CN104954186B - A kind of application oriented SDN policy control method - Google Patents
Publication number: CN104954186B (application CN201510344547.8A)
Authority: CN (China)
Prior art keywords: sdn, strategy, application, policy, vxlan
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0893—Assignment of logical groups to network elements
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Abstract
An application-oriented SDN policy control method. The method runs on an SDN base environment made up of an SDN policy controller, SDN intelligent switches and base application systems. Application terminal systems (TE) with similar policy requirements are placed in the same terminal group (TG). Using Overlay encapsulation, the traffic inside the SDN is carried in VXLAN, and the VXLAN header is extended with a new TG mark that distinguishes the different policy groups. Beneficial effects of the invention: building on an SDN base environment, the invention extends VXLAN and adds a policy-group mark, separating physical location, security policy and IP address from one another, so that servers can be deployed and migrated, and security control policy set, more conveniently, which improves the automation and security-management performance of the SDN.
Description
Technical field: the invention applies to research on software defined networking in data centers and WAN networks, and belongs to the field of software and network technology.
Background technology
SDN is developing rapidly. Since the SDN concept was proposed and quickly matured, enterprises' expectations of SDN have kept rising: improved network utilization, automated configuration management, better security, application visibility, reduced complexity, lower operating cost, better scalability, and support for building private and hybrid clouds. Most of these concern data center operations and maintenance: SDN is used to build more flexible and efficient data center networks that give business applications a better IT foundation.
In data center application deployment and operations, deploying a new server and its policy touches the configuration of every node in the network and is relatively complicated. In a layer-2 network the IP and MAC addresses stay unchanged across a migration, but migrating across different machine rooms or regions requires a large layer-2 network, which is prone to loops and broadcast storms and hard to manage. At the same time, access policy within a single VLAN is not easy to apply, and access control policy for different applications is complex. These are pressing problems that data centers face.
The content of the invention
To solve the above problems, the invention provides an application-oriented SDN policy control method comprising an SDN architecture environment and its network policy control method, so that in data center application deployment and operations, physical location, security policy and network IP address are decoupled from one another, improving the automation and security-management performance of the SDN.
The technical scheme is as follows. An application-oriented SDN policy control method comprises an SDN base environment whose architecture consists of an SDN policy controller, SDN intelligent switches and base application systems, wherein:
the SDN policy controller acts as the centralized policy management center and controls network application policy information globally;
the SDN intelligent switches can parse and execute the policy information issued by the SDN policy controller;
the base application systems include bare-metal servers, virtual machines or application entity services; each base application system node is marked as a TE, and TEs with similar network application policy are placed, according to application demand, in the same group, called a TG;
using Overlay encapsulation, the traffic in the SDN is carried in VXLAN; the MAC or IP of a base application system node is mapped to its VTEP, and the VXLAN header is extended with a new TG mark, decoupling physical location, security policy and network IP address from one another.
When the SDN policy controller performs policy management, server addition and migration and network security policy take effect at the granularity of the TG; the access control policy between TGs is represented by {Cij, Rij}, where Cij represents the connection relation between TGs and Rij the access relation between TGs.
When the SDN policy controller performs policy management, it issues the TG marks through an API to server management platforms such as KVM and VCENTER, identifying the policy group to which each terminal application system node belongs.
According to the above control method, the following steps are taken:
S1. Initialize the SDN base environment;
S2. In the SDN policy controller, divide the TG marks and issue them via the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relations and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system is connected to an SDN intelligent switch, bind it to the TG corresponding to its policy group;
S5. When an application system forwards data, the packet reaching the SDN intelligent switch is encapsulated in extended VXLAN carrying the newly added TG mark and then forwarded on;
S6. The SDN policy controller issues the inter-TG access control policy to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.
Beneficial effects of the invention: building on an SDN base environment, the invention extends VXLAN and adds a policy-group mark, separating physical location, security policy and IP address from one another, so that servers can be deployed and migrated, and security control policy set, more conveniently, which improves the automation and security-management performance of the SDN.
Brief description of the drawings
Fig. 1 is the SDN physical component architecture diagram used by the invention.
Fig. 2 is the SDN policy component model used by the invention.
Fig. 3 is an example TG division used by the invention.
Fig. 4 maps the extended VXLAN message to the original data message.
Embodiment
The invention is described further below with reference to the accompanying drawings and a specific embodiment.
To help those of ordinary skill in the art understand the principle and working process of the invention, the important terms used in the invention are first defined as follows:
(1) SDN: Software Defined Network.
(2) TE: Terminal Equipment, an application terminal node.
(3) TG: Terminal Group, a group of application terminal nodes.
(4) eVXLAN: extended VXLAN, an extension made in a reserved field of the standard VXLAN protocol.
(5) VTEP: VXLAN Tunneling End Point, used for encapsulating and decapsulating VXLAN messages, including MAC request messages and normal VXLAN data messages.
Data center networks keep growing and become ever harder to operate. For example, deploying an application server and its policy in a data center touches the configuration of every node in the network and is relatively complicated; in a layer-2 network the IP and MAC addresses stay unchanged across a migration, but migrating across different machine rooms or regions requires a large layer-2 network, which is prone to loops and broadcast storms and hard to manage; at the same time, access policy within a single VLAN is not easy to apply, and access control policy for different applications is complex. These are pressing problems that data centers face.
In recent years SDN has swept the world. Its ideas are the separation of hardware and software, the separation of control and forwarding, centralized management, and open source, which bring low cost, high efficiency and business agility. Solving the above problems by means of SDN is the consideration on which the invention was designed.
The application-oriented SDN policy control method of the invention is illustrated below with a concrete example.
As shown in Fig. 1, the invention is based on an SDN system comprising an SDN base environment made up of an SDN policy controller, SDN intelligent switches and base application systems. The SDN intelligent switches comprise core switches (Core) and access switches (Access); traffic between the two is encapsulated in VXLAN, so the access switch is also a VXLAN tunnel endpoint. Downstream of the access switches sit the base application systems, including physical machines, virtual machines and so on. The Controller, acting as the SDN policy controller, is the centralized policy management center and controls network application policy information globally.
When the SDN policy controller performs policy scheduling, it must abstract every managed object, build an object resource pool, and schedule the objects in the pool by generating policy. Fig. 2 shows the abstract SDN policy component model, in which Controller represents the SDN policy controller, SW represents an SDN intelligent switch, and TG represents the application terminal node group on which policy takes effect. During policy management the SDN policy controller marks each application system as a TE (Terminal Equipment) and places a set of similar TEs in the same group, called a TG (Terminal Group).
The SDN policy controller can issue the TG marks through an open API to server management platforms such as KVM and VCENTER to tag service nodes. For example, by issuing a Network Group to VCENTER, each virtual machine in VCENTER is tagged.
Fig. 3 shows a typical application deployment architecture: users access a WEB system, with APP and DB as the backend systems. According to actual demand, this system can be divided into 4 TGs, namely TG-User, TG-Web, TG-App and TG-DB, and subsequent security policy is then executed with the TG as its object.
Server addition and migration and network security policy take effect at the granularity of the TG; the relation between TGs is represented by {Cij, Rij}, where Cij represents the connection relation between TGs and Rij the access relation between TGs. Cij=0 means there is no connection relation between two groups (EPG, used here for the TG), and Cij=1 means a connection relation exists between the two groups. An example Rij is expressed as { Filter: TCP source port X, destination port Y; Qos: Q1 | Q2 | Q3 | ... }, meaning that source port X of EPG-outside is restricted to accessing only destination port Y of EPG-Web, and the QoS requirement of the access is identified by the QoS grade.
Fig. 4 shows the message of the invention being forwarded in the SDN environment: using Overlay encapsulation, the traffic inside the SDN is encapsulated in VXLAN. The lower half of the figure shows the application systems sending and receiving data messages in various formats; as the upper half shows, once a message reaches the intelligent access switch it must be encapsulated by adding a VXLAN header. Through this new encapsulation the position of a server is decoupled from its network IP address, making the server's location independent of its address and improving the flexibility of application deployment and migration.
Meanwhile increasing TG marks newly by extending VXLAN packet header, all security strategies are performed by object of TG, and
The mode of traditional accesses control list is not used.By flexibly dividing TG, security strategy, enhancing safety is more adjusted flexibly
Management and control.
According to the above control method, the following steps are taken:
S1. Initialize the SDN base environment;
S2. In the SDN policy controller, divide the TG marks and issue them via the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relations and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system is connected to an SDN intelligent switch, bind it to the TG corresponding to its policy group;
S5. When an application system forwards data, the packet reaching the SDN intelligent switch is encapsulated in extended VXLAN carrying the newly added TG mark and then forwarded on;
S6. The SDN policy controller issues the inter-TG access control policy to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.
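The following is an added example, not code from the patent, that walks through steps S3 to S7 on the Fig. 3 layout: it packs a TG mark into the reserved bits of a VXLAN header (the exact bit position, the TG numbers, the MAC-to-TG bindings and the {Cij, Rij} table are all assumptions constructed for the example), then makes the access switch's forward-or-deny decision from the source TG carried in the header and the destination TG bound at the switch.

```python
import struct
from collections import namedtuple

VXLAN_FLAG_I = 0x08  # RFC 7348 "I" flag: the VNI field is valid

def encapsulate(vni, tg, inner):
    """eVXLAN header: flags(8) | TG mark(16) | reserved(8) | VNI(24) | reserved(8).
    RFC 7348 reserves the 24 bits after the flags; here their upper 16 bits
    carry the TG mark of the sending TE (assumed layout, not the patent's)."""
    if not (0 <= vni < 1 << 24 and 0 <= tg < 1 << 16):
        raise ValueError("vni must fit in 24 bits and tg in 16 bits")
    return struct.pack("!BHBI", VXLAN_FLAG_I, tg, 0, vni << 8) + inner

def decapsulate(packet):
    """Return (vni, tg, inner); reject a truncated header or a clear I flag."""
    if len(packet) < 8:
        raise ValueError("truncated eVXLAN header")
    flags, tg, _rsvd, vni_rsvd = struct.unpack("!BHBI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI not marked valid")
    return vni_rsvd >> 8, tg, packet[8:]

def build_inner(dst_mac, src_mac=bytes.fromhex("0200000000ff")):
    """Constructed minimal inner Ethernet header: dst MAC, src MAC, IPv4 ethertype."""
    return dst_mac + src_mac + b"\x08\x00"

# Constructed TG marks for the Fig. 3 layout (TG-User, TG-Web, TG-App, TG-DB).
TG_USER, TG_WEB, TG_APP, TG_DB = 1, 2, 3, 4

# S4: binding table kept on the access switch, keyed by the TE's MAC (constructed).
BINDINGS = {
    bytes.fromhex("020000000001"): TG_WEB,
    bytes.fromhex("020000000002"): TG_APP,
    bytes.fromhex("020000000003"): TG_DB,
}

Rule = namedtuple("Rule", "dst_ports qos")  # Rij: Filter on TCP dst ports + QoS grade

# S3: inter-TG access control as {Cij, Rij}; Cij in {0, 1}, Rij a Rule or None.
# Pairs absent from the table are treated as Cij = 0 (constructed policy).
POLICY = {
    (TG_USER, TG_WEB): (1, Rule(dst_ports={443}, qos="Q1")),
    (TG_WEB, TG_APP): (1, Rule(dst_ports={8080}, qos="Q2")),
    (TG_APP, TG_DB): (1, Rule(dst_ports={3306}, qos="Q3")),
    (TG_USER, TG_DB): (0, None),
}

def decide(packet, dst_port):
    """S7: the access switch's verdict on an arriving eVXLAN packet.
    Returns ("deny", reason) or ("forward", qos_grade). dst_port is the inner
    TCP destination port, passed in rather than parsed to keep the example short."""
    try:
        _vni, src_tg, inner = decapsulate(packet)
    except ValueError as exc:
        return "deny", str(exc)
    dst_tg = BINDINGS.get(inner[:6])  # inner dst MAC -> TG bound in S4
    if dst_tg is None:
        return "deny", "destination TE not bound to any TG"
    cij, rij = POLICY.get((src_tg, dst_tg), (0, None))
    if cij == 0:
        return "deny", "Cij = 0: no connection relation between the TGs"
    if dst_port not in rij.dst_ports:
        return "deny", "Rij filter: TCP destination port not permitted"
    return "forward", rij.qos

if __name__ == "__main__":
    pkt = encapsulate(100, TG_USER, build_inner(bytes.fromhex("020000000001")))
    print(decide(pkt, 443))  # ('forward', 'Q1')
    print(decide(pkt, 22))   # ('deny', 'Rij filter: TCP destination port not permitted')
```

Note that a packet whose TG mark is missing or whose destination TE was never bound in S4 is dropped rather than forwarded, which is the fail-closed behaviour an access switch enforcing this policy should have.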
Claims (1)
1. An application-oriented SDN policy control method, characterised in that the method is based on an SDN system comprising an SDN base environment made up of an SDN policy controller, SDN intelligent switches and base application systems, wherein:
the SDN policy controller acts as the centralized policy management center and controls network application policy information globally;
the SDN intelligent switches can parse and execute the policy information issued by the SDN policy controller;
the base application systems include bare-metal servers, virtual machines or application entity services; each base application system node is marked as a TE, and TEs with similar network application policy are placed, according to application demand, in the same group, called a TG;
using Overlay encapsulation, the traffic in the SDN is carried in VXLAN; the MAC or IP of a base application system node is mapped to its VTEP, and the VXLAN header is extended with a new TG mark, decoupling physical location, security policy and network IP address from one another;
through an API, the TG marks are issued to the KVM and VCENTER server management platforms, identifying the policy group to which each terminal application system node belongs;
server addition and migration and network security policy take effect at the granularity of the TG; the access control policy between TGs is represented by {Cij, Rij}, where Cij represents the connection relation between TGs and Rij the access relation between TGs;
according to the above method, the following steps are taken:
S1. Initialize the SDN base environment;
S2. In the SDN policy controller, divide the TG marks and issue them via the API, distinguishing the policy group to which each terminal application system node belongs;
S3. According to the application systems' access relations and security policy requirements, configure the access control policy {Cij, Rij} in the SDN policy controller;
S4. After an application system is connected to an SDN intelligent switch, bind it to the TG corresponding to its policy group;
S5. When an application system forwards data, the packet reaching the SDN intelligent switch is encapsulated in extended VXLAN carrying the newly added TG mark and then forwarded on;
S6. The SDN policy controller issues the inter-TG access control policy to the SDN intelligent switches;
S7. The SDN intelligent switches parse and execute the access control policy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510344547.8A CN104954186B (en) | 2015-06-19 | 2015-06-19 | A kind of application oriented SDN policy control method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104954186A CN104954186A (en) | 2015-09-30 |
CN104954186B true CN104954186B (en) | 2018-01-30 |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10171507B2 (en) * | 2016-05-19 | 2019-01-01 | Cisco Technology, Inc. | Microsegmentation in heterogeneous software defined networking environments |
CN107579850B (en) * | 2017-09-05 | 2021-05-18 | 郑州云海信息技术有限公司 | Wired and wireless hybrid networking method based on SDN control for cloud data center |
CN110048946B (en) * | 2018-01-15 | 2020-08-28 | 厦门靠谱云股份有限公司 | Linux bridge and SDN controller-based unicast VXLAN management method |
CN110768884B (en) | 2018-07-25 | 2021-10-15 | 华为技术有限公司 | VXLAN message encapsulation and policy execution method, equipment and system |
CN109246100A (en) * | 2018-09-07 | 2019-01-18 | 刘洋 | A kind of software defined network safely performs method |
CN110417576B (en) * | 2019-06-17 | 2021-10-12 | 平安科技(深圳)有限公司 | Deployment method, device, equipment and storage medium of hybrid software custom network |
CN110391997A (en) * | 2019-07-26 | 2019-10-29 | 新华三技术有限公司合肥分公司 | A kind of message forwarding method and device |
US11171992B2 (en) * | 2019-07-29 | 2021-11-09 | Cisco Technology, Inc. | System resource management in self-healing networks |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103763367A (en) * | 2014-01-17 | 2014-04-30 | 浪潮(北京)电子信息产业有限公司 | Method and system for designing distributed virtual network in cloud calculating data center |
CN103763310A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Firewall service system and method based on virtual network |