WO2021043314A1 - Communication method and gateway, management method and apparatus in a hybrid cloud environment - Google Patents
Communication method and gateway, management method and apparatus in a hybrid cloud environment
- Publication number: WO2021043314A1 (application PCT/CN2020/113850)
- Authority: WO (WIPO (PCT))
- Prior art keywords: gateway, message, mac address, address, layer
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/64—Routing or path finding of packets in data switching networks using an overlay routing layer
- H04L45/66—Layer 2 routing, e.g. in Ethernet based MAN's
- H04L45/74—Address processing for routing
- H04L49/00—Packet switching elements
- H04L49/35—Switches specially adapted for specific applications
- H04L49/354—Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
- H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
- H04L61/2596—Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses
- H04L61/58—Caching of addresses or names
- H04L61/59—Network arrangements, protocols or services for addressing or naming using proxies for addressing
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
- H04L2101/668—Internet protocol [IP] address subnets
Definitions
- This application relates to the field of cloud technology, and in particular to a communication method and gateway, and a management method and apparatus, in a hybrid cloud environment.
- The present application provides a communication method, gateway, management method and apparatus in a hybrid cloud environment, which can effectively solve the technical problem that the on-cloud data center and the off-cloud data center cannot communicate at Layer 2.
- In a first aspect, this application provides a communication method in a hybrid cloud environment. The method is used for communication between a first data center and a second data center.
- The hybrid cloud environment includes a first data center and a second data center. The first data center is used to provide non-public cloud services, and the second data center is used to provide public cloud services.
- The second data center is provided with a Layer 2 gateway. The Layer 2 gateway is remotely connected to the first subnet of the first data center through a Layer 2 communication tunnel, and is connected to the second subnet of the second data center. The first subnet and the second subnet have the same private network segment.
- The method includes the following steps: the Layer 2 gateway receives a first address resolution protocol (ARP) request message sent by a first device in the first subnet, where the first ARP request message is used to request the MAC address of a second device in the second subnet; and the Layer 2 gateway sends a first ARP response message to the first device, where the first ARP response message carries the first MAC address of the Layer 2 gateway.
- The first ARP request message is a broadcast message from the first data center. The Layer 2 gateway of the second data center intercepts the first ARP request message, which prevents the first ARP request message from being broadcast in the second data center and so ensures the security of the second data center. It also avoids a large number of broadcast messages from the first data center appearing in the second data center, and thereby prevents broadcast messages generated by the second data center from placing a network burden on the first data center.
- The Layer 2 gateway performs a benign MAC address spoofing on the first device by returning a first ARP response message carrying the first MAC address of the Layer 2 gateway, so that the first device believes the MAC address of the second device is the first MAC address of the Layer 2 gateway. From the perspective of the first device, the MAC address of the second device is the first MAC address of the Layer 2 gateway. Since the broadcast first ARP request message is answered, the first device concludes that the first device and the second device are located in the same local area network. The first device can then access the second device by addressing the first MAC address of the Layer 2 gateway, so that Layer 2 interoperability between the first device and the second device is realized.
- The first ARP request message and the first ARP response message are transmitted in the Layer 2 communication tunnel; the source MAC address, destination MAC address, source IP address and destination IP address of the first ARP request message and the first ARP response message remain unchanged.
- In one possible implementation, the Layer 2 gateway obtains and records a first correspondence between the private network address and the MAC address of the second device in the second subnet. After the first device obtains the first MAC address of the Layer 2 gateway and accesses the second device through the Layer 2 gateway, the Layer 2 gateway modifies, according to the first correspondence, the destination MAC address of the message sent by the first device from the first MAC address of the Layer 2 gateway to the MAC address of the second device, so that the message can reach the second device. Therefore, by learning and recording the first correspondence, the Layer 2 gateway can connect the first subnet and the second subnet.
- The Layer 2 gateway may receive the first correspondence between the private network address and the MAC address of the second device in the second subnet from the control platform of the second data center, and record the first correspondence in a local ARP table entry. The control platform has management authority over the equipment in the second data center; after the second device is created in the second data center, the control platform records the first correspondence between the private network address and the MAC address of the second device.
- The above method further includes the following steps: the Layer 2 gateway receives, through the Layer 2 communication tunnel, a first packet sent by the first device, where the destination IP address of the first packet includes the private network address of the second device, the destination MAC address includes the first MAC address of the Layer 2 gateway, the source IP address includes the private network address of the first device, and the source MAC address includes the MAC address of the first device. The Layer 2 gateway obtains the MAC address of the second device from the recorded first correspondence according to the private network address of the second device carried in the first packet, modifies the destination MAC address of the first packet to the MAC address of the second device, modifies the source MAC address of the first packet to the second MAC address of the Layer 2 gateway, and sends the modified first packet to the second device.
- After the first device receives the first ARP response message, it takes the MAC address of the second device to be the first MAC address of the Layer 2 gateway carried in the first ARP response message, and constructs the first packet accordingly. The Layer 2 gateway modifies the MAC addresses of the first packet so that the modified destination MAC address is the MAC address of the second device, and sends the modified first packet to the second device, thereby realizing cross-data-center transmission of the first packet from the first device to the second device.
- In this way the Layer 2 gateway can connect the first device and the second device, so that each of the first device and the second device believes the other is in the same local area network as itself.
- The source IP address of the first ARP request packet includes the private network address of the first device, and the source MAC address includes the MAC address of the first device. The above method further includes the following steps: the Layer 2 gateway learns and records a second correspondence between the private network address of the first device and the MAC address of the first device. The Layer 2 gateway modifies the destination MAC address of messages sent by the second device according to the second correspondence, so that those messages can reach the first device.
- The Layer 2 gateway receives a second packet sent by the second device, where the destination IP address of the second packet includes the private network address of the first device, the destination MAC address includes the second MAC address of the Layer 2 gateway, the source IP address includes the private network address of the second device, and the source MAC address includes the MAC address of the second device. The Layer 2 gateway obtains the MAC address of the first device from the second correspondence according to the private network address of the first device carried in the second packet, modifies the destination MAC address of the second packet to the MAC address of the first device, modifies the source MAC address of the second packet to the first MAC address of the Layer 2 gateway, and sends the modified second packet to the first device through the Layer 2 communication tunnel.
- After the Layer 2 gateway receives the second packet that the second device sent to the Layer 2 gateway, it modifies the MAC addresses of the second packet so that the modified destination MAC address is the MAC address of the first device, and sends the modified second packet to the first device, thereby realizing cross-data-center transmission of the second packet from the second device to the first device.
- Before the Layer 2 gateway receives the second packet sent by the second device, the second device confirms the MAC address corresponding to the private network address of the first device in the following manner: the Layer 2 gateway receives a second ARP request message sent by the second device, where the second ARP request message is used to request the MAC address of the first device in the first subnet, and the Layer 2 gateway sends a second ARP response message to the second device, where the second ARP response message carries the second MAC address of the Layer 2 gateway. The Layer 2 gateway responds to the second ARP request message so that the second device believes the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway.
- In another implementation, the second data center further includes a device manager connected to the second device. Before the Layer 2 gateway receives the second packet sent by the second device, the second device confirms the MAC address corresponding to the private network address of the first device in the following manner: the device manager receives the second ARP request message sent by the second device, where the second ARP request message is used to request the MAC address of the first device in the first subnet, and the device manager sends a second ARP response message to the second device, where the second ARP response message carries the second MAC address of the Layer 2 gateway. The device manager responds to the second ARP request message so that the second device believes the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway.
- Because the device manager connected to the second device intercepts the second ARP request message sent by the second device, the number of times the second ARP request message is broadcast in the second data center is minimized. The device manager and the second device may be set in the same computing node.
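As an added illustration (not code from the patent or its applicant), the following Python model simulates the two-way ARP proxying and MAC rewriting described above: the first correspondence is loaded as if pushed by the control platform, the second correspondence is learned from the first ARP request, and no request from the tunnel is ever re-broadcast into the second subnet. All MAC and IP values are constructed samples; the rule that the gateway answers a second-subnet ARP request only for addresses that are not second-subnet devices, and drops packets for destinations it has no mapping for, is an assumption of this model rather than something the page states.

```python
"""Model of the hybrid cloud Layer 2 gateway: ARP proxying plus MAC rewriting.

All MAC and IP values below are constructed samples (not from the patent).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    kind: str        # "arp_request", "arp_reply" or "ip"
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str = ""


class Layer2Gateway:
    """Gateway located in the second (public cloud) data center.

    mac1 faces the Layer 2 tunnel to the first subnet; mac2 faces the second
    subnet.  cloud_arp is the first correspondence (private IP -> MAC of the
    second-subnet devices), modelled here as pushed by the control platform.
    learned is the second correspondence, filled from ARP requests that arrive
    over the tunnel.
    """

    def __init__(self, mac1: str, mac2: str, cloud_arp: Dict[str, str]):
        self.mac1, self.mac2 = mac1, mac2
        self.cloud_arp = dict(cloud_arp)
        self.learned: Dict[str, str] = {}

    def from_tunnel(self, f: Frame) -> Tuple[str, Optional[Frame]]:
        """Handle a frame from the first data center. Returns (where, frame):
        where is "tunnel", "local" or "drop"."""
        if f.kind == "arp_request":
            # Learn the first device, and never re-broadcast the request
            # into the second subnet: answer it here or drop it.
            self.learned[f.src_ip] = f.src_mac
            if f.dst_ip not in self.cloud_arp:
                return "drop", None
            reply = Frame("arp_reply", self.mac1, f.src_mac, f.dst_ip, f.src_ip)
            return "tunnel", reply
        if f.kind == "ip" and f.dst_mac == self.mac1:
            real_mac = self.cloud_arp.get(f.dst_ip)
            if real_mac is None:
                return "drop", None
            # Destination MAC: gateway's mac1 -> second device; source: mac2.
            return "local", replace(f, src_mac=self.mac2, dst_mac=real_mac)
        return "drop", None   # broadcasts and frames not aimed at the gateway

    def from_local(self, f: Frame) -> Tuple[str, Optional[Frame]]:
        """Handle a frame from the second subnet (same return convention)."""
        if f.kind == "arp_request":
            # Assumption: only stand in for addresses that are not devices of
            # the second subnet, which answer for themselves.
            if f.dst_ip in self.cloud_arp:
                return "drop", None
            reply = Frame("arp_reply", self.mac2, f.src_mac, f.dst_ip, f.src_ip)
            return "local", reply
        if f.kind == "ip" and f.dst_mac == self.mac2:
            real_mac = self.learned.get(f.dst_ip)
            if real_mac is None:
                return "drop", None   # first device never seen: no tunnel path
            return "tunnel", replace(f, src_mac=self.mac1, dst_mac=real_mac)
        return "drop", None


def demo() -> Dict[str, str]:
    """Physical machine 10.0.0.11 (off-cloud) talks to VM 10.0.0.22 (on-cloud)."""
    pm_mac, vm_mac = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    gw = Layer2Gateway("02:00:00:00:0a:01", "02:00:00:00:0a:02",
                       cloud_arp={"10.0.0.22": vm_mac})
    out: Dict[str, str] = {}
    # 1. The physical machine's broadcast ARP request arrives over the tunnel.
    where, reply = gw.from_tunnel(
        Frame("arp_request", pm_mac, BROADCAST, "10.0.0.11", "10.0.0.22"))
    out["arp_reply_where"], out["mac_seen_by_pm"] = where, reply.src_mac
    # 2. The physical machine addresses the VM using the MAC it was told.
    where, pkt = gw.from_tunnel(
        Frame("ip", pm_mac, reply.src_mac, "10.0.0.11", "10.0.0.22", "ping"))
    out["to_vm_where"], out["to_vm_dst"], out["to_vm_src"] = where, pkt.dst_mac, pkt.src_mac
    # 3. The VM replies to the source MAC it saw (the gateway's mac2).
    where, back = gw.from_local(
        Frame("ip", vm_mac, pkt.src_mac, "10.0.0.22", "10.0.0.11", "pong"))
    out["to_pm_where"], out["to_pm_dst"], out["to_pm_src"] = where, back.dst_mac, back.src_mac
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

Neither end ever sees the other's real MAC address: the physical machine only ever addresses mac1 and the VM only ever addresses mac2, which is exactly the benign spoofing the description relies on.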
- In a second aspect, this application provides a method for managing a hybrid cloud environment. The hybrid cloud environment includes a first data center and a second data center; the first data center is used to provide non-public cloud services, and the second data center is used to provide public cloud services. The first subnet of the first data center and the second subnet of the second data center are configured with the same private network segment.
- The method includes the following steps: creating a Layer 2 gateway, where the Layer 2 gateway is located in the second data center, is remotely connected to the first subnet of the first data center through a Layer 2 communication tunnel, and is connected to the second subnet of the second data center; and configuring an interception module on the Layer 2 gateway. The interception module is used to intercept a first address resolution protocol (ARP) request message from a first device in the first subnet to a second device in the second subnet, and to return a first ARP response message to the first device, where the first ARP response message carries the first MAC address of the Layer 2 gateway.
- The first ARP request message is thereby prevented from being broadcast on the second subnet of the second data center, which ensures the security of the second data center. It also avoids a large number of broadcast messages from the first data center appearing in the second data center, and thereby prevents broadcast messages generated by the second data center from placing a network burden on the first data center.
- The above method further includes the following steps: configuring a learning module on the Layer 2 gateway, where the learning module is used to learn and record the correspondence between the IP address and the MAC address of the first device carried in the first ARP request message. After the first device obtains the first MAC address of the Layer 2 gateway and accesses the second device through the Layer 2 gateway, the Layer 2 gateway modifies, according to the learned first correspondence, the destination MAC address of the message sent by the first device from the first MAC address of the Layer 2 gateway to the MAC address of the second device, so that the message can reach the second device.
- The above method further includes the following steps: configuring a response module on the Layer 2 gateway, where the response module is used to receive a second ARP request message from the second device in the second subnet for the first device, and to return a second ARP response message to the second device, where the second ARP response message carries the second MAC address of the Layer 2 gateway.
- By configuring the Layer 2 gateway to answer the second ARP request message sent by the second device, the second device believes that the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway. This performs a benign deception on the second device, so that the second device believes the first device and the second device are located in the same local area network.
- The above method further includes the following steps: configuring a device manager to receive a second ARP request message from the second device for the first device and to return a second ARP response message to the second device, where the second ARP response message carries the second MAC address of the Layer 2 gateway, and where the device manager is connected to the second device. The device manager responds to the second ARP request message so that the second device believes the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway. Because the device manager connected to the second device intercepts the second ARP request message, the number of times it is broadcast in the second data center is minimized.
- In another aspect, the present application provides a Layer 2 gateway in a hybrid cloud environment, including functional modules capable of executing the communication method in a hybrid cloud environment provided in the first aspect and any possible implementation of the first aspect, with the Layer 2 gateway as the execution subject.
- In another aspect, the present application provides a management apparatus for a hybrid cloud environment, including functional modules capable of executing the management method in a hybrid cloud environment provided in the second aspect and any possible implementation of the second aspect.
- In another aspect, the present application provides a Layer 2 gateway in a hybrid cloud environment, including a first network interface, a second network interface, a memory and a processor. The memory stores program instructions, and the processor runs the program instructions to execute the communication method in a hybrid cloud environment provided in the first aspect and its possible implementations, with the Layer 2 gateway as the execution subject.
- In another aspect, the present application provides a management apparatus for a hybrid cloud environment, including a network interface, a memory and a processor. The memory stores program instructions, and the processor runs the program instructions to execute the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
- In another aspect, the present application provides a computer program product including program code; when the instructions included in the program code are executed by a computer, the computer executes the communication method in a hybrid cloud environment provided in the first aspect and its possible implementations, with the Layer 2 gateway as the execution subject.
- In another aspect, the present application provides a computer-readable storage medium including program instructions which, when run on a computer, cause the computer to execute the communication method in a hybrid cloud environment provided in the first aspect and its possible implementations, with the Layer 2 gateway as the execution subject.
- In another aspect, the present application provides a computer program product including program code; when the instructions included in the program code are executed by a computer, the computer executes the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
- In another aspect, the present application provides a computer-readable storage medium including program instructions which, when run on a computer, cause the computer to execute the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
- In another aspect, this application provides a communication configuration method in a hybrid cloud environment, characterized in that the hybrid cloud environment includes a first data center and a second data center, the first data center is used to provide non-public cloud services, the second data center is used to provide public cloud services, and the first subnet of the first data center and the second subnet of the second data center are configured with the same private network segment. The method includes: providing a configuration page, where the configuration page prompts the user to create a gateway in the second data center and to enter the information of the first subnet that the gateway needs to connect to, together with the local tunnel information and peer tunnel information of the communication tunnel that the gateway needs to connect to; creating the gateway according to the information on the configuration page; and, after the gateway is successfully created, providing a prompt page that prompts the address of the virtual tunnel endpoint (VTEP) device connected to the gateway.
- The local tunnel information includes the information of the remote connection gateway of the second data center, and the peer tunnel information includes the tunnel identifier of the second subnet of the first data center.
- FIG. 1 is a data format diagram of a Virtual Extensible Local Area Network (VXLAN) message.
- FIG. 2 is a schematic diagram of the system structure of a hybrid cloud communication system.
- FIG. 3 is a flowchart of a configuration method in a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of the system structure of a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 5 is a data interaction diagram of a communication method in a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 6 is another data interaction diagram of a communication method in a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram of another system structure of a hybrid cloud environment according to an embodiment of the present invention.
- FIGS. 8a-8c are schematic diagrams of interactive interfaces provided by a control platform according to an embodiment of the present invention.
- FIG. 9 is a packet flow diagram of a Layer 2 gateway responding to a physical machine according to an embodiment of the present invention.
- FIG. 10 is a packet flow diagram of a physical machine actively sending a packet to a virtual machine according to an embodiment of the present invention.
- FIG. 11 is a packet flow diagram of a virtual machine responding to a physical machine according to an embodiment of the present invention.
- FIG. 12 is a packet flow diagram of a device manager responding to a virtual machine according to an embodiment of the present invention.
- FIG. 13 is a schematic diagram of the device structure of a Layer 2 gateway in a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 14 is a schematic diagram of the device structure of a management apparatus in a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 15 is a schematic diagram of another device structure of a Layer 2 gateway according to an embodiment of the present invention.
- FIG. 16 is a schematic diagram of another device structure of a management apparatus in a hybrid cloud environment according to an embodiment of the present invention.
- Public cloud services Infrastructure as a Service (IaaS), which refers to the provision of infrastructure provided by public cloud service providers through the Internet as a service.
- IaaS Infrastructure as a Service
- users do not need to build a data center by themselves, but use infrastructure such as servers, storage, and networks by renting them.
- Public cloud services are realized by providing virtual environments (such as virtual machines).
- the core attribute of public clouds is that multiple users share cloud infrastructure and isolate users.
- Non-public cloud services infrastructure dedicated to individual users, such as private cloud services and local deployment services.
- Private Clouds (Private Clouds) business A single user owns infrastructure such as servers, storage, and networks, and can fully control this infrastructure. Private cloud business is realized by providing virtual environments (such as virtual machines). The core attribute of private cloud business is single User exclusive infrastructure.
- On-premises services A single user builds infrastructure such as servers, storage, and networks locally, and the user exclusively enjoys the self-built infrastructure, and local deployment services are implemented through physical machines.
- Cloud data center A data center that provides public cloud services.
- Cloud data center a data center that provides non-public cloud services.
- the cloud data center provides local deployment services
- the cloud data center includes multiple physical machines
- the cloud data center provides private cloud services Under the cloud
- the data center includes multiple virtual machines.
- Public network address: an IP address that can be addressed on the Internet. Public network addresses are managed by the Internet Network Information Center (Internet NIC).
- Private network address An IP address that cannot be addressed on the Internet, but can only be addressed in a local area network. Private network addresses are prohibited from appearing on the Internet.
- a private network address is a reserved IP address.
- The classification, network segment, and quantity of private network addresses are shown in the following table:

| Private network address classification | Network segment | Number of available private network addresses |
|---|---|---|
| Class A private network address | 192.168.0.0/16 | 65,532 |
| Class B private network address | 172.16.0.0/12 | 1,048,572 |
| Class C private network address | 10.0.0.0/8 | 16,777,212 |
- VPC Virtual Private Cloud
- a VPC is set up in a public cloud.
- the VPC is the local area network of the data center on the cloud for users of public cloud services.
- VPC isolates virtual networks.
- Each VPC has an independent tunnel number, and one tunnel number corresponds to a virtualized network.
- the packets between virtual machines in a VPC correspond to the same tunnel identifier, and then they are sent to the physical network for transmission.
- the virtual machines in different VPCs are in two different routing planes because of the different tunnel identifiers. Therefore, the virtual machines in different VPCs cannot communicate, and logical isolation is naturally realized.
- the tunnel identification may be, for example, a virtual local area network identification (Virtual Local Area Network Identification, VLAN ID) or a virtual network identification (Virtual Network ID, VNI).
- VLAN ID Virtual Local Area Network Identification
- VNI Virtual Network ID
- MAC Media Access Control Address
- OSI Open System Interconnection
- In the OSI model, the third layer (the network layer) is responsible for IP addresses, and the second layer (the data link layer) is responsible for MAC addresses.
- the MAC address is used to uniquely identify a network card in the network. If a device has one or more network cards, each network card needs and has a unique MAC address.
- A data frame is the protocol data unit of the second layer (the data link layer) of the OSI seven-layer model.
- the data frame includes an Ethernet header and a data part.
- The Ethernet header contains the necessary control information, such as address information (source MAC address and destination MAC address), and the data part contains data passed down from the network layer, such as an IP packet. In the following, a data frame whose data part carries an IP message is referred to as a Layer 2 message.
- the four-tuple of the layer 2 message includes the source IP address, destination IP address, source MAC address and destination MAC address.
- The source MAC address and destination MAC address are set in the Ethernet header of the data frame; the source IP address and the destination IP address are set in the IP header of the IP message.
- Address Resolution Protocol (ARP): the Ethernet protocol stipulates that a host in a LAN that communicates directly with another host must know the MAC address of the target host, whereas in the TCP/IP protocol suite the network layer and the transport layer only care about the IP address of the target host. Consequently, when IP is used over Ethernet, the data handed down to the data link layer by the upper IP protocol contains only the IP address of the destination host, and a method is needed to obtain the MAC address of the destination host from its IP address. This is what ARP does: address resolution is the process by which a host converts the target IP address into the target MAC address.
- the host broadcasts the ARP request message containing the target IP address to all hosts on the LAN, and receives the ARP response message returned by the target host corresponding to the target IP address on the LAN.
- the ARP response message carries the MAC address of the target host.
- The host uses this to determine the MAC address of the target host. After receiving the ARP response message, the host stores the IP address and MAC address in its local ARP table entry and keeps the entry for a certain period of time; the next time communication is required, the ARP table entry is queried directly, saving resources. ARP is an important communication protocol in the local area network.
- VXLAN is an overlay network technology.
- Figure 1 is a schematic diagram of the data format of VXLAN packets.
- VXLAN packets encapsulate inner packets in User Datagram Protocol (UDP) packets.
- UDP User Datagram Protocol
- As shown in Figure 1, the data part of the UDP message carries the VXLAN header, the inner Ethernet header (Inner Ethernet Header), the inner IP header (Inner IP Header), and the data part (Payload) of the IP message. The inner message of the VXLAN message consists of the inner Ethernet header, the inner IP header, and the data part of the IP message.
- the internal Ethernet header records the source MAC address and destination MAC address of the inner message.
- the internal IP header records the source IP address and destination IP address of the inner packet.
- the VXLAN packet also includes a tunnel encapsulation header.
- the tunnel encapsulation header includes the Outer Ethernet Header, Outer IP Header, Outer UDP Header, and VXLAN header.
- The VXLAN header includes the VXLAN Flags field (8 bits), a Reserved field (24 bits), the VNI (14 bits), and a Reserved field (24 bits).
- the external Ethernet header records the source and destination MAC addresses of the VXLAN tunnel end point (VXLAN Tunnel End Point, VTEP), and the external IP header records the source and destination IP addresses of the VXLAN tunnel terminal.
- VTEP VXLAN Tunnel End Point
- the VXLAN tunnel terminal is called a VTEP device in the following.
- The VTEP device is the endpoint of the VXLAN tunnel and is used to encapsulate the inner layer message, that is, to add the outer Ethernet header, the outer IP header, the outer UDP header, and the VXLAN header to the inner layer message.
- The VTEP device can also decapsulate VXLAN packets, that is, strip the outer Ethernet header, outer IP header, outer UDP header, and VXLAN header from the VXLAN message.
- the VTEP device obtains the VNI from the VXLAN header, and the VNI is used to identify which VPC the inner layer packet belongs to.
- The VTEP device treats the Layer 2 packet as the inner layer of the VXLAN packet, and records in the outer Ethernet header of the tunnel encapsulation header that the source MAC address is the MAC address of the VTEP device itself and the destination MAC address is the MAC address of the next-hop device.
- the external IP header of the tunnel encapsulation header of the VXLAN packet records that the source IP address is the IP address of the VTEP device itself, and the destination IP address is the IP address of the opposite VTEP device.
- the VNI is recorded in the VNI field of the VXLAN header of the message.
- The next-hop device is the network device connected to the VTEP device on the route from the VTEP device to the VTEP device at the opposite end of the tunnel, determined according to the destination IP address recorded in the outer IP header of the VXLAN packet.
- the IP address of the VTEP device is called VTEP IP in the embodiment of the present invention
- the MAC address of the VTEP device is called VTEP MAC in the embodiment of the present invention.
- Layer 2 communication tunnel: a communication tunnel constructed with overlay network technology. Layer 2 messages are transmitted through the Layer 2 communication tunnel as the inner layer of VXLAN messages, and the source MAC address and destination MAC address of the Layer 2 message are kept unchanged during transmission.
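As an added illustration of the Layer 2 communication tunnel just defined (example code written for this page, not code from the patent or its applicant), the following Python encapsulates a constructed Layer 2 message as the inner layer of a VXLAN packet and decapsulates it again. It follows the RFC 7348 layout (UDP destination port 4789, an 8-byte VXLAN header with the I flag and a 24-bit VNI) and checks the outer IPv4 header checksum on the way back. The VTEP and next-hop MAC addresses, the VTEP IP addresses, and the VNI value are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

VXLAN_PORT = 4789      # IANA-assigned UDP port for VXLAN (RFC 7348)
ETH_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_frame(src_mac: str, dst_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet header (destination MAC, source MAC, EtherType) followed by the data part."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encap(inner_frame: bytes, vni: int, vtep_mac: str, nexthop_mac: str,
                vtep_ip: str, peer_vtep_ip: str) -> bytes:
    """VTEP encapsulation: outer Ethernet + outer IPv4 + outer UDP + VXLAN header around the inner frame."""
    # VXLAN header: 8 flag bits (I bit set), 24 reserved bits, 24-bit VNI, 8 reserved bits
    vxlan_hdr = struct.pack("!B3sI", 0x08, b"\x00\x00\x00", (vni & 0xFFFFFF) << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    # outer UDP: checksum 0 means "not computed", which RFC 7348 permits over IPv4
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                         IPv4Address(vtep_ip).packed, IPv4Address(peer_vtep_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # outer Ethernet: source is the VTEP's own MAC, destination is the next-hop device's MAC
    return ethernet_frame(vtep_mac, nexthop_mac, ETH_IPV4, ip_hdr + udp_hdr + vxlan_hdr + inner_frame)


def vxlan_decap(packet: bytes):
    """Strip the tunnel encapsulation header and return (vni, inner_frame); ValueError if not a VXLAN packet."""
    if struct.unpack("!H", packet[12:14])[0] != ETH_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if ipv4_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    if struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_PORT:
        raise ValueError("outer UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    flags, _, word = struct.unpack("!B3sI", packet[vx_off:vx_off + 8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    return word >> 8, packet[vx_off + 8:]


def tunnel_round_trip(vni: int = 5000):
    """Send a constructed Layer 2 message through the tunnel; report VNI, inner MACs, integrity, and overhead."""
    inner = ethernet_frame("02:00:00:00:00:04", "02:00:00:00:00:02", ETH_IPV4, b"inner IP packet (constructed)")
    outer = vxlan_encap(inner, vni, "02:aa:aa:aa:aa:01", "02:bb:bb:bb:bb:01", "198.51.100.1", "203.0.113.1")
    got_vni, got_inner = vxlan_decap(outer)
    # the inner destination and source MAC must come out exactly as they went in
    return got_vni, mac_str(got_inner[:6]), mac_str(got_inner[6:12]), got_inner == inner, len(outer) - len(inner)
```

The 50 bytes of overhead reported by `tunnel_round_trip` are the outer Ethernet (14), outer IPv4 (20), outer UDP (8), and VXLAN (8) headers; everything inside them, including the inner source and destination MAC addresses, is carried opaquely, which is the property the Layer 2 communication tunnel relies on.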
- Figure 2 is a schematic diagram of the system structure of a hybrid cloud communication system.
- The hybrid cloud communication system includes an under-cloud data center 10 and an on-cloud data center 20. The under-cloud data center 10 and the on-cloud data center 20 are each connected to the Internet (not shown in the figure) and are located in different geographic locations.
- the cloud data center 20 is used to provide public cloud services.
- The on-cloud data center 20 is maintained by a public cloud service provider, and users purchase and use the public cloud services it provides.
- the control platform 201 of the cloud data center 20 provides a user interaction interface, such as a configuration page or an application programming interface (API).
- The user inputs configuration information in the user interaction interface of the control platform 201, and the control platform 201, according to the configuration information, creates a user-specific VPC1 in the on-cloud data center 20, sets subnet 1 (192.168.0.0/24) in VPC1, and creates a virtual machine VM1 in subnet 1, where VM1 runs in the computing node 203 of the on-cloud data center 20.
- the private network address of VM1 is 192.168.0.2, which belongs to the private network address segment of subnet 1.
- control platform 201 is connected to the device manager 2031 of the computing node 203, and the control platform 201 can control the device manager 2031 to create VM1 in the computing node 203 according to the configuration information, and set the private network address of VM1 to 192.168.0.2.
- The control platform 201 is used to manage all the devices of the cloud data center 10; for example, it can allocate and record the private network addresses and MAC addresses of all virtual machines of the VPC, record the VTEP IP and VTEP MAC of the VTEP device, and perform full life cycle management of the virtual machines in the VPC (such as creating, deleting, restarting, modifying specifications, modifying network configuration, modifying storage configuration, etc.).
- the control platform 201 is, for example, a software defined network (Software Defined Network, SDN) controller.
- The device manager 2031 is, for example, a virtual machine monitor (VMM) or a hypervisor.
- VMM virtual machine monitor
- The under-cloud data center 10 provides local deployment services.
- The under-cloud data center 10 includes a physical machine PM1 set in subnet 2 (192.168.0.0/24).
- the private network address of PM1 is 192.168.0.4.
- subnet 1 and subnet 2 have the same private network address segment, and the private network address 192.168.0.4 of PM1 is different from the private network address 192.168.0.2 of VM1.
- the data center 10 under the cloud may be a server cluster that a user purchases a computer room or rents a computer room and sets up in the computer room, or a home communication system implemented by a user in a home environment through a router and a personal computer.
- the user has management rights to all devices in the data center 10 under the cloud, and the user only has management rights to the VPC1 in the data center 20 on the cloud.
- the user's management authority to VPC1 is obtained by paying a public cloud service provider.
- The user's subnet 1 and subnet 2 belong to the same private network address segment 192.168.0.0/24, but the private network addresses of PM1 and VM1 are different.
- The user wants subnet 1 on the cloud and subnet 2 under the cloud to communicate with each other, so that PM1 and VM1 are set in the same subnet.
- a Layer 2 communication tunnel 30 can be set up between the subnet 1 and the subnet 2.
- the data center 10 under the cloud and the data center 20 on the cloud are remotely connected through a Layer 2 communication tunnel 30.
- the Layer 2 communication tunnel 30 can be implemented by a remote connection gateway and a Layer 2 tunnel gateway.
- The remote connection gateway is, for example, a virtual private network (Virtual Private Network, VPN).
- The Layer 2 tunnel gateway can be implemented through large Layer 2 technology, Virtual eXtensible Local Area Network (VXLAN), Generic Routing Encapsulation (GRE), etc., so that the source MAC address and the destination MAC address of a Layer 2 message can be kept unchanged during transmission through the Layer 2 communication tunnel 30.
- the specific principle will be described in detail in the following embodiments.
- PM1 needs to communicate with VM1 for the first time.
- PM1 records VM1’s private network address 192.168.0.2, but PM1 does not record VM1’s MAC address, so PM1 needs to broadcast an ARP request message in subnet 2.
- the source MAC address of the ARP request packet is the MAC address of PM1
- the source IP address is the private network address of PM1
- the destination MAC address is FFFF FFFF FFFF (this is the broadcast address)
- the destination IP address is the private network address of VM1.
- The ARP request message is used to request the MAC address corresponding to VM1's private network address 192.168.0.2.
- The ARP request message is broadcast on subnet 2, sent to subnet 1 through the Layer 2 communication tunnel 30, and broadcast in subnet 1.
- However, the control platform 201 prohibits ARP request messages from the under-cloud data center 10 from being broadcast in subnet 1.
- As a result, VM1 cannot receive the ARP request message, PM1 cannot obtain the ARP response message that VM1 would send, and therefore PM1 cannot obtain the MAC address of VM1.
- In other words, PM1 and VM1 remain isolated at Layer 2.
- an embodiment of the present invention provides a method for managing a hybrid cloud environment. See FIG. 3, which is a flowchart of a method for managing a hybrid cloud environment according to an embodiment of the present invention. The method includes the following steps:
- Step S101 Create a Layer 2 gateway 200.
- the control platform 201 creates a layer 2 gateway 200 in the subnet 1 according to the configuration information.
- the layer 2 gateway 200 includes the network card 1 and the network card 2.
- Network card 1 is set with MAC address 1 of the Layer 2 gateway 200, and network card 2 is set with MAC address 2 of the Layer 2 gateway 200.
- Step S102 Configure the Layer 2 gateway 200.
- control platform 201 configures the network card 1 to access the Layer 2 communication tunnel 30 to connect to the subnet 2 and configures the network card 2 to connect to the subnet 1.
- The control platform 201 configures the Layer 2 gateway 200 to intercept ARP request messages from PM1 of subnet 2 for VM1 of subnet 1, and configures the Layer 2 gateway 200 to return an ARP response message to PM1, where the ARP response message carries MAC address 1 of network card 1, through which the Layer 2 gateway 200 connects to subnet 2.
- The control platform 201 may also configure the Layer 2 gateway 200 to perform MAC address conversion on Layer 2 messages received from network card 1. Specifically, when the Layer 2 gateway 200 determines that the destination IP address of a Layer 2 message is the IP address of VM1, it obtains the MAC address of VM1 according to that IP address, modifies the destination MAC address of the Layer 2 message from MAC address 1 to the MAC address of VM1, modifies the source MAC address from the MAC address of PM1 to MAC address 2, and sends the converted message to subnet 1 through network card 2.
- The control platform 201 may also configure the Layer 2 gateway 200 to perform MAC address conversion on Layer 2 messages received from network card 2. Specifically, when the Layer 2 gateway 200 determines that the destination IP address of a Layer 2 message is the IP address of PM1, it obtains the MAC address of PM1 according to that IP address, modifies the destination MAC address of the Layer 2 message from MAC address 2 to the MAC address of PM1, modifies the source MAC address from the MAC address of VM1 to MAC address 1, and sends the converted message to subnet 2 through network card 1.
- Step S103 Configure the device manager 2031.
- The control platform 201 configures the device manager 2031 to intercept ARP request messages from VM1 for PM1 of subnet 2, and configures the device manager 2031 to return an ARP response message to VM1, where the ARP response message carries MAC address 2 of network card 2, through which the Layer 2 gateway 200 connects to subnet 1.
- Alternatively, in step S102 the control platform 201 may configure the Layer 2 gateway 200 to intercept ARP request messages from VM1 for PM1 of subnet 2 and to return an ARP response message to VM1, where the ARP response message carries MAC address 2 of network card 2, through which the Layer 2 gateway 200 connects to subnet 1.
- Since in that case the Layer 2 gateway 200 intercepts the ARP request messages sent by VM1, there is no need to configure the device manager 2031 to intercept them, and step S103 can be omitted in this embodiment.
- Because the device manager 2031 and VM1 are set in the same computing node 203, configuring the device manager 2031 to intercept the ARP request messages sent by VM1 confines those messages to the computing node 203, which relieves the network load of the on-cloud data center 20.
- FIG. 4 is a schematic diagram of the system structure of the hybrid cloud environment according to an embodiment of the present invention. As shown in the figure, this embodiment has further settings compared with the previous embodiment.
- This embodiment further provides the Layer 2 gateway 200, whose network card 1 is connected to the Layer 2 communication tunnel 30 (and thereby accesses subnet 2) and whose network card 2 is connected to subnet 1.
- FIG. 5 is a data interaction diagram of a communication method in a hybrid cloud environment according to an embodiment of the present invention.
- PM1 actively communicates with VM1. Because in the TCP/IP protocol the network layer and the transport layer only care about the IP address of the target host, when PM1 communicates with VM1 for the first time, PM1 records VM1's private network address 192.168.0.2, but PM1's local ARP entry does not record the MAC address corresponding to that address.
- the MAC address of PM1 is recorded as PM1 MAC
- the MAC address of VM1 is VM1 MAC
- the MAC address 1 of the layer 2 gateway 200 is recorded as L2 MAC1
- the MAC address 2 of the layer 2 gateway 200 is recorded as L2 MAC2.
- the hybrid cloud communication method of the embodiment of the present invention includes the following steps:
- Step S201 PM1 broadcasts the ARP request message 1 on the subnet 2, and the ARP request message 1 is sent to the layer 2 gateway 200 through the layer 2 communication tunnel.
- PM1 actively communicates with VM1.
- PM1 records the private network address of VM1 192.168.0.2, but does not record the MAC address corresponding to the private network address of VM1.
- PM1 needs to obtain the MAC address corresponding to VM1's private network address. Therefore, PM1 broadcasts ARP request message 1 on subnet 2.
- The source IP address of ARP request message 1 is PM1's private network address 192.168.0.4, the source MAC address is PM1 MAC, the destination IP address is VM1's private network address 192.168.0.2, and the destination MAC address is FFFF FFFF FFFF; ARP request message 1 is used to request the MAC address of VM1.
- ARP request message 1 is sent through the Layer 2 communication tunnel 30 and reaches network card 1 of the Layer 2 gateway 200.
- During this transmission the source MAC address, destination MAC address, source IP address, and destination IP address of ARP request message 1 remain unchanged; the specific principle is explained in detail below.
- Step S202 The Layer 2 gateway 200 constructs an ARP response message 1 according to the ARP request message 1, and sends the ARP response message 1 to PM1.
- The Layer 2 gateway 200 obtains ARP request message 1 from network card 1, confirms from its destination MAC address (FFFF FFFF FFFF) that ARP request message 1 is a broadcast message, intercepts ARP request message 1, and constructs ARP response message 1.
- the source IP address of the ARP response message 1 is VM1's private network address 192.168.0.2, the source MAC address is L2 MAC1, the destination IP address is PM1's private network address 192.168.0.4, and the destination MAC address is PM1 MAC.
- the layer 2 gateway 200 sends an ARP response message 1 to the layer 2 communication tunnel 30 through the network card 1, and the ARP response message 1 is transmitted to the PM1 of the subnet 2 through the layer 2 communication tunnel 30.
- the Layer 2 gateway 200 learns and records the correspondence between the source MAC address (PM1 MAC) of the ARP request message 1 and the source IP address (192.168.0.4).
- the layer 2 gateway 200 may record the correspondence between PM1 MAC and 192.168.0.4 in the local ARP entry of the layer 2 gateway 200.
- Step S203 PM1 constructs a layer 2 message 1 according to the ARP response message 1 and sends the layer 2 message 1 to the layer 2 gateway 200.
- PM1 constructs a layer 2 message 1 according to the ARP response message 1 and sends the layer 2 message 1 to the network card 1 of the layer 2 gateway 200 through the layer 2 communication tunnel 30.
- PM1 learns L2 MAC1 from the source MAC address of ARP response message 1 and constructs Layer 2 message 1 according to the learned L2 MAC1. The source IP address of Layer 2 message 1 is PM1's private network address 192.168.0.4, the source MAC address is PM1 MAC, the destination IP address is VM1's private network address 192.168.0.2, and the destination MAC address is L2 MAC1 (that is, the MAC address of network card 1).
- the data part of the layer 2 message 1 carries the IP message 1
- the data part of the IP message 1 carries the request information 1
- the request information 1 is used to request a response from the VM1
- The IP header of IP message 1 carries the destination IP address and the source IP address.
- PM1 can record the correspondence between 192.168.0.2 and L2 MAC1 in its local ARP table entry. Subsequent communication between PM1 and 192.168.0.2 then only needs to check the local ARP table entry to confirm L2 MAC1; there is no need to resend an ARP request message for MAC address learning.
- Step S204 The Layer 2 gateway 200 modifies the Layer 2 message 1, and sends the modified Layer 2 message 1 to VM1.
- The Layer 2 gateway 200 confirms the MAC address of VM1 (VM1 MAC) according to the destination IP address 192.168.0.2 of Layer 2 message 1, changes the destination MAC address of Layer 2 message 1 from L2 MAC1 to VM1 MAC, and changes the source MAC address from PM1 MAC to L2 MAC2.
- the correspondence between 192.168.0.2 and VM1 MAC may be sent to the layer 2 gateway 200 by the control platform 201 in advance, and the layer 2 gateway 200 records the correspondence between 192.168.0.2 and VM1 MAC in the local ARP table entry.
- control platform 201 may preset the correspondence between 192.168.0.2 and VM1 MAC in the layer 2 gateway 200 when creating the layer 2 gateway 200.
- the layer 2 gateway 200 sends the modified layer 2 message 1 to the VM1 in the subnet 1 through the network card 2 connected to the subnet 1.
- Step S205 VM1 constructs a layer 2 message 2 according to the layer 2 message 1 and sends the modified layer 2 message 2 to the layer 2 gateway 200.
- the layer 2 message 2 is the response message of the layer 2 message 1.
- the data part of the layer 2 message 1 carries IP message 1, and the data part of the IP message 1 carries request information 1.
- VM1 generates response information 1 based on request information 1 and constructs Layer 2 message 2; the data part of Layer 2 message 2 carries IP message 2, and the data part of IP message 2 carries response information 1.
- the source MAC address of layer 2 message 2 is VM1 MAC, and the destination MAC address is L2 MAC2, the source IP address is VM1's private network address 192.168.0.2, and the destination IP address is PM1's private network address 192.168.0.4.
- VM1 sends the modified Layer 2 message 2 to the network card 2 of the Layer 2 gateway 200.
- After VM1 receives Layer 2 message 1, it can record the correspondence between the source IP address (192.168.0.4) and the source MAC address (L2 MAC2) of Layer 2 message 1 in its local ARP table entry.
- Step S206 The layer 2 gateway 200 modifies the layer 2 message 2 and sends the modified layer 2 message 2 to the PM1.
- The Layer 2 gateway 200 queries its local ARP table entry according to the destination IP address of Layer 2 message 2 (192.168.0.4) to confirm PM1 MAC, modifies the destination MAC address of Layer 2 message 2 to PM1 MAC, and modifies the source MAC address to L2 MAC1.
- the Layer 2 gateway 200 has learned and recorded the correspondence between 192.168.0.4 and PM1 MAC, and the correspondence relationship is recorded in the local ARP entry of the Layer 2 gateway 200.
- After modifying Layer 2 message 2, the Layer 2 gateway 200 sends Layer 2 message 2 to PM1 through network card 1.
- the layer 2 message 2 is sent from the network card 1 and reaches the PM1 of the subnet 2 through the layer 2 communication tunnel 30.
- PM1 has received the Layer 2 message 2, and obtained the response information 1 of VM1 from the Layer 2 message 2, and the communication between PM1 and VM1 is completed.
- Subsequently, PM1 only needs to construct a Layer 2 message with a destination IP address of 192.168.0.2 and a destination MAC address of L2 MAC1 based on its local ARP table entry, and the message reaches VM1 through the Layer 2 communication tunnel 30 and the Layer 2 gateway 200.
- When VM1 responds, it constructs a Layer 2 message with a destination IP address of 192.168.0.2 and a destination MAC address of L2 MAC1.
- the layer 2 message can reach PM1 through the layer 2 gateway 200 and the layer 2 communication tunnel 30.
- the device manager 2031 is omitted in FIG. 5 for brevity.
- The modified Layer 2 message 1 in step S204 is forwarded to VM1 via the device manager 2031, and Layer 2 message 2 in step S205 is forwarded to the Layer 2 gateway 200 via the device manager 2031.
- FIG. 6 is another data interaction diagram of the communication method in the hybrid cloud environment according to an embodiment of the present invention.
- VM1 communicates with PM1 for the first time.
- the local ARP entry of VM1 does not record the MAC address corresponding to PM1's private network address (192.168.0.4).
- VM1 needs to send an ARP request message to obtain the MAC address corresponding to 192.168.0.4.
- the hybrid cloud communication method according to the embodiment of the present invention specifically includes the following steps:
- Step 301 VM1 sends an ARP request message 2 to the device manager 2031.
- Since VM1 actively communicates with PM1 and the local ARP table entry of VM1 does not record the MAC address corresponding to PM1's private network address (192.168.0.4), VM1 needs to obtain the MAC address corresponding to 192.168.0.4 before it sends Layer 2 packets to PM1.
- VM1 needs to broadcast ARP request message 2 on subnet 1.
- the source IP address of the ARP request message 2 is 192.168.0.2
- the source MAC address is VM1 MAC
- the destination IP address is 192.168.0.2
- the destination MAC address is FFFF FFFF FFFF
- ARP request message 2 is used to request the MAC address corresponding to 192.168.0.2.
- VM1 and the device manager 2031 are both set in the computing node 203, and the device manager 2031 is used to manage VM1.
- ARP request message 2, sent by VM1 to subnet 1 for broadcasting, first reaches the device manager 2031.
- Step 302 The device manager 2031 constructs an ARP response message 2 according to the ARP request message 2 and sends the ARP response message 2 to VM1.
- The device manager 2031 first confirms from the destination MAC address of ARP request message 2 (FFFF FFFF FFFF) that it is a broadcast message, and confirms from its destination IP address (PM1's private network address 192.168.0.4) that ARP request message 2 is for a device outside subnet 1. At this point the device manager 2031 needs to intercept ARP request message 2, and therefore constructs ARP response message 2.
- control platform 201 sends the private network addresses of all virtual machines in the subnet 1 to the device manager 2031 in advance.
- the private network address of VM1 is 192.168.0.2.
- The device manager 2031 receives and records the private network addresses of the virtual machines in subnet 1, and after receiving ARP request message 2 sent by VM1, determines whether the destination IP address (192.168.0.4) of ARP request message 2 belongs to the recorded private network addresses of the virtual machines in subnet 1.
- If so, ARP request message 2 is for a virtual machine in subnet 1, and the device manager 2031 sends ARP request message 2 to subnet 1 for broadcasting; if not, ARP request message 2 is for a device outside subnet 1 (that is, the physical machine of subnet 2), and the device manager 2031 intercepts ARP request message 2 and constructs ARP response message 2.
- The source MAC address of ARP response message 2 is L2 MAC2, the source IP address is PM1's private network address 192.168.0.4, the destination MAC address is VM1 MAC, and the destination IP address is VM1's private network address 192.168.0.2.
- control platform 201 may send L2 MAC2 to the device manager 2031 in advance, and the device manager 2031 receives and records the L2 MAC2.
- the device manager 2031 determines that the destination IP address (192.168.0.4) of the ARP request message 2 does not belong to the private network address (192.168.0.2) of the virtual machine in the subnet 1. Therefore, the device manager 2031 constructs ARP reply message 2 and sends ARP reply message 2 to VM1.
- ARP reply message 2 is used to notify VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
- Step 303 VM1 constructs a layer 2 message 3 according to the ARP response message 2 and sends the layer 2 message 3 to the device manager 2031.
- After VM1 receives ARP response message 2, it learns L2 MAC2 from the source MAC address of ARP response message 2. VM1 constructs Layer 2 message 3 according to L2 MAC2; the data part of Layer 2 message 3 carries IP message 3, the data part of IP message 3 carries request information 2, and request information 2 is used to request a response from PM1.
- The source MAC address of Layer 2 message 3 is VM1 MAC, the source IP address is 192.168.0.2, the destination IP address is 192.168.0.4, and the destination MAC address is L2 MAC2.
- VM1 sends a Layer 2 message 3 to the network card 2 of the Layer 2 gateway 200.
- Step S304 The device manager 2031 forwards the layer 2 message 3 to the layer 2 gateway 200 according to the destination MAC address of the layer 2 message 3.
- the device manager 2031 forwards the layer 2 message 3 to the network card 2 of the layer 2 gateway 200.
- Step 305 The layer 2 gateway 200 modifies the layer 2 message 3, and sends the modified layer 2 message 3 to the PM1.
- the network card 2 of the layer 2 gateway 200 receives the layer 2 message 3, and according to the destination IP address of the layer 2 message 3 (192.168.0.4) confirms whether the local ARP table entry records the MAC address corresponding to 192.168.0.4.
- in one case, the local ARP table entry of the layer 2 gateway 200 records the correspondence between 192.168.0.4 and PM1 MAC.
- the Layer 2 gateway 200 can then obtain the PM1 MAC from the local ARP table entry according to 192.168.0.4.
- in another case, the local ARP table entry of the Layer 2 gateway 200 does not record the MAC address corresponding to 192.168.0.4.
- the Layer 2 gateway 200, which connects to subnet 2 through network card 1, then actively sends an ARP request message to subnet 2 to learn the MAC address of PM1.
- the source MAC address of the ARP request message is L2 MAC1, the source IP address is 192.168.0.2, the destination IP address is 192.168.0.4, and the destination MAC address is FFFF FFFF FFFF.
- the ARP request message is used to request the MAC address corresponding to 192.168.0.4 in subnet 2, and is broadcast on subnet 2 through the layer 2 communication tunnel 30.
- PM1 receives the ARP request message and constructs an ARP response message according to the destination IP address (192.168.0.4) of the ARP request message.
- the source MAC address of the ARP response message is PM1 MAC
- the destination MAC address is L2 MAC1.
- the source IP address is 192.168.0.4 of PM1
- the destination IP address is 192.168.0.2.
- PM1 sends an ARP response message to the network card 1 of the layer 2 gateway 200 through the layer 2 communication tunnel 30.
- the layer 2 gateway 200 learns PM1 MAC from the source MAC address of the ARP response message, and records the correspondence between PM1 MAC and 192.168.0.4 in the local ARP table entry.
- after the layer 2 gateway 200 obtains the PM1 MAC, the destination MAC address of the layer 2 message 3 is changed from L2 MAC2 to PM1 MAC, and the source MAC address is changed from VM1 MAC to L2 MAC1.
- the layer 2 gateway 200 sends the layer 2 message 3 to the layer 2 communication tunnel 30 through the network card 1, and the layer 2 message 2 is sent to the PM1 of the subnet 2 via the layer 2 communication tunnel 30.
- the layer 2 gateway 200 directly modifies the layer 2 message 2 according to L2 MAC1, and when the local ARP table entry records L2 MAC1, it can actively send an ARP request message to subnet 2 to learn L2 MAC1.
- Step 306 PM1 constructs a layer 2 message 4 according to the layer 2 message 3 and sends the layer 2 message 4 to the layer 2 gateway 200.
- after PM1 receives the layer 2 message 3, it obtains the IP message 3 from the data part of the layer 2 message 3, and obtains the request information 2 from the data part of the IP message 3. PM1 generates response information 2 according to the request information 2 and constructs layer 2 message 4; the data part of layer 2 message 4 carries IP message 4, and the data part of IP message 4 carries response information 2.
- the source MAC address of layer 2 message 2 is PM1 MAC, the destination MAC address is L2 MAC1, the source IP address is 192.168.0.4, and the destination IP address is 192.168.0.2.
- PM1 can record the source MAC address (L2 MAC1) and source IP address (192.168.0.2) of the Layer 2 message 2 in the local ARP table entry.
- PM1 sends the layer 2 message 4 to the network card 1 of the layer 2 gateway 200 through the layer 2 communication tunnel 30.
- Step 307 The layer 2 gateway 200 modifies the layer 2 message 4, and sends the modified layer 2 message 4 to the device manager 2031 through the network card 2.
- the Layer 2 gateway 200 searches the local ARP entry according to the destination IP address of the Layer 2 message 4 (192.168.0.2) to confirm VM1 MAC, changes the destination MAC address of the Layer 2 message 4 from L2 MAC1 to VM1 MAC, and changes the source MAC address from PM1 MAC to L2 MAC2.
- the correspondence between 192.168.0.2 and VM1 MAC may be sent to the layer 2 gateway 200 by the control platform 201 in advance, and the layer 2 gateway 200 records the correspondence between 192.168.0.2 and VM1 MAC in the local ARP table entry.
- Step 308 The device manager 2031 forwards the modified layer 2 message 4 to VM1.
- after VM1 receives the layer 2 message 2, it obtains the IP message 4 from the data part of the layer 2 message 2, and obtains the response information 2 from the data part of the IP message 2.
- VM1 has obtained the response information 2 generated by PM1, and the subsequent communication from VM1 to PM1 does not require VM1 to send ARP request packets.
- VM1 only needs to construct, according to the local ARP table entry, a Layer 2 message whose destination MAC address is L2 MAC2 and whose destination IP address is 192.168.0.2, and it can then communicate with PM1 through the Layer 2 gateway 200 and the Layer 2 communication tunnel 30.
- the Layer 2 gateway 200 connects subnet 1 and subnet 2, which have the same private network address segment, responds to ARP request messages, and performs MAC conversion on Layer 2 messages. Therefore, from the perspective of PM1 and VM1, subnet 1 and subnet 2 belong to the same broadcast domain, and VM1 on the cloud and PM1 under the cloud realize Layer 2 intercommunication through the Layer 2 gateway 200.
- the device manager 2031 intercepts the ARP request message 2 sent by VM1 and directly sends the ARP response message 2 to VM1 to notify VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2. In some other examples of the present invention, the device manager 2031 may also forward the ARP request message 2 to subnet 1 for broadcasting without intercepting it, so that the network card 2 connected to subnet 1 receives it.
- the layer 2 gateway 200 can then receive the ARP request message 2 from subnet 1 through the network card 2, and generate an ARP response message according to the ARP request message 2.
- the layer 2 gateway 200 sends the ARP response message to the VM1 of the subnet 1 through the network card 2. This informs VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
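The following is an added example, not code from the patent, that simulates steps 301 to 308 above: the device manager's ARP interception (step 302), the Layer 2 gateway's proxy ARP towards subnet 2, its MAC rewriting on NIC 2 to NIC 1 traffic (step 305) and on NIC 1 to NIC 2 traffic (step 307). The MAC values, the `Frame` model and the `"nic1"`/`"nic2"` labels are constructed assumptions; the IP addresses are the ones used in the description.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal Layer 2 frame: the four-tuple the description tracks plus a type tag."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str            # "arp_req", "arp_rep" or "ip"
    payload: str = ""


def device_manager_arp(subnet1_hosts: Dict[str, str], l2_mac2: str,
                       req: Frame) -> Tuple[str, Frame]:
    """Step 302: device manager 2031 broadcasts an ARP request whose target is a VM of
    subnet 1 and answers any other target itself with L2 MAC2, so the request never
    leaves the subnet and no other subnet-1 host gets a chance to claim the address."""
    if req.dst_ip in subnet1_hosts:
        return ("broadcast", req)
    return ("reply", Frame(l2_mac2, req.src_mac, req.dst_ip, req.src_ip, "arp_rep"))


@dataclass
class L2Gateway:
    mac1: str                        # L2 MAC1: network card 1, towards subnet 2 via the tunnel
    mac2: str                        # L2 MAC2: network card 2, towards subnet 1
    subnet1_hosts: Dict[str, str]    # ip -> MAC of subnet-1 VMs, pushed by the control platform
    arp_table: Dict[str, str] = field(default_factory=dict)   # ip -> MAC learned from subnet 2
    pending: List[Frame] = field(default_factory=list)        # frames waiting for an ARP reply

    def on_nic2(self, f: Frame) -> List[Tuple[str, Frame]]:
        """Step 305: a frame from subnet 1 addressed to L2 MAC2. Returns (nic, frame) pairs to emit."""
        if f.dst_mac != self.mac2 or f.kind != "ip":
            return []                                    # not for the gateway: never bridge blindly
        pm_mac = self.arp_table.get(f.dst_ip)
        if pm_mac is None:
            # MAC of the subnet-2 host not learned yet: queue the frame and ask on network card 1
            self.pending.append(f)
            return [("nic1", Frame(self.mac1, BROADCAST_MAC, f.src_ip, f.dst_ip, "arp_req"))]
        return [("nic1", Frame(self.mac1, pm_mac, f.src_ip, f.dst_ip, "ip", f.payload))]

    def on_nic1(self, f: Frame) -> List[Tuple[str, Frame]]:
        """Steps 12 and 307: a frame from subnet 2 arriving through the tunnel on network card 1."""
        out: List[Tuple[str, Frame]] = []
        if f.kind in ("arp_req", "arp_rep"):
            self.arp_table[f.src_ip] = f.src_mac      # learn the subnet-2 sender (PM1 MAC)
        if f.kind == "arp_req":
            # the broadcast must not reach subnet 1; proxy-answer only for known subnet-1 VMs
            if f.dst_ip in self.subnet1_hosts:
                out.append(("nic1", Frame(self.mac1, f.src_mac, f.dst_ip, f.src_ip, "arp_rep")))
            return out
        if f.kind == "arp_rep":
            still = []
            for q in self.pending:                    # flush frames that waited for this MAC
                if q.dst_ip == f.src_ip:
                    out.append(("nic1", Frame(self.mac1, f.src_mac, q.src_ip, q.dst_ip, "ip", q.payload)))
                else:
                    still.append(q)
            self.pending = still
            return out
        # IP frame from PM1 to a VM: rewrite both MACs and hand it to network card 2 / device manager
        vm_mac = self.subnet1_hosts.get(f.dst_ip)
        if f.dst_mac == self.mac1 and vm_mac is not None:
            out.append(("nic2", Frame(self.mac2, vm_mac, f.src_ip, f.dst_ip, "ip", f.payload)))
        return out


def run_vm1_to_pm1() -> dict:
    """Walk steps 301-308 with the description's addresses; MAC values are constructed samples."""
    vm1_mac, pm1_mac = "02:00:00:00:00:02", "02:00:00:00:00:04"
    l2_mac1, l2_mac2 = "02:00:00:00:00:a1", "02:00:00:00:00:a2"
    subnet1 = {"192.168.0.2": vm1_mac}
    gw = L2Gateway(l2_mac1, l2_mac2, subnet1)
    # steps 301-302: VM1 asks for 192.168.0.4; the device manager answers with L2 MAC2
    req2 = Frame(vm1_mac, BROADCAST_MAC, "192.168.0.2", "192.168.0.4", "arp_req")
    action, rep2 = device_manager_arp(subnet1, l2_mac2, req2)
    # steps 303-305: VM1 sends message 3 to L2 MAC2; the gateway must learn PM1 MAC first
    msg3 = Frame(vm1_mac, rep2.src_mac, "192.168.0.2", "192.168.0.4", "ip", "request 2")
    arp_out = gw.on_nic2(msg3)
    pm1_rep = Frame(pm1_mac, l2_mac1, "192.168.0.4", "192.168.0.2", "arp_rep")
    msg3_out = gw.on_nic1(pm1_rep)                    # PM1 answers through the tunnel
    # steps 306-308: PM1 replies with message 4; the gateway rewrites MACs towards VM1
    msg4 = Frame(pm1_mac, l2_mac1, "192.168.0.4", "192.168.0.2", "ip", "response 2")
    msg4_out = gw.on_nic1(msg4)
    return {"dm_action": action, "dm_reply": rep2, "arp_out": arp_out,
            "msg3_out": msg3_out, "msg4_out": msg4_out, "arp_table": dict(gw.arp_table)}


if __name__ == "__main__":
    for key, value in run_vm1_to_pm1().items():
        print(key, value)
```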
- the embodiment of the present invention can support Layer 2 interworking between the subnet 2 of the data center 10 under the cloud and the subnet 1 of the data center 20 on the cloud with the same private network address segment, which facilitates the scenario where the hybrid cloud is switched to the public cloud.
- switching from hybrid cloud to public cloud refers to migrating the image of the device in subnet 2 of the data center 10 under the cloud to the virtual machine of subnet 1 of the data center 20 on the cloud, and deactivating the equipment in subnet 2 after the migration is successful.
- when PM1 needs to be migrated to subnet 1 of data center 20 on the cloud, the user can create a new VM3 in subnet 1, import the image of PM1 into VM3, and shut down PM1 at the same time. Since VM3 is a mirror image of PM1, VM3 has the same private network address 192.168.0.4 and MAC address PM1 MAC as PM1. When VM3 needs to actively communicate with VM1, it broadcasts an ARP request message for 192.168.0.2 on subnet 1 and receives from VM1 an ARP response message carrying VM1 MAC, and VM3 can then implement Layer 2 communication with VM1 in subnet 1 according to VM1 MAC.
- based on the same principle, all devices in subnet 2 can be migrated to subnet 1 in a similar manner. After devices in subnet 2 are migrated to subnet 1, their private network addresses and MAC addresses are the same as before the migration. Therefore, there is no need to modify the private network address and MAC address of the devices of subnet 2, and the network model of subnet 2 can be completely migrated to subnet 1, which provides great convenience for the migration of devices in the data center under the cloud to the public cloud.
- subnet 1 and subnet 2 are interoperable at the second layer through the second-tier gateway.
- the network model of the data center under the cloud can be completely retained in the public cloud.
- FIG. 7 is a schematic diagram of a specific system structure of a hybrid cloud environment according to an embodiment of the present invention.
- FIG. 7 further shows a possible implementation of the layer 2 communication tunnel 30 on the basis of FIG. 4.
- the Layer 2 communication tunnel 30 is implemented by a VTEP device 301, a VTEP device 304, a VPN gateway 302, and a VPN gateway 303.
- VTEP device 301 is connected to subnet 2
- VTEP device 304 is connected to network card 1 of layer 2 gateway 200
- VTEP device 301 is set with VTEP IP1
- VTEP device 304 is set with VTEP IP2
- VPN gateway 302 is set with public network IP1
- VPN gateway 303 is set with public network IP2.
- the VTEP device 304 encapsulates the Layer 2 message 1 sent by PM1 into the inner layer of the VXLAN message 1.
- the source IP address of the outer layer of the VXLAN message 1 is VTEP IP1, the destination IP address is VTEP IP2, the source MAC address is the MAC address of the VTEP device 301, and the destination MAC address is the MAC address of the next hop device to VTEP IP2 (for example, the MAC address of the VPN gateway 302). The VTEP device 301 sends the VXLAN message 1 to the VPN gateway 302, and the VPN gateway 302 encapsulates VXLAN message 1 in the data part of VPN message 1.
- the source IP address of the VPN header of the VPN message 1 is the public network IP1 of VPN gateway 302, the destination IP address is the public network IP2 of VPN gateway 303, the source MAC address is the MAC address of VPN gateway 302, and the destination MAC address is the MAC address of the next hop device.
- VPN gateway 302 sends VPN message 1 to the Internet, and the routing device in the Internet forwards the VPN message 1 to the VPN gateway 303 according to the destination IP address of the VPN message 1.
- the VPN gateway 303 receives the VPN message 1, obtains the VXLAN message 1 from the data part of the VPN message 1, and sends the VXLAN message 1 to the VTEP device 304 according to the destination IP address (VTEP IP2) of the VXLAN message 1.
- the VTEP device 304 decapsulates the VXLAN message 1, thereby obtaining the layer 2 message 1, and sends the layer 2 message 1 to the network card 1 of the layer 2 gateway 200.
- the subnet 2 of the data center 10 under the cloud can be interconnected with the layer 2 gateway 200 of the cloud data center 10.
- PM1 and the Layer 2 gateway 200 are unaware of the above encapsulation and decapsulation process, and the Layer 2 message 1 can be transmitted from the subnet 2 to the subnet 1 unchanged.
- the VTEP device 304 encapsulates the layer 2 message 2 sent by the layer 2 gateway 200 through the network card 1 into the inner layer of the VXLAN message 2.
- the source IP address of the outer layer of the VXLAN message 2 is VTEP IP2, the destination IP address is VTEP IP1, the source MAC address is the MAC address of VTEP device 304, and the destination MAC address is the MAC address of the next hop device to VTEP IP1. VTEP device 304 sends VXLAN message 2 to VPN gateway 303, and VPN gateway 303 encapsulates VXLAN message 2 into the data part of VPN message 2.
- the source IP address of the VPN header of the VPN message 2 is the public network IP2 of VPN gateway 303, the destination IP address is the public network IP1 of VPN gateway 302, the source MAC address is the MAC address of the VPN gateway 303, and the destination MAC address is the MAC address of the next hop device to the public network IP1. The VPN gateway 302 sends the VPN message 2 to the Internet, and the Internet routing device forwards the VPN message 2 to the VPN gateway 302 according to the destination IP address of the VPN message 2.
- the VPN gateway 302 receives the VPN message 2, obtains the VXLAN message 2 from the data part of the VPN message 2, and sends the VXLAN message 1 to the VTEP device 301 according to the destination IP address (VTEP IP1) of the VXLAN message 2.
- the VTEP device 301 decapsulates the VXLAN message 2 to obtain the Layer 2 message 2, and sends the Layer 2 message 2 to PM1.
- the layer 2 gateway 200 of the cloud data center 10 can thus be interconnected at layer 2 with PM1 of the cloud data center 10; PM1 and the Layer 2 gateway 200 are unaware of the above-mentioned encapsulation and decapsulation process, and the Layer 2 message 2 can also be transmitted from subnet 1 to subnet 2 unchanged.
- the layer 2 message 1 is encapsulated into the inner layer of the VXLAN message 1, so when the layer 2 message 1 passes through the layer 2 communication tunnel 30 from PM1 to the layer 2 gateway 200, the source MAC address and destination MAC address of the layer 2 message 1 remain unchanged.
- the layer 2 message 2 is encapsulated into the inner layer of the VXLAN message 2.
- when the layer 2 message 2 passes through the layer 2 communication tunnel 30 from the layer 2 gateway 200 to PM1, the source MAC address and the destination MAC address of the layer 2 message 2 remain unchanged, so the layer 2 communication tunnel 30 can realize layer 2 intercommunication between PM1 and the layer 2 gateway 200.
- the ARP request message and the ARP response message between the PM1 and the Layer 2 gateway 304 can also be transmitted in the Layer 2 communication tunnel 30 in the above-mentioned manner.
- the VPN gateway is used to implement remote communication across data centers
- the VTEP device is used to implement Layer 2 intercommunication
- the cooperation of the VPN gateway and the VTEP device can implement remote Layer 2 intercommunication across data centers.
- the VPN gateway can be replaced by other remote connection gateways, such as a dedicated line gateway.
- the VTEP device accesses the dedicated line network provided by the operator through the dedicated line gateway, without the need to perform VPN encapsulation and decapsulation operations on the VXLAN message.
- the local dedicated line gateway can directly send VXLAN packets to the dedicated line network, and the routing device in the dedicated line network forwards the VXLAN packets to the peer dedicated line gateway according to the destination IP address of the VXLAN packet.
- the embodiment of the present invention is not limited to only using VXLAN technology to encapsulate or decapsulate the packets in subnet 1 and subnet 2.
- the embodiment of the present invention can also adopt any large layer 2 encapsulation/decapsulation technology to achieve similar functions; for example, using GRE technology instead of VXLAN technology to implement packet encapsulation and decapsulation is also feasible.
- Figures 8a-8c show schematic diagrams of interactive interfaces provided by the control platform according to an embodiment of the present invention.
- the control platform 201 provides an interactive interface 1, and the interactive interface 1 is set with a "Create" selection box. When the user clicks on the selection box, the user enters the interactive interface 2 shown in Figure 8b.
- in the interactive interface 2, the user enters the configuration information.
- the configuration information includes the name of the Layer 2 gateway to be created, the local tunnel information, the VPC to which the Layer 2 gateway to be created belongs, the subnet that the Layer 2 gateway is connected to in the VPC, and the peer tunnel information.
- when the user clicks the "OK" button, the interface shown in Figure 8c is entered. This interface is used to prompt that the Layer 2 gateway 200 is set successfully.
- the user can enter (or select) the VPN gateway 303 in the local tunnel information input box, and can enter VTEP IP3 of the VTEP device 301 and VNI0 of subnet 2 in the remote tunnel information input box.
- VNI0 is set by the VTEP device 301, and since the user has full management authority to the VTEP device 301 of the data center 10 under the cloud, VTEP IP1 and VNI0 are parameters known to the user.
- this embodiment assumes that the VPN gateway 302 and the VPN gateway 303 have established a VPN connection, and the user only needs to enter the VPN gateway 303 to be connected to the layer 2 gateway 200 to make the layer 2 gateway 300 and the cloud data center 10 realize a remote connection.
- the user can create a VPN gateway 303 through the VPN service provided by the data center 20 on the cloud, and set the VPN gateway 303 to connect with the VPN gateway 302.
- the outer destination IP address of the VXLAN packet can be set to VTEP IP2, and after the encapsulated VXLAN message reaches the cloud data center 20 through the VPN gateway 303, the VXLAN message is routed to the VTEP device 304 in the internal network of the cloud data center 20 according to the outer destination IP address VTEP IP2.
- FIGS. 9 to 12 show a possible specific implementation of the hybrid cloud environment disclosed in FIG. 7.
- Figure 9 details the message flow of the Layer 2 gateway 200 for ARP pickup to PM1
- Figure 10 details the message flow that PM1 actively sends to PM1.
- Figure 11 details the message flow of VM1's response to PM1
- Figure 12 details the message flow of the device manager's ARP pickup to VM1.
- the hybrid cloud communication system includes a data center 10 on the cloud and a data center 20 under the cloud.
- the data center 10 on the cloud and the data center 20 off the cloud are respectively connected to the Internet 30.
- the user accesses the Internet 30 through the client 40. The user has management authority for all devices in the data center 10 under the cloud, and only has management authority for the VPC1, the Layer 2 gateway 200, and the VPN gateway 303 of the data center 20 on the cloud.
- the user, by operating the client 40, accesses the interactive interface or API provided by the control platform 201 and inputs commands for managing the VPC1, the Layer 2 gateway 200 or the VPN gateway 303, and the control platform 201 manages the VPC1, the Layer 2 gateway 200 or the VPN gateway 303 according to these commands.
- the client terminal 40 is, for example, a terminal device such as a mobile phone, a personal computer, and a personal tablet computer. In other embodiments, the client terminal 40 may also be set in the data center 10 under the cloud.
- the cloud data center 20 includes a control platform 201, a computing node 203, a network node 204, a router 205, a top of rack switch 206, and a top of rack switch 207.
- the top-of-rack switch 206, the top-of-rack switch 207, the control platform 201, and the VPN gateway 303 are respectively connected to the router 205.
- the computing node 203 and the network node 204 are, for example, servers.
- the computing node 203 runs virtual machines VM1 and VM2 provided by public cloud services, and the network node 204 runs a layer 2 gateway 200.
- the computing node 203 includes VM1, VM2, an operating system 2030, and a physical network card 2033.
- the operating system 2030 is provided with a device manager 2031.
- the device manager 2031 includes a virtual switch 2032 and a VTEP device 305.
- the virtual switch 2032 is provided with a virtual port 5.
- the logical network bridge 2034 is connected to virtual port 5, virtual port 6 and virtual port 7, respectively.
- VM1 is provided with virtual network card 3
- VM2 is provided with virtual network card 4
- virtual network card 3 is connected to virtual port 5, virtual network card 4 is connected to virtual port 6, and virtual port 7 is connected to VTEP device 305.
- the VTEP device 305 is also connected to the physical network card 2033, and the computing node 203 is connected to the top-of-rack switch 206 through the physical network card 2033.
- VM1 and VM2 are set in subnet 1 of VPC1, the tunnel identifier of VPC1 is VNI1, and the logical bridge 2034 is used to implement the switch function of subnet 1.
- the network node 204 includes a Layer 2 gateway 200, an operating system 2040, and a physical network card 2043.
- the operating system 201 is provided with a device manager 2041.
- the device manager 2041 includes a virtual switch 2042 and a VTEP device 304.
- the virtual switch 2042 includes a virtual port 1, a virtual port 2 and a virtual port 3.
- the virtual port 3 is connected to the virtual port 2, the virtual port 3 is also connected to the virtual port 1, the VTEP device 304 is connected to the physical network card 2043, and the network node 204 is connected to the top-of-rack switch 207 through the physical network card 2043.
- the Layer 2 gateway 200 is provided with a virtual network card 1 and a virtual network card 2, the virtual network card 1 is connected to the virtual port 1, the virtual network card 2 is connected to the virtual port 2, and the virtual port 3 is connected to the VTEP device 304.
- the data center 10 under the cloud includes a VPN gateway 302, a VTEP device 301, subnet 2 and subnet 3.
- the private network address segment of subnet 2 is the same as that of subnet 1 (both are 192.168.0.0/24); physical machines PM1 and PM2 are set in subnet 2, and physical machines PM3 and PM4 are set in subnet 3.
- VTEP device 301 is, for example, a VXLAN switch.
- the VXLAN switch has switch functions and VXLAN encapsulation and decapsulation functions.
- Subnet 2 and subnet 3 are divided by VTEP device 301.
- VTEP device 301 sets the tunnel identifier of subnet 2 to VNI0, and the tunnel identifier of subnet 3 to VNI1.
- the VTEP device 305 and the VTEP device 304 are implemented by software. Specifically, the VTEP device 305 is implemented by the kernel of the operating system 2030 of the computing node 203, and the VTEP device 304 is implemented by the kernel of the operating system 2040 of the network node 204. The VTEP device 301 is implemented by hardware, such as a VXLAN switch.
- the VTEP device 301 may also be implemented by an operating system kernel. At this time, the VTEP device 301 is connected to a virtual machine running in the operating system of the physical machine of the data center 10 under the cloud.
- the network parameters of each device are respectively set as:
- the private network address of VM1 192.168.0.2; the virtual network card 3 of VM1 has a MAC address: VM1 MAC;
- the private network address of VM2 192.168.0.3; the virtual network card 4 of VM2 has a MAC address: VM2 MAC;
- the VTEP device 305 is set with a VTEP IP address: VTEP IP1;
- the VTEP device 304 is set with a VTEP IP address: VTEP IP2;
- the VTEP device 302 is set with a VTEP IP address: VTEP IP3;
- VPN gateway 302 is set with: public network IP1;
- VPN gateway 303 is set with: public network IP2;
- the tunnel identifier of subnet 1 is: VNI1;
- the tunnel identifier of subnet 2 is: VNI0;
- the MAC address of the virtual network card 1 of the Layer 2 gateway 200 L2 MAC1;
- the MAC address of the virtual network card 2 of the Layer 2 gateway 200 L2 MAC2.
- the above network parameters are all recorded in the control platform 201. It is worth noting that the public network IP1 of the VPN gateway 302, the VNI0 of the subnet 2 and the VTEP IP3 of the VTEP device 301 are input into the control platform 301 by the user through operating the client 40. Among them, VTEP IP3 and VNI0 are input from the client 40 when the Layer 2 gateway 200 is created. For details, please refer to the interactive interface 2 shown in Figure 8b. The public IP1 of the VPN gateway 302 is input from the client 40 when the VPN connection is configured.
- PM2's private network address 192.168.0.5; PM2's MAC address: PM2 MAC;
- PM3's private network address 192.168.1.4; PM3's MAC address: PM3 MAC;
- PM4's private network address 192.168.1.5; PM4's MAC address: PM4 MAC;
- the control platform 201 has no management authority for the data center 10 under the cloud, and the control platform 201 does not record the network addresses of the physical machines of the data center 10 under the cloud. These network addresses need to be learned by the Layer 2 gateway 200.
- the router 205, the top-of-rack switch 206, the top-of-rack switch 207, the physical network card 2033, and the physical network card 2043 are all provided with IP addresses and have a message forwarding function.
- the router 205 records the routing rules. When the router receives a packet with the destination IP address VTEP IP1, it sends the packet to the top-of-rack switch 206; when it receives a packet with the destination IP address VTEP IP2, it sends the packet to the top-of-rack switch 207; when it receives a packet with the destination IP address VTEP IP3, it sends the packet to the VPN gateway 303.
- the physical network card 2033 forwards the message received from the VTEP device 305 to the top-of-rack switch 206, and forwards the message received from the top-of-rack switch 206 to the VTEP device 305.
- the top-of-rack switch 206 forwards the message received from the physical network card 2033 to the router 205, and forwards the message received from the router 205 to the physical network card 2033.
- the physical network card 2043 forwards the message received from the VTEP device 304 to the top-of-rack switch 207, and forwards the message received from the top-of-rack switch 207 to the VTEP device 304.
- the top-of-rack switch 207 forwards the message received from the physical network card 2043 to the router 205, and forwards the message received from the router 205 to the physical network card 2043.
- a VPN connection has been established between the VPN gateway 303 and the VPN gateway 302 in advance, and the public network IP1 of the VPN gateway 302 is input from the client 40 when the VPN connection is configured.
- VTEP device 305 records:
- VTEP device 304 records:
- Virtual port 3 records the correspondence between virtual port 2 and VNI1 and the correspondence between virtual port 1 and VNI0.
- the Layer 2 gateway 200 is connected through the virtual network card 1 to the virtual port 1 bound to VNI0, thereby realizing the connection with subnet 2, and is connected through the virtual network card 2 to the virtual port 2 bound to VNI1, thereby realizing the connection with subnet 1.
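As an added example that is not the patent's own code, the block below carries a Layer 2 message through the VXLAN part of the tunnel described for FIG. 7 and then applies the VNI-to-virtual-port binding of virtual port 3 just described: a VTEP wraps the inner frame with a VNI, the receiving VTEP validates and strips the header, and the VNI selects virtual port 1 or 2. The VTEP addresses, VNI numbers and MACs are constructed values; the outer layer is reduced to the two VTEP addresses plus UDP, and the VPN wrapper that carries the packet over the Internet is omitted (assumption).

```python
import ipaddress
import struct
from typing import Dict, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08     # "VNI present" flag in the first header byte (RFC 7348)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_inner_frame(src_mac: str, dst_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Inner Ethernet frame: the Layer 2 message that must cross the tunnel unchanged."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def encapsulate(vni: int, vtep_src_ip: str, vtep_dst_ip: str, inner: bytes) -> bytes:
    """What a VTEP device does to a Layer 2 message. Simplification (assumption): the outer
    layer is only the two VTEP addresses plus a UDP header; outer MACs and the VPN wrapper
    are omitted."""
    outer = ipaddress.IPv4Address(vtep_src_ip).packed + ipaddress.IPv4Address(vtep_dst_ip).packed
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + 8 + len(inner), 0)
    return outer + udp + vxlan_header(vni) + inner


def decapsulate(pkt: bytes) -> Tuple[str, int, bytes]:
    """Strip the outer layer, validate the VXLAN header and return
    (outer destination VTEP IP, VNI, inner frame). Malformed headers are rejected, not forwarded."""
    if len(pkt) < 8 + 8 + 8 + 14:
        raise ValueError("truncated packet")
    dst_ip = str(ipaddress.IPv4Address(pkt[4:8]))
    _, dport, ulen, _ = struct.unpack("!HHHH", pkt[8:16])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    if ulen != len(pkt) - 8:
        raise ValueError("UDP length mismatch")
    w0, w1 = struct.unpack("!II", pkt[16:24])
    if not (w0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    if (w0 & 0x00FFFFFF) or (w1 & 0xFF):
        raise ValueError("reserved bits must be zero")
    return dst_ip, w1 >> 8, pkt[24:]


def demux_to_port(vni_to_port: Dict[int, str], vni: int) -> str:
    """Virtual port 3 of network node 204: pick the virtual port bound to the VNI; an unbound VNI is dropped."""
    if vni not in vni_to_port:
        raise ValueError(f"no virtual port bound to VNI {vni}")
    return vni_to_port[vni]


def inner_macs(frame: bytes) -> Tuple[str, str]:
    """(src_mac, dst_mac) of an inner frame, used to check they survive the tunnel unchanged."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[6:12]), fmt(frame[0:6])


def tunnel_pm1_to_gateway() -> dict:
    """Steps 1-11 of FIG. 9 in miniature with constructed sample values: VTEP 301 wraps PM1's
    broadcast ARP request with VNI0, VTEP 304 unwraps it, and virtual port 3 selects virtual port 1."""
    pm1_mac, bcast = "02:00:00:00:00:04", "ff:ff:ff:ff:ff:ff"      # constructed MACs
    vtep_ip1, vtep_ip2 = "10.0.1.1", "10.0.2.1"                    # constructed VTEP IPs
    vni0, vni1 = 100, 200                                           # constructed VNI values
    inner = build_inner_frame(pm1_mac, bcast, 0x0806, b"\x00\x01 arp request 1")   # 0x0806 = ARP
    pkt = encapsulate(vni0, vtep_ip1, vtep_ip2, inner)
    dst, vni, frame = decapsulate(pkt)
    port = demux_to_port({vni0: "virtual port 1", vni1: "virtual port 2"}, vni)
    return {"outer_dst": dst, "vni": vni, "port": port,
            "macs": inner_macs(frame), "unchanged": frame == inner}


if __name__ == "__main__":
    print(tunnel_pm1_to_gateway())
```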
- Figure 9 describes the method for PM1 to actively communicate with VM1.
- the method includes the following steps:
- Step 1 PM1 constructs ARP request message 1 and sends it to VTEP device 301.
- PM1 records VM1's private network address 192.168.0.2, and broadcasts ARP request message 1 in subnet 2 to request the MAC address corresponding to 192.168.0.2.
- the four-tuple of ARP request message 1 is:
- Step 2 The VTEP device 302 sends a VXLAN message 1 to the VPN gateway 302.
- VTEP device 302 receives the ARP request message 1 broadcast by PM1 in subnet 2, and encapsulates the ARP request message 1 into the inner message of VXLAN message 1; the destination IP address of the outer message of VXLAN message 1 is VTEP IP2 (the VTEP IP of VTEP device 304), and the VXLAN header of VXLAN message 1 also carries the tunnel identifier VNI0 assigned by VTEP device 302 to subnet 2.
- the inner and outer quadruples of VXLAN message 1 are as follows:
- Destination MAC Next hop MAC (MAC address of VPN gateway 303)
- the layer 2 gateway 200 receives and intercepts the ARP request message 1, so the VTEP device 302 needs to send the VXLAN message 1 encapsulated with the ARP request message 1 to the VTEP device 304 connected to the layer 2 gateway 200. Therefore, the outer destination IP address of VXLAN message 1 is VTEP IP2.
- Step 3 The VPN gateway 302 sends the VPN message 1 to the Internet 30.
- VPN gateway 302 constructs VPN message 1; the data part of VPN message 1 carries VXLAN message 1, the destination IP address of the VPN header of VPN message 1 is public network IP1 (the public network IP of VPN gateway 303), and the source IP address is the public network IP2 (the public network IP of the VPN gateway 302).
- Step 4 The routing device of the Internet 30 forwards the VPN message 1 to the VPN gateway 303 according to the destination IP address of the VPN message 1.
- Step 5 VPN gateway 303 sends VXLAN message 1 to router 205.
- the VPN gateway 302 strips off the VPN header, obtains the VXLAN message 1 from the data part, and sends the VXLAN message 1 to the router 205.
- Step 6 The router 205 sends the VXLAN message 1 to the top-of-rack switch 207 according to the outer destination IP address of the VXLAN message 1.
- Step 7 The top-of-rack switch 207 sends the VXLAN message 1 to the physical network card 2043.
- Step 8 The physical network card 2043 sends the VXLAN message 1 to the VTEP device 304.
- Step 9 The VTEP device 304 decapsulates the VXLAN message 1, and obtains the ARP request message 1 from the inner message and VNI0 from the VXLAN header.
- Step 10 The VTEP device 304 sends the ARP request message 1 and VNI0 to the virtual port 3.
- Step 11 The virtual port 3 sends the ARP request message 1 to the virtual port 1, and the ARP request message 1 reaches the virtual network card 1 through the virtual port 1.
- the virtual port 3 records the correspondence between VNI0 and virtual port 1, and records the correspondence between VNI1 and virtual port 2.
- the virtual port 3 selects the virtual port 1 according to the VNI0, and sends the ARP request message 1 to the virtual port 1, so that the ARP request message 1 reaches the virtual network card 1 of the Layer 2 gateway 200 via the virtual port 1.
- Step 12 The Layer 2 gateway 200 generates an ARP response message 1 according to the ARP request message 1, and sends the ARP response message 1 to the virtual port 1 through the virtual network card 1, and the ARP response message 1 reaches the virtual port 3 through the virtual port 1.
- the Layer 2 gateway 200 determines that the ARP request message 1 is a broadcast message according to the destination MAC address FFFF FFFF FFFF of the ARP request message 1. At this time, the Layer 2 gateway 200 needs to intercept the ARP request message 1 and cannot let the broadcast message reach subnet 1.
- the Layer 2 gateway 200 constructs an ARP response message 1, and its four-tuple is:
- Source MAC L2 MAC1
- the ARP response message 1 is used to notify PM1 that the MAC address corresponding to 192.168.0.2 is the MAC address L2 MAC1 of the virtual network card 1.
- the layer 2 gateway 200 learns and records the correspondence between 192.168.0.4 and PM1 MAC in the ARP request message 1. Specifically, the layer 2 gateway 200 records the correspondence in the local ARP entry.
- Step 13 The virtual port 3 receives the ARP response message 1 from the virtual port 1, confirms the VNI0 according to the corresponding relationship between the virtual port 1 and the VNI0, and sends the ARP response message 1 and VNI0 to the VTEP device 304.
- Step 14 VTEP device 304 determines VTEP IP3 (VTEP IP of VTEP device 301) according to VNI0 to encapsulate ARP response message 1 to generate VXLAN message 2.
- the VXLAN header of VXLAN message 2 carries VNI0, and the outer destination IP address of VXLAN message 2 is VTEP IP3.
- VXLAN message 2 The inner and outer quadruples of VXLAN message 2 are as follows:
- Next hop MAC (MAC address of physical network card 2043)
- Source MAC L2 MAC1
- the destination IP address of the VXLAN message 2 is the VTEP IP3 of the VTEP device 301 connected to PM1.
- Step 15 The VTEP device 304 sends the VXLAN message 2 to the physical network card 2043.
- Step 16 The physical network card 2043 sends the VXLAN message 2 to the top-of-rack switch 207.
- Step 17 The top-of-rack switch 207 sends the VXLAN message 2 to the router 205.
- Step 18 The router 205 sends the VXLAN message 2 to the VPN gateway 303 according to the outer destination IP address of the VXLAN message 2.
- Step 19 The VPN gateway 303 receives the VXLAN message 2, generates the VPN message 2, and sends the VPN message 2 to the Internet 30.
- the data part of VPN message 2 carries VXLAN message 2
- the destination IP address of the VPN header of VPN message 2 is public network IP2 (the public network IP of VPN gateway 302)
- the source IP address is public network IP1 (the public IP of VPN gateway 303).
- Step 20 The routing device of the Internet 30 forwards the VPN message 2 to the VPN gateway 302 according to the destination IP address of the VPN message 2.
- Step 21 VPN gateway 302 receives VPN message 2, strips off the VPN header of VPN message 2, obtains VXLAN message 2 from the data part of VPN message 2, and sends VXLAN message 2 to the VTEP device 302 according to the outer destination IP address of VXLAN message 2.
- Step 22 The VTEP device 302 sends an ARP response message 1 to PM1.
- the VTEP device 302 receives the VXLAN message 2, decapsulates the VXLAN message 2 to obtain the inner ARP response message 1, obtains the VNI0 carried in the VXLAN header of the VXLAN message 2, selects subnet 2 according to VNI0, and sends ARP reply message 1 to PM1 in subnet 2.
- PM1 receives ARP response message 1 and, according to the source MAC address (L2 MAC1) of ARP response message 1, considers that the MAC address corresponding to 192.168.0.2 is L2 MAC1; PM1 records the correspondence between 192.168.0.2 and L2 MAC1 in PM1's local ARP table entry.
- Figure 10 shows a method for PM1 to communicate with VM1 after obtaining L2 MAC1.
- the method includes:
- Step 23 PM1 sends Layer 2 message 1 to VTEP device 302.
- the data part of the layer 2 message 1 carries the IP message 1, and the data part of the IP message 1 carries the request information 1.
- the four-tuple of Layer 2 message 1 is:
- PM1 considers that the MAC address of VM1 is L2 MAC1.
- Step 24 The VTEP device 302 sends the VXLAN message 3 to the VPN gateway 303.
- VTEP device 302 encapsulates Layer 2 message 1 into the inner message of VXLAN message 3.
- the destination IP address of the outer message of VXLAN message 3 is VTEP IP2 (VTEP IP of VTEP device 304), and the VXLAN header of VXLAN message 3 carries the tunnel identifier VNI0 of subnet 2.
- the inner and outer quadruples of VXLAN packet 3 are as follows:
- Next hop MAC (MAC address of VPN gateway 302)
- Step 25 The VPN gateway 302 sends the VPN message 3 to the Internet 30.
- after VPN gateway 303 receives VXLAN message 3, it constructs VPN message 3 according to VXLAN message 3.
- the data part of VPN message 3 carries VXLAN message 3; the destination IP address of the VPN header of VPN message 3 is public network IP1 (the public IP of the VPN gateway 303), and the source IP address is public network IP2 (the public IP of the VPN gateway 302).
- Step 26 The routing device of the Internet 30 forwards the VPN message 3 to the VPN gateway 303 according to the destination IP address of the VPN message 3.
- Step 27 The VPN gateway 302 sends the VXLAN message 3 to the router 205.
- the VPN gateway 302 strips off the VPN header, obtains the VXLAN message 3 from the data part of the VPN message 3, and sends the VXLAN message 3 to the router 205.
- Step 28 The router 205 sends the VXLAN message 1 to the top-of-rack switch 207 according to the outer destination IP address of the VXLAN message 1.
- Step 29 The top-of-rack switch 207 sends the VXLAN message 3 to the physical network card 2043.
- Step 30 The physical network card 2043 sends the VXLAN message 3 to the VTEP device 304.
- Step 31 The VTEP device 304 decapsulates the VXLAN message 3 to obtain the Layer 2 message 1 and VNI0.
- Step 32 The VTEP device 304 sends the Layer 2 message 1 and VNI0 to the virtual port 3.
- Step 33 The virtual port 3 sends the layer 2 message 1 to the virtual port 1.
- the virtual port 3 selects the virtual port 1 according to the VNI0, and sends the layer 2 message 1 to the virtual port 1, so that the layer 2 message 1 reaches the virtual network card 1 of the layer 2 gateway 200 via the virtual port 1.
- Step 34 The layer 2 gateway 200 modifies the layer 2 message 1.
- the layer 2 gateway 200 obtains the layer 2 message 1 from the virtual network card 1, confirms that the layer 2 message 1 is not a broadcast message according to the destination MAC address of the layer 2 message 1, and searches the local ARP entry for the MAC address corresponding to the destination IP address (192.168.0.2) of the layer 2 message 1.
- the layer 2 gateway 200 modifies the source MAC address of the layer 2 message 1 to L2 MAC2, and the destination MAC address to VM1 MAC.
- the modified quadruple of the layer 2 message 1 is:
- Source MAC L2 MAC2
- Destination MAC VM1 MAC.
- the correspondence between 192.168.0.2 and VM1 MAC can be sent by the control platform 201 to the layer 2 gateway 200 in advance after the layer 2 gateway 200 is successfully created (or directly set in the layer 2 gateway 200 when the layer 2 gateway 200 is created).
- the Layer 2 gateway 200 receives the corresponding relationship, and records the corresponding relationship in the local ARP entry of the Layer 2 gateway 200.
- Step 35 The layer 2 gateway 200 sends the modified layer 2 message 1 to the virtual port 3.
- the layer 2 gateway 200 sends the modified layer 2 message 1 to the virtual port 2 through the virtual network card 2, and the modified layer 2 message 1 is transmitted to the virtual port 3 via the virtual port 2.
- Step 36 The virtual port 3 receives the layer 2 message 1 from the virtual port 2, confirms the VNI1 according to the virtual port 2, and sends the layer 2 message 2 and VNI1 to the VTEP device 304.
- Step 37 VTEP device 304 confirms VTEP IP1 (VTEP IP of VTEP device 305) according to VNI1, and performs VXLAN encapsulation on layer 2 message 2 to generate VXLAN message 4.
- the VXLAN header of VXLAN message 4 carries VNI1, and the outer destination IP address of VXLAN message 4 is VTEP IP1.
- the inner and outer quadruples of VXLAN packet 4 are as follows:
- Source MAC L2 gateway MAC2
- Destination MAC VM1 MAC.
- Step 38 The VTEP device 304 sends the VXLAN message 4 to the physical network card 2043.
- Step 39 The physical network card 2043 sends the VXLAN message 4 to the top-of-rack switch 207.
- Step 40 The top-of-rack switch 207 sends the VXLAN message 4 to the router 205.
- Step 41 The router 205 sends the VXLAN message 4 to the top-of-rack switch 206 according to the outer destination IP address of the VXLAN message 4.
- Step 42 The top-of-rack switch 206 sends the VXLAN message 4 to the physical network card 2033.
- Step 43 The physical network card 2033 sends the VXLAN message 4 to the VTEP device 305.
- Step 44 The VTEP device 305 decapsulates the VXLAN message 4 to obtain the Layer 2 message 1 and VNI1.
- Step 45 The VTEP device 305 sends the Layer 2 message 1 and VNI1 to the virtual port 7.
- Step 46 The virtual port 7 sends the Layer 2 message 1 to the logical bridge 2034.
- the virtual port 7 receives the Layer 2 message 2 and VNI1, selects the logical bridge 2034 according to VNI1, and sends the Layer 2 message 2 to the logical bridge 2034.
- the computing node 203 also runs VMs of other VPCs.
- the virtual switch 1011 includes multiple logical bridges. Each logical bridge is bound to the VNI of a different VPC.
- the virtual port 7 selects the corresponding logical bridge based on the VNI.
- VNI1 is bound to the logical bridge 2034, and the virtual port 3 determines to send the Layer 2 message 2 to the logical bridge 2034 through VNI1.
- Step 47 The logical bridge 2034 sends the layer 2 message 1 to the virtual port 5 connected to the virtual network card 3 of the VM1 according to the destination MAC address (VM1 MAC) of the layer 2 message 1.
- Step 48 The virtual port 5 sends the layer 2 message 1 to the virtual network card 3 of the VM1.
- VM1 obtains layer 2 message 1 from virtual network card 3, obtains IP message 1 from the data part of layer 2 message 1, obtains request information 1 from the data part of IP message 1, and responds to request information 1 to generate response information 1.
- after generating response information 1, VM1 constructs layer 2 message 2.
- the data part of layer 2 message 2 carries IP message 2, and the data part of IP message 2 carries response information 1.
- the quadruple of Layer 2 message 2 is:
- Source MAC VM1 MAC
- the source IP address and destination IP address of Layer 2 message 2 are obtained by swapping the source and destination IP addresses of Layer 2 message 1, and the source MAC address and destination MAC address of Layer 2 message 2 are obtained by swapping the source and destination MAC addresses of Layer 2 message 1.
- VM1 records the correspondence between the source MAC address (L2 MAC2) of the Layer 2 message 2 and the source IP address (192.168.0.4) of the Layer 2 message 2 in the local ARP table entry of VM1.
- Figure 11 shows a communication method for VM1 to respond to a message. As shown in Figure 11, the method includes the following steps:
- Step 49 VM1 sends Layer 2 message 2 to virtual port 5 through virtual network card 3.
- Step 50 The virtual port 5 sends a Layer 2 message 2 to the logical bridge 2034.
- Step 51 The logical bridge 2034 sends a Layer 2 packet 2 to the virtual port 7.
- the logical bridge 2034 does not have a virtual port bound to L2 MAC2 locally, so the layer 2 packet 2 is sent to the virtual port 7.
- Step 52 The virtual port 7 sends the Layer 2 message 2 and VNI1 to the VTEP device 305.
- the virtual port 7 obtains the Layer 2 message 2 from the logical bridge 2034, and the virtual port 7 confirms the VNI1 according to the logical bridge 2034.
- Step 53 The VTEP device 305 performs VXLAN encapsulation on the layer 2 message 2 to generate a VXLAN message 5.
- VTEP device 305 determines VTEP IP2 according to VNI1, the inner message of VXLAN message 5 is Layer 2 message 2, the VXLAN header of VXLAN message 5 carries VNI1, and the outer destination IP address of VXLAN message 5 is VTEP IP2.
- the outer source IP address is VTEP IP1.
- the inner and outer quadruples of VXLAN message 5 are:
- Source MAC VM1 MAC
- Step 54 The VTEP device 305 sends the VXLAN message 5 to the physical network card 2033.
- Step 55 The physical network card 2033 sends the VXLAN message 5 to the top-of-rack switch 206.
- Step 56 The top-of-rack switch 206 sends the VXLAN message 5 to the router 205.
- Step 57 The router 205 sends the VXLAN message 5 to the top-of-rack switch 207 according to the outer destination IP address of the VXLAN message 5.
- Step 58 The top-of-rack switch 207 sends the VXLAN message 5 to the physical network card 2043 according to the outer destination IP address of the VXLAN message 5.
- Step 59 The physical network card 2043 sends the VXLAN message 5 to the VTEP device 304 according to the outer destination IP address of the VXLAN message 5.
- Step 60 The VTEP device 304 performs VXLAN decapsulation on the VXLAN message 5 to obtain the Layer 2 message 2 and VNI1.
- Step 61 The VTEP device 304 sends the Layer 2 message 2 and VNI1 to the virtual port 3.
- Step 62 The virtual port 3 selects the virtual port 2 according to the VNI1, and sends the layer 2 message 2 to the virtual port 2, and the layer 2 message 2 is sent to the virtual network card 2 via the virtual port 2.
- Step 63 The layer 2 gateway 200 obtains the layer 2 message 2 from the virtual network card 2 and modifies the layer 2 message 2.
- the layer 2 gateway 200 obtains the layer 2 message 2 and, according to the destination IP address 192.168.0.4 of the layer 2 message 2, finds the PM1 MAC corresponding to 192.168.0.4 in the local ARP table of the layer 2 gateway 200; it modifies the destination MAC address of the layer 2 message 2 to PM1 MAC and the source MAC address to L2 MAC1.
- the quadruple of the modified Layer 2 message 2 is:
- Source MAC L2 MAC1
- Destination MAC PM1 MAC.
- Step 64 The layer 2 gateway 200 sends the modified layer 2 message 2 to the virtual port 1 through the virtual network card 1, and the virtual port 1 sends the modified layer 2 message 2 to the virtual port 3.
- Step 65 The virtual port 3 sends the Layer 2 message 2 and VNI0 to the VTEP device 304.
- virtual port 3 receives layer 2 message 2 from virtual port 1, and confirms VNI0 according to virtual port 1.
- Step 66 VTEP device 304 confirms VTEP IP3 (VTEP IP address of VTEP device 301) according to VNI0, and constructs VXLAN packet 6.
- the inner layer of VXLAN packet 6 is Layer 2 packet 2; the VXLAN header of VXLAN packet 6 carries VNI0, the outer destination IP address is VTEP IP3, and the outer source IP address is VTEP IP2.
- the inner and outer quadruples of VXLAN packet 6 are:
- Source MAC L2 MAC1
- Destination MAC PM1 MAC.
- Step 67 The VTEP device 304 sends a VXLAN packet 6 to the physical network card 2043.
- Step 68 The physical network card 2043 sends the VXLAN packet 6 to the top-of-rack switch 207.
- Step 69 The top-of-rack switch 207 sends the VXLAN packet 6 to the router 205.
- Step 70 The router 205 sends the VXLAN message 6 to the VPN gateway 303 according to the outer destination IP address of the VXLAN message 6.
- Step 71 The VPN gateway 303 sends the VPN message 4 to the Internet 30.
- the VPN gateway 302 sets the VXLAN message 6 in the data part of the VPN message 4.
- the source IP address of the VPN header of the VPN message 4 is the public network IP1, and the destination IP address is the public network IP2.
- Step 72 The routing device in the Internet 30 forwards the VPN message 4 to the VPN gateway 302 according to the destination IP address of the VPN message 4.
- Step 73 The VPN gateway 302 strips the VPN header of the VPN message 4, obtains the VXLAN message 6 from the data part of the VPN message 4, and sends the VXLAN message 6 to the VTEP device 301 according to the outer destination IP address of the VXLAN message 6.
- Step 74 VTEP device 301 receives VXLAN message 6, decapsulates VXLAN message 6 to obtain Layer 2 message 2 and VNI0, selects subnet 1 according to VNI0, and sends Layer 2 message 2 to PM1 in subnet 1.
- PM1 receives Layer 2 message 2, obtains IP message 2 from the data part of Layer 2 message 2, and obtains response information 1 from the data part of IP message 2.
- the request information that PM1 sent to VM1 has thus been answered by VM1, and the communication between PM1 and VM1 is completed.
- PM1 may record the source MAC address (L2 MAC1) of layer 2 message 2 and the source IP address (192.168.0.2) of layer 2 message 2 in the local ARP table entry.
- PM1 is unaware of the Layer 2 gateway 200 and of the Layer 2 communication tunnel; PM1 believes that VM1 and PM1 are in the same local area network (192.168.0.0/24). Therefore, in the embodiment of the present invention, PM1 of the off-cloud data center 10 and VM1 of the on-cloud data center 20 can be placed in the same local area network.
- Figure 12 shows a method for VM1 to actively send an ARP request message to PM1.
- VM1 actively communicates with PM1.
- VM1 knows PM1's private network address 192.168.0.4, but VM1's local ARP entry does not record the MAC address corresponding to 192.168.0.4.
- VM1 sends an ARP request message to query the MAC address corresponding to 192.168.0.4.
- the method includes the following steps:
- Step 1' VM1 sends an ARP request message 2 to virtual port 5.
- the four-tuple of ARP request message 2 is:
- Source MAC VM1 MAC
- Step 2' The virtual port 5 sends an ARP request message 2 to the logical bridge 2034.
- Step 3' The logical bridge 2034 sends an ARP reply message 2 to the virtual port 5.
- the four-tuple of ARP reply message 2 is:
- Source MAC L2 MAC1
- after the logical bridge 2034 receives a message sent by a virtual machine connected to the device manager 2031, when it determines that the destination MAC address of the message is FFFF FFFF FFFF, it confirms that the received message is an ARP request message, and further determines whether the destination IP address of the ARP request message is an occupied private network address in subnet 1 (for example, 192.168.0.2 or 192.168.0.3).
- the logical bridge 2034 intercepts the ARP request message and sends an ARP response message to the virtual machine.
- the source MAC address of the ARP response message is L2 MAC2, used to notify VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
- if the private network address is a private network address of subnet 1, the logical bridge 2034 broadcasts the ARP request message on subnet 1.
- Step 4' Virtual port 5 sends ARP reply message 2 to VM1.
- VM1 confirms that the MAC address corresponding to 192.168.0.4 is L2 MAC1 according to the source MAC address of the ARP request message 2.
- VM1 records the correspondence between 192.168.0.4 and L2 MAC1 in the local ARP entry of VM1.
- after VM1 obtains L2 MAC1, it constructs layer 2 message 3 and sends it to virtual port 5.
- the quadruple of this layer 2 message 3 is the same as that of layer 2 message 2 above; the difference lies in the data part of layer 2 message 3, which carries IP message 3, whose data part carries request information 2 instead of response information 1. The data flow direction of layer 2 message 3 in the hybrid cloud communication system is exactly the same as that of layer 2 message 2, so it is not repeated here.
- if the local ARP entry of the Layer 2 gateway 200 does not yet record the MAC address corresponding to 192.168.0.4, the Layer 2 gateway 200 needs to send an ARP request message to the subnet 2 through the virtual network card 1 to obtain the MAC address corresponding to 192.168.0.4.
- the quadruple of the layer 2 message 4 that PM1 constructs to respond to VM1 is the same as that of the layer 2 message 1 described above; the difference lies in the data part of layer 2 message 4, which carries IP message 4, whose data part carries response information 2 instead of request information 1. The data flow direction of layer 2 message 4 in the hybrid cloud communication system is completely consistent with that of layer 2 message 1 above, so it is not repeated here.
- alternatively, after the logical bridge 2034 confirms that the received message is an ARP request message, it can send the ARP request message to the layer 2 gateway 200, and the layer 2 gateway 200 intercepts the ARP request message and returns an ARP reply message to VM1.
- the logical bridge 2034 intercepts the ARP request message, which can prevent the ARP request message from being broadcast in the cloud data center 20.
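The interception, learning and MAC-rewriting behaviour described in Figures 9 to 12 above, written out as a small Python simulation. This is an added example, not code from the patent or from any implementation of it: the class names (L2Gateway, LogicalBridge, Frame), the action strings each method returns and the 02:xx MAC addresses are assumptions chosen for the illustration, while the private addresses are the ones the description uses (VM1 192.168.0.2, PM1 192.168.0.4). It also handles the case the text mentions only in passing, where the gateway has no entry yet for the physical machine and must resolve it on the off-cloud side before forwarding; the sender IP of that query is our assumption.

```python
"""Proxy ARP and MAC rewriting of the Layer 2 gateway, plus the device manager's
logical bridge that answers ARP requests on the cloud side (Figures 9 to 12).

Added example, not the patent's code. Class and method names, the Frame layout
and the 02:xx MAC values are assumptions made for this illustration; the private
addresses are the ones used in the description (VM1 192.168.0.2, PM1 192.168.0.4).
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Four-tuple of a Layer 2 message, plus its kind and data part."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str = "data"          # "arp_request", "arp_reply" or "data"
    payload: bytes = b""


@dataclass
class L2Gateway:
    mac1: str                   # virtual NIC 1, faces the off-cloud subnet (VNI0)
    mac2: str                   # virtual NIC 2, faces the on-cloud subnet (VNI1)
    arp_table: dict = field(default_factory=dict)   # private IP -> MAC, both sides

    def provision(self, ip: str, mac: str) -> None:
        """Correspondence pushed by the control platform once the gateway exists."""
        self.arp_table[ip] = mac

    def _rewrite(self, frame: Frame, src_mac: str, dst_mac: str) -> Frame:
        # Only the MAC addresses change; IP addresses and data part are untouched.
        return Frame(src_mac, dst_mac, frame.src_ip, frame.dst_ip, frame.kind, frame.payload)

    def from_off_cloud(self, frame: Frame):
        """Frame read from virtual NIC 1 (sent by a physical machine through the tunnel)."""
        if frame.dst_mac == BROADCAST:
            if frame.kind != "arp_request":
                return "drop", None         # no broadcast is allowed into the cloud subnet
            self.arp_table[frame.src_ip] = frame.src_mac      # learn PM IP -> MAC (step 12)
            reply = Frame(self.mac1, frame.src_mac, frame.dst_ip, frame.src_ip, "arp_reply")
            return "reply_off_cloud", reply  # benign spoof: "that address is at L2 MAC1"
        if frame.dst_mac != self.mac1:
            return "drop", None
        vm_mac = self.arp_table.get(frame.dst_ip)
        if vm_mac is None:
            return "drop", None             # destination was never provisioned
        return "forward_on_cloud", self._rewrite(frame, self.mac2, vm_mac)   # step 34

    def from_on_cloud(self, frame: Frame):
        """Frame read from virtual NIC 2 (sent by a VM in the cloud subnet)."""
        if frame.dst_mac == BROADCAST:
            if frame.kind != "arp_request":
                return "drop", None
            self.arp_table[frame.src_ip] = frame.src_mac
            reply = Frame(self.mac2, frame.src_mac, frame.dst_ip, frame.src_ip, "arp_reply")
            return "reply_on_cloud", reply
        if frame.dst_mac != self.mac2:
            return "drop", None
        pm_mac = self.arp_table.get(frame.dst_ip)
        if pm_mac is None:
            # PM MAC not learned yet: the gateway resolves it on the off-cloud side itself.
            # Using the VM's IP as the sender of that query is our assumption.
            query = Frame(self.mac1, BROADCAST, frame.src_ip, frame.dst_ip, "arp_request")
            return "arp_query_off_cloud", query
        return "forward_off_cloud", self._rewrite(frame, self.mac1, pm_mac)   # step 63


@dataclass
class LogicalBridge:
    """Bridge inside the device manager: answers ARP for addresses held off-cloud."""
    gateway_mac2: str
    occupied_off_cloud: set = field(default_factory=set)    # private IPs in use off-cloud
    local_ports: dict = field(default_factory=dict)          # VM MAC -> virtual port name

    def from_vm(self, frame: Frame):
        if frame.dst_mac == BROADCAST and frame.kind == "arp_request":
            if frame.dst_ip in self.occupied_off_cloud:
                reply = Frame(self.gateway_mac2, frame.src_mac, frame.dst_ip, frame.src_ip, "arp_reply")
                return "reply_to_vm", reply     # intercepted, never broadcast in the cloud DC
            return "broadcast_on_subnet", frame  # ordinary local ARP
        if frame.dst_mac in self.local_ports:
            return "to_local_port", frame
        return "to_vtep_port", frame            # unknown MAC (e.g. L2 MAC2) goes to the VTEP (step 51)


def pm1_to_vm1_round_trip():
    """PM1 resolves VM1, sends request information 1, VM1 answers with response information 1."""
    gw = L2Gateway(mac1="02:00:00:00:00:01", mac2="02:00:00:00:00:02")
    gw.provision("192.168.0.2", "02:00:00:00:00:aa")          # VM1 MAC from the control platform
    pm1_mac = "02:00:00:00:00:bb"
    _, arp_reply = gw.from_off_cloud(
        Frame(pm1_mac, BROADCAST, "192.168.0.4", "192.168.0.2", "arp_request"))
    request = Frame(pm1_mac, arp_reply.src_mac, "192.168.0.4", "192.168.0.2", payload=b"request 1")
    _, to_vm1 = gw.from_off_cloud(request)
    response = Frame(to_vm1.dst_mac, to_vm1.src_mac, "192.168.0.2", "192.168.0.4", payload=b"response 1")
    _, to_pm1 = gw.from_on_cloud(response)
    return arp_reply, to_vm1, to_pm1
```

The two drop branches are the part worth checking in a real implementation: a broadcast that is not an ARP request never crosses into the cloud subnet, and a unicast frame addressed to anything other than the gateway's own MAC on that side is discarded, so the gateway never degrades into a general bridge between the two data centers.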
- FIG. 13 is a schematic diagram of the device structure of a layer 2 gateway in a hybrid cloud environment according to an embodiment of the present invention.
- the Layer 2 gateway 200 includes a receiving module 2001, a sending module 2002, a corresponding relationship acquisition module 2003, and a MAC address conversion module 2004.
- the receiving module 2001 is used to perform the actions of receiving messages in the above embodiments; the sending module 2002 is used to perform the actions of sending messages in the above embodiments; the correspondence acquisition module 2003 is used to perform the actions, in the above embodiments, of learning and recording the correspondence between the private network address and the MAC address of the virtual machine and the correspondence between the private network address and the MAC address of the physical machine; and the MAC address conversion module 2004 is used to perform the actions of modifying messages in the above embodiments.
- FIG. 14 is a schematic diagram of a device structure of a management device in a hybrid cloud environment according to an embodiment of the present invention.
- the management device 2000 includes a gateway creation module 2021 and a gateway configuration module 2022.
- the gateway creation module 2021 is used to execute the method of creating the layer 2 gateway 200 in the above embodiment, and the gateway configuration module 2022 is used to execute the method of configuring the Layer 2 gateway 200 in the above embodiment.
- the management device 2000 can be set in the control platform 201 as a functional module of the control platform 201.
- FIG. 15 is a schematic diagram of another apparatus structure of a layer 2 gateway according to an embodiment of the present invention.
- the layer 2 gateway 200 includes a processor 2006, a memory 2007, a first network interface 2008, a second network interface 2009, and a bus 2010.
- the memory 2007 stores program instructions, and the processor 2006 executes the program instructions to implement the related functions of the Layer 2 gateway 200 described in the foregoing embodiment.
- the virtual switch 2042 and the VTEP device 304 connected to the Layer 2 gateway 200 described in FIGS. 9 to 12 can be implemented by a VXLAN switch that has switching functions as well as VXLAN encapsulation and decapsulation functions.
- the Layer 2 gateway 200 may be a general-purpose computing device that implements Network Functions Virtualization (NFV).
- FIG. 16 is a schematic diagram of another device structure of a management device in a hybrid cloud environment according to an embodiment of the present invention. As shown in Figure 15, it includes a processor 2023, a memory 2024, a network interface 2025, and a bus 2026.
- the memory 2024 stores program instructions, and the processor 2023 executes the program instructions to implement the management method in the hybrid cloud environment described in the foregoing embodiment.
- the embodiment of the present invention also provides a computer program product that realizes the functions of the above-mentioned Layer 2 gateway, and a computer program product that realizes the functions of the above-mentioned control platform; each of the above-mentioned computer program products includes a computer-readable storage medium storing program code.
- the instructions included in the program code are used to execute the method flow described in any one of the foregoing method embodiments.
- the aforementioned storage medium includes a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, random-access memory (RAM), a solid state disk (SSD), or various other non-transitory machine-readable media that can store program code, such as non-volatile memory.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Power Engineering (AREA)
- Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
An embodiment of the present invention provides a communication method and gateway, and a management method and apparatus, in a hybrid cloud environment. The communication method in the hybrid cloud environment is used for communication between a first data center and a second data center. The hybrid cloud environment includes the first data center and the second data center; the first data center is used to provide non-public-cloud services, and the second data center is used to provide public cloud services. The second data center is provided with a gateway, which is remotely connected through a communication tunnel to a first subnet of the first data center and is connected to a second subnet of the second data center; the first subnet and the second subnet have the same private network segment. The method includes the following steps: the Layer 2 gateway receives a first Address Resolution Protocol (ARP) request message sent by a first device in the first subnet, the first ARP request message requesting the MAC address of a second device in the second subnet; the gateway sends a first ARP reply message to the first device, the first ARP reply message carrying a first MAC address of the gateway. By the above scheme, Layer 2 interworking between the on-cloud data center and the off-cloud data center is achieved.
Description
The present application relates to the field of cloud technology, and in particular to a communication method and gateway, and a management method and apparatus, in a hybrid cloud environment.
With the development of cloud technology, many enterprises are gradually migrating the off-cloud devices of their off-cloud data centers into the public cloud, and there is a demand for Layer 2 interworking between the on-cloud data center and the off-cloud data center. However, for security reasons, Layer 2 interworking between the on-cloud data center and the off-cloud data center is currently not possible, which limits hybrid cloud communication scenarios.
Summary of the invention
To solve the problems of the prior art, the present application provides a communication method and gateway, and a management method and apparatus, in a hybrid cloud environment, which can effectively solve the technical problem that the on-cloud data center and the off-cloud data center cannot interwork at Layer 2.
In a first aspect, the present application provides a communication method in a hybrid cloud environment. The method is used for communication between a first data center and a second data center. The hybrid cloud environment includes the first data center and the second data center; the first data center is used to provide non-public-cloud services, and the second data center is used to provide public cloud services. The second data center is provided with a Layer 2 gateway, which is remotely connected through a Layer 2 communication tunnel to a first subnet of the first data center and is connected to a second subnet of the second data center; the first subnet and the second subnet have the same private network segment. The method includes the following steps: the Layer 2 gateway receives a first Address Resolution Protocol (ARP) request message sent by a first device in the first subnet, the first ARP request message requesting the MAC address of a second device in the second subnet; the Layer 2 gateway sends a first ARP reply message to the first device, the first ARP reply message carrying a first MAC address of the Layer 2 gateway.
The first ARP request message is a broadcast message from the first data center. The Layer 2 gateway of the second data center intercepts the first ARP request message, which prevents it from being broadcast in the second data center and thus preserves the security of the second data center. Moreover, intercepting the first ARP request message also prevents large numbers of broadcast messages from the first data center from appearing in the second data center, so that broadcast messages generated in the second data center do not place a network burden on the first data center.
Furthermore, by returning to the first device a first ARP reply message carrying the first MAC address of the Layer 2 gateway, the Layer 2 gateway performs benign MAC address spoofing on the first device, making the first device believe that the MAC address of the second device is the first MAC address of the Layer 2 gateway. From the first device's point of view, the MAC address of the second device is then the first MAC address of the Layer 2 gateway; because the first ARP message that was sent by broadcast has been answered, the first device concludes that the first device and the second device are in the same local area network, and the first device can access the second device by accessing the first MAC address of the Layer 2 gateway, so that Layer 2 interworking between the first device and the second device is achieved.
With reference to the first aspect, in one possible implementation, when the first ARP request message and the first ARP reply message are transmitted through the Layer 2 communication tunnel, their source MAC address, destination MAC address, source IP address and destination IP address all remain unchanged.
With reference to the first aspect, in one possible implementation, the Layer 2 gateway obtains and records a first correspondence between the private network address and the MAC address of the second device in the second subnet. After the first device obtains the first MAC address of the Layer 2 gateway and accesses the second device via the Layer 2 gateway, the Layer 2 gateway, according to the first correspondence, modifies the destination MAC address of the message sent by the first device from the first MAC address of the Layer 2 gateway to the MAC address of the second device, so that the message can reach the second device. Thus, by learning and recording the first correspondence, the Layer 2 gateway can connect the first subnet and the second subnet.
With reference to the first aspect, in one possible implementation, the Layer 2 gateway may receive, from the control platform of the second data center, the first correspondence between the private network address and the MAC address of the second device in the second subnet, and record the first correspondence in a local ARP entry.
The control platform has management authority over the devices of the second data center; after the second device is created in the second data center, the control platform records the first correspondence between the private network address and the MAC address of the second device.
With reference to the first aspect, in one possible implementation, the above method further includes the following steps: the Layer 2 gateway receives a first message sent by the first device through the Layer 2 communication tunnel. Specifically, the destination IP address of the first message includes the private network address of the second device, its destination MAC address includes the first MAC address of the Layer 2 gateway, its source IP address includes the private network address of the first device, and its source MAC address includes the MAC address of the first device. The Layer 2 gateway obtains the MAC address of the second device from the first correspondence recorded above according to the private network address of the second device carried in the first message, modifies the destination MAC address of the first message to the MAC address of the second device, modifies the source MAC address of the first message to a second MAC address of the Layer 2 gateway, and sends the modified first message to the second device.
After receiving the first ARP reply message, the first device believes that the MAC address of the second device is the first MAC address of the Layer 2 gateway carried in the first ARP reply message. The first device constructs, according to the first MAC address of the Layer 2 gateway, a first message addressed to the first MAC address of the Layer 2 gateway and sends the first message to the Layer 2 gateway. The Layer 2 gateway modifies the MAC addresses of the first message so that the destination MAC address of the modified first message is the MAC address of the second device, and sends the modified first message to the second device, thereby achieving cross-data-center transmission of the first message from the first device to the second device.
Therefore, the Layer 2 gateway can connect the first device and the second device such that each of them believes the other is in the same local area network as itself.
With reference to the first aspect, in one possible implementation, the source IP address of the first ARP request message includes the private network address of the first device and its source MAC address includes the MAC address of the first device, and the above method further includes the following step: the Layer 2 gateway learns and records a second correspondence between the private network address of the first device and the MAC address of the first device.
When the second device accesses the first device via the Layer 2 gateway, the Layer 2 gateway modifies the destination MAC address of the message sent by the second device according to the second correspondence, so that the message can reach the first device.
With reference to the first aspect, in one possible implementation, after the Layer 2 gateway learns and records the second correspondence between the private network address and the MAC address of the first device, the Layer 2 gateway receives a second message sent by the second device, where the destination IP address of the second message includes the private network address of the first device, its destination MAC address includes the second MAC address of the Layer 2 gateway, its source IP address includes the private network address of the first device, and its source MAC address includes the MAC address of the second device. The Layer 2 gateway obtains the MAC address of the first device from the second correspondence according to the private network address of the first device carried in the second message, modifies the destination MAC address of the second message to the MAC address of the first device, modifies the source MAC address of the second message to the first MAC address of the Layer 2 gateway, and sends the modified second message to the first device through the Layer 2 communication tunnel.
After receiving the second message that the second device sends to the Layer 2 gateway, the Layer 2 gateway modifies the MAC addresses of the second message so that the destination MAC address of the modified second message is the MAC address of the first device, and sends the modified message to the first device, thereby achieving cross-data-center transmission of the second message from the second device to the first device.
With reference to the first aspect, in one possible implementation, before the Layer 2 gateway receives the second message sent by the second device, the second device determines the MAC address corresponding to the private network address of the first device as follows: the Layer 2 gateway receives a second ARP request message sent by the second device, the second ARP request message requesting the MAC address of the first device in the first subnet, and the Layer 2 gateway sends a second ARP reply message to the second device, the second ARP reply message carrying the second MAC address of the Layer 2 gateway.
By answering the second ARP request message sent by the second device on its behalf (a proxy reply), the Layer 2 gateway makes the second device believe that the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway.
With reference to the first aspect, in one possible implementation, the second data center further includes a device manager connected to the second device. Before the Layer 2 gateway receives the second message sent by the second device, the second device also needs to determine the MAC address corresponding to the private network address of the first device: the device manager receives a second ARP request message sent by the second device, the second ARP request message requesting the MAC address of the first device in the first subnet, and the device manager sends a second ARP reply message to the second device, the second ARP reply message carrying the second MAC address of the Layer 2 gateway.
By having the device manager answer the second ARP request message sent by the second device on its behalf, the second device is made to believe that the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway. Moreover, intercepting the second ARP request message at the device manager connected to the second device minimizes the number of times the second ARP request message is broadcast in the second data center.
With reference to the first aspect, in one possible implementation, the device manager and the second device are located in the same computing node.
In a second aspect, the present application provides a management method for a hybrid cloud environment. The hybrid cloud environment includes a first data center and a second data center; the first data center is used to provide non-public-cloud services, and the second data center is used to provide public cloud services; a first subnet of the first data center and a second subnet of the second data center are configured with the same private network segment. The method includes the following steps: creating a Layer 2 gateway located in the second data center, the Layer 2 gateway being remotely connected through a Layer 2 communication tunnel to the first subnet of the first data center and connected to the second subnet in the second data center; and configuring on the Layer 2 gateway an interception module, which is used to intercept a first Address Resolution Protocol (ARP) request message sent by a first device in the first subnet for a second device in the second subnet and to return a first ARP reply message to the first device, where the first ARP reply message carries a first MAC address of the Layer 2 gateway.
By setting up the Layer 2 gateway in the second data center to intercept the first ARP request message, the first ARP request message is prevented from being broadcast in the second subnet of the second data center, which preserves the security of the second data center; at the same time, large numbers of broadcast messages from the first data center are prevented from appearing in the second data center, so that broadcast messages generated in the second data center do not place a network burden on the first data center.
With reference to the second aspect, in one possible implementation, the above method further includes the following step: configuring on the Layer 2 gateway a learning module, which is used to learn and record the correspondence between the IP address and the MAC address of the first device carried in the first ARP request message.
After the first device obtains the first MAC address of the Layer 2 gateway and accesses the second device via the Layer 2 gateway, the Layer 2 gateway, according to the learned first correspondence, modifies the destination MAC address of the message sent by the first device from the first MAC address of the Layer 2 gateway to the MAC address of the second device, so that the message can reach the second device.
With reference to the second aspect, in one possible implementation, the above method further includes the following step: configuring on the Layer 2 gateway a reply module, which is used to receive a second ARP request message sent by the second device in the second subnet for the first device and to return a second ARP reply message to the second device, the second ARP reply message carrying a second MAC address of the Layer 2 gateway.
By configuring the Layer 2 gateway to answer the second ARP request message sent by the second device on its behalf, the second device is made to believe that the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway; the second device is thus benignly deceived into believing that the first device and the second device are in the same local area network.
With reference to the second aspect, in one possible implementation, the above method further includes the following step: configuring a device manager to receive a second ARP request message sent by the second device for the first device and to return a second ARP reply message to the second device, the second ARP reply message carrying the second MAC address of the Layer 2 gateway, where the device manager is connected to the second device.
By having the device manager answer the second ARP request message sent by the second device on its behalf, the second device is made to believe that the MAC address corresponding to the private network address of the first device is the second MAC address of the Layer 2 gateway; moreover, intercepting the second ARP request message at the device manager connected to the second device minimizes the number of times the second ARP request message is broadcast in the second data center.
In a third aspect, the present application provides a Layer 2 gateway for a hybrid cloud environment, including functional modules capable of executing the communication method in a hybrid cloud environment, with the Layer 2 gateway as the executing entity, provided in the first aspect and any possible implementation of the first aspect.
In a fourth aspect, the present application provides a management apparatus for a hybrid cloud environment, including functional modules capable of executing the management method in a hybrid cloud environment provided in the second aspect and any possible implementation of the second aspect.
In a fifth aspect, the present application provides a Layer 2 gateway for a hybrid cloud environment, including a first network interface, a second network interface, a memory and a processor. The memory stores program instructions, and the processor runs the program instructions so as to execute the communication method in a hybrid cloud environment, with the Layer 2 gateway as the executing entity, provided in the first aspect and its possible implementations.
In a sixth aspect, the present application provides a management apparatus for a hybrid cloud environment, including a network interface, a memory and a processor. The memory stores program instructions, and the processor runs the program instructions to execute the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
In a seventh aspect, the present application provides a computer program product including program code; the instructions included in the program code are executed by a computer to perform the communication method in a hybrid cloud environment, with the Layer 2 gateway as the executing entity, provided in the first aspect and its possible implementations.
In an eighth aspect, the present application provides a computer-readable storage medium including program instructions which, when run on a computer, cause the computer to execute the communication method in a hybrid cloud environment, with the Layer 2 gateway as the executing entity, provided in the first aspect and its possible implementations.
In a ninth aspect, the present application provides a computer program product including program code; the instructions included in the program code are executed by a computer to perform the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
In a tenth aspect, the present application provides a computer-readable storage medium including program instructions which, when run on a computer, cause the computer to execute the management method in a hybrid cloud environment provided in the second aspect and its possible implementations.
In an eleventh aspect, the present application provides a configuration method for communication in a hybrid cloud environment, characterized in that the hybrid cloud environment includes a first data center and a second data center; the first data center is used to provide non-public-cloud services, and the second data center is used to provide public cloud services; a first subnet of the first data center and a second subnet of the second data center are configured with the same private network segment. The method includes: providing a configuration page that prompts the user to create a gateway in the second data center and to enter the information of the first subnet that the gateway needs to connect to, as well as the local-end tunnel information and the remote-end tunnel information of the communication tunnel that the gateway needs to connect to; creating the gateway according to the information on the configuration page; and, after the gateway is created successfully, providing a prompt page that indicates the address of the virtual tunnel end point (VTEP) device connected to the gateway.
With reference to the eleventh aspect, in one possible implementation, the local-end tunnel information includes the information of the remote connection gateway of the second data center, and the remote-end tunnel information includes the tunnel identifier of the second subnet of the first data center and the address of the VTEP device connected to the second subnet.
For the beneficial effects of the third to eleventh aspects of the present application, reference may be made to the description of the beneficial effects of the first and second aspects and their possible designs, which is not repeated here.
Figure 1 is a diagram of the data format of a Virtual Extensible Local Area Network (VXLAN) message;
Figure 2 is a schematic diagram of the system structure of a hybrid cloud communication system;
Figure 3 is a flowchart of a configuration method in a hybrid cloud environment according to an embodiment of the present invention;
Figure 4 is a schematic diagram of the system structure of a hybrid cloud environment according to an embodiment of the present invention;
Figure 5 is a data interaction diagram of a communication method in a hybrid cloud environment according to an embodiment of the present invention;
Figure 6 is another data interaction diagram of a communication method in a hybrid cloud environment according to an embodiment of the present invention;
Figure 7 is another schematic diagram of the system structure of a hybrid cloud environment according to an embodiment of the present invention;
Figures 8a to 8c are schematic diagrams of the interactive interface provided by the control platform according to an embodiment of the present invention;
Figure 9 is a message flow diagram of the Layer 2 gateway making a proxy reply to a physical machine according to an embodiment of the present invention;
Figure 10 is a message flow diagram of a physical machine actively sending a message to a virtual machine according to an embodiment of the present invention;
Figure 11 is a message flow diagram of a virtual machine replying to a physical machine according to an embodiment of the present invention;
Figure 12 is a message flow diagram of the device manager making a proxy reply to a virtual machine according to an embodiment of the present invention;
Figure 13 is a schematic diagram of the apparatus structure of a Layer 2 gateway in a hybrid cloud environment according to an embodiment of the present invention;
Figure 14 is a schematic diagram of the apparatus structure of a management apparatus in a hybrid cloud environment according to an embodiment of the present invention;
Figure 15 is a schematic diagram of another apparatus structure of a Layer 2 gateway according to an embodiment of the present invention;
Figure 16 is a schematic diagram of another apparatus structure of a management apparatus in a hybrid cloud environment according to an embodiment of the present invention.
First, the terms involved in the embodiments of the present invention are explained as follows:
Public cloud service: that is, Infrastructure as a Service (IaaS), which refers to providing the infrastructure offered by a public cloud service provider as a service over the Internet. In this service model, users do not build a data center themselves but use infrastructure such as servers, storage and networking by renting it. Public cloud services are realized by providing virtual environments (for example, virtual machines); the core attribute of the public cloud is that multiple users share the cloud infrastructure while being isolated from one another.
Non-public-cloud service: infrastructure dedicated to a single user, for example private cloud services and on-premises services.
Private cloud service: a single user owns infrastructure such as servers, storage and networking and has full control over it. Private cloud services are realized by providing virtual environments (for example, virtual machines), and their core attribute is that a single user has exclusive use of the infrastructure.
On-premises service: a single user builds its own infrastructure such as servers, storage and networking locally and has exclusive use of that self-built infrastructure. On-premises services are realized with physical machines.
On-cloud data center: a data center that provides public cloud services.
Off-cloud data center: a data center that provides non-public-cloud services. Where the off-cloud data center provides on-premises services, it includes multiple physical machines; where it provides private cloud services, it includes multiple virtual machines.
Public network address: public network addresses are managed by the Internet Network Information Center (Internet NIC). A public network address is an IP address that can be addressed on the Internet.
Private network address: an IP address that cannot be addressed on the Internet and can only be addressed within a local area network; private network addresses are prohibited from appearing on the Internet.
Private network addresses are reserved ranges of IP addresses; their classes, network segments and counts are shown in the following table:

| Private address class | Network segment | Number of usable private addresses |
| --- | --- | --- |
| Class A private addresses | 192.168.0.0/16 | 65,532 |
| Class B private addresses | 172.16.0.0/12 | 1,048,572 |
| Class C private addresses | 10.0.0.0/8 | 16,777,212 |
Virtual Private Cloud (VPC): a VPC is set up in the public cloud; it is the local area network that a public cloud user has in the cloud data center.
Specifically, a VPC isolates a virtual network: each VPC has its own tunnel identifier, and each tunnel identifier corresponds to one virtualized network. Messages between virtual machines in the same VPC carry the same tunnel identifier and are then sent over the physical network. Virtual machines in different VPCs carry different tunnel identifiers and sit in two different routing planes, so they cannot communicate with each other; logical isolation follows naturally.
The tunnel identifier may be, for example, a Virtual Local Area Network Identification (VLAN ID) or a Virtual Network Identifier (VNI).
A Media Access Control (MAC) address identifies the location of a network device. In the seven-layer Open System Interconnection (OSI) model, layer 3 (the network layer) handles IP addresses and layer 2 (the data link layer) handles MAC addresses. A MAC address uniquely identifies a network interface card (NIC); a device with one or more NICs has a unique MAC address for each NIC.
Data frame: the protocol data unit of the data link layer, layer 2 of the OSI model. A data frame consists of an Ethernet header and a data part. The Ethernet header carries control information such as address information (the source and destination MAC addresses); the data part carries what the network layer handed down, for example an IP packet, whose IP header and data part both sit inside the data part of the frame.
Layer-2 message: a data frame whose data part carries an IP packet. The four-tuple of a layer-2 message is the source IP address, destination IP address, source MAC address and destination MAC address; the MAC addresses are in the Ethernet header of the frame and the IP addresses are in the IP header of the IP packet.
Address Resolution Protocol (ARP): Ethernet requires that a host on a LAN know the MAC address of another host before communicating with it directly, whereas in TCP/IP the network and transport layers only deal with the target host's IP address. When IP runs over Ethernet, the data handed from IP to the Ethernet layer therefore contains only the destination host's IP address, and a way is needed to obtain the MAC address from it. This is what ARP does: address resolution is the process by which a host translates a target IP address into a target MAC address. The host broadcasts an ARP request carrying the target IP address to all hosts on the LAN and receives an ARP reply from the host that owns that IP address; the reply carries the target host's MAC address, from which the host determines it. After receiving the reply, the host stores the IP-to-MAC mapping in its local ARP table for a period of time and consults the table for subsequent requests, saving resources. ARP is an essential protocol inside a LAN.
VXLAN: an overlay network technology; see Figure 1, a schematic of the VXLAN packet format. A VXLAN packet encapsulates an inner message in the data part (payload) of a User Datagram Protocol (UDP) datagram. As Figure 1 shows, the UDP payload carries the VXLAN header, the inner Ethernet header, the inner IP header and the data part (payload) of the IP packet. The inner message of the VXLAN packet consists of the inner Ethernet header, the inner IP header and the IP data part; the inner Ethernet header records the source and destination MAC addresses of the inner message and the inner IP header records its source and destination IP addresses.
A VXLAN packet also carries a tunnel encapsulation header made up of the outer Ethernet header, the outer IP header, the outer UDP header and the VXLAN header. The VXLAN header consists of a VXLAN Flags field (8 bits), a Reserved field (24 bits), the VNI (24 bits) and a further Reserved field (8 bits).
The outer Ethernet header records the source and destination MAC addresses of the VXLAN Tunnel End Points (VTEPs); the outer IP header records the source and destination IP addresses of the VTEPs.
A VXLAN tunnel end point is referred to below as a VTEP device. A VTEP device is the end point of a VXLAN tunnel: it encapsulates an inner message by prepending the outer Ethernet header, outer IP header, outer UDP header and VXLAN header, producing a VXLAN packet; and it decapsulates a VXLAN packet by stripping those four headers to recover the inner message. During decapsulation the VTEP device reads the VNI from the VXLAN header; the VNI identifies which VPC the inner message belongs to.
During VXLAN encapsulation the VTEP device places the layer-2 message in the VXLAN packet as the inner message. In the outer Ethernet header of the tunnel encapsulation header it records its own MAC address as the source MAC address and the next-hop device's MAC address as the destination MAC address; in the outer IP header it records its own IP address as the source IP address and the peer VTEP device's IP address as the destination IP address; and it writes the VNI into the VNI field of the VXLAN header. The next-hop device is the network device connected to the VTEP device that is the next hop on the routing path from this VTEP device to the peer VTEP device, as determined by the destination IP address recorded in the outer IP header.
The IP address of a VTEP device is called the VTEP IP in the embodiments, and its MAC address the VTEP MAC.
Layer-2 communication tunnel: a communication tunnel built with overlay network technology. A layer-2 message travels through the tunnel as the inner message of a VXLAN packet, and its source and destination MAC addresses remain unchanged in transit.
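The encapsulation just described, as an added example that is not part of the patent text: a minimal VTEP in Python that builds the outer Ethernet, IPv4, UDP and VXLAN headers around a layer-2 frame and strips them again, checking the outer IPv4 checksum, the destination VTEP IP, the UDP port 4789 and the VXLAN I flag before trusting the VNI. The `Vtep` class, its `peers` table (standing in for the VNI-to-peer-VTEP mapping the text says the control platform installs) and all addresses and VNIs below are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port
VXLAN_FLAG_I = 0x08        # "I" bit: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (0 when valid)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet header (destination, source, type) followed by the payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


@dataclass
class Vtep:
    """A VXLAN tunnel end point: its VTEP IP and VTEP MAC, the (assumed)
    VNI -> peer VTEP IP table, and the MAC of the next-hop device."""
    ip: str
    mac: str
    peers: dict
    next_hop_mac: str

    def encapsulate(self, inner_frame: bytes, vni: int) -> bytes:
        """Prepend outer Ethernet, IPv4, UDP and VXLAN headers to a layer-2 message."""
        peer_ip = self.peers[vni]               # KeyError if the VNI is not configured
        vx = vxlan_header(vni)
        udp_len = 8 + len(vx) + len(inner_frame)
        # UDP checksum 0 is allowed for VXLAN over IPv4; a real VTEP derives the
        # source port from a hash of the inner frame, fixed here for determinism.
        udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                         IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(self.ip).packed,
                         ipaddress.IPv4Address(peer_ip).packed)
        ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
        return ethernet_frame(self.next_hop_mac, self.mac, ETHERTYPE_IPV4,
                              ip + udp + vx + inner_frame)

    def decapsulate(self, packet: bytes) -> tuple:
        """Strip the tunnel headers and return (VNI, inner frame); reject anything
        that is not a well-formed VXLAN packet addressed to this VTEP."""
        if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
            raise ValueError("outer frame is not IPv4")
        ihl = (packet[14] & 0x0F) * 4
        ip = packet[14:14 + ihl]
        if ipv4_checksum(ip) != 0:
            raise ValueError("bad outer IPv4 checksum")
        if ip[9] != IPPROTO_UDP:
            raise ValueError("outer protocol is not UDP")
        if ipaddress.IPv4Address(ip[16:20]) != ipaddress.IPv4Address(self.ip):
            raise ValueError("packet is not addressed to this VTEP")
        _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[14 + ihl:22 + ihl])
        if dst_port != VXLAN_UDP_PORT:
            raise ValueError("UDP destination port is not VXLAN")
        flags, vni_field = struct.unpack("!B3xI", packet[22 + ihl:30 + ihl])
        if not flags & VXLAN_FLAG_I:
            raise ValueError("VXLAN I flag not set")
        inner = packet[30 + ihl:14 + ihl + udp_len]
        return vni_field >> 8, inner


if __name__ == "__main__":
    # Constructed addresses standing in for VTEP IP1 / VTEP IP2 and VNI0 of the text.
    vtep301 = Vtep("10.10.0.1", "02:00:00:00:03:01", {100: "10.20.0.1"}, "02:00:00:00:03:02")
    vtep304 = Vtep("10.20.0.1", "02:00:00:00:03:04", {100: "10.10.0.1"}, "02:00:00:00:03:03")
    arp = ethernet_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:04", 0x0806, b"who-has 192.168.0.2")
    vni, inner = vtep304.decapsulate(vtep301.encapsulate(arp, 100))
    print(vni, inner == arp)   # 100 True
```

The inner frame comes back byte-for-byte unchanged, which is the property the tunnel relies on: the layer-2 gateway described later sees exactly the MAC addresses the physical machine put on the wire. The checks in `decapsulate` are the minimum a VTEP should apply before it acts on a VNI received from the network.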
Figure 2 is a schematic of the structure of a hybrid cloud communication system. As shown in Figure 2, the system comprises an off-cloud data center 10 and a cloud data center 20, each connected to the Internet (not shown) and located in different geographic locations.
Cloud data center 20 provides public cloud services. It is maintained by the public cloud provider, and users purchase and use the public cloud services it provides.
Control platform 201 of cloud data center 20 provides a user interface such as a configuration page or an application programming interface (API). The user enters configuration information through that interface, and control platform 201 creates a VPC1 dedicated to the user in cloud data center 20 according to the configuration information, sets up subnet 1 (192.168.0.0/24) in VPC1 and creates virtual machine VM1 in subnet 1; VM1 runs on compute node 203 of cloud data center 20.
VM1's private address is 192.168.0.2, which belongs to the private address range of subnet 1.
Specifically, control platform 201 is connected to device manager 2031 of compute node 203 and, according to the configuration information, directs device manager 2031 to create VM1 on compute node 203 and to set VM1's private address to 192.168.0.2.
Control platform 201 manages all devices of cloud data center 20: for example it allocates and records the private addresses and MAC addresses of all virtual machines in a VPC, records the VTEP IP and VTEP MAC of VTEP devices, and performs full life-cycle management of the virtual machines in a VPC (creation, deletion, restart, resizing, network reconfiguration, storage reconfiguration and so on).
Control platform 201 is, for example, a Software Defined Network (SDN) controller. Device manager 2031 is, for example, a Virtual Machine Monitor (VMM) or hypervisor.
In this embodiment off-cloud data center 10 provides on-premises services and comprises physical machine PM1 in subnet 2 (192.168.0.0/24); PM1's private address is 192.168.0.4. Subnet 1 and subnet 2 have the same private address range, and PM1's private address 192.168.0.4 differs from VM1's private address 192.168.0.2.
Off-cloud data center 10 may be, for example, a server cluster in a machine room that the user owns or rents, or a home network built from a router and personal computers.
The user therefore has administrative rights over every device in off-cloud data center 10, but in cloud data center 20 only over VPC1.
The user's administrative rights over VPC1 are obtained by paying the public cloud provider.
Subnet 1 and subnet 2 belong to the same private address range 192.168.0.0/24, but PM1 and VM1 have different private addresses. The user wants subnet 1 in cloud data center 20 and subnet 2 in off-cloud data center 10 to interconnect so that PM1 and VM1 sit in one subnet; to that end a layer-2 communication tunnel 30 can be set up between subnet 1 and subnet 2.
Off-cloud data center 10 and cloud data center 20 are connected remotely through layer-2 communication tunnel 30, which can be implemented with a remote connection gateway and a layer-2 tunnel gateway. The remote connection gateway is, for example, a Virtual Private Network (VPN) gateway or a leased-line gateway; the layer-2 tunnel gateway can be built with a large layer-2 technology such as Virtual eXtensible Local Area Network (VXLAN) or Generic Routing Encapsulation (GRE). A layer-2 message keeps its source and destination MAC addresses while crossing layer-2 communication tunnel 30; the details are explained in the embodiments below.
In the embodiment, PM1 communicates with VM1 for the first time. PM1 knows VM1's private address 192.168.0.2 but not VM1's MAC address, so PM1 must broadcast an ARP request in subnet 2. The ARP request's source MAC address is PM1's MAC address, its source IP address is PM1's private address, its destination MAC address is FFFF FFFF FFFF (the broadcast address) and its destination IP address is VM1's private address; it asks for the MAC address corresponding to VM1's private address 192.168.0.2. The ARP request is broadcast in subnet 2, sent through layer-2 communication tunnel 30 to subnet 1, and broadcast in subnet 1.
For security reasons, however, control platform 201 forbids ARP requests originating from off-cloud data center 10 from being broadcast in subnet 1. VM1 never receives the ARP request, PM1 never receives an ARP reply from VM1, and PM1 cannot obtain VM1's MAC address. Even though subnet 1 and subnet 2 are connected by layer-2 communication tunnel 30, PM1 and VM1 remain isolated at layer 2.
To address this problem, an embodiment of the invention provides a management method for a hybrid cloud environment. See Figure 3, a flowchart of the management method according to an embodiment; the method comprises the following steps:
Step S101: create layer-2 gateway 200.
In this step control platform 201 creates layer-2 gateway 200 in subnet 1 according to the configuration information. Layer-2 gateway 200 has NIC 1 and NIC 2; NIC 1 carries MAC address 1 of layer-2 gateway 200 and NIC 2 carries its MAC address 2.
Step S102: configure layer-2 gateway 200.
In this step control platform 201 attaches NIC 1 to layer-2 communication tunnel 30, thereby connecting it to subnet 2, and attaches NIC 2 to subnet 1.
Control platform 201 also configures layer-2 gateway 200 to intercept ARP requests from PM1 in subnet 2 that target VM1 in subnet 1, and to return an ARP reply to PM1 carrying MAC address 1, the address of NIC 1 through which layer-2 gateway 200 connects to subnet 2.
Further, control platform 201 may configure layer-2 gateway 200 to perform MAC address translation on layer-2 messages received on NIC 1: when the gateway determines that a message's destination IP address is VM1's IP address, it looks up VM1's MAC address by that IP address, changes the message's destination MAC address from MAC address 1 to VM1's MAC address, changes its source MAC address from PM1's MAC address to MAC address 2, and sends the translated message into subnet 1 through NIC 2.
Likewise, control platform 201 may configure layer-2 gateway 200 to perform MAC address translation on layer-2 messages received on NIC 2: when a message's destination IP address is PM1's IP address, the gateway looks up PM1's MAC address by that IP address, changes the destination MAC address from MAC address 2 to PM1's MAC address, changes the source MAC address from VM1's MAC address to MAC address 1, and sends the translated message into subnet 2 through NIC 1.
Step S103: configure device manager 2031.
Control platform 201 configures device manager 2031 to intercept ARP requests from VM1 that target PM1 in subnet 2, and to return an ARP reply to VM1 carrying MAC address 2, the address of NIC 2 through which layer-2 gateway 200 connects to subnet 1.
Optionally, in other embodiments control platform 201 may instead, in step S102, configure layer-2 gateway 200 to intercept ARP requests from VM1 that target PM1 in subnet 2 and to return an ARP reply to VM1 carrying MAC address 2 of NIC 2. Because layer-2 gateway 200 then intercepts VM1's ARP requests, device manager 2031 need not be configured to do so, and step S103 can be omitted in that embodiment.
Since device manager 2031 resides on the same compute node 203 as VM1, having device manager 2031 intercept VM1's ARP requests confines those requests to compute node 203 and reduces the network load in cloud data center 20.
After this configuration the hybrid cloud environment becomes the one shown in Figure 4, a schematic of the system structure according to an embodiment. Compared with the previous embodiment, layer-2 gateway 200 has been added: its NIC 1 is connected to layer-2 communication tunnel 30 and thus to subnet 2, and its NIC 2 is connected to subnet 1.
The communication between subnet 1 and subnet 2 in the hybrid cloud environment of Figure 4 is described below with reference to Figure 5.
Figure 5 is a data interaction diagram of the communication method in the hybrid cloud environment according to an embodiment. In this embodiment PM1 initiates communication with VM1. Because the network and transport layers of TCP/IP only deal with the target host's IP address, on first contact PM1 knows VM1's private address 192.168.0.2, but PM1's local ARP table has no MAC address recorded for 192.168.0.2.
For brevity, PM1's MAC address is written PM1 MAC, VM1's MAC address VM1 MAC, MAC address 1 of layer-2 gateway 200 L2 MAC1 and MAC address 2 of layer-2 gateway 200 L2 MAC2.
Specifically, the hybrid cloud communication method of the embodiment comprises the following steps:
Step S201: PM1 broadcasts ARP request 1 in subnet 2; ARP request 1 reaches layer-2 gateway 200 through the layer-2 communication tunnel.
In this step PM1 initiates communication with VM1. PM1 knows VM1's private address 192.168.0.2 but not the corresponding MAC address, which it needs before layer-2 communication with VM1 can begin, so PM1 broadcasts ARP request 1 in subnet 2. ARP request 1 has source IP address 192.168.0.4 (PM1's private address), source MAC address PM1 MAC, destination IP address 192.168.0.2 (VM1's private address) and destination MAC address FFFF FFFF FFFF; it asks for VM1's MAC address.
Specifically, ARP request 1 is carried through layer-2 communication tunnel 30 to NIC 1 of layer-2 gateway 200.
Note that on its way through layer-2 communication tunnel 30 to NIC 1, the source MAC address, destination MAC address, source IP address and destination IP address of ARP request 1 are all unchanged; the reason is explained in detail below.
Step S202: layer-2 gateway 200 constructs ARP reply 1 from ARP request 1 and sends ARP reply 1 to PM1.
Layer-2 gateway 200 takes ARP request 1 from NIC 1, recognizes it as a broadcast from its destination MAC address (FFFF FFFF FFFF), intercepts it and constructs ARP reply 1.
ARP reply 1 has source IP address 192.168.0.2 (VM1's private address), source MAC address L2 MAC1, destination IP address 192.168.0.4 (PM1's private address) and destination MAC address PM1 MAC; ARP reply 1 tells PM1 that the MAC address corresponding to 192.168.0.2 is L2 MAC1.
Layer-2 gateway 200 sends ARP reply 1 through NIC 1 into layer-2 communication tunnel 30, which carries it to PM1 in subnet 2.
In this step layer-2 gateway 200 also learns and records the mapping between the source MAC address (PM1 MAC) and the source IP address (192.168.0.4) of ARP request 1.
For example, layer-2 gateway 200 may record the mapping between PM1 MAC and 192.168.0.4 in its local ARP table.
Step S203: PM1 constructs layer-2 message 1 from ARP reply 1 and sends layer-2 message 1 to layer-2 gateway 200.
Specifically, PM1 constructs layer-2 message 1 from ARP reply 1 and sends it through layer-2 communication tunnel 30 to NIC 1 of layer-2 gateway 200.
PM1 learns L2 MAC1 from the source MAC address of ARP reply 1 and constructs layer-2 message 1 with it: layer-2 message 1 has source IP address 192.168.0.4 (PM1's private address), source MAC address PM1 MAC, destination IP address 192.168.0.2 (VM1's private address) and destination MAC address L2 MAC1 (the MAC address of NIC 1). The data part of layer-2 message 1 carries IP packet 1, whose data part carries request information 1 asking VM1 to respond; the IP header of IP packet 1 carries the destination and source IP addresses.
In this step PM1 may record the mapping between 192.168.0.2 and L2 MAC1 in its local ARP table. Later communication from PM1 to 192.168.0.2 then only needs a lookup of L2 MAC1 in the local ARP table, with no new ARP request for MAC address learning.
Step S204: layer-2 gateway 200 modifies layer-2 message 1 and sends the modified layer-2 message 1 to VM1.
In this step layer-2 gateway 200 determines VM1's MAC address (VM1 MAC) from the destination IP address 192.168.0.2 of layer-2 message 1, changes the destination MAC address of layer-2 message 1 from L2 MAC1 to VM1 MAC and its source MAC address from PM1 MAC to L2 MAC2.
Note that the mapping between 192.168.0.2 and VM1 MAC may be sent to layer-2 gateway 200 in advance by control platform 201, and layer-2 gateway 200 records it in its local ARP table.
For example, control platform 201 may preset the mapping between 192.168.0.2 and VM1 MAC in layer-2 gateway 200 when creating it.
Specifically, layer-2 gateway 200 sends the modified layer-2 message 1 to VM1 in subnet 1 through NIC 2, which is connected to subnet 1.
Step S205: VM1 constructs layer-2 message 2 in response to layer-2 message 1 and sends layer-2 message 2 to layer-2 gateway 200.
In this step layer-2 message 2 is the reply to layer-2 message 1.
Specifically, as stated above, the data part of layer-2 message 1 carries IP packet 1, whose data part carries request information 1. VM1 produces reply information 1 for request information 1 and constructs layer-2 message 2, whose data part carries IP packet 2, whose data part carries reply information 1. Layer-2 message 2 has source MAC address VM1 MAC, destination MAC address L2 MAC2, source IP address 192.168.0.2 (VM1's private address) and destination IP address 192.168.0.4 (PM1's private address). VM1 sends layer-2 message 2 to NIC 2 of layer-2 gateway 200.
After receiving layer-2 message 1, VM1 may also record in its local ARP table the mapping between the source IP address of layer-2 message 1 (192.168.0.4) and its source MAC address (L2 MAC2).
Later communication from VM1 to 192.168.0.4 then only needs a lookup of L2 MAC2 in the local ARP table, with no ARP request for MAC address learning.
Step S206: layer-2 gateway 200 modifies layer-2 message 2 and sends the modified layer-2 message 2 to PM1.
In this step layer-2 gateway 200 looks up its local ARP table by the destination IP address (192.168.0.4) of layer-2 message 2 to obtain PM1 MAC, changes the destination MAC address of layer-2 message 2 to PM1 MAC and its source MAC address to L2 MAC1.
The mapping between 192.168.0.4 and PM1 MAC was learned and recorded in the local ARP table of layer-2 gateway 200 in step S202 above.
After modifying layer-2 message 2, layer-2 gateway 200 sends it to PM1 through NIC 1.
Specifically, because NIC 1 is connected to layer-2 communication tunnel 30, layer-2 message 2 leaves NIC 1 and reaches PM1 in subnet 2 through layer-2 communication tunnel 30.
PM1 thus receives layer-2 message 2, extracts VM1's reply information 1 from it, and the communication between PM1 and VM1 is complete.
Subsequent communication from PM1 to VM1 needs no further ARP request from PM1: PM1 builds, from its local ARP table, a layer-2 message with destination IP address 192.168.0.2 and destination MAC address L2 MAC1, and that message reaches VM1 through layer-2 communication tunnel 30 and layer-2 gateway 200.
When VM1 responds, it builds a layer-2 message with destination IP address 192.168.0.4 and destination MAC address L2 MAC2, which reaches PM1 through layer-2 gateway 200 and layer-2 communication tunnel 30.
Note that Figure 5 omits device manager 2031 for brevity: the modified layer-2 message 1 of step S204 is forwarded to VM1 via device manager 2031, and layer-2 message 2 of step S205 is forwarded to layer-2 gateway 200 via device manager 2031.
Figure 6 is another data interaction diagram of the communication method in the hybrid cloud environment according to an embodiment. Unlike Figure 5, in the embodiment of Figure 6 VM1 initiates first contact with PM1: VM1's local ARP table has no MAC address recorded for PM1's private address (192.168.0.4), so VM1 must send an ARP request to obtain the MAC address corresponding to 192.168.0.4.
As shown in Figure 6, the hybrid cloud communication method according to an embodiment comprises the following steps:
Step S301: VM1 sends ARP request 2 to device manager 2031.
Because VM1 initiates communication with PM1 and its local ARP table has no MAC address for PM1's private address (192.168.0.4), VM1 must obtain the MAC address corresponding to 192.168.0.4 before it can send a layer-2 message to PM1.
VM1 therefore broadcasts ARP request 2 in subnet 1. ARP request 2 has source IP address 192.168.0.2, source MAC address VM1 MAC, destination IP address 192.168.0.4 and destination MAC address FFFF FFFF FFFF; it asks for the MAC address corresponding to 192.168.0.4.
As Figure 4 shows, VM1 and device manager 2031 both reside on compute node 203 and device manager 2031 manages VM1, so ARP request 2, which VM1 sends for broadcast in subnet 1, first reaches device manager 2031.
Step S302: device manager 2031 constructs ARP reply 2 from ARP request 2 and sends ARP reply 2 to VM1.
Device manager 2031 first recognizes ARP request 2 as a broadcast from its destination MAC address (FFFF FFFF FFFF) and, from its destination IP address (PM1's private address 192.168.0.4), determines that ARP request 2 targets a device outside subnet 1. Device manager 2031 therefore intercepts ARP request 2 and constructs ARP reply 2.
Specifically, control platform 201 sends the private addresses of all virtual machines in subnet 1 to device manager 2031 in advance. In this embodiment subnet 1 contains only VM1, whose private address is 192.168.0.2.
Device manager 2031 receives and records the private addresses of the virtual machines in subnet 1. On receiving ARP request 2 from VM1, it checks whether the destination IP address of ARP request 2 (192.168.0.4) is one of the recorded private addresses of subnet 1's virtual machines. If it is, ARP request 2 targets a virtual machine in subnet 1 and device manager 2031 broadcasts it in subnet 1. If it is not, ARP request 2 targets a device outside subnet 1 (that is, a physical machine in subnet 2): device manager 2031 intercepts ARP request 2 and constructs ARP reply 2, whose source MAC address is L2 MAC2, source IP address PM1's private address 192.168.0.4, destination MAC address VM1 MAC and destination IP address VM1's private address 192.168.0.2.
Control platform 201 may send L2 MAC2 to device manager 2031 in advance, and device manager 2031 receives and records L2 MAC2.
In this embodiment device manager 2031 finds that the destination IP address of ARP request 2 (192.168.0.4) is not a private address of a virtual machine in subnet 1 (192.168.0.2), so it constructs ARP reply 2 and sends it to VM1.
ARP reply 2 tells VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
Step S303: VM1 constructs layer-2 message 3 from ARP reply 2 and sends layer-2 message 3 to device manager 2031.
After receiving ARP reply 2, VM1 learns L2 MAC2 from its source MAC address and constructs layer-2 message 3 with L2 MAC2. The data part of layer-2 message 3 carries IP packet 3, whose data part carries request information 2 asking PM1 to respond. Layer-2 message 3 has source MAC address VM1 MAC, source IP address 192.168.0.2, destination IP address 192.168.0.4 and destination MAC address L2 MAC2.
VM1 sends layer-2 message 3, addressed to NIC 2 of layer-2 gateway 200, to device manager 2031.
Step S304: device manager 2031 forwards layer-2 message 3 to layer-2 gateway 200 according to its destination MAC address.
Specifically, device manager 2031 forwards layer-2 message 3 to NIC 2 of layer-2 gateway 200.
Step S305: layer-2 gateway 200 modifies layer-2 message 3 and sends the modified layer-2 message 3 to PM1.
Specifically, NIC 2 of layer-2 gateway 200 receives layer-2 message 3, and the gateway checks whether its local ARP table holds a MAC address for the message's destination IP address (192.168.0.4). If PM1 has previously sent an ARP request to layer-2 gateway 200 (see step S202), the local ARP table already holds the mapping between 192.168.0.4 and PM1 MAC,
and layer-2 gateway 200 obtains PM1 MAC from the local ARP table by 192.168.0.4.
If PM1 has never sent an ARP request to layer-2 gateway 200, the local ARP table has no MAC address for 192.168.0.4. Layer-2 gateway 200 can then learn PM1's MAC address itself by sending an ARP request into subnet 2 through NIC 1, which is connected to subnet 2.
That ARP request has source MAC address L2 MAC1, source IP address 192.168.0.2, destination IP address 192.168.0.4 and destination MAC address FFFF FFFF FFFF; it asks subnet 2 for the MAC address corresponding to 192.168.0.4 and is broadcast in subnet 2 through layer-2 communication tunnel 30.
PM1 receives the ARP request, sees its own address as the destination IP address (192.168.0.4), and constructs an ARP reply with source MAC address PM1 MAC, destination MAC address L2 MAC1, source IP address PM1's 192.168.0.4 and destination IP address 192.168.0.2.
PM1 sends the ARP reply through layer-2 communication tunnel 30 to NIC 1 of layer-2 gateway 200; the gateway learns PM1 MAC from the source MAC address of the ARP reply and records the mapping between PM1 MAC and 192.168.0.4 in its local ARP table.
Once it has PM1 MAC, layer-2 gateway 200 changes the destination MAC address of layer-2 message 3 from L2 MAC2 to PM1 MAC and its source MAC address from VM1 MAC to L2 MAC1, and sends layer-2 message 3 into layer-2 communication tunnel 30 through NIC 1; the tunnel carries layer-2 message 3 to PM1 in subnet 2.
In short, when its local ARP table already holds PM1 MAC, layer-2 gateway 200 rewrites layer-2 message 3 with it directly; when it does not, the gateway can send its own ARP request into subnet 2 to learn PM1 MAC.
Step S306: PM1 constructs layer-2 message 4 in response to layer-2 message 3 and sends layer-2 message 4 to layer-2 gateway 200.
PM1 receives layer-2 message 3, extracts IP packet 3 from its data part and request information 2 from the data part of IP packet 3, produces reply information 2 for request information 2 and constructs layer-2 message 4, whose data part carries IP packet 4, whose data part carries reply information 2. Layer-2 message 4 has source MAC address PM1 MAC, destination MAC address L2 MAC1, source IP address 192.168.0.4 and destination IP address 192.168.0.2.
PM1 may also record the source MAC address (L2 MAC1) and source IP address (192.168.0.2) of layer-2 message 3 in its local ARP table.
Specifically, PM1 sends layer-2 message 4 through layer-2 communication tunnel 30 to NIC 1 of layer-2 gateway 200.
Step S307: layer-2 gateway 200 modifies layer-2 message 4 and sends the modified layer-2 message 4 to device manager 2031 through NIC 2.
Layer-2 gateway 200 looks up its local ARP table by the destination IP address of layer-2 message 4 (192.168.0.2) to obtain VM1 MAC, changes the destination MAC address of layer-2 message 4 from L2 MAC1 to VM1 MAC and its source MAC address from PM1 MAC to L2 MAC2.
Note that the mapping between 192.168.0.2 and VM1 MAC may be sent to layer-2 gateway 200 in advance by control platform 201, and layer-2 gateway 200 records it in its local ARP table.
Step S308: device manager 2031 forwards the modified layer-2 message 4 to VM1.
In this step VM1 receives layer-2 message 4, extracts IP packet 4 from its data part and reply information 2 from the data part of IP packet 4.
VM1 has thus obtained reply information 2 produced by PM1. Subsequent communication from VM1 to PM1 needs no further ARP request from VM1: VM1 builds, from its local ARP table, a layer-2 message with destination MAC address L2 MAC2 and destination IP address 192.168.0.4, and communicates with PM1 at layer 2 through layer-2 gateway 200 and layer-2 communication tunnel 30.
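The two procedures above (steps S201 to S206, where PM1 initiates, and steps S301 to S308, where VM1 initiates), as one added example that is not the patent's own code: a Python model of layer-2 gateway 200 (proxy ARP reply with L2 MAC1, learning of PM MACs from tunnel-side ARP traffic, MAC rewriting in both directions, and the gateway's own ARP request into subnet 2 when PM1 MAC is unknown) together with the device manager's interception of VM-side ARP requests. The private addresses are those of the text; the MAC strings, the `Frame` four-tuple representation and the class and function names are constructed for the example. One caveat a practitioner will want: the gateway learns PM MACs from unauthenticated ARP frames arriving over the tunnel, exactly as any host on a physical LAN does, so a host in subnet 2 that forges ARP can redirect the gateway's rewrites just as it could poison a neighbour's ARP cache on a shared segment.

```python
from dataclasses import dataclass, field, replace

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Addresses from the text; the MAC values are constructed placeholders.
PM1_IP, VM1_IP = "192.168.0.4", "192.168.0.2"
PM1_MAC, VM1_MAC = "02:00:00:00:00:04", "02:00:00:00:00:02"
L2_MAC1, L2_MAC2 = "02:00:00:00:00:a1", "02:00:00:00:00:a2"


@dataclass(frozen=True)
class Frame:                 # the four-tuple of a layer-2 message plus kind and payload
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str = "ip"         # "ip", "arp-request" or "arp-reply"
    payload: str = ""


def arp_reply(for_ip: str, with_mac: str, request: Frame) -> Frame:
    """Answer `request` claiming that for_ip is at with_mac."""
    return Frame(with_mac, request.src_mac, for_ip, request.src_ip, "arp-reply")


@dataclass
class L2Gateway:
    mac1: str                                       # NIC 1: tunnel side, subnet 2
    mac2: str                                       # NIC 2: cloud side, subnet 1
    vm_table: dict                                  # IP -> MAC of subnet-1 VMs, from the control platform
    pm_table: dict = field(default_factory=dict)    # IP -> MAC learned from subnet-2 ARP traffic
    pending: list = field(default_factory=list)     # frames waiting for a PM MAC
    to_subnet2: list = field(default_factory=list)  # frames emitted on NIC 1
    to_subnet1: list = field(default_factory=list)  # frames emitted on NIC 2

    def from_nic1(self, f: Frame) -> None:
        """Frame that arrived over the layer-2 tunnel (steps S202, S204, S305)."""
        if f.kind == "arp-request":
            # Learn the sender: unauthenticated, a subnet-2 host can claim any IP.
            self.pm_table[f.src_ip] = f.src_mac
            if f.dst_ip in self.vm_table:
                self.to_subnet2.append(arp_reply(f.dst_ip, self.mac1, f))
            return  # the broadcast itself is never forwarded into subnet 1
        if f.kind == "arp-reply":
            self.pm_table[f.src_ip] = f.src_mac
            for waiting in [p for p in self.pending if p.dst_ip == f.src_ip]:
                self.pending.remove(waiting)
                self.from_nic2(waiting)             # release frames held below
            return
        if f.dst_mac == self.mac1 and f.dst_ip in self.vm_table:
            self.to_subnet1.append(replace(f, src_mac=self.mac2, dst_mac=self.vm_table[f.dst_ip]))

    def from_nic2(self, f: Frame) -> None:
        """Frame that arrived from subnet 1 (steps S206, S305)."""
        if f.kind == "arp-request":
            # Alternative embodiment: the gateway, not the device manager, answers.
            if f.dst_ip not in self.vm_table:
                self.to_subnet1.append(arp_reply(f.dst_ip, self.mac2, f))
            return
        if f.dst_mac != self.mac2:
            return
        pm_mac = self.pm_table.get(f.dst_ip)
        if pm_mac is None:
            # Unknown PM: hold the frame and ask subnet 2 ourselves, with the VM's
            # IP as source IP and L2 MAC1 as source MAC, as in the text.
            self.pending.append(f)
            self.to_subnet2.append(Frame(self.mac1, BROADCAST, f.src_ip, f.dst_ip, "arp-request"))
            return
        self.to_subnet2.append(replace(f, src_mac=self.mac1, dst_mac=pm_mac))


@dataclass
class DeviceManager:
    """Hypervisor-side ARP interception of steps S301 and S302."""
    subnet1_ips: set        # private addresses of subnet-1 VMs, from the control platform
    gateway_mac2: str

    def on_vm_arp(self, f: Frame):
        """("broadcast", f) for a subnet-1 target, else ("reply", proxy ARP reply)."""
        if f.dst_ip in self.subnet1_ips:
            return "broadcast", f
        return "reply", arp_reply(f.dst_ip, self.gateway_mac2, f)


def pm_initiates():
    """Steps S201-S206. Returns (ARP reply 1, L2 msg 1 as VM1 sees it, L2 msg 2 as PM1 sees it)."""
    gw = L2Gateway(L2_MAC1, L2_MAC2, {VM1_IP: VM1_MAC})
    gw.from_nic1(Frame(PM1_MAC, BROADCAST, PM1_IP, VM1_IP, "arp-request"))
    arp1 = gw.to_subnet2[-1]
    gw.from_nic1(Frame(PM1_MAC, arp1.src_mac, PM1_IP, VM1_IP, payload="request 1"))
    msg1 = gw.to_subnet1[-1]
    gw.from_nic2(Frame(VM1_MAC, msg1.src_mac, VM1_IP, PM1_IP, payload="reply 1"))
    return arp1, msg1, gw.to_subnet2[-1]


def vm_initiates():
    """Steps S301-S305 with a cold gateway table: the gateway must learn PM1 MAC itself."""
    gw = L2Gateway(L2_MAC1, L2_MAC2, {VM1_IP: VM1_MAC})
    dm = DeviceManager({VM1_IP}, L2_MAC2)
    action, arp2 = dm.on_vm_arp(Frame(VM1_MAC, BROADCAST, VM1_IP, PM1_IP, "arp-request"))
    gw.from_nic2(Frame(VM1_MAC, arp2.src_mac, VM1_IP, PM1_IP, payload="request 2"))
    probe = gw.to_subnet2[-1]                       # the gateway's own ARP request
    gw.from_nic1(arp_reply(PM1_IP, PM1_MAC, probe))  # PM1 answers it
    return action, arp2, probe, gw.to_subnet2[-1]
```

`pm_initiates()` and `vm_initiates()` replay the two flows and return the frames PM1 and VM1 actually see; the returned four-tuples are the rewritten ones listed in the steps above. A frame held in `pending` is released only when an ARP reply for its destination arrives, which is the behaviour step S305 describes for a gateway whose ARP table is still empty.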
In summary, layer-2 gateway 200 connects subnet 1 and subnet 2, which share a private address range, answers ARP requests by proxy and translates the MAC addresses of layer-2 messages. From the point of view of PM1 and VM1, subnet 1 and subnet 2 form one broadcast domain, and VM1 in the cloud and PM1 off the cloud interconnect at layer 2 through layer-2 gateway 200.
Note that in the embodiment above device manager 2031 intercepts ARP request 2 from VM1 and sends ARP reply 2 directly to VM1 to tell it that the MAC address corresponding to 192.168.0.4 is L2 MAC2. In other examples of the invention device manager 2031 may instead not intercept ARP request 2 but broadcast it in subnet 1, so that layer-2 gateway 200, connected to subnet 1 through NIC 2, receives ARP request 2 from subnet 1, generates an ARP reply from it and sends the ARP reply to VM1 in subnet 1 through NIC 2, telling VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
The embodiments support layer-2 interconnection between subnet 2 of off-cloud data center 10 and subnet 1 of cloud data center 20 even though both use the same private address range, which makes it easier to migrate a hybrid cloud to a public cloud.
Migrating a hybrid cloud to a public cloud means migrating images of the devices in subnet 2 of off-cloud data center 10 into virtual machines in subnet 1 of cloud data center 20 and, once the migration has succeeded, decommissioning the devices in subnet 2.
For example, when PM1 is to be migrated to subnet 1 of cloud data center 20, the user creates a new VM3 in subnet 1, imports PM1's image into VM3 and shuts down PM1. Because VM3 is PM1's image, VM3 has the same private address 192.168.0.4 and the same MAC address PM1 MAC as PM1. When VM3 initiates communication with VM1, it broadcasts an ARP request for 192.168.0.2 in subnet 1, obtains VM1's ARP reply carrying VM1 MAC, and communicates with VM1 at layer 2 in subnet 1 using VM1 MAC.
On the same principle every device in subnet 2 can be migrated to subnet 1 in a similar way, and each keeps its private address and MAC address after migration. Because none of the private addresses or MAC addresses of subnet 2's devices need to change, the network model of subnet 2 can be migrated to subnet 1 intact, which greatly simplifies moving the devices of an off-cloud data center into the public cloud.
Layer-2 interconnection of subnet 1 and subnet 2 through the layer-2 gateway therefore allows the network model of the off-cloud data center to be preserved in full in the public cloud when a hybrid cloud is migrated to it.
Figure 7 is a schematic of a specific system structure of the hybrid cloud environment according to an embodiment; it builds on Figure 4 and shows one possible implementation of layer-2 communication tunnel 30.
As Figure 7 shows, layer-2 communication tunnel 30 is implemented by VTEP device 301, VTEP device 304, VPN gateway 302 and VPN gateway 303. VTEP device 301 is connected to subnet 2 and VTEP device 304 to NIC 1 of layer-2 gateway 200; VTEP device 301 has VTEP IP1, VTEP device 304 has VTEP IP2, VPN gateway 302 has public IP1 and VPN gateway 303 has public IP2.
In this embodiment VTEP device 301 encapsulates layer-2 message 1 sent by PM1 as the inner message of VXLAN packet 1. The outer message of VXLAN packet 1 has source IP address VTEP IP1, destination IP address VTEP IP2, source MAC address the MAC address of VTEP device 301 and destination MAC address the MAC address of the next-hop device toward VTEP IP2 (for example VPN gateway 302). VTEP device 301 sends VXLAN packet 1 to VPN gateway 302, which places VXLAN packet 1 in the data part of VPN packet 1. The VPN header of VPN packet 1 has source IP address public IP1 of VPN gateway 302, destination IP address public IP2 of VPN gateway 303, source MAC address the MAC address of VPN gateway 302 and destination MAC address the MAC address of the next-hop device. VPN gateway 302 sends VPN packet 1 into the Internet, whose routing devices forward VPN packet 1 to VPN gateway 303 according to its destination IP address.
VPN gateway 303 receives VPN packet 1, extracts VXLAN packet 1 from its data part and forwards VXLAN packet 1 to VTEP device 304 according to its destination IP address (VTEP IP2).
VTEP device 304 decapsulates VXLAN packet 1 to recover layer-2 message 1 and sends layer-2 message 1 to NIC 1 of layer-2 gateway 200.
Through the VXLAN encapsulation, VPN encapsulation, VPN decapsulation and VXLAN decapsulation performed by the devices of layer-2 communication tunnel 30, subnet 2 of off-cloud data center 10 interconnects at layer 2 with layer-2 gateway 200 of cloud data center 20. PM1 and layer-2 gateway 200 are unaware of the encapsulation and decapsulation, and layer-2 message 1 travels unchanged from subnet 2 to subnet 1.
Likewise, VTEP device 304 encapsulates layer-2 message 2, sent by layer-2 gateway 200 through NIC 1, as the inner message of VXLAN packet 2. The outer message of VXLAN packet 2 has source IP address VTEP IP2, destination IP address VTEP IP1, source MAC address the MAC address of VTEP device 304 and destination MAC address the MAC address of the next-hop device toward VTEP IP1. VTEP device 304 sends VXLAN packet 2 to VPN gateway 303, which encapsulates VXLAN packet 2 in the data part of VPN packet 2. The VPN header of VPN packet 2 has source IP address public IP2 of VPN gateway 303, destination IP address public IP1 of VPN gateway 302, source MAC address the MAC address of VPN gateway 303 and destination MAC address the MAC address of the next-hop device toward public IP1. VPN gateway 303 sends VPN packet 2 into the Internet, whose routing devices forward VPN packet 2 to VPN gateway 302 according to its destination IP address.
VPN gateway 302 receives VPN packet 2, extracts VXLAN packet 2 from its data part and forwards VXLAN packet 2 to VTEP device 301 according to its destination IP address (VTEP IP1).
VTEP device 301 decapsulates VXLAN packet 2 to recover layer-2 message 2 and sends layer-2 message 2 to PM1.
Again, through the VXLAN encapsulation, VPN encapsulation, VPN decapsulation and VXLAN decapsulation performed by the devices of layer-2 communication tunnel 30, layer-2 gateway 200 of cloud data center 20 interconnects at layer 2 with PM1 of off-cloud data center 10. PM1 and layer-2 gateway 200 are unaware of the process, and layer-2 message 2 likewise travels unchanged from subnet 1 to subnet 2.
Because layer-2 message 1 is carried as the inner message of VXLAN packet 1, its source and destination MAC addresses are unchanged when it arrives at layer-2 gateway 200 from PM1 through layer-2 communication tunnel 30. Because layer-2 message 2 is carried as the inner message of VXLAN packet 2, its source and destination MAC addresses are unchanged when it arrives at PM1 from layer-2 gateway 200 through the tunnel. Layer-2 communication tunnel 30 therefore provides layer-2 interconnection between PM1 and layer-2 gateway 200.
The ARP requests and ARP replies between PM1 and layer-2 gateway 200 are carried through layer-2 communication tunnel 30 in the same way.
In this embodiment the VPN gateways provide remote communication across data centers and the VTEP devices provide layer-2 interconnection; the VPN gateways and VTEP devices together provide remote layer-2 interconnection across data centers.
In other embodiments the VPN gateway may be replaced by another remote connection gateway, for example a leased-line gateway. The VTEP devices then connect through the leased-line gateway to a leased-line network provided by a carrier, and no VPN encapsulation or decapsulation of the VXLAN packets is needed: the local leased-line gateway sends the VXLAN packet straight into the leased-line network, whose routing devices forward it to the peer leased-line gateway according to its destination IP address.
Further, the embodiments are not limited to VXLAN for encapsulating and decapsulating the messages of subnet 1 and subnet 2; any large layer-2 encapsulation and decapsulation technology can provide the same function, and replacing VXLAN with GRE, for example, is also feasible.
Figures 8a to 8c show the interactive interfaces provided by the control platform according to an embodiment. As Figure 8a shows, control platform 201 presents interface 1, which has a "Create layer-2 gateway" option; clicking it opens interface 2 of Figure 8b, where the user enters the configuration information: the name of the layer-2 gateway to create, local tunnel information, the VPC the gateway belongs to, the subnet in that VPC the gateway connects to, and remote tunnel information. Clicking "Confirm" opens the interface of Figure 8c, which reports that layer-2 gateway 200 was set up successfully.
For example, with the layer-2 communication tunnel of Figure 7, the user enters (or selects) VPN gateway 303 in the local tunnel information field and enters VTEP IP1 of VTEP device 301 and VNI0 of subnet 2 in the remote tunnel information field. VNI0 is assigned by VTEP device 301, and because the user has full administrative rights over VTEP device 301 in off-cloud data center 10, VTEP IP1 and VNI0 are parameters the user knows.
Note that this embodiment assumes VPN gateway 302 and VPN gateway 303 have already established a VPN connection; the user only needs to enter VPN gateway 303, to which layer-2 gateway 200 is to connect, for layer-2 gateway 200 to be connected remotely to off-cloud data center 10.
Specifically, the user can create VPN gateway 303 through the VPN service provided by cloud data center 20 and configure VPN gateway 303 to connect to VPN gateway 302.
Note that when interface 3 of Figure 8c reports that layer-2 gateway 200 was set up successfully, it can also show the user VTEP IP2 of VTEP device 304, to which layer-2 gateway 200 is connected. The user takes VTEP IP2 from interface 3 and configures VTEP device 301 in off-cloud data center 10 to record it; VTEP device 301 then sets the outer destination IP address of its VXLAN packets to VTEP IP2. After an encapsulated VXLAN packet reaches cloud data center 20 via VPN gateway 303, it is routed within the internal network of cloud data center 20 to VTEP device 304 by that outer destination IP address VTEP IP2.
For ease of understanding, Figures 9 to 12 show one possible concrete implementation of the hybrid cloud environment of Figure 7.
The hybrid cloud environment is the same in all of Figures 9 to 12; they differ in what they detail: Figure 9 the message flow of the proxy ARP reply from layer-2 gateway 200 to PM1, Figure 10 the flow of a message sent by PM1 to VM1, Figure 11 the flow of VM1's reply to PM1, and Figure 12 the flow of the device manager's proxy ARP reply to VM1.
In Figures 9 to 12 the same reference numerals as in Figure 7 denote the same devices.
Referring first to Figure 9, the hybrid cloud communication system comprises off-cloud data center 10 and cloud data center 20, each connected to Internet 30. The user reaches Internet 30 through client 40. The user has administrative rights over all devices of off-cloud data center 10 but, in cloud data center 20, only over VPC1, layer-2 gateway 200 and VPN gateway 303. Through client 40 the user accesses the interactive interface or API of control platform 201 and enters commands for managing VPC1, layer-2 gateway 200 or VPN gateway 303, and control platform 201 manages VPC1, layer-2 gateway 200 or VPN gateway 303 according to those commands.
Client 40 is, for example, a terminal device such as a mobile phone, personal computer or tablet; in other embodiments client 40 may also be located in off-cloud data center 10.
Cloud data center 20 comprises control platform 201, compute node 203, network node 204, router 205, top-of-rack switch 206 and top-of-rack switch 207. Top-of-rack switch 206, top-of-rack switch 207, control platform 201 and VPN gateway 303 each connect to router 205.
Compute node 203 and network node 204 are, for example, servers; compute node 203 runs the public cloud virtual machines VM1 and VM2, and network node 204 runs layer-2 gateway 200.
Compute node 203 comprises VM1, VM2, operating system 2030 and physical NIC 2033. Operating system 2030 contains device manager 2031, which comprises virtual switch 2032 and VTEP device 305. Virtual switch 2032 contains virtual port 5, virtual port 6, virtual port 7 and logical bridge 2034, which is connected to each of virtual ports 5, 6 and 7. VM1 has virtual NIC 3 and VM2 has virtual NIC 4; virtual NIC 3 connects to virtual port 5, virtual NIC 4 to virtual port 6, and virtual port 7 to VTEP device 305. VTEP device 305 also connects to physical NIC 2033, through which compute node 203 connects to top-of-rack switch 206.
VM1 and VM2 are in subnet 1 of VPC1, whose tunnel identifier is VNI1; logical bridge 2034 acts as the switch of subnet 1.
Network node 204 comprises layer-2 gateway 200, operating system 2040 and physical NIC 2043. Operating system 2040 contains device manager 2041, which comprises virtual switch 2042 and VTEP device 304. Virtual switch 2042 contains virtual port 1, virtual port 2 and virtual port 3; virtual port 3 is connected to virtual port 2 and to virtual port 1. VTEP device 304 connects to physical NIC 2043, through which network node 204 connects to top-of-rack switch 207.
Layer-2 gateway 200 has virtual NIC 1 and virtual NIC 2; virtual NIC 1 connects to virtual port 1, virtual NIC 2 to virtual port 2, and virtual port 3 to VTEP device 304.
Off-cloud data center 10 comprises VPN gateway 302, VTEP device 301, subnet 2 and subnet 3. Subnet 2 has the same private address range as subnet 1 (192.168.0.0/24) and contains physical machines PM1 and PM2; subnet 3 contains physical machines PM3 and PM4.
VTEP device 301 is, for example, a VXLAN switch, which combines switching with VXLAN encapsulation and decapsulation. Subnet 2 and subnet 3 are defined by VTEP device 301, which sets the tunnel identifier of subnet 2 to VNI0 and the tunnel identifier of subnet 3 to VNI1.
In this embodiment VTEP device 305 and VTEP device 304 are implemented in software: VTEP device 305 by the kernel of operating system 2030 of compute node 203 and VTEP device 304 by the kernel of operating system 2040 of network node 204. VTEP device 301 is implemented in hardware, for example as a VXLAN switch.
In other embodiments VTEP device 301 may also be implemented by an operating system kernel, in which case the devices connected to it are virtual machines running in the operating systems of the physical machines of off-cloud data center 10.
The network parameters of the devices in the hybrid cloud communication system of this embodiment are as follows:
VM1 private address: 192.168.0.2; MAC address of VM1's virtual NIC 3: VM1 MAC;
VM2 private address: 192.168.0.3; MAC address of VM2's virtual NIC 4: VM2 MAC;
VTEP IP address of VTEP device 305: VTEP IP1;
VTEP IP address of VTEP device 304: VTEP IP2;
VTEP IP address of VTEP device 301: VTEP IP3;
VPN gateway 302: public IP1;
VPN gateway 303: public IP2;
tunnel identifier of subnet 1: VNI1;
tunnel identifier of subnet 2: VNI0;
MAC address of virtual NIC 1 of layer-2 gateway 200: L2 MAC1;
MAC address of virtual NIC 2 of layer-2 gateway 200: L2 MAC2.
All these network parameters are recorded in control platform 201. Note that public IP1 of VPN gateway 302, VNI0 of subnet 2 and VTEP IP3 of VTEP device 301 are entered into control platform 201 by the user through client 40: VTEP IP3 and VNI0 are entered from client 40 when layer-2 gateway 200 is created (see interface 2 of Figure 8b), and public IP1 of VPN gateway 302 is entered from client 40 when the VPN connection is configured.
In off-cloud data center 10:
PM1 private address: 192.168.0.4; PM1 MAC address: PM1 MAC;
PM2 private address: 192.168.0.5; PM2 MAC address: PM2 MAC;
PM3 private address: 192.168.1.4; PM3 MAC address: PM3 MAC;
PM4 private address: 192.168.1.5; PM4 MAC address: PM4 MAC.
Control platform 201 has no administrative rights over off-cloud data center 10 and does not record the network addresses of its physical machines; those addresses must be learned by layer-2 gateway 200.
Router 205, top-of-rack switch 206, top-of-rack switch 207, physical NIC 2033 and physical NIC 2043 each have an IP address and forward packets.
Router 205 holds routing rules: a packet whose destination IP address is VTEP IP1 is sent to top-of-rack switch 206, a packet whose destination IP address is VTEP IP2 to top-of-rack switch 207, and a packet whose destination IP address is VTEP IP3 to VPN gateway 303.
Physical NIC 2033 forwards packets received from VTEP device 305 to top-of-rack switch 206 and packets received from top-of-rack switch 206 to VTEP device 305. Top-of-rack switch 206 forwards packets received from physical NIC 2033 to router 205 and packets received from router 205 to physical NIC 2033.
Physical NIC 2043 forwards packets received from VTEP device 304 to top-of-rack switch 207 and packets received from top-of-rack switch 207 to VTEP device 304. Top-of-rack switch 207 forwards packets received from physical NIC 2043 to router 205 and packets received from router 205 to physical NIC 2043.
A VPN connection has been established in advance between VPN gateway 303 and VPN gateway 302; public IP1 of VPN gateway 302 was entered from client 40 when that VPN connection was configured.
Further:
VTEP device 305 records:
the mapping of VNI1 to VTEP IP2;
VTEP device 304 records:
the mapping of VNI1 to VTEP IP1;
the mapping of VNI0 to VTEP IP3.
Virtual port 3 records the mapping of virtual port 2 to VNI1 and the mapping of virtual port 1 to VNI0.
All of these mappings are set and recorded by control platform 201.
In the embodiment, layer-2 gateway 200 connects through virtual NIC 1 to virtual port 1, which is bound to VNI0, and is thereby connected to subnet 2; it connects through virtual NIC 2 to virtual port 2, which is bound to VNI1, and is thereby connected to subnet 1.
On this basis, Figure 9 shows the method by which PM1 initiates communication with VM1; the method comprises the following steps:
Step 1: PM1 constructs ARP request 1 and sends it to VTEP device 301.
PM1 knows VM1's private address 192.168.0.2 and broadcasts ARP request 1 in subnet 2 to ask for the MAC address corresponding to 192.168.0.2. The four-tuple of ARP request 1 is:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: PM1 MAC
Destination MAC: FFFF FFFF FFFF.
Step 2: VTEP device 301 sends VXLAN packet 1 to VPN gateway 302.
VTEP device 301 receives ARP request 1, broadcast by PM1 in subnet 2, and encapsulates it as the inner message of VXLAN packet 1. The outer destination IP address of VXLAN packet 1 is VTEP IP2 (the VTEP IP of VTEP device 304), and the VXLAN header of VXLAN packet 1 carries VNI0, the tunnel identifier VTEP device 301 assigned to subnet 2.
The inner and outer four-tuples of VXLAN packet 1 are:
Outer four-tuple:
Source IP: VTEP IP3
Destination IP: VTEP IP2
Source MAC: VTEP MAC3
Destination MAC: next-hop MAC (the MAC address of VPN gateway 302)
Inner four-tuple:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: PM1 MAC
Destination MAC: FFFF FFFF FFFF.
In the embodiment layer-2 gateway 200 receives and intercepts ARP request 1, so VTEP device 301 must send VXLAN packet 1, which carries ARP request 1, to VTEP device 304, which is connected to layer-2 gateway 200; hence the outer destination IP address of VXLAN packet 1 is VTEP IP2.
Step 3: VPN gateway 302 sends VPN packet 1 into Internet 30.
VPN gateway 302 constructs VPN packet 1, whose data part carries VXLAN packet 1. The VPN header of VPN packet 1 has destination IP address public IP2 (the public IP of VPN gateway 303) and source IP address public IP1 (the public IP of VPN gateway 302).
Step 4: the routing devices of Internet 30 forward VPN packet 1 to VPN gateway 303 according to its destination IP address.
Step 5: VPN gateway 303 sends VXLAN packet 1 to router 205.
On receiving VPN packet 1, VPN gateway 303 strips the VPN header, extracts VXLAN packet 1 from the data part and sends VXLAN packet 1 to router 205.
Step 6: router 205 sends VXLAN packet 1 to top-of-rack switch 207 according to its outer destination IP address.
Step 7: top-of-rack switch 207 sends VXLAN packet 1 to physical NIC 2043.
Step 8: physical NIC 2043 sends VXLAN packet 1 to VTEP device 304.
Step 9: VTEP device 304 decapsulates VXLAN packet 1, recovering ARP request 1 from the inner message and VNI0 from the VXLAN header.
Step 10: VTEP device 304 sends ARP request 1 and VNI0 to virtual port 3.
Step 11: virtual port 3 sends ARP request 1 to virtual port 1, through which ARP request 1 reaches virtual NIC 1.
As stated above, virtual port 3 records the mapping of VNI0 to virtual port 1 and the mapping of VNI1 to virtual port 2.
Virtual port 3 therefore selects virtual port 1 by VNI0 and sends ARP request 1 to virtual port 1, so that ARP request 1 reaches virtual NIC 1 of layer-2 gateway 200 through virtual port 1.
Step 12: layer-2 gateway 200 generates ARP reply 1 from ARP request 1 and sends ARP reply 1 through virtual NIC 1 to virtual port 1, from which ARP reply 1 reaches virtual port 3.
In this step layer-2 gateway 200 recognizes ARP request 1 as a broadcast from its destination MAC address FFFF FFFF FFFF; layer-2 gateway 200 must intercept ARP request 1 and must not let the broadcast reach subnet 1.
Accordingly, layer-2 gateway 200 constructs ARP reply 1 with the four-tuple:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: L2 MAC1
Destination MAC: PM1 MAC
ARP reply 1 tells PM1 that the MAC address corresponding to 192.168.0.2 is L2 MAC1, the MAC address of virtual NIC 1.
In this step layer-2 gateway 200 also learns and records the mapping of 192.168.0.4 to PM1 MAC from ARP request 1; specifically, it records the mapping in its local ARP table.
Step 13: virtual port 3 receives ARP reply 1 from virtual port 1, determines VNI0 from the mapping of virtual port 1 to VNI0, and sends ARP reply 1 and VNI0 to VTEP device 304.
Step 14: VTEP device 304 determines VTEP IP3 (the VTEP IP of VTEP device 301) from VNI0 and encapsulates ARP reply 1 into VXLAN packet 2, whose VXLAN header carries VNI0 and whose outer destination IP address is VTEP IP3.
The inner and outer four-tuples of VXLAN packet 2 are:
Outer four-tuple:
Source IP: VTEP IP2
Destination IP: VTEP IP3
Source MAC: VTEP MAC2
Destination MAC: next-hop MAC (the MAC address of physical NIC 2043)
Inner four-tuple:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: L2 MAC1
Destination MAC: PM1 MAC
Because ARP reply 1 must reach PM1, the destination IP address of VXLAN packet 2 is VTEP IP3 of VTEP device 301, to which PM1 is connected.
Step 15: VTEP device 304 sends VXLAN packet 2 to physical NIC 2043.
Step 16: physical NIC 2043 sends VXLAN packet 2 to top-of-rack switch 207.
Step 17: top-of-rack switch 207 sends VXLAN packet 2 to router 205.
Step 18: router 205 sends VXLAN packet 2 to VPN gateway 303 according to its outer destination IP address.
Step 19: VPN gateway 303 receives VXLAN packet 2, generates VPN packet 2 and sends VPN packet 2 into Internet 30.
The data part of VPN packet 2 carries VXLAN packet 2; the VPN header of VPN packet 2 has destination IP address public IP1 (the public IP of VPN gateway 302) and source IP address public IP2 (the public IP of VPN gateway 303).
Step 20: the routing devices of Internet 30 forward VPN packet 2 to VPN gateway 302 according to its destination IP address.
Step 21: VPN gateway 302 receives VPN packet 2, strips its VPN header, extracts VXLAN packet 2 from its data part and sends VXLAN packet 2 to VTEP device 301 according to its outer destination IP address.
Step 22: VTEP device 301 sends ARP reply 1 to PM1.
In this step VTEP device 301 receives VXLAN packet 2, decapsulates it to recover the inner ARP reply 1, reads VNI0 from the VXLAN header of VXLAN packet 2, selects subnet 2 by VNI0 and delivers ARP reply 1 to PM1 in subnet 2.
PM1 receives ARP reply 1, concludes from its source MAC address (L2 MAC1) that the MAC address corresponding to 192.168.0.2 is L2 MAC1, and records the mapping of 192.168.0.2 to L2 MAC1 in its local ARP table.
Continuing from Figure 9, Figure 10 shows the method by which PM1 communicates with VM1 once it has obtained L2 MAC1; the method comprises:
Step 23: PM1 sends layer-2 message 1 to VTEP device 301.
The data part of layer-2 message 1 carries IP packet 1, whose data part carries request information 1.
The four-tuple of layer-2 message 1 is:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: PM1 MAC
Destination MAC: L2 MAC1
At this point PM1 believes VM1's MAC address is L2 MAC1.
Step 24: VTEP device 301 sends VXLAN packet 3 to VPN gateway 302.
VTEP device 301 encapsulates layer-2 message 1 as the inner message of VXLAN packet 3. The outer destination IP address of VXLAN packet 3 is VTEP IP2 (the VTEP IP of VTEP device 304), and its VXLAN header carries VNI0, the tunnel identifier of subnet 2.
The inner and outer four-tuples of VXLAN packet 3 are:
Outer four-tuple:
Source IP: VTEP IP3
Destination IP: VTEP IP2
Source MAC: VTEP MAC3
Destination MAC: next-hop MAC (the MAC address of VPN gateway 302)
Inner four-tuple:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: PM1 MAC
Destination MAC: L2 MAC1.
Step 25: VPN gateway 302 sends VPN packet 3 into Internet 30.
On receiving VXLAN packet 3, VPN gateway 302 constructs VPN packet 3 from it; the data part of VPN packet 3 carries VXLAN packet 3, and the VPN header of VPN packet 3 has destination IP address public IP2 (the public IP of VPN gateway 303) and source IP address public IP1 (the public IP of VPN gateway 302).
Step 26: the routing devices of Internet 30 forward VPN packet 3 to VPN gateway 303 according to its destination IP address.
Step 27: VPN gateway 303 sends VXLAN packet 3 to router 205.
On receiving VPN packet 3, VPN gateway 303 strips the VPN header, extracts VXLAN packet 3 from the data part of VPN packet 3 and sends VXLAN packet 3 to router 205.
Step 28: router 205 sends VXLAN packet 3 to top-of-rack switch 207 according to its outer destination IP address.
Step 29: top-of-rack switch 207 sends VXLAN packet 3 to physical NIC 2043.
Step 30: physical NIC 2043 sends VXLAN packet 3 to VTEP device 304.
Step 31: VTEP device 304 decapsulates VXLAN packet 3 to recover layer-2 message 1 and VNI0.
Step 32: VTEP device 304 sends layer-2 message 1 and VNI0 to virtual port 3.
Step 33: virtual port 3 sends layer-2 message 1 to virtual port 1.
Virtual port 3 selects virtual port 1 by VNI0 and sends layer-2 message 1 to virtual port 1, so that layer-2 message 1 reaches virtual NIC 1 of layer-2 gateway 200 through virtual port 1.
Step 34: layer-2 gateway 200 modifies layer-2 message 1.
Layer-2 gateway 200 takes layer-2 message 1 from virtual NIC 1, determines from its destination MAC address that layer-2 message 1 is not a broadcast, and looks up in its local ARP table the MAC address VM1 MAC corresponding to the destination IP address of layer-2 message 1 (192.168.0.2).
Layer-2 gateway 200 changes the source MAC address of layer-2 message 1 to L2 MAC2 and its destination MAC address to VM1 MAC. The four-tuple of the modified layer-2 message 1 is:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: L2 MAC2
Destination MAC: VM1 MAC.
The mapping of 192.168.0.2 to VM1 MAC may be sent to layer-2 gateway 200 by control platform 201 in advance, after layer-2 gateway 200 has been created successfully (or set directly in layer-2 gateway 200 when it is created); layer-2 gateway 200 receives the mapping and records it in its local ARP table.
Step 35: layer-2 gateway 200 sends the modified layer-2 message 1 to virtual port 3.
Layer-2 gateway 200 sends the modified layer-2 message 1 through virtual NIC 2 to virtual port 2, from which the modified layer-2 message 1 passes to virtual port 3.
Step 36: virtual port 3 receives the modified layer-2 message 1 from virtual port 2, determines VNI1 from virtual port 2, and sends layer-2 message 1 and VNI1 to VTEP device 304.
Step 37: VTEP device 304 determines VTEP IP1 (the VTEP IP of VTEP device 305) from VNI1 and VXLAN-encapsulates layer-2 message 1 into VXLAN packet 4, whose VXLAN header carries VNI1 and whose outer destination IP address is VTEP IP1.
The inner and outer four-tuples of VXLAN packet 4 are:
Outer four-tuple:
Source IP: VTEP IP2
Destination IP: VTEP IP1
Source MAC: VTEP MAC2
Destination MAC: next-hop MAC
Inner four-tuple:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: L2 MAC2
Destination MAC: VM1 MAC.
Step 38: VTEP device 304 sends VXLAN packet 4 to physical NIC 2043.
Step 39: physical NIC 2043 sends VXLAN packet 4 to top-of-rack switch 207.
Step 40: top-of-rack switch 207 sends VXLAN packet 4 to router 205.
Step 41: router 205 sends VXLAN packet 4 to top-of-rack switch 206 according to its outer destination IP address.
Step 42: top-of-rack switch 206 sends VXLAN packet 4 to physical NIC 2033.
Step 43: physical NIC 2033 sends VXLAN packet 4 to VTEP device 305.
Step 44: VTEP device 305 decapsulates VXLAN packet 4 to recover layer-2 message 1 and VNI1.
Step 45: VTEP device 305 sends layer-2 message 1 and VNI1 to virtual port 7.
Step 46: virtual port 7 sends layer-2 message 1 to logical bridge 2034.
In this step virtual port 7 receives layer-2 message 1 and VNI1, selects logical bridge 2034 by VNI1 and sends layer-2 message 1 to logical bridge 2034.
Note that in other examples compute node 203 also runs VMs of other VPCs; virtual switch 2032 then contains several logical bridges, each bound to the VNI of a different VPC, and virtual port 7 selects the corresponding logical bridge by VNI.
In this embodiment VNI1 is bound to logical bridge 2034, so virtual port 7 uses VNI1 to decide to send layer-2 message 1 to logical bridge 2034.
Step 47: logical bridge 2034 sends layer-2 message 1, according to its destination MAC address (VM1 MAC), to virtual port 5, which is connected to virtual NIC 3 of VM1.
Step 48: virtual port 5 sends layer-2 message 1 to virtual NIC 3 of VM1.
VM1 takes layer-2 message 1 from virtual NIC 3, extracts IP packet 1 from the data part of layer-2 message 1 and request information 1 from the data part of IP packet 1, and answers request information 1 to produce reply information 1.
Having produced reply information 1, VM1 constructs layer-2 message 2, whose data part carries IP packet 2, whose data part carries reply information 1.
The four-tuple of layer-2 message 2 is:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: VM1 MAC
Destination MAC: L2 MAC2
The source and destination IP addresses of layer-2 message 2 are the source and destination IP addresses of layer-2 message 1 swapped, and the source and destination MAC addresses of layer-2 message 2 are the source and destination MAC addresses of layer-2 message 1 swapped.
VM1 also records in its local ARP table the mapping between the source MAC address of layer-2 message 1 (L2 MAC2) and the source IP address of layer-2 message 1 (192.168.0.4).
Continuing from Figure 10, Figure 11 shows the communication method by which VM1 replies; as shown in Figure 11, the method comprises the following steps:
Step 49: VM1 sends layer-2 message 2 through virtual NIC 3 to virtual port 5.
Step 50: virtual port 5 sends layer-2 message 2 to logical bridge 2034.
Step 51: logical bridge 2034 sends layer-2 message 2 to virtual port 7.
In this step logical bridge 2034 has no local virtual port bound to L2 MAC2, so it sends layer-2 message 2 to virtual port 7.
Step 52: virtual port 7 sends layer-2 message 2 and VNI1 to VTEP device 305.
In this step virtual port 7 takes layer-2 message 2 from logical bridge 2034 and determines VNI1 from logical bridge 2034.
Step 53: VTEP device 305 VXLAN-encapsulates layer-2 message 2 into VXLAN packet 5.
VTEP device 305 determines VTEP IP2 from VNI1. The inner message of VXLAN packet 5 is layer-2 message 2, its VXLAN header carries VNI1, its outer destination IP address is VTEP IP2 and its outer source IP address is VTEP IP1.
The inner and outer four-tuples of VXLAN packet 5 are:
Outer four-tuple:
Source IP: VTEP IP1
Destination IP: VTEP IP2
Source MAC: VTEP MAC1
Destination MAC: next-hop MAC
Inner four-tuple:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: VM1 MAC
Destination MAC: L2 MAC2.
Step 54: VTEP device 305 sends VXLAN packet 5 to physical NIC 2033.
Step 55: physical NIC 2033 sends VXLAN packet 5 to top-of-rack switch 206.
Step 56: top-of-rack switch 206 sends VXLAN packet 5 to router 205.
Step 57: router 205 sends VXLAN packet 5 to top-of-rack switch 207 according to its outer destination IP address.
Step 58: top-of-rack switch 207 sends VXLAN packet 5 to physical NIC 2043 according to its outer destination IP address.
Step 59: physical NIC 2043 sends VXLAN packet 5 to VTEP device 304 according to its outer destination IP address.
Step 60: VTEP device 304 VXLAN-decapsulates VXLAN packet 5 to recover layer-2 message 2 and VNI1.
Step 61: VTEP device 304 sends layer-2 message 2 and VNI1 to virtual port 3.
Step 62: virtual port 3 selects virtual port 2 by VNI1 and sends layer-2 message 2 to virtual port 2, through which layer-2 message 2 reaches virtual NIC 2.
Step 63: layer-2 gateway 200 takes layer-2 message 2 from virtual NIC 2 and modifies it.
Layer-2 gateway 200 looks up in its local ARP table the MAC address PM1 MAC corresponding to the destination IP address 192.168.0.4 of layer-2 message 2, changes the destination MAC address of layer-2 message 2 to PM1 MAC and its source MAC address to L2 MAC1.
The mapping of 192.168.0.4 to PM1 MAC was recorded in the local ARP table of layer-2 gateway 200 in step 12 above.
The four-tuple of the modified layer-2 message 2 is:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: L2 MAC1
Destination MAC: PM1 MAC.
Step 64: layer-2 gateway 200 sends the modified layer-2 message 2 through virtual NIC 1 to virtual port 1, and virtual port 1 sends the modified layer-2 message 2 to virtual port 3.
Step 65: virtual port 3 sends layer-2 message 2 and VNI0 to VTEP device 304.
In this step virtual port 3 receives layer-2 message 2 from virtual port 1 and determines VNI0 from virtual port 1.
Step 66: VTEP device 304 determines VTEP IP3 (the VTEP IP address of VTEP device 301) from VNI0 and constructs VXLAN packet 6, whose inner message is layer-2 message 2, whose VXLAN header carries VNI0, whose outer destination IP address is VTEP IP3 and whose outer source IP address is VTEP IP2.
The inner and outer four-tuples of VXLAN packet 6 are:
Outer four-tuple:
Source IP: VTEP IP2
Destination IP: VTEP IP3
Source MAC: VTEP MAC2
Destination MAC: next-hop MAC
Inner four-tuple:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: L2 MAC1
Destination MAC: PM1 MAC.
Step 67: VTEP device 304 sends VXLAN packet 6 to physical NIC 2043.
Step 68: physical NIC 2043 sends VXLAN packet 6 to top-of-rack switch 207.
Step 69: top-of-rack switch 207 sends VXLAN packet 6 to router 205.
Step 70: router 205 sends VXLAN packet 6 to VPN gateway 303 according to its outer destination IP address.
Step 71: VPN gateway 303 sends VPN packet 4 into Internet 30.
On receiving VXLAN packet 6, VPN gateway 303 places VXLAN packet 6 in the data part of VPN packet 4; the VPN header of VPN packet 4 has source IP address public IP2 and destination IP address public IP1.
Step 72: the routing devices of Internet 30 forward VPN packet 4 to VPN gateway 302 according to its destination IP address.
Step 73: VPN gateway 302 strips the VPN header of VPN packet 4, extracts VXLAN packet 6 from the data part of VPN packet 4 and sends VXLAN packet 6 to VTEP device 301 according to its outer destination IP address.
Step 74: VTEP device 301 receives VXLAN packet 6, decapsulates it to recover layer-2 message 2 and VNI0, selects subnet 2 by VNI0 and delivers layer-2 message 2 to PM1 in subnet 2.
In this step PM1 receives layer-2 message 2, extracts IP packet 2 from the data part of layer-2 message 2 and reply information 1 from the data part of IP packet 2. The request information PM1 sent to VM1 has now been answered by VM1, and the communication between PM1 and VM1 is complete.
In this step PM1 may also record the source MAC address of layer-2 message 2 (L2 MAC1) and the source IP address of layer-2 message 2 (192.168.0.2) in its local ARP table.
In summary, PM1 is unaware of layer-2 gateway 200 and of the layer-2 communication tunnel; PM1 believes that VM1 and PM1 are on the same LAN (192.168.0.0/24). The embodiment therefore places PM1 of off-cloud data center 10 and VM1 of cloud data center 20 in one LAN.
Figure 12 shows the method by which VM1 initiates an ARP request toward PM1. In this embodiment VM1 initiates communication with PM1; VM1 knows only PM1's private address 192.168.0.4, and its local ARP table has no MAC address recorded for 192.168.0.4, so VM1 sends an ARP request to look up the MAC address corresponding to 192.168.0.4. The method comprises the following steps:
Step 1': VM1 sends ARP request 2 to virtual port 5.
The four-tuple of ARP request 2 is:
Source IP: 192.168.0.2
Destination IP: 192.168.0.4
Source MAC: VM1 MAC
Destination MAC: FFFF FFFF FFFF
Step 2': virtual port 5 sends ARP request 2 to logical bridge 2034.
Step 3': logical bridge 2034 sends ARP reply 2 to virtual port 5.
The four-tuple of ARP reply 2 is:
Source IP: 192.168.0.4
Destination IP: 192.168.0.2
Source MAC: L2 MAC2
Destination MAC: VM1 MAC
In this step, when logical bridge 2034 receives a message from a virtual machine attached to device manager 2031 and finds that its destination MAC address is FFFF FFFF FFFF, it treats the received message as an ARP request and further checks whether the destination IP address of the ARP request is a private address already in use in subnet 1 (for example 192.168.0.2 or 192.168.0.3).
If it is not, the private address belongs to off-cloud data center 10: logical bridge 2034 intercepts the ARP request and sends the virtual machine an ARP reply whose source MAC address is L2 MAC2, telling VM1 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
If it is, the private address belongs to subnet 1 and logical bridge 2034 broadcasts the ARP request in subnet 1.
Step 4': virtual port 5 sends ARP reply 2 to VM1.
VM1 concludes from the source MAC address of ARP reply 2 that the MAC address corresponding to 192.168.0.4 is L2 MAC2.
VM1 records the mapping of 192.168.0.4 to L2 MAC2 in its local ARP table.
Having obtained L2 MAC2, VM1 constructs layer-2 message 3 and sends it to virtual port 5. The four-tuple of layer-2 message 3 is the same as that of layer-2 message 2 above; the difference is that the data part of layer-2 message 3 carries IP packet 3, whose data part carries request information 2 rather than reply information 1. Layer-2 message 3 follows exactly the same path through the hybrid cloud communication system as layer-2 message 2, so it is not described again.
One difference should be noted: when layer-2 message 3 reaches layer-2 gateway 200, if the local ARP table of layer-2 gateway 200 has no MAC address recorded for the destination IP address of layer-2 message 3 (192.168.0.4), layer-2 gateway 200 must send an ARP request into subnet 2 through virtual NIC 1 to obtain the MAC address corresponding to 192.168.0.4.
Once layer-2 message 3 from VM1 reaches PM1, PM1 constructs layer-2 message 4 to reply to VM1. The four-tuple of layer-2 message 4 is the same as that of layer-2 message 1 above; the difference is that the data part of layer-2 message 4 carries IP packet 4, whose data part carries reply information 2 rather than request information 1. Layer-2 message 4 follows exactly the same path through the hybrid cloud communication system as layer-2 message 1, so it is likewise not described again.
In other embodiments of the invention, once logical bridge 2034 has identified a received message as an ARP request it may send the ARP request to layer-2 gateway 200, which intercepts it and returns an ARP reply to VM1.
Note that having logical bridge 2034 intercept the ARP request avoids broadcasting the ARP request in cloud data center 20.
In summary, the embodiments of Figures 9 to 12 detail the process by which VM1 and PM1 interconnect at layer 2 through layer-2 gateway 200.
Figure 13 is a schematic of the structure of the layer-2 gateway in the hybrid cloud environment according to an embodiment. As shown in Figure 13, layer-2 gateway 200 comprises receiving module 2001, sending module 2002, mapping acquisition module 2003 and MAC address translation module 2004. Receiving module 2001 performs the message-receiving actions of the embodiments above; sending module 2002 performs the message-sending actions of the embodiments above; mapping acquisition module 2003 performs the actions of learning and recording the mapping between a virtual machine's private address and MAC address and the mapping between a physical machine's private address and MAC address; and MAC address translation module 2004 performs the message-modifying actions of the embodiments above.
Figure 14 is a schematic of the structure of the management device in the hybrid cloud environment according to an embodiment. As shown in Figure 14, management device 2000 comprises gateway creation module 2021, which performs the method of creating layer-2 gateway 200 described above, and gateway configuration module 2022, which performs the method of configuring layer-2 gateway 200 described above. Management device 2000 may be provided as a functional module within control platform 201.
Note that layer-2 gateway 200 of Figures 9 to 12 is implemented as software, a virtual machine or a container running on network node 204, but the embodiments are not limited to this; layer-2 gateway 200 may also be implemented by a general-purpose computing device. For example, see Figure 15, a schematic of another structure of the layer-2 gateway according to an embodiment: layer-2 gateway 200 comprises processor 2006, memory 2007, first network interface 2008, second network interface 2009 and bus 2010. Memory 2007 stores program instructions, and processor 2006 executes them to implement the functions of layer-2 gateway 200 described in the embodiments above.
Note that when layer-2 gateway 200 is a general-purpose computing device, virtual switch 2042 and VTEP device 304 of Figures 9 to 12, which connect to layer-2 gateway 200, may be implemented by a VXLAN switch that combines switching with VXLAN encapsulation and decapsulation.
For example, layer-2 gateway 200 may be a general-purpose computing device implementing Network Functions Virtualization (NFV).
Figure 16 is a schematic of another structure of the management device in the hybrid cloud environment according to an embodiment. As shown in Figure 16, the management device comprises processor 2023, memory 2024, network interface 2025 and bus 2026; memory 2024 stores program instructions, and processor 2023 executes them to implement the management method in the hybrid cloud environment described in the embodiments above.
Embodiments of the invention also provide a computer program product implementing the functions of the layer-2 gateway above and a computer program product implementing the functions of the control platform above. Each computer program product comprises a computer-readable storage medium storing program code whose instructions perform the method flow of any of the method embodiments above. As those of ordinary skill in the art understand, such storage media include USB drives, portable hard disks, magnetic disks, optical discs, Random-Access Memory (RAM), Solid State Disks (SSD), non-volatile memory and other non-transitory machine-readable media capable of storing program code.
The embodiments provided in this application are illustrative only. Those skilled in the art will appreciate that, for convenience and brevity of description, each embodiment emphasizes different aspects; for parts not detailed in one embodiment, refer to the relevant description of the other embodiments. The features disclosed in the embodiments, claims and drawings of the invention may exist independently or in combination. Features described in hardware form in the embodiments may be implemented in software, and vice versa. No limitation is intended here.
Claims (27)
- 一种混合云环境中的通信方法,其特征在于,用于第一数据中心和第二数据中心之间的通信,所述第一数据中心用于提供非公有云业务,所述第二数据中用于提供公有云业务,所述第二数据中心设置有网关,所述网关与所述第一数据中心的第一子网通过通信隧道远程连接,并与所述第二数据中心的第二子网连接,所述第一子网与所述第二子网具有相同的私网网段,所述方法包括:所述网关接收所述第一子网中的第一设备发送的第一地址解析协议ARP请求报文,所述第一ARP请求报文用于请求所述第二子网中的第二设备的MAC地址;所述网关向所述第一设备发送第一ARP应答报文,所述第一ARP应答报文携带所述网关的第一MAC地址。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:所述网关获取并记录所述第二子网中的第二设备的私网地址与MAC地址的第一对应关系。
- 根据权利要求2所述的方法,其特征在于,所述方法还包括:所述网关接收所述第一设备通过所述通信隧道发送的第一报文,所述第一报文的目的IP地址包括所述第二设备的私网地址,目的MAC地址包括所述网关的第一MAC地址,源IP地址包括所述第一设备的私网地址,源MAC地址包括所述第一设备的MAC地址;所述网关根据所述第一报文携带的所述第二设备的私网地址从所述第一对应关系获取所述第二设备的MAC地址,将所述第一报文的目的MAC地址修改为所述第二设备的MAC地址,将所述第一报文的源MAC地址修改为所述网关的第二MAC地址;所述网关将所述修改后的第一报文发送至所述第二设备。
- 根据权利要求1所述的方法,其特征在于,所述第一ARP请求报文的源IP地址包括所述第一设备的私网地址,源MAC地址包括所述第一设备的MAC地址,所述方法还包括:所述网关学习并记录所述第一设备的私网地址和所述第一设备的MAC地址的第二对应关系。
- 根据权利要求4所述的方法,其特征在于,所述方法还包括:所述网关接收所述第二设备发送的第二报文,所述第二报文的目的IP地址包括所述第一设备的私网地址,目的MAC地址包括所述网关的第二MAC地址,源IP地址包括所述第一设备的私网地址,源MAC地址包括所述第二设备的MAC地址;所述网关根据所述第二报文携带的所述第一设备的私网地址从所述第二对应关系获取所述第一设备的MAC地址,将所述第二报文的目的MAC地址修改为所述第一设备的MAC地址,将所述第二报文的源MAC地址修改为所述网关的第一MAC地址;所述网关将所述修改后的第二报文通过所述通信隧道发送至所述第一设备。
- 根据权利要求5所述的方法,其特征在于,所述网关接收所述第二设备发送的第二报文之前,所述方法还包括:所述网关接收所述第二设备发送的第二ARP请求报文,所述第二ARP请求报文用于请求所述第一子网中的第一设备的MAC地址;所述网关向所述第二设备发送第二ARP应答报文,所述第二ARP应答报文携带所述网关的第二MAC地址。
- 根据权利要求5所述的方法,其特征在于,所述第二数据中心还包括设备管理器,所述网关接收所述第二设备发送的第二报文之前,所述方法还包括:所述设备管理器接收所述第二设备发送的第二ARP请求报文,所述第二ARP请求报文用于请求所述第一子网中的第一设备的MAC地址;所述设备管理器向所述第二设备发送第二ARP应答报文,所述第二ARP应答报文携带所述网关的第二MAC地址。
- 一种混合云环境中的管理方法,其特征在于,所述混合云环境包括第一数据中心和第二数据中心,所述第一数据中心用于提供非公有云业务,所述第二数据中心用于提供公有云业务,所述第一数据中心的第一子网与所述第二数据中心的第二子网的配置有相同的私网网段,所述方法包括:创建网关,所述网关位于所述第二数据中心,所述网关与所述第一数据中心的所述第一子网通过通信隧道远程连接,所述网关与所述第二数据中心中的所述第二子网连接;配置所述网关以拦截来自所述第一子网的第一设备针对所述第二子网中的第二设备的第一地址解析协议ARP请求报文,并向所述第一设备返回第一ARP应答报文,其中所述第一ARP应答报文携带所述网关的第一MAC地址。
- 如权利要求8所述的方法,其特征在于,所述方法还包括:配置所述网关以学习并记录所述第一ARP请求报文中携带的所述第一设备的IP地址与MAC地址之间的对应关系。
- 根据权利要求8或9所述的方法,其特征在于,所述方法还包括:配置所述网关以接收来自所述第二子网的第二设备针对所述第一设备的第二ARP请求报文,以及向所述第二设备返回第二ARP应答报文,所述第二ARP应答报文携带所述网关的第二MAC地址。
- 如权利要求8或9所述的方法,其特征在于,所述方法还包括:配置设备管理器以接收来自所述第二设备针对所述第一设备的第二ARP请求报文,以及向所述第二设备返回第二ARP应答报文,所述第二ARP应答报文携带所述网关的第二MAC地址,其中所述设备管理器与所述第二设备连接。
- A gateway in a hybrid cloud environment, the gateway being remotely connected to a first subnet of a first data center through a communication tunnel and connected to a second subnet of a second data center, the first subnet and the second subnet having the same private network segment, the first data center providing non-public-cloud services and the second data center providing public-cloud services, the gateway comprising: a receiving module configured to receive a first Address Resolution Protocol (ARP) request message sent by a first device in the first subnet, the first ARP request message requesting the MAC address of a second device in the second subnet; and a sending module configured to send a first ARP reply message to the first device, the first ARP reply message carrying a first MAC address of the gateway.
- The gateway according to claim 12, further comprising: a correspondence obtaining module configured to obtain and record a first correspondence between the private network address and the MAC address of the second device in the second subnet.
- The gateway according to claim 13, further comprising a MAC address conversion module, wherein: the receiving module is configured to receive a first message sent by the first device through the communication tunnel, the destination IP address of the first message comprising the private network address of the second device, the destination MAC address comprising the first MAC address of the gateway, the source IP address comprising the private network address of the first device, and the source MAC address comprising the MAC address of the first device; the MAC address conversion module is configured to obtain the MAC address of the second device from the first correspondence according to the private network address of the second device carried in the first message, modify the destination MAC address of the first message to the MAC address of the second device, and modify the source MAC address of the first message to a second MAC address of the gateway; and the sending module is configured to send the modified first message to the second device.
- The gateway according to any one of claims 12 to 14, wherein the source IP address of the first ARP request message comprises the private network address of the first device and the source MAC address comprises the MAC address of the first device, and the correspondence obtaining module is configured to learn and record a second correspondence between the private network address of the first device and the MAC address of the first device.
- The gateway according to claim 15, wherein: the receiving module is configured to receive a second message sent by the second device, the destination IP address of the second message comprising the private network address of the first device, the destination MAC address comprising the second MAC address of the gateway, the source IP address comprising the private network address of the second device, and the source MAC address comprising the MAC address of the second device; the MAC address conversion module is configured to obtain the MAC address of the first device from the second correspondence according to the private network address of the first device carried in the second message, modify the destination MAC address of the second message to the MAC address of the first device, and modify the source MAC address of the second message to the first MAC address of the gateway; and the sending module is configured to send the modified second message to the first device through the communication tunnel.
- The gateway according to claim 16, wherein before the receiving module receives the second message sent by the second device: the receiving module is configured to receive a second ARP request message sent by the second device, the second ARP request message requesting the MAC address of the first device in the first subnet; and the sending module is configured to send a second ARP reply message to the second device, the second ARP reply message carrying the second MAC address of the gateway.
- A management apparatus in a hybrid cloud environment, the hybrid cloud environment comprising a first data center and a second data center, the first data center providing non-public-cloud services and the second data center providing public-cloud services, a first subnet of the first data center and a second subnet of the second data center being configured with the same private network segment, the management apparatus comprising: a gateway creation module configured to create a gateway, the gateway being located in the second data center, remotely connected to the first subnet of the first data center through a communication tunnel, and connected to the second subnet in the second data center; and a gateway configuration module configured to configure the gateway to intercept a first Address Resolution Protocol (ARP) request message from a first device in the first subnet for a second device in the second subnet, and to return a first ARP reply message to the first device, the first ARP reply message carrying a first MAC address of the gateway.
- The management apparatus according to claim 18, wherein the gateway configuration module is configured to configure the gateway to learn and record the correspondence between the IP address and the MAC address of the first device carried in the first ARP request message.
- The management apparatus according to claim 18 or 19, wherein the gateway configuration module is configured to configure the gateway to receive a second ARP request message from the second device in the second subnet for the first device, and to return a second ARP reply message to the second device, the second ARP reply message carrying a second MAC address of the gateway.
- The management apparatus according to claim 18 or 19, wherein the gateway configuration module is configured to configure a device manager connected to the second device in the second subnet to receive a second ARP request message from the second device for the first device, and to return a second ARP reply message to the second device, the second ARP reply message carrying a second MAC address of the gateway.
- A gateway in a hybrid cloud environment, comprising a first network interface, a second network interface, a memory and a processor, the memory storing program instructions and the processor executing the program instructions to perform the method according to any one of claims 1 to 6.
- A management apparatus in a hybrid cloud environment, comprising a network interface, a memory and a processor, the memory storing program instructions and the processor executing the program instructions to perform the method according to any one of claims 8 to 11.
- A computer program product comprising program code, the instructions comprised in the program code being executed by a computer to perform the method according to any one of claims 1 to 6.
- A computer-readable storage medium comprising program instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 6.
- A computer program product comprising program code, the instructions comprised in the program code being executed by a computer to perform the method according to any one of claims 8 to 11.
- A computer-readable storage medium comprising program instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 8 to 11.
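The ARP proxying and MAC rewriting of claims 1 to 6, as an added Python simulation that is not part of the patent, its embodiments, or any vendor implementation. The topology is constructed for the example: both subnets use 10.0.0.0/24, the first device (on-premises) is 10.0.0.5, the second device (public cloud) is 10.0.0.9, and the gateway's first and second MAC addresses are 02:00:00:00:00:01 (tunnel side) and 02:00:00:00:00:02 (cloud side). Frames and ARP messages are simplified dataclasses rather than real packets. Because the gateway answers ARP on behalf of the remote device and builds the return-path table (the second correspondence) from ARP requests that arrive over the tunnel, that table is exactly what an ARP-spoofing host on the on-premises side would try to poison; the refusal to rebind a learned IP to a different MAC is this example's own hardening, not something the claims require.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed topology (assumption, not from the patent): both subnets share the
# private segment 10.0.0.0/24, so an IP alone cannot tell the gateway which side a
# host is on; the gateway keys on which of its own two MAC addresses was targeted.
GW_MAC1 = "02:00:00:00:00:01"   # gateway's first MAC: answers ARP arriving from the tunnel
GW_MAC2 = "02:00:00:00:00:02"   # gateway's second MAC: answers ARP from the cloud subnet
DEV_A_IP, DEV_A_MAC = "10.0.0.5", "02:aa:aa:aa:aa:05"   # first device, on-premises subnet
DEV_B_IP, DEV_B_MAC = "10.0.0.9", "02:bb:bb:bb:bb:09"   # second device, public-cloud subnet


@dataclass(frozen=True)
class ArpRequest:
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass(frozen=True)
class ArpReply:
    target_ip: str    # the IP that was asked about
    target_mac: str   # the MAC the requester should use for it


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes = b""


class HybridCloudGateway:
    """Layer-2 gateway between two subnets that share one private segment."""

    def __init__(self, mac1: str, mac2: str, second_subnet: Dict[str, str]):
        self.mac1 = mac1
        self.mac2 = mac2
        # First correspondence (claim 2): IP -> MAC of devices in the cloud subnet,
        # obtained on the cloud side rather than learned from remote ARP traffic.
        self.cloud_table: Dict[str, str] = dict(second_subnet)
        # Second correspondence (claim 4): IP -> MAC learned from ARP requests
        # that arrive over the tunnel from the on-premises subnet.
        self.remote_table: Dict[str, str] = {}

    def learn_remote(self, ip: str, mac: str) -> bool:
        """Record an on-premises binding. Refusing to silently rebind an IP to a new
        MAC is this example's own hardening against ARP spoofing over the tunnel."""
        known = self.remote_table.get(ip)
        if known is not None and known != mac:
            return False
        self.remote_table[ip] = mac
        return True

    def on_arp_from_tunnel(self, req: ArpRequest) -> Optional[ArpReply]:
        """Claims 1 and 4: learn the requester, then answer with MAC1 for cloud targets."""
        self.learn_remote(req.sender_ip, req.sender_mac)
        if req.target_ip not in self.cloud_table:
            return None   # not a known cloud host; nothing to proxy
        return ArpReply(req.target_ip, self.mac1)

    def on_arp_from_cloud(self, req: ArpRequest) -> Optional[ArpReply]:
        """Claim 6: answer with MAC2 for targets that are not local cloud hosts."""
        if req.target_ip in self.cloud_table:
            return None   # a local cloud host answers for itself
        return ArpReply(req.target_ip, self.mac2)

    def forward_to_cloud(self, frame: Frame) -> Optional[Frame]:
        """Claim 3: frame from the tunnel addressed to MAC1; rewrite MACs, keep IPs."""
        if frame.dst_mac != self.mac1:
            return None
        real_dst = self.cloud_table.get(frame.dst_ip)
        if real_dst is None:
            return None   # no first-correspondence entry; drop
        return replace(frame, dst_mac=real_dst, src_mac=self.mac2)

    def forward_to_tunnel(self, frame: Frame) -> Optional[Frame]:
        """Claim 5: frame from the cloud addressed to MAC2; rewrite MACs, send via tunnel."""
        if frame.dst_mac != self.mac2:
            return None
        real_dst = self.remote_table.get(frame.dst_ip)
        if real_dst is None:
            return None   # the first device never ARPed through us; drop
        return replace(frame, dst_mac=real_dst, src_mac=self.mac1)


def round_trip() -> Dict[str, object]:
    """Run the exchange of claims 1 to 6 once and return what each hop produced."""
    gw = HybridCloudGateway(GW_MAC1, GW_MAC2, {DEV_B_IP: DEV_B_MAC})
    # 1. A asks for B's MAC; the gateway intercepts and answers with MAC1.
    reply_a = gw.on_arp_from_tunnel(ArpRequest(DEV_A_IP, DEV_A_MAC, DEV_B_IP))
    # 2. A sends to "B" via MAC1; the gateway rewrites to B's real MAC and MAC2.
    to_b = gw.forward_to_cloud(Frame(DEV_A_MAC, GW_MAC1, DEV_A_IP, DEV_B_IP, b"ping"))
    # 3. B asks for A's MAC; the gateway answers with MAC2.
    reply_b = gw.on_arp_from_cloud(ArpRequest(DEV_B_IP, DEV_B_MAC, DEV_A_IP))
    # 4. B replies via MAC2; the gateway rewrites to A's learned MAC and MAC1.
    to_a = gw.forward_to_tunnel(Frame(DEV_B_MAC, GW_MAC2, DEV_B_IP, DEV_A_IP, b"pong"))
    # 5. A spoofed ARP over the tunnel claiming A's IP with another MAC is rejected.
    spoof_accepted = gw.learn_remote(DEV_A_IP, "02:ee:ee:ee:ee:ee")
    return {"reply_a": reply_a, "to_b": to_b, "reply_b": reply_b,
            "to_a": to_a, "spoof_accepted": spoof_accepted, "gateway": gw}


if __name__ == "__main__":
    for hop, result in round_trip().items():
        print(hop, result)
```

Note that the IP headers are never touched: only the Ethernet source and destination MACs change at each crossing, which is what lets both sides keep the same private segment without NAT. The two tables are populated differently on purpose, as in claims 2 and 4: the cloud-side table comes from the cloud side's own inventory, while the remote table is learned from ARP, so the remote table is the one that needs the conflict check.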
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2021576171A JP7413415B2 (ja) | 2019-09-06 | 2020-09-07 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
EP20861625.0A EP3975508A4 (en) | 2019-09-06 | 2020-09-07 | COMMUNICATION METHOD FOR HYBRID CLOUD ENVIRONMENT, GATEWAY AND MANAGEMENT METHOD AND DEVICE |
US17/570,184 US11888809B2 (en) | 2019-09-06 | 2022-01-06 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
US18/392,178 US20240154928A1 (en) | 2019-09-06 | 2023-12-21 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910844549.1 | 2019-09-06 | ||
CN201910844549 | 2019-09-06 | ||
CN201911419113.4 | 2019-12-31 | ||
CN201911419113.4A CN112468383B (zh) | 2019-09-06 | 2019-12-31 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/570,184 Continuation US11888809B2 (en) | 2019-09-06 | 2022-01-06 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021043314A1 true WO2021043314A1 (zh) | 2021-03-11 |
Family
ID=74807817
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/113850 WO2021043314A1 (zh) | 2019-09-06 | 2020-09-07 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
Country Status (5)
Country | Link |
---|---|
US (2) | US11888809B2 (zh) |
EP (1) | EP3975508A4 (zh) |
JP (1) | JP7413415B2 (zh) |
CN (2) | CN112468383B (zh) |
WO (1) | WO2021043314A1 (zh) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113312417B (zh) * | 2020-09-14 | 2022-07-26 | 北京知呱呱科技服务有限公司 | Data processing method applied to big data and cloud computing, and big-data service platform |
US11956201B2 (en) * | 2021-11-03 | 2024-04-09 | Nutanix, Inc. | Method and system for efficient address resolution in extended subnets |
WO2023150527A1 (en) * | 2022-02-02 | 2023-08-10 | Oracle International Corporation | Configuring a network-link for establishing communication between different cloud environments |
CN114884810A (zh) * | 2022-03-25 | 2022-08-09 | 阿里云计算有限公司 | SDN-based network data transmission method, access method and storage medium |
CN115396367B (zh) * | 2022-07-06 | 2023-07-21 | 北京百度网讯科技有限公司 | Traffic scheduling method and apparatus, electronic device and storage medium |
US12074765B2 (en) * | 2022-10-13 | 2024-08-27 | VMware LLC | Replication of VPN configuration |
WO2024125332A1 (zh) * | 2022-12-12 | 2024-06-20 | 华为云计算技术有限公司 | Communication method, gateway, and management method and apparatus in hybrid cloud environment |
US12113766B2 | 2022-12-13 | 2024-10-08 | Microsoft Technology Licensing, Llc | Address resolution protocol request resolution |
CN116996476B (zh) * | 2023-09-27 | 2023-12-12 | 深圳市纽创信安科技开发有限公司 | Information processing method, electronic device and storage medium |
CN117118774B (zh) * | 2023-10-23 | 2024-02-27 | 杭州优云科技有限公司 | Method and apparatus for accessing a cloud computing gateway in a layer-2 network |
CN117834478A (zh) * | 2023-12-14 | 2024-04-05 | 天翼云科技有限公司 | Method and system for supporting high availability of a public-cloud detection cluster |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105591955A (zh) * | 2015-10-30 | 2016-05-18 | 杭州华三通信技术有限公司 | Message transmission method and apparatus |
US20160352682A1 (en) * | 2015-05-29 | 2016-12-01 | Cisco Technology, Inc. | Default gateway extension |
US20170099188A1 (en) * | 2015-10-06 | 2017-04-06 | Cisco Technology, Inc. | Policy-driven switch overlay bypass in a hybrid cloud network environment |
WO2018150222A1 (en) * | 2017-02-14 | 2018-08-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Internet protocol (ip) address allocation over virtual layer 2 networks |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9154327B1 (en) * | 2011-05-27 | 2015-10-06 | Cisco Technology, Inc. | User-configured on-demand virtual layer-2 network for infrastructure-as-a-service (IaaS) on a hybrid cloud network |
WO2014079005A1 (zh) * | 2012-11-21 | 2014-05-30 | 华为技术有限公司 | Apparatus and method for forced MAC address forwarding |
CN106921551A (zh) * | 2015-12-24 | 2017-07-04 | 中国电信股份有限公司 | Virtual communication method, system and device |
US10200267B2 (en) * | 2016-04-18 | 2019-02-05 | Nyansa, Inc. | System and method for client network congestion detection, analysis, and management |
CN107332812B (zh) * | 2016-04-29 | 2020-07-07 | 新华三技术有限公司 | Method and apparatus for implementing network access control |
CN107800743B (zh) * | 2016-09-06 | 2020-11-24 | 中国电信股份有限公司 | Cloud desktop system, cloud management system and related devices |
CN111835878A (zh) * | 2017-01-25 | 2020-10-27 | 华为技术有限公司 | Hybrid cloud management method, apparatus and computing device |
US11032369B1 (en) * | 2017-08-28 | 2021-06-08 | Aviatrix Systems, Inc. | System and method for non-disruptive migration of software components to a public cloud system |
CN108199945B (zh) * | 2017-12-23 | 2019-10-01 | 华为技术有限公司 | Message transmission method, network device and message processing system |
- 2019
  - 2019-12-31 CN CN201911419113.4A patent/CN112468383B/zh active Active
  - 2019-12-31 CN CN202310020606.0A patent/CN116208658A/zh active Pending
- 2020
  - 2020-09-07 EP EP20861625.0A patent/EP3975508A4/en active Pending
  - 2020-09-07 WO PCT/CN2020/113850 patent/WO2021043314A1/zh unknown
  - 2020-09-07 JP JP2021576171A patent/JP7413415B2/ja active Active
- 2022
  - 2022-01-06 US US17/570,184 patent/US11888809B2/en active Active
- 2023
  - 2023-12-21 US US18/392,178 patent/US20240154928A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160352682A1 (en) * | 2015-05-29 | 2016-12-01 | Cisco Technology, Inc. | Default gateway extension |
US20170099188A1 (en) * | 2015-10-06 | 2017-04-06 | Cisco Technology, Inc. | Policy-driven switch overlay bypass in a hybrid cloud network environment |
CN105591955A (zh) * | 2015-10-30 | 2016-05-18 | 杭州华三通信技术有限公司 | Message transmission method and apparatus |
WO2018150222A1 (en) * | 2017-02-14 | 2018-08-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Internet protocol (ip) address allocation over virtual layer 2 networks |
Also Published As
Publication number | Publication date |
---|---|
EP3975508A4 (en) | 2022-07-06 |
JP7413415B2 (ja) | 2024-01-15 |
CN112468383A (zh) | 2021-03-09 |
JP2022541381A (ja) | 2022-09-26 |
US11888809B2 (en) | 2024-01-30 |
US20220131827A1 (en) | 2022-04-28 |
US20240154928A1 (en) | 2024-05-09 |
CN112468383B (zh) | 2023-01-06 |
CN116208658A (zh) | 2023-06-02 |
EP3975508A1 (en) | 2022-03-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021043314A1 (zh) | Communication method, gateway, and management method and apparatus in hybrid cloud environment | |
US11765000B2 (en) | Method and system for virtual and physical network integration | |
WO2021135344A1 (zh) | Communication and configuration method between a virtual private cloud and an off-cloud data center, and related apparatus | |
Zeng et al. | Measurement and evaluation for docker container networking | |
AU2015256010B2 (en) | Migration of applications between an enterprise-based network and a multi-tenant network | |
US9042384B2 (en) | Distributed routing domains in multi-tenant datacenter virtual networks | |
WO2018137369A1 (zh) | Hybrid cloud management method, apparatus and computing device | |
WO2019204023A1 (en) | Cross-regional virtual network peering | |
US11743230B2 (en) | Network address translation (NAT) traversal and proxy between user plane function (UPF) and session management function (SMF) | |
CN109937400A (zh) | Flow state transfer for live migration of virtual machines | |
WO2021063028A1 (zh) | Method, apparatus and computing device for providing network services for a service | |
CN112671628A (zh) | Business service providing method and system | |
US20220239629A1 (en) | Business service providing method and system, and remote acceleration gateway | |
US20230106831A1 (en) | Building a platform to scale control and data plane for virtual network functions | |
WO2024141093A1 (zh) | NFV access method, device, system and storage medium | |
WO2024067338A1 (zh) | Cloud networking system, secure access method, device and storage medium | |
CN116248595B (zh) | Method, apparatus, device and medium for communication between a cloud internal network and a physical network | |
WO2024125332A1 (zh) | Communication method, gateway, and management method and apparatus in hybrid cloud environment | |
CN110875884B (zh) | Traffic migration system, data processing method and apparatus | |
CN118233227A (zh) | Communication method, gateway, and management method and apparatus in hybrid cloud environment | |
Rangisetti | Importance of Virtual Networks in Cloud and Telecom Networks | |
CN117459491A (zh) | Private network interconnection method, apparatus, device and storage medium | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 20861625; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2021576171; Country of ref document: JP; Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 2020861625; Country of ref document: EP; Effective date: 20211220 |
| NENP | Non-entry into the national phase | Ref country code: DE |