WO2017071624A1 - Firewall cluster - Google Patents

Firewall cluster

Info

Publication number: WO2017071624A1
Authority: WO (WIPO, PCT)
Prior art keywords: vfw, service flow, flow, vfw node, node
Application number: PCT/CN2016/103665
Other languages: English (en), French (fr)
Inventors: 谢东, 管树发
Original assignee: 新华三技术有限公司
Application filed by 新华三技术有限公司
Priority to EP16859059.4A (EP3358807B1)
Priority to JP2018521874A (JP6619096B2)
Priority to US15/768,454 (US10715490B2)
Publication of WO2017071624A1

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication (parent of all classes below)
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication > H04L 65/40 Support for services or applications
    • H04L 65/00 > H04L 65/80 Responding to QoS
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls
    • H04L 63/02 > H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 12/00 Data switching networks > H04L 12/28 Characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1001 Accessing one among a plurality of replicated servers

Definitions

  • SDN: Software Defined Network.
  • OpenFlow: the flow-table protocol through which an SDN controller delivers forwarding entries to the network devices.
  • In SDN, the SDN controller implements network topology collection, route calculation, flow table generation and delivery, and network management and control functions, while the network-layer devices are responsible for traffic forwarding and policy enforcement.
  • NFV: Network Functions Virtualization, an architecture defined by the ETSI (European Telecommunication Standards Institute) ISG (Industry Specification Group) on the basis of cloud computing and virtualization technology.
  • COTS: commercial off-the-shelf. Through virtualization technology, common COTS computing, storage and network hardware devices can be decomposed into multiple virtual resources for use by various upper-layer applications; at the same time, virtualization decouples the application from the hardware, so that the speed at which resources are supplied is greatly improved.
  • Firewall stacking technology logically forms one firewall device by stacking multiple physical firewall devices.
  • FIG. 1 is a flowchart of a method for implementing a firewall cluster according to an embodiment of the present application
  • FIG. 2 is a flowchart of a method for deploying a firewall cluster according to an embodiment of the present application
  • FIG. 3 is a schematic diagram of a firewall cluster provided by an embodiment of the present application.
  • FIG. 4 is a flowchart of a method for forwarding a service flow packet from an internal network to an external network when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure
  • FIG. 5 is a flowchart of a method for forwarding a service flow packet from an external network to an internal network when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure
  • FIG. 6 is a flowchart of a method for forwarding a service flow packet from an internal network to an external network when a firewall having a NAT service and a VPN service is provided according to an embodiment of the present disclosure
  • FIG. 7 is a flowchart of a method for forwarding a service flow packet from an external network to an internal network when a firewall having a NAT service and a VPN service is implemented according to an embodiment of the present disclosure
  • FIG. 8 is a flowchart of a method for expanding a firewall cluster when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure
  • FIG. 9 is a flowchart of a method for shrinking a firewall cluster when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure
  • FIG. 10 is a schematic structural diagram of a device for implementing a firewall cluster according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of hardware of an SDN controller according to an embodiment of the present application.
  • FIG. 1 is a flowchart of a method for implementing a firewall cluster according to an embodiment of the present application. As shown in Figure 1, the method steps are as follows:
  • Step 101 The SDN controller monitors the load of each virtual firewall (vFW, Virtual FireWall) node in the firewall cluster in real time.
  • Step 102 Create a new vFW node when the SDN controller detects that the load of one or more vFW nodes is higher than a preset first threshold.
  • Step 103 The SDN controller selects a first service flow to be migrated from the service flows that pass through the monitored vFW nodes, updates the first flow entry corresponding to the first service flow, and sends the updated first flow entry to the switch; the updated first flow entry instructs the switch to send the received first service flow to the new vFW node.
  • before the updating of the first flow entry corresponding to the first service flow, the method further includes: the SDN controller sends the identifier of the first service flow and the identifier of the new vFW node to the monitored vFW nodes; the SDN controller receives the first notification message, which the vFW node through which the first service flow passes sends after synchronizing the session information corresponding to the first service flow to the new vFW node.
  • the updating of the first flow entry corresponding to the first service flow includes: changing the next hop in the first flow entry to the new vFW node.
  • the method further includes: when the SDN controller detects that the load of one or more vFW nodes is lower than a preset second threshold, it selects a vFW node to be exited from the vFW nodes whose load is lower than the second threshold;
  • the SDN controller determines the second service flow that flows through the vFW node to be exited as the service flow to be migrated, and determines the destination vFW node to which the second service flow migrates;
  • the SDN controller updates the second flow entry corresponding to the second service flow, and sends the updated second flow entry to the switch, where the updated second flow entry instructs the switch to send the received second service flow to the destination vFW node.
  • before the updating of the second flow entry corresponding to the second service flow, the method further includes:
  • the SDN controller sends the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited;
  • the SDN controller receives the second notification message, which the vFW node to be exited sends after synchronizing the session information corresponding to the second service flow to the destination vFW node.
  • the updating of the second flow entry corresponding to the second service flow includes: changing the next hop in the second flow entry to the destination vFW node.
  • when each vFW node in the firewall cluster has neither a network address translation (NAT) service nor a virtual private network (VPN) service function, the method further includes:
  • when receiving the service flow packet sent by the switch, the SDN controller selects a vFW node from the vFW nodes by using a HASH algorithm and notifies the switch, so that the switch forwards the service flow packet to the selected vFW node.
  • when each vFW node in the firewall cluster has NAT service and VPN service functions, the method further includes:
  • the SDN controller allocates NAT addresses from the NAT address pool to each vFW node;
  • when receiving the service flow packet sent by the switch, the SDN controller parses the VPN packet from the service flow packet, searches for the corresponding vFW node according to the destination address of the VPN packet, where the destination address is a NAT address, generates a flow entry and sends it to the switch; the generated flow entry instructs the switch to forward the VPN packet to the vFW node that was found.
  • FIG. 2 is a flowchart of a method for deploying a firewall cluster according to an embodiment of the present application. As shown in Figure 2, the method steps are as follows:
  • Step 201 Deploy an SDN controller (SDN Controller) in the network where the firewall cluster is located, and the SDN Controller enables the flow manager (Flow Manager) and the NFV Manager (NFV Manager) function.
  • Step 202 The NFV Manager uses the NFV technology to create multiple vFW nodes according to the performance of the configured firewall cluster.
  • the uplink port and the downlink port of each vFW node are bound to the switch, so that each vFW node is an equivalent next hop of the switch, and the switch enables the SDN network device function.
  • the functions of the SDN network device include the OpenFlow forwarding function.
  • the number of vFW nodes is determined according to the performance of the firewall cluster.
  • FIG. 3 is a schematic diagram of a firewall cluster according to an embodiment of the present application.
  • the firewall cluster includes: an SDN controller, n vFW nodes, and a switch, where n is a positive integer.
  • the switch connects the internal network and the external network, and each vFW node is an equivalent next hop of the switch.
  • the SDN Controller enables the flow manager and NFV manager functions.
  • the firewalls in the firewall cluster can be divided into two categories:
  • the first type is a firewall with no NAT service and no VPN service. Such a firewall mainly handles services such as attack prevention and inter-domain policies, and the switch can forward the bidirectional packets of the same flow to the same vFW node.
  • the second category is a firewall with a NAT service and a VPN service. For such a firewall, the NAT service and the VPN service need to be divided among the vFW nodes.
  • FIG. 4 is a flowchart of a method for forwarding a service flow packet from an internal network to an external network when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure. As shown in Figure 4, the method steps are as follows:
  • Step 400 Each vFW node in the firewall cluster advertises its own uplink and downlink routes to the switch through Equal-Cost Multi-Path Routing (ECMP) technology, so that the switch receives the routes of all vFW nodes and each vFW node becomes an equivalent next hop in the uplink and downlink directions of the switch; the information about these equivalent next hops is sent to the SDN Controller.
  • the service flow is first sent to the firewall cluster, in which each vFW node is an equivalent next hop in the uplink and downlink directions of the switch.
  • Step 401 The switch receives the service flow packet from the intranet.
  • the source IP address of the service flow packet is IP_A
  • the destination IP address is IP_B.
  • the switch searches for the corresponding flow entry according to the destination IP address of the service flow packet. If no entry is found, the service flow packet is encapsulated into a Packet-In message and sent to the SDN Controller.
  • the source address of the Packet-In message is the address of the switch, and the destination address is the address of the SDN Controller.
  • Step 402 The SDN controller receives the Packet-In message and finds that its source address is the address of the switch. According to its own record that each vFW node of the firewall cluster is an equivalent next hop in the uplink and downlink directions of the switch, the SDN controller confirms that the switch has equivalent next hops, parses the original service flow packet from the Packet-In message, and performs the HASH operation over IP_A, IP_B and the number of vFW nodes in the firewall cluster according to the preset HASH algorithm.
  • the result is mapped to one vFW node in the firewall cluster, that vFW node is used as the next hop for forwarding the service flow packet, a flow entry is generated for the service flow packet, and the flow entry is encapsulated into a Packet-Out message and sent to the switch.
  • IP_A and IP_B are entered into the HASH algorithm in a fixed order.
  • the content of the flow entry includes: the destination IP address of the service flow packet (that is, IP_B) and the next hop information.
  • Step 403 The switch receives the Packet-Out message, parses and saves the flow entry sent by the SDN controller, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
  • Step 404 The vFW node receives the service flow packet, performs firewall service processing on it, generates the session information corresponding to the service flow packet, and, if the service flow packet is not filtered, sends the service flow packet back to the switch.
  • the session information includes: the source IP address, source port number, destination IP address, destination port number, protocol number, and status of the service flow packet.
  • Step 405 The switch receives the service flow packet sent by the vFW node, and forwards the service flow packet to the external network.
  • FIG. 5 is a flowchart of a method for forwarding a service flow packet from an external network to an internal network when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure. As shown in Figure 5, the method steps are as follows:
  • Step 500 Each vFW node in the firewall cluster advertises its own uplink and downlink routes to the switch through ECMP technology; the switch receives the routes of all vFW nodes, each vFW node becomes an equivalent next hop in the uplink and downlink directions of the switch, and the information about these equivalent next hops is sent to the SDN Controller.
  • Step 501 The switch receives the service flow packet from the external network.
  • the source IP address of the service flow packet is IP_B
  • the destination IP address is IP_A.
  • the switch searches for the corresponding flow entry according to the destination IP address of the service flow packet. If no entry is found, the service flow packet is encapsulated into a Packet-In message and sent to the SDN Controller.
  • Step 502 The SDN controller receives the Packet-In message and finds that its source address is the address of the switch. According to its own record that each vFW node of the firewall cluster is an equivalent next hop in the uplink and downlink directions of the switch, the SDN controller confirms that the switch has equivalent next hops, parses the original service flow packet from the Packet-In message, and performs the HASH operation over IP_A, IP_B and the number of vFW nodes in the firewall cluster according to the preset HASH algorithm.
  • the HASH operation result is mapped to one vFW node in the firewall cluster, that vFW node is used as the next hop for forwarding the service flow packet, a flow entry is generated for the service flow packet, and the flow entry is encapsulated into a Packet-Out message and sent to the switch.
  • IP_A and IP_B are entered into the HASH algorithm in a fixed order.
  • the HASH operation in Step 502 is the same as the HASH operation in Step 402, so the two steps produce the same result, which ensures that the forward and reverse packets of the same service flow are forwarded to the same vFW node.
  • Step 503 The switch receives the Packet-Out message, parses and saves the flow entry sent by the SDN controller, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
  • Step 504 The vFW node receives the service flow packet, performs firewall service processing on it, generates the session information corresponding to the service flow packet, and, if the service flow packet is not filtered, sends the service flow packet back to the switch.
  • Step 505 The switch receives the service flow packet sent by the vFW node, and forwards the service flow packet to the intranet.
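The following Python model is an added example, not code from the patent or its applicant. It walks through Steps 401-403 and 501-503: the switch misses on the destination IP, the controller hashes IP_A and IP_B in a fixed order together with the vFW node count, and both directions of the flow end up on the same vFW node. The node names, addresses, and the choice of SHA-256 over the numerically sorted address pair as the "preset HASH algorithm" are assumptions; the unordered variant is included only to show what goes wrong without the fixed order.

```python
import hashlib
import ipaddress


def select_vfw(ip_a: str, ip_b: str, node_count: int) -> int:
    """Preset HASH algorithm (assumption): map (IP_A, IP_B, node count) to a vFW index.

    The two addresses are entered in a fixed order (numerically sorted), so the
    forward packet IP_A->IP_B and the reverse packet IP_B->IP_A hash identically
    and the switch sends both to the vFW node that holds the session.
    """
    if node_count < 1:
        raise ValueError("firewall cluster has no vFW nodes")
    first, second = sorted((ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)))
    # hashlib rather than hash(): str hashes are salted per interpreter process,
    # and the controller must compute the same mapping after a restart.
    digest = hashlib.sha256(first.packed + second.packed).digest()
    return int.from_bytes(digest[:8], "big") % node_count


def select_vfw_unordered(src: str, dst: str, node_count: int) -> int:
    """Same hash without the fixed ordering, kept only to show why the order matters."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % node_count


class SdnController:
    """Flow Manager side of Steps 402/502 (constructed model)."""

    def __init__(self, switch_addr: str, vfw_nodes: list):
        self.switch_addr = switch_addr
        self.vfw_nodes = vfw_nodes      # recorded equivalent next hops of the switch

    def handle_packet_in(self, packet_in: dict) -> dict:
        if packet_in["source"] != self.switch_addr:
            raise ValueError("Packet-In from a switch with no recorded next hops")
        pkt = packet_in["payload"]
        idx = select_vfw(pkt["src"], pkt["dst"], len(self.vfw_nodes))
        # Flow entry content as described: destination IP plus next hop.
        entry = {"match_dst": pkt["dst"], "next_hop": self.vfw_nodes[idx]}
        return {"type": "Packet-Out", "flow_entry": entry, "payload": pkt}


class Switch:
    """Steps 401/403 and 501/503: look up by destination IP, else ask the controller."""

    def __init__(self, addr: str, controller: SdnController):
        self.addr = addr
        self.controller = controller
        self.flow_table: dict = {}   # destination IP -> next-hop vFW node

    def forward(self, pkt: dict) -> str:
        next_hop = self.flow_table.get(pkt["dst"])
        if next_hop is None:
            out = self.controller.handle_packet_in({"source": self.addr, "payload": pkt})
            entry = out["flow_entry"]
            self.flow_table[entry["match_dst"]] = entry["next_hop"]
            next_hop = entry["next_hop"]
        return next_hop


def demo_bidirectional(ip_a="10.0.0.10", ip_b="203.0.113.5", node_count=4):
    """Constructed run: one intranet packet and its reply. Returns both next hops."""
    nodes = [f"vFW{i}" for i in range(1, node_count + 1)]
    sw = Switch("192.0.2.1", SdnController("192.0.2.1", nodes))
    outbound = sw.forward({"src": ip_a, "dst": ip_b})    # Figure 4, Step 401
    inbound = sw.forward({"src": ip_b, "dst": ip_a})     # Figure 5, Step 501
    return outbound, inbound


def asymmetric_pairs(pairs, node_count: int) -> int:
    """Count (src, dst) pairs that an unordered hash would split across two vFW nodes."""
    return sum(select_vfw_unordered(a, b, node_count) != select_vfw_unordered(b, a, node_count)
               for a, b in pairs)
```

Note that the switch's flow entry is keyed on destination IP only, so the reply direction always triggers its own Packet-In; the fixed-order hash is what makes that second lookup land on the same node.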
  • FIG. 6 is a flowchart of a method for forwarding a service flow packet from an internal network to an external network when a firewall having a NAT service and a VPN service is implemented according to an embodiment of the present disclosure. As shown in Figure 6, the method steps are as follows:
  • Step 600 Establish a VPN tunnel between the vFW node in the firewall cluster and the external network partner corresponding to the vFW node.
  • a partner refers to a VPN peer in the external network.
  • each vFW node can establish VPN tunnels with one or more partners.
  • the higher the performance of a vFW node, the more VPN tunnels it can establish.
  • a partner can only establish a VPN tunnel with one vFW node.
  • Step 601 Configure a NAT address pool on the SDN Controller in advance.
  • the NFV Manager of the SDN Controller divides and allocates the NAT address pool resources to each vFW node in the firewall cluster, and sends the allocated NAT address pool resources to the corresponding vFW node.
  • Policy-Based Routing (PBR) is then configured based on the NAT address pool resources assigned to each vFW node.
  • the NAT address pool resources can be divided and allocated according to the performance of each vFW node. The higher the performance of the vFW node, the more NAT addresses are allocated in the NAT address pool.
  • the PBR includes a NAT address and next hop information corresponding to the NAT address, where the next hop corresponding to the NAT address is the vFW node to which the NAT address is assigned.
  • Step 602 The switch receives the service flow packet sent by the internal network.
  • the source IP address of the service flow packet is IP_A
  • the destination IP address is IP_NAT_B.
  • the switch searches for the corresponding flow entry according to the destination IP address of the packet. If no entry is found, the service flow packet is encapsulated into a Packet-In message and sent to the SDN Controller.
  • IP_NAT_B is the address obtained after NAT is applied to IP_B.
  • Step 603 The Flow Manager of the SDN Controller receives the Packet-In message, parses the original service flow packet from it, queries the NFV Manager for the next hop corresponding to the destination IP address IP_NAT_B of the service flow packet, generates a flow entry for the service flow packet, encapsulates the flow entry into a Packet-Out message and sends it to the switch.
  • the NFV Manager finds the next hop corresponding to IP_NAT_B in the PBR it configured, and that next hop points to a vFW node.
  • Step 604 The switch receives the Packet-Out message, parses and saves the flow entry from it, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
  • Step 605 The vFW node receives the service flow packet, performs NAT processing on the packet according to its own NAT address pool, and performs firewall processing on the service flow packet. If the service flow packet is not filtered, the vFW node encapsulates it in the VPN tunnel and sends the encapsulated service flow packet back to the switch.
  • Step 606 The switch receives the service flow packet sent by the vFW node, and forwards the service flow packet to the external network.
  • FIG. 7 is a flowchart of a method for forwarding a service flow packet from an external network to an internal network when a firewall having a NAT service and a VPN service is implemented according to an embodiment of the present disclosure. As shown in Figure 7, the method steps are as follows:
  • Step 700 Establish a VPN tunnel between the vFW node in the firewall cluster and the external network partner corresponding to the vFW node.
  • a partner refers to a VPN peer in the external network.
  • each vFW node can establish VPN tunnels with one or more partners.
  • the higher the performance of a vFW node, the more VPN tunnels it can establish.
  • a partner can only establish a VPN tunnel with one vFW node.
  • Step 701 Configure a NAT address pool on the SDN Controller in advance.
  • the NFV Manager of the SDN Controller divides and allocates the NAT address pool resources to each vFW node in the firewall cluster, and sends the allocated NAT address pool resources to the corresponding vFW node.
  • Configure PBR based on the NAT address pool resources allocated to each vFW node.
  • the NAT address pool resources can be divided and allocated according to the performance of each vFW node. The higher the performance of the vFW node, the more NAT addresses are allocated in the NAT address pool.
  • the PBR includes a NAT address and next hop information corresponding to the NAT address, where the next hop corresponding to the NAT address is the vFW node to which the NAT address is assigned.
  • Step 702 A partner in the external network sends a service flow packet to the intranet; the source IP address of the service flow packet is IP_B and the destination IP address is IP_NAT_A. The service flow packet reaches the VPN gateway of the external network, which encapsulates it in the VPN tunnel; the service flow packet encapsulated in the VPN tunnel (referred to as the VPN packet) then arrives at the switch. The switch searches for the corresponding flow entry according to the destination IP address of the VPN packet; if no entry is found, the VPN packet is encapsulated into a Packet-In message and sent to the SDN Controller.
  • IP_NAT_A is a NAT address, that is, the IP address obtained from IP_A after NAT.
  • Step 703 The Flow Manager of the SDN Controller receives the Packet-In message, parses the VPN packet from it, queries the NFV Manager for the next hop corresponding to the destination IP address IP_NAT_A of the VPN packet, generates a flow entry, encapsulates the flow entry into a Packet-Out message and sends it to the switch.
  • Step 704 The switch receives the Packet-Out message, parses and saves the flow entry from it, and sends the VPN packet to the vFW node corresponding to the next hop in the flow entry.
  • Step 705 The vFW node receives the VPN packet, decapsulates the VPN tunnel to obtain the original service flow packet, performs NAT processing on the original service flow packet, and performs firewall processing on it. If the service flow packet is not filtered, it is sent back to the switch.
  • Step 706 The switch receives the service flow packet, and forwards the service flow packet to the intranet.
  • FIG. 8 is a flowchart of a method for expanding a firewall cluster when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure. As shown in Figure 8, the method steps are as follows:
  • Step 801 The NFV Manager of the SDN Controller monitors the load of each vFW node in the firewall cluster in real time.
  • the NFV Manager of the SDN Controller can monitor the load of the vFW node by monitoring one or any combination of the CPU, memory, bandwidth, and number of connections of the vFW node.
  • Step 802 When the NFV Manager of the SDN Controller detects that the load of one or more vFW nodes is higher than a preset first threshold, the NFV technology is used to create a new vFW node, and the new vFW node is added to the firewall cluster.
  • Step 803 The Flow Manager of the SDN Controller determines, according to the preset service flow migration rule, the service flow that needs to be migrated from the monitored vFW nodes in the firewall cluster to the new vFW node (referred to as the first service flow), and notifies all monitored vFW nodes of the identifier of the first service flow (for example, source IP address + destination IP address) and the identifier of the new vFW node.
  • the service flow to be migrated may be selected among the service flows on the monitored vFW nodes according to the preset HASH algorithm.
  • Step 804 The vFW node through which the first service flow passes synchronizes the session information of the first service flow to the new vFW node according to the identifier of the first service flow sent by the SDN Controller, and after the synchronization is complete sends a session synchronization completion notification message (referred to as the first notification message) to the SDN Controller.
  • Step 805 The Flow Manager of the SDN Controller receives the first notification message sent by the vFW node through which the first service flow passes, updates the flow entry of the first service flow, and sends the updated flow entry to the switch.
  • updating the flow entry of the first service flow means changing the next hop of that flow entry to the new vFW node.
  • the switch can then send the first service flow to the new vFW node.
  • FIG. 9 is a flowchart of a firewall cluster shrinking method when a firewall with no NAT service and no VPN service is provided according to an embodiment of the present disclosure. As shown in Figure 9, the method steps are as follows:
  • Step 901 The NFV Manager of the SDN Controller monitors the load of each vFW node in the firewall cluster in real time.
  • the NFV Manager of the SDN Controller can monitor the load of the vFW node by monitoring one or any combination of the CPU, memory, bandwidth, and number of connections of the vFW node.
  • Step 902 When the NFV Manager of the SDN Controller detects that the load of one or more vFW nodes is lower than the preset second threshold, it selects one vFW node from the vFW nodes whose load is lower than the second threshold as the vFW node to be exited.
  • the vFW node with the lowest load is selected as the vFW node to be exited.
  • Step 903 The Flow Manager of the SDN Controller determines that the service flow of the vFW node to be exited (referred to as the second service flow) is to be migrated to another vFW node in the firewall cluster (the destination vFW node), and sends the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited.
  • the destination vFW node may be determined according to a preset HASH algorithm, and is selected among the remaining vFW nodes other than the vFW node to be exited.
  • Step 904 The vFW node to be exited synchronizes the session information of the second service flow to the destination vFW node according to the identifier of the second service flow and the identifier of the destination vFW node sent by the SDN Controller, and after the synchronization is complete sends a session synchronization completion notification message (referred to as the second notification message) to the SDN Controller.
  • Step 905 The Flow Manager of the SDN Controller receives the second notification message sent by the vFW node to be exited, updates the flow entry of the second service flow, and sends the updated flow entry to the switch.
  • updating the flow entry of the second service flow means changing the next hop of that flow entry to the destination vFW node.
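The following is an added example, not code from the patent or its applicant: a Python model of the expansion procedure of Figure 8 and the shrink procedure of Figure 9, built around the ordering both procedures share, namely that the switch's flow entry is re-pointed only after the source vFW node has reported session synchronization complete. The threshold values, node names, the SHA-256 flow hash and the rule that the flows to migrate are those whose hash lands on the new slot are all assumptions.

```python
import hashlib

FIRST_THRESHOLD = 0.8    # constructed: a node above this load triggers expansion
SECOND_THRESHOLD = 0.2   # constructed: a node below this load may be exited


def flow_hash(flow_id: str, node_count: int) -> int:
    """Preset HASH algorithm (assumption): SHA-256 of the flow identifier mod node count."""
    digest = hashlib.sha256(flow_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % node_count


class VfwNode:
    def __init__(self, name: str, load: float = 0.0):
        self.name = name
        self.load = load                      # as measured by the NFV Manager (not modelled)
        self.sessions: dict = {}              # flow id -> session information

    def sync_sessions(self, flow_ids, target: "VfwNode") -> dict:
        """Steps 804/904: copy session state for the listed flows, then report completion."""
        for fid in flow_ids:
            if fid in self.sessions:
                target.sessions[fid] = dict(self.sessions[fid])
        return {"type": "sync_complete", "node": self.name, "flows": list(flow_ids)}


class SdnController:
    """Constructed model of the NFV Manager and Flow Manager of Figures 8 and 9."""

    def __init__(self, nodes):
        self.nodes = list(nodes)              # list index doubles as the hash slot
        self.flow_table: dict = {}            # flow id -> next-hop vFW name (the switch's view)

    def node_by_name(self, name: str) -> VfwNode:
        return next(n for n in self.nodes if n.name == name)

    def admit(self, flow_id: str, session: dict) -> str:
        """A new flow: hash to a slot, create the session there, install the flow entry."""
        node = self.nodes[flow_hash(flow_id, len(self.nodes))]
        node.sessions[flow_id] = session
        self.flow_table[flow_id] = node.name
        return node.name

    def _migrate(self, flow_ids, source: VfwNode, dest: VfwNode) -> None:
        """Re-point the switch only after the source reports that session sync is done;
        otherwise in-flight packets reach a node that has no state for them."""
        if not flow_ids:
            return
        notice = source.sync_sessions(flow_ids, dest)        # Steps 803/903 -> 804/904
        if notice["type"] != "sync_complete":
            raise RuntimeError("session synchronization did not complete")
        for fid in notice["flows"]:
            self.flow_table[fid] = dest.name                   # Steps 805/905

    def scale_out(self):
        """Figure 8: add a node when any monitored node exceeds the first threshold."""
        overloaded = [n for n in self.nodes if n.load > FIRST_THRESHOLD]
        if not overloaded:
            return None
        new = VfwNode(f"vFW{len(self.nodes) + 1}")
        self.nodes.append(new)
        n = len(self.nodes)
        for node in overloaded:
            # Migration rule (assumption): flows on an overloaded node whose hash under
            # the new node count lands on the new slot move to the new node.
            moving = [f for f, hop in self.flow_table.items()
                      if hop == node.name and flow_hash(f, n) == n - 1]
            self._migrate(moving, node, new)
        return new.name

    def scale_in(self):
        """Figure 9: exit the least-loaded node below the second threshold."""
        candidates = [n for n in self.nodes if n.load < SECOND_THRESHOLD]
        if not candidates or len(self.nodes) < 2:
            return None
        leaving = min(candidates, key=lambda n: n.load)
        remaining = [n for n in self.nodes if n is not leaving]
        by_dest: dict = {}
        for fid, hop in self.flow_table.items():
            if hop == leaving.name:
                dest = remaining[flow_hash(fid, len(remaining))]   # hash over remaining nodes
                by_dest.setdefault(dest.name, []).append(fid)
        for dest_name, fids in by_dest.items():
            self._migrate(fids, leaving, self.node_by_name(dest_name))
        self.nodes = remaining
        return leaving.name


def build_demo() -> SdnController:
    """Constructed cluster: three nodes, vFW1 overloaded, vFW3 nearly idle, eight flows."""
    ctl = SdnController([VfwNode("vFW1", 0.9), VfwNode("vFW2", 0.5), VfwNode("vFW3", 0.1)])
    for i in range(1, 9):
        fid = f"10.0.0.{i}->203.0.113.{i}"
        ctl.admit(fid, {"proto": 6, "sport": 40000 + i, "dport": 443, "state": "ESTABLISHED"})
    return ctl
```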
  • in the above embodiments, NFV technology is used to create the vFW nodes, thereby realizing automatic deployment of the firewall cluster.
  • the uplink and downlink interfaces of each vFW node are bound to the SDN network device, so that each vFW node acts as an equivalent next hop in the uplink and downlink directions of the SDN network device and the SDN network device can forward uplink and downlink packets uniformly to the vFW nodes.
  • the SDN controller monitors the load of each vFW node in the firewall cluster in real time; when it detects that the load of one or more vFW nodes is higher than a preset first threshold, it creates a new vFW node, joins it to the firewall cluster, selects the first service flow to be migrated from the service flows of all monitored vFW nodes, and migrates the first service flow to the new vFW node, thereby realizing automatic expansion of the firewall cluster.
  • when the load of one or more vFW nodes is lower than a preset second threshold, a vFW node is selected to exit the firewall cluster, thereby realizing automatic shrinkage of the firewall cluster.
  • FIG. 10 is a schematic structural diagram of a device for implementing a firewall cluster according to an embodiment of the present disclosure.
  • the device is located on the SDN Controller, and the SDN Controller and the one or more vFW nodes and the switch together form a firewall cluster, and each vFW node is an equivalent next hop of the switch.
  • the device mainly includes: an NFV management module 1001 and a flow management module 1002, wherein:
  • the NFV management module 1001 is configured to monitor the load of each vFW node in the firewall cluster in real time, and create a new vFW node when detecting that the load of one or more vFW nodes is higher than a preset first threshold.
  • the flow management module 1002 is configured to: after the NFV management module 1001 creates a new vFW node, select a first service flow to be migrated from the service flows of all the monitored vFW nodes, and update the first flow table corresponding to the first service flow. And sending, to the switch, the updated first flow entry, the updated first flow entry instructing the switch to send the received first service flow to the new vFW node.
  • the flow management module 1002 before the flow management module 1002 updates the first flow entry corresponding to the first service flow, the flow management module 1002 is further configured to:
  • the NFV management module 1001 is further configured to: when detecting that the load of one or more vFW nodes is lower than a preset second threshold, select from the vFW nodes that are lower than a preset second threshold. The vFW node to be exited;
  • the flow management module 1002 is further configured to: after the NFV management module 1001 selects the vFW node to be exited, determine the second service flow on the vFW node to be exited as the service flow to be migrated, and determine the first The destination vFW node of the second service flow migration; the second flow entry corresponding to the second service flow is updated, and the updated second flow entry is sent to the switch, and the updated second flow entry And configured to instruct the switch to send the received second service flow to the destination vFW node.
  • the flow management module 1002 before the flow management module 1002 updates the second flow entry corresponding to the second service flow, the flow management module 1002 is further configured to:
  • the vFW node that is to be queried synchronizes the session information corresponding to the second service flow to the destination vFW node and sends the session information.
  • the flow management module 1002 when the flow management module 1002 updates the second flow entry corresponding to the second service flow, the flow management module 1002 is configured to:
  • the flow management module 1002 when each vFW node in the firewall cluster does not have the NAT service and the VPN service function, the flow management module 1002 is further used,
  • the NFV management module 1001 is further configured to allocate a NAT address in the NAT address pool to each vFW node;
  • the flow management module 1002 is further configured to: when receiving the service flow message sent by the switch, parsing the VPN message from the service flow message, according to the VPN message
  • the destination address is a corresponding vFW node, and the destination address is a NAT address, and a corresponding flow entry is generated and sent to the switch, where the generated flow entry indicates that the switch forwards the VPN packet to the The vFW node found.
  • FIG. 11 is a schematic structural diagram of hardware of an SDN controller according to an embodiment of the present application.
  • the SDN controller together with one or more vFW nodes and switches form a firewall cluster, and each vFW node is an equivalent next hop of the switch.
  • the SDN controller includes a processor 1101, a nonvolatile memory 1102, a network interface 1103, and an internal bus 1104.
  • the non-volatile memory 1102 can be a non-transitory machine-readable storage medium.
  • a non-volatile memory 1102 is configured to store logic instructions that implement a firewall cluster, the logic instructions being machine readable instructions that are executable by the processor 1101.
  • the processor 1101 is configured to execute the machine readable instructions to implement the following operations:
  • the load of each vFW node in the firewall cluster is monitored in real time, and when a load of one or more vFW nodes is detected to be higher than a preset first threshold, a new vFW node is created;
  • the updated first flow entry indicates that the switch sends the received first service flow to the new vFW node.
  • the processor 1101 executes the machine readable instruction to implement the following operations:
  • the first notification message is a vFW node through which the first service flow flows And synchronizing the session information corresponding to the first service flow to the new vFW node.
  • the processor 1101 executes the machine readable instructions to implement the following operations:
  • the processor 1101 when detecting that the load of one or more vFW nodes is lower than a preset second threshold, the processor 1101 executes the machine readable instructions to implement the following operations:
  • the processor 1101 executes the machine readable instruction to implement the following operations:
  • the vFW node that is to be queried synchronizes the session information corresponding to the second service flow to the destination vFW node and sends the session information.
  • the processor 1101 executes the machine readable instruction to implement the following operations:
  • each vFW node does not have a NAT service and a VPN service.
  • the processor 1101 executes the machine readable instructions to:
  • the processor 1101 executes the machine readable instructions to implement the following operations:
  • the VPN message When receiving the service flow packet sent by the switch, the VPN message is parsed from the service flow packet, and the corresponding vFW node is searched according to the destination address of the VPN packet, and the destination address is a NAT address. And generating a corresponding flow entry to the switch, where the generated flow entry instructs the switch to forward the VPN packet to the found vFW node.
  • the network interface 1103 is used to connect other hardware devices, such as a switch.
  • the internal bus 1104 is used to connect the processor 1101, the non-volatile memory 1102, and the network interface 1103.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An SDN controller monitors the load of each vFW node in a firewall cluster in real time. When the SDN controller detects that the load of one or more vFW nodes is higher than a preset first threshold, it creates a new vFW node. The SDN controller selects a first service flow to be migrated from the service flows of all monitored vFW nodes, updates the first flow entry corresponding to the first service flow, and sends the updated first flow entry to the switch. The updated first flow entry instructs the switch to send the received first service flow to the new vFW node.

Description

Firewall Cluster
Background
Software Defined Networking (SDN) is a network architecture whose core technology, OpenFlow, separates the control plane of network devices from the data plane so that network traffic can be controlled flexibly.
The SDN controller collects the network topology, computes routes, generates and delivers flow tables, and manages and controls the network; the network-layer devices forward traffic and enforce policy.
Network Functions Virtualization (NFV) is an Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI). In the NFV approach, network elements become independent applications that can be deployed flexibly on platforms built from standards-based servers, storage and switches.
NFV is built on cloud computing and virtualization: commercial off-the-shelf (COTS) compute, storage and network hardware is decomposed by virtualization into virtual resources for use by upper-layer applications. Virtualization also decouples applications from hardware, so resources can be provisioned much faster.
Firewall stacking combines multiple physical firewall devices by stacking technology so that they logically form a single firewall device.
Brief Description of the Drawings
FIG. 1 is a flowchart of a firewall cluster implementation method provided by an embodiment of the present application;
FIG. 2 is a flowchart of a method for deploying a firewall cluster provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a firewall cluster provided by an embodiment of the present application;
FIG. 4 is a flowchart of a method for forwarding service flow packets from the intranet to the extranet when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application;
FIG. 5 is a flowchart of a method for forwarding service flow packets from the extranet to the intranet when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application;
FIG. 6 is a flowchart of a method for forwarding service flow packets from the intranet to the extranet when the firewall provides NAT service and VPN service, provided by an embodiment of the present application;
FIG. 7 is a flowchart of a method for forwarding service flow packets from the extranet to the intranet when the firewall provides NAT service and VPN service, provided by an embodiment of the present application;
FIG. 8 is a flowchart of a firewall cluster scale-out method when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application;
FIG. 9 is a flowchart of a firewall cluster scale-in method when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of the composition of a firewall cluster implementation apparatus provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of the hardware composition of an SDN controller provided by an embodiment of the present application.
Detailed Description
When multiple physical firewall devices are stacked to build a logical firewall device, the number of physical firewall devices and the equipment-room space to house them must be planned in advance. Moreover, adding or removing a stack member requires changing the stack port configuration, for example adding or deleting stack port configuration.
Embodiments of the present application are described below with reference to the drawings.
FIG. 1 is a flowchart of a firewall cluster implementation method provided by an embodiment of the present application. As shown in FIG. 1, the method includes the following steps:
Step 101: The SDN controller monitors in real time the load of each virtual firewall (vFW) node in the firewall cluster, where the firewall cluster includes the SDN controller, one or more vFW nodes and a switch, and each vFW node is an equal-cost next hop of the switch.
Step 102: When the SDN controller detects that the load of one or more vFW nodes is higher than a preset first threshold, it creates a new vFW node.
Step 103: The SDN controller selects a first service flow to be migrated from the service flows passing through the monitored vFW nodes, updates the first flow entry corresponding to the first service flow, and sends the updated first flow entry to the switch; the updated first flow entry instructs the switch to send the received first service flow to the new vFW node.
In an embodiment of the present application, before the first flow entry corresponding to the first service flow is updated, the method further includes:
the SDN controller sends the identifier of the first service flow and the identifier of the new vFW node to the monitored vFW nodes;
the SDN controller receives a first notification message sent by the vFW node through which the first service flow passes, the first notification message being sent after that vFW node has synchronized the session information corresponding to the first service flow to the new vFW node.
In an embodiment of the present application, updating the first flow entry corresponding to the first service flow includes:
updating the next hop of the first flow entry to the new vFW node.
In an embodiment of the present application, after the SDN controller monitors the load of each vFW node in the firewall cluster in real time, the method further includes:
when the SDN controller detects that the load of one or more vFW nodes is lower than a preset second threshold, it selects a vFW node to be exited from the vFW nodes whose load is lower than the preset second threshold, determines the second service flow passing through the vFW node to be exited as the service flow to be migrated, and determines the destination vFW node to which the second service flow is migrated;
the SDN controller updates the second flow entry corresponding to the second service flow and sends the updated second flow entry to the switch; the updated second flow entry instructs the switch to send the received second service flow to the destination vFW node.
In an embodiment of the present application, before the second flow entry corresponding to the second service flow is updated, the method further includes:
the SDN controller sends the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited;
the SDN controller receives a second notification message sent by the vFW node to be exited, the second notification message being sent after the vFW node to be exited has synchronized the session information corresponding to the second service flow to the destination vFW node.
In an embodiment of the present application, updating the second flow entry corresponding to the second service flow includes:
updating the next hop of the second flow entry to the destination vFW node.
In an embodiment of the present application, when the vFW nodes in the firewall cluster do not provide Network Address Translation (NAT) service and Virtual Private Network (VPN) service functions, the method further includes:
when a service flow packet sent by the switch is received, the SDN controller selects one vFW node from the vFW nodes by a hash algorithm and notifies the switch, so that the switch forwards the service flow packet to the selected vFW node.
In an embodiment of the present application, when the vFW nodes in the firewall cluster provide NAT service and VPN service functions, the method further includes:
the SDN controller allocates NAT addresses from a NAT address pool to the vFW nodes;
when a service flow packet sent by the switch is received, the SDN controller parses the VPN packet out of the service flow packet, looks up the corresponding vFW node according to the destination address of the VPN packet, the destination address being a NAT address, generates a flow entry and sends it to the switch; the generated flow entry instructs the switch to forward the VPN packet to the vFW node found.
FIG. 2 is a flowchart of a method for deploying a firewall cluster provided by an embodiment of the present application. As shown in FIG. 2, the method includes the following steps:
Step 201: Deploy an SDN controller (SDN Controller) in the network where the firewall cluster resides, and enable the Flow Manager and NFV Manager functions on the SDN Controller.
Step 202: The NFV Manager creates multiple vFW nodes using NFV technology according to the configured performance of the firewall cluster, where the uplink and downlink interfaces of each vFW node are bound to the switch, each vFW node is an equal-cost next hop of the switch, and the switch has SDN network device functionality enabled. SDN network device functionality includes OpenFlow forwarding.
In an embodiment of the present application, the number of vFW nodes is determined by the performance of the firewall cluster.
FIG. 3 is a schematic diagram of a firewall cluster provided by an embodiment of the present application. As shown in FIG. 3, the firewall cluster includes an SDN controller, n vFW nodes and a switch, where n is a positive integer. The switch connects the intranet and the extranet, and each vFW node is an equal-cost next hop of the switch. The SDN Controller has the Flow Manager and NFV Manager functions enabled.
In an embodiment of the present application, according to the services the firewall cluster provides, the firewalls in the cluster fall into two classes:
Class 1: firewalls with no NAT service and no VPN service.
A firewall with no NAT service and no VPN service mainly handles services such as firewall attack protection and inter-zone policy, and the switch is able to forward both directions of the same flow to the same vFW node.
Class 2: firewalls with NAT service and VPN service.
A firewall with NAT service and VPN service needs its NAT and VPN services to be partitioned across the individual vFW nodes.
FIG. 4 is a flowchart of a method for forwarding service flow packets from the intranet to the extranet when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application. As shown in FIG. 4, the method includes the following steps:
Step 400: Each vFW node in the firewall cluster advertises its uplink and downlink routes to the switch by Equal-Cost Multi-Path routing (ECMP). The switch receives the uplink and downlink routes from each vFW node and sends to the SDN Controller the information that each vFW node is an equal-cost next hop of the switch in the uplink and downlink directions.
From the switch's point of view, whether it receives an uplink service flow or a downlink service flow, it first sends that flow to the firewall cluster; the vFW nodes in the cluster are the switch's equal-cost next hops in both the uplink and downlink directions.
Step 401: The switch receives a service flow packet from the intranet whose source IP address is IP_A and destination IP address is IP_B. The switch looks up a matching flow entry locally by the packet's destination IP address; if none is found, it encapsulates the packet in a Packet-In message and sends it to the SDN Controller.
The source address of the Packet-In message is the address of the switch and its destination address is the address of the SDN Controller.
Step 402: The SDN Controller receives the Packet-In message, finds that its source address is the switch's address, and confirms from its own record that the vFW nodes of the firewall cluster are equal-cost next hops of this switch in the uplink and downlink directions. It then parses the original service flow packet out of the Packet-In message, applies the preset hash algorithm to "IP_A, IP_B, number of vFW nodes in the firewall cluster", maps the hash result to one vFW node in the cluster, takes that vFW node as the next hop for forwarding the packet, generates a flow entry for the service flow packet, encapsulates the flow entry in a Packet-Out message and sends it to the switch.
In an embodiment of the present application, the two key parameters IP_A and IP_B of the hash algorithm are filled in in a fixed order.
The flow entry contains the destination IP address of the service flow packet (i.e., IP_B) and the next-hop information.
Step 403: The switch receives the Packet-Out message, parses out and stores the flow entry sent by the SDN Controller, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
Step 404: The vFW node receives the service flow packet, performs firewall processing on it, generates the session information corresponding to the packet, and, if the packet is not filtered out, sends it back to the switch.
The session information includes the packet's source IP address, source port, destination IP address, destination port, protocol number, state and similar fields.
Step 405: The switch receives the service flow packet returned by the vFW node and forwards it to the extranet.
FIG. 5 is a flowchart of a method for forwarding service flow packets from the extranet to the intranet when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application. As shown in FIG. 5, the method includes the following steps:
Step 500: Each vFW node in the firewall cluster advertises its uplink and downlink routes to the switch by ECMP. The switch receives the uplink and downlink routes from each vFW node and sends to the SDN Controller the information that each vFW node is an equal-cost next hop of the switch in the uplink and downlink directions.
Step 501: The switch receives a service flow packet from the extranet whose source IP address is IP_B and destination IP address is IP_A. The switch looks up a matching flow entry locally by the packet's destination IP address; if none is found, it encapsulates the packet in a Packet-In message and sends it to the SDN Controller.
Step 502: The SDN Controller receives the Packet-In message, finds that its source address is the switch's address, and confirms from its own record that the vFW nodes of the firewall cluster are equal-cost next hops of this switch in the uplink and downlink directions. It then parses the original service flow packet out of the Packet-In message, applies the preset hash algorithm to "IP_A, IP_B, number of vFW nodes in the firewall cluster", maps the hash result to one vFW node in the cluster, takes that vFW node as the next hop for forwarding the packet, generates a flow entry for the service flow packet, encapsulates the flow entry in a Packet-Out message and sends it to the switch.
In an embodiment of the present application, the two key parameters IP_A and IP_B of the hash algorithm are filled in in a fixed order.
The hash computation in step 502 is exactly the same as in step 402, so the two steps produce the same hash result, which guarantees that the forward and reverse packets of the same service flow are forwarded to the same vFW node.
Step 503: The switch receives the Packet-Out message, parses out and stores the flow entry sent by the SDN Controller, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
Step 504: The vFW node receives the service flow packet, performs firewall processing on it, generates the session information corresponding to the packet, and, if the packet is not filtered out, sends it back to the switch.
Step 505: The switch receives the service flow packet returned by the vFW node and forwards it to the intranet.
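The direction-independent hash of steps 402 and 502 is what keeps a stateful vFW from seeing only half of a session. The following Python is an added example, not code from the patent or from the applicant: it implements the "fill in IP_A and IP_B in a fixed order" rule by ordering the two addresses numerically, feeds the ordered pair plus the node count into a keyed digest, and drives a minimal Packet-In handler. The node names, addresses and the choice of SHA-256 are assumptions; the patent fixes only the hash inputs. It also shows why the node count being a hash input matters: changing it remaps flows, which is the reason FIG. 8 and FIG. 9 synchronize sessions before the switch is repointed.

```python
"""Symmetric vFW selection for the no-NAT/no-VPN case (FIG. 4 and FIG. 5).

Added example; node identifiers, addresses and the SHA-256 digest are
assumptions, not taken from the patent.
"""
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# Constructed cluster of three vFW nodes (assumed identifiers).
VFW_NODES: List[str] = ["vfw-1", "vfw-2", "vfw-3"]


def canonical_pair(ip_a: str, ip_b: str) -> Tuple[str, str]:
    """Order the two endpoints numerically so A->B and B->A give the same
    pair. This is one concrete reading of the 'filled in in a fixed order'
    rule of steps 402/502."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    return (str(a), str(b)) if a <= b else (str(b), str(a))


def select_vfw(src_ip: str, dst_ip: str, nodes: List[str]) -> str:
    """Map (IP_A, IP_B, node count) to one vFW node.
    Python's built-in hash() is salted per process and must not be used here:
    two controller instances would pick different nodes for the same flow."""
    lo, hi = canonical_pair(src_ip, dst_ip)
    material = f"{lo}|{hi}|{len(nodes)}".encode()
    digest = hashlib.sha256(material).digest()
    return nodes[int.from_bytes(digest[:8], "big") % len(nodes)]


class FlowTableController:
    """Minimal Packet-In handler: each direction misses once (steps 401 and
    501), and both installed entries point at the same vFW node."""

    def __init__(self, nodes: List[str]) -> None:
        self.nodes = list(nodes)
        # (src, dst) -> flow entry, standing in for the switch's table
        self.flow_table: Dict[Tuple[str, str], Dict] = {}

    def packet_in(self, src_ip: str, dst_ip: str) -> Tuple[Dict, bool]:
        """Return (entry, installed). installed is False on a table hit."""
        key = (src_ip, dst_ip)
        if key in self.flow_table:
            return self.flow_table[key], False
        entry = {
            "match": {"ipv4_dst": dst_ip},
            "next_hop": select_vfw(src_ip, dst_ip, self.nodes),
        }
        self.flow_table[key] = entry
        return entry, True


def remapped_flows(flows: List[Tuple[str, str]], before: List[str],
                   after: List[str]) -> List[Tuple[str, str]]:
    """Flows whose node changes when the cluster size changes. Because the
    node count is a hash input, scaling remaps flows; a remapped flow only
    survives if its session was copied first (FIG. 8/9)."""
    return [f for f in flows
            if select_vfw(f[0], f[1], before) != select_vfw(f[0], f[1], after)]
```

Note that the patent's flow entry matches on the destination IP alone, as reproduced in `match` above; because the hash decision depends on both addresses, a deployment should confirm that a later flow from a different source to the same destination still lands where its reverse direction will hash, or widen the match to both addresses.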
FIG. 6 is a flowchart of a method for forwarding service flow packets from the intranet to the extranet when the firewall provides NAT service and VPN service, provided by an embodiment of the present application. As shown in FIG. 6, the method includes the following steps:
Step 600: VPN tunnels are established in advance between each vFW node in the firewall cluster and the extranet partners corresponding to that vFW node.
A partner refers to one VPN in the extranet.
Each vFW node may establish VPN tunnels with one or more partners; in general, the higher a vFW node's performance, the more VPN tunnels it can establish. A given partner establishes a VPN tunnel with only one vFW node.
Step 601: A NAT address pool is configured in advance on the SDN Controller. The NFV Manager of the SDN Controller partitions the NAT address pool resources and allocates them to the vFW nodes in the firewall cluster, sends the allocated NAT address pool resources to the corresponding vFW nodes, and configures policy-based routing (PBR) according to the NAT address pool resources allocated to each vFW node.
The NAT address pool resources may be partitioned and allocated according to the performance of each vFW node: the higher a vFW node's performance, the more NAT addresses it is allocated.
The PBR contains NAT addresses and the next hop corresponding to each NAT address, where the next hop of a NAT address is the vFW node to which that NAT address was allocated.
Step 602: The switch receives a service flow packet from the intranet whose source IP address is IP_A and destination IP address is IP_NAT_B. The switch looks up a matching flow entry locally by the packet's destination IP address; if none is found, it encapsulates the packet in a Packet-In message and sends it to the SDN Controller.
IP_NAT_B is the address obtained by applying NAT to IP_B.
Step 603: The Flow Manager of the SDN Controller receives the Packet-In message, parses the original service flow packet out of it, queries the NFV Manager for the next hop corresponding to the packet's destination IP address IP_NAT_B, generates a flow entry for the service flow packet, encapsulates it in a Packet-Out message and sends it to the switch.
When the Flow Manager queries the NFV Manager for the next hop corresponding to the destination IP address IP_NAT_B, the NFV Manager finds the next hop for IP_NAT_B in its configured PBR; that next hop points to one vFW node.
Step 604: The switch receives the Packet-Out message, parses out and stores the flow entry, and sends the service flow packet to the vFW node corresponding to the next hop in the flow entry.
Step 605: The vFW node receives the service flow packet, performs NAT on it according to its own NAT address pool and performs firewall processing on it; if the packet is not filtered out, it encapsulates the packet in the VPN tunnel and sends the encapsulated packet back to the switch.
Step 606: The switch receives the service flow packet returned by the vFW node and forwards it to the extranet.
FIG. 7 is a flowchart of a method for forwarding service flow packets from the extranet to the intranet when the firewall provides NAT service and VPN service, provided by an embodiment of the present application. As shown in FIG. 7, the method includes the following steps:
Step 700: VPN tunnels are established in advance between each vFW node in the firewall cluster and the extranet partners corresponding to that vFW node.
A partner refers to one VPN in the extranet.
Each vFW node may establish VPN tunnels with one or more partners; in general, the higher a vFW node's performance, the more VPN tunnels it can establish. A given partner establishes a VPN tunnel with only one vFW node.
Step 701: A NAT address pool is configured in advance on the SDN Controller. The NFV Manager of the SDN Controller partitions the NAT address pool resources and allocates them to the vFW nodes in the firewall cluster, sends the allocated NAT address pool resources to the corresponding vFW nodes, and configures PBR according to the NAT address pool resources allocated to each vFW node.
The NAT address pool resources may be partitioned and allocated according to the performance of each vFW node: the higher a vFW node's performance, the more NAT addresses it is allocated.
The PBR contains NAT addresses and the next hop corresponding to each NAT address, where the next hop of a NAT address is the vFW node to which that NAT address was allocated.
Step 702: A partner in the extranet sends a service flow packet to access the intranet, whose source IP address is IP_B and destination IP address is IP_NAT_A. The packet reaches the extranet's VPN gateway, which encapsulates it in the VPN tunnel; the tunnel-encapsulated service flow packet (the VPN packet) then reaches the switch. The switch looks up a matching flow entry locally by the VPN packet's destination IP address; if none is found, it encapsulates the VPN packet in a Packet-In message and sends it to the SDN Controller.
IP_NAT_A is a NAT address, i.e., the IP address obtained by applying NAT to IP_A.
Step 703: The Flow Manager of the SDN Controller receives the Packet-In message, parses the VPN packet out of it, queries the NFV Manager for the next hop corresponding to the VPN packet's destination IP address IP_NAT_A, generates a flow entry, encapsulates it in a Packet-Out message and sends it to the switch.
Step 704: The switch receives the Packet-Out message, parses out and stores the flow entry, and sends the VPN packet to the vFW node corresponding to the next hop in the flow entry.
Step 705: The vFW node receives the VPN packet, decapsulates the VPN tunnel to obtain the original service flow packet, performs NAT on the original packet and performs firewall processing on it; if the packet is not filtered out, it sends the packet back to the switch.
Step 706: The switch receives the service flow packet and forwards it to the intranet.
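Steps 601/701 and 603/703 describe the NFV Manager partitioning the NAT pool by node performance and the Flow Manager resolving a NAT destination to a vFW node through PBR. The Python below is an added example, not the patent's or the applicant's code: it splits a pool proportionally to per-node capacity weights with largest-remainder rounding so that every address is handed out exactly once, rejects double allocation when building the PBR, and answers a Packet-In for both the intranet-originated case (FIG. 6, destination IP_NAT_B) and the tunnelled extranet case (FIG. 7, the VPN packet's destination IP_NAT_A). The pool prefix, capacity weights, packet dictionaries and the rounding method are assumptions.

```python
"""NAT address pool partitioning and PBR lookup for the NAT/VPN case
(FIG. 6 and FIG. 7). Added example; pool, weights and packet layout are
constructed inputs, not taken from the patent."""
import ipaddress
from typing import Dict, List, Optional

# Constructed inputs: a /29 NAT pool and per-node capacity weights (assumed).
NAT_POOL = "198.51.100.0/29"
CAPACITY = {"vfw-1": 3, "vfw-2": 2, "vfw-3": 1}


def partition_nat_pool(pool_cidr: str, capacity: Dict[str, int]) -> Dict[str, List[str]]:
    """Split the usable addresses of the pool across nodes in proportion to
    capacity. Largest-remainder rounding guarantees the shares sum to the
    pool size, so no address is left unassigned or assigned twice."""
    addrs = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
    total = sum(capacity.values())
    shares: Dict[str, int] = {}
    remainders = []
    for node, weight in capacity.items():
        exact = len(addrs) * weight / total
        shares[node] = int(exact)
        remainders.append((exact - int(exact), node))
    leftover = len(addrs) - sum(shares.values())
    for _, node in sorted(remainders, reverse=True)[:leftover]:
        shares[node] += 1
    allocation: Dict[str, List[str]] = {}
    cursor = 0
    for node, share in shares.items():
        allocation[node] = addrs[cursor:cursor + share]
        cursor += share
    return allocation


def build_pbr(allocation: Dict[str, List[str]]) -> Dict[str, str]:
    """PBR as the NFV Manager keeps it: NAT address -> vFW node next hop.
    A NAT address owned by two nodes would split a session, so refuse it."""
    pbr: Dict[str, str] = {}
    for node, addrs in allocation.items():
        for addr in addrs:
            if addr in pbr:
                raise ValueError(f"NAT address {addr} allocated twice")
            pbr[addr] = node
    return pbr


def flow_entry_for_packet(pbr: Dict[str, str], packet: Dict) -> Optional[Dict]:
    """Flow Manager behaviour of steps 603/703. A Packet-In carrying a
    tunnelled packet (FIG. 7) is modelled as {"vpn_packet": {...}}; the
    lookup key is then the VPN packet's destination, as the patent states."""
    inner = packet.get("vpn_packet", packet)
    dst = inner["ipv4_dst"]
    next_hop = pbr.get(dst)
    if next_hop is None:
        return None  # not a NAT address we allocated: do not guess a node
    return {"match": {"ipv4_dst": dst}, "next_hop": next_hop}
```

Returning `None` for an unknown destination is deliberate: a destination that is not in the PBR is not one of the cluster's NAT addresses, and installing a flow entry for it would send traffic to a vFW node that holds neither the NAT binding nor the VPN tunnel.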
FIG. 8 is a flowchart of a firewall cluster scale-out method when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application. As shown in FIG. 8, the method includes the following steps:
Step 801: The NFV Manager of the SDN Controller monitors the load of each vFW node in the firewall cluster in real time.
In an embodiment of the present application, the NFV Manager of the SDN Controller may monitor a vFW node's load by monitoring one or any combination of the node's CPU, memory, bandwidth and connection count.
Step 802: When the NFV Manager of the SDN Controller detects that the load of one or more vFW nodes is higher than the preset first threshold, it creates a new vFW node using NFV technology and adds the new vFW node to the firewall cluster.
Step 803: The Flow Manager of the SDN Controller determines, according to a preset service flow migration rule, the service flow (called the first service flow) to be migrated from the monitored vFW nodes in the firewall cluster to the new vFW node, and notifies all monitored vFW nodes of the identifier of the first service flow to be migrated (for example, source IP address + destination IP address) and the identifier of the new vFW node.
In an embodiment of the present application, the service flows to be migrated may be selected from the service flows on the monitored vFW nodes according to a preset hash algorithm.
Step 804: The vFW node through which the first service flow to be migrated passes synchronizes the session information corresponding to the first service flow to the new vFW node, according to the identifier of the first service flow sent by the SDN Controller. When synchronization is complete, it sends a session synchronization completion notification message (called the first notification message) to the SDN Controller.
Step 805: The Flow Manager of the SDN Controller receives the first notification message from the vFW node through which the first service flow to be migrated passes, updates the flow entry of the first service flow to be migrated, and sends the updated flow entry to the switch.
In an embodiment of the present application, updating the flow entry of the first service flow to be migrated means changing the next hop of that flow entry to the new vFW node. When the switch subsequently receives the first service flow to be migrated, it can send it to the new vFW node.
FIG. 9 is a flowchart of a firewall cluster scale-in method when the firewall provides no NAT service and no VPN service, provided by an embodiment of the present application. As shown in FIG. 9, the method includes the following steps:
Step 901: The NFV Manager of the SDN Controller monitors the load of each vFW node in the firewall cluster in real time.
In an embodiment of the present application, the NFV Manager of the SDN Controller may monitor a vFW node's load by monitoring one or any combination of the node's CPU, memory, bandwidth and connection count.
Step 902: When the NFV Manager of the SDN Controller detects that the load of one or more vFW nodes is lower than the preset second threshold, it selects one vFW node from the vFW nodes whose load is lower than the preset second threshold as the vFW node to be exited.
Usually, the vFW node with the lowest load is selected as the vFW node to be exited.
Step 903: The Flow Manager of the SDN Controller determines that the service flows of the vFW node to be exited (called the second service flow) are to be migrated to other vFW nodes in the firewall cluster (the destination vFW nodes), and sends the identifier of the second service flow and the identifier of the destination vFW node to which the second service flow is to be migrated to the vFW node to be exited.
In an embodiment of the present application, the destination vFW node may be selected according to a preset hash algorithm from the remaining vFW nodes in the firewall cluster other than the vFW node to be exited.
Step 904: The vFW node to be exited synchronizes the session information of the second service flow to the destination vFW node, according to the identifier of the second service flow and the identifier of the destination vFW node sent by the SDN Controller. When synchronization is complete, it sends a session synchronization completion notification message (called the second notification message) to the SDN Controller.
Step 905: The Flow Manager of the SDN Controller receives the second notification message from the vFW node to be exited, updates the flow entry of the second service flow to be migrated, and sends the updated flow entry to the switch.
In an embodiment of the present application, updating the flow entry of the second service flow to be migrated means changing the next hop of that flow entry to the destination vFW node.
In an embodiment of the present application, NFV technology is used to create new vFW nodes, which realizes automatic deployment of the firewall cluster. At the same time, binding both the uplink and downlink interfaces of each vFW node to the SDN network device makes every vFW node an equal-cost next hop of the SDN network device in both the uplink and downlink directions, so that the SDN network device distributes uplink and downlink packets evenly across the vFW nodes.
In an embodiment of the present application, the SDN controller monitors the load of each vFW node in the firewall cluster in real time. When it detects that the load of one or more vFW nodes is higher than the preset first threshold, it creates a new vFW node, adds it to the firewall cluster, selects the first service flow to be migrated from the service flows of all monitored vFW nodes, and migrates the first service flow to the new vFW node, which realizes automatic scale-out of the firewall cluster. When it detects that the load of one or more vFW nodes is lower than the preset second threshold, it selects one vFW node to exit the firewall cluster, which realizes automatic scale-in of the firewall cluster.
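The ordering in FIG. 8 and FIG. 9 is the security-relevant part: the switch's next hop is changed only after the node that will receive the flow has confirmed it holds the session, otherwise packets arrive at a vFW with no state for them and are dropped or, depending on the vFW's policy for out-of-state packets, let through. The Python below is an added example, not the patent's or the applicant's code, and simulates one controller driving both procedures over an in-memory cluster: scale-out creates a node, picks the flows whose hash now maps to it, and migrates each one; scale-in takes the lowest-load node under the second threshold, re-places its flows by hashing over the remaining nodes, and removes it. `update_flow_entry` refuses to repoint a flow whose session is not yet on the target, which is the check a practitioner would add. Thresholds, node names, load figures and the SHA-256 placement hash are assumptions.

```python
"""Scale-out (steps 801-805) and scale-in (steps 901-905) with session
synchronization gating the flow-table update. Added example; thresholds,
names and the hash are assumed, not taken from the patent."""
import hashlib
from typing import Dict, List, Optional

FIRST_THRESHOLD = 80   # scale-out trigger (assumed value)
SECOND_THRESHOLD = 20  # scale-in trigger (assumed value)


def place(flow_id: str, nodes: List[str]) -> str:
    """Preset hash of steps 803/903: deterministic flow -> node choice."""
    digest = hashlib.sha256(f"{flow_id}|{len(nodes)}".encode()).digest()
    return sorted(nodes)[int.from_bytes(digest[:8], "big") % len(nodes)]


class FirewallCluster:
    def __init__(self, nodes: List[str]) -> None:
        # node -> {flow_id: session}; the session dict stands in for the
        # 5-tuple/state record the vFW keeps (step 404)
        self.sessions: Dict[str, Dict[str, dict]] = {n: {} for n in nodes}
        self.next_hop: Dict[str, str] = {}   # the switch's flow table
        self._counter = len(nodes)

    def new_session(self, flow_id: str, session: dict) -> str:
        node = place(flow_id, list(self.sessions))
        self.sessions[node][flow_id] = session
        self.next_hop[flow_id] = node
        return node

    def sync_session(self, flow_id: str, src: str, dst: str) -> bool:
        """Steps 804/904: the current node copies the session to the target
        and returns the synchronization-complete notification."""
        self.sessions[dst][flow_id] = dict(self.sessions[src][flow_id])
        return True

    def update_flow_entry(self, flow_id: str, dst: str) -> None:
        """Steps 805/905. Refuse to repoint a flow to a node that has no
        session for it; that is the state a mid-flow packet would hit."""
        if flow_id not in self.sessions[dst]:
            raise RuntimeError(f"{dst} has no session for {flow_id}; sync first")
        self.next_hop[flow_id] = dst

    def migrate(self, flow_id: str, dst: str) -> None:
        src = self.next_hop[flow_id]
        if src == dst:
            return
        if self.sync_session(flow_id, src, dst):   # wait for the notification
            self.update_flow_entry(flow_id, dst)   # only then repoint the switch
            del self.sessions[src][flow_id]

    def scale_out(self, loads: Dict[str, int]) -> List[str]:
        """Returns the flows migrated to the new node (empty if no node is hot)."""
        if not any(load > FIRST_THRESHOLD for load in loads.values()):
            return []
        self._counter += 1
        new = f"vfw-{self._counter}"
        self.sessions[new] = {}
        nodes = list(self.sessions)
        moved = [f for f in list(self.next_hop) if place(f, nodes) == new]
        for f in moved:
            self.migrate(f, new)
        return moved

    def scale_in(self, loads: Dict[str, int]) -> Optional[str]:
        """Returns the node that left the cluster, if any."""
        cold = [n for n, load in loads.items() if load < SECOND_THRESHOLD]
        if not cold or len(self.sessions) < 2:
            return None
        leaving = min(cold, key=loads.__getitem__)   # lowest load, as step 902 suggests
        remaining = [n for n in self.sessions if n != leaving]
        for f in list(self.sessions[leaving]):
            self.migrate(f, place(f, remaining))
        del self.sessions[leaving]
        return leaving

    def consistent(self) -> bool:
        """Invariant: every flow's next hop holds that flow's session."""
        return all(f in self.sessions[n] for f, n in self.next_hop.items())
```

`consistent()` is the property to check after every scaling event; a controller that updates the flow table on a timer or on node creation rather than on the notification message breaks it for the migrated flows.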
FIG. 10 is a schematic diagram of the composition of a firewall cluster implementation apparatus provided by an embodiment of the present application. The apparatus is located on the SDN Controller; the SDN Controller, one or more vFW nodes and a switch together form a firewall cluster, and each vFW node is an equal-cost next hop of the switch. As shown in FIG. 10, the apparatus mainly includes an NFV management module 1001 and a flow management module 1002, wherein:
NFV management module 1001: configured to monitor the load of each vFW node in the firewall cluster in real time and to create a new vFW node when it detects that the load of one or more vFW nodes is higher than a preset first threshold.
Flow management module 1002: configured to, after the NFV management module 1001 creates the new vFW node, select a first service flow to be migrated from the service flows of all monitored vFW nodes, update the first flow entry corresponding to the first service flow, and send the updated first flow entry to the switch; the updated first flow entry instructs the switch to send the received first service flow to the new vFW node.
In an embodiment of the present application, before updating the first flow entry corresponding to the first service flow, the flow management module 1002 is further configured to:
send the identifier of the first service flow and the identifier of the new vFW node to all the monitored vFW nodes, and receive a first notification message sent by the vFW node through which the first service flow passes, the first notification message being sent after that vFW node has synchronized the session information corresponding to the first service flow to the new vFW node.
In an embodiment of the present application, when updating the first flow entry corresponding to the first service flow, the flow management module 1002 is configured to
update the next hop of the first flow entry to the new vFW node.
In an embodiment of the present application, the NFV management module 1001 is further configured to, when it detects that the load of one or more vFW nodes is lower than a preset second threshold, select the vFW node to be exited from the vFW nodes whose load is lower than the preset second threshold;
and the flow management module 1002 is further configured to, after the NFV management module 1001 selects the vFW node to be exited, determine the second service flow on the vFW node to be exited as the service flow to be migrated, determine the destination vFW node to which the second service flow is migrated, update the second flow entry corresponding to the second service flow, and send the updated second flow entry to the switch; the updated second flow entry instructs the switch to send the received second service flow to the destination vFW node.
In an embodiment of the present application, before updating the second flow entry corresponding to the second service flow, the flow management module 1002 is further configured to:
send the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited, and receive a second notification message sent by the vFW node to be exited, the second notification message being sent after the vFW node to be exited has synchronized the session information corresponding to the second service flow to the destination vFW node.
In an embodiment of the present application, when updating the second flow entry corresponding to the second service flow, the flow management module 1002 is configured to:
update the next hop of the second flow entry to the destination vFW node.
In an embodiment of the present application, when the vFW nodes in the firewall cluster do not have the NAT service and VPN service functions, the flow management module 1002 is further configured to,
when a service flow packet sent by the switch is received, select one vFW node from the vFW nodes by a hash algorithm and notify the switch, so that the switch forwards the service flow packet to the selected vFW node.
In an embodiment of the present application, when the vFW nodes in the firewall cluster have the NAT service and VPN service functions, the NFV management module 1001 is further configured to allocate NAT addresses in the NAT address pool to the vFW nodes;
and the flow management module 1002 is further configured to, when a service flow packet sent by the switch is received, parse the VPN packet out of the service flow packet, look up the corresponding vFW node according to the destination address of the VPN packet, the destination address being a NAT address, and generate a corresponding flow entry and send it to the switch; the generated flow entry instructs the switch to forward the VPN packet to the vFW node found.
An embodiment of the present application also provides a hardware structure of an SDN controller. FIG. 11 is a schematic diagram of the hardware composition of an SDN controller provided by an embodiment of the present application. The SDN controller, one or more vFW nodes and a switch together form a firewall cluster, and each vFW node is an equal-cost next hop of the switch. As shown in FIG. 11, the SDN controller includes a processor 1101, a non-volatile memory 1102, a network interface 1103 and an internal bus 1104. The non-volatile memory 1102 may be a non-volatile machine-readable storage medium.
In an embodiment of the present invention, the non-volatile memory 1102 is configured to store logic instructions that implement the firewall cluster; the logic instructions are machine-readable instructions executable by the processor 1101.
In an embodiment of the present invention, the processor 1101 is configured to execute the machine-readable instructions to perform the following operations:
monitor the load of each vFW node in the firewall cluster in real time and, when the load of one or more vFW nodes is detected to be higher than a preset first threshold, create a new vFW node;
select a first service flow to be migrated from the service flows of all monitored vFW nodes, update the first flow entry corresponding to the first service flow, and send the updated first flow entry to the switch, the updated first flow entry instructing the switch to send the received first service flow to the new vFW node.
In an embodiment of the present invention, before updating the first flow entry corresponding to the first service flow, the processor 1101 executes the machine-readable instructions to perform the following operations:
send the identifier of the first service flow and the identifier of the new vFW node to all the monitored vFW nodes, and receive a first notification message sent by the vFW node through which the first service flow passes, the first notification message being sent after that vFW node has synchronized the session information corresponding to the first service flow to the new vFW node.
In an embodiment of the present invention, to update the first flow entry corresponding to the first service flow, the processor 1101 executes the machine-readable instructions to perform the following operation:
update the next hop of the first flow entry to the new vFW node.
In an embodiment of the present invention, when it is detected that the load of one or more vFW nodes is lower than a preset second threshold, the processor 1101 executes the machine-readable instructions to perform the following operations:
select the vFW node to be exited from the vFW nodes whose load is lower than the preset second threshold;
determine the second service flow on the vFW node to be exited as the service flow to be migrated and determine the destination vFW node to which the second service flow is migrated; update the second flow entry corresponding to the second service flow and send the updated second flow entry to the switch, the updated second flow entry instructing the switch to send the received second service flow to the destination vFW node.
In an embodiment of the present invention, before updating the second flow entry corresponding to the second service flow, the processor 1101 executes the machine-readable instructions to perform the following operations:
send the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited, and receive a second notification message sent by the vFW node to be exited, the second notification message being sent after the vFW node to be exited has synchronized the session information corresponding to the second service flow to the destination vFW node.
In an embodiment of the present invention, to update the second flow entry corresponding to the second service flow, the processor 1101 executes the machine-readable instructions to perform the following operation:
update the next hop of the second flow entry to the destination vFW node.
In an embodiment of the present invention, when the vFW nodes do not have the NAT service and VPN service functions, the processor 1101 executes the machine-readable instructions to perform the following operation:
when a service flow packet sent by the switch is received, select one vFW node from the vFW nodes by a hash algorithm and notify the switch, so that the switch forwards the service flow packet to the selected vFW node.
In an embodiment of the present invention, when the vFW nodes have the NAT service and VPN service functions, the processor 1101 executes the machine-readable instructions to perform the following operations:
allocate NAT addresses in the NAT address pool to the vFW nodes;
when a service flow packet sent by the switch is received, parse the VPN packet out of the service flow packet, look up the corresponding vFW node according to the destination address of the VPN packet, the destination address being a NAT address, and generate a corresponding flow entry and send it to the switch; the generated flow entry instructs the switch to forward the VPN packet to the vFW node found.
In an embodiment of the present invention, the network interface 1103 is used to connect other hardware devices, such as the switch. The internal bus 1104 is used to connect the processor 1101, the non-volatile memory 1102 and the network interface 1103.
The foregoing are merely preferred embodiments of the present application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within the scope of protection of the present application.

Claims (16)

  1. A firewall cluster implementation method, characterized in that the method comprises:
    an SDN controller monitoring in real time the load of each virtual firewall (vFW) node in a firewall cluster;
    when the SDN controller detects that the load of one or more vFW nodes is higher than a preset first threshold, creating a new vFW node;
    the SDN controller selecting a first service flow to be migrated from the service flows passing through all monitored vFW nodes, updating a first flow entry corresponding to the first service flow, and sending the updated first flow entry to a switch, the updated first flow entry instructing the switch to send the received first service flow to the new vFW node.
  2. The method according to claim 1, characterized in that, before updating the first flow entry corresponding to the first service flow, the method further comprises:
    the SDN controller sending the identifier of the first service flow and the identifier of the new vFW node to all the monitored vFW nodes;
    the SDN controller receiving a first notification message sent by the vFW node through which the first service flow passes, the first notification message being sent after the vFW node through which the first service flow passes has synchronized the session information corresponding to the first service flow to the new vFW node.
  3. The method according to claim 1, characterized in that updating the first flow entry corresponding to the first service flow comprises:
    updating the next hop of the first flow entry to the new vFW node.
  4. The method according to claim 1, characterized in that, when the SDN controller detects that the load of one or more vFW nodes is lower than a preset second threshold, the method further comprises:
    selecting a vFW node to be exited from the vFW nodes whose load is lower than the preset second threshold, determining a second service flow passing through the vFW node to be exited as the service flow to be migrated, and determining a destination vFW node to which the second service flow is migrated;
    the SDN controller updating a second flow entry corresponding to the second service flow and sending the updated second flow entry to the switch, the updated second flow entry being used to instruct the switch to send the received second service flow to the destination vFW node.
  5. The method according to claim 4, characterized in that, before updating the second flow entry corresponding to the second service flow, the method further comprises:
    the SDN controller sending the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited;
    the SDN controller receiving a second notification message sent by the vFW node to be exited, the second notification message being sent after the vFW node to be exited has synchronized the session information corresponding to the second service flow to the destination vFW node.
  6. The method according to claim 4, characterized in that updating the second flow entry corresponding to the second service flow comprises:
    updating the next hop of the second flow entry to the destination vFW node.
  7. The method according to claim 1, characterized in that, when the vFW nodes in the firewall cluster do not have network address translation (NAT) service and virtual private network (VPN) service functions, the method further comprises:
    when a service flow packet sent by the switch is received, the SDN controller selecting one vFW node from the vFW nodes by a hash algorithm and notifying the switch, so that the switch forwards the service flow packet to the selected vFW node.
  8. The method according to claim 1, characterized in that, when the vFW nodes in the firewall cluster have NAT service and VPN service functions, the method further comprises:
    the SDN controller allocating NAT addresses in a NAT address pool to the vFW nodes;
    when a service flow packet sent by the switch is received, the SDN controller parsing a VPN packet out of the service flow packet, looking up the corresponding vFW node according to the destination address of the VPN packet, the destination address being a NAT address, and generating a corresponding flow entry and sending it to the switch, the generated flow entry instructing the switch to forward the VPN packet to the vFW node found.
  9. An SDN controller, characterized by comprising a processor and a non-volatile machine-readable storage medium, the non-volatile machine-readable storage medium storing machine-readable instructions that are executed by the processor to implement the following operations:
    monitoring in real time the load of each vFW node in a firewall cluster and, when it is detected that the load of one or more vFW nodes is higher than a preset first threshold, creating a new vFW node;
    selecting a first service flow to be migrated from the service flows passing through all monitored vFW nodes, updating a first flow entry corresponding to the first service flow, and sending the updated first flow entry to the switch, the updated first flow entry instructing the switch to send the received first service flow to the new vFW node.
  10. The SDN controller according to claim 9, characterized in that, before updating the first flow entry corresponding to the first service flow, the processor executes the machine-readable instructions to implement the following operations:
    sending the identifier of the first service flow and the identifier of the new vFW node to all the monitored vFW nodes, and receiving a first notification message sent by the vFW node through which the first service flow passes, the first notification message being sent after the vFW node through which the first service flow passes has synchronized the session information corresponding to the first service flow to the new vFW node.
  11. The SDN controller according to claim 9, characterized in that, to update the first flow entry corresponding to the first service flow, the processor executes the machine-readable instructions to implement the following operation:
    updating the next hop of the first flow entry to the new vFW node.
  12. The SDN controller according to claim 9, characterized in that, when it is detected that the load of one or more vFW nodes is lower than a preset second threshold, the processor executes the machine-readable instructions to implement the following operations:
    selecting a vFW node to be exited from the vFW nodes whose load is lower than the preset second threshold;
    determining a second service flow passing through the vFW node to be exited as the service flow to be migrated, and determining a destination vFW node to which the second service flow is migrated; updating a second flow entry corresponding to the second service flow and sending the updated second flow entry to the switch, the updated second flow entry being used to instruct the switch to send the received second service flow to the destination vFW node.
  13. The SDN controller according to claim 12, characterized in that, before updating the second flow entry corresponding to the second service flow, the processor executes the machine-readable instructions to implement the following operations:
    sending the identifier of the second service flow and the identifier of the destination vFW node to the vFW node to be exited, and receiving a second notification message sent by the vFW node to be exited, the second notification message being sent after the vFW node to be exited has synchronized the session information corresponding to the second service flow to the destination vFW node.
  14. The SDN controller according to claim 12, characterized in that, to update the second flow entry corresponding to the second service flow, the processor executes the machine-readable instructions to implement the following operation:
    updating the next hop of the second flow entry to the destination vFW node.
  15. The SDN controller according to claim 9, characterized in that, when the vFW nodes in the firewall cluster do not have NAT service and VPN service functions, the processor executes the machine-readable instructions to implement the following operation:
    when a service flow packet sent by the switch is received, selecting one vFW node from the vFW nodes by a hash algorithm and notifying the switch, so that the switch forwards the service flow packet to the selected vFW node.
  16. The SDN controller according to claim 9, characterized in that, when the vFW nodes in the firewall cluster have NAT service and VPN service functions, the processor executes the machine-readable instructions to implement the following operations:
    allocating NAT addresses in a NAT address pool to the vFW nodes;
    when a service flow packet sent by the switch is received, parsing a VPN packet out of the service flow packet, looking up the corresponding vFW node according to the destination address of the VPN packet, the destination address being a NAT address, and generating a corresponding flow entry and sending it to the switch, the generated flow entry instructing the switch to forward the VPN packet to the vFW node found.
PCT/CN2016/103665 2015-10-28 2016-10-28 Firewall cluster WO2017071624A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP16859059.4A EP3358807B1 (en) 2015-10-28 2016-10-28 Firewall cluster
JP2018521874A JP6619096B2 (ja) 2015-10-28 2016-10-28 Firewall cluster
US15/768,454 US10715490B2 (en) 2015-10-28 2016-10-28 Firewall cluster

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510712149.7 2015-10-28
CN201510712149.7A CN106656905B (zh) 2015-10-28 2015-10-28 Firewall cluster implementation method and apparatus

Publications (1)

Publication Number Publication Date
WO2017071624A1 true WO2017071624A1 (zh) 2017-05-04

Family

ID=58631297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/103665 WO2017071624A1 (zh) 2015-10-28 2016-10-28 Firewall cluster

Country Status (5)

Country Link
US (1) US10715490B2 (zh)
EP (1) EP3358807B1 (zh)
JP (1) JP6619096B2 (zh)
CN (1) CN106656905B (zh)
WO (1) WO2017071624A1 (zh)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107193638A (zh) * 2017-05-30 2017-09-22 南京邮电大学 Network function fast adaptive migration method based on multi-dimensional environment awareness
CN107579963A (zh) * 2017-08-24 2018-01-12 南京南瑞集团公司 High-performance firewall cluster
CN107689992A (zh) * 2017-08-24 2018-02-13 南京南瑞集团公司 High-performance firewall cluster implementation method
CN107547551B (zh) * 2017-09-06 2020-09-25 新华三信息安全技术有限公司 Packet filtering method, apparatus, device and storage medium
CN109525497B (zh) * 2017-09-18 2021-08-03 华为技术有限公司 Traffic grouping method, data center network system and controller
CN107733800A (zh) * 2017-11-29 2018-02-23 郑州云海信息技术有限公司 SDN network packet transmission method and apparatus
CN110324165B (zh) * 2018-03-30 2021-05-11 华为技术有限公司 Network device management method, apparatus and system
US10999251B2 (en) * 2018-09-28 2021-05-04 Juniper Networks, Inc. Intent-based policy generation for virtual networks
CN111224821B (zh) * 2019-12-31 2022-12-09 北京山石网科信息技术有限公司 Security service deployment system, method and apparatus
CN112671669A (zh) * 2020-12-24 2021-04-16 浪潮云信息技术股份公司 OpenFlow-based virtualized network QoS implementation method and system
US20230104568A1 (en) 2021-10-04 2023-04-06 Juniper Networks, Inc. Cloud native software-defined network architecture for multiple clusters

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014091431A1 (en) * 2012-12-11 2014-06-19 Telefonaktiebolaget L M Ericsson (Publ) Hybrid firewall for data center security
CN104378299A (zh) * 2014-11-20 2015-02-25 杭州华三通信技术有限公司 Flow entry processing method and apparatus
CN104468353A (zh) * 2014-12-26 2015-03-25 深圳市新格林耐特通信技术有限公司 SDN-based data center network traffic management method

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011159247A (ja) * 2010-02-04 2011-08-18 Nec Corp Network system, controller, and network control method
JP2012037935A (ja) * 2010-08-03 2012-02-23 Fujitsu Ltd Information processing apparatus
US8776207B2 (en) 2011-02-16 2014-07-08 Fortinet, Inc. Load balancing in a network with session information
JP5910811B2 (ja) * 2011-07-27 2016-04-27 日本電気株式会社 Switch device control system, and configuration control device and configuration control method therefor
US9088584B2 (en) * 2011-12-16 2015-07-21 Cisco Technology, Inc. System and method for non-disruptive management of servers in a network environment
JP5682070B2 (ja) 2012-02-28 2015-03-11 日本電信電話株式会社 Integrated control apparatus and integrated control method
US10333827B2 (en) * 2012-04-11 2019-06-25 Varmour Networks, Inc. Adaptive session forwarding following virtual machine migration detection
WO2014166603A1 (en) * 2013-04-12 2014-10-16 Alcatel Lucent Flow migration between virtual network appliances in a cloud computing network
CN103491129B (zh) 2013-07-05 2017-07-14 华为技术有限公司 Service node configuration method, service node pool registrar and system
WO2015099036A1 (ja) * 2013-12-27 2015-07-02 株式会社Nttドコモ Management system, overall management node, and management method
CN104869065B (zh) * 2014-02-26 2020-04-21 中兴通讯股份有限公司 Data packet processing method and apparatus
US9882814B2 (en) * 2014-09-25 2018-01-30 Intel Corporation Technologies for bridging between coarse-grained and fine-grained load balancing
US10757024B2 (en) * 2014-12-24 2020-08-25 Ntt Communications Corporation Load distribution apparatus, load distribution method and program
US9807016B1 (en) * 2015-09-29 2017-10-31 Juniper Networks, Inc. Reducing service disruption using multiple virtual IP addresses for a service load balancer

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3358807A4 *

Also Published As

Publication number Publication date
EP3358807B1 (en) 2020-07-15
EP3358807A1 (en) 2018-08-08
JP2018536345A (ja) 2018-12-06
US10715490B2 (en) 2020-07-14
CN106656905B (zh) 2020-02-21
JP6619096B2 (ja) 2019-12-11
US20180302371A1 (en) 2018-10-18
EP3358807A4 (en) 2018-10-03
CN106656905A (zh) 2017-05-10

Similar Documents

Publication Publication Date Title
WO2017071624A1 (zh) Firewall cluster
EP3509256A1 (en) Determining routing decisions in a software-defined wide area network
US10116559B2 (en) Operations, administration and management (OAM) in overlay data center environments
US10938748B2 (en) Packet processing method, computing device, and packet processing apparatus
EP3249865B1 (en) Method and devices for constructing label and forwarding label packet
US9065768B2 (en) Apparatus for a high performance and highly available multi-controllers in a single SDN/OpenFlow network
US9100281B2 (en) Systems and methods for equal-cost multi-path virtual private LAN service
US20180351858A1 (en) Virtual machine migration
US20200396162A1 (en) Service function chain sfc-based communication method, and apparatus
CN109660442B (zh) Method and apparatus for multicast replication in an overlay network
WO2015131560A1 (zh) Method for allocating segment routing labels and segment routing node
EP3342108B1 (en) Method and apparatus for supporting high availability
CN105745883B (zh) Forwarding table synchronization method, network device and system
EP3573292A1 (en) Forwarding detection of an aggregated interface
WO2018113792A1 (zh) Broadcast packet processing method and processing apparatus, controller and switch
US9832121B1 (en) Next hop instruction associations for forwarding unit programming within a network device
WO2015170204A1 (en) Implementing a 3g packet core in a cloud computer with openflow data and control planes
JP2011160363A (ja) Computer system, controller, switch, and communication method
JP7077367B2 (ja) Method for synchronizing topology information in an SFC network, and routing network element
WO2021042674A1 (zh) Port state configuration method and network device
Vaghani et al. A comparison of data forwarding schemes for network resiliency in software defined networking
WO2017000562A1 (zh) Fast reroute method and apparatus for ring networking
CN112953832B (zh) MAC address table entry processing method and apparatus
US9647924B2 (en) Propagating LDP MAC flush as TCN
CN109688062B (zh) Routing method and routing device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16859059; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 15768454; Country of ref document: US)
WWE Wipo information: entry into national phase (Ref document number: 2018521874; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 2016859059; Country of ref document: EP)