WO2022001669A1 - Method for establishing vxlan tunnel, and related device - Google Patents


Info

Publication number
WO2022001669A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
network device
network
terminal device
vxlan
Prior art date
Application number
PCT/CN2021/100425
Other languages
French (fr)
Chinese (zh)
Inventor
林志鸿
畅文俊
于斌
马家斌
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022001669A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4645 Details on frame tagging
    • H04L12/4675 Dynamic sharing of VLAN information amongst network nodes

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a method for establishing a virtual extensible local area network (VXLAN) tunnel and related equipment.
  • VXLAN: virtual extensible local area network
  • VXLAN technology can superimpose a Layer 2 virtual network on any reachable network, thereby improving the scale expansion capability of the network.
  • VXLAN includes network devices with two roles. One is called a border device; it represents the exit of the VXLAN, so it can forward packets to other VXLANs or to non-VXLAN networks. The other is called an edge device; it represents a service access point of the VXLAN, and user equipment forwards packets into the VXLAN through an edge device. VXLAN tunnels are established between the border device and the edge devices to carry packet forwarding in the VXLAN.
  • a VXLAN includes one or more border devices; where there are several, they are in a master-standby relationship, and control plane operations performed on one border device are synchronized to the others. Therefore, the following description takes a single border device as an example.
  • a VXLAN tunnel is established in advance, through dynamic routing, between every edge device and the border device and between every two edge devices, so as to facilitate subsequent forwarding.
  • when an edge device receives a packet sent by a user equipment, it forwards the packet over a pre-established VXLAN tunnel.
  • as a result, each edge device needs to establish a large number of VXLAN tunnels, which in turn causes more information to be stored in the forwarding table of each edge device. This not only wastes forwarding table resources on the edge devices but also lowers the efficiency of forwarding table lookups when forwarding packets.
  • the present application provides a method and related equipment for establishing a VXLAN tunnel, which can reduce the data storage pressure on the devices in the VXLAN, thereby saving forwarding table resources while improving forwarding table lookup efficiency when forwarding packets.
  • the technical solution is as follows:
  • a method for establishing a VXLAN tunnel is provided, the method is applied to a first network device in a VXLAN, the VXLAN includes multiple network devices, and the first network device is any one of the multiple network devices.
  • the first network device receives a first packet from the first terminal device, the destination address of the first packet being the address of the second terminal device. In response to failing to look up locally the second network device (the network device connected to the second terminal device), it establishes a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel between the first network device and the second network device.
  • establishing a VXLAN tunnel is essentially to obtain the identifier of the VXLAN tunnel, and then establish a correspondence between the destination address of the packet and the tunnel identifier, so that subsequent packets sent to the destination address can pass through the VXLAN tunnel.
  • the tunnel identifier can be the identifier of the peer device of the VXLAN tunnel (such as the IP address of the peer device), or it can be another unique symbol, other than the peer device identifier, that uniquely identifies the tunnel; for example, the tunnel identifier is a unique number for the VXLAN tunnel. The network device can use this number to index the corresponding entry, and the entry stores the VXLAN tunnel parameters, including the IP address of the peer device.
  • the above-mentioned process of establishing the correspondence between the address of the second terminal device and the tunnel identifier is: sending a terminal query request to the control device, the terminal query request including the address of the second terminal device; receiving the terminal query result returned by the control device, the terminal query result including the identifier of the second network device, which is the network device connected to the second terminal device; and, based on the identifier of the second network device, establishing the correspondence between the address of the second terminal device and the tunnel identifier.
  • the control device can act as a service center that provides each network device with a query service, and the query service can answer which network device any terminal device is connected to. Therefore, the first network device achieves dynamic establishment of the VXLAN tunnel by means of the control device.
  • the terminal query result further includes an access policy corresponding to the second terminal device, and the access policy indicates the conditions that the packet sent to the second terminal device needs to meet.
  • the first network device receives the second packet sent by the first terminal device, and the destination address carried in the second packet is the address of the second terminal device; if the second packet satisfies the access policy, the second packet is forwarded through the established VXLAN tunnel.
  • the access policy of each terminal device is also stored in the control device, so that after the VXLAN tunnel is dynamically established the access policy of the second terminal device is also sent to the first network device, and the first network device can manage the traffic sent to the second terminal device according to that access policy. This improves the flexibility of packet forwarding based on dynamically established VXLAN tunnels.
  • a second packet is received from the first terminal device, the source address of the second packet being the address of the first terminal device. If the second packet is the first packet received from the first terminal device, a terminal access announcement message is sent to the control device; the terminal access announcement message includes the address of the first terminal device and indicates that the first terminal device is connected to the first network device.
  • the network device can thus report its terminal devices to the control device, so that the control device stores the terminal access table of each network device; the terminal access table of any network device includes the address of each terminal device connected to that network device, which is what makes the on-demand dynamic establishment of VXLAN tunnels provided by this application possible.
  • the first packet is sent to the control device via the VXLAN tunnel between the first network device and the control device. Before the VXLAN tunnel between the first network device and the second network device is established, the packet can be delivered to the second terminal device by detouring through the control device, so as to minimize the forwarding delay of the packet.
  • because VXLAN tunnels are established dynamically, the resources occupied by idle VXLAN tunnels can be reclaimed by means of an aging time, so that idle tunnels do not occupy network resources and forwarding table resources are not wasted.
  • the first network device further stores a correspondence between the tunnel identifier and the identifier of the second network device.
  • after the correspondence between the address of the second terminal device and the tunnel identifier has aged out, if the correspondences between the addresses of all terminal devices and that tunnel identifier have aged out, the first network device deletes the correspondence between the tunnel identifier and the identifier of the second network device.
  • in other words, the first network device does not delete the VXLAN tunnel immediately (deleting the VXLAN tunnel refers to deleting the correspondence between the tunnel identifier and the identifier of the tunnel's peer device); it deletes the established VXLAN tunnel only after determining that no traffic has reached any terminal device under the second network device within the aging time, so as to ensure normal forwarding of traffic to the other terminal devices connected to the second network device.
  • in a second aspect, a first network device is provided, and the first network device has the function of implementing the behavior of the method for establishing a VXLAN tunnel in the first aspect.
  • the apparatus includes at least one module, and the at least one module is configured to implement the method for establishing a VXLAN tunnel provided in the first aspect above.
  • in a third aspect, a network device is provided, including a processor and a memory; the memory is used to store a program that supports the network device in executing the method for establishing a VXLAN tunnel provided in the first aspect, together with the data involved in implementing that method.
  • the processor is configured to execute the programs stored in the memory.
  • the network device may further include a communication bus for establishing a connection between the processor and the memory.
  • a computer-readable storage medium is provided; instructions are stored in the computer-readable storage medium, and when the instructions run on a computer, the computer executes the method for establishing a VXLAN tunnel described in the first aspect.
  • a computer program product containing instructions, which, when executed on a computer, cause the computer to execute the method for establishing a VXLAN tunnel described in the first aspect above.
  • FIG. 1 is a schematic diagram of a VXLAN system provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of another VXLAN system provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a VXLAN tunnel distribution provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a format of a VXLAN message provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of another VXLAN tunnel distribution provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of dynamically establishing a VXLAN tunnel according to an embodiment of the present application.
  • FIG. 7 is a flowchart of a method for establishing a VXLAN tunnel provided by an embodiment of the present application.
  • FIG. 8 is a flowchart of another method for establishing a VXLAN tunnel provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a first network device provided by an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • VXLAN technology is one of the standard technologies of Network Virtualization over Layer 3 (NVO3) defined by the Internet Engineering Task Force (IETF).
  • Request for Comments (RFC) 7348 defines the VXLAN message format.
  • MAC: Media Access Control
  • UDP: User Datagram Protocol
  • VXLAN can meet the needs of virtual machine migration and multi-tenancy in data center networks.
  • VXLAN is also suitable for the scenario of "one network with multiple uses" in the campus network. For example, the same bearer network is virtualized into multiple service networks to achieve mutual isolation between different service networks.
  • VXLAN can superimpose Layer 2 virtual networks on any network that can be reached by routes, and realize intercommunication within the VXLAN network through VXLAN gateways. At the same time, the VXLAN network can also realize the intercommunication with the traditional non-VXLAN network.
  • VXLAN technology extends the Layer 2 network by MAC-in-UDP encapsulation: the Ethernet frame is encapsulated in an Internet protocol (IP) packet and transmitted across the network through VXLAN gateways, so the bearer network does not need to be aware of the terminal device's MAC address. Since a routed network has no topology restrictions, it can be expanded on a large scale; therefore, over a routed network, the migration of user equipment such as virtual machines is not limited by the network architecture.
  • FIG. 1 is a schematic structural diagram of a VXLAN network provided by an embodiment of the present application.
  • the basic physical network is called the underlay network, and the virtualized network is called the overlay network or the virtual switch network (fabric).
  • the virtual network devices in the VXLAN network are divided into two roles. One represents the exit of the VXLAN network and is called the border device; it is connected to the external network, is usually the Layer 3 gateway of the VXLAN network, and corresponds to the egress gateway of the underlay network.
  • the other represents the access side of the VXLAN network and is called the edge device; it is the part of the VXLAN network that connects user equipment, corresponds to a virtual access point (VAP) in the VXLAN network, and usually corresponds to a network access device in the underlay network, such as an access switch or an access point (AP).
  • VAP: virtual access point
  • C1-C5 in the top-level network correspond to access devices A1-A5 in the bottom-level network, respectively, and border device D1 (border) in the top-level network corresponds to network egress device B1 in the bottom-level network.
  • VAP or VXLAN Tunnel Endpoints may also be deployed in the non-access layer network equipment of the underlying network.
  • C1 and C2 correspond to aggregation devices Agg1 and Agg2 in the underlying network, respectively.
  • the edge devices and the border device communicate with one another through VXLAN tunnels.
  • Layer 3 VXLAN tunnels are created between the border device and the edge devices; mutual access between terminal devices in different VXLANs (Layer 3 mutual access) needs to be forwarded through a Layer 3 VXLAN tunnel.
  • Layer 2 VXLAN tunnels are created between edge devices; terminal devices in the same VXLAN communicate with each other (Layer 2 mutual access) through Layer 2 VXLAN tunnels.
  • the encapsulation format of the VXLAN message is also explained.
  • original frame: the original Layer 2 frame.
  • outer headers: the outer UDP header, together with the IP and MAC addresses of the bearer network, is prepended to the original frame as the outer header, yielding a VXLAN packet.
  • VNI (VXLAN Network Identifier): similar to the VLAN ID in traditional networks, it distinguishes VXLAN network segments. Tenants in different VXLAN segments cannot communicate directly at Layer 2. A network can be divided into one or more VNIs.
  • BD (broadcast domain): similar to dividing broadcast domains by VLAN in a traditional network, the VXLAN network divides broadcast domains by BD. A VNI is mapped 1:1 to a BD; a BD represents one broadcast domain, and hosts in the same BD can communicate at Layer 2.
  • VTEP (VXLAN Tunnel Endpoint): encapsulates and decapsulates VXLAN packets. In the outer IP header, the source IP address is the IP address of the source VTEP and the destination IP address is the IP address of the destination VTEP.
  • a pair of VTEP addresses corresponds to a VXLAN tunnel. After the source end encapsulates the packet, the encapsulated packet is sent to the destination VTEP through the tunnel, and the destination VTEP decapsulates it.
  • VAP: Virtual Access Point
  • the VXLAN service access point, which can access services based on VLAN or on the packet flow encapsulation type.
  • NVE: Network Virtualization Edge
  • like a traditional VLAN network, the VXLAN network supports both mutual access within a VXLAN network and mutual access between VXLAN networks.
  • Layer 2 gateway: similar to a Layer 2 access device on a traditional network, a Layer 2 gateway in a VXLAN network enables tenants to access the VXLAN virtual network. Layer 2 gateways can also be used for subnet communication within the same VXLAN virtual network. Combined with the foregoing explanation of the functions of border devices and edge devices, in VXLAN the edge device can serve as a Layer 2 gateway.
  • Layer 3 gateway: as in traditional networks, where users in different VLANs cannot communicate directly at Layer 2, VXLANs with different VNIs, and VXLANs and non-VXLANs, cannot communicate directly with each other. To enable communication between VXLANs and between VXLANs and non-VXLANs, the concept of the VXLAN Layer 3 gateway is introduced. Layer 3 gateways are used for cross-subnet communication of VXLAN virtual networks and for access to external networks. Likewise, combined with the foregoing explanation of the functions of border devices and edge devices, in VXLAN the border device can serve as a Layer 3 gateway.
  • the method provided by the embodiment of the present application is applied to the above scenario of forwarding packets through VXLAN. Its purpose is to provide a method for dynamically establishing VXLAN tunnels according to traffic requirements, so that VXLAN tunnels need not be established between all network devices during network initialization, thereby avoiding the waste of forwarding table resources on each network device and also improving forwarding table lookup efficiency when forwarding packets.
  • the essence of establishing a VXLAN tunnel is to obtain the identifier of the VXLAN tunnel and then establish a correspondence between the destination address of the packet and the tunnel identifier, so that subsequent packets sent to the destination address can be forwarded through the VXLAN tunnel.
  • the tunnel identifier can be the identifier of the peer device of the VXLAN tunnel (such as the IP address of the peer device), or it can be another unique symbol, other than the peer device identifier, that uniquely identifies the tunnel; for example, the tunnel identifier is a unique number for the VXLAN tunnel. The network device can use this number to index the corresponding entry, and the entry stores the VXLAN tunnel parameters, including the IP address of the peer device.
  • VXLAN tunnels between all network devices are not established. Instead, the VXLAN tunnel between the two network devices is established only when there is a traffic access requirement between the two network devices.
  • a control device is configured for the VXLAN network. After the control device is configured, the following configuration is performed between the control device and each network device in the VXLAN.
  • the above-mentioned control device may be a certain network device in the VXLAN.
  • the control device may also be a device outside the above VXLAN; for example, the control device supports VXLAN but is in a VXLAN whose virtual network identifier (VNI) differs from that of the network devices, or the control device may not support VXLAN at all.
  • VNI: virtual network identifier
  • OCP: overlay control protocol
  • the OCP protocol is only one optional control plane protocol for realizing communication between the control device and the other network devices in the VXLAN.
  • this embodiment of the present application does not limit how the control device establishes the control plane protocol with each network device.
  • the control device is set as a border device in the VXLAN, and a virtual network control protocol, the overlay control protocol (OCP), is deployed between it and the other network devices.
  • any edge device may first establish a north-south VXLAN tunnel with the border device, while no VXLAN tunnel is established between edge devices.
  • the technical effect of establishing a north-south VXLAN tunnel between each edge device and the border device is: before a VXLAN tunnel is established between two edge devices, the VXLAN packets between them can detour through the border device, avoiding the long packet transmission delay that would otherwise occur before the tunnel between the edge devices is established.
  • FIG. 5 is a schematic diagram of the architecture of a VXLAN provided by an embodiment of the present application.
  • the VXLAN includes five VTEPs, which are marked as VTEP-1, VTEP-2, VTEP-3, VTEP-4, and VTEP-5.
  • VTEP-1, VTEP-2, VTEP-3, and VTEP-4 are edge devices
  • VTEP-5 is a border device. The OCP protocol is deployed on VTEP-1, VTEP-2, VTEP-3, VTEP-4, and VTEP-5, so that VTEP-5 acts as the OCP server and VTEP-1, VTEP-2, VTEP-3, and VTEP-4 act as OCP clients.
  • VTEP-1, VTEP-2, VTEP-3, and VTEP-4 each establish a VXLAN tunnel with VTEP-5, giving the four north-south VXLAN tunnels shown in FIG. 5.
  • VXLAN tunnels are not established between VTEP-1, VTEP-2, VTEP-3, and VTEP-4.
  • alternatively, the edge devices and the border device do not first establish north-south VXLAN tunnels.
  • in that case, packets are transmitted only after the VXLAN tunnel between the two edge devices is established.
  • the terminal device is usually also configured with an access policy.
  • the access policy is used to indicate the conditions that the packet sent to the terminal device needs to meet, so as to realize the management and control of the traffic in the network.
  • since the network devices other than the control device do not communicate with each other during network initialization, no network device can obtain the access policy of a terminal device connected to another network device. Therefore, to make it possible later to send packets to a terminal device according to that terminal device's access policy, the access policy of each terminal device can be configured at the control device, so that a network device can subsequently obtain the access policy of an individual terminal device from the control device. The specific function of the access policy is described in detail in the subsequent packet forwarding embodiments and is not described here.
  • a network administrator defines an access policy for a terminal device according to the needs of network services.
  • the access policy includes the access priority of the terminal device, the bandwidth accessed by the terminal device, whether the terminal device allows broadcast access, and other conditions.
  • the network administrator can directly configure the access policy on the control device, so that the access policy of each terminal device is stored on the control device.
  • the network administrator can define access policies for each terminal device on the authentication server.
  • the authentication server delivers the access policy of the terminal device to the control device, so that the control device stores the access policy of the terminal device.
  • in either case, the access policy of each terminal device is stored in the control device.
  • each network device except the control device notifies the control device of its currently connected terminal device, so that the control device stores the terminal access table of each network device.
  • the terminal access table of any network device includes the addresses of each terminal device connected to the network device.
  • the above-mentioned terminal access table is a possible data structure of a terminal access set, and the terminal access set of a certain network device includes the addresses of each terminal device connected to the network device.
  • the terminal access set may also be represented by other data structures, such as a linked list, a list, and the like, which are not specifically limited in this embodiment of the present application.
  • in order to dynamically establish VXLAN tunnels between network devices later, each network device notifies the control device of the information of its connected terminal devices, so that any network device can subsequently learn, through the control device, which network device a terminal device to be accessed is connected to, and establish a VXLAN tunnel between the two network devices.
  • the VXLAN includes multiple network devices, and the first network device is any one of the multiple network devices.
  • the first network device is taken as an example to illustrate that each of the foregoing network devices notifies the control device of the terminal devices currently connected to them.
  • the first network device receives a second packet sent by the first terminal device, the source address of the second packet being the address of the first terminal device. If the second packet is the first packet the first network device has received from the first terminal device, the first network device sends a terminal access announcement message to the control device, where the terminal access announcement message carries the address of the first terminal device. The terminal access announcement message indicates that the first terminal device is connected to the first network device.
  • the control device can then add the address of the first terminal device to the terminal access table of the first network device; the terminal access table maintains the addresses of each terminal device connected to the first network device.
  • terminal device A accesses edge device VTEP-1.
  • terminal device A sends a packet to VTEP-1, and the packet carries the address of terminal device A.
  • the address includes an IP address and/or a MAC address. If this is the first time VTEP-1 receives a packet from terminal device A, VTEP-1 learns that terminal device A is currently connected to it and sends a terminal access announcement message to the border device through the OCP protocol; the terminal access announcement message carries the address of terminal device A and the identifier of VTEP-1, and the identifier of VTEP-1 may be the VTEP IP address.
  • when the border device receives the terminal access announcement message, it learns from the address of terminal device A and the identifier of VTEP-1 carried in the message that terminal device A is currently connected to VTEP-1, and adds the address of terminal device A to the terminal access table of VTEP-1.
  • the foregoing process may be referred to as the "terminal reporting" process; its purpose is that the border device can obtain the address of each terminal device connected to each edge device.
  • when terminal device B accesses VTEP-4, the address of terminal device B can be reported to the border device by the same "terminal reporting" process, so that the border device adds the address of terminal device B to the terminal access table of VTEP-4.
  • the terminal access announcement message reported by an edge device to the border device may also include the VNI of the network segment the terminal device is in, so that the border device can subsequently send packets to that terminal device based on the VNI it is in.
  • the embodiments of the present application do not specifically describe the detailed implementation manner in which the border device forwards the packet based on the VNI where the terminal device is located.
  • FIG. 5 and FIG. 6 illustrate an example in which the control device is a border device in the VXLAN.
  • when the control device is an edge device in the VXLAN, the other network devices in the VXLAN and that edge device can also be configured with reference to the above method.
  • when the control device is a non-VXLAN device, the control device and each network device in the VXLAN only need to deploy the OCP protocol, and the north-south VXLAN tunnels shown in Figure 5 are not established.
  • VXLAN can dynamically establish VXLAN tunnels when there is a traffic demand, instead of establishing VXLAN tunnels between all network devices in advance.
  • FIG. 7 is a flowchart of a method for establishing a VXLAN tunnel provided by an embodiment of the present application, which is used to explain how to dynamically establish a VXLAN tunnel based on traffic requirements. As shown in Figure 7, the method includes the following steps.
  • Step 701 The first network device receives a first packet from the first terminal device, and the destination address of the first packet is the address of the second terminal device.
  • the VXLAN provided by the embodiment of the present application includes multiple network devices, and the first network device is any one of the multiple network devices.
  • the embodiment shown in FIG. 7 uses the first network device as an example to illustrate how to dynamically establish a VXLAN tunnel based on traffic requirements; any network device in the VXLAN can implement the method provided by the embodiment of the present application with reference to FIG. 7.
  • the VXLAN tunnel between all network devices is not established when the VXLAN network configuration is completed. Instead, the VXLAN tunnel between the two network devices is established only when there is a traffic access requirement between the two network devices. Therefore, after the first network device receives the first packet, it needs to determine the network device in the VXLAN to which the second terminal device is connected. If the first network device can query locally that the network device in the VXLAN connected to the second terminal device is the second network device, the first packet can be forwarded based on the VXLAN tunnel from the first network device to the second network device. If the first network device cannot locally query the network device connected to the second terminal device, the first packet is dynamically forwarded through the following step 702.
  • the first network device stores a forwarding table.
  • the forwarding table includes a plurality of terminal device addresses and tunnel identifiers corresponding to the respective terminal device addresses.
  • the function of the forwarding table is to forward the message to the terminal device indicated by the address of the terminal device through the VXLAN tunnel indicated by the tunnel identifier corresponding to the address of any terminal device.
  • in one implementation, the above tunnel identifier is the identifier of the VTEP at the receiving end of the VXLAN tunnel (for example, the IP address of the peer device). For example, the tunnel identifier of the VXLAN tunnel from the first network device to the second network device is the identifier of the second network device.
  • in another implementation, the tunnel identifier is a symbol other than the identifier of the peer device that uniquely identifies the tunnel, for example a number that is unique to the VXLAN tunnel on this device. For example, the tunnel identifier of the VXLAN tunnel is tunnel 1.
  • in the latter case, to facilitate the subsequent lookup of the peer device of a VXLAN tunnel when forwarding packets, the network device uses this number to index a corresponding entry, and the entry stores the VXLAN tunnel parameters, including the IP address of the peer device. Therefore, in a possible implementation manner, the first network device also maintains a tunnel list, where the tunnel list includes the identifiers of the VTEPs at the receiving ends of the VXLAN tunnels, in one-to-one correspondence with the tunnel identifiers.
  • the first network device searches the forwarding table for a tunnel identifier corresponding to the destination address of the first packet, that is, the address of the second terminal device. If such a tunnel identifier exists, a VXLAN tunnel from the first network device to the second network device has already been established, and the first network device forwards the first packet through the VXLAN tunnel indicated by that tunnel identifier. If no such tunnel identifier exists, the first network device sends the first packet according to the following step 702.
  • Step 702 In response to failing to find the second network device connected to the second terminal device in the forwarding table, establish a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel between the first network device and the second network device.
  • the control device stores the terminal access table of each network device, and the terminal access table of any network device includes the address of the terminal device connected to the corresponding network device. Therefore, in a possible implementation manner, the above-mentioned implementation process of establishing the correspondence between the address of the second terminal device and the tunnel identifier may be: the first network device sends a terminal query request to the control device.
  • the terminal query request is used to query the network device currently accessed by the second terminal device, and it includes the address of the second terminal device.
  • the control device receives the terminal query request, it queries the terminal access table including the address of the second terminal device from the stored terminal access table of each network device, and searches the network device corresponding to the queried terminal access table.
  • the control device finds out that the network device currently connected to the second terminal device is the second network device.
  • the control device sends a terminal query result to the first network device, where the terminal query result carries the identifier of the second network device.
  • the first network device receives the terminal query result returned by the control device and learns that the network device currently accessed by the second terminal device is the second network device. Therefore, the first network device can establish the correspondence between the address of the second terminal device and the tunnel identifier according to the identifier of the second network device.
  • how the first network device establishes this correspondence according to the identifier of the second network device depends on the form of the tunnel identifier; the two forms described above lead to different implementations.
  • in the first form, the tunnel identifier in the forwarding table is the identifier of the device at the receiving end of the VXLAN tunnel. The identifier of the second network device is then used directly as the tunnel identifier of the VXLAN tunnel between the first network device and the second network device, and the correspondence between the identifier of the second network device and the address of the second terminal device is established; nothing more is needed.
  • "directly" here means without any further operation: once the first network device obtains the identifier of the second network device, it has already determined the tunnel identifier of the VXLAN tunnel between the first network device and the second network device, because that tunnel identifier is the identifier of the device at the receiving end of the tunnel.
  • in the second form, the tunnel identifier in the forwarding table is a symbol other than the identifier of the peer device that uniquely identifies the tunnel, for example a number that is unique to the VXLAN tunnel.
  • in this form, establishing the correspondence between the address of the second terminal device and the tunnel identifier according to the identifier of the second network device means: searching the tunnel list, using the identifier of the second network device, for the tunnel identifier whose receiving-end VTEP is the second network device.
  • if such a tunnel identifier is found, the VXLAN tunnel from the first network device to the second network device has already been established but no correspondence between the address of the second terminal device and that tunnel identifier exists yet, so this correspondence is created. If no tunnel identifier is found, the tunnel identifier of the VXLAN tunnel between the first network device and the second network device is generated according to a tunnel identifier generation rule.
  • the tunnel identifier generation rule is a rule for generating a symbol that is unique to the VXLAN tunnel; it is not specifically limited in this embodiment of the present application. For example, the tunnel identifier is generated from the number of VXLAN tunnels from the first network device to other network devices.
  • after the correspondence is established, packets sent to the second terminal device can subsequently be forwarded, according to the forwarding table, through the VXLAN tunnel between the first network device and the second network device.
  • in the VXLAN shown in FIG. 5, the control device is VTEP-5.
  • for terminal device A connected to the network device VTEP-1, assume that terminal device A currently needs to send a first packet to terminal device B.
  • when VTEP-1 receives the first packet, it identifies from the packet header the address of the terminal device B to be accessed; the address includes, for example, the MAC address and the IP address.
  • VTEP-1 sends a terminal query request to the control device through the OCP protocol, and the terminal query request carries the address of terminal device B.
  • when the control device receives the terminal query request, it searches the terminal access tables of all network devices for the one that includes the address of terminal device B; the result is that the terminal access table of VTEP-4 includes the address of terminal device B. Therefore, the control device returns a terminal query result to VTEP-1, and the terminal query result carries the identifier of VTEP-4, which is, for example, its VTEP IP.
  • after VTEP-1 receives the terminal query result, it determines the tunnel identifier of the VXLAN tunnel from VTEP-1 to VTEP-4 according to the identifier of VTEP-4, and then adds the correspondence between that tunnel identifier and the address of terminal device B to its forwarding table.
  • the above process is also referred to as a "terminal inquiry" process.
  • the control device also stores the access policy of each terminal device. Therefore, optionally, the terminal query result returned by the control device to VTEP-1 also includes the access policy of terminal device B, so that VTEP-1 subsequently sends the traffic of terminal device A accessing terminal device B based on the access policy of terminal device B.
  • how VTEP-1 sends the traffic of terminal device A accessing terminal device B based on the access policy of terminal device B is explained in detail later and is not elaborated here.
  • to avoid a slow response for the traffic of the first terminal device that is currently accessing the second terminal device, if the lookup of the network device connected to the second terminal device fails, the first network device first sends the first packet to the control device, and the control device forwards the first packet to the second network device. After the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel between the first network device and the second network device has been established, if the first network device receives a further packet from the first terminal device whose destination address is still the second terminal device, the first network device forwards that packet directly through the VXLAN tunnel between the first network device and the second network device.
  • in other words, before the correspondence is established, the traffic of the first terminal device accessing the second terminal device is detoured through the control device; after the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel between the first network device and the second network device is established, that traffic is forwarded directly through the VXLAN tunnel.
  • to support this detour, a VXLAN tunnel may be established in advance between each of the other network devices in the VXLAN and the control device. In this way, before the VXLAN tunnel between the first network device and the second network device is established, the traffic from the first terminal device to the second terminal device is forwarded by detour through the VXLAN tunnel between the first network device and the control device and the VXLAN tunnel between the control device and the second network device.
  • in the VXLAN shown in FIG. 5, the control device is VTEP-5.
  • before the east-west tunnel exists, the traffic of terminal device A is detoured through the control device over the north-south VXLAN tunnels.
  • after the east-west tunnel exists, the traffic of terminal device A is sent to terminal device B directly through the east-west VXLAN tunnel.
  • when the terminal query result also carries the access policy corresponding to the second terminal device, the first network device, before sending a packet through the established VXLAN tunnel, first determines whether the packet satisfies the access policy of the second terminal device. If the packet satisfies the access policy of the second terminal device, the packet is sent to the second network device through the established VXLAN tunnel.
  • the access policy of terminal device B includes the access priority of terminal device B.
  • VTEP-1 when VTEP-1 sends the packet, it first assigns a specific priority to the packet according to the access priority of terminal device B, and VTEP-1 performs forwarding according to the priority of each packet.
  • the access policy of terminal device B includes the accessed bandwidth of terminal device B.
  • when VTEP-1 sends the packet, it first determines whether the traffic already sent exceeds the above bandwidth. If it does, the packet is not sent for the time being; if it does not, the packet is sent.
  • the access policy of the terminal device B includes whether the terminal device B is allowed to be accessed by broadcasting. If the access policy indicates that the terminal device B is allowed to be accessed by broadcast, VTEP-1 is allowed to send the message by broadcasting when sending the message. If the access policy indicates that terminal device B is not allowed to be accessed by broadcast, VTEP-1 is not allowed to send the message by broadcasting when sending the message.
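The following Python is an added example, not code from the patent or from any Huawei product. It shows how a sending VTEP such as VTEP-1 could apply the three access-policy checks described above (broadcast permission, accessed bandwidth, priority marking) before handing a packet to the tunnel. The dataclass and field names, the byte-per-window bandwidth model, the order of the checks and the sample packets are assumptions; the page only states what the policy contains.

```python
"""Access-policy enforcement at the sending VTEP (added example, not the patent's code).

Assumptions: a policy is (priority, bandwidth in bytes per window, allow_broadcast);
bandwidth is accounted per fixed-length window; check order is broadcast, then
bandwidth, then priority marking.
"""
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class AccessPolicy:
    priority: int            # forwarding priority given to packets for this terminal
    bandwidth_bytes: int     # bytes allowed per accounting window (assumed unit)
    allow_broadcast: bool    # whether the terminal may be reached by broadcast


@dataclass
class Packet:
    dst_mac: str
    dst_ip: str
    length: int
    priority: int = 0


@dataclass
class PolicyEnforcer:
    """Per-destination-terminal state kept by the sending VTEP."""
    policy: AccessPolicy
    window_len: float = 1.0
    window_start: float = 0.0
    sent_in_window: int = 0
    log: list = field(default_factory=list)

    def decide(self, pkt: Packet, now: float) -> str:
        """Return 'send', 'defer' (bandwidth exceeded) or 'drop' (broadcast forbidden).

        On 'send' the packet's priority field is overwritten with the policy priority
        and the packet's bytes are charged to the current window.
        """
        # 1. broadcast check: the policy may forbid reaching the terminal by broadcast
        if pkt.dst_mac.lower() == BROADCAST_MAC and not self.policy.allow_broadcast:
            self.log.append(("drop", pkt.dst_ip, now))
            return "drop"
        # 2. bandwidth check: roll the accounting window, then refuse to exceed the quota
        if now - self.window_start >= self.window_len:
            self.window_start = now
            self.sent_in_window = 0
        if self.sent_in_window + pkt.length > self.policy.bandwidth_bytes:
            self.log.append(("defer", pkt.dst_ip, now))
            return "defer"
        # 3. priority marking, then account the bytes and send
        pkt.priority = self.policy.priority
        self.sent_in_window += pkt.length
        self.log.append(("send", pkt.dst_ip, now))
        return "send"


def demo() -> list:
    """Run a constructed traffic sequence against one policy and return the decisions."""
    policy = AccessPolicy(priority=5, bandwidth_bytes=3000, allow_broadcast=False)
    enforcer = PolicyEnforcer(policy)
    unicast = "00:11:22:33:44:55"                      # constructed MAC of terminal B
    pkts = [
        Packet(unicast, "10.0.2.20", 1500),             # unicast to B
        Packet(unicast, "10.0.2.20", 1500),             # fills the quota exactly
        Packet(unicast, "10.0.2.20", 64),               # over quota in this window
        Packet(BROADCAST_MAC, "10.0.2.255", 64),        # broadcast, forbidden by policy
    ]
    decisions = [enforcer.decide(p, now=0.1) for p in pkts]
    # next window: the quota is available again
    decisions.append(enforcer.decide(Packet(unicast, "10.0.2.20", 64), now=1.2))
    return decisions
```

The policy is enforced by the sending VTEP on the strength of the control device's reply, so a VTEP that ignores the returned policy is not constrained by it; the page does not address that case.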
  • in the reverse direction, VTEP-4 creates a unidirectional VXLAN tunnel to the peer VTEP-1 by the same process, which is not repeated here.
  • since VXLAN tunnels between network devices are dynamically established based on traffic requirements, and to avoid that some VXLAN tunnels remain unused for a long time after being established and waste forwarding table resources, after the first network device establishes the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel between the first network device and the second network device, it ages out the correspondence if the correspondence continues to miss.
  • a continuous miss of this correspondence means that the first network device does not receive, within a reference duration, any packet whose destination address is the address of the second terminal device. This indicates that within the reference duration the first terminal device has no need to access the second terminal device. At this time, the first network device deletes from the forwarding table the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel between the first network device and the second network device. This process may also be referred to as aging of the forwarding table.
  • when the tunnel identifier in the forwarding table is a symbol other than the identifier of the peer device that uniquely identifies the tunnel, for example a number that is unique to the VXLAN tunnel, the network device uses this number to index the corresponding entry, and the entry stores the VXLAN tunnel parameters including the IP address of the peer device; the first network device therefore also maintains a tunnel list that holds, for each tunnel identifier, the identifier of the VTEP at the receiving end of that tunnel.
  • in this case, aging may additionally delete, from the tunnel list, the correspondence between the tunnel identifier and the identifier of the second network device.
  • specifically, when the first terminal device no longer needs to access the second terminal device, the first network device only deletes, from the forwarding table, the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel between the first network device and the second network device; the related information of that VXLAN tunnel is not yet deleted from the tunnel list.
  • after this deletion, if no terminal device address in the forwarding table corresponds to the tunnel identifier of the VXLAN tunnel between the first network device and the second network device, no terminal device under the first network device currently needs to access any terminal device connected to the second network device. The related information of that VXLAN tunnel is then deleted from the tunnel list (the related information here is the correspondence between the tunnel identifier of the VXLAN tunnel between the first network device and the second network device and the identifier of the second network device), so that idle VXLAN tunnels do not occupy network resources.
  • the above reference duration may also be referred to as the aging time, and is not specifically limited in this embodiment of the present application.
  • in the VXLAN shown in FIG. 5, the control device is VTEP-5.
  • the network device ages the forwarding table according to the traffic of the terminals. Specifically, when terminal device A and terminal device B exchange no traffic for a period of time, and VTEP-1 receives no traffic whose destination address is terminal device B within the aging time, VTEP-1 deletes the information of terminal device B from the forwarding table (the information of terminal device B here is the address of terminal device B and the tunnel identifier of the VXLAN tunnel from VTEP-1 to VTEP-4), and, if the forwarding table contains no address of any other terminal device connected to VTEP-4, deletes the VXLAN tunnel from VTEP-1 to VTEP-4.
  • similarly, VTEP-4 deletes the information of terminal device A from its forwarding table (the address of terminal device A and the tunnel identifier of the VXLAN tunnel from VTEP-4 to VTEP-1), and, if the forwarding table contains no address of any other terminal device connected to VTEP-1, deletes the VXLAN tunnel from VTEP-4 to VTEP-1.
  • VXLAN tunnels between all network devices are not established. Instead, the VXLAN tunnel between the two network devices is established only when there is a traffic access requirement between the two network devices.
  • the information stored in the forwarding table of each network device is reduced, and the data storage pressure of each network device is relieved.
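The aging rule described above, as an added Python example rather than code from the patent: a forwarding table whose tunnel identifiers are per-device numbers, a tunnel list mapping each number to the peer VTEP IP, a hit that refreshes an entry, and an age pass that removes entries idle for longer than the aging time and then removes only those tunnel-list entries that no forwarding entry references any more. The "tunnel-N" naming, the timestamp bookkeeping and the addresses are assumptions.

```python
"""Forwarding-table aging with tunnel-list cleanup (added example, not the patent's code).

Assumptions: tunnel identifiers are per-device strings "tunnel-N", generated from the
number of tunnels already on the device; timestamps are plain floats supplied by
the caller so the example runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class ForwardingEntry:
    tunnel_id: str
    last_hit: float


@dataclass
class Vtep:
    vtep_ip: str
    aging_time: float
    forwarding: dict = field(default_factory=dict)   # terminal address -> ForwardingEntry
    tunnels: dict = field(default_factory=dict)      # tunnel id -> peer VTEP IP

    def tunnel_to(self, peer_ip: str) -> str:
        """Reuse an existing tunnel to peer_ip, else allocate a new per-device number."""
        for tid, peer in self.tunnels.items():
            if peer == peer_ip:
                return tid
        tid = f"tunnel-{len(self.tunnels) + 1}"
        self.tunnels[tid] = peer_ip
        return tid

    def learn(self, terminal_addr: str, peer_ip: str, now: float) -> str:
        """Install terminal_addr -> tunnel after a terminal query named peer_ip."""
        tid = self.tunnel_to(peer_ip)
        self.forwarding[terminal_addr] = ForwardingEntry(tid, now)
        return tid

    def hit(self, terminal_addr: str, now: float) -> bool:
        """A packet destined to terminal_addr refreshes its entry; a miss returns False."""
        entry = self.forwarding.get(terminal_addr)
        if entry is None:
            return False
        entry.last_hit = now
        return True

    def age(self, now: float) -> dict:
        """Age stale forwarding entries, then delete tunnels that no entry references."""
        aged = [a for a, e in self.forwarding.items() if now - e.last_hit >= self.aging_time]
        for addr in aged:
            del self.forwarding[addr]
        still_used = {e.tunnel_id for e in self.forwarding.values()}
        removed_tunnels = [tid for tid in self.tunnels if tid not in still_used]
        for tid in removed_tunnels:
            del self.tunnels[tid]
        return {"aged_addresses": aged, "removed_tunnels": removed_tunnels}


def demo() -> dict:
    """VTEP-1 reaches terminals B and C behind VTEP-4 over one tunnel (constructed data)."""
    v = Vtep("192.0.2.1", aging_time=300)
    v.learn("10.0.2.20", "192.0.2.4", now=0)      # terminal B
    v.learn("10.0.2.30", "192.0.2.4", now=0)      # terminal C, same peer, same tunnel
    v.hit("10.0.2.30", now=200)                   # C keeps receiving traffic
    first = v.age(now=310)                        # B aged out; tunnel kept for C
    second = v.age(now=600)                       # C aged out; tunnel removed
    return {"first": first, "second": second, "tunnels": dict(v.tunnels)}
```

The two-stage check matters: aging one terminal must not tear down a tunnel that other terminals behind the same peer still use, which is why the tunnel list is cleaned only after the forwarding table has been aged.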
  • the following takes the VXLAN shown in FIG. 5 as an example to describe in detail the method for establishing a VXLAN tunnel provided by the embodiment of the present application.
  • the method includes the following steps:
  • the border device serves as the OCP server and the edge device serves as the OCP client.
  • the administrator deploys the access policy of each terminal device on the border device.
  • the access policy includes the access priority of the terminal device, the bandwidth with which the terminal device may be accessed, whether the terminal device allows broadcast access, and other access conditions.
  • the edge device initiates registration with the border device through OCP.
  • the OCP client and the OCP server establish a north-south VXLAN tunnel.
  • Terminal device A goes online and sends a traffic request to the gateway.
  • edge device 1 receives the traffic of terminal device A, identifies the information (MAC, IP) of terminal device A, stores it, and reports it together with the identity of edge device 1 (VTEP IP) to the border device through the OCP protocol. The reported information is:
  • the MAC address of terminal device A
  • the IP address of terminal device A
  • the VTEP IP identity of edge device 1
  • the border device stores the information of terminal device A in the terminal access table of edge device 1.
  • Terminal device B goes online and sends a traffic request to the gateway.
  • edge device 2 receives the traffic of terminal device B, identifies the information (MAC, IP) of terminal device B, stores it, and reports the information of terminal device B together with its own VTEP IP to the border device through the OCP protocol.
  • the border device stores the information of terminal device B in the terminal access table of edge device 2.
  • Terminal device A sends traffic to access terminal device B.
  • edge device 1 receives the traffic of terminal device A, searches its own forwarding table by the destination IP (terminal device B), and does not find the information of terminal device B. It therefore initiates a query to the border device through the OCP protocol for the relevant information of terminal device B.
  • the border device looks up the relevant information of terminal device B and replies it to edge device 1 through the OCP protocol. The relevant information includes, for example, the VNI of the network where terminal device B is located, the VTEP IP of the network device connected to terminal device B, the access priority of terminal device B, the bandwidth with which terminal device B may be accessed, and whether terminal device B allows broadcast access.
  • the edge device 1 stores the relevant information of the terminal device B. According to the relevant information of the terminal device B, it is determined that the terminal device B is connected to the edge device 2, and an east-west VXLAN tunnel from the edge device 1 to the edge device 2 is created.
  • the traffic of terminal device A accessing terminal device B is forwarded through the east-west tunnel, and the access policy of terminal device B is enforced.
  • Terminal device B sends traffic back to terminal device A.
  • the edge device 2 receives the traffic of the terminal device B, searches the forwarding table of the device according to the destination IP (terminal device A), and does not find the relevant information of the terminal device A. Through the OCP protocol, a query is initiated to the border device to query the information of the terminal device A.
  • the border device looks up the relevant information of terminal device A and replies it to edge device 2 through the OCP protocol.
  • the edge device 2 stores the relevant information of the terminal device A. According to the relevant information of terminal device A, it is determined that terminal device A is connected to edge device 1, and an east-west VXLAN tunnel from edge device 2 to edge device 1 is created.
  • if edge device 1 does not receive traffic whose destination IP is terminal device B for a period of time, it deletes the entry of terminal device B from the forwarding table (the entry of terminal device B here is the correspondence, in the forwarding table, between the address of terminal device B and the identifier of the VXLAN tunnel from edge device 1 to edge device 2).
  • if edge device 1 then determines that the forwarding table holds no entry for any terminal device under edge device 2, it deletes the VXLAN tunnel from edge device 1 to edge device 2 (deleting the tunnel here means: deleting from the tunnel list the correspondence between the tunnel identifier of the VXLAN tunnel from edge device 1 to edge device 2 and the identifier of edge device 2). If edge device 1 determines that the forwarding table still holds entries for other terminal devices under edge device 2, the VXLAN tunnel is not deleted.
  • if edge device 2 does not receive traffic whose destination IP is terminal device A for a period of time, it deletes the entry of terminal device A from the forwarding table (the entry of terminal device A here is the correspondence, in the forwarding table, between the address of terminal device A and the identifier of the VXLAN tunnel from edge device 2 to edge device 1).
  • if edge device 2 then determines that the forwarding table holds no entry for any terminal device under edge device 1, it deletes the VXLAN tunnel from edge device 2 to edge device 1 (deleting the tunnel here means: deleting from the tunnel list the correspondence between the tunnel identifier of the VXLAN tunnel from edge device 2 to edge device 1 and the identifier of edge device 1). If edge device 2 determines that the forwarding table still holds entries for other terminal devices under edge device 1, the VXLAN tunnel is not deleted.
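The control-plane exchange described in this step list and in the FIG. 7 discussion above (terminal reporting on the first packet from a terminal, terminal query on a forwarding-table miss, detour of the triggering packet through the control device over the north-south tunnels, direct east-west forwarding afterwards, and the reverse direction creating its own unidirectional tunnel), as an added Python example that is not code from the patent or from any Huawei product. It uses the first tunnel-identifier form, in which the tunnel identifier is simply the peer VTEP IP, so no tunnel list is needed. The OCP message fields, the VTEP IPs, the terminal and gateway addresses and the VNI value are all assumptions; the page does not define OCP's encoding.

```python
"""OCP-style on-demand VXLAN tunnel set-up (added example, not the patent's code).

Assumptions: messages are plain dicts; the control device is reachable from every
edge over a pre-established north-south tunnel; tunnel id == peer VTEP IP; each
edge has one gateway address that counts as locally reachable.
"""
from dataclasses import dataclass, field


@dataclass
class Controller:
    """OCP server (the control device): one terminal access table per VTEP, plus policies."""
    vtep_ip: str
    access_tables: dict = field(default_factory=dict)   # vtep ip -> {terminal addr: vni}
    policies: dict = field(default_factory=dict)        # terminal addr -> policy dict
    transcript: list = field(default_factory=list)      # every OCP message received

    def on_terminal_announce(self, msg: dict) -> None:
        """Terminal reporting: record that msg['terminal'] sits behind msg['vtep_ip']."""
        self.transcript.append(("announce", msg))
        self.access_tables.setdefault(msg["vtep_ip"], {})[msg["terminal"]] = msg["vni"]

    def on_terminal_query(self, msg: dict) -> dict:
        """Terminal query: find the VTEP whose access table holds the queried address."""
        self.transcript.append(("query", msg))
        for vtep_ip, table in self.access_tables.items():
            if msg["terminal"] in table:
                return {"found": True, "vtep_ip": vtep_ip, "vni": table[msg["terminal"]],
                        "policy": self.policies.get(msg["terminal"])}
        return {"found": False}


@dataclass
class Edge:
    """OCP client (an edge VTEP). Tunnel id == peer VTEP IP, so no tunnel list is kept."""
    vtep_ip: str
    controller: Controller
    gateway: str = "10.0.0.1"                             # assumed gateway address
    local_terminals: dict = field(default_factory=dict)   # terminal addr -> vni
    forwarding: dict = field(default_factory=dict)        # remote terminal addr -> peer VTEP IP
    policies: dict = field(default_factory=dict)          # remote terminal addr -> policy

    def tunnels(self) -> set:
        """The east-west tunnels this edge currently has (distinct peer VTEP IPs)."""
        return set(self.forwarding.values())

    def packet_from_terminal(self, src: str, dst: str, vni: int) -> list:
        """Handle one packet from an attached terminal; return the VTEP path it takes."""
        if src not in self.local_terminals:                       # first packet from src
            self.local_terminals[src] = vni
            self.controller.on_terminal_announce(
                {"terminal": src, "vtep_ip": self.vtep_ip, "vni": vni})
        if dst in self.local_terminals or dst == self.gateway:
            return [self.vtep_ip]                                  # delivered locally
        peer = self.forwarding.get(dst)
        if peer is not None:
            return [self.vtep_ip, peer]                            # east-west tunnel hit
        result = self.controller.on_terminal_query({"terminal": dst, "from": self.vtep_ip})
        if not result["found"]:
            return []                                              # unknown terminal: dropped
        # Install the correspondence; with this identifier form the tunnel id is the peer IP.
        self.forwarding[dst] = result["vtep_ip"]
        if result["policy"] is not None:
            self.policies[dst] = result["policy"]
        # The packet that triggered the query is detoured via the control device's
        # north-south tunnels; later packets take the east-west tunnel directly.
        return [self.vtep_ip, self.controller.vtep_ip, result["vtep_ip"]]


def demo() -> dict:
    """Replay A online, B online, A -> B twice, B -> A, A -> unknown (constructed addresses)."""
    ctrl = Controller("192.0.2.5", policies={"10.0.2.20": {"priority": 5}})
    vtep1 = Edge("192.0.2.1", ctrl)
    vtep4 = Edge("192.0.2.4", ctrl)
    a, b = "10.0.1.10", "10.0.2.20"
    paths = {}
    paths["a_online"] = vtep1.packet_from_terminal(a, vtep1.gateway, vni=100)
    paths["b_online"] = vtep4.packet_from_terminal(b, vtep4.gateway, vni=100)
    paths["a_to_b_first"] = vtep1.packet_from_terminal(a, b, vni=100)
    paths["a_to_b_second"] = vtep1.packet_from_terminal(a, b, vni=100)
    paths["b_to_a_first"] = vtep4.packet_from_terminal(b, a, vni=100)
    paths["a_to_unknown"] = vtep1.packet_from_terminal(a, "10.0.9.9", vni=100)
    return {"paths": paths,
            "vtep1_tunnels": vtep1.tunnels(), "vtep4_tunnels": vtep4.tunnels(),
            "vtep1_policy_for_b": vtep1.policies.get(b),
            "queries": sum(1 for kind, _ in ctrl.transcript if kind == "query")}
```

Every edge installs forwarding state and a policy on the strength of the control device's reply, and the control device learns terminal locations from whatever the edges announce, so in a deployment the OCP channel and the announcements need authentication and integrity protection; the page does not cover that part.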
  • FIG. 9 is a schematic structural diagram of a first network device in a VXLAN provided by an embodiment of the present application.
  • the VXLAN includes multiple network devices, and the first network device is any one of the multiple network devices.
  • the first network device 900 includes:
  • a receiving module 901 configured to receive a first message from a first terminal device, where the destination address of the first message is the address of the second terminal device;
  • the establishment module 902 is configured to, in response to failing to find the second network device connected to the second terminal device, establish a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel between the first network device and the second network device.
  • the establishment module is configured to:
  • send a terminal query request to the control device and receive the terminal query result, where the terminal query result includes an identifier of the second network device, and the second network device is the network device connected to the second terminal device; and
  • establish the correspondence between the address of the second terminal device and the tunnel identifier according to the identifier of the second network device.
  • the receiving module is further configured to receive a second packet from the first terminal device, where the source address of the second packet is the address of the first terminal device;
  • the first network device further includes a sending module, configured to send a terminal access announcement message to the control device if the second packet is the first packet received from the first terminal device, where the terminal access announcement message includes the address of the first terminal device and indicates that the first terminal device is connected to the first network device.
  • the sending module is further configured to send the first packet to the control device through the VXLAN tunnel between the first network device and the control device.
  • the first network device further includes an aging module
  • An aging module configured to age the corresponding relationship between the address of the second terminal device and the tunnel identifier if the corresponding relationship continues to miss.
  • the first network device also stores a correspondence between the tunnel identifier and the identifier of the second network device;
  • the aging module is further configured to delete the correspondence between the tunnel identifier and the identifier of the second network device once every correspondence between a terminal device address and that tunnel identifier has been aged out.
  • the embodiments of the present application dynamically establish a VXLAN tunnel between two network devices only when there is a traffic forwarding requirement between them, which avoids pre-establishing VXLAN tunnels between all network devices and thereby saves forwarding table resources of the network devices. Since less VXLAN tunnel information is stored in the forwarding table, the lookup efficiency of the forwarding table when forwarding packets is also improved.
  • when the first network device provided in the above embodiment establishes a VXLAN tunnel, the division of the above functional modules is used only as an example for illustration.
  • in practical application, the above functions can be allocated to different functional modules as required, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above.
  • the first network device provided in the above embodiment and the method embodiment for establishing a VXLAN tunnel belong to the same concept; the specific implementation process is detailed in the method embodiment and is not repeated here.
  • FIG. 10 is a schematic structural diagram of a network device provided by an embodiment of the present application.
  • the edge devices or border devices in the above-mentioned embodiments can all be implemented by the network device shown in FIG. 10.
  • the network device includes at least one processor 1001 , a communication bus 1002 , a memory 1003 and at least one communication interface 1004 .
  • the processor 1001 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the present application.
  • the functions of modules such as the establishment module and the aging module in the embodiment of FIG. 9 can all be implemented by a processor.
  • Communication bus 1002 may include a path to communicate information between the above-described components.
  • the memory 1003 can be read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), an optical disc (including compact disc read-only memory (CD-ROM), compact disc, laser disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 1003 can exist independently and is connected to the processor 1001 through the communication bus 1002 .
  • the memory 1003 may also be integrated with the processor 1001 .
  • the memory 1003 is used for storing the program code for executing the solution of the present application, and the execution is controlled by the processor 1001 .
  • the processor 1001 is used to execute program codes stored in the memory 1003 .
  • One or more software modules may be included in the program code.
  • the network devices in FIGS. 1 to 6 may determine data for developing an application through the processor 1001 and one or more software modules in the program code in the memory 1003.
  • the communication interface 1004 is any transceiver-like device used for communicating with other devices or communication networks, such as Ethernet, radio access networks (RAN), wireless local area networks (WLAN), etc.
  • the functions of the receiving module and the sending module in the embodiment of FIG. 9 may be implemented through a communication interface.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • the computer instructions may be stored in, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave, etc.).
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, or the like that includes an integration of one or more available media.
  • the usable media may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., digital versatile disc (DVD)), or semiconductor media (e.g., solid state disk (SSD)), etc.

Abstract

Disclosed are a method for establishing a VXLAN tunnel, and a related device, which belong to the technical field of communications. The method comprises: a first network device receiving a first message from a first terminal device, wherein the destination address of the first message is an address of a second terminal device; and in response to a failure of querying a second network device connected to the second terminal device, establishing a correlation between the address of the second terminal device and a tunnel identifier, wherein the tunnel identifier is a VXLAN tunnel between the first network device and the second network device. Therefore, by means of the method, when there is a traffic forwarding requirement, a VXLAN tunnel between network devices can be dynamically established, thereby avoiding the need to pre-establish VXLAN tunnels between all network devices, and thus saving on forwarding table resources at the network devices. Since information of VXLAN tunnels that is stored in a forwarding table is reduced, the forwarding table query efficiency when forwarding a message can also be improved.

Description

Method for establishing a VXLAN tunnel and related device
The embodiments of this application claim priority to Chinese patent application No. 202010617508.1, entitled "Method for establishing a VXLAN tunnel and related device", filed on June 30, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a method for establishing a virtual extensible local area network (VXLAN) tunnel and a related device.
Background
VXLAN technology can overlay a Layer 2 virtual network on any network reachable by routing, thereby improving the scalability of the network. A VXLAN includes network devices in two roles. One is called a border device; the border device represents the exit of the VXLAN, so packets can be forwarded through the border device to other VXLANs or to non-VXLAN networks. The other is called an edge device; the edge device represents the service access point of the VXLAN, and user equipment can forward packets into the VXLAN through the edge device. A VXLAN tunnel is established between the border device and the edge device to implement packet forwarding in the VXLAN.
Usually a VXLAN includes one or more border devices, but these border devices are in a master-standby relationship, and control-plane operations performed on one border device are synchronized to the other border devices. Therefore, the following description takes a single border device as an example. In the related art, for the one border device and the multiple edge devices included in the VXLAN, VXLAN tunnels are established in advance by dynamic routing between every edge device and the border device, and between every two edge devices, so that when any edge device subsequently receives a packet sent by user equipment, it can forward the packet over a pre-established VXLAN tunnel.
Because a VXLAN usually contains a large number of edge devices, each edge device needs to establish a large number of VXLAN tunnels, so the forwarding table of each edge device also stores a large amount of information. This not only wastes forwarding-table resources on the edge devices but also lowers the forwarding-table lookup efficiency when forwarding packets.
Summary of the invention
The present application provides a method for establishing a VXLAN tunnel and a related device, which can relieve the data storage pressure on devices in the VXLAN, thereby saving forwarding-table resources, and can also improve the forwarding-table lookup efficiency when forwarding packets. The technical solution is as follows:
In a first aspect, a method for establishing a VXLAN tunnel is provided. The method is applied to a first network device in a VXLAN, the VXLAN includes multiple network devices, and the first network device is any one of them. In the method, the first network device receives a first packet from a first terminal device, the destination address of the first packet being the address of a second terminal device; in response to a failure to look up the second network device to which the second terminal device is connected, the first network device establishes a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel between the first network device and the second network device.
In the present application, establishing a VXLAN tunnel essentially means obtaining the identifier of the VXLAN tunnel and then establishing a correspondence between the destination address of the packet and the tunnel identifier, so that all subsequent packets sent to that destination address can be forwarded through the VXLAN tunnel. The tunnel identifier may be the identifier of the peer device of the VXLAN tunnel (such as the IP address of the peer device), or any other symbol, other than the identifier of the peer device, that uniquely identifies the tunnel, for example a unique number assigned to the VXLAN tunnel. The network device can use this number to index the corresponding table entry, which stores the VXLAN tunnel parameters, including the IP address of the peer device. Therefore, the method provided by the present application makes it possible to dynamically establish a VXLAN tunnel between network devices only when there is a traffic forwarding requirement, avoiding the need to pre-establish VXLAN tunnels between all network devices and thereby saving forwarding-table resources at the network device. Since less VXLAN tunnel information is stored in the forwarding table, the forwarding-table lookup efficiency when forwarding packets is also improved.
Based on the method provided in the first aspect, in a possible implementation, establishing the correspondence between the address of the second terminal device and the tunnel identifier is implemented as follows: sending a terminal query request to a control device, the terminal query request including the address of the second terminal device; receiving a terminal query result returned by the control device, the terminal query result including the identifier of the second network device, the second network device being the network device to which the second terminal device is connected; and establishing, according to the identifier of the second network device, the correspondence between the address of the second terminal device and the tunnel identifier.
In the present application, the control device can act as a service center that provides a query service to each network device; the query service can determine which network device any given terminal device is connected to. Therefore, the first network device dynamically establishes the VXLAN tunnel by means of the control device.
Based on the method provided in the first aspect, in a possible implementation, the terminal query result further includes an access policy corresponding to the second terminal device, and the access policy indicates the conditions that packets sent to the second terminal device must satisfy. In this scenario, in the method, the first network device receives a second packet sent by the first terminal device, the destination address carried in the second packet being the address of the second terminal device; if the second packet satisfies the access policy, the second packet is forwarded through the established VXLAN tunnel.
In the present application, the control device also stores the access policy of each terminal device, so that after the VXLAN tunnel is dynamically established, the access policy of the second terminal device is also sent to the first network device, allowing the first network device to manage the traffic sent to the second terminal device according to the access policy. This improves the flexibility of forwarding packets over dynamically established VXLAN tunnels.
Based on the method provided in the first aspect, in a possible implementation, the method further includes: receiving a second packet from the first terminal device, the source address of the second packet being the address of the first terminal device; if the second packet is the first packet received from the first terminal device, sending a terminal access announcement message to the control device, the terminal access announcement message including the address of the first terminal device and indicating that the first terminal device is connected to the first network device.
When a terminal device accesses a network device for the first time, the network device announces the terminal device to the control device, so that the control device stores a terminal access table for each network device; the terminal access table of any network device includes the addresses of the terminal devices connected to that network device. This enables the on-demand dynamic establishment of VXLAN tunnels provided by the present application.
Based on the method provided in the first aspect, in a possible implementation, the first packet is sent to the control device via the VXLAN tunnel between the network device and the control device.
Before the VXLAN tunnel between the first network device and the second network device has been established, packets can be sent to the second terminal device by way of the control device, so as to minimize packet forwarding delay.
Based on the method provided in the first aspect, in a possible implementation, the method further includes: if the correspondence between the address of the second terminal device and the tunnel identifier is persistently not hit, aging out that correspondence.
In the present application, since VXLAN tunnels are established dynamically, in order to prevent idle VXLAN tunnels from occupying network resources, the resources occupied by a VXLAN tunnel can be cleaned up by means of an aging time, further avoiding waste of forwarding-table resources.
Based on the method provided in the first aspect, in a possible implementation, the first network device also stores a correspondence between the tunnel identifier and the identifier of the second network device. In this scenario, after the correspondence between the address of the second terminal device and the tunnel identifier has been aged out, if the correspondences between all terminal device addresses and the tunnel identifier have been aged out, the correspondence between the tunnel identifier and the identifier of the second network device is deleted.
In the case where the tunnel identifier stored in the forwarding table is not the identifier of the peer device of the VXLAN tunnel, the VXLAN tunnel is not deleted immediately after the forwarding table is cleaned up, because one network device may have multiple terminal devices connected to it (deleting the VXLAN tunnel here means deleting the correspondence between the tunnel identifier and the identifier of the tunnel peer device). Instead, the established VXLAN tunnel is deleted only after it is determined that no traffic has been sent to any terminal device under the second network device within the aging time, thereby ensuring normal forwarding of traffic to the other terminal devices connected to the second network device.
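The first aspect above, from the lookup miss through the control-device query, the access-policy check, entry aging and tunnel deletion, as an added Python model that is not code from the patent or its applicant; the ControlDevice and EdgeDevice classes, the tunnel-id allocation and the policy format are assumptions of this example.

```python
"""On-demand VXLAN tunnel establishment with aging, modelled on the first aspect above.
Added example, not the patent's code; ControlDevice, EdgeDevice, the tunnel-id
allocation and the {"allow": {(proto, dport)}} policy format are assumptions."""
from collections import namedtuple

# Terminal addresses used below are constructed sample values.
Packet = namedtuple("Packet", "src dst proto dport", defaults=("tcp", 0))


class ControlDevice:
    """Service centre holding a terminal access table per network device."""

    def __init__(self, policies):
        self.access_table = {}    # network device id -> set of terminal addresses
        self.policies = policies  # terminal address -> access policy (or absent)

    def terminal_access_announce(self, dev_id, terminal):
        self.access_table.setdefault(dev_id, set()).add(terminal)

    def terminal_query(self, terminal):
        """Return (network device id, access policy or None), or None if unknown."""
        for dev_id, terminals in self.access_table.items():
            if terminal in terminals:
                return dev_id, self.policies.get(terminal)
        return None


class EdgeDevice:
    """First network device: forwarding table keyed by terminal address."""

    def __init__(self, dev_id, control, aging_time=3):
        self.id, self.control, self.aging_time = dev_id, control, aging_time
        self.known_terminals = set()
        self.addr_to_tunnel = {}  # terminal address -> [tunnel id, idle periods, policy]
        self.tunnel_to_peer = {}  # tunnel id -> peer network device id

    def _tunnel_for_peer(self, peer_id):
        # Reuse the tunnel to this peer if one exists, else allocate a new id.
        for tid, peer in self.tunnel_to_peer.items():
            if peer == peer_id:
                return tid
        tid = max(self.tunnel_to_peer, default=0) + 1
        self.tunnel_to_peer[tid] = peer_id
        return tid

    def receive(self, pkt):
        if pkt.src not in self.known_terminals:  # first packet from this terminal
            self.known_terminals.add(pkt.src)
            self.control.terminal_access_announce(self.id, pkt.src)
        entry = self.addr_to_tunnel.get(pkt.dst)
        if entry is None:                        # lookup miss: ask the control device
            result = self.control.terminal_query(pkt.dst)
            if result is None:
                return "dropped"                 # assumption: unknown destination
            peer_id, policy = result
            self.addr_to_tunnel[pkt.dst] = [self._tunnel_for_peer(peer_id), 0, policy]
            return "relayed"                     # detoured via the control device
        policy = entry[2]
        if policy is not None and (pkt.proto, pkt.dport) not in policy["allow"]:
            return "denied"
        entry[1] = 0                             # hit: reset the idle counter
        return "forwarded"

    def tick(self):
        """One aging period: age idle entries, then delete unreferenced tunnels."""
        for dst, entry in list(self.addr_to_tunnel.items()):
            entry[1] += 1
            if entry[1] >= self.aging_time:
                del self.addr_to_tunnel[dst]
        for tid in list(self.tunnel_to_peer):
            if all(e[0] != tid for e in self.addr_to_tunnel.values()):
                del self.tunnel_to_peer[tid]


def run_scenario():
    """Constructed scenario: T1 behind E1 reaches T2 and T3, both behind E2."""
    control = ControlDevice({"10.1.2.20": {"allow": {("tcp", 443)}}})
    control.terminal_access_announce("192.0.2.2", "10.1.2.20")  # T2 announced by E2
    control.terminal_access_announce("192.0.2.2", "10.1.2.21")  # T3, same peer
    e1 = EdgeDevice("192.0.2.1", control, aging_time=3)
    t1, t2, t3 = "10.1.1.10", "10.1.2.20", "10.1.2.21"
    results = [
        e1.receive(Packet(t1, t2, "tcp", 443)),  # miss: query, install entry, relay
        e1.receive(Packet(t1, t2, "tcp", 443)),  # hit and policy allows: forward
        e1.receive(Packet(t1, t2, "tcp", 22)),   # hit but policy denies
        e1.receive(Packet(t1, t3)),              # second terminal behind the same peer
    ]
    same_tunnel = e1.addr_to_tunnel[t2][0] == e1.addr_to_tunnel[t3][0]
    e1.tick()
    e1.tick()                                    # both entries idle for two periods
    e1.receive(Packet(t1, t3))                   # refresh the T3 entry only
    e1.tick()                                    # T2 entry ages out, tunnel survives
    mid = (len(e1.addr_to_tunnel), len(e1.tunnel_to_peer))
    for _ in range(3):                           # T3 ages out, tunnel deleted
        e1.tick()
    end = (len(e1.addr_to_tunnel), len(e1.tunnel_to_peer))
    return {"results": results, "same_tunnel": same_tunnel, "mid": mid, "end": end}
```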
In a second aspect, a first network device is provided. The first network device has the function of implementing the behavior of the method for establishing a VXLAN tunnel in the first aspect. The apparatus includes at least one module, and the at least one module is configured to implement the method for establishing a VXLAN tunnel provided in the first aspect.
In a third aspect, a network device is provided. The network device includes a processor and a memory; the memory is configured to store a program that supports the network device in executing the method for establishing a VXLAN tunnel provided in the first aspect, and to store the data involved in implementing that method. The processor is configured to execute the program stored in the memory. The apparatus may further include a communication bus for establishing a connection between the processor and the memory.
In a fourth aspect, a computer-readable storage medium is provided, storing instructions which, when run on a computer, cause the computer to execute the method for establishing a VXLAN tunnel described in the first aspect.
In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to execute the method for establishing a VXLAN tunnel described in the first aspect.
The technical effects obtained by the second, third, fourth and fifth aspects are similar to those obtained by the corresponding technical means in the first aspect and are not repeated here.
Brief description of the drawings
FIG. 1 is a schematic diagram of a VXLAN system provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of another VXLAN system provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a VXLAN tunnel distribution provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the format of a VXLAN packet provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of another VXLAN tunnel distribution provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of dynamically establishing a VXLAN tunnel provided by an embodiment of the present application;
FIG. 7 is a flowchart of a method for establishing a VXLAN tunnel provided by an embodiment of the present application;
FIG. 8 is a flowchart of another method for establishing a VXLAN tunnel provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a first network device provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a network device provided by an embodiment of the present application.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the embodiments are described in further detail below with reference to the accompanying drawings.
Before the embodiments are described in detail, the application scenarios involved in the embodiments of the present application are explained.
VXLAN technology is one of the Network Virtualization over Layer 3 (NVO3) standard technologies defined by the Internet Engineering Task Force (IETF). Request for Comments (RFC) 7348 defines the VXLAN packet format. Specifically, a MAC-in-UDP encapsulation is used: Media Access Control (MAC) frames are placed inside User Datagram Protocol (UDP) packets, so that Layer 2 packets are encapsulated with a Layer 3 protocol and the Layer 2 network can be extended across a Layer 3 domain. VXLAN can meet the virtual machine migration and multi-tenancy needs of data center networks. Likewise, VXLAN is also suitable for the "one network, multiple uses" scenario in campus networks, for example virtualizing one bearer network into multiple service networks that are isolated from each other.
VXLAN can overlay a Layer 2 virtual network on any network reachable by routing, with interworking inside the VXLAN network achieved through VXLAN gateways. The VXLAN network can also interwork with traditional non-VXLAN networks. VXLAN extends the Layer 2 network by MAC-in-UDP encapsulation: Ethernet frames are encapsulated over Internet Protocol (IP) packets and transported across the network through VXLAN gateways, so the transport network need not be aware of the MAC addresses of terminal devices. Since a routed network imposes no constraints on network structure, it can be scaled up on a large scale, and the migration of user equipment such as virtual machines over the routed network is therefore not limited by the network architecture.
FIG. 1 is a schematic architecture diagram of a VXLAN network provided by an embodiment of the present application. As shown in FIG. 1, the basic physical network is called the underlay network, and the virtualized network is called the overlay network or fabric; a VXLAN network can be built in the overlay network. The virtual network devices in the VXLAN network are divided into two roles. One represents the exit of the VXLAN network and is called the border device; it connects to external networks, is usually the Layer 3 gateway of the VXLAN network, and corresponds to the egress gateway of the underlay network. The other represents the access side of the VXLAN network and is called the edge device; it is the part of the VXLAN network that connects user equipment, corresponds to the virtual access point (VAP) in the VXLAN network, and usually corresponds to a network access device of the underlay network, such as an access switch or an access point (AP).
For example, as shown in FIG. 1, C1-C5 in the overlay network correspond to access devices A1-A5 in the underlay network, respectively, and the border device D1 in the overlay network corresponds to the network egress device B1 in the underlay network. In addition, depending on the deployment model of the VXLAN network, the VAP or VXLAN tunnel endpoint (VTEP) may also be deployed on non-access-layer network devices of the underlay network. As shown in FIG. 2, C1 and C2 correspond to the aggregation devices Agg1 and Agg2 in the underlay network, respectively.
In the overlay network, as shown in FIG. 3, border devices and edge devices, and edge devices and other edge devices, communicate through VXLAN tunnels. A Layer 3 VXLAN tunnel is created between a border device and an edge device; mutual access between terminal devices in different VXLANs (Layer 3 access) must be forwarded through the Layer 3 VXLAN tunnel. A Layer 2 VXLAN tunnel is created between edge devices; mutual access between terminal devices within the same VXLAN (Layer 2 access) is forwarded through the Layer 2 VXLAN tunnel.
In addition, before the embodiments are explained in detail, the encapsulation format of a VXLAN packet is also explained. As shown in FIG. 4, during encapsulation the original L2 frame is first prefixed with a VXLAN header, then encapsulated in an outer UDP header, and finally encapsulated with the IP and MAC addresses of the bearer network as the outer headers, yielding a VXLAN packet.
The fields of the VXLAN header, the outer UDP header, the outer IP header and the outer Ethernet header are explained in Table 1. The meaning of each field of the VXLAN packet is not explained in further detail here.
Table 1
[Table 1 is an image in the original (Figure PCTCN2021100425-appb-000001) listing the field descriptions; it is not reproduced here.]
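The encapsulation order just described, as an added Python example that is not code from the patent: a source VTEP wraps an inner L2 frame, and a destination VTEP checks each outer header before returning the VNI and the inner frame. The header layout and UDP port 4789 are taken from RFC 7348; all addresses are constructed.

```python
"""VXLAN encapsulation in the order described above (FIG. 4): inner L2 frame,
VXLAN header, outer UDP, outer IP, outer Ethernet. Added example, not the patent's
code; header layout and UDP port follow RFC 7348, all addresses are constructed."""
import struct

VXLAN_UDP_PORT = 4789   # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def ipv4_checksum(header):
    """RFC 791 ones'-complement checksum; yields 0 for a header whose checksum
    field is already correct, which is how the receiver verifies it."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni):
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """Source VTEP: wrap inner_frame for transport across the underlay."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    # RFC 7348 derives the UDP source port from a hash of the inner frame for
    # ECMP entropy; a fixed value keeps this example deterministic.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                               64, IPPROTO_UDP, 0, _ip(src_vtep), _ip(dst_vtep)))
    struct.pack_into("!H", ip, 10, ipv4_checksum(ip))
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + udp + vx + inner_frame


def decapsulate(packet):
    """Destination VTEP: check each outer header, return (vni, inner_frame)."""
    if len(packet) < 14 + 20 + 8 + 8:
        raise ValueError("too short to be a VXLAN packet")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("outer IP header is not valid UDP")
    udp = ip[ihl:]
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT or udp_len > len(udp):
        raise ValueError("outer UDP header does not carry VXLAN")
    flags_word, vni_word = struct.unpack("!II", udp[8:16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    return vni_word >> 8, udp[16:udp_len]


def build_sample(vni=5000):
    """Constructed inner frame (T1 -> T2) carried between two VTEPs."""
    inner = _mac("02:00:00:00:00:02") + _mac("02:00:00:00:00:01") + b"\x08\x00" + b"hi"
    packet = encapsulate(inner, vni, "192.0.2.1", "192.0.2.2",
                         "02:aa:00:00:00:01", "02:aa:00:00:00:02")
    return packet, inner
```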
为了后续便于说明,在此先对本申请实施例涉及的几个技术术语进行解释说明。For the convenience of subsequent descriptions, several technical terms involved in the embodiments of the present application are explained first.
VXLAN网络标识(VXLAN Network Identifier,VNI):类似于传统网络中的VLAN ID,用于区分VXLAN网段,不同VXLAN段的租户不能直接进行二层通信。一张网络可以划分一个或多个VNI。VXLAN Network Identifier (VNI): Similar to the VLAN ID in traditional networks, it is used to distinguish VXLAN network segments. Tenants in different VXLAN segments cannot directly communicate at Layer 2. A network can be divided into one or more VNIs.
Broadcast domain (Bridge Domain, BD): similar to the way VLANs divide broadcast domains in a traditional network, a VXLAN network divides broadcast domains by BD. In a VXLAN network, VNIs are mapped 1:1 to BDs; one BD represents one broadcast domain, and hosts in the same BD can communicate at Layer 2.
VXLAN Tunnel Endpoints (VTEP): a VTEP encapsulates and decapsulates VXLAN packets. In a VXLAN packet the source IP address is that of the source VTEP and the destination IP address is that of the destination VTEP; a pair of VTEP addresses corresponds to one VXLAN tunnel. After the source VTEP encapsulates a packet, it sends the encapsulated packet through the tunnel to the destination VTEP, which decapsulates it.
Virtual Access Point (VAP): the VXLAN service access point, which admits services based on VLAN or on packet flow encapsulation type.
Network Virtualization Edge (NVE): an NVE is a network entity that implements network virtualization functions. After packets have been encapsulated and converted by NVEs, a Layer 2 virtualized network can be built between NVEs on top of the Layer 3 underlay network.
Like a traditional VLAN network, a VXLAN network has both access within a VXLAN and access between VXLANs.
Layer 2 gateway: similar to a Layer 2 access device in a traditional network, in a VXLAN network the Layer 2 gateway lets tenants access the VXLAN virtual network. A Layer 2 gateway can also serve communication within one subnet of the same VXLAN virtual network. Taking the earlier explanation of the functions of edge devices and border devices, in VXLAN an edge device can be used as a Layer 2 gateway.
Layer 3 gateway: just as users in different VLANs of a traditional network cannot communicate directly at Layer 2, VXLANs with different VNIs cannot communicate directly with each other, nor can a VXLAN communicate directly with a non-VXLAN network. To enable communication between VXLANs, and between VXLAN and non-VXLAN networks, the concept of a VXLAN Layer 3 gateway is introduced. The Layer 3 gateway serves cross-subnet communication within a VXLAN virtual network and access to external networks. Likewise, taking the earlier explanation of the functions of edge devices and border devices, in VXLAN a border device can be used as a Layer 3 gateway.
The method provided by the embodiments of this application applies to the above scenario of forwarding packets over VXLAN. Its purpose is to provide a way to establish VXLAN tunnels dynamically according to traffic demand, so that tunnels between all network devices need not be established at network initialization; this avoids wasting forwarding table resources on every network device and also improves forwarding table lookup efficiency when packets are forwarded.
Establishing a VXLAN tunnel essentially means obtaining the identifier of the VXLAN tunnel and then creating a correspondence between a packet destination address and that tunnel identifier, so that all subsequent packets to that destination address can be forwarded through the tunnel. The tunnel identifier may be the identifier of the peer device of the VXLAN tunnel (for example, the peer device's IP address), or any other symbol that uniquely identifies the tunnel, such as a unique number assigned to the VXLAN tunnel. A network device can use that number to index the corresponding entry, which holds the VXLAN tunnel parameters, including the peer device's IP address.
In the embodiments of this application, to relieve the storage pressure on the forwarding tables of network devices, VXLAN tunnels between all network devices are not established when VXLAN configuration completes. Instead, the tunnel between two network devices is established only when there is a traffic demand between them. To achieve this, a control device is configured for the VXLAN network. After the control device is configured, the following configuration is performed between the control device and each network device in the VXLAN.
In one possible implementation, the control device is one of the network devices in the VXLAN. The control device may also be a device outside the VXLAN: for example, it may support VXLAN but belong to a VXLAN whose virtual network identifier (VNI) differs from that of the network devices, or it may not support VXLAN at all. The configuration process is described below for the case where the control device is a network device in the VXLAN.
1. Deploy the overlay control protocol (OCP) on the control device and on the other network devices in the VXLAN, so that the control device acts as the OCP server and the other network devices act as OCP clients; this lets the other network devices communicate with the control device.
Note that OCP is only one optional control plane protocol for communication between the control device and the other network devices in the VXLAN. The embodiments of this application do not restrict how the control device establishes a control plane protocol with each network device.
In one possible implementation, the control device is the border device of the VXLAN. In that case OCP is deployed on the border device and the edge devices, so that the border device acts as the OCP server and the edge devices act as OCP clients.
Because the OCP clients and the OCP server can exchange information, at VXLAN network initialization any edge device can first establish a north-south VXLAN tunnel with the border device, while no tunnels are established between edge devices, since they cannot learn each other's peer information. The effect of establishing the north-south tunnels first is that, before a tunnel exists between two edge devices, VXLAN packets between them can detour through the border device, avoiding the long packet transmission delay that would otherwise occur before the tunnel between the edge devices is established.
FIG. 5 is a schematic diagram of a VXLAN architecture provided by an embodiment of this application. The VXLAN includes five VTEPs, labelled VTEP-1, VTEP-2, VTEP-3, VTEP-4 and VTEP-5. VTEP-1, VTEP-2, VTEP-3 and VTEP-4 are edge devices and VTEP-5 is the border device. OCP is deployed on VTEP-1, VTEP-2, VTEP-3, VTEP-4 and VTEP-5, so that VTEP-5 acts as the OCP server and VTEP-1, VTEP-2, VTEP-3 and VTEP-4 act as OCP clients.
As shown in FIG. 5, based on the deployed OCP, VTEP-1, VTEP-2, VTEP-3 and VTEP-4 each establish a VXLAN tunnel with VTEP-5, giving the four north-south VXLAN tunnels shown in FIG. 5. No VXLAN tunnels are established among VTEP-1, VTEP-2, VTEP-3 and VTEP-4.
Optionally, the edge devices do not first establish north-south VXLAN tunnels with the border device. In that case, if two edge devices need to exchange VXLAN packets, the packets are transmitted once the VXLAN tunnel between the two edge devices has been established.
2. Configure the access policy of each terminal device at the control device.
Any terminal device in the network is usually also configured with an access policy, which specifies the conditions that packets sent to that terminal device must satisfy, so that traffic in the network can be managed and controlled. In the embodiments of this application, however, the network devices other than the control device do not communicate with each other at network initialization, so no network device can obtain the access policy of a terminal device connected to another network device. Therefore, so that packets can later be sent to a terminal device according to its access policy, the access policy of each terminal device can be configured at the control device, from which any network device can later obtain it. The specific function of the access policy is described in detail in the later embodiments on packet forwarding and is not elaborated here.
For example, a network administrator defines the access policy of a terminal device according to the needs of the network service. The access policy includes conditions such as the terminal device's access priority, the bandwidth with which it may be accessed, and whether it permits broadcast access. Optionally, the administrator configures access policies directly on the control device, so that the control device stores the access policy of each terminal device. Optionally, the administrator defines the access policies of the terminal devices on an authentication server; when a terminal device joins the VXLAN, the authentication server delivers that terminal device's access policy to the control device, which then stores it.
For example, when the control device is the border device of the VXLAN, the access policies for each edge device are stored at the border device.
3. Each network device in the VXLAN other than the control device announces its currently connected terminal devices to the control device, so that the control device stores a terminal access table for each network device. The terminal access table of a network device contains the addresses of the terminal devices connected to it.
Note that the terminal access table is one possible data structure for the terminal access set; the terminal access set of a network device contains the addresses of the terminal devices connected to it. In the embodiments of this application the terminal access set may also be represented by other data structures, such as a linked list or a list, which is not specifically limited here.
So that VXLAN tunnels can later be established dynamically between network devices, each network device announces the information of its connected terminal devices to the control device; any network device can then learn from the control device which network device a terminal device to be accessed is attached to, and establish a VXLAN tunnel between the two network devices.
Assume the VXLAN includes multiple network devices and the first network device is any one of them. The first network device is used as the example to describe how each network device announces its currently connected terminal devices to the control device.
In one possible implementation, the first network device receives a second packet sent by the first terminal device, the source address of which is the address of the first terminal device. If the second packet is the first packet the first network device has received from the first terminal device, the first network device sends a terminal access announcement message to the control device carrying the address of the first terminal device. The message indicates that the first terminal device is connected to the first network device; on receiving it, the control device adds the address of the first terminal device to the terminal access table of the first network device, which holds the addresses of the terminal devices connected to the first network device.
For the VXLAN architecture of FIG. 5, as shown in FIG. 6, assume terminal device A attaches to edge device VTEP-1 and sends a packet to VTEP-1 carrying terminal device A's address, which includes an IP address and/or a MAC address. If this is the first packet VTEP-1 has received from terminal device A, VTEP-1 learns that terminal device A is now attached to it and sends a terminal access announcement message to the border device over OCP; the message carries the address of terminal device A and the identifier of VTEP-1, which may be the VTEP IP. When the border device receives the message, it learns from the address of terminal device A and the identifier of VTEP-1 that terminal device A is currently attached to VTEP-1, and adds terminal device A's identifier to the terminal access table of VTEP-1. As shown in FIG. 6, this process may be called the "terminal reporting" process; its purpose is to let the border device obtain the addresses of the terminal devices connected to each edge device.
As shown in FIG. 6, when terminal device B attaches to VTEP-4, the address of terminal device B is reported to the border device by the same "terminal reporting" process, so that the border device adds it to the terminal access table of VTEP-4.
In addition, the terminal access announcement message reported by an edge device to the border device may also include the VNI identifying the network segment where the terminal device is located, so that the border device can later send packets to that terminal device based on its VNI. The embodiments of this application do not describe in detail how the border device forwards packets based on the terminal device's VNI.
FIG. 5 and FIG. 6 use the case where the control device is the border device of the VXLAN. Optionally, if the control device is an edge device of the VXLAN, the other network devices in the VXLAN and that edge device can be configured in the same way. Optionally, if the control device is a device outside the VXLAN, the control device and the network devices in the VXLAN only need to deploy OCP, and the north-south VXLAN tunnels of FIG. 5 are not established.
The above explains the configuration of each network device in the VXLAN. Based on this configuration, VXLAN tunnels can be established dynamically when traffic demand arises, rather than being established between all network devices in advance.
FIG. 7 is a flowchart of a method for establishing a VXLAN tunnel provided by an embodiment of this application, explaining how a VXLAN tunnel is established dynamically based on traffic demand. As shown in FIG. 7, the method includes the following steps.
Step 701: The first network device receives a first packet from the first terminal device; the destination address of the first packet is the address of the second terminal device.
The VXLAN of the embodiments includes multiple network devices, and the first network device is any one of them. The embodiment of FIG. 7 takes the first network device as the example for dynamically establishing a VXLAN tunnel based on traffic demand; any network device in the VXLAN can implement the method of this application by reference to FIG. 7.
Because VXLAN tunnels between all network devices are not established when VXLAN configuration completes, and the tunnel between two network devices is established only when traffic demand exists between them, after the first network device receives the first packet it must determine which network device in the VXLAN the second terminal device is connected to. If the first network device can determine locally that this is the second network device, it can forward the first packet over the VXLAN tunnel from the first network device to the second network device. If it cannot determine locally which network device the second terminal device is connected to, it forwards the first packet dynamically through step 702 below.
To let the first network device forward packets quickly, it stores a forwarding table containing multiple terminal device addresses and the tunnel identifier corresponding to each. The forwarding table's function is that, through the VXLAN tunnel indicated by the tunnel identifier corresponding to a terminal device address, packets can be forwarded to the terminal device indicated by that address.
In one possible implementation, the tunnel identifier is the identifier of the VTEP at the receiving end of the VXLAN tunnel (for example, the peer device's IP address). For the VXLAN tunnel from the first network device to the second network device, for example, the tunnel identifier is the identifier of the second network device.
In another possible implementation, the tunnel identifier is some other symbol, distinct from the peer device's identifier, that uniquely identifies the tunnel, such as a unique number assigned to the VXLAN tunnel; for example, the tunnel from the first edge device to the second edge device has the tunnel identifier "tunnel 1". In this implementation, so that the peer device of a VXLAN tunnel can later be looked up for forwarding, the network device uses the number to index an entry holding the VXLAN tunnel parameters, including the peer device's IP address. Thus, in one possible implementation, the first network device also maintains a tunnel list that maps each tunnel identifier one-to-one to the identifier of the VTEP at the receiving end of the corresponding VXLAN tunnel.
Therefore, when the first network device receives the first packet from the first terminal device with the second terminal device's address as destination, it looks up whether the forwarding table contains a tunnel identifier corresponding to the second terminal device's address. If it does, a VXLAN tunnel from the first edge device to the second edge device already exists, and the first packet is forwarded according to that tunnel identifier.
If the forwarding table contains no VXLAN tunnel identifier corresponding to the second terminal device's address, the first network device cannot learn locally which network device the second terminal device is connected to, and it sends the first packet according to step 702 below.
Step 702: In response to the failure to look up the second network device connected to the second terminal device, establish a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel from the first network device to the second network device.
From the VXLAN configuration described above, the control device stores the terminal access table of each network device, and each table contains the addresses of the terminal devices connected to that network device. Therefore, in one possible implementation, establishing the correspondence between the second terminal device's address and the tunnel identifier proceeds as follows. The first network device sends a terminal query request to the control device; the request is used to look up the network device the second terminal device is currently attached to and includes the second terminal device's address. On receiving the request, the control device searches the stored terminal access tables for one containing the second terminal device's address and takes the network device owning that table as the second network device; in this way it determines that the second terminal device is currently connected to the second network device. The control device sends a terminal query result to the first network device carrying the second network device's identifier. The first network device receives the result, learns that the second terminal device is currently attached to the second network device, and can therefore establish the correspondence between the second terminal device's address and the tunnel identifier according to the second network device's identifier.
Note that because the tunnel identifier in the forwarding table can be represented in different ways, the way the first network device establishes the correspondence between the second terminal device's address and the tunnel identifier from the second network device's identifier also differs accordingly.
In one possible implementation, the tunnel identifier in the forwarding table is the identifier of the device at the receiving end of the VXLAN tunnel. In that case, the second network device's identifier is used as the tunnel identifier of the VXLAN tunnel from the first network device to the second network device, and the correspondence between the second network device's identifier and the second terminal device's address is simply established. Here "used as" involves no operation at all: once the first network device has obtained the second network device's identifier, it has in effect determined the tunnel identifier of the VXLAN tunnel from the first network device to the second network device.
In another possible implementation, the tunnel identifier in the forwarding table is some other symbol, distinct from the peer device's identifier, that uniquely identifies the tunnel, such as a unique number assigned to the VXLAN tunnel. In that case, establishing the correspondence between the second terminal device's address and the tunnel identifier according to the second network device's identifier means: look up in the tunnel list, by the second network device's identifier, the tunnel identifier whose receiving end is the second network device. If a tunnel identifier is found, it is the identifier of the VXLAN tunnel from the first network device to the second network device; the tunnel already exists and only the correspondence between the second terminal device's address and that tunnel identifier is missing, so that correspondence is simply created. If no tunnel identifier is found, a tunnel identifier for the VXLAN tunnel from the first network device to the second network device is generated according to the tunnel identifier generation rule, the correspondence between the generated tunnel identifier and the second network device's identifier is added to the tunnel list, and the correspondence between the second terminal device's address and the generated tunnel identifier is established. The tunnel identifier generation rule is any rule that yields a symbol uniquely identifying a VXLAN tunnel; the embodiments of this application do not restrict it. For example, the tunnel identifier may be generated from the number of VXLAN tunnels from the first network device to other network devices.
Note that the sequence of operations performed after no tunnel identifier is found can be called the process of establishing the VXLAN tunnel from the first network device to the second network device.
After the correspondence between the second terminal device's address and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device is established, subsequent packets to the second terminal device can be forwarded, via the forwarding table, through that VXLAN tunnel.
对于图5所示的VXLAN架构,控制设备为边界设备VTEP-5。如图6所示,对于网络设备VTEP-1连接的终端设备A,假设终端设备A当前需要发送第一报文至终端设备B。当VTEP-1收到该第一报文时,根据该第一报文的报文头识别出待访问的终端设备B的地址,该地址包括诸如MAC、IP地址。VTEP-1通过OCP协议,向控制设备发送终端查询请求,该终端查询请求携带终端设备的地址。控制设备接收到该终端查询请求时,从各个网络设备的终端接入表中查询包括终端设备B的地址的终端接入表,查询结果为VTEP-4的终端接入表中包括终端设备B的地址。因此,控制设备向VTEP-1返回终端查询结果,该终端查询结果携带VTEP-4的标识,该VTEP-4的标识比如为VTEP IP。VTEP-1接收到该终端查询结果后,便可根据VTEP-4的标识确定VTEP-1到VTEP-4的VXLAN隧道的隧道标识,然后在转发表中添加该隧道标识和第二终端设备的地址之间的对应关系。For the VXLAN architecture shown in Figure 5, the control device is the edge device VTEP-5. As shown in FIG. 6 , for the terminal device A connected to the network device VTEP-1, it is assumed that the terminal device A currently needs to send the first packet to the terminal device B. When VTEP-1 receives the first packet, it identifies the address of the terminal device B to be accessed according to the packet header of the first packet, and the address includes, for example, MAC and IP addresses. VTEP-1 sends a terminal query request to the control device through the OCP protocol, and the terminal query request carries the address of the terminal device. When the control device receives the terminal query request, it queries the terminal access table including the address of terminal device B from the terminal access table of each network device, and the query result is that the terminal access table of VTEP-4 includes the address of terminal device B. address. Therefore, the control device returns a terminal query result to VTEP-1, and the terminal query result carries the identifier of VTEP-4, and the identifier of VTEP-4 is, for example, VTEP IP. After VTEP-1 receives the query result of the terminal, it can determine the tunnel ID of the VXLAN tunnel from VTEP-1 to VTEP-4 according to the ID of VTEP-4, and then add the tunnel ID and the address of the second terminal device in the forwarding table Correspondence between.
如图6所示,上述过程还称为“终端查询”过程。As shown in FIG. 6 , the above process is also referred to as a "terminal inquiry" process.
此外,基于前述对VXLAN的配置可知,控制设备处还存储有各个终端设备的访问策略。因此,可选地,控制设备向VTEP-1返回的终端查询结果中还包括终端设备B的访问策略,以便于后续VTEP-1基于该终端设备B的访问策略发送终端设备A访问终端设备B的流量。关于VTEP-1基于该终端设备B的访问策略发送终端设备A访问终端设备B的流量也将在后续进行详细解释说明,在此就先不展开阐述。In addition, based on the aforementioned configuration of the VXLAN, the control device also stores the access policies of each terminal device. Therefore, optionally, the terminal query result returned by the control device to VTEP-1 also includes the access policy of terminal device B, so that the subsequent VTEP-1 sends the access policy of terminal device A to terminal device B based on the access policy of terminal device B. flow. The traffic sent by the VTEP-1 to the terminal device A to access the terminal device B based on the access policy of the terminal device B will also be explained in detail later, and will not be elaborated here.
It should be noted that creating a VXLAN tunnel takes a relatively long time, which would slow the response to the traffic with which the first terminal device currently accesses the second terminal device. To avoid this, if the query for the network device connected to the second terminal device fails, the first network device first sends the first packet to the control device, and the control device forwards the first packet to the second network device. After the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device has been established, if the first network device receives a packet from the first terminal device whose destination address is still the second terminal device, the first network device forwards that packet directly through the VXLAN tunnel between the first network device and the second network device.
It can be seen that, in this embodiment of the present application, before the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device has been established, the traffic with which the first terminal device accesses the second terminal device is detoured through the control device. After that correspondence has been established, the traffic with which the first terminal device accesses the second terminal device can be forwarded directly through the VXLAN tunnel.
In a possible implementation, if the control device is one of the network devices in the VXLAN, VXLAN tunnels between the other network devices in the VXLAN and the control device may be established in advance. In this way, before the VXLAN tunnel from the first network device to the second network device has been established, the traffic with which the first terminal device accesses the second terminal device is detoured through the VXLAN tunnel from the first network device to the control device and the VXLAN tunnel from the control device to the second network device.
For example, for the VXLAN architecture shown in Figure 5, the control device is the border device VTEP-5. As shown in Figure 6, while the VXLAN tunnel from VTEP-1 to VTEP-4 is being created, the traffic of terminal device A is detoured through the control device over the north-south VXLAN tunnels. After the VXLAN tunnel from VTEP-1 to VTEP-4 has been created, the traffic of terminal device A is sent to terminal device B over the east-west VXLAN tunnel.
In addition, when the terminal query result also carries the access policy corresponding to the second terminal device, the first network device, before sending a packet through the established VXLAN tunnel, first determines whether the packet satisfies the access policy of the second terminal device; if the packet satisfies the access policy of the second terminal device, it is sent to the second network device through the established VXLAN tunnel.
For example, for the VXLAN shown in Figure 6, the access policy of terminal device B includes the access priority of terminal device B. In this scenario, when VTEP-1 sends the packet, it first assigns the packet a specific priority according to the access priority of terminal device B, and VTEP-1 then forwards packets according to their priorities.
For another example, the access policy of terminal device B includes the bandwidth with which terminal device B may be accessed. In this scenario, before VTEP-1 sends the packet, it first determines whether the traffic already sent exceeds this bandwidth. If it does, the packet is held back for now; if it does not, the packet is sent.
For another example, the access policy of terminal device B includes whether terminal device B is allowed to be accessed by broadcast. If the access policy indicates that terminal device B is allowed to be accessed by broadcast, VTEP-1 is allowed to send the packet by broadcast. If the access policy indicates that terminal device B is not allowed to be accessed by broadcast, VTEP-1 is not allowed to send the packet by broadcast.
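The three policy checks above (priority assignment, bandwidth limit, broadcast permission) as one decision routine at the sending VTEP, written as an added illustration rather than code from the patent. The policy field names, the one-second accounting window, and dropping a packet for a terminal with no known policy are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessPolicy:
    """Access policy returned by the control device for one destination terminal (assumed fields)."""
    priority: int          # access priority of the terminal; higher is forwarded first
    bandwidth_bps: int     # bandwidth with which the terminal may be accessed
    allow_broadcast: bool  # whether the terminal may be reached by broadcast


@dataclass
class Packet:
    dst: str                        # destination terminal address
    size_bytes: int
    broadcast: bool = False
    priority: Optional[int] = None  # assigned by the VTEP from the destination's policy


class PolicyEnforcer:
    """Decisions the sending VTEP makes for one packet before it enters the tunnel.

    Bandwidth is accounted per one-second window (an assumption of this example):
    a packet is held when the bytes already sent to the terminal in the window,
    plus this packet, would exceed the permitted bandwidth.
    """

    def __init__(self, policies: Dict[str, AccessPolicy]):
        self.policies = policies
        self.sent_bytes: Dict[str, int] = {}  # bytes sent per destination in the window
        self.queue: List[Packet] = []          # admitted packets awaiting forwarding
        self.held: List[Packet] = []           # packets held back by the bandwidth check

    def new_window(self) -> None:
        """Start a new accounting window (held packets are a candidate for retry)."""
        self.sent_bytes = {}

    def decide(self, pkt: Packet) -> str:
        policy = self.policies.get(pkt.dst)
        if policy is None:
            return "drop"   # no policy for this terminal (assumption: nothing to send against)
        if pkt.broadcast and not policy.allow_broadcast:
            return "drop"   # policy forbids broadcast access to this terminal
        already = self.sent_bytes.get(pkt.dst, 0)
        if already + pkt.size_bytes > policy.bandwidth_bps // 8:
            self.held.append(pkt)
            return "hold"   # permitted bandwidth exceeded: do not send for now
        pkt.priority = policy.priority
        self.sent_bytes[pkt.dst] = already + pkt.size_bytes
        self.queue.append(pkt)
        return "send"

    def flush(self) -> List[str]:
        """Forward admitted packets highest priority first; stable for equal priority."""
        ordered = sorted(self.queue, key=lambda p: -p.priority)
        self.queue = []
        return [p.dst for p in ordered]
```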
In addition, for the VXLAN shown in Figure 5, if terminal device B needs to send reply traffic to terminal device A, the process by which terminal device B sends packets to terminal device A likewise follows the process described above for terminal device A sending packets to terminal device B; in the end, VTEP-4 creates a unidirectional VXLAN tunnel to the peer VTEP-1. This is not repeated here.
In addition, because the VXLAN tunnels between network devices are established dynamically based on traffic demand, a further measure is needed to prevent some VXLAN tunnels from remaining unused for a long time after being established, which would waste forwarding table resources. Therefore, after the first network device establishes the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device, if that correspondence is continuously missed, the first network device ages out the correspondence.
The correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device being continuously missed means that the first network device does not receive any packet whose destination address is the address of the second terminal device within a reference duration. In this scenario, the second terminal device has had no need to access the first terminal device within the reference duration, and the first network device deletes the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device from the forwarding table. The above process may also be referred to as the aging process of the forwarding table.
In addition, consider the following scenario: the tunnel identifier in the forwarding table is a symbol other than the identifier of the peer device of the VXLAN tunnel that can nevertheless uniquely identify the tunnel, for example a unique number assigned to the VXLAN tunnel. The network device uses this number to index the corresponding entry, and the entry stores the VXLAN tunnel parameters, including the IP address of the peer device. For example, in a possible implementation, the first network device also maintains a tunnel list, which contains, for each tunnel identifier, the identifier of the VTEP at the receiving end of the corresponding tunnel. In this scenario, if the correspondences between every terminal device address and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device have all aged out, the correspondence between that tunnel identifier and the identifier of the second network device is deleted from the tunnel list.
In the above scenario, other terminal devices may also be connected to the second network device. In order not to affect the normal access of the first terminal device to those other terminal devices, when the first terminal device has had no need to access the second terminal device within the reference duration, the first network device only deletes from the forwarding table the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device; it does not delete the information about the VXLAN tunnel from the first network device to the second network device from the tunnel list.
Further, after the first network device deletes the correspondence between the address of the second terminal device and the tunnel identifier of the VXLAN tunnel from the first network device to the second network device from the forwarding table, if no terminal device address corresponding to that tunnel identifier remains in the forwarding table, this indicates that no terminal device under the first network device currently needs to access any of the terminal devices connected to the second network device. The first network device therefore deletes the information about the VXLAN tunnel from the first network device to the second network device from the tunnel list (here, this information is the correspondence between the tunnel identifier of the VXLAN tunnel from the first network device to the second network device and the identifier of the second network device), so that idle VXLAN tunnels do not occupy network resources.
It should be noted that the above process of deleting the information about the VXLAN tunnel from the first network device to the second network device is also referred to as the process of deleting the VXLAN tunnel from the first network device to the second network device.
In addition, the above reference duration is also referred to as the aging time, and the like; this is not specifically limited in this embodiment of the present application.
For example, for the VXLAN shown in Figure 5, the control device is the border device VTEP-5. A network device ages its forwarding table according to terminal traffic. Specifically, when terminal device A and terminal device B have exchanged no traffic for a period of time and VTEP-1 has not received traffic destined for terminal device B within the aging time, VTEP-1 deletes the information of terminal device B from its forwarding table (here, the information of terminal device B refers to the address of terminal device B and the tunnel identifier of the VXLAN tunnel from VTEP-1 to VTEP-4 in the forwarding table); and if the forwarding table contains no addresses of other terminal devices connected to VTEP-4, VTEP-1 also deletes the VXLAN tunnel from VTEP-1 to VTEP-4. Similarly, if VTEP-4 has not received traffic destined for terminal device A within the aging time, VTEP-4 deletes the information of terminal device A from its forwarding table (here, the information of terminal device A refers to the address of terminal device A and the tunnel identifier of the VXLAN tunnel from VTEP-4 to VTEP-1 in the forwarding table); and if the forwarding table contains no addresses of other terminal devices connected to VTEP-1, VTEP-4 also deletes the VXLAN tunnel from VTEP-4 to VTEP-1.
In this embodiment of the present application, when the VXLAN network configuration is completed, VXLAN tunnels are not established between all network devices. Instead, a VXLAN tunnel between two network devices is established only when there is a traffic access demand between them. This avoids having to establish VXLAN tunnels between all network devices at network initialization, reduces the information stored in the forwarding table of each network device, and thus relieves the data storage pressure on each network device.
The method for establishing a VXLAN tunnel provided by the embodiment of the present application is described in detail below, taking the VXLAN shown in Figure 5 as an example.
As shown in Figure 8, the method includes the following steps:
1. OCP is deployed on the border device and the edge devices; the border device acts as the OCP server and the edge devices act as OCP clients. At the same time, the administrator deploys the access policies of the terminal devices on the border device. An access policy includes access conditions such as the access priority of the terminal device, the bandwidth with which the terminal device may be accessed, and whether the terminal device allows broadcast access.
2. The edge devices register with the border device through OCP. The OCP clients establish north-south VXLAN tunnels with the OCP server.
3. Terminal device A goes online and sends traffic requesting the gateway.
4. Edge device 1 receives the traffic of terminal device A, identifies the information (MAC, IP) of terminal device A, stores that information, and reports the information of terminal device A together with the identifier (VTEP IP) of edge device 1 to the border device through the OCP protocol.
5. The border device stores the information of terminal device A in the terminal access table of edge device 1.
6. Terminal device B goes online and sends traffic requesting the gateway.
7. Edge device 2 receives the traffic of terminal device B, identifies the information (MAC, IP) of terminal device B, stores that information, and reports the information of terminal device B to the border device through the OCP protocol.
8. The border device stores the information of terminal device B in the terminal access table of edge device 2.
9. Terminal device A sends traffic to access terminal device B.
10. Edge device 1 receives the traffic of terminal device A and looks up its own forwarding table by the destination IP (terminal device B), but finds no information for terminal device B. Through the OCP protocol, it sends a query to the border device for the information about terminal device B.
11. The border device looks up the information about terminal device B and replies to edge device 1 through the OCP protocol with that information (which includes, for example, the VNI of the network where terminal device B is located, the VTEP IP of the network device to which terminal device B is connected, the access priority of terminal device B, the bandwidth with which terminal device B may be accessed, and whether terminal device B allows broadcast access).
12. Edge device 1 stores the information about terminal device B. It determines from that information that terminal device B is connected to edge device 2, and creates an east-west VXLAN tunnel from edge device 1 to edge device 2.
13. After the east-west VXLAN tunnel is established, the traffic with which terminal device A accesses terminal device B is forwarded through the east-west tunnel, and the access policy of terminal device B is enforced.
14. Terminal device B sends reply traffic to terminal device A.
15. Edge device 2 receives the traffic of terminal device B and looks up its own forwarding table by the destination IP (terminal device A), but finds no information for terminal device A. Through the OCP protocol, it sends a query to the border device for the information about terminal device A.
16. The border device looks up the information about terminal device A and replies to edge device 2 through the OCP protocol with that information.
17. Edge device 2 stores the information about terminal device A. It determines from that information that terminal device A is connected to edge device 1, and creates an east-west VXLAN tunnel from edge device 2 to edge device 1.
18. After the east-west VXLAN tunnel is established, the traffic with which terminal device B accesses terminal device A is forwarded through the east-west tunnel.
19. If edge device 1 receives no traffic with destination IP terminal device B for a continuous period of time, it deletes the entry of terminal device B from its forwarding table (here, the entry of terminal device B refers to the correspondence in the forwarding table between the address of terminal device B and the identifier of the VXLAN tunnel from edge device 1 to edge device 2).
20. If edge device 1 determines that its forwarding table contains no entry for any terminal device under edge device 2, it deletes the VXLAN tunnel from edge device 1 to edge device 2 (here, deleting the VXLAN tunnel from edge device 1 to edge device 2 means deleting from the tunnel list the correspondence between the tunnel identifier of the VXLAN tunnel from edge device 1 to edge device 2 and the identifier of edge device 2). If edge device 1 determines that its forwarding table still contains entries for other terminal devices under edge device 2, the VXLAN tunnel is not deleted.
21. Similarly, if edge device 2 receives no traffic with destination IP terminal device A for a continuous period of time, it deletes the entry of terminal device A from its forwarding table (here, the entry of terminal device A refers to the correspondence in the forwarding table between the address of terminal device A and the identifier of the VXLAN tunnel from edge device 2 to edge device 1).
22. If edge device 2 determines that its forwarding table contains no entry for any terminal device under edge device 1, it deletes the VXLAN tunnel from edge device 2 to edge device 1 (here, deleting the VXLAN tunnel from edge device 2 to edge device 1 means deleting from the tunnel list the correspondence between the tunnel identifier of the VXLAN tunnel from edge device 2 to edge device 1 and the identifier of edge device 1). If edge device 2 determines that its forwarding table still contains entries for other terminal devices under edge device 1, the VXLAN tunnel is not deleted.
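The tunnel lifecycle of steps 9 to 22 on one edge device (forwarding table miss, terminal query to the border device, on-demand tunnel creation, aging of entries, and deletion of a tunnel only when no entry still references it), as an added simulation that is not code from the patent. The class and method names, the numeric tunnel identifiers, the timestamps, and the detour of the packet that triggered tunnel creation are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TerminalInfo:
    vtep_ip: str  # VTEP IP of the network device the terminal is connected to
    vni: int


class ControlDevice:
    """Border device acting as OCP server: one terminal access table per edge device."""

    def __init__(self) -> None:
        self.access_tables: Dict[str, Dict[str, TerminalInfo]] = {}

    def terminal_access_announce(self, vtep_ip: str, terminal: str, vni: int) -> None:
        self.access_tables.setdefault(vtep_ip, {})[terminal] = TerminalInfo(vtep_ip, vni)

    def terminal_query(self, terminal: str) -> Optional[TerminalInfo]:
        for table in self.access_tables.values():
            if terminal in table:
                return table[terminal]
        return None


class EdgeDevice:
    """OCP client holding a forwarding table (terminal -> tunnel id) and a tunnel list."""

    def __init__(self, vtep_ip: str, controller: ControlDevice, aging_time: int) -> None:
        self.vtep_ip = vtep_ip
        self.controller = controller
        self.aging_time = aging_time
        self.forwarding_table: Dict[str, int] = {}  # terminal address -> tunnel id
        self.tunnel_list: Dict[int, str] = {}       # tunnel id -> peer VTEP IP
        self.last_hit: Dict[str, int] = {}          # terminal address -> last matching packet time
        self._next_tunnel_id = 1
        self.log: List[str] = []

    def _tunnel_to(self, peer_ip: str) -> int:
        """Reuse the tunnel to this peer if one exists, otherwise create it."""
        for tid, ip in self.tunnel_list.items():
            if ip == peer_ip:
                return tid
        tid = self._next_tunnel_id
        self._next_tunnel_id += 1
        self.tunnel_list[tid] = peer_ip
        self.log.append(f"create tunnel {tid} -> {peer_ip}")
        return tid

    def forward(self, dst: str, now: int) -> Tuple[str, object]:
        """How a packet for dst leaves the device: tunnel id, detour via controller, or drop."""
        tid = self.forwarding_table.get(dst)
        if tid is None:
            info = self.controller.terminal_query(dst)
            if info is None:
                return ("drop", None)  # terminal unknown to the controller
            tid = self._tunnel_to(info.vtep_ip)
            self.forwarding_table[dst] = tid
            self.last_hit[dst] = now
            # the packet that triggered creation is detoured through the control device
            return ("detour", self.controller)
        self.last_hit[dst] = now
        return ("tunnel", tid)

    def age(self, now: int) -> None:
        """Age out entries idle longer than aging_time, then delete unreferenced tunnels."""
        for dst in [d for d, t in self.last_hit.items() if now - t > self.aging_time]:
            self.log.append(f"age out {dst}")
            del self.forwarding_table[dst]
            del self.last_hit[dst]
        in_use = set(self.forwarding_table.values())
        for tid in [t for t in self.tunnel_list if t not in in_use]:
            self.log.append(f"delete tunnel {tid} -> {self.tunnel_list[tid]}")
            del self.tunnel_list[tid]
```

Two terminals behind the same peer share one tunnel, so aging out one of them leaves the tunnel in place until the last entry referencing it is gone.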
Figure 9 is a schematic structural diagram of a first network device in a VXLAN provided by an embodiment of the present application. The VXLAN includes multiple network devices, and the first network device is any one of them.
As shown in Figure 9, the first network device 900 includes:
a receiving module 901, configured to receive a first packet from a first terminal device, where the destination address of the first packet is the address of a second terminal device; and
an establishing module 902, configured to, in response to a failure to query the second network device to which the second terminal device is connected, establish a correspondence between the address of the second terminal device and a tunnel identifier, where the tunnel identifier identifies the VXLAN tunnel from the first network device to the second network device.
Optionally, the establishing module is configured to:
send a terminal query request to the control device, the terminal query request including the address of the second terminal device;
receive a terminal query result returned by the control device, the terminal query result including the identifier of the second network device, the second network device being the network device to which the second terminal device is connected; and
establish the correspondence between the address of the second terminal device and the tunnel identifier according to the identifier of the second network device.
Optionally,
the receiving module is further configured to receive a second packet from the first terminal device, where the source address of the second packet is the address of the first terminal device; and
the first network device further includes a sending module, configured to send a terminal access announcement message to the control device if the second packet is the first packet received from the first terminal device, where the terminal access announcement message includes the address of the first terminal device and indicates that the first terminal device is connected to the first network device.
Optionally, the first network device further includes a sending module;
the sending module is configured to send the first packet to the control device via the VXLAN tunnel from the first network device to the control device.
Optionally, the first network device further includes an aging module;
the aging module is configured to age out the correspondence between the address of the second terminal device and the tunnel identifier if that correspondence is continuously missed.
Optionally, the first network device further stores a correspondence between the tunnel identifier and the identifier of the second network device;
the aging module is further configured to delete the correspondence between the tunnel identifier and the identifier of the second network device if the correspondences between every terminal device address and the tunnel identifier have all aged out.
The embodiments of the present application make it possible to dynamically establish a VXLAN tunnel between two network devices only when there is a traffic forwarding demand, which avoids having to establish VXLAN tunnels between all network devices in advance and thus saves forwarding table resources on the network devices. Because less VXLAN tunnel information is stored in the forwarding table, the efficiency of forwarding table lookups when forwarding packets is also improved.
It should be noted that when the first network device provided in the above embodiment establishes a VXLAN tunnel, the division into the functional modules described above is only an example. In practical applications, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the first network device provided in the above embodiment and the method embodiment for establishing a VXLAN tunnel belong to the same concept; for its specific implementation, refer to the method embodiment, which is not repeated here.
Figure 10 is a schematic structural diagram of a network device provided by an embodiment of the present application. The edge devices and the border device in the above embodiments may each be implemented by the network device shown in Figure 10. Referring to Figure 10, the network device includes at least one processor 1001, a communication bus 1002, a memory 1003, and at least one communication interface 1004.
The processor 1001 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the solution of the present application. The functions of the establishing module, the aging module, and the other modules in the embodiment of Figure 9 may all be implemented by the processor.
The communication bus 1002 may include a path for transferring information between the above components.
The memory 1003 may be a read-only memory (ROM), a random access memory (RAM), an electrically erasable programmable read-only memory (EEPROM), an optical disc (including a compact disc read-only memory (CD-ROM), a compact disc, a laser disc, a digital versatile disc, a Blu-ray disc, and the like), a magnetic disk or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 1003 may exist independently and be connected to the processor 1001 through the communication bus 1002. The memory 1003 may also be integrated with the processor 1001.
The memory 1003 is used to store the program code for executing the solution of the present application, and the processor 1001 controls its execution. The processor 1001 is configured to execute the program code stored in the memory 1003. The program code may include one or more software modules. The network devices in Figures 1 to 6 may determine the data used for developing an application through the processor 1001 and one or more software modules in the program code in the memory 1003.
The communication interface 1004 uses any transceiver-type apparatus to communicate with other devices or communication networks, such as Ethernet, a radio access network (RAN), or a wireless local area network (WLAN). The functions of the receiving module and the sending module in the embodiment of Figure 9 may be implemented through the communication interface.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless (for example, infrared, radio, or microwave) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a digital versatile disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), and the like.
The usable media may be magnetic media (eg: floppy disk, hard disk, magnetic tape), optical media (eg: digital versatile disc (DVD)), or semiconductor media (eg: solid state disk (SSD)) )Wait.
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps of implementing the above embodiments can be completed by hardware, or can be completed by instructing relevant hardware through a program, and the program can be stored in a computer-readable storage medium. The storage medium mentioned may be a read-only memory, a magnetic disk or an optical disk, etc.
以上所述为本申请提供的实施例,并不用以限制本申请,凡在本申请实施例的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请实施例的保护范围之内。The above-mentioned embodiments provided for this application are not intended to limit this application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the embodiments of this application shall be included in the embodiments of this application. within the scope of protection.

Claims (14)

  1. A method for establishing a virtual extensible local area network (VXLAN) tunnel, characterized in that the method is applied to a first network device in a VXLAN, the VXLAN comprising a plurality of network devices, and the first network device being any one of the plurality of network devices;
    the method comprising:
    receiving a first packet from a first terminal device, a destination address of the first packet being an address of a second terminal device;
    in response to a failure to look up the second network device to which the second terminal device is connected, establishing a correspondence between the address of the second terminal device and a tunnel identifier, the tunnel identifier identifying a VXLAN tunnel from the first network device to the second network device.
  2. The method according to claim 1, characterized in that establishing the correspondence between the address of the second terminal device and the tunnel identifier comprises:
    sending a terminal query request to a control device, the terminal query request comprising the address of the second terminal device;
    receiving a terminal query result returned by the control device, the terminal query result comprising an identifier of the second network device, the second network device being the network device to which the second terminal device is connected;
    establishing, according to the identifier of the second network device, the correspondence between the address of the second terminal device and the tunnel identifier.
  3. The method according to claim 1 or 2, characterized in that the method further comprises:
    receiving a second packet from the first terminal device, a source address of the second packet being the address of the first terminal device;
    if the second packet is the first packet received from the first terminal device, sending a terminal access notification message to a control device, the terminal access notification message comprising the address of the first terminal device and indicating that the first terminal device is connected to the first network device.
  4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    sending the first packet to the control device via a VXLAN tunnel between the first network device and the control device.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    if the correspondence between the address of the second terminal device and the tunnel identifier is continuously not hit, aging out the correspondence.
  6. The method according to claim 5, characterized in that the first network device further stores a correspondence between the tunnel identifier and the identifier of the second network device;
    after aging out the correspondence between the address of the second terminal device and the tunnel identifier, the method further comprises:
    if the correspondence between every terminal device address and the tunnel identifier has aged out, deleting the correspondence between the tunnel identifier and the identifier of the second network device.
  7. A first network device in a VXLAN, characterized in that the VXLAN comprises a plurality of network devices, and the first network device is any one of the plurality of network devices;
    the first network device comprising:
    a receiving module, configured to receive a first packet from a first terminal device, a destination address of the first packet being an address of a second terminal device;
    an establishment module, configured to establish, in response to a failure to look up the second network device to which the second terminal device is connected, a correspondence between the address of the second terminal device and a tunnel identifier, the tunnel identifier identifying a VXLAN tunnel from the first network device to the second network device.
  8. The first network device according to claim 7, characterized in that the establishment module is configured to:
    send a terminal query request to a control device, the terminal query request comprising the address of the second terminal device;
    receive a terminal query result returned by the control device, the terminal query result comprising an identifier of the second network device, the second network device being the network device to which the second terminal device is connected;
    establish, according to the identifier of the second network device, the correspondence between the address of the second terminal device and the tunnel identifier.
  9. The first network device according to claim 7 or 8, characterized in that
    the receiving module is further configured to receive a second packet from the first terminal device, a source address of the second packet being the address of the first terminal device;
    the first network device further comprises a sending module, configured to send a terminal access notification message to a control device if the second packet is the first packet received from the first terminal device, the terminal access notification message comprising the address of the first terminal device and indicating that the first terminal device is connected to the first network device.
  10. The first network device according to any one of claims 7 to 9, characterized in that the first network device further comprises a sending module;
    the sending module is configured to send the first packet to the control device via a VXLAN tunnel between the first network device and the control device.
  11. The first network device according to any one of claims 7 to 10, characterized in that the first network device further comprises an aging module;
    the aging module is configured to age out the correspondence between the address of the second terminal device and the tunnel identifier if that correspondence is continuously not hit.
  12. The first network device according to claim 11, characterized in that the first network device further stores a correspondence between the tunnel identifier and the identifier of the second network device;
    the aging module is further configured to delete the correspondence between the tunnel identifier and the identifier of the second network device if the correspondence between every terminal device address and the tunnel identifier has aged out.
  13. A VXLAN network device, characterized in that the network device comprises a memory and a processor;
    the memory is configured to store a program that enables the network device to perform the method according to any one of claims 1 to 6, and to store the data involved in implementing the method according to any one of claims 1 to 6;
    the processor is configured to execute the program stored in the memory.
  14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 6.
PCT/CN2021/100425 2020-06-30 2021-06-16 Method for establishing vxlan tunnel, and related device WO2022001669A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010617508.1 2020-06-30
CN202010617508.1A CN113872845B (en) 2020-06-30 2020-06-30 Method for establishing VXLAN tunnel and related equipment

Publications (1)

Publication Number Publication Date
WO2022001669A1 true WO2022001669A1 (en) 2022-01-06

Family

ID=78981764

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/100425 WO2022001669A1 (en) 2020-06-30 2021-06-16 Method for establishing vxlan tunnel, and related device

Country Status (2)

Country Link
CN (1) CN113872845B (en)
WO (1) WO2022001669A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150224A (en) * 2022-06-29 2022-10-04 济南浪潮数据技术有限公司 Inter-cluster network two-layer communication method, device, equipment and storage medium
WO2023221452A1 (en) * 2022-05-17 2023-11-23 阿里云计算有限公司 Packet processing system and method, device, and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113923075A (en) * 2020-07-09 2022-01-11 华为技术有限公司 Data transmission method and device
CN115426217A (en) * 2022-09-30 2022-12-02 上海地面通信息网络股份有限公司 Internet access control system and method based on VXLAN
CN116055398A (en) * 2022-12-29 2023-05-02 天翼云科技有限公司 Forwarding method and system node of VXLAN cluster system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299723A (en) * 2008-07-02 2008-11-05 杭州华三通信技术有限公司 Method and apparatus for managing label switching route tunnel information
US20150341263A1 (en) * 2012-12-27 2015-11-26 Hangzhou H3C Technologies Co., Ltd. Associating internet protocol (ip) addresses with ethernet virtualisation interconnection (evi) links
CN106998286A (en) * 2017-05-05 2017-08-01 杭州迪普科技股份有限公司 VXLAN message forwarding method and device
CN110391961A (en) * 2018-04-18 2019-10-29 华为技术有限公司 Tunnel binding method, device and system

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1138367C (en) * 2001-09-17 2004-02-11 华为技术有限公司 Security association (SA) generation method for secure communication between nodes in a network area
US7894369B2 (en) * 2005-08-19 2011-02-22 Opnet Technologies, Inc. Network physical connection inference for IP tunnels
CN101207546A (en) * 2006-12-18 2008-06-25 华为技术有限公司 Method for dynamically establishing tunnel, tunnel server and system thereof
CN102045233B (en) * 2009-10-22 2013-03-13 杭州华三通信技术有限公司 Method and device for controlling message forwarding in network communication
US9900793B2 (en) * 2013-01-11 2018-02-20 Lg Electronics Inc. Method and apparatus for transmitting information in wireless communication system
CN103259736A (en) * 2013-05-24 2013-08-21 杭州华三通信技术有限公司 Tunnel building method and network equipment
US20140376558A1 (en) * 2013-06-19 2014-12-25 Alcatel-Lucent Usa Inc. Dynamic Network Service Association and On Demand Service Provisioning
CN104022936B (en) * 2014-06-20 2018-02-06 新华三技术有限公司 Tunnel establishment method and device
CN109412926B (en) * 2018-11-16 2021-04-27 新华三技术有限公司 Tunnel establishment method and device
CN110430116B (en) * 2019-07-26 2021-05-07 新华三技术有限公司成都分公司 Data forwarding method and device, edge device and readable storage medium

Also Published As

Publication number Publication date
CN113872845B (en) 2023-04-07
CN113872845A (en) 2021-12-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21833183

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21833183

Country of ref document: EP

Kind code of ref document: A1