CN104954186B - A kind of application oriented SDN policy control method - Google Patents

A kind of application oriented SDN policy control method

Info

Publication number
CN104954186B
CN104954186B
Authority
CN
China
Prior art keywords
sdn
strategy
application
policy
vxlan
Prior art date
Legal status
Active
Application number
CN201510344547.8A
Other languages
Chinese (zh)
Other versions
CN104954186A (en)
Inventor
黄祖源
马文
杜洁
李芹
陈何雄
李寒箬
Current Assignee
Information Center of Yunnan Power Grid Co Ltd
Original Assignee
Information Center of Yunnan Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Information Center of Yunnan Power Grid Co Ltd
Priority to CN201510344547.8A
Publication of CN104954186A
Application granted
Publication of CN104954186B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An application-oriented SDN policy control method. The invention builds an SDN basic control environment made up of SDN policy controllers, SDN intelligent switches and basic application systems (TE), and places application terminal systems (TE) with similar policy requirements in the same TG. Using Overlay encapsulation technology, traffic in the SDN is encapsulated in VXLAN for transmission, and the VXLAN header is extended with a new TG tag that distinguishes different policy groups. Beneficial effects of the invention: based on an SDN basic environment, by extending VXLAN and adding a policy-group tag, the invention separates the relationship between physical location, security policy and IP address, so that servers can be deployed and migrated, and security control policies set, more conveniently, improving the automation and security management performance of the SDN.

Description

An application-oriented SDN policy control method
Technical field
The present invention applies to software-defined network research for data centers and WAN networks and belongs to the field of software and network technology.
Background technology
SDN development is in full swing. With the proposal and rapid development of the SDN concept, enterprises' expectations of SDN keep growing: improving network utilization, automatic configuration management, better security performance, application visualization, lower complexity, lower operating cost, better scalability, support for building private and hybrid clouds, and so on. Most of these relate to data center operation and maintenance (O&M): SDN is used to build a more flexible and efficient data center network and to give business applications better IT infrastructure support.
In data-center application deployment and O&M, deploying a new server or a new policy involves configuring information on every network node, which is relatively complex. In a layer-2 network environment, the IP and MAC addresses must stay unchanged before and after a migration; when a migration crosses different computer rooms or regions, a large layer-2 network must be built, in which loops and broadcast storms occur easily and management is difficult. Meanwhile, access policies within the same VLAN are not easy to implement, and access control policies for different applications are complex. These problems are pressing issues facing data centers.
The content of the invention
To solve the above problems, the present invention provides an application-oriented SDN policy control method, comprising an SDN architecture environment and its network policy control method, so that in data-center application deployment and O&M the physical location, security policy and network IP address are decoupled, improving the automation and security management performance of the SDN.
The technical scheme is as follows: an application-oriented SDN policy control method whose architecture comprises an SDN basic environment made up of SDN policy controllers, SDN intelligent switches and basic application systems, wherein:
the SDN policy controller acts as a centralized policy management center that globally controls network application policy information;
the SDN intelligent switches can parse and execute the policy information issued by the SDN policy controller;
the basic application system comprises bare-metal servers, virtual machines or application entity services; each basic application system node is marked as a TE, and TEs with similar network application policies are placed in the same group, called a TG, according to application demand;
using Overlay multi-encapsulation technology, traffic in the SDN is encapsulated in VXLAN for transmission, the MAC or IP of each basic application system node is mapped to a VTEP, and the VXLAN header is extended with a new TG tag, thereby decoupling physical location, security policy and network IP address;
when the above SDN policy controller performs policy management and servers are added or migrated, the granularity at which network security policy takes effect is the TG; the access control policy between TGs is represented by {Cij, Rij}, where Cij represents the connection relationship between TGs and Rij represents the mutual-access relationship between TGs;
when the above SDN policy controller performs policy management, it issues TG tags through an API interface to server management platforms such as KVM and VCENTER, identifying the policy group to which each terminal application system node belongs.
According to the above control method, the following steps are taken:
S1. Initialize the SDN basic environment;
S2. In the SDN policy controller, divide the TG tags and issue them through the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relationships and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system connects to an SDN intelligent switch, bind it to the corresponding TG according to the policy group it belongs to;
S5. During application system data forwarding, packets arriving at the SDN intelligent switch are encapsulated in extended VXLAN carrying the newly added TG tag and then forwarded;
S6. The SDN policy controller issues the access control policy between TGs to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.
Beneficial effects of the present invention: based on an SDN basic environment, by extending VXLAN technology and adding a policy-group tag, the present invention separates the relationship between physical location, security policy and IP address, making it more convenient to deploy and migrate servers and to set security control policies, and improving the automation and security management performance of the SDN.
Brief description of the drawings
Fig. 1 is the SDN physical component architecture diagram used by the present invention.
Fig. 2 is the SDN policy component model used by the present invention.
Fig. 3 is an example of the TG division used by the present invention.
Fig. 4 is a mapping diagram between the extended VXLAN message and the original data message.
Embodiment
The present invention is further described below with specific embodiments in conjunction with the accompanying drawings:
To make it easier for one of ordinary skill in the art to understand the principle and working process of the present invention, the important terms used in the present invention are first defined as follows:
(1) SDN: Software Defined Network, software-defined network
(2) TE: Terminal Equipment, application terminal node
(3) TG: Terminal Group, application terminal node group
(4) eVXLAN: extended VXLAN, extended by using part of the reserved fields of the standard VXLAN protocol
(5) VTEP: VXLAN Tunneling End Point, VXLAN tunnel endpoint, used for the encapsulation and decapsulation of VXLAN messages, including MAC request messages and normal VXLAN data messages.
Data center networks keep growing and O&M difficulty increases daily. For example, deploying a server or a policy in a data-center application involves configuring information on every network node, which is relatively complex; in a layer-2 network environment the IP and MAC addresses must stay unchanged before and after a migration, and a migration across different computer rooms or regions requires a large layer-2 network, in which loops and broadcast storms occur easily and management is difficult; meanwhile, access policies within the same VLAN are not easy to implement, and access control policies for different applications are complex. These problems are pressing issues facing data centers.
In recent years SDN development has swept the world; its ideas are the separation of hardware and software, the separation of control and forwarding, centralized management and control, and open source, which bring low cost, high efficiency and business agility. Solving the above problems by means of SDN is exactly the consideration on which the present invention was designed.
The application-oriented SDN policy control method of the present invention is illustrated below with a concrete example.
As shown in Fig. 1, the present invention is based on an SDN system comprising an SDN basic environment made up of SDN policy controllers, SDN intelligent switches and basic application systems. The SDN intelligent switches include core switches (Core) and access switches (Access); traffic between the two is VXLAN-encapsulated, so the access switches are also the VXLAN tunnel endpoints. Downstream of the access switches are the basic application systems, including physical machines, virtual machines and so on. The controller serves as the SDN policy controller, a centralized policy management center that globally controls network application policy information.
When the SDN policy controller performs policy scheduling, it must abstract all managed objects and build an object resource pool; the objects in the pool are then scheduled by the policies it generates. Fig. 2 shows the abstract SDN policy component model: Controller represents the SDN policy controller, SW represents the SDN intelligent switch, and TG represents the application terminal node group on which policy acts. When performing policy management, the SDN policy controller marks each application system as a TE (Terminal Equipment) and places a group of similar TEs in the same group, called a TG (Terminal Group).
The SDN policy controller can issue TG tags through an open API interface to server management platforms such as KVM and VCENTER to tag service nodes, for example by issuing a Network Group to VCENTER to tag each virtual machine in VCENTER.
Fig. 3 shows a typical application deployment architecture: users, a WEB system, and APP and DB as background systems. According to actual demand, this system can be divided into 4 TGs, namely TG-User, TG-Web, TG-App and TG-DB; subsequent security policy is then executed with the TG as its object.
For server addition and migration, the granularity at which network security policy takes effect is the TG. The relationship between TGs is represented by {Cij, Rij}, where Cij represents the connection relationship between TGs and Rij the mutual-access relationship between TGs. Cij = 0 means there is no connection relationship between the two EPGs; Cij = 1 means a connection relationship exists between them. An example of Rij is {Filter: TCP source port X, destination port Y; Qos: Q1 | Q2 | Q3 | ...}, meaning that source port X of EPG-outside may only access destination port Y of EPG-Web, and the QoS requirement of the access is identified by the QoS level.
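The {Cij, Rij} model above is easiest to see as running code. The following is an added example, not code from the patent: it encodes Cij as a connectivity table and Rij as per-pair filter-plus-QoS rules, and evaluates sample flows between the four TGs of Fig. 3. The port numbers, QoS labels and the choice to make Cij direction-aware are my assumptions; the patent does not fix them.

```python
# Added example, not code from the patent: a minimal model of the TG-level
# access control policy {Cij, Rij}. TG names follow Fig. 3; port numbers,
# QoS labels and the direction-aware Cij are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One Rij entry: a filter (protocol, source port X, destination port Y) plus a QoS class."""
    proto: str                       # "tcp", "udp" or "any"
    src_port: Optional[int] = None   # None matches any source port
    dst_port: Optional[int] = None   # None matches any destination port
    qos: str = "Q1"

    def matches(self, proto: str, src_port: int, dst_port: int) -> bool:
        return (self.proto in ("any", proto)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))


@dataclass
class TGPolicy:
    """Cij (connectivity) and Rij (mutual-access rules) keyed by (source TG, destination TG)."""
    c: Dict[Tuple[str, str], int] = field(default_factory=dict)
    r: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def connect(self, src_tg: str, dst_tg: str, rules: List[Rule]) -> None:
        """Set Cij = 1 for the pair and attach its Rij rules."""
        self.c[(src_tg, dst_tg)] = 1
        self.r[(src_tg, dst_tg)] = list(rules)

    def evaluate(self, src_tg: str, dst_tg: str, proto: str,
                 src_port: int, dst_port: int) -> Tuple[bool, Optional[str]]:
        """Decide one flow: returns (permitted, qos). A missing Cij counts as 0
        (default deny), and Cij = 1 alone is not enough: some Rij rule must match."""
        if self.c.get((src_tg, dst_tg), 0) != 1:
            return (False, None)
        for rule in self.r.get((src_tg, dst_tg), []):
            if rule.matches(proto, src_port, dst_port):
                return (True, rule.qos)
        return (False, None)


def build_fig3_policy() -> TGPolicy:
    """Constructed policy for the four TGs of Fig. 3: a three-tier chain User -> Web -> App -> DB."""
    p = TGPolicy()
    p.connect("TG-User", "TG-Web", [Rule("tcp", dst_port=443, qos="Q1")])
    p.connect("TG-Web", "TG-App", [Rule("tcp", dst_port=8080, qos="Q2")])
    p.connect("TG-App", "TG-DB", [Rule("tcp", dst_port=3306, qos="Q3")])
    return p


def check_flows(policy: TGPolicy) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run a few constructed flows through the policy; keys are labels, values are verdicts."""
    flows = {
        "user->web https":  ("TG-User", "TG-Web", "tcp", 51000, 443),
        "user->db direct":  ("TG-User", "TG-DB", "tcp", 51001, 3306),   # Cij = 0: dropped
        "web->app ssh":     ("TG-Web", "TG-App", "tcp", 40000, 22),     # Cij = 1 but no Rij match
        "app->db mysql":    ("TG-App", "TG-DB", "tcp", 40001, 3306),
        "db->app reverse":  ("TG-DB", "TG-App", "tcp", 3306, 40001),    # reverse direction: no Cij
    }
    return {label: policy.evaluate(*flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, verdict in check_flows(build_fig3_policy()).items():
        print(f"{label:18s} -> {verdict}")
```

Two properties of this model are worth keeping when implementing the controller side: an unlisted TG pair is denied rather than permitted, and the filter still checks ports inside a permitted pair, so setting Cij = 1 never opens the whole group. Whether Cij should be symmetric (and whether reply traffic is matched statefully) is a design decision the patent leaves open; the example treats it as directional.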
Fig. 4 shows the message of the present invention as it is forwarded in the SDN environment: using Overlay multi-encapsulation technology, traffic in the SDN is encapsulated in VXLAN. The lower half of the figure shows the data messages, in multiple formats, sent and received by the application system; as the upper half shows, once they reach the intelligent access switch they must be encapsulated by adding a VXLAN header. Through this new message encapsulation the server's position is decoupled from its network IP address, making the server location address-independent and improving the flexibility of application deployment and migration.
Meanwhile, a TG tag is newly added by extending the VXLAN header, and all security policies are executed with the TG as their object instead of using traditional access control lists. By dividing TGs flexibly, security policy can be adjusted more flexibly, strengthening security management and control.
According to the above control method, the following steps are taken:
S1. Initialize the SDN basic environment;
S2. In the SDN policy controller, divide the TG tags and issue them through the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relationships and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system connects to an SDN intelligent switch, bind it to the corresponding TG according to the policy group it belongs to;
S5. During application system data forwarding, packets arriving at the SDN intelligent switch are encapsulated in extended VXLAN carrying the newly added TG tag and then forwarded;
S6. The SDN policy controller issues the access control policy between TGs to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.
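The eVXLAN definition (4), the Fig. 4 encapsulation description and steps S4, S5 and S7 above describe one data-plane mechanism: the access switch stamps the sender's TG into the extended VXLAN header and the receiving switch reads it back. The following is an added example, not code from the patent, that builds and parses such a header and models the two switch-side steps. It assumes the TG tag occupies the 24-bit reserved field that follows the VXLAN flags byte (the patent only says "part of the reserved fields"); the MAC-to-TG binding table and the inner frame are constructed sample data.

```python
# Added example, not code from the patent: eVXLAN header with a TG tag in the
# 24-bit reserved field after the flags byte (assumed layout), plus the access
# switch (VTEP) encapsulation step S5 and the receiving side of step S7.
import struct
from typing import Dict, Optional, Tuple

VXLAN_FLAG_I = 0x08   # "VNI present" flag from the standard VXLAN header (RFC 7348)
MASK_24 = 0xFFFFFF


def encode_evxlan(vni: int, tg: int) -> bytes:
    """8-byte header: flags(8) | TG tag(24, normally reserved) | VNI(24) | reserved(8)."""
    if not (0 <= vni <= MASK_24 and 0 <= tg <= MASK_24):
        raise ValueError("VNI and TG tag must each fit in 24 bits")
    return struct.pack("!II", (VXLAN_FLAG_I << 24) | tg, vni << 8)


def decode_evxlan(hdr: bytes) -> Tuple[int, int]:
    """Parse an eVXLAN header into (vni, tg); rejects headers without the I flag."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    w0, w1 = struct.unpack("!II", hdr[:8])
    if not (w0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VNI-present flag not set")
    return (w1 >> 8) & MASK_24, w0 & MASK_24


def decode_standard_vxlan(hdr: bytes) -> int:
    """What a plain VXLAN receiver sees: reserved bits are ignored and only the
    VNI is read, so standard equipment forwards eVXLAN frames but never learns the TG."""
    _, w1 = struct.unpack("!II", hdr[:8])
    return (w1 >> 8) & MASK_24


def access_switch_encapsulate(inner_frame: bytes, src_mac: bytes, vni: int,
                              tg_binding: Dict[bytes, int]) -> Optional[bytes]:
    """Step S5: the access switch stamps the TG that the controller bound to the
    sending node in S4. The tag comes from the switch's own binding table, never
    from anything the host put on the wire, so a host cannot pick its own group."""
    tg = tg_binding.get(src_mac)
    if tg is None:
        return None   # unknown node: no TG binding, so drop rather than guess a group
    return encode_evxlan(vni, tg) + inner_frame


def peer_switch_decapsulate(packet: bytes) -> Tuple[int, int, bytes]:
    """Input to step S7: the receiving switch recovers (vni, tg, inner frame) and
    feeds the TG pair into its {Cij, Rij} lookup."""
    vni, tg = decode_evxlan(packet[:8])
    return vni, tg, packet[8:]


# Constructed sample data: two TG bindings (TG-User = 1, TG-Web = 2) and a dummy
# inner Ethernet frame (dst MAC, src MAC, EtherType 0x0800, zero payload).
TG_BINDING = {bytes.fromhex("020000000001"): 1,
              bytes.fromhex("020000000002"): 2}
INNER_FRAME = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x00" * 20


def demo() -> Tuple[int, int, int]:
    """Round-trip one frame from the TG-User node and return (vni, tg, vni_seen_by_plain_vxlan)."""
    packet = access_switch_encapsulate(INNER_FRAME, bytes.fromhex("020000000001"),
                                       5000, TG_BINDING)
    vni, tg, _ = peer_switch_decapsulate(packet)
    return vni, tg, decode_standard_vxlan(packet[:8])


if __name__ == "__main__":
    print(demo())   # (5000, 1, 5000)
```

Two caveats for anyone building on this. RFC 7348 requires the reserved fields to be zero on transmission and ignored on receipt, so while standard VXLAN devices will pass these frames (and `decode_standard_vxlan` shows they still read the VNI correctly), any device that validates reserved bits strictly will drop them, and the TG value is lost wherever a standard VTEP re-encapsulates. Second, the tag is only as trustworthy as the VTEP that wrote it: as in `access_switch_encapsulate`, the switch should derive the TG from the controller's binding (step S4) and never from a tag arriving from an access port, and tunnels between switches should be restricted to the fabric's own VTEPs.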

Claims (1)

1. An application-oriented SDN policy control method, characterised in that the method is based on an SDN system, the system comprising an SDN basic environment made up of SDN policy controllers, SDN intelligent switches and basic application systems, wherein:
the SDN policy controller acts as a centralized policy management center that globally controls network application policy information;
the SDN intelligent switches can parse and execute the policy information issued by the SDN policy controller;
the basic application system comprises bare-metal servers, virtual machines or application entity services; each basic application system node is marked as a TE, and TEs with similar network application policies are placed in the same group, called a TG, according to application demand;
using Overlay multi-encapsulation technology, traffic in the SDN is encapsulated in VXLAN for transmission, the MAC or IP of each basic application system node is mapped to a VTEP, and the VXLAN header is extended with a new TG tag, thereby decoupling physical location, security policy and network IP address;
TG tags are issued through an API interface to the KVM and VCENTER server management platforms, identifying the policy group to which each terminal application system node belongs;
for server addition and migration, the granularity at which network security policy takes effect is the TG; the access control policy between TGs is represented by {Cij, Rij}, where Cij represents the connection relationship between TGs and Rij represents the mutual-access relationship between TGs;
according to the above method, the following steps are taken:
S1. Initialize the SDN basic environment;
S2. In the SDN policy controller, divide the TG tags and issue them through the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relationships and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system connects to an SDN intelligent switch, bind it to the corresponding TG according to the policy group it belongs to;
S5. During application system data forwarding, packets arriving at the SDN intelligent switch are encapsulated in extended VXLAN carrying the newly added TG tag and then forwarded;
S6. The SDN policy controller issues the access control policy between TGs to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510344547.8A CN104954186B (en) 2015-06-19 2015-06-19 A kind of application oriented SDN policy control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510344547.8A CN104954186B (en) 2015-06-19 2015-06-19 A kind of application oriented SDN policy control method

Publications (2)

Publication Number Publication Date
CN104954186A CN104954186A (en) 2015-09-30
CN104954186B true CN104954186B (en) 2018-01-30

Family

ID=54168560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510344547.8A Active CN104954186B (en) 2015-06-19 2015-06-19 A kind of application oriented SDN policy control method

Country Status (1)

Country Link
CN (1) CN104954186B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10171507B2 (en) * 2016-05-19 2019-01-01 Cisco Technology, Inc. Microsegmentation in heterogeneous software defined networking environments
CN107579850B (en) * 2017-09-05 2021-05-18 郑州云海信息技术有限公司 Wired and wireless hybrid networking method based on SDN control for cloud data center
CN110048946B (en) * 2018-01-15 2020-08-28 厦门靠谱云股份有限公司 Linux bridge and SDN controller-based unicast VXLAN management method
CN110768884B (en) 2018-07-25 2021-10-15 华为技术有限公司 VXLAN message encapsulation and policy execution method, equipment and system
CN109246100A (en) * 2018-09-07 2019-01-18 刘洋 A kind of software defined network safely performs method
CN110417576B (en) * 2019-06-17 2021-10-12 平安科技(深圳)有限公司 Deployment method, device, equipment and storage medium of hybrid software custom network
CN110391997A (en) * 2019-07-26 2019-10-29 新华三技术有限公司合肥分公司 A kind of message forwarding method and device
US11171992B2 (en) * 2019-07-29 2021-11-09 Cisco Technology, Inc. System resource management in self-healing networks

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763367A (en) * 2014-01-17 2014-04-30 浪潮(北京)电子信息产业有限公司 Method and system for designing distributed virtual network in cloud calculating data center
CN103763310A (en) * 2013-12-31 2014-04-30 曙光云计算技术有限公司 Firewall service system and method based on virtual network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8931046B2 (en) * 2012-10-30 2015-01-06 Stateless Networks, Inc. System and method for securing virtualized networks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103763310A (en) * 2013-12-31 2014-04-30 曙光云计算技术有限公司 Firewall service system and method based on virtual network
CN103763367A (en) * 2014-01-17 2014-04-30 浪潮(北京)电子信息产业有限公司 Method and system for designing distributed virtual network in cloud calculating data center

Also Published As

Publication number Publication date
CN104954186A (en) 2015-09-30

Similar Documents

Publication Publication Date Title
CN104954186B (en) A kind of application oriented SDN policy control method
CN105515978B (en) Realize the method and device of distributed routing, physical host access
CN107276783B (en) Method, device and system for realizing unified management and intercommunication of virtual machines
Azodolmolky et al. Cloud computing networking: Challenges and opportunities for innovations
US9658876B2 (en) Location-aware virtual service provisioning in a hybrid cloud environment
US9294351B2 (en) Dynamic policy based interface configuration for virtualized environments
CN104639372B (en) The correlating method and system of overlay network and physical network based on SDN
US11757773B2 (en) Layer-2 networking storm control in a virtualized cloud environment
CN103269282A (en) Method and device for automatically deploying network configuration
US20100169467A1 (en) Method and apparatus for determining a network topology during network provisioning
CN100471162C (en) Method for releasing and processing virtual circuit information and supplier edge device
CN109462534A (en) Regional internet controller, regional internet control method and computer storage medium
WO2016095493A1 (en) Method, apparatus, and controller for resource virtualization processing
CN103428061B (en) Access chassis node and the method utilizing access chassis node to carry out data forwarding
CN103209200B (en) Cloud service exchange system and service-seeking and exchange method
CN103581325B (en) A kind of cloud computing resources cell system and its implementation method
CN106383736A (en) Port extension method and apparatus
CN103138990A (en) Virtual machine management method under cloud computing network and cloud computing network management device
CN112600903B (en) Elastic virtual network card migration method
CN102932342A (en) Method and network equipment for isolating multi-user virtual local area network
CN112631726A (en) Virtual machine data processing method, system, equipment and medium
CN108574613A (en) The double layer intercommunication method and device of SDN data centers
CN108965134A (en) Message forwarding method and device
CN109756419A (en) Routing iinformation distribution method, device and RR
US20240121186A1 (en) Layer-2 networking using access control lists in a virtualized cloud environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant