resource management system calling the control-forwarding interface; the cloud administrator does not need to create virtual machines or configure the network manually.
Step 4. According to the functional requirements of the WEB security protection SF in the planned SFC, that is, according to the above indication information, the resource manager may save the planned security protection policy to the corresponding file (the control node creates a file for each SF's configuration information), communicate with the resident program in the corresponding virtual machine, and pass the policy in the file to the virtual machine; the resident program in the virtual machine configures the policies and rules into the WEB security module according to the function indication information in this embodiment and starts protection.
Step 5. The forwarding plane updates the information about the WEB security protection SF to the SFC controller through the D-CPI interface, so that the SF can be discovered and managed by the SFC controller, and so that the SFC controller can modify the security protection rules and policies as required.
The above embodiments show that, in the solution of the embodiments of the present invention, the resource management system automatically creates the underlying network resources and deploys the SF for the SFC planned by the application plane, and the SF information is updated to the SFC controller so that the SFC controller can discover and manage the newly added SF. The solution of the present invention achieves the purpose of dynamically creating SFs based on the SDN service chain, gives the SFC flexible deployment in the SDN, improves resource utilization, and reduces manual maintenance cost.
It should be noted that the above modules may be implemented in software or hardware. For the latter, this may be done in the following ways, without limitation: the above modules are all located in the same processor; or the above modules are located in multiple processors respectively.
Embodiments of the present invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1: acquire predetermined network functions virtualization (NFV) information, where the NFV information includes resource indication information used to indicate the underlying network resources required to establish a network function, and function indication information used to indicate the SF deployed on the underlying network resources;
S2: create the underlying network resources according to the resource indication information and the function indication information, and deploy the SF on the underlying network resources.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media that can store program code, such as a USB flash drive, ROM (Read-Only Memory), RAM (Random Access Memory), a removable hard disk, a magnetic disk or an optical disc.
Optionally, in this embodiment, the processor performs the above steps S1-S2 according to the program code stored in the storage medium.
Optionally, for examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, which are not repeated here.
In the related technical solutions, when an SDN creates an SFC, the administrator must first create the underlying network resources the SFC needs, deploy the new SF on top of the existing network resources, and then assemble the SFC. In the solution of the embodiments of the present invention, the SDN can conveniently plan the SFC according to the service requirements of the application plane without considering the underlying network resources. The resource management system automatically creates the required underlying network resources according to the SFC's requirements and configures and deploys the SF; the SF information is updated to the SFC controller so that the SFC controller can discover and manage the relevant SF nodes. This patent improves the flexibility and scalability of the SFC in the SDN and reduces manual maintenance cost.
Obviously, those skilled in the art should understand that the above modules or steps can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described may be performed in an order different from the one given here, or they may each be made into a separate integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module. Thus, the embodiments of the present invention are not limited to any specific combination of hardware and software.
Industrial applicability
The embodiments of the present invention solve the problem in the related art that manual intervention is needed to create the underlying network resources and deploy the SF, which makes creating the underlying network resources and deploying the SF rigid and prevents the underlying network resources and the SF from being adjusted flexibly, and thereby achieve the effect of flexibly adjusting the underlying network resources and the SF.

Claims (24)

  1. 一种业务功能SF的部署方法,包括:A method for deploying a service function SF, including:
    获取预定的网络功能虚拟化NFV信息,所述NFV信息包括用于指示建立网络功能所需的底层网络资源的资源指示信息,和用于指示在所述底层网络资源上部署的SF的功能指示信息;Obtaining predetermined network function virtualization NFV information, the NFV information including resource indication information indicating an underlying network resource required for establishing a network function, and function indication information indicating an SF deployed on the underlying network resource ;
    根据所述资源指示信息和所述功能指示信息创建所述底层网络资源并在所述底层网络资源上部署所述SF。And creating the SF resource according to the resource indication information and the function indication information, and deploying the SF on the underlying network resource.
  2. 根据权利要求1所述的方法,其中,所述根据所述资源指示信息和所述功能指示信息创建所述底层网络资源并在所述底层网络资源上部署所述SF包括:The method of claim 1, wherein the creating the underlying network resource according to the resource indication information and the function indication information and deploying the SF on the underlying network resource comprises:
    通过与转发平面之间的接口将所述资源指示信息传递给所述转发平面,以指示所述转发平面根据所述资源指示信息在所述转发平面上创建所述底层网络资源;Transmitting the resource indication information to the forwarding plane by using an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resource on the forwarding plane according to the resource indication information;
    通过利用所述接口与所述底层网络资源中的虚拟机中的驻留程序进行通信的方式,将根据所述功能指示信息确定的部署信息传递给所述虚拟机,以指示所述虚拟机部署所述SF。Distributing deployment information determined according to the function indication information to the virtual machine to indicate the virtual machine deployment by using the interface to communicate with a resident program in a virtual machine in the underlying network resource The SF.
  3. 根据权利要求2所述的方法,其中,所述通过与转发平面之间的接口将所述资源指示信息传递给所述转发平面,以指示所述转发平面根据所述资源指示信息在所述转发平面上创建所述底层网络资源包括:The method of claim 2, wherein the resource indication information is communicated to the forwarding plane through an interface with a forwarding plane to indicate that the forwarding plane is forwarded according to the resource indication information Creating the underlying network resources on a plane includes:
    通过所述接口将所述资源指示信息传递给所述转发平面,以指示所述转发平面将所述资源指示信息中包含的用于创建所述底层网络资源的参数配置到所述转发平面中的虚拟机上;Transmitting, by the interface, the resource indication information to the forwarding plane, to indicate that the forwarding plane configures, by using the resource indication information, a parameter for creating the underlying network resource into the forwarding plane. On the virtual machine;
    所述通过利用所述接口与所述底层网络资源中的虚拟机中的驻留程序进行通信的方式,将根据所述功能指示信息确定的部署信息传递给所述虚拟机,以指示所述虚拟机部署所述SF包括:Transmitting the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in the virtual machine in the underlying network resource to indicate the virtual The deployment of the SF includes:
    通过利用所述接口与所述驻留程序进行通信的方式将所述部署信息传递给所述虚拟机,以指示所述虚拟机将所述功能指示信息中包含的用于部署SF 的参数配置到所述虚拟机上。Transmitting the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to include the SF included in the function indication information for deploying SF The parameters are configured to the virtual machine.
  4. The method according to claim 3, wherein the SF is load balancing, the resource indication information comprises: a first management network Internet Protocol (IP) address, a first service subnet IP address and first routing information, and the function indication information comprises: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are contained in the resource indication information, onto the virtual machine in the forwarding plane, comprises:
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
    passing the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine, comprises:
    creating a load balancing configuration file according to the function indication information; and passing the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  5. The method according to claim 3, wherein the SF is a firewall, the resource indication information comprises: a second management network Internet Protocol (IP) address, a second service subnet IP address and second routing information, and the function indication information comprises: firewall rule and policy information;
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are contained in the resource indication information, onto the virtual machine in the forwarding plane, comprises:
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
    passing the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine, comprises:
    creating a firewall configuration file according to the function indication information; and passing the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
  6. The method according to claim 3, wherein the SF is a virtual private network (VPN), the resource indication information comprises: a third management network Internet Protocol (IP) address, a third service subnet IP address and third routing information, and the function indication information comprises: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information;
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are contained in the resource indication information, onto the virtual machine in the forwarding plane, comprises:
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
    passing the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine, comprises:
    creating a VPN configuration file according to the function indication information; and passing the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  7. The method according to claim 3, wherein the SF is network element WEB protection, the resource indication information comprises: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address and fourth routing information, and the function indication information comprises: a WEB protection policy and information on the WEB application server or data center to be protected;
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to load the parameters for creating the underlying network resources, which are contained in the resource indication information, onto the virtual machine in the forwarding plane, comprises:
    passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
    passing the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine, comprises:
    creating a WEB protection configuration file according to the function indication information; and passing the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information on the WEB application server or data center to be protected.
  8. The method according to claim 1, wherein acquiring the predetermined network function virtualization (NFV) information comprises:
    receiving the NFV information passed by the application plane.
  9. The method according to claim 1, wherein acquiring the predetermined network function virtualization (NFV) information comprises:
    receiving the NFV information passed by the control plane, the NFV information having been passed to the control plane by the application plane.
  10. The method according to claim 1, further comprising, after creating the underlying network resources and deploying the SF on the underlying network resources according to the resource indication information and the function indication information:
    acquiring updated NFV information, the updated NFV information comprising updated resource indication information and/or updated function indication information;
    updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  11. The method according to claim 10, wherein updating the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information comprises:
    changing, adding or deleting the created underlying network resources according to the updated resource indication information; and/or,
    changing, adding or deleting the deployed SF according to the updated function indication information.
  12. The method according to claim 2, further comprising, after creating the underlying network resources and deploying the SF on the underlying network resources according to the resource indication information and the function indication information:
    the forwarding plane reporting information on the underlying network resources to the control plane after the underlying network resources have been created; and/or,
    the forwarding plane reporting information on the deployed SF to the control plane after the SF has been deployed.
  13. An apparatus for deploying a service function (SF), comprising:
    a first acquiring module, configured to acquire predetermined network function virtualization (NFV) information, the NFV information comprising resource indication information for indicating the underlying network resources required to establish a network function, and function indication information for indicating the SF to be deployed on the underlying network resources;
    a processing module, configured to create the underlying network resources and deploy the SF on the underlying network resources according to the resource indication information and the function indication information.
  14. The apparatus according to claim 13, wherein the processing module comprises:
    a first passing unit, configured to pass the resource indication information to the forwarding plane through an interface with the forwarding plane, to instruct the forwarding plane to create the underlying network resources on the forwarding plane according to the resource indication information;
    a second passing unit, configured to pass the deployment information determined according to the function indication information to the virtual machine by using the interface to communicate with a resident program in the virtual machine in the underlying network resources, to instruct the virtual machine to deploy the SF.
  15. The apparatus according to claim 14, wherein:
    the first passing unit comprises: a first passing subunit, configured to pass the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to configure the parameters for creating the underlying network resources, which are contained in the resource indication information, onto a virtual machine in the forwarding plane;
    the second passing unit comprises: a second passing subunit, configured to pass the deployment information to the virtual machine by using the interface to communicate with the resident program, to instruct the virtual machine to configure the parameters for deploying the SF, which are contained in the function indication information, onto the virtual machine.
  16. The apparatus according to claim 15, wherein the SF is load balancing, the resource indication information comprises: a first management network Internet Protocol (IP) address, a first service subnet IP address and first routing information, and the function indication information comprises: load balancing protocol information, member information of the load balancing resource pool, and load balancing algorithm information;
    the first passing subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a first virtual machine in the forwarding plane on the management network as the first management network IP address, configuring the IP address of the first virtual machine on the service subnet as the first service subnet IP address, and configuring the routing information of the first virtual machine as the first routing information;
    the second passing subunit instructs the virtual machine to deploy the SF by: creating a load balancing configuration file according to the function indication information; and passing the load balancing configuration file to the first virtual machine by using the interface to communicate with the resident program, to instruct the first virtual machine to perform the following operations: configuring the protocol of the first virtual machine as the protocol corresponding to the load balancing protocol information, configuring the members of the first virtual machine as the members corresponding to the member information of the load balancing resource pool, and configuring the algorithm of the first virtual machine as the algorithm corresponding to the load balancing algorithm information.
  17. The apparatus according to claim 15, wherein the SF is a firewall, the resource indication information comprises: a second management network Internet Protocol (IP) address, a second service subnet IP address and second routing information, and the function indication information comprises: firewall rule and policy information;
    the first passing subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a second virtual machine in the forwarding plane on the management network as the second management network IP address, configuring the IP address of the second virtual machine on the service subnet as the second service subnet IP address, and configuring the routing information of the second virtual machine as the second routing information;
    the second passing subunit instructs the virtual machine to deploy the SF by: creating a firewall configuration file according to the function indication information; and passing the firewall configuration file to the second virtual machine by using the interface to communicate with the resident program, to instruct the second virtual machine to configure the rules and policies of the second virtual machine as the rules and policies corresponding to the firewall rule and policy information.
  18. The apparatus according to claim 15, wherein the SF is a virtual private network (VPN), the resource indication information comprises: a third management network Internet Protocol (IP) address, a third service subnet IP address and third routing information, and the function indication information comprises: a key exchange protocol (IKE) policy, an IP layer security protocol (IPSec) policy, and IPSec site information;
    the first passing subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a third virtual machine in the forwarding plane on the management network as the third management network IP address, configuring the IP address of the third virtual machine on the service subnet as the third service subnet IP address, and configuring the routing information of the third virtual machine as the third routing information;
    the second passing subunit instructs the virtual machine to deploy the SF by: creating a VPN configuration file according to the function indication information; and passing the VPN configuration file to the third virtual machine by using the interface to communicate with the resident program, to instruct the third virtual machine to perform the following operations: configuring the protocol policies of the third virtual machine as the key exchange protocol IKE policy and the IP layer security protocol IPSec policy, and configuring the site of the third virtual machine as the site corresponding to the IPSec site information.
  19. The apparatus according to claim 15, wherein the SF is network element WEB protection, the resource indication information comprises: a fourth management network Internet Protocol (IP) address, a fourth service subnet IP address and fourth routing information, and the function indication information comprises: a WEB protection policy and information on the WEB application server or data center to be protected;
    the first passing subunit instructs the forwarding plane to configure the underlying network resources by: passing the resource indication information to the forwarding plane through the interface, to instruct the forwarding plane to perform the following operations: configuring the IP address of a fourth virtual machine in the forwarding plane on the management network as the fourth management network IP address, configuring the IP address of the fourth virtual machine on the service subnet as the fourth service subnet IP address, and configuring the routing information of the fourth virtual machine as the fourth routing information;
    the second passing subunit instructs the virtual machine to deploy the SF by: creating a WEB protection configuration file according to the function indication information; and passing the WEB protection configuration file to the fourth virtual machine by using the interface to communicate with the resident program, to instruct the fourth virtual machine to perform the following operations: configuring the rules and policies of the fourth virtual machine as the WEB protection policy and rules, and configuring the server or data center of the fourth virtual machine as the server or data center corresponding to the information on the WEB application server or data center to be protected.
  20. The apparatus according to claim 13, wherein the first acquiring module comprises:
    a first receiving unit, configured to receive the NFV information passed by the application plane.
  21. The apparatus according to claim 13, wherein the first acquiring module comprises:
    a second receiving unit, configured to receive the NFV information passed by the control plane, wherein the NFV information has been passed to the control plane by the application plane.
  22. The apparatus according to claim 13, further comprising:
    a second acquiring module, configured to acquire updated NFV information after the processing module has created the underlying network resources and deployed the SF on the underlying network resources according to the resource indication information and the function indication information, the updated NFV information comprising updated resource indication information and/or updated function indication information;
    an updating module, configured to update the created underlying network resources and the deployed SF according to the updated resource indication information and/or the updated function indication information.
  23. The apparatus according to claim 22, wherein the updating module comprises:
    a first updating unit, configured to change, add or delete the created underlying network resources according to the updated resource indication information; and/or,
    a second updating unit, configured to change, add or delete the deployed SF according to the updated function indication information.
  24. The apparatus according to claim 14, further comprising:
    a first reporting module, applied in the forwarding plane and configured to report information on the underlying network resources to the control plane after the underlying network resources have been created; and/or,
    a second reporting module, applied in the forwarding plane and configured to report information on the deployed SF to the control plane after the SF has been deployed.
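The two-step deployment of claims 2 to 7 and the update of claims 10 and 11, sketched as an added Python example that is not part of the application: NFV information is checked, then split into a resource message for the forwarding plane and a configuration file for the virtual machine's resident program. The dictionary keys, SF type names, VM name and action strings are assumptions, and the sample NFV information is constructed.

```python
import ipaddress
import json

# Function indication fields per SF type, following claims 4-7.
# The key names are assumptions made for this example.
REQUIRED_FUNCTION_FIELDS = {
    "load_balancer": {"protocol", "pool_members", "algorithm"},
    "firewall": {"rules", "policy"},
    "vpn": {"ike_policy", "ipsec_policy", "ipsec_sites"},
    "web_protection": {"protection_policy", "protected_servers"},
}
# Resource indication fields: management IP, service subnet IP, routing info.
RESOURCE_FIELDS = ("mgmt_ip", "service_ip", "routes")


class NFVInfoError(ValueError):
    """NFV information that must not be passed on to the forwarding plane."""


def validate_resource(resource):
    """Check the resource indication information before it is used."""
    if not isinstance(resource, dict):
        raise NFVInfoError("resource indication must be a mapping")
    missing = [f for f in RESOURCE_FIELDS if f not in resource]
    if missing:
        raise NFVInfoError(f"resource indication missing {missing}")
    try:
        ipaddress.ip_address(resource["mgmt_ip"])
        ipaddress.ip_address(resource["service_ip"])
        for route in resource["routes"]:
            ipaddress.ip_network(route["dest"], strict=True)
            ipaddress.ip_address(route["next_hop"])
    except (ValueError, KeyError, TypeError) as exc:
        raise NFVInfoError(f"bad address or route: {exc}") from exc


def split_nfv_info(nfv):
    """Return (resource message for the forwarding plane,
    configuration file text for the VM's resident program)."""
    sf_type = nfv.get("sf_type")
    required = REQUIRED_FUNCTION_FIELDS.get(sf_type)
    if required is None:
        raise NFVInfoError(f"unknown SF type {sf_type!r}")
    vm = nfv.get("vm")
    if not isinstance(vm, str) or not vm:
        raise NFVInfoError("target virtual machine not named")
    resource = nfv.get("resource")
    function = nfv.get("function")
    validate_resource(resource)
    # Strict allowlist: no missing and no unexpected function fields.
    if not isinstance(function, dict) or set(function) != required:
        raise NFVInfoError(f"function indication must carry exactly {sorted(required)}")
    resource_msg = {"vm": vm, **{f: resource[f] for f in RESOURCE_FIELDS}}
    config_file = json.dumps({"sf_type": sf_type, **function},
                             sort_keys=True, indent=2)
    return resource_msg, config_file


def plan_update(old, new):
    """Claims 10-11: decide which side an update has to be sent to."""
    split_nfv_info(new)  # an update is validated like a first deployment
    actions = []
    if new["resource"] != old["resource"]:
        actions.append("forwarding_plane:update_resources")
    if new["function"] != old["function"]:
        actions.append("resident_program:update_sf")
    return actions


# Constructed sample for the load balancing case of claim 4
# (documentation address ranges, hypothetical VM name).
SAMPLE_NFV_INFO = {
    "vm": "vm-1",
    "sf_type": "load_balancer",
    "resource": {
        "mgmt_ip": "192.0.2.10",
        "service_ip": "198.51.100.10",
        "routes": [{"dest": "0.0.0.0/0", "next_hop": "198.51.100.1"}],
    },
    "function": {
        "protocol": "HTTP",
        "pool_members": ["198.51.100.21:80", "198.51.100.22:80"],
        "algorithm": "round_robin",
    },
}

if __name__ == "__main__":
    message, config = split_nfv_info(SAMPLE_NFV_INFO)
    print(message)
    print(config)
```

Rejecting malformed addresses and unexpected function fields before the split keeps a bad request from the application plane from being written into a firewall, VPN or load balancer configuration file.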
PCT/CN2016/079667 2015-08-28 2016-04-19 Service function deployment method and apparatus WO2016180181A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510543835.6A CN106487556B (en) 2015-08-28 2015-08-28 Service function SF deployment method and device
CN201510543835.6 2015-08-28

Publications (1)

Publication Number Publication Date
WO2016180181A1 (en) 2016-11-17

Family

ID=57247747

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/079667 WO2016180181A1 (en) 2015-08-28 2016-04-19 Service function deployment method and apparatus

Country Status (2)

Country Link
CN (1) CN106487556B (en)
WO (1) WO2016180181A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108574582A (en) * 2017-03-07 2018-09-25 中兴通讯股份有限公司 Fault detection method and device
CN109922002A (en) * 2017-12-13 2019-06-21 中国电信股份有限公司 Business datum retransmission method and Overlay system based on SFC
US10715353B2 (en) 2017-05-15 2020-07-14 Ciena Corporation Virtual local area network identifiers for service function chaining fault detection and isolation
US10740134B2 (en) 2018-08-20 2020-08-11 Interwise Ltd. Agentless personal network firewall in virtualized datacenters

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117243B (en) * 2017-06-23 2023-07-07 中兴通讯股份有限公司 Service deployment method, device, client device and computer readable storage medium
CN107332913B (en) * 2017-07-04 2020-03-27 电子科技大学 Optimized deployment method of service function chain in 5G mobile network
CN108200207A (en) * 2018-02-11 2018-06-22 中国联合网络通信集团有限公司 The method and system of cloud computing system security service, secure cloud management platform
CN108566308B (en) * 2018-04-28 2020-11-06 电子科技大学 Reliability enhancing method based on shared protection service function chain
CN109361675B (en) * 2018-10-30 2021-08-13 深信服科技股份有限公司 Information security protection method, system and related components
CN109842528B (en) * 2019-03-19 2020-10-27 西安交通大学 Service function chain deployment method based on SDN and NFV
CN112751768B (en) * 2019-10-29 2023-11-21 华为技术有限公司 Service message forwarding method and device and computer storage medium
CN112887330B (en) * 2021-02-26 2022-05-31 浪潮云信息技术股份公司 Device and method for realizing network ACL isolation floating IP

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104050045A (en) * 2014-06-27 2014-09-17 华为技术有限公司 Method and device for distributing virtual resources based on disk IO
CN104219127A (en) * 2014-08-30 2014-12-17 华为技术有限公司 Creation method and device of virtual network instance
KR101495069B1 (en) * 2012-12-14 2015-02-26 한국전자통신연구원 Method for virtual desktop service based on iov nic and apparatus thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104253866B (en) * 2014-09-20 2018-03-27 华为技术有限公司 Software deployment method, system and the relevant device of virtual network function network element

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108574582A (en) * 2017-03-07 2018-09-25 中兴通讯股份有限公司 Fault detection method and device
CN108574582B (en) * 2017-03-07 2022-05-13 中兴通讯股份有限公司 Fault detection method and device
US10715353B2 (en) 2017-05-15 2020-07-14 Ciena Corporation Virtual local area network identifiers for service function chaining fault detection and isolation
CN109922002A (en) * 2017-12-13 2019-06-21 中国电信股份有限公司 Business datum retransmission method and Overlay system based on SFC
US10740134B2 (en) 2018-08-20 2020-08-11 Interwise Ltd. Agentless personal network firewall in virtualized datacenters
US11526373B2 (en) 2018-08-20 2022-12-13 Interwise Ltd. Agentless personal network firewall in virtualized datacenters

Also Published As

Publication number Publication date
CN106487556A (en) 2017-03-08
CN106487556B (en) 2020-05-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16792031; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16792031; Country of ref document: EP; Kind code of ref document: A1)