WO2018019270A1 - 数据流的处理 - Google Patents

数据流的处理 Download PDF

Info

Publication number
WO2018019270A1
WO2018019270A1 PCT/CN2017/094702 CN2017094702W WO2018019270A1 WO 2018019270 A1 WO2018019270 A1 WO 2018019270A1 CN 2017094702 W CN2017094702 W CN 2017094702W WO 2018019270 A1 WO2018019270 A1 WO 2018019270A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
identifier
service
gateway device
chain
Prior art date
Application number
PCT/CN2017/094702
Other languages
English (en)
French (fr)
Inventor
李捷
Original Assignee
新华三技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201610606047.1A external-priority patent/CN107666402B/zh
Priority claimed from CN201610606046.7A external-priority patent/CN107666447B/zh
Application filed by 新华三技术有限公司 filed Critical 新华三技术有限公司
Priority to US16/303,117 priority Critical patent/US10972384B2/en
Priority to EP17833573.3A priority patent/EP3493488B1/en
Priority to JP2019504773A priority patent/JP6850865B2/ja
Publication of WO2018019270A1 publication Critical patent/WO2018019270A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/56Routing software
    • H04L45/566Routing instructions carried by the data packet, e.g. active networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/302Route determination based on requested QoS
    • H04L45/306Route determination based on the nature of the carried application
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/68Pseudowire emulation, e.g. IETF WG PWE3
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

Definitions

  • the service node here refers to a node that provides services for the data stream, such as a firewall node, an intrusion detection node, a load balancing node, and the like.
  • the service nodes that the data stream passes through during the transmission process form a service chain.
  • the WEB access APP needs to pass through a service chain consisting of a firewall node (FW) and a load balancing node (LB).
  • FW firewall node
  • LB load balancing node
  • the SDN controller serves as the control plane to deliver OpenFlow entries to the service node to guide the service node to forward the data stream, and to deliver the corresponding data to the service node.
  • the service forwarding policy guides the service node to provide services for data flow and perform forwarding processing, which increases the load on the SDN controller and requires high reliability for the SDN controller.
  • FIG. 1 is a flowchart of a method for processing a data stream provided by the present disclosure.
  • FIG. 2 is a schematic diagram of a VXLAN package provided by an embodiment of the present disclosure.
  • FIG. 3 is a networking diagram of an embodiment provided by the present disclosure.
  • FIG. 4 is another flow chart of a method for processing a data stream provided by the present disclosure.
  • FIG. 5 is a schematic diagram of an application of an embodiment provided by the present disclosure.
  • FIG. 6 is a schematic diagram of another application of an embodiment provided by the present disclosure.
  • FIG. 7 is a schematic diagram of another application of an embodiment provided by the present disclosure.
  • FIG. 8 is a hardware structural diagram of a gateway device provided by the present disclosure.
  • Figure 9 is a block diagram of the apparatus of Figure 8 provided by the present disclosure.
  • FIG. 10 is another structural diagram of the apparatus shown in FIG. 8 provided by the present disclosure.
  • FIG. 1 is a flowchart of a method for processing a data stream provided by the present disclosure.
  • the method is applied to a gateway device through which the head node accesses the tail node.
  • the path of the head node accessing the tail node is determined based on the routing protocol.
  • the path contains the gateway device described above and also contains a series of service nodes.
  • the foregoing gateway device may be a gateway device accessed by the first node or a gateway device accessed by the service node.
  • the gateway device accessed by the first node is not directly connected to the service node, and the gateway device connected to the service node may be connected to the service node.
  • the first node here may be a virtual machine (VM) in the EVPN
  • the tail node is another VM in the EVPN
  • the gateway device may be an EVPN distribution. Gateway device.
  • VM virtual machine
  • Step 203 describes the operations performed when the gateway device acts as the gateway device accessed by the first node, and step 204 describes the operations performed when the gateway device acts as the gateway device accessed by the serving node.
  • the processing method of the data stream may include the following steps:
  • Step 101 Detect whether the node corresponding to each node identifier on the node identifier chain is online.
  • the path of the head node accessing the tail node includes the above-described gateway device and one or more service nodes.
  • the node identifier of the head node, the node identifier of the service node through which the head node access tail node passes, and the node identifier chain chain of the tail node form a node identifier chain of the first node access tail node.
  • the node identifier of each node can uniquely represent the node, for example, the node's IP address, MAC address, etc. can be utilized as the node identifier.
  • the node identification chain of the head node accessing the tail node has a unique node identification chain identifier, and it matches the data flow of the head node access tail node.
  • the service node through which the data stream of the first node accessing the tail node passes may be regarded as a service chain, and the service nodes are numbered sequentially in the service chain.
  • ARP Address Resolution
  • ICMP Internet Control Message Protocol
  • Step 102 If it is detected that the node corresponding to each node identifier is online, when the gateway device is the gateway device accessed by the first node, step 103 is performed. When the gateway device is the gateway device accessed by the serving node, step 104 is performed.
  • Step 103 Deliver a first traffic classification policy associated with the node identifier chain to the hardware of the device.
  • Step 103 Deliver a first traffic classification policy associated with the node identifier chain to the hardware of the device.
  • the first flow classification policy may be pre-configured at the software layer of the device.
  • the first flow classification policy may be obtained in advance from the SDN controller and stored in the device software layer.
  • the device software layer may be a software unit such as a memory of the device; and the device hardware may be a hardware unit such as a forwarding chip. It should be noted that, this is only an example description of the device software layer and the device hardware, and the disclosure is not limited.
  • the data flow of the first node accessing the tail node according to the first flow classification policy is forwarded according to the node identifier chain:
  • step A1 the node identification chain matching the data flow of the first node access tail node is found.
  • an ACL rule may be preset, where the ACL rule includes a feature parameter of a data flow of a first node accessing a tail node and an identifier of a node identity chain of a first node access tail node.
  • the characteristic parameters here may be: a quintuple of the data stream (source IP address, destination IP address, source port number, destination port number, port protocol), source MAC address of the data stream, and destination MAC address, etc., the disclosure is not Specifically limited.
  • step A1 the ACL rule containing the keyword is found in all ACL rules by using the feature parameter carried by the data stream of the head node to access the tail node as a key, and the found ACL rule is found.
  • the node identification chain corresponding to the node identification chain identifier in the node is the node identification chain matching the data flow of the first node access tail node.
  • the matching node identification chain is the node identification chain of the first node accessing the tail node.
  • Step A2 encapsulating the identifier of the matched node identification chain for the data stream.
  • the identifier of the node identifier chain for the data stream may be implemented by using a scalable virtual local area network (VXLAN) encapsulation header, specifically: on the data stream.
  • VXLAN virtual local area network
  • the VXLAN encapsulation header is added, and one of the reserved fields in the VXLAN encapsulation header carries the identifier of the node identification chain, which implements an operation of encapsulating the node identification chain identifier for the data flow.
  • the reserved field 1 in the VXLAN encapsulation header shown in Figure 2 carries the identity of the node identification chain.
  • step A2 the data stream encapsulated with the node identifier chain identifier is redirected to the gateway device that meets the following conditions: the service node corresponding to the second node identifier on the node identifier chain is accessed.
  • the service node corresponding to the second node identifier on the node identifier chain is the first service node.
  • the data flow needs to be redirected to the gateway device accessed by the first service node.
  • the gateway device accessed by the first node needs to determine the local outgoing port.
  • the identifier of the first service node ie, the second node identifier on the node identifier chain
  • the node identifier may be an IP address or a MAC address.
  • the data stream encapsulating the node identifier chain identifier may be forwarded to the corresponding gateway device, that is, the gateway device accessed by the first serving node.
  • the gateway device accessed by the first node forwards the data stream encapsulating the node identifier chain identifier in step A2, the gateway device accessed by the first service node receives the encapsulated node identifier chain through the pseudowire (PW) port.
  • PW pseudowire
  • Step 104 Deliver a second traffic classification policy associated with the node identifier chain to the hardware of the device.
  • the first node accesses the data flow of the tail node according to the second flow classification policy. Forwarded according to the node identification chain.
  • the second flow classification policy may be pre-configured at the software layer of the device.
  • the second traffic classification policy may be obtained in advance from the SDN controller and stored in the device software layer.
  • forwarding, according to the second flow classification policy, the data flow of the first node accessing the tail node according to the second flow classification policy according to the node identification chain includes:
  • step B1 when the data flow of the first node accessing the tail node is received through the local PW port, step B2 is performed.
  • step B3 When the data flow of the first node accessing the tail node is received through the service port of the local connection service node, step B3 is performed.
  • Step B2 Find a node identifier chain corresponding to the node identifier chain identifier encapsulated by the data stream, decapsulate the data stream, and send the decapsulated data stream to the second node identifier corresponding to the found node identifier chain.
  • Service node Find a node identifier chain corresponding to the node identifier chain identifier encapsulated by the data stream, decapsulate the data stream, and send the decapsulated data stream to the second node identifier corresponding to the found node identifier chain.
  • the gateway device accessed by the serving node receives the data stream through the PW port, based on the description of step A2 above, it can be concluded that the data stream is from the gateway device accessed by the first node.
  • the data stream is decapsulated by VXLAN to obtain the original data stream sent by the first node.
  • the node identifier chain identifier based on the data stream encapsulation finds a node identifier chain corresponding to the node identifier chain identifier in all locally stored node identifier chains, and then sends the original data stream to the second node in the found node identifier chain. Identifies the corresponding service node. In this way, the original data stream of the access tail node sent by the first node can be introduced.
  • the service node sends the processed data stream to the gateway device it accesses.
  • the data stream received by the gateway device accessed by the service node may also carry the information of the service node, such as the number, IP address, or MAC address of the service node, in the data stream received by the PW port.
  • the gateway device accessed by the first node can determine the first service node that processes the data stream. Therefore, when the data stream is sent, the gateway device can encapsulate the information of the service node in the data stream.
  • the number of the service node may be carried in the reserved field 2 in the VXLAN encapsulation header shown in FIG. 2, for example. Of course, the number, address, and the like of the service node may also be sent by other means.
  • the gateway device accessed by the service node can determine the corresponding service node according to the information of the service node and the node identification chain, thereby introducing the data flow into the service node.
  • the data flow carries the number of the service node. If the number is 1, it indicates that the data flow needs to enter the first service node, and the gateway device accessed by the service node can find the identifier of the service node from the node identification chain.
  • the node identifier may be an IP address or a MAC address, and the port is searched for on the local device by using the IP address or the MAC address, and the original data stream is sent to the first service node through the egress port.
  • Step B3 when the data stream is received through the service port of the connection service node (as described in step B2 above, it means that the data stream is sent by the service node), and the node identification chain matching the data stream is found, according to the found
  • the node identification chain determines the next hop identifier.
  • the next hop identifier is the node identifier of the tail node
  • the data stream is redirected to the gateway device accessed by the tail node. Otherwise, the data stream is sent to the next hop identifier.
  • the service node, the next hop identifier is the next node identifier of the current service node identifier on the node identifier chain, and the current service node identifier is the identifier of the service node to which the service port is connected.
  • the above example is based on the case where the service nodes on the service chain all access the same gateway device. There is also a case where a service node on a service chain accesses multiple gateway devices.
  • the data stream received by the gateway device accessed by the service node through the PW port may also be a gateway device accessed from another service node. It can be understood that the information of the service node can also be carried in the data stream.
  • the gateway device may determine whether the node (service node) corresponding to the identifier accesses the device when determining the next hop node identifier, and if the service node corresponding to the next hop node identifier accesses other
  • the gateway device needs to send the data stream to the other gateway device. It can be understood that the manner of sending the data stream here is substantially the same as that of step A2. The only difference is that the data stream needs to be redirected to the determined next step.
  • the gateway device accessed by the hop service node.
  • the sent data stream may carry the information of the next hop service node, and the gateway device that receives the data stream is processed in the same manner as step B2.
  • the service node that the first node accesses the tail node only performs network service on the data flow, and does not encapsulate the data flow, thereby saving hardware entry resources.
  • FIG. 3 is a networking diagram of an embodiment provided by the present disclosure.
  • VM1 accesses VM2 as an example, and VM1 is the head node, and VM2 is the tail node.
  • VM1 accesses VM2, it is determined based on the routing protocol that VM1 accesses VM2 in turn via service nodes 1 through n.
  • the identifier of the VM1, the identifier of the service node 1 to n through which the VM1 accesses the VM2, and the identifier chain of the VM2 form a node identifier chain of the VM1 access VM2, where the string identifier of the string is formed.
  • the chain is labeled as chain 1.
  • the identifier of VM1 is the IP address of VM1 (denoted as IP0), and the identifier of VM2 is the IP address of VM2 (denoted as IP (2n+1)).
  • IP1 is the identifier of the ingress port of the access path of VM1 accessing VM2 on the service node 1
  • IP2 is the egress port of the access path of VM1 accessing VM2 on the service node 1.
  • the node ID of the service node 2 is [IP3, IP4], IP3 is the identifier of the ingress port of the access path of VM1 accessing VM2 on the service node 2, and IP4 is the identifier of the egress port of the access path of VM1 accessing VM2 on the service node 2.
  • the node identifier of the service node n is [IP(2n-1), IP(2n)], where IP(2n-1) is the identifier of the ingress port of the access path of VM1 accessing VM2 on the serving node n, IP (2n) is the identity of the egress port on VM1 that accesses VM2's access path on service node n.
  • the chain 1 is specifically:
  • the access path of the above VM1 accessing VM2 is also via the flow classification node 300, the proxy forwarding node 301, and the proxy forwarding node 302.
  • the traffic classification node 300, the proxy forwarding node 301, and the proxy forwarding node 302 are equivalent to EVPN distributed gateway devices.
  • the traffic classification node 300 can be a gateway device accessed by the first node VM1
  • the proxy forwarding node 301 can be a gateway device accessed by the service node
  • the proxy forwarding node 302 can be a gateway device accessed by the tail node.
  • the flow classification node 300 and the proxy forwarding node 301 preconfigure the chain 1.
  • the proxy forwarding node 302 accesses the last proxy forwarding node of the VM2 for the VM1, because the destination VM2 can directly forward the data stream to the destination VM2.
  • the proxy forwarding node 302 may not pre-configure chain 1.
  • the traffic classification node 300 and the proxy forwarding node 301 detect whether the VM1, the service nodes 1 to n, and the VM2 corresponding to the IP addresses on the chain 1 are all online. Initially, the devices corresponding to the IP addresses on the chain 1, that is, the VM1, the service nodes 1 to n, and the VM2 are not online.
  • the traffic classification node 300 When the traffic classification node 300 detects that the device corresponding to each IP address in the chain 1, that is, the VM1, the service nodes 1 to n, and the VM2 are online, the traffic classification policy associated with the chain 1 is delivered to the hardware of the node. The traffic classification policy that is delivered is recorded as the traffic classification policy 1, and the data flow for guiding the VM1 to access the VM2 is forwarded according to the chain 1.
  • the traffic classification policy 1 is: according to the VM1
  • the feature parameter source IP address and destination IP address carried by the data stream accessing VM2 are locally matched to the node identification chain of VM1 accessing VM2, and the identifier of the data stream encapsulation chain 1 of VM1 accessing VM2 is redirected to the proxy forwarding node satisfying the condition.
  • the condition is: the service node 1, which is the service node corresponding to the second node identifier in the chain 1, that is, IP1, is connected.
  • the proxy forwarding node that satisfies the condition is the proxy forwarding node 301.
  • the traffic classification policy associated with the chain 1 is delivered to the hardware of the node.
  • the traffic classification policy used to guide the VM1 to access the VM2 data stream is forwarded according to the chain 1, and specifically includes the traffic classification policy 2 and the traffic classification policy 3.
  • the traffic classification policy 2 is: when the VM1 accesses the VM2 data through the local PW port.
  • the traffic classification policy 3 is: when the data flow of the VM1 accessing the VM2 is received through the service port of the local connection service node, the characteristic parameters carried by the data flow accessed by the VM1 according to the VM1, such as the source IP address and the destination IP address, are matched to the VM1 accessing the VM2.
  • the node identification chain determines the next hop identifier according to the node identification chain of VM1 accessing VM2.
  • the next hop identifier is the node identifier of the tail node, such as IP (2n+1)
  • the data flow is redirected to the gateway device accessed by the tail node. That is, the proxy forwarding node 302, otherwise, sends the data stream to the service node corresponding to the next hop identifier, and the next hop identifier is the next node identifier of the current serving node identifier on the node identifier chain, and the current serving node identifier is The identifier of the service node to which the service port is connected.
  • IP0 which is the IP address of VM1
  • IP 2n+1 the IP address of VM2
  • the data stream of VM1 accessing VM2 is recorded as stream 1_1.
  • the stream classification node 300 receives the stream 1_1.
  • the traffic classification node 300 finds a matching node identification chain in the local node identification chain according to the characteristic parameters carried by the flow 1_1, such as the source IP address IP0 and the destination IP address IP (2n+1).
  • the found node identification chain is the above-mentioned chain 1 (IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)).
  • Stream classification node 300 adds a VXLAN encapsulation header to stream 1_1.
  • the VXLAN encapsulation header is specifically shown in FIG. 3.
  • the reserved field 1 in the VXLAN encapsulation header carries the identifier of the found node identification chain, that is, the chain 1.
  • the stream 1_1 in which the VXLAN encapsulation header is added is recorded as stream 1_2.
  • the flow classification node 300 determines the outgoing port of the local forwarding flow 1_2.
  • the egress port is a port to which the flow classification node is locally connected to the following proxy forwarding node: a proxy forwarding node connected to the service node 1 corresponding to the found node identifier chain, that is, the first service node identifier IP1 in the chain 1 (the proxy forwarding node is substantially
  • the node is forwarded to the node 301) in FIG.
  • the identified out port is referred to as Port0.
  • the flow classification node 300 redirects the flow 1_2 to the determined outgoing port Port0 and forwards it.
  • the proxy forwarding node 301 receives the stream 1_2 through the local PW port (referred to as Port1).
  • the proxy forwarding node 301 determines the identifier of the node identifier chain carried by the VXLAN encapsulation header of the stream 1_2 according to the traffic classification policy 2, and finds the node identifier chain with the determined node identifier chain identifier in the local node identifier chain.
  • the found node identification chain is the above-mentioned chain 1 (IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)).
  • the proxy forwarding node 301 performs VXLAN decapsulation on the stream 1_2, that is, the above stream 1_1 is restored.
  • the proxy forwarding node 301 sends the recovered stream 1_1 to the found node identifier chain, that is, the service node 1 corresponding to the first service node identifier IP1 in the chain 1.
  • the service node 1 receives the stream 1_1 sent by the proxy forwarding node 301 through the port corresponding to IP1 (denoted as Port1_1), and processes the stream 1_1 according to the local service policy.
  • the service node 1 transmits the processed stream 1_1 to the proxy forwarding node 301 through the port corresponding to IP2 (denoted as Port1_2).
  • the proxy forwarding node 301 receives the stream 1_1 through a port (referred to as Port1_12) that locally connects the above Port 1_2.
  • the proxy forwarding node 301 finds the node identifier chain matched by the feature parameters carried by the stream 1_1, such as the source IP address IP0 and the destination IP address IP (2n+1), according to the traffic classification policy 3.
  • the found node identification chain is the above-mentioned chain 1 (IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)).
  • the proxy forwarding node 301 determines the next hop identifier according to the found chain 1 and by the following steps:
  • the proxy forwarding node 301 learns in advance the identifier corresponding to the port on the service node to which the local service port is connected.
  • the proxy forwarding node 301 determines an identifier corresponding to the port Port1_2 on the service node 1 based on the identifier corresponding to each learned port;
  • IP3 IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1) Mark for the next hop.
  • the proxy forwarding node 301 sends the stream 1_1 to the serving node (ie, the serving node 2) corresponding to the next hop identifier IP3.
  • the service node 2 receives the stream 1_1 sent by the proxy forwarding node 301 through the port corresponding to IP3 (denoted as Por2_3), and processes the stream 1_1 according to the local service policy.
  • the service node 2 transmits the processed stream 1_1 to the proxy forwarding node 301 through the port corresponding to IP4 (denoted as Port2_4).
  • the proxy forwarding node 301 receives the stream 1_1 by locally connecting to the port of Port 2_4 on the serving node 2 (denoted as Port 1_24).
  • the proxy forwarding node 301 finds the node identifier chain matched by the feature parameters carried by the stream 1_1, such as the source IP address IP0 and the destination IP address IP (2n+1), according to the traffic classification policy 3.
  • the found node identification chain is the above-mentioned chain 1 (IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)).
  • the proxy forwarding node 301 determines the next hop identifier according to the found chain 1 and by the following steps:
  • the identifier corresponding to the port Port2_4 on the service node 2 connected to the local port Port1_24 is determined to be IP4;
  • IP5 of IP4 in the found chain 1 IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)) as Next hop identification.
  • the proxy forwarding node 301 sends the stream 1_1 to the serving node corresponding to the next hop identifier IP5.
  • the final proxy forwarding node 1 will send stream 1_1 to the serving node n.
  • the serving node n receives the stream 1_1 sent by the proxy forwarding node 301 through the port corresponding to the IP (2n-1) (denoted as Porn_2n-1), and processes the received stream 1_1 according to the local service policy.
  • the serving node n sends the processed stream 1_1 to the proxy forwarding node 301 through the port corresponding to the IP (2n) (denoted as Portn_2n).
  • the proxy forwarding node 301 receives the stream 1_1 by locally connecting to the port of Portn_2n on the serving node n (denoted as Port1_n2n).
  • the proxy forwarding node 301 finds the node identifier chain in the local node identifier chain according to the characteristic parameters carried by the stream 1_1, such as the source IP address IP0 and the destination IP address IP (2n+1).
  • the found node identification chain is the above-mentioned chain 1 (IP0-IP1-IP2-IP3-IP4-...-IP(2n-1)-IP(2n)-IP(2n+1)).
  • the proxy forwarding node 301 determines the next hop identifier according to the found chain 1 and by the following steps:
  • IP (2n+1) is determined as the next hop identifier.
  • the proxy forwarding node 301 performs VXLAN encapsulation on the stream 1_1, where the VXLAN encapsulation no longer contains the identity of the chain 1, similar to the existing VXLAN encapsulation.
  • the VXLAN encapsulated stream 1_1 is recorded as stream 1_3.
  • the proxy forwarding node 301 transmits the stream 1_3 through the egress port of the connection proxy forwarding node 302 (the gateway device accessed by the tail node VM2).
  • the proxy forwarding node 302 receives the stream 1_3 sent by the proxy forwarding node 301, and performs VXLAN decapsulation on the stream 1_3, that is, restores the stream 1_1 described above.
  • the proxy forwarding node 302 forwards the recovered stream 1_1 directly to the VM2, and finally the VM2 receives the data stream accessed by the VM1.
  • the traffic classification node 300 and the proxy forwarding node 301 need further Whether the device corresponding to each IP address on the probe chain 1, that is, the VM1, the service nodes 1 to n, and the VM2 are offline, when the traffic classification node 300 detects the device corresponding to each IP address on the chain 1, that is, the VM1, the service nodes 1 to n, and the VM2 If there is at least one offline line, the first traffic classification policy in the local hardware is deleted.
  • the proxy forwarding node 302 detects that at least one of the VM1, the serving nodes 1 to n, and the VM2 corresponding to the IP addresses on the chain 1 is offline, the second traffic classification policy in the local hardware is deleted.
  • the data flow forwarding of the gateway device accessed by the first node is improved by the node identification chain and the first flow classification policy associated with the node identification chain;
  • the second flow classification policy associated with the identifier chain improves the data flow forwarding of the gateway device accessed by the service node, and finally the gateway device accessed by the first node and the gateway device accessed by the service node mutually combine to guide the first node to access the tail node.
  • the data flow is forwarded according to the node identification chain, instead of being controlled by the SDN controller to guide the forwarding of the data flow. This aspect reduces the load of the SDN controller, requires less reliability for the SDN controller, and avoids the SDN controller.
  • Each service node through which the data stream is delivered issues a defect caused by the service forwarding policy.
  • a corresponding service group is set for each service node, and the service group includes at least one standby service node in addition to the service node. Both the service node and the alternate service node can provide the same service and can back up the service policy with each other.
  • FIG. 4 is another flowchart of a method for processing a data stream provided by the present disclosure.
  • the processing method of the data stream can be applied to a gateway device accessed by each node on the service chain.
  • step 401 it is detected whether the service node corresponding to the node identifier in the node identifier chain of the first node accessing the tail node is faulty.
  • the priority static configuration of the service nodes in the above service groups is dynamically determined by the order of installation to the service group.
  • the node identifier of one of the service nodes in the service group on the node identifier chain in the step 401 is specifically: the node identifier of the service node with the highest priority selected from the service group according to the load balancing principle.
  • detecting in step 401 whether the service node corresponding to the node identifier in the node identifier chain is faulty may be executed in real time. Before detecting the service node failure corresponding to the node identifier in the node identification chain, the data flow of the first node accessing the tail node is forwarded according to the node identification chain. When it is detected that the service node corresponding to the node identifier in the node identifier chain is faulty, step 402 is performed.
  • Step 402 Select a non-faulty backup service node from the service group where the fault service node is located, and update the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node, so as to control the first node access.
  • the data flow of the tail node is switched from the faulty service node to the standby service node for network service processing.
  • selecting a non-faulty backup service node from the service group to which the fault service node belongs includes: the service from the fault service node according to the load balancing principle. Select a non-faulty and highest priority alternate service node in the group.
  • step 402 updating the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node includes:
  • step a1 it is determined whether the faulty service node and the standby service node are connected to the same gateway device. If yes, step a2 is performed, and if not, step a3 is performed.
  • step a2 when the gateway device is the gateway device that is connected to the fault service node and the standby service node, the node identifier corresponding to the fault service node in the node identifier chain is updated to the node identifier corresponding to the standby service node, otherwise, the fault service is triggered. And the node device that is accessed by the node and the standby service node updates the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node;
  • Step a3 The gateway device that controls the access of the standby service node and the gateway device associated with the fault service node update the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node.
  • the gateway device associated with the fault service node may determine that the last hop and the next hop of the faulty service node are determined according to the node identifier chain, when the last hop is the first node, and the next When the hop is the tail node, the gateway device associated with the fault service node is the gateway device accessed by the first node; when the last hop is the first node and the next hop is the service node, the fault service node is associated
  • the gateway device is a gateway device accessed by the first node and a gateway device accessed by the next hop; when the next hop is the tail node, and the last hop is a service node, the fault service
  • the gateway device associated with the service node is the gateway device accessed by the last hop.
  • the gateway device that performs the foregoing method may be: a gateway device elected from a gateway device accessed by a node corresponding to each node identifier in the node identifier chain. That is, in the specific implementation, the foregoing gateway device may be a gateway device accessed by the first node, or may be a gateway device accessed by the serving node through which the head node accesses the tail node, and may also be a gateway device accessed by the tail node.
  • FIG. 5 is a schematic diagram of a networking diagram of an embodiment provided by the present disclosure.
  • the service group corresponding to the service node 1 can provide an FW service, which is called an FW service group.
  • the service group corresponding to the service node 2 can provide an LB service, which is called an LB service group.
  • the FW service group contains three service nodes: FW1, FW2, and FW3. FW1, FW2, and FW3 back up the FW network service policies to each other, and can be used as alternate service nodes.
  • the LB service group contains three service nodes: LB1, LB2, and LB3. LB1, LB2, and LB3 back up the LB network service policies to each other and can be used as alternate service nodes.
  • each service node in the service group has a different priority.
  • the priorities of FW1, FW2, and FW3 can be determined according to the order in which FW1, FW2, and FW3 are installed to the FW service group. The priority of the installation is higher than the priority after installation. As another example, the priority of each service node in the service group may also be randomly assigned.
  • VM1 accesses VM2 as an example, VM1 is the head node, and VM2 is the tail node.
  • the access path of VM1 accessing VM2 is determined based on the routing protocol.
  • the access path is: VM1->Flow Classification Node 300->Proxy Forwarding Node 301->FW Service Group->LB Service Group->Proxy Forwarding Node 302->VM2.
  • the node identification chain here is: the identifier of VM1 - the node identifier of one serving node in the FW service group - the node identifier of the one serving node in the LB service group - the identifier of VM2.
  • the different service nodes in the FW service group described above have different priorities. Based on this, the node identifier of one service node in the FW service group described above may be: the highest priority service selected from the FW service group according to the load balancing principle. The node ID of the node, which reflects the load balancing of different service nodes in the same service group.
  • the node identification chain of VM1 accessing VM2 is specifically:
  • IP1 is the IP address of VM1 (denoted as IP1) and the ID of VM2 is the IP address of VM2 (denoted as IP2)
  • IP21 is the ingress port of the above access path on FW2.
  • the ID of Port 21 (specifically, the IP address of the ingress port), and IP22 is the identifier of the port 22 of the egress port on the FW2.
  • the port ID of the LB3 is IP31 and IP32.
  • the IP31 is the ID of the ingress port Port31 of the access path on LB3 (specifically, the ingress port IP address), and the IP32 is the outbound path of the access path on LB3.
  • the port ID of the port port 32 (specifically the outbound port IP address), the node ID chain of VM1 accessing VM2 is:
  • IP1-IP21-IP22-IP31-IP32-IP2 is referred to herein as the first chain.
  • the first link to the flow classification node 300 and the proxy forwarding node 301 are pre-configured.
  • the traffic classification node 300 acquires and delivers the first traffic classification policy to the hardware of the local node after the VM1, FW2, LB3, and VM2, which are devices corresponding to the IPs, are online.
  • the proxy forwarding node 301 acquires and delivers the second traffic classification policy to the hardware of the local node after the VM1, the FW2, the LB3, and the VM2, which are corresponding to each of the first links, are online.
  • the proxy forwarding node 301 via which the VM1 accesses the VM2 is elected to execute the flow shown in FIG. 4, and the election of the traffic classification node and the proxy forwarding node 302 are also similar.
  • the proxy forwarding node 301 After the FW2 and LB3, which are the service nodes corresponding to the node identifiers in the first chain, are forwarded, the proxy forwarding node 301 detects whether the service nodes corresponding to the node identifiers in the first chain, that is, FW2 and LB3, are faulty.
  • the VM1 accesses the data stream of the VM2 via the traffic classification node 300, and the traffic classification node 300 encapsulates the identifier of the first chain for the data flow according to the first traffic classification policy and encapsulates the data of the first chain identifier.
  • the flow is redirected to the proxy forwarding node 301 connected to the serving node FW2 corresponding to the first node identifier IP21 in the first chain.
  • the proxy forwarding node 301 receives the data stream encapsulating the first chain identifier through the local PW port, decapsulating the data stream to obtain the first chain identifier, and redirecting the decapsulated data stream according to the first chain identifier
  • the first node identifier in a chain that is, the service node corresponding to IP21, is FW2.
  • the FW2 provides the FW service processing on the received data stream according to the local FW service policy, and sends the processed data stream through the local port, that is, the port 22 corresponding to the IP22.
  • the proxy forwarding node 301 receives the data stream through the local service node port Port1_22 (connected to the port Port22 corresponding to the IP22 in the first chain), and redirects the data flow to the next node identifier of the IP22 in the first chain according to the second flow classification policy. That is, the service node corresponding to IP31 is LB3.
  • the LB3 provides the LB service processing for the received data stream according to the local LB service policy, and sends the processed data stream through the local port, that is, the port 32 corresponding to the IP32.
  • the proxy forwarding node 301 receives the data stream through the local service node port Port1_32 (connected to the port Port32 corresponding to the IP32 in the first chain), and redirects the received data stream to the proxy forwarding node connected to the tail node according to the third flow classification policy. 302.
  • the final proxy forwarding node 302 sends the received data stream to the tail node. That is, the data stream that VM1 accesses VM2 finally reaches VM2 via the FW service and the LB service.
  • the proxy forwarding node 301 When the proxy forwarding node 301 detects the FW2 fault, the proxy forwarding node 301 selects a non-faulty and highest priority serving node from the FW service group in which the FW2 is located according to the load balancing principle, where FW1 is taken as an example.
  • the proxy forwarding node 301 determines whether the fault FW2 and the selected non-failed FW1 are connected to the same gateway device;
  • the proxy forwarding node 301 finds that the FW2 and the FW1 are connected to the same gateway device and the gateway device is the node, and the IP21 and IP22 in the first chain stored locally are modified to IP11 and IP12, respectively.
  • the updated first chain is: IP1-IP11-IP12-IP31-IP32-IP2.
  • the proxy forwarding node 301 automatically updates the local second traffic classification policy associated with the fault FW2 based on the updated first chain.
  • the updated second flow classification policy is: when the VM1 accesses the data stream of the VM2 through the PW port, the data stream is decapsulated to obtain the first chain identifier, and the decapsulated data stream is heavy according to the first chain identifier.
  • the second node identifier in the first chain that is, the service node corresponding to IP11, that is, FW1; when the VM1 received through the local service node port Port1_12 accesses the data stream of VM2, the data stream is redirected to the IP12 in the first chain.
  • the next node identifier is the service node corresponding to IP31, which is LB3.
  • the forwarding path of the data flow of the last VM1 accessing VM2 is as shown in FIG. 6.
  • the proxy forwarding node 301 when the proxy forwarding node 301 finds that FW2 and FW1 are connected to the same gateway device but the gateway device is not the local node, the proxy forwarding node 301 triggers the gateway device accessed by FW2 and FW1 to connect the IP21 in the first chain. IP22 is modified to IP11 and IP12 respectively. Specifically, the triggering is as follows: sending an update notification to the faulty service node and the non-failed service node to access the gateway device, and the update notification is used to notify that the IP21 and IP22 in the first stored chain in the local are respectively modified to IP11, IP12.
  • the FW2 and the FW1 accessing the gateway device automatically acquires and delivers the traffic classification policy associated with the updated first chain based on the updated first chain (similar to the proxy forwarding node 301 sending the traffic classification policy, no longer Detailed description).
  • the proxy forwarding node 301 finds that the FW2 and the FW1 are connected to different gateway devices, the proxy forwarding node 301 stores the first gateway device (referred to as the proxy forwarding node 303, not shown in the figure) accessed by the FW1.
  • the triggering proxy forwarding node 303 modifies the stored node identifiers IP21, IP22 of the fault FW2 in the first chain to the node identifiers IP11, IP12 of the FW1, and when the proxy forwarding node 303 does not store the first chain, the first The node identifiers IP21 and IP22 of the fault FW2 are modified to the node identifiers IP11 and IP12 of the FW1, and the updated first chain is sent to the proxy forwarding node 303 for storage.
  • the proxy forwarding node 303 automatically obtains and delivers the traffic classification policy associated with the FW1 based on the updated first chain (similar to the proxy forwarding node 1 sending the traffic classification policy, which will not be described in detail).
  • the proxy forwarding node 301 determines the last hop and the next hop of FW2 on the first chain.
  • the proxy forwarding node 301 finds that the last hop is the node identifier IP1 of the first node, the next hop is the node identifier (IP31, IP32) corresponding to the LB3, and the node identifier IP2 that is not the tail node, triggers the next hop on the other hand (IP31, IP32)
  • the gateway device here, the proxy forwarding node 301 is taken as an example
  • the node identifiers IP21 and IP22 of the fault FW2 in the first chain stored locally are modified to be the node identifiers IP11 and IP12 of the FW1, and the traffic classification node 300 is notified on the other hand.
  • the node identifiers IP21 and IP22 corresponding to the fault FW2 on the first link are modified to the node identifiers IP11 and IP12 corresponding to the FW1.
  • the proxy forwarding node 301 will be based on the updated first chain.
  • the second flow classification policy locally associated with the fault FW2 is dynamically updated, as described above. After the traffic classification node 300 modifies the node identifiers IP21 and IP22 corresponding to the fault FW2 on the first link to the node identifiers IP11 and IP12 corresponding to the FW1, the traffic classification node 300 further updates the first traffic classification policy.
  • the updated first flow classification policy is: encapsulating the data stream of VM1 accessing VM2 with the identifier of the first chain and redirecting the proxy forwarding node connected to the service node corresponding to the first node identifier in the first chain, that is, IP11, that is, FW1.
  • the proxy forwarding node 301 detects whether the service nodes corresponding to the node identifiers in the updated first chain, that is, FW1 and LB3, are faulty.
  • the proxy forwarding node 301 When the proxy forwarding node 301 detects the LB3 fault, the proxy forwarding node 301 selects the non-faulty and highest priority serving node from the LB service group in which the LB3 is located according to the load balancing principle, where LB2 is taken as an example.
  • the proxy forwarding node 301 finds that the fault LB3 and the non-faulty LB2 are connected to the same gateway device, and the gateway device is the node, and directly modifies the node identifiers IP31 and IP32 corresponding to the fault LB3 stored in the first chain of the local storage to the node corresponding to the LB2. Identifies IP221 and IP222.
  • the updated first chain is: IP1-IP11-IP12-IP221-IP222-IP2.
  • the proxy forwarding node 301 updates the local traffic classification policy associated with the fault LB3.
  • the updated traffic classification policy is: when the VM1 received by the local service node port Port1_12 accesses the data stream of the VM2, the data flow is redirected to the next node identifier of the IP12 in the first chain, that is, the service node corresponding to the IP221, that is, the LB2.
  • the proxy forwarding node 302 which is the proxy forwarding node to which the tail node identifier IP2 is connected in the first chain.
  • the final proxy forwarding node 302 will send the data stream of VM1 accessing VM2 to VM2.
  • the path of VM1 accessing the data flow of VM2 is as shown in FIG. 7.
  • the proxy forwarding node 301 triggers the faulty LB3 and the non-failed LB2 to access the gateway device to be faulty on the first link.
  • the node identifiers IP31 and IP32 corresponding to LB3 are modified to the node identifiers IP221 and IP222 corresponding to LB2.
  • the faulty LB3 and the non-failed LB2 accessing the gateway device automatically acquires and delivers the traffic classification policy associated with the updated first chain based on the updated first chain (similar to the proxy forwarding node 301 sending the traffic classification policy). , no longer detailed in detail).
  • the proxy forwarding node 301 accesses the gateway device at the LB2 (referred to as the proxy forwarding node 304, not shown in the figure).
  • the proxy forwarding node 304 modifies the stored node identifiers IP31 and IP32 of the faulty LB3 in the first chain to the node identifiers IP221 and IP222 corresponding to the LB2, and the first chain is not stored in the proxy forwarding node 304.
  • the node identifiers IP31 and IP32 corresponding to the fault LB3 on the first link are modified to the node identifiers IP221 and IP222 corresponding to the LB2, and the updated first chain is sent to the proxy forwarding node 304 for storage.
  • the proxy forwarding node 304 automatically acquires and delivers the traffic classification policy associated with the FW2 based on the updated first chain (similar to the traffic classification policy sent by the proxy forwarding node 301). I will not repeat them in detail).
  • the data stream of VM1 accessing VM2 is finally forwarded according to the updated first chain (IP1-IP11-IP12-IP221-IP222-IP2).
  • the proxy forwarding node 301 determines the last hop and the next hop of the LB3 on the first chain.
  • the proxy forwarding node 301 finds that the next hop is the node identifier IP2 of the tail node, and the last hop is the node identifier IP11 and IP12 corresponding to the FW1, and only the gateway of the previous hop, that is, the node identifier (IP11, IP12) corresponding to the FW1 is accessed.
  • the device here, the proxy forwarding node 301 is taken as an example
  • the node identifiers IP31 and IP32 corresponding to the fault LB3 on the local first chain are modified to the node identifiers IP221 and IP222 corresponding to the LB2.
  • the proxy forwarding node 301 automatically updates the local traffic classification policy associated with the updated first chain.
  • the node identifier of the fault service node on the node identifier chain is updated as a node of a non-faulty standby service node in the service group where the fault service node is located.
  • the identification, the final control of the data flow of the first node accessing the tail node is switched from the faulty service node to the standby service node for network service processing, thereby ensuring the continuity of the network service.
  • FIG. 8 is a hardware structural diagram of a gateway device provided by the present disclosure. As shown in FIG. 8, the gateway device may include:
  • the processor 801 is a machine readable storage medium 802 that stores machine executable instructions.
  • Processor 801 and machine readable storage medium 802 can communicate via system bus 803. And, by reading and executing machine executable instructions in the machine readable storage medium 802 corresponding to the data stream processing logic, the processor 801 can perform the processing method of the data stream described above.
  • the machine-readable storage medium 802 referred to herein can be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like.
  • the machine-readable storage medium may be: RAM (Radom Access Memory), volatile memory, non-volatile memory, flash memory, storage drive (such as a hard disk drive), solid state drive, any type of storage disk. (such as a disc, dvd, etc.), or a similar storage medium, or a combination thereof.
  • the above data stream processing logic may include:
  • the detecting unit 901 is configured to detect whether a node corresponding to each node identifier on the node identifier chain is online, where the node identifier chain includes a node identifier of the head node, and a node identifier of one or more service nodes through which the head node access tail node passes in sequence And the node identification chain of the tail node;
  • the control unit 902 is configured to: when the detecting unit 901 detects that the node corresponding to each node identifier is online,
  • the gateway device is a gateway device that is accessed by the first node
  • the first flow component associated with the node identifier chain is delivered.
  • a class policy to the hardware of the device, when receiving the data flow of the first node accessing the tail node, forwarding the data flow according to the node identification chain according to the first flow classification policy;
  • the gateway device is a gateway device that is accessed by the service node, sending a second traffic classification policy associated with the node identity chain to the hardware of the device, when receiving the data flow of the first node accessing the tail node And forwarding, according to the second flow classification policy, the data flow according to the node identifier chain.
  • the first flow classification policy or the second flow classification policy is pre-configured at the software level of the device.
  • the first flow classification policy or the second flow classification policy is obtained in advance from a software custom network SDN controller and stored at the device software level.
  • control unit 902 forwarding the data flow according to the node identification chain according to the first flow classification policy includes:
  • the data flow encapsulating the node identification chain identifier is redirected to a second gateway device that meets the following conditions: accesses a service node corresponding to the second node identifier on the node identification chain.
  • controlling unit 902 forwarding the data flow according to the node identifier chain according to the second flow classification policy includes:
  • the node identifier chain corresponding to the node identifier chain identifier of the data stream encapsulation is locally found, the data stream is decapsulated, and the decapsulated data stream is obtained. Sending to a service node corresponding to the second node identifier in the node identifier chain;
  • the node identification chain matched by the data flow is locally found, and the next hop identifier is determined according to the node identification chain, when the next hop
  • the data stream is redirected to the gateway device accessed by the tail node; otherwise, the data stream is sent to the service node corresponding to the next hop identifier, and the next hop is the node Identifying a next node identifier of the current service node identifier on the chain, where the current service node identifier is an identifier of a service node to which the service port is connected.
  • the identifier of the data flow encapsulation node identification chain includes:
  • a VXLAN encapsulation header is added to the data stream, and one of the reserved fields in the VXLAN encapsulation header carries an identifier of the node identification chain.
  • the data stream processing logic may further include:
  • the determining unit 1001 is configured to determine whether the service node corresponding to the node identifier in the node identifier chain is faulty, where each service node belongs to a corresponding service group, and each service group further includes at least one non-faulty standby service node;
  • the control unit 902 is configured to: when the determining unit 1001 detects a fault, select a non-failed standby service node from the service group to which the faulty service node belongs, and correspond to the fault service node in the node identifier chain.
  • the node identifier is updated to the node identifier corresponding to the standby serving node, so as to control the data flow of the first node accessing the tail node to switch from the faulty service node to the standby serving node for network service processing.
  • control unit 902 updates the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node, including:
  • the gateway device that triggers the faulty service node and the standby service node to access the node identifier corresponding to the fault service node in the node identifier chain is updated to the node identifier corresponding to the standby service node;
  • the gateway device that controls the access of the standby service node and the gateway device associated with the fault service node update the node identifier corresponding to the fault service node in the node identifier chain to the node identifier corresponding to the standby service node.
  • control unit 902 determines the gateway device associated with the failed service node by the following steps:
  • the gateway device associated with the faulty service node is the gateway device accessed by the first node
  • the gateway device associated with the faulty service node is the gateway device accessed by the first node and the next hop accessing Gateway device
  • the gateway device associated with the faulty service node is the gateway device accessed by the last hop.
  • the gateway device is elected from a gateway device accessed by a node corresponding to each node identifier on the node identifier chain.
  • different service nodes in the same service group have different priorities
  • the selecting an alternate service node from the service group to which the faulty service node belongs includes:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

网关设备探测节点标识链上每一节点标识对应的节点是否上线。所述节点标识链包括首节点的节点标识、首节点访问尾节点依次经由的服务节点的节点标识、以及尾节点的节点标识。当所述每一节点标识对应的节点上线时,当所述网关设备为首节点接入的网关设备时,下发与所述节点标识链相关联的第一流分类策略至本设备硬件。当接收到首节点访问尾节点的数据流时,所述网关设备依据所述第一流分类策略将所述数据流按照所述节点标识链转发。当所述网关设备为服务节点接入的网关设备时,下发与所述节点标识链相关联的第二流分类策略至本设备硬件。当接收到首节点访问尾节点的数据流时,所述网关设备依据第二流分类策略将所述数据流按照所述节点标识链转发。

Description

数据流的处理
相关申请的交叉引用
本专利申请要求于2016年7月27日提交的、申请号为201610606046.7、发明名称为“数据流的处理方法和装置”的中国专利申请以及于2016年7月27日提交的、申请号为201610606047.1、发明名称为“网络服务控制方法和装置”的中国专利申请的优先权,这两个申请的全文以引用的方式并入本文中。
背景技术
数据流在网络中传输时,需要经过各种各样的服务节点,以实现安全、快速、稳定的传输。这里的服务节点,是指为数据流提供服务的节点,比如防火墙节点、入侵检测节点、负载均衡节点等。
数据流在传输过程中经由的服务节点组成了一个服务链(Service Chain)。例如,WEB访问APP需要依次经过防火墙节点(FW)和负载均衡节点(LB)等组成的服务链。
在软件定义网络(SDN:Software Defined Network)服务链中,SDN控制器作为控制平面既为服务节点下发开放流(Openflow)表项以指导服务节点转发数据流,又为服务节点下发对应的服务转发策略以指导服务节点为数据流提供服务和执行转发处理,这加大了SDN控制器的负荷,并且对SDN控制器的可靠性要求很高。
附图说明
图1为本公开提供的数据流的处理方法的流程图。
图2为本公开实施例提供的VXLAN封装示意图。
图3为本公开提供的实施例组网图。
图4为本公开提供的数据流的处理方法的另一流程图。
图5为本公开提供的实施例应用示意图。
图6为本公开提供的实施例另一应用示意图。
图7为本公开提供的实施例另一应用示意图。
图8为本公开提供的网关设备的硬件结构图。
图9为本公开提供的图8所示设备的结构图。
图10为本公开提供的图8所示设备的另一结构图。
具体实施方式
为了使本公开的目的、技术方案和优点更加清楚,下面结合附图和具体实施例对本公开进行详细描述。
参见图1,图1为本公开提供的数据流的处理方法的流程图。该方法应用于首节点访问尾节点所经由的网关设备。在本公开中,当首节点要访问尾节点时,会基于路由协议确定出首节点访问尾节点的路径。该路径包含上述的网关设备,也包含一系列的服务节点。
在本公开中,上述的网关设备可为首节点接入的网关设备或者服务节点接入的网关设备。其中,首节点接入的网关设备不直接连接服务节点,可通过服务节点接入的网关设备连接服务节点。例如,在以太网虚拟专用网络(EVPN:Ethernet Virtual Private Network)中,这里的首节点可为EVPN中的一个虚拟机(VM),尾节点为EVPN中的另一个VM,网关设备可以为EVPN分布式网关设备。
下文步骤203描述了网关设备作为首节点接入的网关设备时执行的操作,步骤204描述了网关设备作为服务节点接入的网关设备时执行的操作。
如图1所示,该数据流的处理方法可包括以下步骤:
步骤101,探测节点标识链上每一节点标识对应的节点是否上线。
如上描述,首节点访问尾节点的路径包含上述的网关设备和一个以上服务节点。基于此,在本公开中,将首节点的节点标识、首节点访问尾节点依次经由的服务节点的节点标识、以及尾节点的节点标识串链即形成了上述首节点访问尾节点的节点标识链。各节点的节点标识可唯一表征该节点,比如可以利用节点的IP地址、MAC地址等作为节点标识。在本公开中,首节点访问尾节点的节点标识链具有惟一的节点标识链标识,并且其与首节点访问尾节点的数据流匹配。其中,首节点访问尾节点的数据流依次经由的服务节点可以视为一个服务链,在服务链上服务节点按顺序编号。
作为一个实施例,在本公开中,可基于现有的地址解析协议(ARP:Address Resolution  Protocol)、或者Internet控制报文协议(ICMP:Internet Control Message Protocol)探测首节点访问尾节点的节点标识链上每一节点标识对应的节点是否上线,具体探测方式类似现有上线探测,不再详细描述。
步骤102,若探测到每一节点标识对应的节点上线,则当网关设备为首节点接入的网关设备时,执行步骤103,当网关设备为服务节点接入的网关设备时,执行步骤104。
步骤103,下发与节点标识链相关联的第一流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第一流分类策略将该数据流按照所述节点标识链转发。
在本公开中,作为一个实施例,第一流分类策略可预先配置在本设备的软件层。作为另一个实施例,第一流分类策略可预先从SDN控制器获取并存储在设备软件层。
作为一个实施例,上述的设备软件层可为设备的存储器等软件单元;而上述的设备硬件可为转发芯片等硬件单元。需要说明的是,这里只是对设备软件层、设备硬件的举例描述,本公开并不限定。
具体地,本步骤103中依据第一流分类策略将首节点访问尾节点的数据流按照节点标识链转发具体为:
步骤A1,找到首节点访问尾节点的数据流匹配的节点标识链。
作为一个实施例,可预先设定ACL规则,该ACL规则中包含了首节点访问尾节点的数据流的特征参数与首节点访问尾节点的节点标识链的标识。这里的特征参数可为:数据流的五元组(源IP地址、目的IP地址、源端口号、目的端口号、端口协议)、数据流的源MAC地址和目的MAC地址等,本公开并不具体限定。基于该举例描述,作为一个实施例,步骤A1中,以首节点访问尾节点的数据流携带的特征参数为关键字在所有ACL规则中找到包含该关键字的ACL规则,将该找到的ACL规则中的节点标识链标识所对应的节点标识链作为首节点访问尾节点的数据流匹配的节点标识链。该匹配的节点标识链即为上述首节点访问尾节点的节点标识链。
步骤A2,为数据流封装该匹配到的节点标识链的标识。
作为一个实施例,当本公开应用于EVPN中,则本步骤A1中,为数据流封装节点标识链的标识,可借助可扩展虚拟局域网络(VXLAN)封装头实现,具体为:在数据流上增加VXLAN封装头,VXLAN封装头中的其中一个预留字段携带了节点标识链的标识,这实现了为数据流封装节点标识链标识的操作。图2所示VXLAN封装头中的预留字段1携带了节点标识链的标识。
步骤A2,还将封装了节点标识链标识的数据流重定向至满足以下条件的网关设备:接入了节点标识链上第二个节点标识对应的服务节点。
上述节点标识链上第二个节点标识对应的服务节点即第一个服务节点。
对于首节点接入的网关设备而言,根据流分类策略,需要将数据流重定向到第一个服务节点接入的网关设备,此时,首节点接入的网关设备需要确定本地出端口,例如,可以通过节点标识链获知第一个服务节点的标识(即节点标识链上第二个节点标识),通过该第二个节点标识查询对应的出端口。该节点标识可以为IP地址或MAC地址,关于通过IP地址或MAC地址查询数据转发出端口的实现,已经有多种方案,本公开不再赘述。
查询到出端口后,可将封装了节点标识链标识的数据流通过该出端口转发给相应的网关设备、即第一个服务节点接入的网关设备。
当首节点接入的网关设备通过步骤A2转发封装了节点标识链标识的数据流后,第一个服务节点接入的网关设备就会通过伪线(PW)端口接收到该封装了节点标识链标识的数据流。
步骤104,下发与节点标识链相关联的第二流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第二流分类策略将首节点访问尾节点的数据流按照所述节点标识链转发。
在本公开中,作为一个实施例,第二流分类策略可预先配置在本设备的软件层。作为另一个实施例,第二流分类策略可预先从SDN控制器获取并存储在设备软件层。
具体地,本步骤104中依据第二流分类策略将首节点访问尾节点的数据流按照所述节点标识链转发包括:
步骤B1,当通过本地PW端口接收到首节点访问尾节点的数据流时,则执行步骤B2,当通过本地连接服务节点的服务端口接收到首节点访问尾节点的数据流时,执行步骤B3。
步骤B2,找到与数据流封装的节点标识链标识对应的节点标识链,对数据流进行解封装,并将解封装后的数据流发送至该找到的节点标识链中第二个节点标识对应的服务节点。
当服务节点接入的网关设备通过PW端口接收到数据流时,基于上述步骤A2的描述,可以得出该数据流来自首节点接入的网关设备。对该数据流进行VXLAN解封装,得到首节点发送的原始数据流。基于数据流封装的节点标识链标识在本地已存储的所有节点标识链中找到与该节点标识链标识对应的节点标识链,之后将原始数据流发送至该找到的节点标识链中第二个节点标识对应的服务节点。如此,可以将首节点发送的访问尾节点的原始数据流引入 至服务节点。当服务节点针对数据流执行完服务处理后,服务节点将处理后的数据流发送给其接入的网关设备。
其中,服务节点接入的网关设备通过PW端口接收到的数据流中还可以携带服务节点的信息,例如服务节点的编号、IP地址或MAC地址等信息。如上述步骤A1所述,首节点接入的网关设备能够确定出对数据流处理的第一个服务节点,因此,该网关设备在发送数据流时,可以将这个服务节点的信息封装在数据流中,例如图2所示的VXLAN封装头中的预留字段2中可以携带服务节点的编号。当然,也可以通过其他方式发送服务节点的编号、地址等信息。如此,服务节点接入的网关设备可以根据服务节点的信息和节点标识链确定相应的服务节点,从而把数据流引入服务节点。例如,数据流携带的是服务节点的编号,如果编号为1,说明需要把数据流进入第一个服务节点,那么服务节点接入的网关设备可以从节点标识链上找到该服务节点的标识,该节点标识可以为IP地址或MAC地址,通过IP地址或MAC地址在本设备上查找出端口,将所述的原始数据流通过该出端口发给第一个服务节点。
步骤B3,当通过连接服务节点的服务端口接收到数据流时(如上述步骤B2描述,则意味着该数据流是由服务节点发送过来的),查找数据流匹配的节点标识链,根据找到的节点标识链确定下一跳标识,当下一跳标识为尾节点的节点标识时,将数据流重定向至所述尾节点接入的网关设备,否则,将数据流发送至下一跳标识对应的服务节点,下一跳标识为所述节点标识链上当前服务节点标识的下一个节点标识,当前服务节点标识为所述服务端口连接的服务节点的标识。
需要说明的是,上述示例是基于服务链上的服务节点均接入同一个网关设备的情形。还存在一种情况,即服务链上的服务节点接入了多个网关设备。相应的,步骤B2中,服务节点接入的网关设备通过PW端口接收到的数据流还可以是来自其他服务节点接入的网关设备。可以理解的是,该数据流中也可以携带服务节点的信息。结合步骤B3的描述可知,网关设备在确定下一跳节点标识时可以确定该标识对应的节点(服务节点)是否接入了本设备,如果下一跳节点标识对应的服务节点接入的是其他网关设备,那么就需要把数据流发送给该其他网关设备,可以理解的是,这里发送数据流的方式和步骤A2大致相同,唯一不同的是,需要将数据流重定向至确定出的下一跳服务节点接入的网关设备。相应的,发出的数据流中可以携带该下一跳服务节点的信息,则接收到该数据流的网关设备的处理方式与步骤B2相同。
通过图1所示流程可以看出,首节点访问尾节点所经过的服务节点只对数据流进行网络服务,并不对数据流进行封装,节省硬件表项资源。
下面以EVPN为例对图1所示流程进行举例描述:
参见图3,图3为本公开提供的实施例组网图。在如图3所示的组网中以VM1访问VM2为例,则VM1为首节点,VM2为尾节点。
当VM1访问VM2时,基于路由协议确定VM1访问VM2时依次经由服务节点1至n。
基于此,在本实施例中,将VM1的标识、VM1访问VM2依次经由的服务节点1至n的标识、以及VM2的标识串链形成VM1访问VM2的节点标识链,这里该串成的节点标识链记为链1。
假如VM1的标识为VM1的IP地址(记为IP0)、VM2的标识为VM2的IP地址(记为IP(2n+1))。假如服务节点1的节点标识为[IP1,IP2],IP1为VM1访问VM2的访问路径在服务节点1上的入端口的标识,IP2为VM1访问VM2的访问路径在服务节点1上的出端口的标识。服务节点2的节点标识为[IP3,IP4],IP3为VM1访问VM2的访问路径在服务节点2上的入端口的标识,IP4为VM1访问VM2的访问路径在服务节点2上的出端口的标识。依次类推,服务节点n的节点标识为[IP(2n-1),IP(2n)],其中,IP(2n-1)为VM1访问VM2的访问路径在服务节点n上的入端口的标识,IP(2n)为VM1访问VM2的访问路径在服务节点n上的出端口的标识。则图3中,链1具体为:
IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1)。
在图3中,上述VM1访问VM2的访问路径还会经由流分类节点300、代理转发节点301和代理转发节点302。这里流分类节点300、代理转发节点301和代理转发节点302相当于EVPN分布式网关设备。其中,流分类节点300可为首节点VM1接入的网关设备,代理转发节点301可为服务节点接入的网关设备,代理转发节点302可为尾节点接入的网关设备。
在本实施例中,流分类节点300、代理转发节点301预先配置链1。在本实施例中,代理转发节点302,为VM1访问VM2的最后一个代理转发节点,因为直连目的端VM2,只要能够正常转发数据流给目的端VM2即可,在本实施例中代理转发节点302可以不预先配置链1。
流分类节点300、代理转发节点301探测链1上各IP地址对应的设备即VM1、服务节点1至n、VM2是否均上线。在初始,链1上各IP地址对应的设备即VM1、服务节点1至n、VM2并没有上线。
当流分类节点300探测链1上各IP地址对应的设备即VM1、服务节点1至n、VM2均上线,则下发与链1相关联的流分类策略至本节点的硬件。该下发的流分类策略记为流分类策略1,用于引导VM1访问VM2的数据流按照链1转发,具体地,流分类策略1为:依据VM1 访问VM2的数据流携带的特征参数源IP地址和目的IP地址在本地匹配到VM1访问VM2的节点标识链,对VM1访问VM2的数据流封装链1的标识并重定向至满足条件的代理转发节点。条件为:与链1中第二个节点标识即IP1对应的服务节点即服务节点1连接。这里满足条件的代理转发节点为代理转发节点301。
当代理转发节点301探测链1上各IP地址对应的设备即VM1、服务节点1至n、VM2均上线,则下发与链1相关联的流分类策略至本节点的硬件。这里的流分类策略用于引导VM1访问VM2的数据流按照链1转发,具体可包含流分类策略2和流分类策略3,流分类策略2为:当通过本地PW端口接收到VM1访问VM2的数据流时,找到与数据流封装的节点标识链标识对应的节点标识链,对数据流进行解封装,并将解封装后的数据流发送至节点标识链中第二个节点标识对应的服务节点即上述的服务节点1。流分类策略3为:当通过本地连接服务节点的服务端口接收到VM1访问VM2的数据流时,依据VM1访问VM2的数据流携带的特征参数比如源IP地址和目的IP地址匹配到VM1访问VM2的节点标识链,根据VM1访问VM2的节点标识链确定下一跳标识,当下一跳标识为尾节点的节点标识比如IP(2n+1)时,将数据流重定向至尾节点接入的网关设备即代理转发节点302,否则,将数据流发送至下一跳标识对应的服务节点,下一跳标识为所述节点标识链上当前服务节点标识的下一个节点标识,所述当前服务节点标识为所述服务端口连接的服务节点的标识。
当VM1上线后,VM1发送访问VM2的数据流。VM1发送的访问VM2的数据流的源IP地址为VM1的IP地址即IP0,目的IP地址为VM2的IP地址即IP(2n+1)。为便于描述,这里将VM1访问VM2的数据流记为流1_1。
流分类节点300接收到流1_1。
流分类节点300依据流1_1携带的特征参数比如源IP地址IP0和目的IP地址IP(2n+1)在本地节点标识链中找到匹配的节点标识链。该找到的节点标识链即为上述的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))。
流分类节点300为流1_1增加VXLAN封装头。VXLAN封装头具体如图3所示,VXLAN封装头中的预留字段1携带了该找到的节点标识链即链1的标识。为便于描述,这里将增加了VXLAN封装头的流1_1记为流1_2。
流分类节点300确定本地转发流1_2的出端口。该出端口为流分类节点本地连接以下代理转发节点的端口:与该找到的节点标识链即链1中第一个服务节点标识IP1对应的服务节点1连接的代理转发节点(该代理转发节点实质为图4中的代理转发节点301)。为便于描 述,这里将该确定出的出端口记为Port0。
流分类节点300将流1_2重定向至该确定出的出端口Port0并转发。
代理转发节点301通过本地PW端口(记为Port1)接收到流1_2。
代理转发节点301依据流分类策略2确定流1_2的VXLAN封装头携带的节点标识链的标识,在本地节点标识链中找到具有所确定的节点标识链标识的节点标识链。该找到的节点标识链即为上述的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))。
代理转发节点301对流1_2进行VXLAN解封装,即恢复了上述的流1_1。
代理转发节点301将恢复出的流1_1发送至该找到的节点标识链即链1中第一个服务节点标识IP1对应的服务节点1。
服务节点1通过IP1对应的端口(记为Port1_1)接收代理转发节点301发送的流1_1,并按照本地服务策略对流1_1进行处理。
服务节点1通过IP2对应的端口(记为Port1_2)发送处理后的流1_1给代理转发节点301。
代理转发节点301通过本地连接上述Port1_2的端口(记为Port1_12)接收流1_1。
代理转发节点301依据流分类策略3找到流1_1携带的特征参数比如源IP地址IP0和目的IP地址IP(2n+1)匹配的节点标识链。该找到的节点标识链即为上述的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))。
代理转发节点301依据找到的链1并通过以下步骤确定下一跳标识:
确定本地端口Port1_12连接的服务节点1上端口Port1_2所对应的标识为IP2,在本实施例中,代理转发节点301会预先学习本地各服务端口所连接的服务节点上端口对应的标识,基于此,代理转发节点301基于已学习的各端口对应的标识确定服务节点1上端口Port1_2所对应的标识;
将找到的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))中IP2的下一个节点标识(即IP3)确定为下一跳标识。
代理转发节点301向下一跳标识IP3对应的服务节点(即服务节点2)发送流1_1。
服务节点2通过IP3对应的端口(记为Por2_3)接收代理转发节点301发送的流1_1,并按照本地服务策略对流1_1进行处理。
服务节点2通过IP4对应的端口(记为Port2_4)发送处理后的流1_1给代理转发节点301。
代理转发节点301通过本地连接服务节点2上Port2_4的端口(记为Port1_24)接收流1_1。
代理转发节点301依据流分类策略3找到流1_1携带的特征参数比如源IP地址IP0和目的IP地址IP(2n+1)匹配的节点标识链。该找到的节点标识链即为上述的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))。
代理转发节点301依据找到的链1并通过以下步骤确定下一跳标识:
确定本地端口Port1_24连接的服务节点2上端口Port2_4所对应的标识为IP4;
将找到的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))中IP4的下一个服务节点标识即IP5确定为下一跳标识。
代理转发节点301向下一跳标识IP5对应的服务节点发送流1_1。依次类推,最终代理转发节点1会将流1_1发送给服务节点n。
服务节点n通过IP(2n-1)对应的端口(记为Porn_2n-1)接收代理转发节点301发送的流1_1,并按照本地服务策略对接收的流1_1进行处理。
服务节点n通过IP(2n)对应的端口(记为Portn_2n)发送处理后的流1_1给代理转发节点301。
代理转发节点301通过本地连接服务节点n上Portn_2n的端口(记为Port1_n2n)接收流1_1。
代理转发节点301依据流1_1携带的特征参数比如源IP地址IP0和目的IP地址IP(2n+1)在本地节点标识链中找到节点标识链。该找到的节点标识链即为上述的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))。
代理转发节点301依据找到的链1并通过以下步骤确定下一跳标识:
确定本地端口Port1_n2n连接服务节点n上端口Portn_2n所对应的标识为IP(2n);
将找到的链1(IP0-IP1-IP2-IP3-IP4-……-IP(2n-1)-IP(2n)-IP(2n+1))中IP(2n)的下一个节点标识即IP(2n+1)确定为下一跳标识。
代理转发节点301对流1_1进行VXLAN封装,这里的VXLAN封装不再包含链1的标识,类似现有的VXLAN封装。VXLAN封装后的流1_1记为流1_3。
代理转发节点301通过连接代理转发节点302(尾节点VM2接入的网关设备)的出端口发送流1_3。
代理转发节点302接收到代理转发节点301发送的流1_3,对流1_3进行VXLAN解封装,即恢复上述的流1_1。
代理转发节点302将恢复出的流1_1直接转发给VM2,最终VM2会收到VM1访问的数据流。
需要说明的是,在上面描述的实施例中,是以服务链中的所有服务节点连接至同一代理转发节点为例,这只是为便于描述所举的特例,并非用于限定本公开,在实现本公开目的的前提下,通过扩展还可以不同服务节点连接不同代理转发节点等。
还需要说明的是,在图3所示实施例中,在链1上各IP地址对应的设备即VM1、服务节点1至n、VM2上线后,流分类节点300、代理转发节点301还需进一步探测链1上各IP地址对应的设备即VM1、服务节点1至n、VM2是否下线,当流分类节点300探测到链1上各IP地址对应的设备即VM1、服务节点1至n、VM2中有至少一个下线,则删除本地硬件中的第一流分类策略。
同样,当代理转发节点302探测到链1上各IP地址对应的设备即VM1、服务节点1至n、VM2中有至少一个下线,则删除本地硬件中的第二流分类策略。
由以上技术方案可以看出,本公开中,通过节点标识链、与节点标识链相关联的第一流分类策略对首节点接入的网关设备的数据流转发进行改进;通过节点标识链、与节点标识链相关联的第二流分类策略对服务节点接入的网关设备的数据流转发进行改进,最终由首节点接入的网关设备和服务节点接入的网关设备相互结合引导首节点访问尾节点的数据流按照节点标识链转发,而非由SDN控制器控制指导数据流的转发,这一方面减轻了SDN控制器的负荷,对SDN控制器的可靠性要求不高,也避免SDN控制器在数据流经由的各服务节点下发服务转发策略带来的缺陷。
在上文中,对于服务链上的数据处理方法进行了介绍。但是,当服务链上的服务节点出现故障时,会导致整个服务链失效,影响数据流的网络服务。
基于此,在本公开中,针对每一服务节点设置了对应的服务组,该服务组中除了该服务节点外还包含至少一个备用服务节点。服务节点和备用服务节点均可提供相同的服务,彼此之间可备份服务策略。
参见图4,图4为本公开提供的数据流的处理方法的另一流程图。该数据流的处理方法可以应用于服务链上的各节点接入的网关设备。
在步骤401,检测首节点访问尾节点的节点标识链中节点标识对应的服务节点是否故障。
同一服务组中不同服务节点具有不同优先级,其中,上述服务组中服务节点的优先级静态配置或者由安装至服务组的顺序动态确定。基于此,本步骤401中节点标识链上服务组中的其中一个服务节点的节点标识具体为:按照负载均衡原则从服务组中选择出的优先级最高的服务节点的节点标识。
作为一个实施例,步骤401中检测节点标识链中节点标识对应的服务节点是否故障可实时执行。在检测出节点标识链中节点标识对应的服务节点故障之前,首节点访问尾节点的数据流都是按照该节点标识链转发。而在检测出节点标识链中节点标识对应的服务节点故障时,则执行步骤402。
步骤402,从故障服务节点所处服务组中选取一个非故障的备用服务节点,将所述节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识,以控制首节点访问尾节点的数据流从故障服务节点切换至备用服务节点进行网络服务处理。
同一服务组中不同服务节点极可具有不同优先级,基于此,本步骤402中,从故障服务节点所属服务组中选取一个非故障的备用服务节点包括:按照负载均衡原则从故障服务节点所属服务组中选取一个非故障且优先级最高的备用服务节点。
作为一个实施例,步骤402中,将节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识包括:
步骤a1,判断故障服务节点和备用服务节点是否接入同一网关设备,如果是,执行步骤a2,如果否,执行步骤a3。
步骤a2,当本网关设备为故障服务节点和备用服务节点同接入的网关设备时,将节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识,否则,触发故障服务节点和所述备用服务节点同接入的网关设备将节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识;
步骤a3,控制备用服务节点接入的网关设备、以及故障服务节点相关联的网关设备将节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识。
作为一个实施例,这里的故障服务节点相关联的网关设备可通过以下步骤确定:依据节点标识链确定故障服务节点的上一跳和下一跳,当上一跳为所述首节点,下一跳为所述尾节点时,故障服务节点相关联的网关设备为所述首节点接入的网关设备;当上一跳为所述首节点,下一跳为服务节点时,故障服务节点相关联的网关设备为所述首节点接入的网关设备和所述下一跳接入的网关设备;当下一跳为所述尾节点,上一跳为服务节点时,所述故障服 务节点相关联的网关设备为所述上一跳接入的网关设备。
需要说明的是,作为一个实施例,执行上述方法的网关设备可为:从上述节点标识链上各节点标识对应的节点所接入的网关设备中选举出的网关设备。也即,其具体实现时,上述的网关设备可能为首节点接入的网关设备,也可能为首节点访问尾节点经由的服务节点接入的网关设备,还可能为尾节点接入的网关设备。
以下参考图5来对服务链上存在故障服务节点时数据流的处理方法进行描述。图5为本公开提供的实施例组网示意图。如图5所示,服务节点1对应的服务组可提供FW服务,称为FW服务组;服务节点2对应的服务组可提供LB服务,称为LB服务组。FW服务组中包含三个服务节点:FW1、FW2、FW3。FW1、FW2、FW3互相备份FW网络服务策略,均可以用作备用服务节点。LB服务组中包含三个服务节点:LB1、LB2、LB3。LB1、LB2、LB3互相备份LB网络服务策略,均可以用作备用服务节点。
在本实施例中,服务组中的各服务节点具有不同的优先级。以FW服务组为例,FW1、FW2、FW3的优先级可依据FW1、FW2、FW3安装至FW服务组的先后顺序确定,其中,安装在先的优先级高于安装在后的优先级。作为另一个实施例,服务组中的各服务节点的优先级也可随机指配。
在如图5所示的组网中以VM1访问VM2为例,VM1为首节点,VM2为尾节点。
当VM1访问VM2时,基于路由协议确定VM1访问VM2的访问路径。假如该访问路径为:VM1->流分类节点300->代理转发节点301->FW服务组->LB服务组->代理转发节点302->VM2。基于上述访问路径,可确定VM1访问VM2的节点标识链。这里的节点标识链为:VM1的标识-FW服务组中一个服务节点的节点标识-LB服务组中一个服务节点的节点标识-VM2的标识。
如上描述的FW服务组中不同服务节点具有不同优先级,基于此,上面描述的FW服务组中一个服务节点的节点标识可为:按照负载均衡原则从FW服务组选择出的优先级最高的服务节点的节点标识,这体现了同一服务组中不同服务节点的负载均衡分担。
作为一个举例,VM1访问VM2的节点标识链具体为:
VM1的标识-FW2的节点标识-LB3的节点标识-VM2的标识。
假如VM1的标识为VM1的IP地址(记为IP1)、VM2的标识为VM2的IP地址(记为IP2),假如FW2的节点标识为IP21、IP22,IP21为上述访问路径在FW2上的入端口Port21的标识(具体为入端口IP地址),IP22为上述访问路径在FW2上的出端口Port22的标识(具 体为出端口IP地址),LB3的节点标识为IP31、IP32,IP31为上述访问路径在LB3上的入端口Port31的标识(具体为入端口IP地址),IP32为上述访问路径在LB3上的出端口Port32的标识(具体为出端口IP地址),则VM1访问VM2的节点标识链为:
IP1-IP21-IP22-IP31-IP32-IP2。
在本实施例中,为便于描述,这里将IP1-IP21-IP22-IP31-IP32-IP2简称第一链。预先配置第一链至流分类节点300、代理转发节点301。
流分类节点300在第一链上各IP对应的设备即VM1、FW2、LB3、VM2均上线后,获取并下发第一流分类策略至本节点的硬件。代理转发节点301在第一链上各标识对应的设备即VM1、FW2、LB3、VM2均上线后,获取并下发第二流分类策略至本节点的硬件。
在本实施例中,假设选举出VM1访问VM2经由的代理转发节点301来执行图4所示流程,选举出流分类节点、代理转发节点302也类似。
代理转发节点301在第一链上各节点标识对应的服务节点即FW2、LB3上线后,实时检测第一链上各节点标识对应的服务节点即FW2、LB3是否故障。
当FW2、LB3未故障,则VM1访问VM2的数据流会经由流分类节点300,由流分类节点300依据第一流分类策略为数据流封装第一链的标识并将封装了第一链标识的数据流重定向至与第一链中第一个节点标识IP21对应的服务节点FW2连接的代理转发节点301。代理转发节点301通过本地PW端口收到封装了第一链标识的数据流时,对数据流进行解封装以获得第一链标识,并依据第一链标识将解封装的数据流重定向至第一链中第一个节点标识即IP21对应的服务节点即FW2。FW2依据本地的FW服务策略对接收的数据流提供FW服务处理,并通过本地端口即IP22对应的端口Port22发送处理后的数据流。代理转发节点301通过本地服务节点端口Port1_22(与第一链中IP22对应的端口Port22连接)收到数据流,依据第二流分类策略将数据流重定向至第一链中IP22的下一个节点标识即IP31对应的服务节点即LB3。LB3依据本地的LB服务策略对接收的数据流提供LB服务处理,并通过本地端口即IP32对应的端口Por32发送处理后的数据流。代理转发节点301通过本地服务节点端口Port1_32(与第一链中IP32对应的端口Port32连接)收到数据流,依据第三流分类策略将接收的数据流重定向至尾节点所连接的代理转发节点302。最终代理转发节点302将接收的数据流发送至尾节点。即,VM1访问VM2的数据流经由FW服务、LB服务最终到达VM2。
当代理转发节点301检测出FW2故障时,则,代理转发节点301按照负载均衡原则从FW2所处的FW服务组中选取一个非故障且优先级最高的服务节点,这里以FW1为例。
代理转发节点301判断故障FW2和选取的非故障的FW1是否连接同一个网关设备;
代理转发节点301发现FW2和FW1连接同一个网关设备且该网关设备为本节点,则将本地存储的第一链中的IP21、IP22分别修改为IP11、IP12。更新后的第一链为:IP1-IP11-IP12-IP31-IP32-IP2。同时,代理转发节点301会基于更新后的第一链自动更新本地与故障FW2相关联的第二流分类策略。更新后的第二流分类策略为:在通过PW端口收到VM1访问VM2的数据流时,对数据流进行解封装以获得第一链标识,并依据第一链标识将解封装的数据流重定向至第一链中第二个节点标识即IP11对应的服务节点即FW1;在通过本地服务节点端口Port1_12收到的VM1访问VM2的数据流时,将数据流重定向至第一链中IP12的下一个节点标识即IP31对应的服务节点即LB3。基于更新后的第二流分类策略,则最终VM1访问VM2的数据流的转发路径如图6所示。
需要说明的是,当代理转发节点301发现FW2和FW1连接同一个网关设备但该网关设备不为本节点,则代理转发节点301触发FW2和FW1同接入的网关设备将第一链中的IP21、IP22分别修改为IP11、IP12。具体地,该触发举例为:发送更新通知给故障服务节点和非故障服务节点同接入的网关设备,更新通知用于通知将本地已存储的第一链中的IP21、IP22分别修改为IP11、IP12。FW2和FW1同接入的网关设备会基于更新后的第一链自动获取并下发与更新后的第一链相关联的流分类策略(类似上述代理转发节点301下发流分类策略,不再详细赘述)。
还需要说明的是,当代理转发节点301发现FW2和FW1连接不同网关设备,则代理转发节点301在FW1接入的网关设备(记为代理转发节点303,图中未示出)存储了第一链时,触发代理转发节点303将已存储的第一链中故障FW2的节点标识IP21、IP22修改为FW1的节点标识IP11、IP12,而在代理转发节点303未存储第一链时,将第一链上故障FW2的节点标识IP21、IP22修改为FW1的节点标识IP11、IP12,将更新后的第一链发送给代理转发节点303存储。代理转发节点303会基于更新后的第一链自动获取并下发与FW1相关联的流分类策略(类似上述代理转发节点1下发流分类策略,不再详细赘述)。
并且,代理转发节点301确定第一链上FW2的上一跳和下一跳。代理转发节点301发现上一跳为首节点的节点标识IP1,下一跳为LB3对应的节点标识(IP31、IP32),不为尾节点的节点标识IP2,则一方面触发将下一跳(IP31、IP32)接入的网关设备(这里以代理转发节点301为例)本地存储的第一链中故障FW2的节点标识IP21、IP22修改为FW1的节点标识IP11、IP12,另一方面通知流分类节点300将第一链上故障FW2对应的节点标识IP21、IP22修改为FW1对应的节点标识IP11、IP12。代理转发节点301会基于更新后的第一链自 动更新本地与故障FW2相关联的第二流分类策略,具体如上描述。流分类节点300在将第一链上故障FW2对应的节点标识IP21、IP22修改为FW1对应的节点标识IP11、IP12后,还会进一步更新第一流分类策略。更新后的第一流分类策略为:将VM1访问VM2的数据流封装第一链的标识并重定向与第一链中第一个节点标识即IP11对应的服务节点即FW1连接的代理转发节点。
之后,代理转发节点301检测更新后的第一链中各节点标识对应的服务节点即FW1、LB3是否故障。
当代理转发节点301检测出LB3故障时,则,代理转发节点301按照负载均衡原则从LB3所处的LB服务组中选取非故障且优先级最高的服务节点,这里以LB2为例。
代理转发节点301发现故障LB3和非故障LB2连接同一个网关设备,且该网关设备为本节点,则直接将本地存储的第一链上故障LB3对应的节点标识IP31、IP32修改为LB2对应的节点标识IP221、IP222。更新后的第一链为:IP1-IP11-IP12-IP221-IP222-IP2。同时,代理转发节点301更新本地与故障LB3相关联的流分类策略。更新后的流分类策略为:在通过本地服务节点端口Port1_12收到的VM1访问VM2的数据流时,将数据流重定向至第一链中IP12的下一个节点标识即IP221对应的服务节点即LB2;在通过本地服务节点端口Port1_222收到的VM1访问VM2的数据流时,将数据流重定向第一链中尾节点标识IP2所连接的代理转发节点即代理转发节点302。最终代理转发节点302会将VM1访问VM2的数据流发送至VM2。基于更新后的流分类策略,则VM1访问VM2的数据流的路径如图7所示。
需要说明的是,假如故障LB3和非故障LB2连接同一个网关设备但该网关设备不为本节点,则代理转发节点301触发故障LB3和非故障LB2同接入的网关设备将第一链上故障LB3对应的节点标识IP31、IP32修改为LB2对应的节点标识IP221、IP222。故障LB3和非故障LB2同接入的网关设备会基于更新后的第一链自动获取并下发与更新后的第一链相关联的流分类策略(类似上述代理转发节点301下发流分类策略,不再详细赘述)。
还需要说明的是,当代理转发节点301发现故障LB3和非故障LB2连接不同网关设备,则,代理转发节点301在LB2接入的网关设备(记为代理转发节点304,图中未示出)存储了第一链时,触发代理转发节点304将已存储的第一链中故障LB3的节点标识IP31、IP32修改为LB2对应的节点标识IP221、IP222,而在代理转发节点304未存储第一链时,将第一链上故障LB3对应的节点标识IP31、IP32修改为LB2对应的节点标识IP221、IP222,将更新后的第一链发送给代理转发节点304存储。同时,代理转发节点304会基于更新后的第一链自动获取并下发与FW2相关联的流分类策略(类似上述代理转发节点301下发流分类策略, 不再详细赘述)。最终保证VM1访问VM2的数据流按照更新后的第一链(IP1-IP11-IP12-IP221-IP222-IP2)转发。
并且,代理转发节点301确定第一链上LB3的上一跳和下一跳。代理转发节点301发现下一跳为尾节点的节点标识IP2,上一跳为FW1对应的节点标识IP11、IP12,则仅将上一跳即FW1对应的节点标识(IP11、IP12)接入的网关设备(这里以代理转发节点301为例)本地第一链上故障LB3对应的节点标识IP31、IP32修改为LB2对应的节点标识IP221、IP222。代理转发节点301会自动更新本地与更新后的第一链相关联的流分类策略。
本公开示例中,当节点标识链上节点标识对应的服务节点故障时,及时更新该节点标识链上故障服务节点的节点标识为故障服务节点所处服务组中一个非故障的备用服务节点的节点标识,最终控制首节点访问尾节点的数据流从故障服务节点切换至备用服务节点进行网络服务处理,保证了网络服务的连续性。
以上对本公开提供的方法进行了描述。下面对本公开提供的装置进行描述。
参见图8,图8为本公开提供的网关设备的硬件结构图。如图8所示,该网关设备可包括:
处理器801、存储有机器可执行指令的机器可读存储介质802。处理器801与机器可读存储介质802可经由系统总线803通信。并且,通过读取并执行机器可读存储介质802中与数据流处理逻辑对应的机器可执行指令,处理器801可执行上文描述的数据流的处理方法。
本文中提到的机器可读存储介质802可以是任何电子、磁性、光学或其它物理存储装置,可以包含或存储信息,如可执行指令、数据,等等。例如,机器可读存储介质可以是:RAM(Radom Access Memory,随机存取存储器)、易失存储器、非易失性存储器、闪存、存储驱动器(如硬盘驱动器)、固态硬盘、任何类型的存储盘(如光盘、dvd等),或者类似的存储介质,或者它们的组合。
如图9所示,从功能上划分,上述数据流处理逻辑可以包括:
探测单元901,用于探测节点标识链上每一节点标识对应的节点是否上线,所述节点标识链包括首节点的节点标识、首节点访问尾节点依次经由的一个或多个服务节点的节点标识、以及尾节点的节点标识串链;
控制单元902,用于当探测单元901探测到每一节点标识对应的节点上线,则,
当所述网关设备为首节点接入的网关设备时,下发与所述节点标识链相关联的第一流分 类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第一流分类策略将所述数据流按照所述节点标识链转发;以及,
当所述网关设备为所述服务节点接入的网关设备时,下发与所述节点标识链相关联的第二流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第二流分类策略将所述数据流按照所述节点标识链转发。
在一个示例中,所述第一流分类策略或第二流分类策略预先配置在本设备软件层面;或者,
所述第一流分类策略或第二流分类策略预先从软件自定义网络SDN控制器获取并存储在本设备软件层面。
在一个示例中,控制单元902依据第一流分类策略将所述数据流按照节点标识链转发包括:
在本地找到所述数据流匹配的所述节点标识链;
为所述数据流封装所述节点标识链的标识;
将封装了节点标识链标识的数据流重定向至满足以下条件的第二网关设备:接入了所述节点标识链上第二个节点标识对应的服务节点。
在一个示例中,所述控制单元902依据第二流分类策略将所述数据流按照节点标识链转发包括:
当通过本地伪线PW端口接收到所述数据流时,在本地找到与数据流封装的节点标识链标识对应的所述节点标识链,对数据流进行解封装,并将解封装后的数据流发送至所述节点标识链中第二个节点标识对应的服务节点;
当通过本地连接服务节点的服务端口接收到所述数据流时,在本地找到所述数据流匹配的所述节点标识链,根据所述节点标识链确定下一跳标识,当所述下一跳标识为尾节点的节点标识时,将数据流重定向至所述尾节点接入的网关设备,否则,将数据流发送至下一跳标识对应的服务节点,所述下一跳为所述节点标识链上当前服务节点标识的下一个节点标识,所述当前服务节点标识为所述服务端口连接的服务节点的标识。
在一个示例中,所述为数据流封装节点标识链的标识包括:
在数据流上增加VXLAN封装头,所述VXLAN封装头中的其中一个预留字段携带了节点标识链的标识。
如图10所示,从功能上划分,上述数据流处理逻辑还可以包括:
确定单元1001,用于确定节点标识链中节点标识对应的服务节点是否故障,其中,每个服务节点属于相应的服务组,每个服务组还包括至少一个非故障的备用服务节点;
所述控制单元902,用于当所述确定单元1001检测到故障时,从故障服务节点所属服务组中选取一个非故障的备用服务节点,将所述节点标识链中所述故障服务节点对应的节点标识更新为所述备用服务节点对应的节点标识,以控制首节点访问尾节点的数据流从所述故障服务节点切换至所述备用服务节点进行网络服务处理。
在一个示例中,所述控制单元902将节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识包括:
判断所述故障服务节点和所述备用服务节点是否接入同一网关设备;
如果是,触发所述故障服务节点和所述备用服务节点同接入的网关设备将所述节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识;
如果否,控制所述备用服务节点接入的网关设备、以及所述故障服务节点相关联的网关设备将所述节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识。
在一个示例中,所述控制单元902通过以下步骤确定所述故障服务节点相关联的网关设备:
依据节点标识链确定所述故障服务节点的上一跳和下一跳;
当所述上一跳为所述首节点,所述下一跳为所述尾节点时,确定故障服务节点相关联的网关设备为所述首节点接入的网关设备;
当所述上一跳为所述首节点,所述下一跳为服务节点时,确定故障服务节点相关联的网关设备为所述首节点接入的网关设备和所述下一跳接入的网关设备;
当所述下一跳为所述尾节点,所述上一跳为服务节点时,确定所述故障服务节点相关联的网关设备为所述上一跳接入的网关设备。
在一个示例中,所述网关设备是从所述节点标识链上各节点标识对应的节点所接入的网关设备中选举出的。
在一个示例中,同一服务组中不同服务节点具有不同优先级;
所述从故障服务节点所属服务组中选取一个备用服务节点包括:
按照负载均衡原则从故障服务节点所属服务组中选取一个非故障且优先级最高的备用服务节点。
以上所述仅为本公开的较佳实施例而已,并不用以限制本公开,凡在本公开的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本公开保护的范围之内。

Claims (14)

  1. 一种数据流的处理方法,该方法包括:
    网关设备探测节点标识链上每一节点标识对应的节点是否上线,所述节点标识链包括首节点的节点标识、首节点访问尾节点依次经由的一个或多个服务节点的节点标识、以及尾节点的节点标识;
    当所述每一节点标识对应的节点上线,则,
    当所述网关设备为首节点接入的网关设备时,下发与所述节点标识链相关联的第一流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,所述网关设备依据所述第一流分类策略将所述数据流按照所述节点标识链转发;
    当所述网关设备为所述服务节点接入的网关设备时,下发与所述节点标识链相关联的第二流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,所述网关设备依据第二流分类策略将所述数据流按照所述节点标识链转发。
  2. 根据权利要求1所述的方法,其中,所述第一流分类策略或第二流分类策略预先配置在本设备软件层面;或者,
    从软件自定义网络SDN控制器获取所述第一流分类策略或第二流分类策略并存储在本设备软件层面。
  3. 根据权利要求1所述的方法,其中,所述依据第一流分类策略将所述数据流按照所述节点标识链转发包括:
    所述网关设备在本地找到所述数据流匹配的所述节点标识链;
    所述网关设备为所述数据流封装所述节点标识链的标识;
    所述网关设备将封装了节点标识链标识的数据流重定向至满足以下条件的网关设备:接入了所述节点标识链上第二个节点标识对应的服务节点。
  4. 根据权利要求1所述的方法,其中,所述依据第二流分类策略将所述数据流按照所述节点标识链转发包括:
    当通过本地伪线PW端口接收到所述数据流时,所述网关设备在本地找到与数据流封装的节点标识链标识对应的所述节点标识链,对数据流进行解封装,并将解封装后的数据流发送至所述节点标识链中第二个节点标识对应的服务节点;
    当通过本地连接服务节点的服务端口接收到所述数据流时,所述网关设备在本地找到所述数据流匹配的所述节点标识链,根据所述节点标识链确定下一跳标识,当所述下一跳标识为尾节点的节点标识时,将数据流重定向至所述尾节点接入的网关设备,否则,将数据流发 送至下一跳标识对应的服务节点。
  5. 根据权利要求1所述的方法,其中,每个所述服务节点属于相应的服务组,每个服务组还包括至少一个备用服务节点,
    所述方法还包括:
    所述网关设备在检测到所述节点标识链中节点标识对应的服务节点故障的情况时,从故障服务节点所属服务组中选取一个非故障的备用服务节点,将所述节点标识链上所述故障服务节点对应的节点标识更新为所述选取的备用服务节点对应的节点标识,以使首节点访问尾节点的数据流从所述故障服务节点切换至所述备用服务节点。
  6. 根据权利要求5所述的方法,其中,所述将故障服务节点对应的节点标识更新为所述选取的备用服务节点对应的节点标识包括:
    在所述故障服务节点和所述备用服务节点均接入相同的网关设备的情况下,所述网关设备触发所述故障服务节点和所述备用服务节点同接入的网关设备将所述节点标识链上所述故障服务节点对应的节点标识更新为所述备用服务节点对应的节点标识;
    在所述故障服务节点和所述备用服务节点接入不同的网关设备的情况下,所述网关设备控制所述非故障服务节点接入的网关设备、以及所述故障服务节点相关联的网关设备将所述节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识。
  7. 根据权利要求6所述的方法,所述方法还包括:
    所述网关设备依据所述节点标识链确定所述故障服务节点的上一跳和下一跳;
    当所述上一跳为所述首节点,所述下一跳为所述尾节点时,所述网关设备确定故障服务节点相关联的网关设备为所述首节点接入的网关设备;
    当所述上一跳为所述首节点,所述下一跳为服务节点时,所述网关设备确定故障服务节点相关联的网关设备为所述首节点接入的网关设备和所述下一跳接入的网关设备;
    当所述下一跳为所述尾节点,所述上一跳为服务节点时,所述网关设备确定所述故障服务节点相关联的网关设备为所述上一跳接入的网关设备。
  8. 一种网关设备,包括:
    处理器;
    存储介质,其存储有能够被所述处理器执行的机器可执行指令,所述处理器被所述机器可执行指令促使:
    探测节点标识链上每一节点标识对应的节点是否上线,所述节点标识链包括首节点的节点标识、首节点访问尾节点依次经由的一个或多个服务节点的节点标识、以及尾节点的节点 标识;
    当所述每一节点标识对应的节点上线,则,
    当所述网关设备为首节点接入的网关设备时,下发与所述节点标识链相关联的第一流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第一流分类策略将所述数据流按照所述节点标识链转发;
    当所述网关设备为所述服务节点接入的网关设备时,下发与所述节点标识链相关联的第二流分类策略至本设备硬件,当接收到首节点访问尾节点的数据流时,依据第二流分类策略将所述数据流按照所述节点标识链转发。
  9. 根据权利要求8所述的网关设备,其中,所述第一流分类策略或第二流分类策略预先配置在本设备软件层面;或者,
    从软件自定义网络SDN控制器获取所述第一流分类策略或第二流分类策略并存储在本设备软件层面。
  10. 根据权利要求8所述的网关设备,其中,在依据第一流分类策略将所述数据流按照所述节点标识链转发时,所述处理器被所述机器可执行指令促使:
    在本地找到所述数据流匹配的所述节点标识链;
    为所述数据流封装所述节点标识链的标识;
    将封装了节点标识链标识的数据流重定向至满足以下条件的网关设备:接入了所述节点标识链上第二个节点标识对应的服务节点。
  11. 根据权利要求8所述的网关设备,其中,在依据第二流分类策略将所述数据流按照所述节点标识链转发时,所述处理器被所述机器可执行指令促使:
    当通过本地伪线PW端口接收到所述数据流时,在本地找到与数据流封装的节点标识链标识对应的所述节点标识链,对数据流进行解封装,并将解封装后的数据流发送至所述节点标识链中第二个节点标识对应的服务节点;
    当通过本地连接服务节点的服务端口接收到所述数据流时,在本地找到所述数据流匹配的所述节点标识链,根据所述节点标识链确定下一跳标识,当所述下一跳标识为尾节点的节点标识时,将数据流重定向至所述尾节点接入的网关设备,否则,将数据流发送至下一跳标识对应的服务节点。
  12. 根据权利要求8所述的网关设备,其中,每个所述服务节点属于相应的服务组,每个服务组包括至少一个备用服务节点;
    所述处理器被所述机器可执行指令促使:
    在检测到所述节点标识链中节点标识对应的服务节点故障的情况下,从故障服务节点所属服务组中选取一个非故障的备用服务节点,将所述节点标识链上所述故障服务节点对应的节点标识更新为所述选取的备用服务节点对应的节点标识,以控制首节点访问尾节点的数据流从所述故障服务节点切换至所述备用服务节点。
  13. 根据权利要求12所述的网关设备,其中,在将故障服务节点对应的节点标识更新为所述选取的备用服务节点对应的节点标识时,所述处理器还被所述机器可执行指令促使:
    在所述故障服务节点和所述备用服务节点均接入相同的网关设备的情况下,
    触发所述故障服务节点和所述备用服务节点同接入的网关设备将所述节点标识链上所述故障服务节点对应的节点标识更新为所述备用服务节点对应的节点标识;
    在所述故障服务节点和所述备用服务节点接入不同的网关设备的情况下,
    控制所述非故障服务节点接入的网关设备、以及所述故障服务节点相关联的网关设备将所述节点标识链中故障服务节点对应的节点标识更新为备用服务节点对应的节点标识。
  14. 根据权利要求13所述的网关设备,其中,所述处理器还被所述机器可执行指令促使:
    依据所述节点标识链确定所述故障服务节点的上一跳和下一跳;
    当所述上一跳为所述首节点,所述下一跳为所述尾节点时,确定故障服务节点相关联的网关设备为所述首节点接入的网关设备;
    当所述上一跳为所述首节点,所述下一跳为服务节点时,确定故障服务节点相关联的网关设备为所述首节点接入的网关设备和所述下一跳接入的网关设备;
    当所述下一跳为所述尾节点,所述上一跳为服务节点时,确定所述故障服务节点相关联的网关设备为所述上一跳接入的网关设备。
PCT/CN2017/094702 2016-07-27 2017-07-27 数据流的处理 WO2018019270A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US16/303,117 US10972384B2 (en) 2016-07-27 2017-07-27 Processing of data stream
EP17833573.3A EP3493488B1 (en) 2016-07-27 2017-07-27 Processing of data stream
JP2019504773A JP6850865B2 (ja) 2016-07-27 2017-07-27 データストリームの処理方法および第1ゲートウェイ設備

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610606047.1A CN107666402B (zh) 2016-07-27 2016-07-27 网络服务控制方法和装置
CN201610606046.7 2016-07-27
CN201610606047.1 2016-07-27
CN201610606046.7A CN107666447B (zh) 2016-07-27 2016-07-27 数据流的处理方法和装置

Publications (1)

Publication Number Publication Date
WO2018019270A1 true WO2018019270A1 (zh) 2018-02-01

Family

ID=61015864

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/094702 WO2018019270A1 (zh) 2016-07-27 2017-07-27 数据流的处理

Country Status (4)

Country Link
US (1) US10972384B2 (zh)
EP (1) EP3493488B1 (zh)
JP (1) JP6850865B2 (zh)
WO (1) WO2018019270A1 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10972384B2 (en) * 2016-07-27 2021-04-06 New H3C Technologies Co., Ltd. Processing of data stream
CN110324165B (zh) * 2018-03-30 2021-05-11 华为技术有限公司 网络设备的管理方法、装置及系统
CN113132235B (zh) * 2019-12-31 2023-03-31 中兴通讯股份有限公司 基于虚电路的数据报文处理方法、转发表项的构建方法
US11637812B2 (en) * 2020-10-13 2023-04-25 Microsoft Technology Licensing, Llc Dynamic forward proxy chaining
CN115242709B (zh) * 2022-07-18 2024-05-24 云合智网(上海)技术有限公司 L2vpn至l3vpn的接入方法、装置、设备及介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428771A (zh) * 2013-09-05 2013-12-04 迈普通信技术股份有限公司 通信方法、软件定义网络sdn交换机及通信系统
CN104243317A (zh) * 2014-09-26 2014-12-24 杭州华三通信技术有限公司 一种实现ip路由转发的方法和装置
WO2015197136A1 (en) * 2014-06-27 2015-12-30 Nokia Solutions And Networks Oy Ultra high-speed mobile network based on layer-2 switching
CN105681218A (zh) * 2016-04-11 2016-06-15 北京邮电大学 一种Openflow 网络中流量处理的方法及装置

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100527683C (zh) 2006-08-24 2009-08-12 华为技术有限公司 故障保护方法和系统
CN101729135B (zh) 2008-10-29 2013-03-27 上海华为技术有限公司 无线网状网的传输方法、通信设备及通信系统
US8363549B1 (en) * 2009-09-02 2013-01-29 Juniper Networks, Inc. Adaptively maintaining sequence numbers on high availability peers
CN102857423A (zh) 2011-07-01 2013-01-02 中兴通讯股份有限公司 一种分布式链路聚合系统中业务流转发方法及节点
CN102957559B (zh) 2011-08-31 2015-06-24 北京市翌晨通信技术研究所 一种链路故障时更新连接的方法及系统
US8730980B2 (en) * 2011-12-27 2014-05-20 Cisco Technology, Inc. Architecture for scalable virtual network services
CN102821099B (zh) 2012-07-24 2016-06-29 北京星网锐捷网络技术有限公司 报文转发方法、设备及系统
CN104426756B (zh) 2013-08-19 2019-03-15 中兴通讯股份有限公司 一种服务节点能力信息的获取方法及控制平台
JP6076275B2 (ja) 2014-02-18 2017-02-08 日本電信電話株式会社 通信ネットワークの経路制御連携システム及び方法
CN104869065B (zh) * 2014-02-26 2020-04-21 中兴通讯股份有限公司 数据报文处理方法及装置
CN104954274B (zh) * 2014-03-25 2018-03-16 华为技术有限公司 生成转发信息的方法、控制器和业务转发实体
EP3425860B1 (en) 2014-04-21 2021-08-25 Huawei Technologies Co., Ltd. Tunnel type selection methods and apparatuses
US20150317169A1 (en) * 2014-05-04 2015-11-05 Midfin Systems Inc. Constructing and operating high-performance unified compute infrastructure across geo-distributed datacenters
CN105453493B (zh) * 2014-07-23 2019-02-05 华为技术有限公司 业务报文转发方法及装置
JP6265427B2 (ja) 2014-08-20 2018-01-24 日本電信電話株式会社 ネットワーク機能の負荷分散システム及び方法
US20170230252A1 (en) 2014-10-24 2017-08-10 ZTE CORPORATION (CHINA) ZTE Plaza Method and system for deep stats inspection (dsi) based smart analytics for network/service function chaining
JP6507572B2 (ja) 2014-10-31 2019-05-08 富士通株式会社 管理サーバの経路制御方法、および管理サーバ
US9838286B2 (en) * 2014-11-20 2017-12-05 Telefonaktiebolaget L M Ericsson (Publ) Passive performance measurement for inline service chaining
CN104506513B (zh) 2014-12-16 2018-05-22 北京星网锐捷网络技术有限公司 防火墙流表备份方法、防火墙及防火墙系统
KR20170105582A (ko) * 2015-01-20 2017-09-19 후아웨이 테크놀러지 컴퍼니 리미티드 Nfv 및 sdn과 연동하기 위한 sdt를 위한 시스템들 및 방법들
KR102013232B1 (ko) * 2015-10-30 2019-08-23 후아웨이 테크놀러지 컴퍼니 리미티드 게이트웨이 구성 방법 및 게이트웨이 디바이스
US10972384B2 (en) * 2016-07-27 2021-04-06 New H3C Technologies Co., Ltd. Processing of data stream

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428771A (zh) * 2013-09-05 2013-12-04 迈普通信技术股份有限公司 通信方法、软件定义网络sdn交换机及通信系统
WO2015197136A1 (en) * 2014-06-27 2015-12-30 Nokia Solutions And Networks Oy Ultra high-speed mobile network based on layer-2 switching
CN104243317A (zh) * 2014-09-26 2014-12-24 杭州华三通信技术有限公司 一种实现ip路由转发的方法和装置
CN105681218A (zh) * 2016-04-11 2016-06-15 北京邮电大学 一种Openflow 网络中流量处理的方法及装置

Also Published As

Publication number Publication date
EP3493488A1 (en) 2019-06-05
EP3493488B1 (en) 2020-12-30
EP3493488A4 (en) 2019-06-19
JP6850865B2 (ja) 2021-03-31
US20200169502A1 (en) 2020-05-28
JP2019526207A (ja) 2019-09-12
US10972384B2 (en) 2021-04-06

Similar Documents

Publication Publication Date Title
WO2018019270A1 (zh) 数据流的处理
US10116559B2 (en) Operations, administration and management (OAM) in overlay data center environments
US10320838B2 (en) Technologies for preventing man-in-the-middle attacks in software defined networks
US9621508B2 (en) System and method for sharing VXLAN table information with a network controller
WO2017114196A1 (zh) 一种报文处理方法、相关装置及nvo3网络系统
US9210074B2 (en) Low-cost flow matching in software defined networks without TCAMs
US20170168864A1 (en) Directing Data Traffic Between Intra-Server Virtual Machines
WO2017071547A1 (zh) 应用于vxlan的报文转发
EP3223476B1 (en) Method, system, and apparatus for preventing tromboning in inter-subnet traffic within data center architectures
US9838314B1 (en) Contextual service mobility in an enterprise fabric network environment
US20150172156A1 (en) Detecting end hosts in a distributed network environment
WO2015074394A1 (zh) 一种报文转发方法及装置
US10341223B2 (en) Multicast data packet forwarding
US10848457B2 (en) Method and system for cross-zone network traffic between different zones using virtual network identifiers and virtual layer-2 broadcast domains
US10855733B2 (en) Method and system for inspecting unicast network traffic between end points residing within a same zone
US11012412B2 (en) Method and system for network traffic steering towards a service device
WO2016177314A1 (en) Packet forwarding
US10313274B2 (en) Packet forwarding
US20170070473A1 (en) A switching fabric including a virtual switch
US11025539B1 (en) Overlay network hardware service chaining
CN106888166B (zh) 一种报文转发方法和装置
US20230379190A1 (en) Method to Build a Service Function Chain in an Overlay Network
CN107666447B (zh) 数据流的处理方法和装置
US10749789B2 (en) Method and system for inspecting broadcast network traffic between end points residing within a same zone

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17833573

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2019504773

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2017833573

Country of ref document: EP

Effective date: 20190227