WO2017219272A1 - Packet forwarding method and device - Google Patents


Info

Publication number
WO2017219272A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
vlan
internal
network
virtual
Prior art date
Application number
PCT/CN2016/086696
Other languages
French (fr)
Chinese (zh)
Inventor
邹成钢
余劲锋
练海春
郭成绪
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2016/086696
Publication of WO2017219272A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • The present invention relates to the field of information and communication technology (ICT), and more particularly to a method and apparatus for forwarding packets.
  • VNF: virtualized network function
  • NF: network function
  • PF: physical function
  • VLAN ID: virtual local area network identifier
  • system VLAN ID: the system's own virtual local area network identifier
  • The VLAN ID of the internal virtual network is planned in a unified manner with the VLAN ID of the external virtual network, that is, the system uses the same VLAN ID as the user, which not only weakens the security of the network but also increases the complexity of network maintenance.
  • The embodiments of the invention provide a method and a device for forwarding a packet, which can improve network security and reduce the complexity of network operation and maintenance.
  • In a first aspect, a method for forwarding a packet is provided, including:
  • including the internal VLAN ID in a second packet to generate the second packet; and
  • sending the second packet to the general processing unit GPU.
  • Specifically, the general interface unit GIU receives a first packet that carries an external virtual local area network identifier (VLAN ID), and then determines the internal VLAN ID corresponding to the first packet.
  • The internal VLAN ID is the identifier that the first packet has in the internal virtual network. It is included in a second packet, the second packet is generated, and the second packet is sent to the GPU of the general processing device; the internal VLAN ID is thus used to separate the internal network of the virtual network from the external network, improving network security.
  • Because the user can plan the external network VLAN ID without being restricted by the internal VLAN ID planning, the complexity of network maintenance is also reduced.
  • The network type of the virtual network may be a VLAN virtual network or a trunk virtual network.
  • The first packet may be a packet carrying a VLAN ID.
  • If the packet received by the port does not carry a VLAN ID (when the virtual network is a Flat virtual network), the packet may first be converted into a packet carrying a VLAN ID, and the subsequent actions are then performed on it.
  • The method for forwarding a packet in the embodiment of the present invention improves the security of the network by determining the internal VLAN ID corresponding to the first packet and isolating the internal network of the virtual network from the external network according to that internal VLAN ID.
  • Optionally, the method further includes:
  • The GPU strips the internal VLAN ID from the second packet to obtain a fourth packet and sends the fourth packet to a virtual machine VM in the GPU; the GPU then obtains the data frame returned by the virtual machine.
  • The GPU tags that data frame or untagged packet (corresponding to the fourth packet) with the internal VLAN ID to obtain a third packet and sends it to the GIU.
  • The GIU converts the third packet into a fifth packet so that the fifth packet carries the external VLAN ID, and finally sends the fifth packet to the external port.
  • In this way the packet is forwarded from the external network to the internal network, and then from the internal network back to the external network.
  • Throughout, forwarding follows the correspondence between the internal VLAN ID and the external VLAN ID.
  • The internal virtual network and the external virtual network are thereby isolated, and the security of the network is ensured.
  • The planning of the external VLAN ID is not limited by the internal VLAN ID; as long as a correspondence exists, the complexity of network maintenance is reduced.
  • Optionally, after receiving the first packet of the virtual network, the method further includes determining an isolation rule, where
  • the isolation rule includes the correspondence between the identifier of the internal VLAN ID and the identifier of the external VLAN ID;
  • and including the internal VLAN ID in the second packet includes:
  • including the internal VLAN ID in the second packet according to the isolation rule, and generating the second packet.
  • The GIU can determine the isolation rule according to the network type of the virtual network. For example, for a VLAN virtual network and a trunk virtual network, the isolation rule includes the correspondence between the internal VLAN ID of the packet and the identifier of the external VLAN ID; the internal VLAN ID is then included in the second packet according to the isolation rule, and the second packet is generated.
  • Optionally, including the internal VLAN ID in the second packet according to the isolation rule and generating the second packet includes:
  • The GIU can directly replace the external VLAN ID of the first packet with the first internal VLAN ID by using a virtual local area network mapping rule (VLAN mapping rule) to generate the second packet.
  • VLAN mapping rule: virtual local area network mapping rule
  • Optionally, including the internal VLAN ID in the second packet according to the isolation rule and generating the second packet includes:
  • The GIU can add the first internal VLAN ID to the first packet according to a virtual local area network rule (QinQ rule) to obtain the second packet.
  • QinQ rule: virtual local area network (QinQ) rule
  • In a second aspect, a method for forwarding a packet is provided, including:
  • The general processing unit GPU receives the second packet sent by the GIU, where the second packet is generated by the GIU by including the internal VLAN ID corresponding to the first packet in the second packet. The GPU then processes the second packet to obtain a third packet, and sends the third packet to the GIU.
  • Optionally, processing the second packet to obtain the third packet includes:
  • stripping the internal VLAN ID from the second packet to obtain a fourth packet, and sending the fourth packet to the virtual machine VM; and
  • adding the internal VLAN ID to the fourth packet to obtain the third packet.
  • That is, after receiving the second packet, the GPU strips the internal VLAN ID from the second packet and sends the result to the virtual machine, obtains the data frame of the VM, and adds the internal VLAN ID to the data frame of the VM.
  • The third packet obtained in this way is sent to the GIU.
  • In a third aspect, a method for forwarding a packet is provided, including:
  • converting a received packet into a packet carrying a VLAN ID, where the packet carrying the VLAN ID includes a first packet or a second packet, the virtual local area network identifier of the first packet is a first VLAN ID,
  • the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • here the virtual network is a Flat network.
  • That is, the GIU converts a received packet that does not carry a virtual local area network identifier VLAN ID into a packet carrying a VLAN ID.
  • The packet carrying the VLAN ID includes the first packet or the second packet, where the virtual local area network identifier corresponding to the first packet is the first VLAN ID and the one corresponding to the second packet is the second VLAN ID.
  • The first VLAN ID is different from the second VLAN ID, and finally the first packet and the second packet are sent to the GPU.
  • The first VLAN ID and the second VLAN ID correspond to different VMs. Therefore, different VMs in the Flat network are network-isolated by introducing the first VLAN ID and the second VLAN ID, which satisfies the requirement for network isolation between different VMs.
  • Optionally, the first VLAN ID and the second VLAN ID may be determined by using VLAN mapping.
  • For example, the first VM and the second VM are isolated by a first internal VLAN ID and a second internal VLAN ID.
  • Optionally, the method further includes:
  • receiving a fourth packet processed by the GPU, where the fourth packet carries the first VLAN ID,
  • and a sixth packet that carries the second VLAN ID, where the second VM is different from the first VM;
  • The GIU receives the fourth packet processed by the GPU, where the GPU obtains the fourth packet by processing a third packet, and the third packet is the first packet with the first VLAN ID stripped, which the GPU sends to the first virtual machine VM.
  • That is, the GPU obtains the third packet by removing the first VLAN ID from the first packet, sends the third packet to the internal VM, and then receives the corresponding data frame (corresponding to the third packet) from the first VM.
  • The fourth packet, obtained by tagging the third packet with the first VLAN ID, is forwarded to the GIU.
  • The GIU sends the fourth packet to the external port.
  • Packets of the second VM are processed in the same way, except that the second VM corresponds to the second VLAN ID. Therefore, network isolation between different VMs is also implemented when packets are forwarded from the GPU to the GIU.
  • In a fourth aspect, a method for forwarding a packet is provided, including:
  • receiving a packet carrying a VLAN ID sent by the GIU, which the GIU converted from a packet not carrying a virtual local area network identifier VLAN ID, where the packet carrying the VLAN ID includes a first packet or a second packet,
  • the virtual local area network identifier of the first packet is a first VLAN ID,
  • the virtual local area network identifier of the second packet is a second VLAN ID, and
  • the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • stripping the first VLAN ID from the first packet to obtain a third packet, and processing the third packet to obtain a fourth packet, where the fourth packet carries the first VLAN ID;
  • stripping the second VLAN ID from the second packet to obtain a fifth packet, and processing the fifth packet to obtain a sixth packet, where the sixth packet carries the second VLAN ID.
  • That is, the GPU receives the packet carrying the VLAN ID, which includes the first packet or the second packet, where the first packet corresponds to the first VLAN ID
  • and the second packet corresponds to the second VLAN ID, the first VLAN ID being different from the second VLAN ID.
  • The GPU strips the first VLAN ID from the first packet to obtain the third packet, and then processes the third packet to obtain the fourth packet.
  • The fourth packet carries the first VLAN ID, and the GPU sends the fourth packet to the GIU.
  • The sixth packet is obtained in the same manner as the fourth packet, except that the sixth packet carries the second VLAN ID.
  • The method for forwarding a packet in the embodiment of the present invention isolates different VMs in the Flat network by introducing a first VLAN ID and a second VLAN ID, meeting the requirement for network isolation between different VMs.
  • In a fifth aspect, an apparatus for forwarding a packet is provided, configured to perform the method of the first aspect or any possible implementation of the first aspect, or the method of the third aspect or any possible implementation of the third aspect.
  • The apparatus comprises units for performing the method of the first aspect or any possible implementation of the first aspect, or units for performing the method of the third aspect or any possible implementation of the third aspect.
  • In a sixth aspect, an apparatus for forwarding a packet is provided, configured to perform the method of the second aspect or any possible implementation of the second aspect, or the method of the fourth aspect or any possible implementation of the fourth aspect.
  • The apparatus comprises units for performing the method of the second aspect or any possible implementation of the second aspect, or units for performing the method of the fourth aspect or any possible implementation of the fourth aspect.
  • An apparatus for forwarding a packet includes a processor, a memory and a communication interface.
  • The processor is coupled to the memory and to the communication interface.
  • The memory stores instructions for the processor to execute, and the communication interface communicates with other network elements under the control of the processor.
  • When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
  • A computer-readable medium stores a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • FIG. 1 is a schematic structural diagram of a specific networking scenario according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an example of a conventional process of forwarding a message in a virtualization scenario.
  • FIG. 3 is a schematic flowchart of a method for forwarding a message according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a specific example in accordance with an embodiment of the present invention.
  • FIG. 5A is a schematic diagram of an example of forwarding messages by different mapping rules.
  • FIG. 5B is a schematic illustration of another specific example in accordance with an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a method for forwarding a message according to an embodiment of the present invention.
  • FIG. 7 is a schematic illustration of another specific example in accordance with an embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of an apparatus for forwarding a message according to an embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of an apparatus for forwarding a message according to an embodiment of the present invention.
  • FIG. 10 is a structural diagram of an apparatus for forwarding a message according to an embodiment of the present invention.
  • FIG. 11 is a structural diagram of an apparatus for forwarding a message according to still another embodiment of the present invention.
  • The technical solution of the present invention can be applied to virtualization technology scenarios.
  • NFV: network function virtualization
  • NFV borrows IT virtualization technology so that many types of network devices can be consolidated onto industry-standard servers, switches and storage, which can be deployed in data centers, network nodes or users' homes.
  • This requires network functions to be implemented in software and run on a range of industry-standard server hardware, so that they can be migrated, instantiated and deployed at different locations in the network as needed, without installing new devices.
  • The ultimate goal of NFV is to replace the proprietary network element devices of the communication network with industry-standard x86 servers, storage and switching equipment.
  • On the one hand, IT equipment based on the x86 standard is low in cost, which saves operators a huge investment; on the other hand, an open application programming interface (API) helps operators gain more, and more flexible, network capabilities. Through the decoupling of software and hardware and functional abstraction, network device functions no longer depend on dedicated hardware; resources can be fully and flexibly shared, enabling rapid development and deployment of new services, as well as automatic deployment, elastic scaling, fault isolation and self-healing based on actual business requirements.
  • API: application programming interface
  • FIG. 1 shows a schematic structural diagram of a specific networking scenario according to an embodiment of the present invention. It should be understood that FIG. 1 is only taken as an example here and does not constitute a limitation of the present invention.
  • The data center (Data Center, "DC") includes DC1 and DC2.
  • DC1 and DC2 are different virtual centers or data centers.
  • DC1 includes two physical devices (Hosts, that is, physically existing computers): Host1 and Host2; DC2 includes three physical devices: Host1, Host2 and Host3.
  • The virtualized network functions (VNFs) include VNF1 (corresponding to a virtual network) and VNF2.
  • The virtual network function VNF1 includes three virtual machines (Virtual Machine, VM): VM1, VM2 and VM3.
  • VM: virtual machine
  • VNF2 includes three virtual machines: VM4, VM5 and VM6.
  • VM1 is connected to VNF1-NET1, and VNF1-NET1 is connected to the external network (for example, External Network-DC1) through the GPU panel port;
  • VXLAN Gateway1 is connected to VNF1-NET2;
  • VXLAN Gateway1 is connected to VXLAN-NET1-DC1;
  • VXLAN Gateway2 is connected to VXLAN-NET1-DC2;
  • VXLAN-NET1-DC1 and VXLAN-NET1-DC2 are connected to external network 2 (for example, External Network-DC12);
  • VM3 and VM4 are connected to Shared-Net1, which is connected to external network 3 (for example, External Network2-DC2);
  • VM4, VM5 and VM6 are connected to VNF2-NET3;
  • VM6 is connected to VNF2-NET2;
  • VNF2-NET2 is connected to external network 4 (for example, External Network3-DC2) through a general processing unit ("GPU") panel port.
  • GPU: general processing unit
  • VNF1-NET1 is in physical network 1; VNF1-NET2, VNF1-NET3, VNF2-NET2, VNF2-NET3 and so on are in physical network 2.
  • The virtual network where VNF1-NET1 is located is therefore not in the same physical network as the other virtual networks.
  • The virtual network where VNF1-NET1 is located may be of VLAN type or of Flat network type.
  • The lower end of each external network can continue to connect to different network functions ("NF", not shown), which is not limited here.
  • The virtual network provides an L2 interworking port.
  • Each virtual network consists of the ports connected to it (a VF, port or sub-port corresponding to the physical function PF) and the VLAN accessed by these ports.
  • The internal network of the virtual network can be understood as the network of the system, and the external network as the network planned by the user.
  • The VNF is composed of multiple components deployed on one or more VMs; the network element functions of the traditional network, such as the Mobility Management Entity (MME) in the 3GPP EPC,
  • the serving gateway (Serving GateWay, "S-GW") and the PDN gateway (PDN GateWay, "P-GW"), are virtualized.
  • A virtual network function is a concept of network architecture: it uses virtualization technology to split the functions of a network node into several functional blocks implemented in software, so that service deployment becomes software deployment and is no longer limited by the hardware architecture.
  • VNFs help organizations configure the network dynamically on demand regardless of the underlying architecture, greatly enhancing the automated management and agility of the telecommunications network.
  • The virtual network may be of different network types.
  • VLAN: virtual local area network
  • A VLAN virtual network is a network isolated by using a virtual network identifier (VLAN ID) within a physical network; that is, one physical network can correspond to multiple VLAN virtual networks.
  • A Flat virtual network corresponds to one physical network and does not use VLAN division; that is, one physical network can only correspond to one Flat virtual network.
  • A VxLAN virtual network is a network isolated by VxLAN.
  • VxLAN: virtual extensible local area network
  • OVS: Open vSwitch
  • VxLAN cannot be used when Netmap pass-through is used.
  • A trunk virtual network is a network isolated by using multiple VLAN IDs within a physical network; that is, one physical network may also correspond to multiple trunk virtual networks. Unlike a VLAN virtual network, a trunk virtual network is isolated by multiple VLAN IDs.
  • These virtual network types may be applied in a Huawei cloud operating system (FusionSphere, "FS") scenario or in an Embedded Versatile Infrastructure Management ("EVM") scenario.
  • The FS scenario is based on the OpenStack cloud operating system.
  • EVM is a software module that provides lightweight system virtualization management in wireless deployment scenarios with fewer than 5 nodes.
  • SR-IOV: single root I/O virtualization technology
  • PCIe: Peripheral Component Interconnect Express
  • The SR-IOV specification defines a standard by which new devices are created that allow virtual machines to be connected directly to I/O devices.
  • The embodiments of the present invention can be applied to an Elastic Virtual Switch ("EVS").
  • EVS is developed on the Huawei Virtual Unified Platform (UVP). It is an elastic virtual switch based on OVS forwarding technology that improves I/O performance while still conforming to the OpenFlow protocol standard.
  • The I/O performance improvement uses Intel DPDK technology to take over NIC transmission and reception in a user-space process, adopting "I/O exclusive core" technology, that is, each port is assigned a core dedicated to data forwarding.
  • This polling method is more efficient than interrupt-driven processing, so I/O performance is significantly improved.
  • UVP is the key technology platform of Huawei's cloud data center solution.
  • The scenarios and related technologies that may be involved in a virtualization scenario have been described above.
  • The user VLAN is, for example, the external network of the virtual network in FIG. 1,
  • and the system VLAN is, for example, the internal network of the virtual network in FIG. 1.
  • In the prior art, the user VLAN ID and the system VLAN ID are planned in a unified manner, that is, the user VLAN ID and the system VLAN ID share the same VLAN ID.
  • The problem is that when the user VLAN ID and the system VLAN ID are required not to overlap (that is, the external virtual network and the internal virtual network must not use duplicate IDs), adopting the unified planning method of the prior art may cause conflicts between the internal and external networks. Moreover, this requirement limits the user's planning of the external network VLAN ID, since the user must know and understand the internal network VLAN ID planning, which increases the complexity of network maintenance. In addition, because the internal network reserves part of the VLAN ID range in advance, and the reserved VLAN IDs may not be used by the user for network planning, the user has to take the constraints of the internal network into account, which limits the user's VLAN ID planning and affects the user's network planning.
  • FIG. 2 shows a schematic diagram of an example of a conventional process of forwarding a packet in a virtualization scenario.
  • The multi-function middle-scale switch board (MMX) acts like a switch or router and forwards the packets received from the GIU to the internal network,
  • where the general processing board GPU processes them, completing the packet forwarding process from the external network to the internal network.
  • The GIU receives the packet or data frame through its physical port and, without any processing, passes it directly to the MMX. The MMX then sends the packet or data frame from the GIU directly to the GPU, and the GPU delivers it to the virtual machine VM.
  • The internal VLAN ID of the packet in FIG. 2 is the same VLAN ID as the user VLAN ID, so there is no isolation between the internal network and the external network. That is, in the prior art, the VLAN ID planning of the internal network of the virtual network is unified with that of the external network, which increases the complexity of network planning and, because of the reserved IDs, adds constraints to the network planning. In addition, in the SR-IOV pass-through scenario the VLAN ID of a VLAN-type network does not support dynamic modification: once the user's network plan changes, the network can only be taken offline and brought online again, which has a large impact. Therefore, the present invention proposes a method for forwarding packets that addresses these problems, so that the internal network of the virtual network is automatically isolated from the external network.
  • FIG. 3 shows a schematic flowchart of a method 300 for forwarding a packet according to an embodiment of the present invention.
  • The method 300 can be performed by a GIU. As shown in FIG. 3, the method 300 includes:
  • The first packet may be a packet of the external network of the virtual network received by the GIU.
  • The packet may be received in different forms in different scenarios or for different virtual network types.
  • In one case the received packets are already VLAN packets and no conversion is required.
  • In another case the data frame needs to be converted into a VLAN packet at the GIU port. That is, there is no restriction on the form of the first packet, as long as it can reasonably be obtained in the end.
  • The GIU determines the internal VLAN ID corresponding to the first packet.
  • The so-called internal VLAN ID is the internal VLAN ID corresponding to the external VLAN ID of the first packet. That is, the first packet has a VLAN ID on both the internal network and the external network, and the VLAN ID of the internal network (the first internal VLAN ID) stands in a correspondence (or mapping relationship) with the VLAN ID of the external network. In this way, the VLAN ID of the first packet on the internal network and its VLAN ID on the external network need not be identical, as long as there is a correspondence between them.
  • The first internal VLAN ID is included in a second packet, and the second packet is generated.
  • That the GIU includes the internal VLAN ID in the second packet to generate the second packet means that the GIU carries the internal VLAN ID in the second packet in some form,
  • for example by replacement or by adding a new tag,
  • so that the GPU can learn the internal VLAN ID.
  • In short, the GIU receives the first packet, determines the first internal VLAN ID corresponding to the first packet, and includes the first internal VLAN ID in the second packet to generate the second packet.
  • The second packet is sent to the general processing unit GPU.
  • It should be understood that the sequence numbers of the above processes do not imply an order of execution; the order of execution of each process should be determined by its function and internal logic,
  • and does not constitute any limitation on the implementation of the embodiments of the present invention.
  • "First" and "second" in the embodiments of the present invention are only used to distinguish different objects, for example different packets, virtual machine VMs or VLAN IDs, and do not limit the present invention.
  • Optionally, the method further includes:
  • The GIU can receive a third packet sent by the GPU, where the third packet is obtained by the GPU processing a fourth packet, and the fourth packet is obtained by the GPU stripping the internal VLAN ID from the second packet
  • and is sent to the virtual machine VM.
  • The GPU does not need to consider how the VM uses or processes the untagged packet (the second packet with the internal VLAN ID removed) after receiving it.
  • The GPU only needs to know that the data frame or untagged packet obtained from the VM is a packet from which the internal VLAN ID has been stripped, that is, that the fourth packet is obtained by stripping the internal VLAN ID.
  • The processing of the fourth packet by the GPU refers to tagging the fourth packet with the internal VLAN ID to obtain the third packet.
  • The GIU converts the received third packet into a fifth packet, so that the fifth packet carries the external VLAN ID.
  • The GIU can convert the VLAN ID of the third packet to the external VLAN ID to obtain the fifth packet, or obtain the external VLAN ID by decapsulating the third packet.
  • Finally, the fifth packet is sent to the external port.
  • The method for forwarding a packet in the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network of the virtual network from the external network according to the internal VLAN ID, enhances network security and reduces the complexity of network operation and maintenance.
  • the method further includes:
  • the isolation rule includes an identifier corresponding to the identifier of the internal VLAN ID and the external VLAN ID;
  • the internal VLAN ID is included in the second packet, including:
  • the internal VLAN ID is included in the second packet according to the isolation rule, and the second packet is generated.
  • the GIU can automatically allocate the isolation rule according to the network type of the virtual network.
  • the network type of the virtual network can be the VLAN virtual network, the trunk virtual network, and the Flat virtual network described above, and the corresponding isolation is automatically determined according to different network types.
  • rule For example, for a VLAN virtual network and a flat virtual network, the isolation rule can adopt the VLAN mapping rule.
  • the isolation rule can use the Qinq rule. Of course, this is only an example, and the isolation rules are not limited to this.
  • the GIU includes the internal VLAN ID in the second packet according to the isolation rule to generate the second packet.
  • the internal VLAN ID is included in the second packet according to the isolation rule, and the second packet is generated, including:
  • the GIU can use the virtual local area network mapping rule to replace the external VLAN ID of the first packet with the internal VLAN ID to obtain the second packet, thereby realizing the replacement of the user VLAN ID and the internal system VLAN ID.
  • that is, the GIU uses VLAN mapping to replace the external VLAN ID of the first packet with the internal VLAN ID to obtain the second packet, which solves the isolation problem of the internal and external networks.
  • the VLAN ID of the virtual network can also be dynamically modified in this case, which solves the problem that the original OpenStack open source code cannot modify the VLAN ID.
  • VLAN mapping therefore solves the problem of isolating the internal and external networks and at the same time allows the VLAN ID to be dynamically modified, achieving two things at once.
  • the GIU can use VLAN mapping rules to replace the internal VLAN ID and the external VLAN ID.
  • VLAN mapping is also known as VLAN translation.
  • VLAN translation is a flexible form of QinQ: instead of adding a VLAN tag, different user VLANs are replaced with different VLANs, so that when a packet is forwarded it carries only one VLAN tag.
  • the method for forwarding a packet in the embodiment of the present invention when the virtual network is a VLAN network type is described in the following.
  • FIG. 4 shows a schematic diagram of a specific example according to an embodiment of the present invention. It should be noted that this is only to assist those skilled in the art to better understand the embodiments of the present invention and not to limit the scope of the embodiments of the present invention.
  • the small black frame in the figure is the physical port.
  • the virtual network is the VLAN network type.
  • the isolation rule is the VLAN mapping rule.
  • the GIU receives the first packet at the physical port (the black circle in the figure); the first packet is a VLAN packet and carries the external VLAN ID.
  • the GIU determines the internal VLAN ID of the first packet. When the first packet meets the VLAN mapping rule, the specific action according to the VLAN mapping rule is to directly replace the external VLAN ID of the packet with the internal VLAN ID to obtain the second packet. If the first packet does not meet the VLAN mapping rule, the first packet is directly discarded. Then the second packet is forwarded through the MMX.
  • on the GPU, the second packet is stripped of the internal VLAN ID to obtain the third packet, and the third packet is sent to the VM.
  • in the direction in which the GPU forwards the packet to the GIU through the MMX, the GPU obtains the untagged data frame of the VM (corresponding to the third packet), tags the third packet with the internal VLAN ID to obtain the fourth packet, and forwards the fourth packet to the GIU through the MMX.
  • when the GIU receives the fourth packet, if the fourth packet satisfies the VLAN mapping rule, the internal VLAN ID of the fourth packet is replaced with the corresponding external VLAN ID to obtain the fifth packet, which is sent to the external port.
  • the system network and the user network are isolated by the internal VLAN ID and the external VLAN ID, which avoids limitation of the user network planning.
  • the numbering of the packets here is flexible and is only for convenience of description; there is no conflict or limitation with the packet numbering used elsewhere in this description.
  • the VLAN mapping rule for virtual networks is described above.
  • the stacked virtual local area network rule (QinQ rule) is described next.
  • An embodiment in which the virtual network is a trunk network type in the embodiment of the present invention will be specifically described below.
  • the internal VLAN ID is included in the second packet according to the isolation rule, and the second packet is generated, including:
  • the GIU may encapsulate the corresponding internal VLAN ID on the outer VLAN ID of the first packet, thereby obtaining the second packet.
  • the GIU may adopt a stacking virtual local area network rule, such as a QinQ rule, to encapsulate a new VLAN ID (internal VLAN ID) on the external VLAN ID of the first packet to obtain a second packet, which can solve the isolation problem of the internal and external networks.
  • the essence of the QinQ rule is to extend the VLAN protocol. That is, a layer of VLAN tag is added to a VLAN packet to form a packet with two (or even more) layers of VLAN tags.
  • the purpose of QinQ was originally to solve the problem of insufficient VLAN space.
  • QinQ also brings three additional benefits: 1) users plan their own inner VLANs, which simplifies deployment; 2) a simple Layer 2 VPN function is provided; 3) the inner VLAN is not visible, which improves security.
  • the QinQ frame format adds a layer of VLAN tag to the VLAN frame. The difference between QinQ and VLAN is mainly the "Type" information of the VLAN tag.
  • the Type value of the QinQ outer VLAN tag is 0x88a8.
  • based on QinQ technology, VLAN tags are encapsulated differently for different applications:
  • Standard QinQ is port-based QinQ. The device encapsulates all packets allowed on the port with the default VLAN of the port as the outer tag. If the user packet does not carry a VLAN tag, only one layer of VLAN tag is encapsulated.
  • VLAN stacking is a flexible QinQ that adds different outer VLANs based on the user VLAN.
  • VLAN mapping is a flexible QinQ that, instead of adding a VLAN, replaces different user VLANs with different VLANs.
  • FIG. 5A is a schematic diagram showing an example of forwarding packets by different mapping rules, such as a schematic diagram of an example of a VLAN mapping rule and a QinQ rule. It should be noted that this is only to assist those skilled in the art to better understand the embodiments of the present invention and not to limit the scope of the embodiments of the present invention.
  • the left part of the figure is an example of the VLAN mapping rule, taking the packet shown in FIG. 5A as an example.
  • Payload can be understood as the payload or data; the external VLAN ID of the packet is Ctag: 1000, and the corresponding internal VLAN ID is Stag: 100.
  • the GIU determines the VLAN ID of the packet and replaces the external VLAN ID with the internal VLAN ID, that is, Ctag: 1000 is directly replaced with Stag: 100, and the packet carrying Stag: 100 is sent out (the host sends the packet to the GIU).
  • the right part of the figure is an example of QinQ, taking the packets carrying Ctag: 100 and Ctag: 101 (also shown in FIG. 5A) as an example.
  • the outer Stag: 200 is added, that is, the inner Ctag is unchanged and the outer Stag is added on top of it, and the packet is sent between the VM and the Host.
  • the packet is sent with Stag: 200 stripped (the transmission from the host to the GIU is not shown), and the Ctag is retained and sent to the VM.
  • when the trunk network function is implemented in VLAN transparent transmission mode, the "VLAN transparent transmission" network requires that only data frames within the configured VLAN ID range are received and transparently forwarded. In this way, external data frames are transparently transmitted into the internal virtual network, and the internal network and the external network cannot be isolated.
  • in that mode the VLAN ID of the virtual network also cannot be dynamically modified.
  • the embodiment of the present invention uses the QinQ rule to isolate the internal and external networks.
  • the packet forwarding process of the trunk network type is described with reference to the virtual network of FIG. 5B.
  • FIG. 5B shows a schematic diagram of another example of packet forwarding in accordance with an embodiment of the present invention. As shown in FIG. 5B:
  • the first packet received by the GIU at the entrance of the physical port is a VLAN packet, and the first packet carries an external VLAN ID; the GIU determines the internal VLAN ID of the first packet according to the isolation rule, for example, the isolation rule used by the trunk network type is the QinQ rule.
  • the specific action is to encapsulate the internal VLAN ID on the external VLAN ID of the first packet according to the QinQ rule to obtain the second packet; if the first packet does not satisfy the QinQ rule, the first packet is directly discarded. Then the second packet is forwarded to the GPU through the MMX and sent on to the virtual machine VM.
  • the GPU decapsulates the newly encapsulated internal VLAN ID of the second packet (retaining the external VLAN ID) to obtain the third packet, and then sends the third packet to the VM.
  • similarly, on the GPU, the GPU obtains the untagged data frame of the VM (corresponding to the third packet), encapsulates the outer layer of the third packet with the internal VLAN ID to obtain the fourth packet, and forwards the fourth packet through the MMX.
  • when the GIU receives the fourth packet, if the fourth packet satisfies the QinQ rule, the GIU decapsulates the internal VLAN ID of the fourth packet (retaining the external VLAN ID) to obtain the fifth packet, and sends the fifth packet to the external port. In this way, the system network and the user network are isolated by the internal VLAN ID and the external VLAN ID, which avoids limiting the user network planning.
  • the QinQ rule can also be used for processing, and details are not described herein.
  • the difference between the trunk network type and the VLAN network type lies in the isolation rule adopted.
  • the VLAN network type uses the VLAN mapping rule (that is, direct replacement), and the trunk network type uses the QinQ rule (that is, a new VLAN ID is encapsulated as the outer tag).
  • different isolation rules can be selected for the network types of different virtual networks.
  • the network type of the virtual network and the type of the isolation rule are not limited; a reasonable isolation rule corresponding to the virtual network may be selected according to the actual situation, which is not limited by the present invention.
  • the method for forwarding a packet in the embodiment of the present invention can improve the security of the network by determining the internal VLAN ID corresponding to the first packet and isolating the internal network and the external network of the virtual network according to the internal VLAN ID.
  • FIG. 6 shows a schematic diagram of a method of forwarding a message according to an embodiment of the present invention.
  • the method 600 is performed by a GPU. As shown in FIG. 6, the method 600 includes:
  • the internal VLAN ID corresponds to the external VLAN ID of the first packet;
  • the second packet is processed to obtain a third packet, where the third packet carries the internal VLAN ID;
  • the GPU receives the second packet sent by the GIU, where the second packet is generated by the GIU after the internal VLAN ID corresponding to the first packet is included in the second packet. After receiving the second packet, the GPU processes the second packet to obtain a third packet, so that the third packet carries the internal VLAN ID, and finally sends the third packet to the GIU.
  • the method for forwarding a packet in the embodiment of the present invention by determining an internal VLAN ID corresponding to the first packet, and isolating the internal network and the external network of the virtual network according to the internal VLAN ID, can enhance network security and reduce network operation and maintenance complexity.
  • the second packet is processed to obtain a third packet, including:
  • the fourth packet is obtained, and the fourth packet is sent to the virtual machine VM.
  • the internal VLAN ID is added to the fourth packet to obtain the third packet.
  • the GPU strips the internal VLAN ID from the received second packet to obtain the fourth packet, and sends the fourth packet to the virtual machine VM; the data frame (untagged packet) obtained from the VM then corresponds to the fourth packet.
  • the GPU adds the internal VLAN ID to the fourth packet to obtain the third packet, and sends the third packet to the GIU, so that the GIU processes the third packet and sends the packet to the external port.
  • the method for forwarding a packet in the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network and the external network of the virtual network according to the internal VLAN ID, can enhance network security and reduce network operation and maintenance complexity.
  • Embodiments in which the internal network and the external network in the virtual network are isolated are described above.
  • the specific case when the virtual network is of the Flat network type in the embodiment of the present invention will be described below.
  • when the virtual network is of the Flat network type, there is only one Flat network in the same physical network, so by default the Flat internal network is interworking, but the isolation of the Flat network between different VMs needs to be considered.
  • there is no problem of the internal network VLAN ID conflicting with the external network, and no problem of dynamically modifying the VLAN ID.
  • An embodiment of the isolation requirements between different virtual machines of the Flat virtual network will be described below.
  • the present invention further provides a method for forwarding a packet, which may also be performed by a GIU, where the GIU may be a GIU corresponding to multiple VMs; the number of GIUs is not limited, and one VM may correspond to one GIU, or multiple VMs may correspond to one GIU.
  • the method can include:
  • the packet carrying the VLAN ID includes the first packet or the second packet, where the virtual local area network identifier of the first packet is the first VLAN ID.
  • the virtual local area network identifier of the second packet is a second VLAN ID.
  • the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • the GIU needs to convert the packet of the Flat virtual network that does not carry a VLAN ID into a packet carrying a VLAN ID, such as the first packet or the second packet, where the GIU determines that the virtual local area network identifier of the first packet is the first VLAN ID and the virtual local area network identifier of the second packet is the second VLAN ID, and the first VLAN ID is different from the second VLAN ID.
  • the GIU then sends the first packet and the second packet to the GPU, so as to isolate different VMs.
  • the first packet carries the first VLAN ID and the second packet carries the second VLAN ID.
  • the first VLAN ID is different from the second VLAN ID.
  • the Flat network type considers the isolation request between different VMs, so different VMs need to be isolated by different VLAN IDs.
  • the default Flat internal network is interworking, but considering the need for Flat network isolation between different VMs, VLAN mapping is adopted uniformly inside the system to solve the problem.
  • in the EVM scenario, data frames carrying a VLAN ID are discarded and only data frames without a VLAN ID are allowed to pass through to the VM. Therefore, there is no problem of dynamically modifying the virtual network VLAN ID or of internal network conflicts in the EVM scenario; only the VLAN mapping rule needs to be adopted internally to satisfy the requirement of Flat network isolation between different VMs.
  • in the FS scenario there is likewise no problem of the internal network conflicting with the external network VLAN ID.
  • VLAN mapping rules can also be used there to satisfy the requirement of Flat network isolation between different VMs.
  • the method for forwarding a packet in the embodiment of the present invention isolates the network between different VMs by using the first VLAN ID and the second VLAN ID, thereby enhancing network security and reducing network operation and maintenance complexity.
  • the method may further include:
  • the GIU may further receive the fourth packet processed by the GPU for the third packet, where the third packet is the first packet stripped of the first VLAN ID by the GPU and sent to the first virtual machine VM, and the fourth packet carries the first VLAN ID.
  • the GPU processes the third packet by tagging it with the first VLAN ID to obtain the fourth packet.
  • the processing manner in which the GPU of the second VM forwards the packet to the GIU is similar to that of the first VM. That is, the GIU can also receive the sixth packet processed by the GPU for the fifth packet, where the fifth packet is the second packet stripped of the second VLAN ID by the GPU and sent to the second virtual machine VM, the sixth packet carries the second VLAN ID, and the second VM is different from the first VM.
  • the GPU processes the fifth packet by tagging it with the second VLAN ID to obtain the sixth packet.
  • the method for forwarding a packet in the embodiment of the present invention isolates networks between different VMs by using the first VLAN ID and the second VLAN ID, thereby enhancing network security.
  • the method is performed by a GPU, where the number of GPUs is not limited, and may be multiple or one.
  • the method includes:
  • the GPU receives the packet carrying a VLAN ID that the GIU converted from the packet not carrying a virtual local area network VLAN ID, where the packet carrying the VLAN ID includes the first packet or the second packet, the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • the fourth packet is obtained, and the third packet is a packet that is stripped of the first VLAN ID, and the fourth packet carries the first VLAN ID.
  • the sixth packet is obtained, and the fifth packet is used to strip the packet of the second VLAN ID, and the sixth packet carries the second VLAN ID;
  • the GPU receives the converted VLAN ID-enabled packet sent by the GIU, and the packet carrying the VLAN ID includes the first packet or the second packet, and the virtual local area network identifier of the first packet is the first VLAN ID.
  • the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs.
  • the GPU sends the third packet obtained by stripping the first VLAN ID to the first VM, then tags the data frame of the first VM (that is, the third packet) with the first VLAN ID to obtain the fourth packet, and sends the fourth packet to the GIU.
  • the processing of the second VM is similar to that of the first VM, and is not described here. The difference is that the second VM corresponds to the second VLAN ID.
  • the isolation requirements of different virtual machines can be isolated by using VLANID, which improves the security of the network.
  • the third packet is processed to obtain a fourth packet, including:
  • the first VLAN ID is added to the third packet to obtain the fourth packet, where the first VLAN ID corresponds to the first VM.
  • the fifth packet is processed to obtain a sixth packet, including:
  • the second VLAN ID is added to the fifth packet to obtain the sixth packet, where the second VLAN ID corresponds to the second VM.
  • the GPU needs to send the third packet to the VM first, then obtain the data frame (untagged packet) of the VM, that is, the third packet, then add the first VLAN ID to the third packet, and send the resulting fourth packet to the GIU.
  • similarly, the fifth packet needs to be processed to obtain the sixth packet.
  • the method for forwarding a packet in the embodiment of the present invention isolates networks between different VMs by using the first VLAN ID and the second VLAN ID, thereby enhancing network security.
  • FIG. 7 shows a schematic diagram of another specific example according to an embodiment of the present invention. It should be noted that this is only to assist those skilled in the art to better understand the embodiments of the present invention and not to limit the scope of the embodiments of the present invention.
  • FIG. 7 adds the related components of another virtual machine VM2, that is, the first virtual machine VM1 and the second virtual machine VM2 may each have their own corresponding GIU and GPU, but this is not limiting: multiple VMs may also correspond to the same components.
  • VM1 is first described.
  • the GPU strips the first VLAN ID carried by the first packet to obtain the third packet, and then sends the third packet to VM1, completing the forwarding.
  • the packet needs to be processed when it is sent from the GPU to the GIU.
  • after the GPU obtains the data frame from VM1, it adds the first VLAN ID, and after obtaining the fourth packet, sends it to the GIU through the MMX; the GIU sends the fourth packet to the external port.
  • the processing for VM2 is similar: the second packet carries the second VLAN ID, and the packet stripped of the second VLAN ID is sent to VM2.
  • after the GPU obtains the data frame from VM2, it adds the second VLAN ID to obtain the sixth packet, which is sent to the GIU through the MMX, and the GIU sends the sixth packet to the external port.
  • for example, VM1 has a VLAN ID of X and VM2 has a VLAN ID of Y, where X and Y are different values.
  • the Flat network of VM1 and the Flat network of VM2 are isolated by X and Y, thereby satisfying the isolation request between different VMs in the Flat network.
  • only two VMs are taken as an example here, and in practice, applications of multiple VMs can be extended, which is not limited.
  • the method for forwarding a message according to the embodiment of the present invention can isolate the internal network between different VMs in the virtual network according to the first VLAN ID and the second VLAN ID, thereby enhancing network security.
  • first VM and the second VM are taken as an example.
  • the number of VMs is not limited, and more VMs may be separated by more VLAN IDs.
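  • The three forwarding flows described above (VLAN mapping for the VLAN network type in FIG. 4, QinQ for the trunk network type in FIG. 5B, and per-VM VLAN IDs for the Flat network type in FIG. 7) can be demonstrated on real Ethernet frames. The following is an added example, not code from the patent or from Huawei's implementation: it assumes a frame layout of destination MAC, source MAC, a stack of 802.1Q/802.1ad tags (outer tag TPID 0x88a8 when two tags are present, as the page notes) and an EtherType, and it models the GIU and GPU as two small classes whose method names are hypothetical. A frame that does not satisfy the isolation rule is discarded (returns None), which is the check the page attaches to both the ingress and the egress direction.

```python
import struct

TPID_8021Q = 0x8100   # TPID of a single VLAN tag (C-tag)
TPID_8021AD = 0x88A8  # TPID of the outer tag of a QinQ frame (S-tag)
TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vids, ethertype, payload).

    vids lists the VLAN IDs of the tag stack outer-first; untagged gives []."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] in TPIDS:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def build_frame(dst, src, vids, ethertype, payload):
    """Inverse of parse_frame; a two-tag stack gets 0x88a8 on the outer tag."""
    out = dst + src
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (i == 0 and len(vids) > 1) else TPID_8021Q
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


class Giu:
    """GIU side: converts between external and internal VLAN IDs at the physical port.

    rule is "vlan_mapping" (VLAN and Flat network types) or "qinq" (trunk network
    type); ext_to_int maps external VLAN ID -> internal VLAN ID, with the key None
    standing for an untagged frame (Flat network). Hypothetical class, see lead-in."""

    def __init__(self, rule, ext_to_int):
        if rule not in ("vlan_mapping", "qinq"):
            raise ValueError(rule)
        self.rule = rule
        self.ext_to_int = dict(ext_to_int)
        self.int_to_ext = {v: k for k, v in ext_to_int.items()}
        self.internal_ids = set(ext_to_int.values())

    def ingress(self, first):
        """First packet from the external port -> second packet, or None if discarded."""
        dst, src, vids, et, pl = parse_frame(first)
        key = vids[0] if vids else None
        if key not in self.ext_to_int:
            return None                          # isolation rule not satisfied: drop
        internal = self.ext_to_int[key]
        if self.rule == "vlan_mapping":
            vids = [internal] + vids[1:]         # replace the user Ctag with the Stag
        else:
            vids = [internal] + vids             # push the Stag; inner Ctag unchanged
        return build_frame(dst, src, vids, et, pl)

    def egress(self, fourth):
        """Fourth packet from the GPU -> fifth packet for the external port, or None."""
        dst, src, vids, et, pl = parse_frame(fourth)
        if not vids or vids[0] not in self.internal_ids:
            return None
        if self.rule == "vlan_mapping":
            ext = self.int_to_ext[vids[0]]       # Stag back to Ctag (or back to untagged)
            vids = ([ext] if ext is not None else []) + vids[1:]
        else:
            vids = vids[1:]                      # pop the Stag, keep the user Ctag
        return build_frame(dst, src, vids, et, pl)


class Gpu:
    """GPU side: strips the internal VLAN ID towards the VM, re-adds it towards the GIU."""

    def __init__(self, internal_id):
        self.internal_id = internal_id

    def to_vm(self, second):
        dst, src, vids, et, pl = parse_frame(second)
        if not vids or vids[0] != self.internal_id:
            return None                          # not this VM's internal VLAN: drop
        return build_frame(dst, src, vids[1:], et, pl)

    def from_vm(self, frame):
        dst, src, vids, et, pl = parse_frame(frame)
        return build_frame(dst, src, [self.internal_id] + vids, et, pl)


def round_trip(rule, ext_to_int, external_vid, internal_id):
    """Drive one constructed frame external port -> GIU -> GPU -> VM -> GPU -> GIU.

    Returns the tag stack seen at each of the five stages."""
    giu, gpu = Giu(rule, ext_to_int), Gpu(internal_id)
    tags = [external_vid] if external_vid is not None else []
    # constructed sample frame: broadcast dst, locally administered src, IPv4 EtherType
    first = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", tags, 0x0800, b"data")
    second = giu.ingress(first)
    third = gpu.to_vm(second)
    fourth = gpu.from_vm(third)       # the VM answers with the tag stack it received
    fifth = giu.egress(fourth)
    return [parse_frame(f)[2] for f in (first, second, third, fourth, fifth)]
```

  • With the values of FIG. 5A, `round_trip("vlan_mapping", {1000: 100}, 1000, 100)` shows the VM receiving an untagged frame while the system side only ever sees Stag 100, and `round_trip("qinq", {101: 200}, 101, 200)` shows the user's Ctag 101 surviving under Stag 200 and reappearing alone at the external port. The Flat case `{None: 7}` is the same VLAN mapping rule with "untagged" as the external side: a tagged frame arriving on that port is not in the mapping and is dropped, which is the EVM behaviour described above.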
  • a Cloud EPS Distribute (CED) may be adopted.
  • the CED is used to implement automatic allocation of internal network VLAN IDs, so that the isolation of the internal network VLAN IDs is implemented automatically.
  • the CED can add internal and external network identification parameters to the network template of the VM.
  • the user does not need to pay attention to the internal VLAN ID in the template.
  • the VLAN ID of the external interconnection must be input.
  • the CED automatically assigns an internal VLAN ID between 2 and 4094 for the internal network.
  • the VLAN ID of the external network is mapped to the automatically assigned internal VLAN ID.
  • a Hardware Infrastructure Manager (HIM) may also be adopted.
  • the HIM is used to generate the QinQ/VLAN mapping rules, and the configurations are delivered to the hardware.
  • the HIM can be integrated on the GIU or GPU described above, or at another reasonable location.
  • the CED can be considered as a data source for the HIM.
  • the CED creates a virtual network according to the VNF module, and sends the information or data to the HIM according to the type of the external virtual network and the mapping relationship between the internal and external VLAN IDs.
  • the HIM generates the QinQ/VLAN mapping rule based on the configured port VLAN, network type, and internal and external VLAN information, and delivers the rule to the GIU or GPU port, in order to implement the method for forwarding packets according to the embodiment of the present invention. It is to be understood that this description is not to be construed as limiting the invention.
  • the size of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
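  • The CED/HIM division described above (automatic allocation of internal VLAN IDs in the range 2 to 4094, one mapping per external network for the VLAN and trunk types and one VLAN ID per VM for the Flat type, followed by generation of the QinQ/VLAN mapping rule for the port) can be modelled as a small allocator plus a rule generator. The following is an added example and not Huawei's CED or HIM code: the `NetworkTemplate` fields, the rule dictionaries and the class and method names are all assumptions, and the only values taken from the page are the 2..4094 range and the choice of VLAN mapping for the VLAN/Flat types and QinQ for the trunk type. It also includes a check of the property the allocation is meant to guarantee (no internal VLAN ID shared by two different external networks or two different Flat VMs) and raises when the internal ID space is exhausted rather than silently reusing an ID.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERNAL_VID_RANGE = range(2, 4095)   # 2..4094, the range the page gives for CED allocation


@dataclass(frozen=True)
class NetworkTemplate:
    """One network entry of a VM template (assumed shape, not the project's format)."""
    vm: str
    port: str                            # GIU/GPU port the rule is delivered to (assumed)
    network_type: str                    # "vlan", "trunk" or "flat"
    external_vid: Optional[int] = None   # external interconnection VLAN ID; None for Flat


class Ced:
    """Cloud EPS Distribute: allocates internal VLAN IDs automatically (hypothetical model)."""

    def __init__(self):
        self._free = iter(INTERNAL_VID_RANGE)
        self.by_external: Dict[Tuple[str, int], int] = {}   # (type, external VID) -> internal VID
        self.by_vm: Dict[str, int] = {}                      # Flat: one internal VID per VM

    def _fresh(self) -> int:
        try:
            return next(self._free)
        except StopIteration:
            raise RuntimeError("internal VLAN ID space 2..4094 exhausted") from None

    def allocate(self, tpl: NetworkTemplate) -> int:
        """Internal VLAN ID for one template entry.

        VLAN/trunk: one internal ID per external VLAN ID, shared by every VM on that
        external network. Flat: one internal ID per VM, so VMs sharing the Flat
        network are isolated from each other (the X and Y of FIG. 7)."""
        if tpl.network_type == "flat":
            if tpl.vm not in self.by_vm:
                self.by_vm[tpl.vm] = self._fresh()
            return self.by_vm[tpl.vm]
        if tpl.network_type not in ("vlan", "trunk"):
            raise ValueError(f"unknown network type {tpl.network_type!r}")
        if tpl.external_vid is None or tpl.external_vid not in range(1, 4095):
            raise ValueError(f"{tpl.vm}: a valid external VLAN ID must be input for {tpl.network_type}")
        key = (tpl.network_type, tpl.external_vid)
        if key not in self.by_external:
            self.by_external[key] = self._fresh()
        return self.by_external[key]


class Him:
    """Hardware Infrastructure Manager: turns CED data into per-port isolation rules."""

    @staticmethod
    def rule(tpl: NetworkTemplate, internal_vid: int) -> dict:
        base = {"vm": tpl.vm, "port": tpl.port}
        if tpl.network_type == "trunk":    # trunk: QinQ, internal ID pushed as the outer Stag
            return {**base, "rule": "qinq", "inner": tpl.external_vid, "outer": internal_vid}
        # VLAN: Ctag replaced by Stag; Flat: untagged (None) frames mapped to the VM's VID
        return {**base, "rule": "vlan_mapping", "external": tpl.external_vid, "internal": internal_vid}


def plan(templates: List[NetworkTemplate]) -> List[dict]:
    """CED allocation followed by HIM rule generation, in template order."""
    ced = Ced()
    return [Him.rule(t, ced.allocate(t)) for t in templates]


def check_isolation(rules: List[dict]) -> bool:
    """Verify the property the rules must give: each internal VLAN ID lies in 2..4094
    and is owned by exactly one external network (or exactly one Flat VM)."""
    owners: Dict[int, tuple] = {}
    for r in rules:
        if r["rule"] == "qinq":
            internal, owner = r["outer"], ("qinq", r["inner"])
        elif r["external"] is not None:
            internal, owner = r["internal"], ("vlan_mapping", r["external"])
        else:
            internal, owner = r["internal"], ("flat", r["vm"])
        if internal not in INTERNAL_VID_RANGE or owners.setdefault(internal, owner) != owner:
            return False
    return True
```

  • `plan` is the data flow the page describes (CED as data source, HIM as rule generator), and `check_isolation` is the kind of assertion an operator can run over the generated rule set before it is delivered to the hardware, since two VMs or two external networks accidentally sharing an internal VLAN ID would silently undo the isolation.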
  • FIG. 8 shows a schematic block diagram of an apparatus 800 for forwarding a message in accordance with an embodiment of the present invention. As shown in FIG. 8, the apparatus 800 includes:
  • the receiving module 810 is configured to receive a first packet of the virtual network, where the first packet carries an external virtual local area network identifier (VLANID);
  • the determining module 820 is configured to determine an internal VLAN ID corresponding to the first packet received by the receiving module 810, where the internal VLAN ID indicates a corresponding identifier of the first packet in the internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID;
  • the processing module 830 is configured to include the internal VLAN ID determined by the determining module 820 into the second packet, to generate the second packet.
  • the sending module 840 is configured to send the second packet to the universal processing board GPU.
  • the apparatus for forwarding a packet in the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network and the external network of the virtual network according to the internal VLAN ID, can enhance network security and reduce network operation and maintenance complexity.
  • the receiving module 810 is further configured to receive a third packet sent by the GPU, where the third packet is a packet processed by the GPU for the fourth packet, the fourth packet is the second packet stripped of the internal VLAN ID by the GPU and sent to the virtual machine VM, and the third packet carries the internal VLAN ID;
  • the processing module 830 is further configured to convert the third packet into a fifth packet, where the fifth packet carries the external VLAN ID;
  • the sending module 840 is further configured to send the fifth packet to an external port.
  • the determining module 820 is specifically configured to:
  • determine the isolation rule of the virtual network, where the isolation rule includes the correspondence between the internal VLAN ID and the external VLAN ID;
  • the processing module 830 is further configured to:
  • the internal VLAN ID is included in the second packet according to the isolation rule determined by the determining module, and the second packet is generated.
  • processing module 830 is specifically configured to:
  • the apparatus for forwarding a packet in the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network and the external network of the virtual network according to the internal VLAN ID, can enhance network security and reduce network operation and maintenance complexity.
  • the apparatus 800 for forwarding a packet according to an embodiment of the present invention may perform the method of forwarding a packet according to an embodiment of the present invention, and the foregoing and other operations and/or functions of the respective modules in the apparatus 800 respectively implement the corresponding processes of the foregoing methods; for the sake of brevity, they are not described here again.
  • FIG. 9 shows a schematic block diagram of an apparatus 900 for forwarding a message in accordance with an embodiment of the present invention.
  • the apparatus 900 includes:
  • the receiving module 910 is configured to receive the second packet sent by the universal interface board GIU, where the second packet is generated after the internal VLAN ID corresponding to the first packet is included in the second packet, the internal VLAN ID indicates the corresponding identifier of the first packet in the internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID of the first packet;
  • the processing module 920 is configured to process the second packet to obtain a third packet, where the third packet carries the internal VLAN ID;
  • the sending module 930 is configured to send the third packet obtained by the processing module 920 to the GIU.
  • processing module 920 is specifically configured to:
  • the fourth packet is obtained, and the fourth packet is sent to the virtual machine VM.
  • the internal VLAN ID is added to the fourth packet to obtain the third packet.
  • the apparatus for forwarding a packet in the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network and the external network of the virtual network according to the internal VLAN ID, can enhance network security and reduce network operation and maintenance complexity.
  • the apparatus 900 for forwarding a packet according to an embodiment of the present invention may perform the method of forwarding a packet according to an embodiment of the present invention, and the foregoing and other operations and/or functions of the respective modules in the apparatus 900 respectively implement the corresponding processes of the foregoing methods; for the sake of brevity, they are not described here again.
  • the embodiment of the present invention further provides a device for forwarding a message, where the device may be a GIU side, and the device includes:
  • a receiving module configured to receive a packet of a Flat virtual network that does not carry a virtual local area network VLAN ID;
  • a processing module configured to convert the packet that does not carry the VLAN ID into a packet that carries a VLAN ID, where the packet carrying the VLAN ID includes the first packet or the second packet, the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • a sending module configured to send the first packet and the second packet to a GPU of the general-purpose processing board.
  • the device for forwarding a packet in the embodiment of the present invention can satisfy the isolation request between different VMs by using the first VLAN ID and the second VLAN ID, and can enhance the security of the network.
  • the receiving module is further configured to:
  • receive the fourth packet processed by the GPU for the third packet, where the third packet is the first packet stripped of the first VLAN ID by the GPU and sent to the first virtual machine VM, and the fourth packet carries the first VLAN ID;
  • the receiving module is further configured to: receive the sixth packet processed by the GPU for the fifth packet, where the fifth packet is the second packet stripped of the second VLAN ID by the GPU and sent to the second virtual machine VM, the sixth packet carries the second VLAN ID, and the second VM is different from the first VM;
  • the processing module is further configured to: convert the fourth packet into a seventh packet, where the seventh packet carries the first VLANID;
  • the processing module is further configured to: convert the sixth packet into an eighth packet, where the eighth packet carries the second VLAN ID;
  • the sending module is also used to:
  • the seventh message and the eighth message are sent to an external port.
  • the device for forwarding a packet in the embodiment of the present invention can satisfy the isolation request between different VMs by using the first VLAN ID and the second VLAN ID, and can enhance the security of the network.
  • the embodiment of the present invention further provides a device for forwarding a message, where the device may be a GPU side, and the device includes:
  • a receiving module configured to receive the packet carrying a VLAN ID that the GIU converted from the packet not carrying a virtual local area network VLAN ID, where the packet carrying the VLAN ID includes the first packet or the second packet, the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machine VMs;
  • a first processing module configured to process the third packet to obtain a fourth packet, where the third packet is the first packet stripped of the first VLAN ID, and the fourth packet carries the first VLAN ID;
  • a second processing module configured to process the fifth packet to obtain a sixth packet, where the fifth packet is the second packet stripped of the second VLAN ID, and the sixth packet carries the second VLAN ID;
  • a sending module configured to send the fourth packet and the sixth packet to the GIU.
  • the device for forwarding packets in the embodiment of the present invention satisfies the isolation request between different VMs by using the first VLAN ID and the second VLAN ID, which can enhance network security and reduce network operation and maintenance complexity.
  • the first processing module is specifically configured to:
  • the second processing module is specifically configured to: add the second VLAN ID to the fifth packet to obtain the sixth packet, where the second VLAN ID corresponds to the second VM.
  • the device for forwarding packets in this embodiment of the present invention can meet the isolation requirement between different VMs by using the first VLAN ID and the second VLAN ID, and can enhance the security of the network.
  • FIG. 10 shows the structure of a device for forwarding packets according to still another embodiment of the present invention, comprising at least one processor 1002 (for example, a CPU), at least one network interface 1005 or other communication interface, a memory 1006, and at least one communication bus 1003, which is used to implement connection and communication between these components.
  • the processor 1002 is configured to execute executable modules, such as computer programs, stored in the memory 1006.
  • the memory 1006 may include a high speed random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
  • a communication connection with at least one other network element is achieved by at least one network interface 1005, which may be wired or wireless.
  • the memory 1006 stores a program 10061, and the processor 1002 executes the program 10061 for performing the method of forwarding a message on the GIU side of the foregoing embodiment of the present invention.
  • FIG. 11 shows the structure of a device for forwarding packets according to still another embodiment of the present invention, comprising at least one processor 1102 (for example, a CPU), at least one network interface 1105 or other communication interface, a memory 1106, and at least one communication bus 1103, which is used to implement connection and communication between these components.
  • the processor 1102 is configured to execute executable modules, such as computer programs, stored in the memory 1106.
  • the memory 1106 may include a high speed random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
  • a communication connection with at least one other network element is achieved by at least one network interface 1105 (which may be wired or wireless).
  • the memory 1106 stores a program 11061, and the processor 1102 executes the program 11061 to perform the method of forwarding packets on the GPU side of the foregoing embodiment of the present invention.
  • the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another manner of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the storage medium includes any medium that can store program code, such as a USB flash drive (U disk), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Abstract

Disclosed are a packet forwarding method and device. The method comprises: receiving a first packet of a virtual network, the first packet carrying an external virtual local area network identifier (VLANID); determining an internal VLANID corresponding to the first packet, the internal VLANID indicating an identifier of the first packet in an internal virtual network, and the internal VLANID corresponding to the external VLANID; incorporating the internal VLANID into a second packet to generate the second packet; and sending the second packet to a general processing unit (GPU). The packet forwarding method and device of the embodiments of the present invention can improve network security and reduce the complexity of network operation and maintenance, thereby ensuring isolation within the network.

Description

Method and device for forwarding packets
Technical field
The present invention relates to the field of information and communication technology (ICT), and more particularly to a method and device for forwarding packets.
Background art
Virtualization of telecommunication functions is currently in strong demand from operators and represents the evolutionary trend of service networks. Even when telecommunication functions are virtualized, the communication functions inside a telecommunication device (network element) and between telecommunication devices remain indispensable: for example, communication is still needed inside a virtualized network function (VNF), between VNFs, and between a VNF and a physical network function (PNF) in order to implement the different network functions (NFs) or physical functions (PFs). In a virtualized scenario, when network elements communicate with each other, the user virtual local area network identifier (VLAN ID) and the system VLAN ID need to be planned so that the user (external virtual network) and the system (internal virtual network) can communicate.
However, in the prior art the VLAN IDs of the internal virtual network and those of the external virtual network are planned uniformly across the different virtual networks, that is, the system and the user use the same VLAN IDs. This not only affects the security of the network but also increases the complexity of network maintenance.
Summary of the invention
Embodiments of the present invention provide a method and device for forwarding packets that can improve network security and reduce the complexity of network operation and maintenance.
In a first aspect, a method for forwarding packets is provided, including:
receiving a first packet of a virtual network, where the first packet carries an external virtual local area network identifier (VLAN ID);
determining an internal VLAN ID corresponding to the first packet, where the internal VLAN ID is the identifier that corresponds to the first packet in the internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID;
including the internal VLAN ID in a second packet, thereby generating the second packet; and
sending the second packet to a general-purpose processing board (GPU).
In the packet forwarding method of this embodiment, a general-purpose interface board (GIU) receives the first packet, which carries the external VLAN ID, determines the internal VLAN ID corresponding to the first packet (the identifier that corresponds to the first packet in the internal virtual network), includes the internal VLAN ID in the second packet to generate it, and sends the second packet to the GPU. Because the internal VLAN ID and the external VLAN ID separate the internal network of the virtual network from the external network, network security is improved; in addition, users planning external VLAN IDs are no longer constrained by the internal VLAN ID specification, which reduces the complexity of network maintenance.
In embodiments of the present invention, the network type of the virtual network may be a VLAN virtual network or a trunk virtual network.
In embodiments of the present invention, the first packet may be a packet carrying a VLAN ID. Optionally, if the packet received by the port does not carry a VLAN ID (when the virtual network is a flat virtual network), the packet without a VLAN ID may first be converted into a packet carrying a VLAN ID, after which the subsequent actions are performed.
The packet forwarding method of this embodiment determines the internal VLAN ID corresponding to the first packet and isolates the internal network of the virtual network from the external network according to that internal VLAN ID, which strengthens network security.
In some possible implementations, the method optionally further includes:
receiving a third packet sent by the GPU, where the third packet is obtained by the GPU processing a fourth packet, the fourth packet being the second packet from which the GPU has stripped the internal VLAN ID before delivering it to a virtual machine (VM), and where the third packet carries the internal VLAN ID;
converting the third packet into a fifth packet, where the fifth packet carries the external VLAN ID; and
sending the fifth packet to an external port.
Here, the GPU strips the internal VLAN ID from the second packet to obtain the fourth packet and delivers the fourth packet to the VM in the GPU, thereby obtaining the VM's data frame; the GPU then tags that data frame, or untagged packet (corresponding to the fourth packet), with the internal VLAN ID to obtain the third packet, which it sends to the GIU. After receiving the third packet, the GIU converts it into the fifth packet so that the fifth packet carries the external VLAN ID, and finally sends the fifth packet to the external port. In this way, whether a packet is forwarded from the external network to the internal network or from the internal network back to the external network, forwarding always follows the correspondence between the internal VLAN ID and the external VLAN ID, which isolates the internal virtual network from the external virtual network and ensures network security. Moreover, the planning of external VLAN IDs need not be constrained by the internal VLAN IDs; a correspondence is all that is required, which reduces the complexity of network maintenance.
In some possible implementations, after receiving the first packet of the virtual network, the method further includes:
determining an isolation rule according to the network type of the virtual network, where the isolation rule includes the correspondence between the internal VLAN ID and the external VLAN ID;
where including the internal VLAN ID in the second packet includes:
including the internal VLAN ID in the second packet according to the isolation rule, thereby generating the second packet.
The GIU can determine the isolation rule according to the network type of the virtual network, for example a VLAN virtual network or a trunk virtual network. The isolation rule includes the correspondence between the packet's internal VLAN ID and its external VLAN ID; the GIU then includes the internal VLAN ID in the second packet according to this isolation rule, generating the second packet.
Optionally, in some possible implementations, including the internal VLAN ID in the second packet according to the isolation rule and generating the second packet includes:
replacing the external VLAN ID of the first packet with the internal VLAN ID according to a virtual local area network mapping rule, thereby generating the second packet, where the virtual local area network mapping rule is the isolation rule.
Here, when the virtual network is of the VLAN network type, the GIU can directly replace the external VLAN ID of the first packet with the first internal VLAN ID through a virtual local area network mapping rule (VLAN Mapping rule) to generate the second packet.
Optionally, in some possible implementations, including the internal VLAN ID in the second packet according to the isolation rule and generating the second packet includes:
adding the internal VLAN ID to the first packet according to a stacked virtual local area network rule, thereby generating the second packet, where the stacked virtual local area network rule is the isolation rule.
Here, when the virtual network is of the trunk network type, the GIU can add the first internal VLAN ID to the first packet through a stacked virtual local area network rule (QinQ rule) to obtain the second packet.
In a second aspect, a method for forwarding packets is provided, including:
receiving a second packet sent by a general-purpose interface board (GIU), the second packet having been generated by including in it the internal VLAN ID corresponding to a first packet, where the internal VLAN ID is the identifier that corresponds to the first packet in the internal virtual network and corresponds to the external VLAN ID of the first packet;
processing the second packet to obtain a third packet, where the third packet carries the internal VLAN ID; and
sending the third packet to the GIU.
In the packet forwarding method of this embodiment, the general-purpose processing board (GPU) receives the second packet sent by the GIU, which the GIU generated by including the internal VLAN ID corresponding to the first packet in the second packet; the GPU then processes the second packet to obtain the third packet and sends the third packet to the GIU.
In some possible implementations, processing the second packet to obtain the third packet includes:
stripping the internal VLAN ID from the second packet to obtain a fourth packet, and delivering the fourth packet to a virtual machine (VM);
obtaining a data frame of the VM, where the data frame of the VM corresponds to the fourth packet; and
adding the internal VLAN ID to the fourth packet to obtain the third packet.
After receiving the second packet, the GPU strips its internal VLAN ID and delivers it to the virtual machine, obtains the VM's data frame, and then adds the internal VLAN ID to that data frame to obtain the third packet, so that it can send the third packet to the GIU.
In a third aspect, a method for forwarding packets is provided, including:
receiving a packet of a flat virtual network that does not carry a virtual local area network identifier (VLAN ID);
converting the packet that does not carry a VLAN ID into a packet carrying a VLAN ID, where the packet carrying a VLAN ID is a first packet or a second packet, the VLAN ID of the first packet is a first VLAN ID, the VLAN ID of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs); and
sending the first packet and the second packet to a general-purpose processing board (GPU).
In this embodiment the virtual network is a flat network. When different VMs in the flat network need to be isolated from one another, the GIU converts the received packet that does not carry a VLAN ID into a packet carrying a VLAN ID, which is a first packet or a second packet: the VLAN ID corresponding to the first packet is a first VLAN ID, the VLAN ID corresponding to the second packet is a second VLAN ID, and the first VLAN ID differs from the second VLAN ID. The GIU finally sends the first packet and the second packet to the GPU. The first VLAN ID and the second VLAN ID are VLAN IDs assigned to different VMs. Introducing the first VLAN ID and the second VLAN ID therefore isolates the different VMs in the flat network from one another at the network level, meeting the requirement for network isolation between VMs.
Here, the first VLAN ID and the second VLAN ID can be determined using VLAN Mapping.
Here, taking into account the isolation requirement between different VMs inside the flat network, internal isolation is performed by VLAN ID; for example, the first VM and the second VM are isolated from each other by the first internal VLAN ID and the second internal VLAN ID.
In some possible implementations, the method optionally further includes:
receiving from the GPU a fourth packet obtained by processing a third packet, where the third packet is the first packet from which the GPU has stripped the first VLAN ID before delivering it to a first virtual machine (VM), and where the fourth packet carries the first VLAN ID;
receiving from the GPU a sixth packet obtained by processing a fifth packet, where the fifth packet is the second packet from which the GPU has stripped the second VLAN ID before delivering it to a second virtual machine (VM), where the sixth packet carries the second VLAN ID, and the second VM is different from the first VM; and
sending the fourth packet and the sixth packet to an external port.
The GIU receives from the GPU the fourth packet obtained by processing the third packet, where the third packet is the first packet from which the GPU stripped the first VLAN ID before delivering it to the first VM, and the fourth packet carries the first VLAN ID. That is, the GPU strips the first VLAN ID from the first packet to obtain the third packet and delivers it to the internal first VM; it then receives the corresponding data frame from the first VM (corresponding to the third packet), tags that third packet with the first VLAN ID to obtain the fourth packet, and forwards the fourth packet to the GIU. The GIU sends the fourth packet to the external port. Packets of the second VM are forwarded in the same way, the only difference being that the second VM corresponds to the second VLAN ID. Network isolation between different VMs is thus also achieved when packets are forwarded from the GPU to the GIU.
In a fourth aspect, a method for forwarding packets is provided, including:
receiving from a general-purpose interface board (GIU) a packet carrying a VLAN ID, into which the GIU converted a packet that did not carry a virtual local area network identifier (VLAN ID), where the packet carrying a VLAN ID is a first packet or a second packet, the VLAN ID of the first packet is a first VLAN ID, the VLAN ID of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs);
processing a third packet to obtain a fourth packet, where the third packet is the first packet with the first VLAN ID stripped, and the fourth packet carries the first VLAN ID;
processing a fifth packet to obtain a sixth packet, where the fifth packet is the second packet with the second VLAN ID stripped, and the sixth packet carries the second VLAN ID; and
sending the fourth packet and the sixth packet to the GIU.
In this embodiment, for a virtual network that is a flat network, the GPU receives a packet carrying a VLAN ID sent by the GIU, which is a first packet or a second packet, where the first packet corresponds to a first VLAN ID, the second packet corresponds to a second VLAN ID, and the first VLAN ID differs from the second VLAN ID. The GPU strips the first VLAN ID from the first packet to obtain a third packet, then processes the third packet to obtain a fourth packet carrying the first VLAN ID, and sends the fourth packet to the GIU. The sixth packet is obtained in the same way as the fourth packet, except that the sixth packet carries the second VLAN ID.
The packet forwarding method of this embodiment isolates different VMs in the flat network from one another at the network level by introducing a first VLAN ID and a second VLAN ID, meeting the requirement for network isolation between different VMs.
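As an added example (not code from the patent), the following Python models the GIU and GPU steps of the first to fourth aspects: the VLAN Mapping rule for a VLAN network, the QinQ rule for a trunk network, per-VM tagging for a flat network, the GPU strip-and-retag step, and the reverse path back to the external port. It assumes raw Ethernet frames, TPID 0x88A8 for the pushed outer tag, and that a flat network's per-VM VLAN ID is looked up by the VM's MAC address; the per-VM check in giu_egress is likewise this example's own addition.

```python
# Added example, not the patent's code: GIU/GPU VLAN ID isolation for VLAN, trunk and flat networks.
import struct

TPID_CTAG = 0x8100  # 802.1Q customer tag
TPID_STAG = 0x88A8  # 802.1ad service tag, used for the pushed QinQ outer tag (assumption)


def parse_frame(frame):
    # Split an Ethernet frame into (dst, src, tags, ethertype, payload);
    # tags is a list of (tpid, tci) pairs, outermost first, [] for an untagged frame.
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((ethertype, tci))
        off += 4
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    # Inverse of parse_frame.
    hdr = dst + src + b"".join(struct.pack("!HH", tpid, tci) for tpid, tci in tags)
    return hdr + struct.pack("!H", ethertype) + payload


def vid_of(tci):
    return tci & 0x0FFF  # 12-bit VLAN ID; PCP and DEI occupy the top 4 bits


def with_vid(tci, vid):
    return (tci & 0xF000) | (vid & 0x0FFF)  # swap the VLAN ID, keep PCP/DEI


class IsolationRule:
    # Isolation rule chosen from the network type ("vlan", "trunk" or "flat") that holds the
    # internal/external VLAN ID correspondence: external VID -> internal VID for vlan and trunk,
    # VM MAC address -> internal VID for flat (keying by MAC is this example's assumption).
    def __init__(self, network_type, mapping):
        self.network_type = network_type
        self.mapping = dict(mapping)
        self.reverse = {v: k for k, v in self.mapping.items()}


def giu_ingress(frame, rule):
    # GIU, external port -> GPU: turn the first packet into the second packet.
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if rule.network_type == "flat":
        if tags:
            raise ValueError("flat network frames must be untagged")
        # Tag with the VLAN ID assigned to the destination VM (first or second VLAN ID).
        return build_frame(dst, src, [(TPID_CTAG, rule.mapping[dst])], ethertype, payload)
    if not tags:
        raise ValueError("vlan/trunk network frames must carry an external VLAN ID")
    tpid, tci = tags[0]
    internal = rule.mapping[vid_of(tci)]
    if rule.network_type == "vlan":
        # VLAN Mapping rule: replace the external VLAN ID with the internal one in place.
        return build_frame(dst, src, [(tpid, with_vid(tci, internal))] + tags[1:], ethertype, payload)
    # QinQ rule: push the internal VLAN ID as a new outer tag and keep the user's tag.
    return build_frame(dst, src, [(TPID_STAG, internal)] + tags, ethertype, payload)


def gpu_strip(frame):
    # GPU: strip the internal VLAN ID from the second packet before delivering it to the VM.
    # Returns (internal_tag, untagged_frame) so the same tag can be re-added on the way back.
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("packet from the GIU must carry the internal VLAN ID")
    return tags[0], build_frame(dst, src, tags[1:], ethertype, payload)


def gpu_retag(vm_frame, internal_tag):
    # GPU: add the internal VLAN ID to the VM's data frame, giving the third packet for the GIU.
    dst, src, tags, ethertype, payload = parse_frame(vm_frame)
    return build_frame(dst, src, [internal_tag] + tags, ethertype, payload)


def giu_egress(frame, rule):
    # GIU, GPU -> external port: turn the third packet into the fifth packet.
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags:
        raise ValueError("packet from the GPU must carry the internal VLAN ID")
    tpid, tci = tags[0]
    internal = vid_of(tci)
    if rule.network_type == "vlan":
        # Reverse the mapping so the external side sees its own VLAN ID again.
        external = rule.reverse[internal]
        return build_frame(dst, src, [(tpid, with_vid(tci, external))] + tags[1:], ethertype, payload)
    if rule.network_type == "flat" and rule.mapping.get(src) != internal:
        # Enforce the per-VM correspondence: a VM's frame may only carry its own VLAN ID.
        raise ValueError("internal VLAN ID does not belong to the sending VM")
    # trunk and flat: the internal VLAN ID is an extra outer tag, so pop it.
    return build_frame(dst, src, tags[1:], ethertype, payload)
```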
In a fifth aspect, a device for forwarding packets is provided, configured to perform the method of the first aspect or any possible implementation of the first aspect, or to perform the method of the third aspect or any possible implementation of the third aspect. Specifically, the device includes units for performing the method of the first aspect or any possible implementation of the first aspect, or units for performing the method of the third aspect or any possible implementation of the third aspect.
In a sixth aspect, a device for forwarding packets is provided, configured to perform the method of the second aspect or any possible implementation of the second aspect, or to perform the method of the fourth aspect or any possible implementation of the fourth aspect. Specifically, the device includes units for performing the method of the second aspect or any possible implementation of the second aspect, or units for performing the method of the fourth aspect or any possible implementation of the fourth aspect.
In a seventh aspect, a device for forwarding packets is provided. The device includes a processor, a memory and a communication interface. The processor is connected to the memory and to the communication interface. The memory is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other network elements under the control of the processor. When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any possible implementation of the first aspect.
In an eighth aspect, a computer-readable medium is provided for storing a computer program, where the computer program includes instructions for performing the method of the first aspect or any possible implementation of the first aspect.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of a specific networking scenario according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of an example of the conventional process of forwarding packets in a virtualization scenario.
FIG. 3 is a schematic flowchart of a method for forwarding packets according to an embodiment of the present invention.
FIG. 4 is a schematic diagram of a specific example according to an embodiment of the present invention.
FIG. 5A is a schematic diagram of an example of forwarding packets under different mapping rules.
FIG. 5B is a schematic diagram of another specific example according to an embodiment of the present invention.
FIG. 6 is a schematic flowchart of a method for forwarding packets according to an embodiment of the present invention.
FIG. 7 is a schematic diagram of another specific example according to an embodiment of the present invention.
FIG. 8 is a schematic block diagram of a device for forwarding packets according to an embodiment of the present invention.
FIG. 9 is a schematic block diagram of a device for forwarding packets according to an embodiment of the present invention.
FIG. 10 is a structural diagram of a device for forwarding packets according to an embodiment of the present invention.
FIG. 11 is a structural diagram of a device for forwarding packets according to still another embodiment of the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
The technical solution of the present invention can be applied to virtualization scenarios, specifically including Network Functions Virtualization ("NFV") technology in the virtualization of telecommunications functions. By borrowing IT virtualization technology, NFV allows many types of network devices to be consolidated onto industry-standard servers, switches and storage, which may be deployed in data centers, at network nodes or in users' homes. This requires network functions to be implemented in software and to run on a range of industry-standard server hardware, so that they can be migrated, instantiated and deployed at different locations in the network as needed, without installing new equipment. The ultimate goal of NFV is to replace the proprietary, dedicated network element devices of the communications network with industry-standard x86 servers, storage and switching equipment. The benefits are that, on the one hand, x86-based IT equipment is inexpensive and can save operators enormous investment costs, and on the other hand, open Application Programming Interfaces ("APIs") can help operators obtain more, and more flexible, network capabilities. Through the decoupling of software from hardware and functional abstraction, network device functions no longer depend on dedicated hardware, resources can be shared fully and flexibly, new services can be developed and deployed rapidly, and automatic deployment, elastic scaling, fault isolation and self-healing can be performed according to actual service requirements.
For example, FIG. 1 shows a schematic structural diagram of a specific networking scenario according to an embodiment of the present invention. It should be understood that FIG. 1 is used here only as an example and does not constitute a limitation on the present invention. The data centers (Data Center, "DC") include DC1 and DC2, which are different virtual centers or data centers. DC1 includes two physical devices (Hosts, i.e., physically existing computers): Host1 and Host2; DC2 includes three physical devices: Host1, Host2 and Host3. The virtualized network functions (Virtualized Network Function, "VNF") include VNF1 (which may correspond to one virtual network) and VNF2, where VNF1 includes three virtual machines (Virtual Machine, "VM"): VM1, VM2 and VM3, and VNF2 includes three virtual machines: VM4, VM5 and VM6. VM1 is connected to VNF1-NET1, and VNF1-NET1 is connected separately to external network 1 (for example, External Network-DC1) through a GPU panel port; VM1, VM2 and VXLAN Gateway1 are connected to VNF1-NET2, VXLAN Gateway1 is connected to VXLAN-NET1-DC1, VM3 and VXLAN Gateway2 are connected to VXLAN-NET1-DC2, and VXLAN-NET1-DC1 and VXLAN-NET1-DC2 are connected to external network 2 (for example, External Network-DC12); VM3 and VM4 are connected to Shared-Net1, which is connected to external network 3 (for example, External Network2-DC2); VM4, VM5 and VM6 are connected to VNF2-Net3; VM6 is connected to VNF2-NET2, and VNF2-NET2 is connected to external network 4 (for example, External Network3-DC2) through a General Processing Unit ("GPU") panel port. In FIG. 1, when an external network is connected to the corresponding virtual network through a General Interface Unit ("GIU") panel port, it must use the same VLAN ID as the corresponding virtual network. VNF1-NET1 is in physical network 1, while VNF1-NET2, VNF1-NET3, VNF2-NET2, VNF2-NET3 and so on are in physical network 2. In other words, in FIG. 1 the virtual network in which VNF1-NET1 resides is not in the same physical network as the other virtual networks; the virtual network in which VNF1-NET1 resides may be of the VLAN type or of the Flat type. In addition, further network functions (Network Function, "NF") (not shown) may be connected below each external network, and this is not limited.
In the above networking scenario, the virtual network (an L2 network) provides L2 interworking ports. Each virtual network consists of the ports connected to it (the ports or sub-ports corresponding to a network function VF or a physical function PF) and the VLANs that those ports access. The internal network of the virtual network can be understood as the system's internal network, and the external network as the network planned by the user.
In the above networking scenario, a VNF is composed of multiple components deployed on one or more VMs, and virtualizes the network element functions of a traditional network, such as the Mobility Management Entity ("MME"), the Serving Gateway ("S-GW") and the PDN Gateway ("P-GW") in the 3GPP EPC. The virtualized network function is a concept of network architecture: using virtualization technology, it splits node-level network functions into several functional blocks, each implemented in software, so that service deployment becomes software deployment and is no longer bound to a hardware architecture. VNFs allow enterprises and institutions to configure the network dynamically on demand, independently of the underlying architecture, and greatly improve the automated management and agility of telecommunications networks.
It should be understood that the technical solution of the present invention can be applied to any virtual network scenario in which the internal and external networks need to be isolated, and this is not limited.
In the embodiments of the present invention, the virtual network may be of different network types, for example a Virtual Local Area Network ("VLAN") virtual network, a Flat virtual network, an extended VLAN (VxLAN) virtual network, or a Trunk virtual network. A VLAN virtual network is a network isolated within a physical network using a virtual network identifier, the VLAN ID; that is, one physical network can correspond to multiple VLAN virtual networks. A Flat virtual network corresponds to one physical network without VLAN division; that is, one physical network can correspond to only one Flat virtual network. A VxLAN virtual network is a network isolated by VxLAN; this network type is supported only when the Host is accessed through the Open vSwitch ("OVS") standard, and VxLAN virtual networks cannot be used with netmap driver pass-through. VxLAN was introduced to overcome the limit on the number of VLAN IDs, which supports at most 4K networks. A Trunk virtual network is a network isolated within a physical network using multiple VLAN IDs; that is, one physical network can also correspond to multiple Trunk virtual networks. Unlike a VLAN virtual network, a Trunk virtual network uses multiple VLAN IDs for isolation.
In the embodiments of the present invention, the different virtual network types may be applied in the Huawei cloud operating system (Fusion Sphere, "FS") scenario or in the Embedded Versatile Infrastructure Management ("EVM") scenario. The FS scenario is a cloud operating system based on OpenStack. EVM is a software module that provides lightweight system virtualization management in wireless deployment scenarios with fewer than 5 nodes.
In the embodiments of the present invention, many other virtualization technologies or concepts may be involved for the different virtual network types, and this is not limited. For example, the embodiments of the present invention can be applied to the hardware pass-through virtualization technology Single Root I/O Virtualization ("SR-IOV"). SR-IOV is a hardware-based virtualization solution that improves performance and scalability. The SR-IOV standard allows Peripheral Component Interconnect Express ("PCIe") devices to be shared efficiently between virtual machines; because it is implemented in hardware, it achieves I/O performance comparable to native performance. The SR-IOV specification defines a new standard under which newly created devices allow virtual machines to be connected directly to I/O devices.
As another example, the embodiments of the present invention can be applied to the Elastic Virtual Switch ("EVS"). EVS is an elastic virtual switch developed by Huawei's Unified Virtualization Platform ("UVP"); it is based on OVS forwarding technology with improved I/O performance and still conforms to the OpenFlow protocol standard. The I/O performance improvement uses Intel DPDK technology: a user-space process takes over packet transmission and reception on the NIC, and an "I/O exclusive core" technique is used, that is, each port is assigned a core dedicated to data forwarding; this polling approach is more efficient than interrupt-driven processing, so I/O performance is significantly improved. UVP is the key technology platform of Huawei's cloud-computing-based data center solution: by abstracting the server's physical resources, it converts physical server resources such as CPU, memory and I/O into a set of logical resources that are managed uniformly, scheduled flexibly and allocated dynamically, and on the basis of these logical resources builds multiple concurrently running, mutually isolated virtual machine execution environments on a single physical server.
The foregoing describes the various scenarios and related technologies that may be involved in virtualization. Current virtualization scenarios have a problem: the user VLAN (for example, the external network of the virtual network in FIG. 1) is not isolated from the system VLAN (for example, the internal network of the virtual network in FIG. 1). Generally, when VLAN IDs are planned, the user VLAN IDs and the system VLAN IDs are planned together, that is, the user VLAN IDs and the system VLAN IDs share the same VLAN ID space. The resulting problem is that when isolation is required so that user VLAN IDs and system VLAN IDs do not overlap (that is, the external virtual network and the internal virtual network must not overlap), continuing to use the unified planning method of the prior art leads to conflicts between the internal and external networks. Moreover, this requirement restricts the user's planning of external network VLAN IDs, and the user must know and understand the internal network VLAN ID plan, which increases the complexity of network maintenance. In addition, because the internal network reserves some VLAN IDs that the user is not allowed to use in network planning, the user must take the constraints of the internal network into account, which restricts the user's VLAN ID planning and affects the user's network planning. For example, FIG. 2 shows a schematic diagram of an example of the conventional packet forwarding process in a virtualization scenario. As shown in FIG. 2, the Multi-Function Middle-scale Switch Board ("MMX") acts like a switch or router and forwards the packets received from the GIU to the processing board GPU corresponding to the internal network, thereby completing the packet forwarding process from the external network to the internal network. In FIG. 2, the GIU receives packets or data frames through a physical port and passes them through to the MMX without any processing; the MMX then sends the packets or data frames from the GIU directly to the GPU, and the GPU delivers them to the virtual machine VM. In FIG. 2, the internal VLAN ID and the user VLAN ID of the packet are the same VLAN ID, so the internal network and the external network are not isolated. That is to say, in the prior art the internal network VLAN ID plan of the virtual network must be planned together with the external network VLAN ID plan, which increases the complexity of network planning, and the existence of reserved addresses adds constraints to the networking plan. Furthermore, in the SR-IOV pass-through scenario, dynamic modification of the VLAN ID of a VLAN network type is not supported; once the user's network plan changes, the only option is to take the network down and bring it up again, which has a significant impact. Therefore, to address these problems, the present invention proposes a packet forwarding method that enables the internal network of the virtual network to be isolated automatically from the external network.
FIG. 3 shows a schematic flowchart of a packet forwarding method 300 according to an embodiment of the present invention. The method 300 can be performed by a GIU. As shown in FIG. 3, the method 300 includes:
S310: receiving a first packet of a virtual network, where the first packet carries an external virtual local area network identifier (VLAN ID);
The first packet may be a packet of the external network of the virtual network received by the GIU. For different virtual network types, or for different scenarios under the same virtual network type, the received packet may take different forms. For example, for the VLAN virtual network type, the received packet is a VLAN packet and no conversion is needed. As another example, for the EVM scenario under the Flat virtual network type, the received frames are data frames carrying no VLAN ID, so the data frame must first be converted into a VLAN packet at the GIU port. That is to say, the form of the first packet is not limited; any form that can ultimately be obtained in a reasonable way is acceptable.
S320: determining an internal VLAN ID corresponding to the first packet, where the internal VLAN ID represents the identifier corresponding to the first packet in the internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID;
The GIU determines the internal VLAN ID corresponding to the first packet. The internal VLAN ID is the internal VLAN ID that corresponds to the external VLAN ID of the first packet. That is, the first packet has a VLAN ID in both the internal network and the external network, and the VLAN ID of the internal network (the first internal VLAN ID) has, or satisfies, a correspondence (or mapping relationship) with the VLAN ID of the external network. Consequently, the internal network VLAN ID and the external network VLAN ID of the first packet need not be identical; it suffices that a correspondence exists between them.
S330: including the first internal VLAN ID in a second packet to generate the second packet;
The GIU including the internal VLAN ID in the second packet to generate the second packet means that the GIU carries the internal VLAN ID in the second packet in some form (for example, by replacement or by addition), so that when the packet is sent to the internal network (or to the general processing board GPU), the GPU can learn the internal VLAN ID.
S340: sending the second packet to the general processing board GPU.
In the embodiment of the present invention, the GIU receives the first packet, determines the first internal VLAN ID corresponding to the first packet, includes the first internal VLAN ID in a second packet to generate the second packet, and sends the second packet to the general processing board GPU. By isolating the internal network of the virtual network from the external network, the security of the network can be enhanced and the complexity of network operation and maintenance can be reduced.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the above processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
It should also be understood that the ordinals "first", "second" and so on in the embodiments of the present invention serve only to distinguish different objects, for example different packets, virtual machines VM, or VLAN IDs, and do not limit the present invention.
Optionally, the method further includes:
receiving a third packet sent by the GPU, where the third packet is a packet obtained by the GPU processing a fourth packet, the fourth packet is the packet obtained by the GPU stripping the internal VLAN ID from the second packet and delivering it to the virtual machine VM, and the third packet carries the internal VLAN ID;
converting the third packet into a fifth packet, where the fifth packet carries the external VLAN ID;
sending the fifth packet to an external port.
Specifically, the GIU may receive a third packet sent by the GPU, where the third packet is the packet obtained by the GPU processing a fourth packet, and the fourth packet is the packet obtained by the GPU stripping the internal VLAN ID from the second packet and delivering it to the virtual machine VM. It should be understood that the GPU does not concern itself with the specific use or processing by the VM after the VM receives the untagged packet obtained by stripping the internal VLAN ID from the second packet; the GPU only needs to know that the data frame or untagged packet obtained from the VM is a packet from which the internal VLAN ID has been stripped, that is, it only needs to know that the fourth packet it obtains is a packet from which the internal VLAN ID was stripped. Here, the GPU's processing of the fourth packet means tagging the fourth packet with the internal VLAN ID to obtain the third packet. The GIU converts the received third packet into a fifth packet, so that the fifth packet carries the external VLAN ID. The GIU's conversion of the third packet may be replacing the internal VLAN ID of the third packet with the external VLAN ID to obtain the fifth packet, or decapsulating the third packet and retrieving the outer VLAN ID to obtain the fifth packet. Finally, the fifth packet is sent to the external port.
Therefore, the packet forwarding method of the embodiment of the present invention determines the internal VLAN ID corresponding to the first packet and isolates the internal network of the virtual network from the external network according to that internal VLAN ID, which enhances network security and reduces the complexity of network operation and maintenance.
Optionally, after receiving the first packet of the virtual network, the method further includes:
determining an isolation rule according to the network type of the virtual network, where the isolation rule includes the correspondence between the internal VLAN ID and the external VLAN ID;
where including the internal VLAN ID in the second packet includes:
including the internal VLAN ID in the second packet according to the isolation rule to generate the second packet.
Specifically, the GIU can assign the isolation rule automatically according to the network type of the virtual network. The network type may be the VLAN virtual network, Trunk virtual network, Flat virtual network and so on described above, and the corresponding isolation rule is determined automatically for each network type. For example, for VLAN virtual networks and Flat virtual networks, the isolation rule may be a VLAN Mapping rule; for Trunk virtual networks, the isolation rule may be a QinQ rule. Of course, these are only examples, and the isolation rules are not limited to them. The GIU then includes the internal VLAN ID in the second packet according to the isolation rule to generate the second packet.
Optionally, as an embodiment, including the internal VLAN ID in the second packet according to the isolation rule to generate the second packet includes:
replacing the external VLAN ID of the first packet with the internal VLAN ID according to a virtual local area network mapping rule to generate the second packet, where the virtual local area network mapping rule is the isolation rule.
Specifically, the GIU can use a virtual local area network mapping rule to replace the external VLAN ID of the first packet with the internal VLAN ID and obtain the second packet, thereby substituting the internal system VLAN ID for the user VLAN ID. For example, the GIU uses VLAN Mapping to replace the external VLAN ID of the first packet with the internal VLAN ID to obtain the second packet, which solves the problem of isolating the internal and external networks. In addition, by remapping the user VLAN ID to the internal system VLAN ID through VLAN Mapping, the VLAN ID of the virtual network can be modified dynamically. This also solves the problem that the original OpenStack open-source code cannot modify the VLAN ID: the problem that cannot be fixed in the OpenStack open-source code is moved to the outbound interface and handled by VLAN Mapping, achieving dynamic modification indirectly. In the embodiment of the present invention, VLAN Mapping thus solves the isolation problem of the internal and external networks and also enables dynamic modification of the VLAN ID, achieving two goals at once.
For example, for the VLAN network type, whether in the FS scenario or in the EVM scenario, the GIU can use the VLAN Mapping rule to substitute the internal VLAN ID for the external VLAN ID.
That is to say, in a specific implementation, when the virtual network is of the VLAN network type, the method of obtaining the second packet can use the VLAN Mapping rule. VLAN Mapping (also called VLAN translation) belongs to flexible QinQ: instead of adding a VLAN tag, it replaces different user VLANs with different VLANs, so that a packet carries only one VLAN tag while being forwarded. To describe more intuitively the packet forwarding method of the embodiment of the present invention when the virtual network is of the VLAN network type, a description is given below with reference to FIG. 4.
FIG. 4 shows a schematic diagram of a specific example according to an embodiment of the present invention. It should be noted that this is only intended to help those skilled in the art better understand the embodiments of the present invention, and does not limit the scope of the embodiments of the present invention. As shown in FIG. 4, the small black boxes in the figure are physical ports. Taking a virtual network of the VLAN network type as an example, with the VLAN Mapping rule as the isolation rule, the first packet received by the GIU at the ingress of a physical port (the black circle in the figure) is a VLAN packet carrying an external VLAN ID. The GIU determines the internal VLAN ID of the first packet; if the first packet satisfies the VLAN Mapping rule, the specific action is to replace the external VLAN ID of the first packet directly with the internal VLAN ID according to the VLAN Mapping rule to obtain the second packet, and if the first packet does not satisfy the VLAN Mapping rule, the first packet is discarded directly. The second packet is then forwarded through the MMX to the virtual machine VM in the GPU; when delivering it to the VM in the GPU, the GPU strips the internal VLAN ID from the second packet to obtain the third packet, and then delivers the third packet to the VM. Similarly, when the GPU forwards packets through the MMX to the GIU, the GPU obtains the untagged data frame from the VM (corresponding to the third packet), tags it with the internal VLAN ID to obtain the fourth packet, and forwards it through the MMX to the GIU. When the GIU receives the fourth packet, if the fourth packet satisfies the VLAN Mapping rule, the GIU replaces the internal VLAN ID of the fourth packet with the corresponding external VLAN ID to obtain the fifth packet, and sends it to the external port. In this way, the system network and the user network are isolated from each other by the internal VLAN ID and the external VLAN ID, so that the user's network planning is not restricted. It should be understood that the numbering of the packets here is flexible and introduced only for convenience of description; there is no conflict with, or limitation by, the packet numbering elsewhere in this text.
The above describes the application of the VLAN Mapping rule in a virtual network. When the virtual network is of the Trunk network type, a stacked virtual local area network rule (QinQ rule) may be used to isolate the internal network from the external network. Embodiments in which the virtual network is of the Trunk network type are described in detail below.
Optionally, as an embodiment, including the internal VLAN ID in the second packet according to the isolation rule to generate the second packet includes:
adding the internal VLAN ID to the first packet according to a stacked virtual local area network rule to generate the second packet, where the stacked virtual local area network rule is the isolation rule.
Specifically, the GIU may encapsulate the corresponding internal VLAN ID on top of the external VLAN ID of the first packet to obtain the second packet. Here the GIU may use a stacked virtual local area network rule, such as a QinQ rule, to encapsulate a new VLAN ID (the internal VLAN ID) over the external VLAN ID of the first packet to obtain the second packet, which solves the isolation problem between the internal and external networks.
In the embodiment of the present invention, the essence of the QinQ rule is an extension of the VLAN protocol: a further VLAN layer is added to a VLAN packet, producing a packet with two (or even more) VLAN layers. QinQ was originally intended to solve the problem of insufficient VLAN space. It also brings three additional benefits: 1) users plan the inner VLAN themselves, which makes deployment easier; 2) it provides a simple Layer 2 VPN function; 3) the inner VLAN is not visible, which improves security. The QinQ frame format is the VLAN frame with one more VLAN Tag added. The main difference between QinQ and VLAN lies in the "Type" field of the VLAN Tag: according to IEEE 802.1ad, the Type value of the QinQ outer VLAN is 0x88a8. For QinQ ports, the VLAN encapsulation differs depending on how the QinQ technique is applied: (1) standard QinQ: port-based QinQ, in which the device encapsulates all packets the port is allowed to receive with the port's default VLAN (if the user packet carries no VLAN, only one VLAN layer is actually encapsulated); (2) VLAN Stacking: a form of flexible QinQ that generally adds different outer VLANs based on the user VLAN; (3) VLAN Mapping: a form of flexible QinQ that adds no VLAN but instead replaces different user VLANs with different VLANs, so that only one VLAN layer is present when the packet is forwarded. To understand the difference between the QinQ rule and VLAN Mapping more intuitively, the example in FIG. 5A is described below. FIG. 5A is a schematic diagram of examples of packet forwarding under different mapping rules, namely the VLAN Mapping rule and the QinQ rule. It should be noted that this is only to help those skilled in the art better understand the embodiments of the present invention, not to limit their scope. As shown in FIG. 5A, the left part of the figure is an example of the VLAN Mapping rule. Suppose the external VLAN ID of a packet (taking the packet shown in FIG. 5 as an example, [frame format figure PCTCN2016086696-appb-000001], where Payload may be understood as the payload or data) is Ctag:1000 and the corresponding internal VLAN ID is Stag:100. Then, when forwarding the packet, the GIU, on determining the packet's VLAN ID, replaces the external VLAN ID with the internal VLAN ID, that is, replaces Ctag:1000 directly with Stag:100; when sending to the VM in the Host, it sends the packet with Stag:100 stripped (the Host-to-GIU direction is not shown in the figure). The right part of the figure is a QinQ example using Ctag100 and Ctag101 (again taking the packet shown in FIG. 5 as an example, [frame format figure PCTCN2016086696-appb-000002]): for Ctag100 and Ctag101, an outer Stag:200 is encapsulated on top, that is, the inner Ctag is left unchanged and the outer Stag is added over it. Likewise, when sending to the VM in the Host, the packet is sent with Stag:200 stripped (the Host-to-GIU direction is not shown in the figure), and the Ctag is retained and sent on to the VM.
For example, in the FS scenario in which the virtual network is of the Trunk network type, a "VLAN transparent transmission" mode is used to implement the Trunk network function. A "VLAN transparent transmission" network requires that only data frames within the configured VLAN ID range are accepted, and that they are forwarded transparently. In this mode the external data frames are passed transparently into the internal virtual network, so the internal and external networks cannot be isolated, although there is no problem of being unable to modify the virtual network's VLAN ID dynamically. In this scenario, the embodiment of the present invention uses the QinQ rule to isolate the internal and external networks. The packet forwarding process for a virtual network of the Trunk network type is described here with reference to FIG. 5B. FIG. 5B is a schematic diagram of another example of packet forwarding according to an embodiment of the present invention. As shown in FIG. 5B, the first packet that the GIU receives at the ingress of the physical port (the black circle in the figure) is a VLAN packet carrying an external VLAN ID. The GIU determines the internal VLAN ID of the first packet; when the first packet satisfies the isolation rule (for example, the isolation rule used for a virtual network of the Trunk network type is the QinQ rule), the specific action is to encapsulate the internal VLAN ID as an outer layer over the external VLAN ID of the first packet according to the QinQ rule, obtaining the second packet; if the first packet does not satisfy the QinQ rule, the first packet is discarded directly. The second packet is then forwarded through the MMX to the virtual machine VM in the GPU; when sending it up to the VM in the GPU, the GPU decapsulates the newly encapsulated internal VLAN ID from the second packet (retaining the external VLAN ID) to obtain the third packet, and then sends the third packet up to the VM. Similarly, when the GPU forwards a packet to the GIU through the MMX, the GPU obtains the untagged data frame of the VM (corresponding to the third packet), encapsulates the internal VLAN ID again as the outer layer of the third packet to obtain the fourth packet, and forwards it through the MMX to the GIU. When the GIU receives the fourth packet, if the fourth packet satisfies the QinQ rule, the GIU decapsulates the internal VLAN ID from the fourth packet (retaining the external VLAN ID) to obtain the fifth packet, which is sent to the external port. In this way, the system network and the user network are isolated by the internal VLAN ID and the external VLAN ID, so the user's network planning is not constrained.
In addition, for the EVM scenario in which the virtual network is of the Trunk network type, the QinQ rule may also be used; this is not described again here.
The difference from a virtual network of the VLAN network type is that the Trunk network type uses a different rule. The VLAN network type uses the VLAN Mapping rule (direct replacement), whereas the Trunk network type uses the QinQ rule (encapsulating a new VLAN ID as an outer layer). Here, different isolation rules can be selected for different network types of the virtual network. Of course, neither the network type of the virtual network nor the kind of isolation rule is restricted here; a suitable isolation rule for the virtual network may be selected according to the actual situation, and the present invention imposes no limitation.
Therefore, the packet forwarding method of the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network of the virtual network from the external network according to that internal VLAN ID, can enhance network security.
The packet forwarding method of the embodiment of the present invention is described below from the GPU side with reference to FIG. 6. FIG. 6 is a schematic diagram of a packet forwarding method according to an embodiment of the present invention. The method 600 is performed by a GPU; as shown in FIG. 6, the method 600 includes:
S610, receiving a second packet sent by the general interface board GIU, the second packet being generated by including the internal VLAN ID corresponding to a first packet in the second packet, where the internal VLAN ID indicates the identifier corresponding to the first packet in the internal virtual network and corresponds to the external VLAN ID of the first packet;
S620, processing the second packet to obtain a third packet, the third packet carrying the internal VLAN ID;
S630, sending the third packet to the GIU.
In the embodiment of the present invention, the GPU receives the second packet sent by the GIU, which the GIU generated by including the internal VLAN ID corresponding to the first packet in the second packet. After receiving the second packet, the GPU processes it to obtain a third packet that carries the internal VLAN ID, and finally sends the third packet to the GIU.
The packet forwarding method of the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network of the virtual network from the external network according to that internal VLAN ID, can enhance network security and reduce the complexity of network operation and maintenance.
Optionally, processing the second packet to obtain the third packet includes:
stripping the internal VLAN ID from the second packet to obtain a fourth packet, and sending the fourth packet up to the virtual machine VM;
obtaining a data frame of the VM, the data frame of the VM corresponding to the fourth packet;
adding the internal VLAN ID to the fourth packet to obtain the third packet.
Specifically, the GPU strips the internal VLAN ID from the received second packet, then sends the resulting fourth packet up to the virtual machine VM, and obtains the VM's data frame (an untagged packet), which corresponds to the fourth packet. The GPU adds the internal VLAN ID to the fourth packet to obtain the third packet and sends it to the GIU, so that the GIU can process the third packet and send it to the external port.
Therefore, the packet forwarding method of the embodiment of the present invention, by determining the internal VLAN ID corresponding to the first packet and isolating the internal network of the virtual network from the external network according to that internal VLAN ID, can enhance network security and reduce the complexity of network operation and maintenance.
Embodiments in which the internal network and the external network of a virtual network are isolated have been described above. The specific case in which the virtual network is of the Flat network type is described below. When the virtual network is of the Flat network type, there is only one such network on the same physical network, so by default the Flat internal network is interconnected; there is, however, a need for Flat network isolation between different VMs. Moreover, there is no problem of VLAN ID conflict between the internal and external networks, nor any problem of dynamically modifying the VLAN ID. Embodiments in which isolation is required between different virtual machines of a Flat virtual network are described below.
Optionally, as an embodiment, the present invention further provides a packet forwarding method, which may also be performed by a GIU. The GIU here may be the GIU corresponding to multiple VMs; the number of GIUs is not limited: one VM may correspond to one GIU, or multiple VMs may correspond to one GIU. The method may include:
receiving a packet of a flat virtual network that does not carry a virtual local area network identifier VLAN ID;
converting the packet that does not carry a VLAN ID into a packet carrying a VLAN ID, where the packet carrying a VLAN ID includes a first packet or a second packet, the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines VMs;
sending the first packet and the second packet to the general-purpose processing board GPU.
Specifically, when the GIU receives a packet of the flat (Flat) virtual network that does not carry a virtual local area network identifier VLAN ID, it needs to convert that packet into a packet carrying a VLAN ID, for example a first packet or a second packet, where the GIU determines that the virtual local area network identifier of the first packet is the first VLAN ID and that of the second packet is the second VLAN ID, the first VLAN ID and the second VLAN ID corresponding to different virtual machines VMs; it then sends the first packet and the second packet to the GPU so that the different VMs can be isolated.
For example, when the virtual network is of the Flat network type, the GIU converts the packet at the port into a packet carrying a VLAN ID using the port VLAN identifier (Port-based VLAN ID, "PVID" for short) with PVID=1, and then processes it at the port according to the VLAN Mapping rule so that the first packet carries the first VLAN ID and the second packet carries the second VLAN ID, the first VLAN ID differing from the second VLAN ID. Unlike the VLAN network type, the Flat network type must take the isolation requirement between different VMs into account, so different VMs need to be isolated by different VLAN IDs.
In the embodiment of the present invention, for the Flat network type there is only one such network on the same physical network, so by default the Flat internal network is interconnected; however, since there is a need for Flat network isolation between different VMs, VLAN Mapping is used internally as a uniform solution. In the EVM scenario, only data frames without a VLAN ID are allowed to pass through to the VM and data frames carrying a VLAN ID are all discarded, so the EVM scenario has neither the problem of dynamically modifying the virtual network VLAN ID nor the internal network conflict problem; the VLAN Mapping rule need only be used internally to satisfy the requirement for Flat network isolation between different VMs. In the FS scenario, there is no VLAN ID conflict between the internal and external networks. In the SR-IOV pass-through scenario, the VLAN Mapping rule can likewise satisfy the requirement for Flat network isolation between different VMs.
Therefore, the packet forwarding method of the embodiment of the present invention isolates the networks of different VMs from one another by means of the first VLAN ID and the second VLAN ID, which enhances network security and reduces the complexity of network operation and maintenance.
Optionally, the method may further include:
receiving, from the GPU, a fourth packet obtained by processing a third packet, where the third packet is the packet obtained by the GPU stripping the first VLAN ID from the first packet and sending it up to a first virtual machine VM, and the fourth packet carries the first VLAN ID;
receiving, from the GPU, a sixth packet obtained by processing a fifth packet, where the fifth packet is the packet obtained by the GPU stripping the second VLAN ID from the second packet and sending it up to a second virtual machine VM, the sixth packet carries the second VLAN ID, and the second VM is different from the first VM;
sending the fourth packet and the sixth packet to the external port.
Specifically, in the flow in which the GPU corresponding to the first VM forwards packets to the GIU, the GIU may also receive the fourth packet that the GPU obtains by processing the third packet, the third packet being the packet the GPU obtains by stripping the first VLAN ID from the first packet and sending it up to the first virtual machine VM. Here the GPU's processing of the third packet consists of tagging the third packet again with the first VLAN ID to obtain the fourth packet. Similarly, the GPU of the second VM forwards packets to the GIU in the same manner as for the first VM: the GIU may also receive the sixth packet that the GPU obtains by processing the fifth packet, the fifth packet being the packet the GPU obtains by stripping the second VLAN ID from the second packet and sending it up to the second virtual machine VM. Here the GPU's processing of the fifth packet consists of tagging the fifth packet again with the second VLAN ID to obtain the sixth packet.
Therefore, the packet forwarding method of the embodiment of the present invention isolates the networks of different VMs from one another by means of the first VLAN ID and the second VLAN ID, which enhances network security.
Embodiments in which isolation is required between different virtual machines of a Flat virtual network are described below from the GPU side. Optionally, as an embodiment, the method is performed by a GPU; the number of GPUs is not limited and may be one or more. The method includes:
receiving, from the general interface board GIU, a packet carrying a VLAN ID converted from a packet that did not carry a virtual local area network identifier VLAN ID, where the packet carrying a VLAN ID includes a first packet or a second packet, the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines VMs;
processing a third packet to obtain a fourth packet, where the third packet is the first packet with the first VLAN ID stripped, and the fourth packet carries the first VLAN ID;
processing a fifth packet to obtain a sixth packet, where the fifth packet is the second packet with the second VLAN ID stripped, and the sixth packet carries the second VLAN ID;
sending the fourth packet and the sixth packet to the GIU.
Specifically, the GPU receives the converted packet carrying a VLAN ID sent by the GIU, where the packet carrying a VLAN ID includes a first packet or a second packet, the virtual local area network identifier of the first packet is the first VLAN ID, the virtual local area network identifier of the second packet is the second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines VMs. Then, taking the first VM as an example, the GPU strips the first VLAN ID from the first packet, sends the resulting third packet up to the first VM, then tags the first VM's data frame (that is, the third packet) with the first VLAN ID to obtain the fourth packet, and sends it to the GIU. The second VM is processed in the same way as the first VM and is not described again; the difference is that the second VM corresponds to the second VLAN ID. In this way, in a Flat virtual network, the isolation requirement between different virtual machines can be met using VLAN IDs, which improves network security.
Optionally, processing the third packet to obtain the fourth packet includes:
sending the third packet up to the first VM;
obtaining a data frame of the first VM, the data frame of the first VM corresponding to the third packet;
adding the first VLAN ID to the third packet to obtain the fourth packet, the first VLAN ID corresponding to the first VM;
where processing the fifth packet to obtain the sixth packet includes:
sending the fifth packet up to the second VM, the second VM being different from the first VM;
obtaining a data frame of the second VM, the data frame of the second VM corresponding to the fifth packet;
adding the second VLAN ID to the fifth packet to obtain the sixth packet, the second VLAN ID corresponding to the second VM.
Here, before processing the third packet to obtain the fourth packet, the GPU needs to first send the third packet up to the VM and then obtain the VM's data frame (an untagged packet), that is, the third packet; it then adds the first VLAN ID to the third packet to obtain the fourth packet, which is sent to the GIU. Similarly, the fifth packet also needs to be processed to obtain the sixth packet; for brevity, this is not described again.
Therefore, the packet forwarding method of the embodiment of the present invention isolates the networks of different VMs from one another by means of the first VLAN ID and the second VLAN ID, which enhances network security.
A specific example in which the virtual network is of the Flat network type is described below with reference to FIG. 7. FIG. 7 is a schematic diagram of another specific example according to an embodiment of the present invention. It should be noted that this is only to help those skilled in the art better understand the embodiments of the present invention, not to limit their scope.
As shown in FIG. 7, the difference from FIG. 4 is that FIG. 7 adds the components related to another virtual machine VM2; that is, the first virtual machine VM1 and the second virtual machine VM2 may each have a corresponding GIU and GPU, but this is not a limitation, and multiple VMs may also share the same components. VM1 is described first. When a packet enters, the GIU first needs to perform PVID=1 processing at the port, converting the packet that carries no VLAN ID into a packet carrying a VLAN ID; for example, VM1 corresponds to the first packet. Then, according to the VLAN Mapping rule, the VLAN ID of VM1 is obtained as X, and the first packet carrying VLAN ID=X is sent to the GPU. The GPU strips the first packet, removing the first VLAN ID it carries, to obtain the third packet, and sends it up to VM1, completing the forwarding of the packet. Likewise, when a packet is sent out, processing is also needed on the way from the GPU to the GIU: after obtaining the data frame from VM1, the GPU tags it with the first VLAN ID to obtain the fourth packet and sends it to the GIU through the MMX, and the GIU sends the fourth packet to the external port. Similarly, for VM2, when a packet enters, the GIU first needs to perform PVID=1 processing at the port, converting the packet that carries no VLAN ID into a packet carrying a VLAN ID; for example, VM2 corresponds to the second packet. Then, according to the VLAN Mapping rule, the VLAN ID of VM2 is obtained as Y, and the second packet carrying VLAN ID=Y is sent to the GPU. The GPU strips the second packet, removing the second VLAN ID it carries, to obtain the fifth packet, and sends it up to VM2, completing the forwarding of the packet. Likewise, when a packet is sent out, processing is also needed on the way from the GPU to the GIU: after obtaining the data frame from VM2, the GPU tags it with the second VLAN ID to obtain the sixth packet and sends it to the GIU through the MMX, and the GIU sends the sixth packet to the external port.
Unlike VM1, the VLAN ID of VM2 is Y, where X and Y are different values. In this way, the Flat network of VM1 and the Flat network of VM2 are isolated from each other by X and Y, satisfying the isolation requirement between different VMs in the Flat network. Of course, only two VMs are used here as an example; in practice this can be extended to multiple VMs, without limitation.
Therefore, the packet forwarding method of the embodiment of the present invention isolates the internal networks of different VMs in the virtual network according to the first VLAN ID and the second VLAN ID, which enhances network security.
It should be understood that the embodiment of the present invention uses only the first VM and the second VM as an example; the number of VMs is not limited, and more VMs can be isolated from one another with more VLAN IDs, without limitation.
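As an added example (not code from the patent), the following Python models the tag operations described for the three figures above: VLAN Mapping on a VLAN-type network (FIG. 4, left of FIG. 5A), QinQ on a Trunk-type network (FIG. 5B, right of FIG. 5A), and PVID=1 processing followed by per-VM VLAN Mapping on a Flat network (FIG. 7). The simplified frame layout, the dummy MAC addresses, the rule tables and the VLAN IDs X=10 and Y=20 are constructed assumptions, and the GIU, GPU and VM are modelled as plain functions rather than boards.

```python
"""Tag handling on the GIU/GPU forwarding path: VLAN Mapping (FIG. 4),
QinQ (FIG. 5A/5B) and the Flat per-VM mapping (FIG. 7). Added example,
not the patent's code. Frame layout is simplified to
dst(6) src(6) [tag(4)]* ethertype(2) payload; the PCP/DEI bits of the
TCI are not preserved. All rules, VLAN IDs and frames are constructed."""
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag: outer tag of a QinQ frame
PVID = 1            # port VLAN ID applied to untagged frames (Flat network)


def parse_tags(frame):
    """Return the list of (tpid, vid) tags, outermost first."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags

def push_tag(frame, tpid, vid):
    """Encapsulate a new outer tag right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]

def pop_tag(frame):
    """Strip the outermost tag (the untag / decapsulate step)."""
    return frame[:12] + frame[16:]

def giu_ingress(frame, net_type, rule):
    """First -> second packet. `rule` maps external VLAN ID -> internal
    VLAN ID. VLAN type replaces the tag (VLAN Mapping); Trunk type pushes
    an outer S-tag (QinQ). Returns None when the frame does not satisfy
    the isolation rule, i.e. the GIU drops it."""
    tags = parse_tags(frame)
    if not tags or tags[0][1] not in rule:
        return None
    internal = rule[tags[0][1]]
    if net_type == "VLAN":
        return push_tag(pop_tag(frame), TPID_CTAG, internal)
    if net_type == "Trunk":
        return push_tag(frame, TPID_STAG, internal)
    raise ValueError("unknown network type %r" % net_type)

def gpu_to_vm(frame):
    """Second -> third packet: the GPU removes only the internal VLAN ID,
    so the VM never sees a system VLAN (under QinQ it keeps its own C-tag)."""
    return pop_tag(frame)

def gpu_from_vm(frame, net_type, internal):
    """Third -> fourth packet: re-add the internal VLAN ID on the way back."""
    tpid = TPID_STAG if net_type == "Trunk" else TPID_CTAG
    return push_tag(frame, tpid, internal)

def giu_egress(frame, net_type, rule):
    """Fourth -> fifth packet: restore the external VLAN ID. A frame whose
    outer tag is not an internal VLAN ID of this rule is dropped (None)."""
    tags = parse_tags(frame)
    if not tags or tags[0][1] not in rule.values():
        return None
    if net_type == "VLAN":  # VLAN Mapping is one-to-one, so invert the rule
        external = {v: k for k, v in rule.items()}[tags[0][1]]
        return push_tag(pop_tag(frame), TPID_CTAG, external)
    if tags[0][0] != TPID_STAG:
        return None  # QinQ: the outer layer must be an S-tag
    return pop_tag(frame)  # decapsulate, keep the external C-tag

def giu_flat_ingress(frame, vm_vid):
    """Flat network (FIG. 7): PVID=1 processing tags the untagged frame,
    then the VLAN Mapping rule maps PVID to the VLAN ID (X or Y) of the VM
    this GIU serves. Tagged frames are dropped: Flat accepts untagged only."""
    if parse_tags(frame):
        return None
    return giu_ingress(push_tag(frame, TPID_CTAG, PVID), "VLAN", {PVID: vm_vid})

def make_frame(vids=()):
    """Constructed test frame: dummy MACs, C-tags (outermost first), IPv4."""
    frame = bytes.fromhex("020000000001" "020000000002" "0800") + b"payload"
    for vid in reversed(vids):
        frame = push_tag(frame, TPID_CTAG, vid)
    return frame

def round_trip(frame, net_type, rule):
    """Walk packets 1..5 through GIU -> GPU -> VM -> GPU -> GIU and report
    the tags seen at each stage; None when the GIU dropped the frame."""
    second = giu_ingress(frame, net_type, rule)
    if second is None:
        return None
    internal = parse_tags(second)[0][1]
    third = gpu_to_vm(second)
    fifth = giu_egress(gpu_from_vm(third, net_type, internal), net_type, rule)
    return {"second": parse_tags(second), "third": parse_tags(third),
            "fifth": parse_tags(fifth), "restored": fifth == frame}
```

`round_trip(make_frame([1000]), "VLAN", {1000: 100})` reproduces the Ctag:1000 to Stag:100 replacement and `round_trip(make_frame([100]), "Trunk", {100: 200, 101: 200})` the outer Stag:200 encapsulation; in both the `third` stage shows what the VM actually sees and `restored` confirms the frame leaves the external port with exactly the external tag it arrived with, while a frame whose VLAN ID is absent from the rule is dropped (`None`) at the GIU.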
In the embodiments of the present invention, in a specific implementation, the allocation of internal network resources may be performed by a Cloud EPS Distribute (CED) module. The CED implements automatic allocation of internal-network VLAN IDs, and thereby automatic isolation of the internal network by VLAN ID. The CED may add an internal/external network identification parameter to the network template of a VM: for an internal network, the CED does not need to consider the VLAN ID in the template; for an external network, the VLAN ID of the external interconnection must be entered. For example, because the internal and external networks are isolated, at bring-up the CED automatically allocates an internal VLAN ID in the range 2 to 4094 for an internal network, and for the VLAN ID of an external network it automatically allocates a corresponding internal VLAN ID. More specifically, for an external network whose network type is VLAN, the CED automatically allocates a corresponding internal VLAN ID in the range 2 to 4058 (the remaining IDs are reserved or used for detection).
In addition, a Hardware Infrastructure Manager (HIM) may operate in cooperation with the CED. The HIM generates the QinQ/VLAN mapping rules for the relevant ports and delivers the configuration to the hardware, where it takes effect. As a module, the HIM may be integrated on the GIU or GPU described above, or in another suitable location. The CED may be regarded as the data source of the HIM. For example, the CED creates the virtual networks according to the VNF modules and sends to the HIM the type of each external virtual network together with the mapping between internal and external VLAN IDs; based on the configured port VLAN, the network type, and the internal and external VLAN information, the HIM generates the QinQ/VLAN mapping rules and then, through a per-port unidirectional call interface, puts them into effect on the GIU or GPU port so that the packet forwarding method of the embodiments can be carried out. It should be understood that this description is introduced so that those skilled in the art may understand the method of the embodiments more clearly, and does not limit the present invention.
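The allocation and rule-generation roles just described for the CED and HIM, sketched in Python as an added example; this is not the patent's code. The class Ced, the template fields, the function him_rules and the rule dictionaries it emits are assumptions made for this example, as is the choice that a VLAN-type network receives a mapping rule while other types receive a QinQ rule. The two ID ranges (2 to 4094 for internal networks, 2 to 4058 for the internal counterpart of an external VLAN-type network) come from the description above; Flat networks, which carry no VLAN ID, are outside this block.

```python
# Constructed model of the CED and HIM roles described above, not the patent's
# code: the class Ced, the template fields, him_rules and the rule dictionaries are
# assumptions for this example; the two ID ranges come from the description.


class Ced:
    """Hands out one internal VLAN ID per virtual network from a private pool.
    pool: IDs usable for internal networks (2..4094); vlan_pool: IDs used as the
    internal counterpart of an external VLAN-type network (2..4058, the rest
    being reserved or used for detection)."""

    def __init__(self, pool=range(2, 4095), vlan_pool=range(2, 4059)):
        self.pool, self.vlan_pool = pool, vlan_pool
        self.networks = {}   # name -> {"type", "external", "internal"}
        self.in_use = set()  # internal VLAN IDs already handed out

    def _next_free(self, candidates):
        for vid in candidates:
            if vid not in self.in_use:
                return vid
        raise RuntimeError("internal VLAN ID pool exhausted")

    def create_network(self, name, external, net_type, vlan_id=None):
        """Apply a VM network template. The internal/external flag decides whether
        the template's VLAN ID is consulted at all; returns the internal VLAN ID."""
        if name in self.networks:
            raise ValueError("network %s already exists" % name)
        if external and vlan_id is None:
            raise ValueError("external network %s needs its interconnect VLAN ID" % name)
        if not external and vlan_id is not None:
            raise ValueError("internal network %s takes no VLAN ID from the template" % name)
        if external and any(n["external"] == vlan_id for n in self.networks.values()):
            raise ValueError("external VLAN ID %d is already mapped" % vlan_id)
        candidates = self.vlan_pool if external and net_type == "vlan" else self.pool
        internal = self._next_free(candidates)
        self.in_use.add(internal)
        self.networks[name] = {"type": net_type,
                               "external": vlan_id if external else None,
                               "internal": internal}
        return internal


def him_rules(ced, port):
    """Derive the per-port QinQ/VLAN mapping rules from the CED data. Assumption:
    VLAN-type networks get a mapping rule (replace the tag) and other types a
    QinQ rule (stack the internal tag); internal-only networks need no port rule."""
    rules = []
    for name, net in ced.networks.items():
        if net["external"] is None:
            continue
        rules.append({"port": port, "network": name,
                      "action": "map" if net["type"] == "vlan" else "qinq",
                      "external": net["external"], "internal": net["internal"]})
    return rules
```

The point of the checks in create_network is that the external VLAN ID never becomes an internal one by accident: a template flagged internal cannot smuggle in a VLAN ID, two external networks cannot share one external VLAN ID on a port, and the pool refuses to hand out an ID twice.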
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the foregoing processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments.
The packet forwarding method according to the embodiments of the present invention has been described in detail above; the packet forwarding apparatus according to the embodiments is described below.
FIG. 8 is a schematic block diagram of an apparatus 800 for forwarding packets according to an embodiment of the present invention. As shown in FIG. 8, the apparatus 800 includes:
a receiving module 810, configured to receive a first packet of a virtual network, the first packet carrying an external virtual local area network identifier (VLAN ID);
a determining module 820, configured to determine an internal VLAN ID corresponding to the first packet received by the receiving module 810, the internal VLAN ID representing the identifier of the first packet in the internal virtual network and corresponding to the external VLAN ID;
a processing module 830, configured to include the internal VLAN ID determined by the determining module 820 in a second packet, thereby generating the second packet; and
a sending module 840, configured to send the second packet to a general-purpose processing board (GPU).
The packet forwarding apparatus of this embodiment determines the internal VLAN ID corresponding to the first packet and, according to that internal VLAN ID, isolates the internal network of the virtual network from the external network, which enhances network security and reduces the complexity of network operation and maintenance.
Optionally, the receiving module 810 is further configured to receive a third packet sent by the GPU, the third packet being the packet obtained by the GPU processing a fourth packet, where the fourth packet is the packet obtained by the GPU stripping the internal VLAN ID from the second packet and delivering it up to a virtual machine (VM), and the third packet carries the internal VLAN ID;
the processing module 830 is further configured to convert the third packet into a fifth packet, the fifth packet carrying the external VLAN ID; and
the sending module 840 is further configured to send the fifth packet to an external port.
Optionally, the determining module 820 is specifically configured to:
determine an isolation rule according to the network type of the virtual network, the isolation rule including the identifier correspondence between the internal VLAN ID and the external VLAN ID;
and the processing module 830 is further configured to:
include the internal VLAN ID in the second packet according to the isolation rule determined by the determining module, thereby generating the second packet.
Optionally, the processing module 830 is specifically configured to:
replace the external VLAN ID of the first packet with the internal VLAN ID according to a virtual local area network mapping rule, thereby generating the second packet, the virtual local area network mapping rule being the isolation rule.
Optionally, the processing module 830 is specifically configured to:
add the internal VLAN ID to the first packet according to a stacked virtual local area network rule, thereby generating the second packet, the stacked virtual local area network rule being the isolation rule.
The packet forwarding apparatus of this embodiment determines the internal VLAN ID corresponding to the first packet and, according to that internal VLAN ID, isolates the internal network of the virtual network from the external network, which enhances network security and reduces the complexity of network operation and maintenance.
The apparatus 800 for forwarding packets according to this embodiment may perform the packet forwarding method according to the embodiments of the present invention, and the foregoing and other operations and/or functions of the modules in the apparatus 800 are intended to implement the corresponding procedures of the foregoing methods; for brevity, they are not described again here.
FIG. 9 is a schematic block diagram of an apparatus 900 for forwarding packets according to an embodiment of the present invention. As shown in FIG. 9, the apparatus 900 includes:
a receiving module 910, configured to receive, from a general interface board (GIU), a second packet generated by including in the second packet an internal VLAN ID corresponding to a first packet, the internal VLAN ID representing the identifier of the first packet in the internal virtual network and corresponding to the external VLAN ID of the first packet;
a processing module 920, configured to process the second packet to obtain a third packet, the third packet carrying the internal VLAN ID; and
a sending module 930, configured to send the third packet obtained by the processing module 920 to the GIU.
Optionally, the processing module 920 is specifically configured to:
strip the internal VLAN ID from the second packet to obtain a fourth packet, and deliver the fourth packet up to a virtual machine (VM);
obtain a data frame of the VM, the data frame corresponding to the fourth packet; and
add the internal VLAN ID to the fourth packet to obtain the third packet.
The packet forwarding apparatus of this embodiment determines the internal VLAN ID corresponding to the first packet and, according to that internal VLAN ID, isolates the internal network of the virtual network from the external network, which enhances network security and reduces the complexity of network operation and maintenance.
The apparatus 900 for forwarding packets according to this embodiment may perform the packet forwarding method according to the embodiments of the present invention, and the foregoing and other operations and/or functions of the modules in the apparatus 900 are intended to implement the corresponding procedures of the foregoing methods; for brevity, they are not described again here.
Optionally, when the virtual network is a Flat network, an embodiment of the present invention further provides an apparatus for forwarding packets, which may be on the GIU side and includes:
a receiving module, configured to receive a packet of the flat virtual network that does not carry a virtual local area network identifier (VLAN ID);
a processing module, configured to convert the packet that does not carry a VLAN ID into a packet that carries a VLAN ID, the packet carrying a VLAN ID being a first packet or a second packet, where the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs); and
a sending module, configured to send the first packet and the second packet to a general-purpose processing board (GPU).
The packet forwarding apparatus of this embodiment uses the first VLAN ID and the second VLAN ID to meet the isolation requirement between different VMs, which enhances network security.
Optionally, the receiving module is further configured to:
receive a fourth packet sent by the GPU after processing a third packet, the third packet being the packet obtained by the GPU stripping the first VLAN ID from the first packet and delivering it up to a first virtual machine (VM), and the fourth packet carrying the first VLAN ID;
the receiving module is further configured to: receive a sixth packet sent by the GPU after processing a fifth packet, the fifth packet being the packet obtained by the GPU stripping the second VLAN ID from the second packet and delivering it up to a second VM, the sixth packet carrying the second VLAN ID, and the second VM being different from the first VM;
the processing module is further configured to: convert the fourth packet into a seventh packet, the seventh packet carrying the first VLAN ID;
the processing module is further configured to: convert the sixth packet into an eighth packet, the eighth packet carrying the second VLAN ID; and
the sending module is further configured to:
send the seventh packet and the eighth packet to an external port.
The packet forwarding apparatus of this embodiment uses the first VLAN ID and the second VLAN ID to meet the isolation requirement between different VMs, which enhances network security.
Optionally, when the virtual network is a Flat network, an embodiment of the present invention further provides an apparatus for forwarding packets, which may be on the GPU side and includes:
a receiving module, configured to receive, from a general interface board (GIU), a packet carrying a VLAN ID that the GIU has converted from a packet not carrying a virtual local area network identifier (VLAN ID), the packet carrying a VLAN ID being a first packet or a second packet, where the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs);
a first processing module, configured to process a third packet to obtain a fourth packet, the third packet being the first packet with the first VLAN ID stripped, and the fourth packet carrying the first VLAN ID;
a second processing module, configured to process a fifth packet to obtain a sixth packet, the fifth packet being the second packet with the second VLAN ID stripped, and the sixth packet carrying the second VLAN ID; and
a sending module, configured to send the fourth packet and the sixth packet to the GIU.
The packet forwarding apparatus of this embodiment uses the first VLAN ID and the second VLAN ID to meet the isolation requirement between different VMs, which enhances network security and reduces the complexity of network operation and maintenance.
Optionally, the first processing module is specifically configured to:
deliver the third packet up to the first VM;
obtain a data frame of the first VM, the data frame of the first VM corresponding to the third packet;
add the first VLAN ID to the third packet to obtain the fourth packet, the first VLAN ID corresponding to the first VM;
add the second VLAN ID to the data frame of the second VM to obtain the fourth packet;
and the second processing module is specifically configured to:
deliver the fifth packet up to the second VM, the second VM being different from the first VM;
obtain a data frame of the second VM, the data frame of the second VM corresponding to the fifth packet; and
add the second VLAN ID to the fifth packet to obtain the sixth packet, the second VLAN ID corresponding to the second VM.
The packet forwarding apparatus of this embodiment uses the first VLAN ID and the second VLAN ID to meet the isolation requirement between different VMs, which enhances network security.
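The forwarding pipeline described for the apparatus 800 (GIU side), the apparatus 900 (GPU side) and the two Flat-network apparatuses above, traced end to end in Python as an added example; this is not the patent's code. The classes Giu and Gpu, the shape of the rule table, the use of a frame's destination MAC to pick a VM's VLAN ID on a Flat network, and the sample MACs, VLAN IDs and frames are all constructed assumptions for the example. The two places where a frame is dropped (an external VLAN ID with no planned internal counterpart, and a VM-side frame carrying an internal VLAN ID that no rule knows) make explicit the isolation property the description claims.

```python
# Constructed model of the isolation pipeline, not the patent's code (class names,
# rule shapes and the MAC-keyed Flat-network table are assumptions): GIU ingress
# maps the external VLAN ID to the internal one, the GPU strips it before the VM
# and re-adds it on the VM's reply, and GIU egress restores the external VLAN ID.
TPID = b"\x81\x00"  # 802.1Q tag protocol identifier

def vlan_tags(frame):
    """VLAN IDs stacked on an Ethernet frame, outermost first."""
    tags, off = [], 12
    while frame[off:off + 2] == TPID:
        tags.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    return tags

def push_vlan(frame, vid):
    """Insert a new outermost 802.1Q tag (PCP and DEI left at zero)."""
    if not 1 <= vid <= 4094:
        raise ValueError("invalid VLAN ID %r" % vid)
    return frame[:12] + TPID + vid.to_bytes(2, "big") + frame[12:]

def pop_vlan(frame):
    """Remove the outermost tag; returns (vid, frame without that tag)."""
    if frame[12:14] != TPID:
        raise ValueError("frame carries no VLAN tag")
    return int.from_bytes(frame[14:16], "big") & 0x0FFF, frame[:12] + frame[16:]

class Giu:
    """GIU side. rules: external VLAN ID -> ("map" | "qinq", internal VLAN ID);
    flat_vms: destination MAC of a VM on a Flat network -> that VM's VLAN ID."""

    def __init__(self, rules, flat_vms):
        self.rules, self.flat_vms = dict(rules), dict(flat_vms)
        self.reverse = {iv: (mode, ev) for ev, (mode, iv) in rules.items()}

    def ingress(self, frame):
        """First packet (external side) -> second packet (internal VLAN ID), or None."""
        tags = vlan_tags(frame)
        if not tags:  # Flat network: tag with the VLAN ID of the destination VM
            vid = self.flat_vms.get(frame[:6])
            return None if vid is None else push_vlan(frame, vid)
        rule = self.rules.get(tags[0])
        if rule is None:  # no planned internal VLAN ID for this external one: drop
            return None
        mode, internal = rule
        if mode == "map":  # VLAN mapping rule: replace the external tag
            return push_vlan(pop_vlan(frame)[1], internal)
        return push_vlan(frame, internal)  # QinQ rule: stack the internal tag on top

    def egress(self, frame):
        """Third packet (internal VLAN ID) -> fifth packet (external side), or None."""
        if frame[12:14] != TPID:
            return None
        internal, bare = pop_vlan(frame)
        if internal in self.flat_vms.values():
            return bare  # Flat network: leaves untagged
        rule = self.reverse.get(internal)
        if rule is None:  # VM traffic on an unplanned VLAN ID never reaches the outside
            return None
        mode, external = rule
        return push_vlan(bare, external) if mode == "map" else bare

class Gpu:
    """GPU side; vms maps internal VLAN ID -> name of the VM behind it."""

    def __init__(self, vms):
        self.vms = dict(vms)

    def to_vm(self, frame):
        """Second packet -> fourth packet: strip the internal tag, pick the VM."""
        internal, stripped = pop_vlan(frame)
        return self.vms.get(internal), stripped  # VM is None if nobody owns that ID

    def from_vm(self, vm, frame):
        """VM data frame -> third packet: re-add that VM's own internal VLAN ID."""
        return push_vlan(frame, next(v for v, n in self.vms.items() if n == vm))

def make_frame(dst, src, tags=()):
    """Constructed Ethernet frame with the given tag stack (outermost first)."""
    frame = dst + src + b"\x08\x00" + b"\x00" * 46  # IPv4 ethertype, dummy payload
    for vid in reversed(tags):
        frame = push_vlan(frame, vid)
    return frame

def round_trip(giu, gpu, frame):
    """GIU -> GPU -> VM -> GPU -> GIU; returns (VM, tags the VM saw, tags leaving
    the external port) or None if the GIU dropped the frame on ingress."""
    second = giu.ingress(frame)
    if second is None:
        return None
    vm, fourth = gpu.to_vm(second)
    reply = fourth[6:12] + fourth[:6] + fourth[12:]  # the VM answers: swap MACs
    fifth = giu.egress(gpu.from_vm(vm, reply))
    return vm, vlan_tags(fourth), None if fifth is None else vlan_tags(fifth)

# Constructed configuration: two VLAN-type networks and one VM on a Flat network.
EXT_MAC, VM_A, VM_B = (bytes.fromhex(h) for h in ("020000000001", "02000000000a", "02000000000b"))
RULES = {100: ("map", 3000), 200: ("qinq", 3001)}  # external VLAN ID -> isolation rule
FLAT_VMS = {VM_B: 3002}
VMS = {3000: "vm-a", 3001: "vm-c", 3002: "vm-b"}
```

With this configuration, a frame tagged 100 reaches vm-a untagged and leaves the external port tagged 100 again; under the QinQ rule a frame tagged 200 reaches vm-c still carrying its own tag beneath the internal one, and the internal tag is peeled off again on the way out; the untagged Flat-network frame to vm-b is tagged 3002 internally and leaves untagged. The VMs never see an internal VLAN ID, and a VM-side frame carrying one the GIU has no rule for is dropped rather than forwarded.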
FIG. 10 shows the structure of an apparatus for forwarding packets provided by yet another embodiment of the present invention, which includes at least one processor 1002 (for example, a CPU), at least one network interface 1005 or other communication interface, a memory 1006, and at least one communication bus 1003 used to implement the connections among these components. The processor 1002 is configured to execute executable modules, such as computer programs, stored in the memory 1006. The memory 1006 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. A communication connection with at least one other network element is implemented through the at least one network interface 1005 (which may be wired or wireless).
In some implementations, the memory 1006 stores a program 10061, and the processor 1002 executes the program 10061 to perform the GIU-side packet forwarding method of the foregoing embodiments of the present invention.
FIG. 11 shows the structure of an apparatus for forwarding packets provided by yet another embodiment of the present invention, which includes at least one processor 1102 (for example, a CPU), at least one network interface 1105 or other communication interface, a memory 1106, and at least one communication bus 1103 used to implement the connections among these components. The processor 1102 is configured to execute executable modules, such as computer programs, stored in the memory 1106. The memory 1106 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. A communication connection with at least one other network element is implemented through the at least one network interface 1105 (which may be wired or wireless).
In some implementations, the memory 1106 stores a program 11061, and the processor 1102 executes the program 11061 to perform the GPU-side packet forwarding method of the foregoing embodiments of the present invention.
It should be understood that the term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
It should be understood that, in the various embodiments of the present invention, the sequence numbers of the foregoing processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, reference may be made to the corresponding procedures in the foregoing method embodiments for the specific working processes of the systems, apparatuses and units described above, which are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and another division may be used in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (22)

  1. A method for forwarding packets, comprising:
    receiving a first packet of a virtual network, the first packet carrying an external virtual local area network identifier (VLAN ID);
    determining an internal VLAN ID corresponding to the first packet, the internal VLAN ID representing the identifier of the first packet in an internal virtual network and corresponding to the external VLAN ID;
    including the internal VLAN ID in a second packet, thereby generating the second packet; and
    sending the second packet to a general-purpose processing board (GPU).
  2. The method according to claim 1, wherein the method further comprises:
    receiving a third packet sent by the GPU, the third packet being the packet obtained by the GPU processing a fourth packet, where the fourth packet is the packet obtained by the GPU stripping the internal VLAN ID from the second packet and delivering it up to a virtual machine (VM), and the third packet carries the internal VLAN ID;
    converting the third packet into a fifth packet, the fifth packet carrying the external VLAN ID; and
    sending the fifth packet to an external port.
  3. The method according to claim 1 or 2, wherein, after receiving the first packet of the virtual network, the method further comprises:
    determining an isolation rule according to the network type of the virtual network, the isolation rule including the identifier correspondence between the internal VLAN ID and the external VLAN ID;
    wherein the including the internal VLAN ID in the second packet comprises:
    including the internal VLAN ID in the second packet according to the isolation rule, thereby generating the second packet.
  4. The method according to claim 3, wherein the including the internal VLAN ID in the second packet according to the isolation rule, thereby generating the second packet, comprises:
    replacing the external VLAN ID of the first packet with the internal VLAN ID according to a virtual local area network mapping rule, thereby generating the second packet, the virtual local area network mapping rule being the isolation rule.
  5. The method according to claim 3, wherein the including the internal VLAN ID in the second packet according to the isolation rule, thereby generating the second packet, comprises:
    adding the internal VLAN ID to the first packet according to a stacked virtual local area network rule, thereby generating the second packet, the stacked virtual local area network rule being the isolation rule.
  6. A method for forwarding packets, comprising:
    receiving, from a general interface board (GIU), a second packet generated by including in the second packet an internal VLAN ID corresponding to a first packet, the internal VLAN ID representing the identifier of the first packet in an internal virtual network and corresponding to the external VLAN ID of the first packet;
    processing the second packet to obtain a third packet, the third packet carrying the internal VLAN ID; and
    sending the third packet to the GIU.
  7. The method according to claim 6, wherein the processing the second packet to obtain a third packet comprises:
    stripping the internal VLAN ID from the second packet to obtain a fourth packet, and delivering the fourth packet up to a virtual machine (VM);
    obtaining a data frame of the VM, the data frame of the VM corresponding to the fourth packet; and
    adding the internal VLAN ID to the fourth packet to obtain the third packet.
  8. A method for forwarding packets, comprising:
    receiving a packet of a flat virtual network that does not carry a virtual local area network identifier (VLAN ID);
    converting the packet that does not carry a VLAN ID into a packet that carries a VLAN ID, the packet carrying a VLAN ID being a first packet or a second packet, wherein the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs); and
    sending the first packet and the second packet to a general-purpose processing board (GPU).
  9. The method according to claim 8, wherein the method further comprises:
    receiving a fourth packet sent by the GPU after processing a third packet, the third packet being the packet obtained by the GPU stripping the first VLAN ID from the first packet and delivering it up to a first virtual machine (VM), and the fourth packet carrying the first VLAN ID;
    receiving a sixth packet sent by the GPU after processing a fifth packet, the fifth packet being the packet obtained by the GPU stripping the second VLAN ID from the second packet and delivering it up to a second VM, the sixth packet carrying the second VLAN ID, and the second VM being different from the first VM; and
    sending the fourth packet and the sixth packet to an external port.
  10. A method for forwarding packets, comprising:
    receiving, from a general interface board (GIU), a packet carrying a VLAN ID that the GIU has converted from a packet not carrying a virtual local area network identifier (VLAN ID), the packet carrying a VLAN ID being a first packet or a second packet, wherein the virtual local area network identifier of the first packet is a first VLAN ID, the virtual local area network identifier of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines (VMs);
    processing a third packet to obtain a fourth packet, the third packet being the first packet with the first VLAN ID stripped, and the fourth packet carrying the first VLAN ID;
    processing a fifth packet to obtain a sixth packet, the fifth packet being the second packet with the second VLAN ID stripped, and the sixth packet carrying the second VLAN ID; and
    sending the fourth packet and the sixth packet to the GIU.
  11. The method according to claim 10, wherein the processing a third packet to obtain a fourth packet comprises:
    delivering the third packet up to the first VM;
    obtaining a data frame of the first VM, the data frame of the first VM corresponding to the third packet;
    adding the first VLAN ID to the third packet to obtain the fourth packet, the first VLAN ID corresponding to the first VM;
    wherein the processing a fifth packet to obtain a sixth packet comprises:
    delivering the fifth packet up to the second VM, the second VM being different from the first VM;
    obtaining a data frame of the second VM, the data frame of the second VM corresponding to the fifth packet; and
    adding the second VLAN ID to the fifth packet to obtain the sixth packet, the second VLAN ID corresponding to the second VM.
  12. A packet forwarding apparatus, comprising:
    a receiving module, configured to receive a first packet of a virtual network, where the first packet carries an external virtual local area network identifier VLAN ID;
    a determining module, configured to determine an internal VLAN ID corresponding to the first packet received by the receiving module, where the internal VLAN ID is the identifier corresponding to the first packet in an internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID;
    a processing module, configured to include the internal VLAN ID determined by the determining module in a second packet, generating the second packet; and
    a sending module, configured to send the second packet to a general-purpose processing board GPU.
  13. The apparatus according to claim 12, wherein the receiving module is further configured to receive a third packet sent by the GPU, where the third packet is obtained by the GPU processing a fourth packet, the fourth packet is the packet obtained by the GPU stripping the internal VLAN ID from the second packet and delivering it to a virtual machine VM, and the third packet carries the internal VLAN ID;
    the processing module is further configured to convert the third packet into a fifth packet, where the fifth packet carries the external VLAN ID; and
    the sending module is further configured to send the fifth packet to an external port.
  14. The apparatus according to claim 12 or 13, wherein the determining module is specifically configured to:
    determine an isolation rule according to the network type of the virtual network, where the isolation rule includes the identifier correspondence between the internal VLAN ID and the external VLAN ID;
    and wherein the processing module is further configured to:
    include the internal VLAN ID in the second packet according to the isolation rule determined by the determining module, generating the second packet.
  15. The apparatus according to claim 14, wherein the processing module is specifically configured to:
    replace the external VLAN ID of the first packet with the internal VLAN ID according to a virtual local area network mapping rule, generating the second packet, where the virtual local area network mapping rule is the isolation rule.
  16. The apparatus according to claim 14, wherein the processing module is specifically configured to:
    add the internal VLAN ID to the first packet according to a stacked virtual local area network rule, generating the second packet, where the stacked virtual local area network rule is the isolation rule.
  17. A packet forwarding apparatus, comprising:
    a receiving module, configured to receive a second packet sent by a general-purpose interface board GIU, the second packet being generated by including in it an internal VLAN ID corresponding to a first packet, where the internal VLAN ID is the identifier corresponding to the first packet in an internal virtual network, and the internal VLAN ID corresponds to the external VLAN ID of the first packet;
    a processing module, configured to process the second packet to obtain a third packet, where the third packet carries the internal VLAN ID; and
    a sending module, configured to send the third packet obtained by the processing module to the GIU.
  18. The apparatus according to claim 17, wherein the processing module is specifically configured to:
    strip the internal VLAN ID from the second packet to obtain a fourth packet, and deliver the fourth packet to a virtual machine VM;
    obtain a data frame of the VM, where the data frame corresponds to the fourth packet; and
    add the internal VLAN ID to the fourth packet to obtain the third packet.
  19. A packet forwarding apparatus, comprising:
    a receiving module, configured to receive a packet of a flat virtual network that does not carry a virtual local area network identifier VLAN ID;
    a processing module, configured to convert the packet not carrying a VLAN ID into a packet carrying a VLAN ID, where the packet carrying the VLAN ID includes a first packet or a second packet, the VLAN ID of the first packet is a first VLAN ID, the VLAN ID of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines VMs; and
    a sending module, configured to send the first packet and the second packet to a general-purpose processing board GPU.
  20. The apparatus according to claim 19, wherein the receiving module is further configured to:
    receive a fourth packet sent by the GPU, the fourth packet being obtained by the GPU processing a third packet, where the third packet is the packet obtained by the GPU stripping the first VLAN ID from the first packet and delivering it to a first virtual machine VM, and the fourth packet carries the first VLAN ID;
    the receiving module is further configured to receive a sixth packet sent by the GPU, the sixth packet being obtained by the GPU processing a fifth packet, where the fifth packet is the packet obtained by the GPU stripping the second VLAN ID from the second packet and delivering it to a second virtual machine VM, the sixth packet carries the second VLAN ID, and the second VM is different from the first VM;
    the processing module is further configured to convert the fourth packet into a seventh packet, where the seventh packet carries the first VLAN ID;
    the processing module is further configured to convert the sixth packet into an eighth packet, where the eighth packet carries the second VLAN ID; and
    the sending module is further configured to:
    send the seventh packet and the eighth packet to an external port.
  21. A packet forwarding apparatus, comprising:
    a receiving module, configured to receive, from a general-purpose interface board GIU, a packet carrying a virtual local area network identifier VLAN ID that the GIU has converted from a packet not carrying a VLAN ID, where the packet carrying the VLAN ID includes a first packet or a second packet, the VLAN ID of the first packet is a first VLAN ID, the VLAN ID of the second packet is a second VLAN ID, and the first VLAN ID and the second VLAN ID correspond to different virtual machines VMs;
    a first processing module, configured to process a third packet to obtain a fourth packet, where the third packet is the packet obtained by stripping the first VLAN ID from the first packet, and the fourth packet carries the first VLAN ID;
    a second processing module, configured to process a fifth packet to obtain a sixth packet, where the fifth packet is the packet obtained by stripping the second VLAN ID from the second packet, and the sixth packet carries the second VLAN ID; and
    a sending module, configured to send the fourth packet and the sixth packet to the GIU.
  22. The apparatus according to claim 21, wherein the first processing module is specifically configured to:
    deliver the third packet to the first VM;
    obtain a data frame of the first VM, where the data frame of the first VM corresponds to the third packet;
    add the first VLAN ID to the third packet to obtain the fourth packet, where the first VLAN ID corresponds to the first VM; and
    add the second VLAN ID to the data frame of the second VM to obtain the fourth packet;
    and wherein the second processing module is specifically configured to:
    deliver the fifth packet to the second VM, where the second VM is different from the first VM;
    obtain a data frame of the second VM, where the data frame of the second VM corresponds to the fifth packet; and
    add the second VLAN ID to the fifth packet to obtain the sixth packet, where the second VLAN ID corresponds to the second VM.
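The isolation rules of claims 14 to 16 (a VLAN mapping rule replaces the external tag with the internal one; a stacked VLAN rule pushes the internal tag in front of it) and the per-VM tagging of an untagged flat network in claim 19, worked through as an added Python example that is not part of the patent or of any Huawei code: a hypothetical GIU class translates 802.1Q frames between the external and internal VLAN spaces in both directions and rejects frames whose VLAN ID has no entry in the isolation rule, so that a user-chosen tag can never reach the internal network unmapped. The MAC addresses, VLAN IDs, rule names, the use of TPID 0x8100 for both tags when stacking and the identification of a VM by its MAC address are all constructed assumptions.

```python
import struct

TPID = 0x8100   # IEEE 802.1Q tag protocol identifier; assumed for both tags when stacking

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, [VID outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:      # peel every 802.1Q tag
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return dst, src, vids, struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]

def build_frame(dst, src, vids, ethertype, payload):
    """Inverse of parse_frame; PCP/DEI bits are left at zero."""
    tags = b"".join(struct.pack("!HH", TPID, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

class Giu:
    """Hypothetical GIU: keeps the user's external VLAN space apart from the internal one."""
    def __init__(self, rule, ext_to_int, flat_vm_vid=None):
        self.rule = rule                          # "mapping", "stacking" or "flat" (assumed names)
        self.ext_to_int = ext_to_int              # isolation rule: external VID -> internal VID
        self.int_to_ext = {i: e for e, i in ext_to_int.items()}
        self.flat_vm_vid = flat_vm_vid or {}      # flat network: VM MAC -> that VM's internal VID

    def to_internal(self, frame):
        """First packet (external port) -> second packet (towards the GPU)."""
        dst, src, vids, et, payload = parse_frame(frame)
        if self.rule == "flat":                   # untagged frame: tag by destination VM
            if vids: raise ValueError("flat-network frames must arrive untagged")
            return build_frame(dst, src, [self.flat_vm_vid[dst]], et, payload)
        if not vids: raise ValueError("external frame carries no VLAN tag")
        internal = self.ext_to_int[vids[0]]       # unknown external VID -> KeyError, caller drops
        if self.rule == "mapping":                # replace the external tag (claim 15)
            return build_frame(dst, src, [internal] + vids[1:], et, payload)
        return build_frame(dst, src, [internal] + vids, et, payload)   # push an outer tag (claim 16)

    def to_external(self, frame):
        """Third packet (from the GPU, internal VID outermost) -> fifth packet (external port)."""
        dst, src, vids, et, payload = parse_frame(frame)
        if not vids: raise ValueError("internal frame carries no VLAN tag")
        if self.rule == "flat":                   # only the sending VM's own VID may leave
            if vids[0] != self.flat_vm_vid.get(src):
                raise ValueError("internal VID does not belong to the source VM")
            return build_frame(dst, src, vids[1:], et, payload)
        if self.rule == "mapping":
            return build_frame(dst, src, [self.int_to_ext[vids[0]]] + vids[1:], et, payload)
        if vids[0] not in self.int_to_ext:        # stacking: pop only a known internal tag
            raise ValueError("unexpected outer VID from the internal network")
        return build_frame(dst, src, vids[1:], et, payload)

# Constructed sample frame (not from the patent): a user frame tagged with external VLAN 100.
USER_MAC, VM_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
EXT_FRAME = build_frame(VM_MAC, USER_MAC, [100], 0x0800, b"\x45" + b"\x00" * 19)
```

The GPU side of claims 17 and 18 (strip the internal tag, deliver to the VM, re-add it) is the same `parse_frame`/`build_frame` pair applied with `vids[1:]` and `[internal] + vids`, and is omitted here.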
PCT/CN2016/086696 2016-06-22 2016-06-22 Packet forwarding method and device WO2017219272A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/086696 WO2017219272A1 (en) 2016-06-22 2016-06-22 Packet forwarding method and device

Publications (1)

Publication Number Publication Date
WO2017219272A1 true WO2017219272A1 (en) 2017-12-28

Family

ID=60783639

Country Status (1)

Country Link
WO (1) WO2017219272A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113852535A (en) * 2021-07-29 2021-12-28 浪潮软件科技有限公司 OpenStack vlan transparent transmission implementation method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878133A (en) * 2005-06-07 2006-12-13 日立通讯技术株式会社 Dynamic VLAN ID assignment and packet transfer apparatus
US20130329741A1 (en) * 2012-06-07 2013-12-12 Donald B. Grosser Methods systems and apparatuses for dynamically tagging vlans
CN103873374A (en) * 2014-03-27 2014-06-18 杭州华三通信技术有限公司 Message processing method and device in virtualized system
CN105681151A (en) * 2016-02-26 2016-06-15 上海斐讯数据通信技术有限公司 Method and system for implementing QinQ, OTL device and electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16905814

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16905814

Country of ref document: EP

Kind code of ref document: A1