CN112838974A - Service chain drainage system and method - Google Patents


Info

Publication number: CN112838974A
Authority: CN (China)
Prior art keywords: drainage, service, vxlan, tunnel, checked
Legal status: Granted
Application number: CN202011592147.6A
Other languages: Chinese (zh)
Other versions: CN112838974B
Inventors: 韩艳辉, 王瑞
Current assignee: Hangzhou H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN202011592147.6A; publication of CN112838974A; application granted; publication of CN112838974B; legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a service chain drainage system and a method, wherein the method comprises the following steps: the first drainage tunnel equipment receives a service message to be checked through a forward drainage input port of a virtual local area network VLAN associated with a forward drainage virtual extensible local area network VXLAN of a service chain; the first drainage tunnel equipment encapsulates the service message to be inspected through a forward drainage VXLAN tunnel of a forward drainage VXLAN, and sends the encapsulated service message to be inspected to the second drainage tunnel equipment through the forward drainage VXLAN tunnel; the second drainage tunnel equipment decapsulates the encapsulated service message to be inspected, and sends the service message to be inspected to a service chain input port of a service chain through a forward drainage output port in an associated VLAN of the forward drainage VXLAN; wherein the service chain is composed of more than one transparent mode device.

Description

Service chain drainage system and method
Technical Field
The application relates to communication technology, in particular to a service chain drainage (traffic steering) system and a service chain drainage method.
Background
Many security devices, such as an IPS (Intrusion Prevention System) or a WAF (Web Application Firewall), operate in transparent mode; this deployment mode greatly simplifies firewall configuration and improves security performance. Transparent mode is transparent to the user, who is unaware of the presence of the security device. In a conventional network, a transparent security device is typically physically connected in series between a source and a destination, and the source and destination are not aware of the presence of the device.
Because the transparent device does not have an IP address, adding or removing the transparent security device in the traditional network only needs to change the physical connection between the upstream and downstream devices to be direct connection or connected through the transparent device, and the IP addresses and routing table items of the upstream and downstream devices of the transparent device do not need to be changed.
However, in an SDN network using an EVPN (Ethernet Virtual Private Network) overlay, hosts may attach at any position, the network is deployed on demand, and network and security policy follow the host; the control plane advertises EVPN routing information with MP-BGP and the data plane forwards packets with VXLAN encapsulation. Because tenant hosts attach at different, changing positions, the SDN controller must configure the security policy onto the SFC (Service Function Chaining) at whatever access position is currently in use. But once each node of the service chain is a transparent mode security device without an IP address, the security policy cannot be synchronized and service packets requiring security inspection cannot be directed to the service chain.
Disclosure of Invention
The application aims to provide a service chain drainage system and a service chain drainage method, which are used for draining messages of hosts accessed at any position to a service chain formed by equipment in a transparent mode.
To achieve the above object, the present application provides a service chain drainage method, wherein the method includes: the first drainage tunnel equipment receives a service message to be checked through a forward drainage input port of a virtual local area network VLAN associated with a forward drainage virtual extensible local area network VXLAN of a service chain; the first drainage tunnel equipment encapsulates the service message to be inspected through a forward drainage VXLAN tunnel of a forward drainage VXLAN, and sends the encapsulated service message to be inspected to the second drainage tunnel equipment through the forward drainage VXLAN tunnel; the second drainage tunnel equipment decapsulates the encapsulated service message to be inspected, and sends the service message to be inspected to a service chain input port of a service chain through a forward drainage output port in an associated VLAN of the forward drainage VXLAN; wherein the service chain is composed of more than one transparent mode device.
In order to achieve the above object, the present application further provides a service chain drainage system applied in a software defined network using a virtual extensible local area network VXLAN as an overlay network, the system comprising:
a first drainage tunnel device and a second drainage tunnel device that establish a forward drainage VXLAN tunnel and a reverse drainage VXLAN tunnel; a first service tunnel device and a second service tunnel device that establish a service VXLAN tunnel; a forward drainage switch; a reverse drainage switch; and a source access device;
the first drainage tunnel equipment is used for receiving a service message to be checked through a forward drainage input port of a virtual local area network VLAN (virtual local area network) associated with a forward drainage virtual extensible local area network VXLAN (virtual extensible local area network) of a service chain; packaging the service message to be inspected through a forward drainage VXLAN tunnel of a forward drainage VXLAN, and sending the packaged service message to be inspected to second drainage tunnel equipment through the forward drainage VXLAN tunnel; the second drainage tunnel equipment is used for decapsulating the encapsulated service message to be detected and then sending the decapsulated service message to a service chain input port of a service chain through a forward drainage output port in an associated VLAN of a forward drainage VXLAN; wherein the service chain is composed of more than one transparent mode device.
The method has the advantages that even if each node of the service chain is the transparent mode safety equipment, no matter where the host is accessed, the service message needing safety inspection is guided to the service chain through the forward guiding tunnel.
Drawings
FIG. 1 is a flow chart illustrating an embodiment of a service chain drainage method provided by the present application;
FIGS. 2a-2c are schematic diagrams of drainage embodiments of a service chain drainage system provided herein;
fig. 3a-3c are schematic diagrams of another embodiment of a service chain drainage system provided herein.
Detailed Description
A detailed description will be given of a number of examples shown in a number of figures. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. Well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the examples.
The term "including" as that term is used is meant to include, but is not limited to; the term "comprising" means including but not limited to; the terms "above," "within," and "below" include the instant numbers; the terms "greater than" and "less than" mean that the number is not included. The term "based on" means based on at least a portion thereof.
FIG. 1 is a flow chart illustrating an embodiment of a service chain drainage method provided by the present application; the method comprises the following steps:
Step 101: a first drainage tunnel device receives a service message to be inspected through a forward drainage ingress port of a virtual local area network VLAN associated with a forward drainage virtual extensible local area network VXLAN of a service chain. In this embodiment, the service chain is composed of more than one device in transparent mode.
Step 102: the first drainage tunnel device encapsulates the service message to be inspected through the forward drainage VXLAN tunnel of the forward drainage VXLAN, and sends the encapsulated service message to the second drainage tunnel device through the forward drainage VXLAN tunnel.
Step 103: after the second drainage tunnel device decapsulates the encapsulated service message to be inspected, it sends the service message to the service chain ingress port of the service chain through a forward drainage egress port in the associated VLAN of the forward drainage VXLAN.
The example shown in fig. 1 has the advantage that even if each node of the service chain is a transparent mode security device, no matter where the host is accessed, the service messages needing security inspection are steered to the service chain through the forward drainage tunnel.
Fig. 2a-2c are schematic diagrams illustrating a service chain drainage system provided in the present application. The service chain drainage system includes: service tunnel devices leaf1 and leaf2, drainage tunnel devices leaf3 and leaf4, service chains SFC1 and SFC2, access switches vswitch1 and vswitch4, forward drainage switch vswitch2, and reverse drainage switch vswitch3.
In fig. 2a, the first security policy is: service messages sent by the hosts VM A and VM B to the host VM C must be inspected by an intrusion prevention system and a firewall; the second security policy is: service messages sent by the hosts VM A and VM B to the host VM D must be inspected by the firewall.
When the hosts VM A and VM B come online and the destination hosts VM C and VM D are online on Server2, the SDN controller notifies the drainage tunnel devices leaf3 and leaf4, based on the network topology, to establish a pair of forward and reverse drainage tunnels for each of the service chains SFC1 and SFC2.
In fig. 2a, the SDN controller notifies the service tunnel devices leaf1 and leaf2 to establish VXLAN tunnel 100 in the service VXLAN100 for forwarding service packets.
The SDN controller notifies the drainage tunnel devices leaf3 and leaf4 to establish VXLAN tunnel 200 in the forward drainage VXLAN200, which steers service messages to service chain SFC1 for inspection, and VXLAN tunnel 300 in the reverse drainage VXLAN300, which carries service messages that have completed security inspection back from service chain SFC1.
The SDN controller notifies the drainage tunnel devices leaf3 and leaf4 to establish VXLAN tunnel 400 in the forward drainage VXLAN400, which steers service messages to service chain SFC2 for inspection, and VXLAN tunnel 500 in the reverse drainage VXLAN500, which carries service messages that have completed security inspection back from service chain SFC2.
The SDN controller notifies the drainage tunnel device leaf3 to add the forward drainage ingress port P4, which connects to the forward drainage switch vswitch2, to VLAN20 associated with the forward drainage VXLAN200 and to VLAN40 associated with the forward drainage VXLAN400, and to add the reverse drainage egress port P5, which connects to the reverse drainage switch vswitch3, to VLAN30 associated with the reverse drainage VXLAN300 and to VLAN50 associated with the reverse drainage VXLAN500.
The SDN controller notifies the drainage tunnel device leaf4 to add the forward drainage egress port P6 to VLAN20 associated with the forward drainage VXLAN200 and the reverse drainage ingress port P7 to VLAN30 associated with the reverse drainage VXLAN300. The forward drainage egress port P6 of leaf4 is connected to the service chain ingress port of service chain SFC1, and the reverse drainage ingress port P7 of leaf4 is connected to the service chain egress port of service chain SFC1.
The SDN controller notifies the drainage tunnel device leaf4 to add the forward drainage egress port P9 to VLAN40 associated with the forward drainage VXLAN400 and the reverse drainage ingress port P10 to VLAN50 associated with the reverse drainage VXLAN500. The forward drainage egress port P9 of leaf4 is connected to the service chain ingress port of service chain SFC2, and the reverse drainage ingress port P10 of leaf4 is connected to the service chain egress port of service chain SFC2.
The SDN controller synchronizes the forward drainage table entry of service chain SFC1 to the access switch vswitch1: a service message that must pass the security inspection of service chain SFC1 is sent out through the forward drainage port P2 with VLAN20, associated with the forward drainage VXLAN200 of service chain SFC1, added. The SDN controller synchronizes the reverse drainage table entry of service chain SFC1 to the access switch vswitch1: VLAN30, associated with the reverse drainage VXLAN300 and carried by the received service message, is stripped, VLAN10 associated with the service VXLAN100 is added, and the service message is sent through the service port P1.
The SDN controller synchronizes the forward drainage table entry of service chain SFC2 to the access switch vswitch1: a service message that must pass the security inspection of service chain SFC2 is sent out through the forward drainage port P2 with VLAN40, associated with the forward drainage VXLAN400 of service chain SFC2, added. The SDN controller synchronizes the reverse drainage table entry of service chain SFC2 to the access switch vswitch1: VLAN50, associated with the reverse drainage VXLAN500 and carried by the received service message, is stripped, VLAN10 associated with the service VXLAN100 is added, and the service message is sent through the service port P1.
As shown in fig. 2a, the hosts VM A and VM B send service packets to the host VM C. After receiving these service packets, the access switch vswitch1 sends them through port P2 according to the forward drainage table entry and adds VLAN20. The forward drainage switch vswitch2 receives the service packets carrying VLAN20 and sends them to the forward drainage ingress port P4 of the drainage tunnel device leaf3.
The drainage tunnel device leaf3 receives the service message carrying VLAN20, encapsulates it according to the VXLAN200 tunnel associated with VLAN20, and sends it to the drainage tunnel device leaf4 through the VXLAN200 tunnel.
The drainage tunnel device leaf4 receives the service message to be inspected through the VXLAN200 tunnel, removes the VXLAN encapsulation, and sends the message to the service chain ingress port of service chain SFC1 through the forward drainage egress port P6 in VLAN20 associated with VXLAN200, where the intrusion prevention system IPS1 performs the security inspection.
The service chains SFC1 and SFC2 are formed by transparent mode devices. A device in the service chain performs no addressing or forwarding lookup: it receives the service message on its configured receiving port, performs the security inspection, and sends the inspected message out of its configured sending port. Because no forwarding lookup is performed, the ports of these devices do not need to be added to a VLAN. Existing service chain implementations in the field can be used here and are not described again.
After the intrusion prevention system IPS1 of service chain SFC1 completes the security inspection, it sends the message to the drainage tunnel device leaf4. The drainage tunnel device leaf4 sends the message to be inspected to the firewall device FW of service chain SFC1 according to the link of service chain SFC1.
As shown in fig. 2b, after the firewall device FW performs the security inspection on the service message, the message is sent through the service chain egress port to the reverse drainage ingress port P7 of the drainage tunnel device leaf4.
leaf4 receives the inspected service message through the reverse drainage ingress port P7 in VLAN30, encapsulates it according to the reverse drainage VXLAN tunnel 300 bound to VLAN30, and sends it to leaf3.
The drainage tunnel device leaf3 receives the inspected service message through the reverse drainage VXLAN tunnel 300, decapsulates it, and sends it to the reverse drainage switch vswitch3 through the reverse drainage egress port P5.
The reverse drainage switch vswitch3 sends the inspected service message to the reverse drainage port P3 of the access switch vswitch1.
As shown in fig. 2c, according to the reverse drainage table entry, the access switch vswitch1 strips VLAN30 from the inspected service message received on the reverse drainage port P3, adds the service VLAN10 associated with the service VXLAN100, and sends the message to the service tunnel device leaf1 through the service port P1, which is a member of service VLAN10.
The service tunnel device leaf1 receives the message carrying service VLAN10 through the service port, encapsulates it according to VXLAN tunnel 100 of the service VXLAN100, and sends the encapsulated message to the service tunnel device leaf2.
The service tunnel device leaf2 decapsulates the received message and sends it to the host VM C according to the destination MAC address.
As shown in fig. 3a, the hosts VM A and VM B send service packets to the host VM D. After receiving these service packets, the access switch vswitch1 sends them through port P2 according to the forward drainage table entry and adds VLAN40. The forward drainage switch vswitch2 receives the service packets carrying VLAN40 and sends them to the forward drainage ingress port P4 of the drainage tunnel device leaf3.
The drainage tunnel device leaf3 receives the service message carrying VLAN40, encapsulates it according to the VXLAN400 tunnel associated with VLAN40, and sends it to the drainage tunnel device leaf4 through the VXLAN400 tunnel.
The drainage tunnel device leaf4 receives the service message to be inspected through the VXLAN400 tunnel, removes the VXLAN encapsulation, and sends the message to the service chain ingress port of service chain SFC2 through the forward drainage egress port P9 in VLAN40 associated with VXLAN400, where the intrusion prevention system IPS2 performs the security inspection.
As shown in fig. 3b, after the intrusion prevention system IPS2 of service chain SFC2 completes the security inspection, the message is sent through the service chain egress port to the reverse drainage ingress port P10 of the drainage tunnel device leaf4.
leaf4 receives the inspected service message through the reverse drainage ingress port P10 in VLAN50, encapsulates it according to the reverse drainage VXLAN tunnel 500 bound to VLAN50, and sends it to leaf3.
The drainage tunnel device leaf3 receives the inspected service message through the reverse drainage VXLAN tunnel 500, decapsulates it, and sends it to the reverse drainage switch vswitch3 through the reverse drainage egress port P5.
The reverse drainage switch vswitch3 sends the inspected service message to the reverse drainage port P3 of the access switch vswitch1.
As shown in fig. 3c, according to the reverse drainage table entry, the access switch vswitch1 strips VLAN50 from the inspected service message received on the reverse drainage port P3, adds the service VLAN10 associated with the service VXLAN100, and sends the message to the service tunnel device leaf1 through the service port P1, which is a member of service VLAN10.
The service tunnel device leaf1 receives the message carrying service VLAN10 through the service port, encapsulates it according to VXLAN tunnel 100 of the service VXLAN100, and sends the encapsulated message to the service tunnel device leaf2.
The service tunnel device leaf2 decapsulates the received message and sends it to the host VM D according to the destination MAC address.
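Steps 101 to 103 and the fig. 2a-3c walk-through describe the same forward-and-back path. The following Python script is an added example, not code from the patent or from H3C: it carries one frame from vswitch1 through the forward drainage tunnel, the transparent service chain and the reverse drainage tunnel to leaf2, using the page's port, VLAN and VXLAN numbers (P2, P4, P6, P7, P9, P10, VLAN10 to VLAN50, VXLAN100 to VXLAN500). The Frame layout, the FORWARD_STEER policy table and the trace it returns are constructed for this example; the VXLAN header bytes follow RFC 7348; SFC2 contains the single device IPS2 as in the fig. 3 walk-through. It goes one step beyond the page by also handling a destination with no security policy, which takes the plain service path without any drainage tunnel.

```python
"""Added example (not the patent's or H3C's code): one frame through the drainage path of
figs. 2a-3c. Port/VLAN/VNI numbers follow the page; Frame, FORWARD_STEER and the returned
trace are constructed for this example."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

VXLAN_I_FLAG = 0x08  # RFC 7348: "VNI valid" flag; all other header bits are reserved


def vxlan_encap(payload: bytes, vni: int) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBHI", VXLAN_I_FLAG, 0, 0, vni << 8) + payload


def vxlan_decap(datagram: bytes) -> tuple[int, bytes]:
    """Check the I flag and return (vni, inner frame); a tunnel endpoint drops anything else."""
    flags, _, _, word = struct.unpack("!BBHI", datagram[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN header without a valid VNI")
    return word >> 8, datagram[8:]


@dataclass
class Frame:
    src: str                       # host names stand in for MAC addresses
    dst: str
    vlan: int | None = None        # 802.1Q tag currently carried by the frame
    inspected_by: list[str] = field(default_factory=list)

    def pack(self) -> bytes:       # constructed wire format for the inner frame
        return f"{self.src}|{self.dst}|{self.vlan}|{','.join(self.inspected_by)}".encode()

    @classmethod
    def unpack(cls, raw: bytes) -> Frame:
        src, dst, vlan, seen = raw.decode().split("|")
        return cls(src, dst, int(vlan), [d for d in seen.split(",") if d])


# Tables pushed by the SDN controller (page: forward/reverse drainage entries, VLAN/VXLAN bindings)
FORWARD_STEER = {"VM C": 20, "VM D": 40}                   # destination -> forward drainage VLAN
VLAN_TO_VNI = {10: 100, 20: 200, 30: 300, 40: 400, 50: 500}
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}
# forward VLAN -> (leaf4 forward egress port, transparent devices in order, reverse ingress port, reverse VLAN)
CHAINS = {20: ("P6", ["IPS1", "FW"], "P7", 30), 40: ("P9", ["IPS2"], "P10", 50)}
SERVICE_VLAN = 10


def steer(src: str, dst: str) -> dict:
    """Carry one frame from vswitch1 to leaf2; return which devices and tunnels it crossed."""
    frame = Frame(src, dst)
    vnis: list[int] = []
    hops: list[str] = []
    fwd_vlan = FORWARD_STEER.get(dst)
    if fwd_vlan is not None:
        # vswitch1 forward drainage entry: add the chain's VLAN, send out drainage port P2
        frame.vlan = fwd_vlan
        hops += ["vswitch1:P2", "vswitch2", "leaf3:P4"]
        # leaf3 maps the VLAN to the forward drainage VXLAN and tunnels to leaf4
        datagram = vxlan_encap(frame.pack(), VLAN_TO_VNI[frame.vlan])
        vni, inner = vxlan_decap(datagram)            # leaf4 terminates the forward tunnel
        vnis.append(vni)
        frame = Frame.unpack(inner)
        egress, devices, rev_port, rev_vlan = CHAINS[VNI_TO_VLAN[vni]]
        hops.append(f"leaf4:{egress}")
        # transparent chain: no IP, no forwarding lookup; each device inspects and hands the frame on
        for dev in devices:
            frame.inspected_by.append(dev)
            hops.append(dev)
        # leaf4 reverse ingress port sits in the reverse VLAN; tunnel back to leaf3
        frame.vlan = rev_vlan
        hops.append(f"leaf4:{rev_port}")
        datagram = vxlan_encap(frame.pack(), VLAN_TO_VNI[rev_vlan])
        vni, inner = vxlan_decap(datagram)            # leaf3 terminates the reverse tunnel
        vnis.append(vni)
        frame = Frame.unpack(inner)
        hops += ["leaf3:P5", "vswitch3", "vswitch1:P3"]
        if frame.vlan != VNI_TO_VLAN[vni]:
            raise RuntimeError("reverse VLAN does not match the reverse tunnel's VNI")
    # vswitch1 reverse entry (or no policy at all): service VLAN10 out of service port P1
    frame.vlan = SERVICE_VLAN
    hops.append("vswitch1:P1")
    datagram = vxlan_encap(frame.pack(), VLAN_TO_VNI[SERVICE_VLAN])   # leaf1 -> leaf2
    vni, inner = vxlan_decap(datagram)
    vnis.append(vni)
    frame = Frame.unpack(inner)
    hops += ["leaf1", "leaf2", frame.dst]             # leaf2 delivers by destination MAC
    return {"inspected_by": frame.inspected_by, "vnis": vnis, "hops": hops, "delivered_to": frame.dst}


if __name__ == "__main__":
    for s, d in (("VM A", "VM C"), ("VM B", "VM D"), ("VM A", "VM E")):
        print(s, "->", d, steer(s, d))
```

Running it prints the trace for VM A to VM C (IPS1 then FW over VXLAN200 and VXLAN300), VM B to VM D (IPS2 over VXLAN400 and VXLAN500) and the unpoliced VM E (service VXLAN100 only). The `vnis` and `inspected_by` lists are what a practitioner would compare against the controller's intended policy when validating a deployment, because a wrong VLAN-to-VNI binding on leaf3 or leaf4 sends the frame to the wrong chain without any error being raised on the path.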
In the embodiments shown in fig. 2a-2c and fig. 3a-3c, the service tunnel devices leaf1 and leaf2, the drainage tunnel devices leaf3 and leaf4, and the service chains SFC1 and SFC2 may be virtual switches, and the access switches vswitch1 and vswitch4, the forward drainage switch vswitch2 and the reverse drainage switch vswitch3 may be physical switches; this application does not limit this.
In an SDN that uses EVPN as the overlay network, hosts attach at arbitrary positions, and the SDN controller deploys the network on demand and lets the security policy follow the host. The application ensures that the security policy is synchronized and that service messages requiring security inspection are steered to a service chain formed by transparent mode security devices, that service messages which have completed the service chain's security inspection are steered back and sent to the destination device, and that the user is unaware of the existence of the security devices.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method of service chain drainage, the method comprising:
the first drainage tunnel equipment receives a service message to be checked through a forward drainage input port of a virtual local area network VLAN associated with a forward drainage virtual extensible local area network VXLAN of a service chain;
the first drainage tunnel equipment encapsulates the service message to be inspected through the forward drainage VXLAN tunnel of the forward drainage VXLAN, and sends the encapsulated service message to be inspected to second drainage tunnel equipment through the forward drainage VXLAN tunnel;
the second drainage tunnel equipment decapsulates the encapsulated service message to be inspected and sends the service message to be inspected to a service chain input port of the service chain through a forward drainage output port in the associated VLAN of the forward drainage VXLAN; wherein the service chain is made up of more than one transparent mode device.
2. The method of claim 1, wherein before the first traffic tunneling device receives the service message to be inspected through a forward traffic ingress port of an associated VLAN of a forward traffic VXLAN of a service chain, the method further comprises:
the source access equipment redirects the service message to be checked to a forward drainage port of an associated VLAN belonging to the forward drainage VXLAN according to the service chain of the security check type of the service message to be checked;
the source access device sends the service message to be checked to the forward drainage device through the forward drainage port;
and the forward drainage equipment sends the service message to be detected to the forward drainage input port in the associated VLAN of the forward drainage VXLAN.
3. The method of claim 1, further comprising:
the second drainage tunnel equipment receives the checked service message through a reverse drainage input port in the associated VLAN of the reverse drainage VXLAN; the reverse drainage input port is connected with a service chain output port of the service chain;
the second drainage tunnel equipment encapsulates the checked service message through a reverse drainage VXLAN tunnel of the reverse drainage VXLAN; and sending the encapsulated checked service message to the first drainage tunnel equipment through the reverse drainage VXLAN tunnel.
4. The method of claim 3, further comprising:
the first drainage tunnel equipment sends the checked service message to the reverse drainage equipment through a reverse drainage outlet port in the associated VLAN of the reverse drainage VXLAN;
the reverse drainage device sends the checked service message to a reverse drainage port of the source access device in an associated VLAN of the reverse drainage VXLAN;
the source access device strips off the associated VLAN of the reverse drainage VXLAN of the checked service message received by the reverse drainage port, adds the associated VLAN of the service VXLAN, and sends the checked service message to the first service tunnel device through the service port of the associated VLAN belonging to the service VXLAN.
5. The method of claim 4, further comprising:
the first service tunnel equipment encapsulates the checked service message through a service VXLAN tunnel of the service VXLAN; transmitting the encapsulated checked service message to a second service tunnel device through the service VXLAN tunnel;
and the second service tunnel equipment decapsulates the encapsulated checked service message and sends the decapsulated service message to the destination equipment through the associated VLAN of the service VXLAN.
6. A service chain drainage system for use in a software defined network that employs a virtual extensible local area network, VXLAN, as an overlay network, the system comprising:
a first drainage tunnel device and a second drainage tunnel device that establish a forward drainage VXLAN tunnel and a reverse drainage VXLAN tunnel; a first service tunnel device and a second service tunnel device that establish a service VXLAN tunnel; a forward drainage switch; a reverse drainage switch; and a source access device;
the first drainage tunnel equipment is used for receiving a service message to be checked through a forward drainage input port of a virtual local area network VLAN associated with a forward drainage virtual extensible local area network VXLAN of a service chain; packaging the service message to be inspected through the forward drainage VXLAN tunnel of the forward drainage VXLAN, and sending the packaged service message to be inspected to a second drainage tunnel device through the forward drainage VXLAN tunnel;
the second drainage tunnel device is used for decapsulating the encapsulated service message to be inspected and then sending the decapsulated service message to a service chain input port of the service chain through a forward drainage output port in the associated VLAN of the forward drainage VXLAN; wherein the service chain is made up of more than one transparent mode device.
7. The system of claim 6,
the source access device is used for redirecting the service message to be checked to a forward drainage port of an associated VLAN belonging to the forward drainage VXLAN according to the service chain of the security check type of the service message to be checked; sending the service message to be checked to the forward drainage equipment through the forward drainage port;
and the forward drainage equipment is used for sending the service message to be detected to the forward drainage input port in the associated VLAN of the forward drainage VXLAN.
8. The system of claim 7,
the second drainage tunnel equipment is also used for receiving the checked service message through a reverse drainage input port in the associated VLAN of the reverse drainage VXLAN; the reverse drainage input port is connected with a service chain output port of the service chain; packaging the checked service message through a reverse drainage VXLAN tunnel of the reverse drainage VXLAN; and sending the encapsulated checked service message to the first drainage tunnel equipment through the reverse drainage VXLAN tunnel.
9. The system of claim 3, wherein
the first drainage tunnel device is further configured to send the checked service packet to a reverse drainage device through a reverse drainage output port in the VLAN associated with the reverse drainage VXLAN;
the reverse drainage device is configured to send the checked service packet to a reverse drainage port of the source access device in the VLAN associated with the reverse drainage VXLAN;
and the source access device is further configured to strip the VLAN associated with the reverse drainage VXLAN from the checked service packet received on the reverse drainage port, to add the VLAN associated with a service VXLAN, and to send the checked service packet to the first service tunnel device through the service port belonging to the VLAN associated with the service VXLAN.
10. The system of claim 9, wherein
the first service tunnel device is further configured to encapsulate the checked service packet in the service VXLAN tunnel of the service VXLAN and to send the encapsulated checked service packet to a second service tunnel device through the service VXLAN tunnel;
and the second service tunnel device is further configured to decapsulate the encapsulated checked service packet and to send it to the destination device through the VLAN associated with the service VXLAN.
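The forward and reverse steering path of claims 6 to 10, modelled in Python as an added example; this is not code from the patent or from H3C. The claims name device roles but no values, so the VLAN IDs, VNIs, MAC addresses, the sample payloads and the inspector are all assumed for illustration. Two simplifications are also assumptions: each drainage port is modelled as an access port that imposes its own VLAN on whatever it admits, and the 802.1Q tag is kept inside the VXLAN payload so the VLAN-to-VXLAN association is visible at every hop. The example adds one check the claims leave implicit and a practitioner would want: a tunnel device only hands a frame to a given VLAN if both the VNI and the inner tag belong to that VXLAN, because on the reverse path the VLAN a frame arrives on is the only thing that marks it as already inspected.

```python
"""VLAN <-> VXLAN service-chain steering model for claims 6-10 (added example, assumed values)."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VXLAN_FLAG_I = 0x08                          # "valid VNI" flag, RFC 7348

# Assumed access-VLAN / VNI pairs for the three VXLANs the claims name.
FWD_DRAIN_VLAN, FWD_DRAIN_VNI = 100, 10100   # forward drainage VXLAN
REV_DRAIN_VLAN, REV_DRAIN_VNI = 200, 10200   # reverse drainage VXLAN
SERVICE_VLAN, SERVICE_VNI = 300, 10300       # service VXLAN toward the destination
VLAN_TO_VNI = {FWD_DRAIN_VLAN: FWD_DRAIN_VNI, REV_DRAIN_VLAN: REV_DRAIN_VNI,
               SERVICE_VLAN: SERVICE_VNI}
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}

def build_frame(dst_mac, src_mac, vlan_id, payload):
    """Ethernet II frame with one 802.1Q tag (PCP 0, DEI 0) and an IPv4 ethertype."""
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return dst_mac + src_mac + tag + payload

def vlan_of(frame):
    """VLAN ID of a tagged frame, or None when untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def retag(frame, new_vlan):
    """Strip the 802.1Q tag and add another (claim 9's VLAN swap; also what an
    access port does to a frame it admits). PCP/DEI bits are preserved."""
    if vlan_of(frame) is None:
        raise ValueError("untagged frame")
    tci = (struct.unpack("!H", frame[14:16])[0] & 0xF000) | (new_vlan & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]

def vxlan_encap(vni, inner_frame):
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    return struct.pack("!B3xI", VXLAN_FLAG_I, (vni & 0xFFFFFF) << 8) + inner_frame

def vxlan_decap(packet):
    """Return (vni, inner_frame); reject a header without the I flag."""
    flags, vni_word = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8, packet[8:]

def tunnel_ingress(frame):
    """Tunnel device, VLAN side -> VXLAN side: the VNI follows the access VLAN."""
    vlan = vlan_of(frame)
    if vlan not in VLAN_TO_VNI:
        raise ValueError("VLAN %r has no associated VXLAN" % vlan)
    return vxlan_encap(VLAN_TO_VNI[vlan], frame)

def tunnel_egress(packet, expected_vlan):
    """Tunnel device, VXLAN side -> VLAN side. The check the claims leave implicit:
    VNI and inner tag must both belong to the VXLAN this egress port serves, since
    on the reverse path the VLAN is the only thing that says "already inspected"."""
    vni, frame = vxlan_decap(packet)
    if VNI_TO_VLAN.get(vni) != expected_vlan or vlan_of(frame) != expected_vlan:
        raise ValueError("VNI %d / VLAN %r rejected on VLAN %d egress"
                         % (vni, vlan_of(frame), expected_vlan))
    return frame

def transparent_chain(frame, inspectors):
    """Chain of transparent-mode devices: each may drop the frame, none rewrites it."""
    for inspect in inspectors:
        if not inspect(frame):
            return None
    return frame

def steer(frame, needs_check, inspectors):
    """Full path of one frame; returns what the destination receives, or None if dropped."""
    if not needs_check(frame):          # no chain for this check type: service VXLAN only
        return tunnel_egress(tunnel_ingress(retag(frame, SERVICE_VLAN)), SERVICE_VLAN)
    # Claim 7: access device redirects into the forward drainage VLAN; claim 6: first
    # tunnel device encapsulates, second decapsulates at the chain input port.
    at_chain = tunnel_egress(tunnel_ingress(retag(frame, FWD_DRAIN_VLAN)), FWD_DRAIN_VLAN)
    checked = transparent_chain(at_chain, inspectors)
    if checked is None:
        return None
    # Claim 8: chain output port feeds the reverse drainage input port (modelled as an
    # access port that retags); second tunnel device sends it back to the first.
    back = tunnel_egress(tunnel_ingress(retag(checked, REV_DRAIN_VLAN)), REV_DRAIN_VLAN)
    # Claims 9-10: access device swaps in the service VLAN; service VXLAN tunnel delivers.
    return tunnel_egress(tunnel_ingress(retag(back, SERVICE_VLAN)), SERVICE_VLAN)

# Constructed sample traffic (opaque payloads stand in for an IP packet).
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
CLEAN = build_frame(DST, SRC, 10, b"GET /index.html")
BLOCKED = build_frame(DST, SRC, 10, b"GET /cgi-bin/ BLOCKME")
INSPECTORS = [lambda f: b"BLOCKME" not in f]   # stand-in for a transparent IPS
```

Running `steer(CLEAN, lambda f: True, INSPECTORS)` returns the frame on `SERVICE_VLAN` with its MAC addresses and payload unchanged, which is the property a transparent chain must preserve; `steer(BLOCKED, ...)` returns `None`. Feeding `tunnel_egress` a packet whose VNI is the forward drainage VNI but whose egress port serves the reverse drainage VLAN raises `ValueError`, which is the case to test in a real deployment: a frame that reaches the reverse drainage port without having traversed the chain would otherwise be forwarded to the destination as checked.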
Application CN202011592147.6A, priority date 2020-12-29, filing date 2020-12-29, title: Service chain drainage system and method; status: Active; granted as CN112838974B (en).

Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN202011592147.6A (CN112838974B)    2020-12-29    2020-12-29    Service chain drainage system and method

Applications Claiming Priority (1): the same application as above.

Publications (2)

Publication Number    Publication Date
CN112838974A          2021-05-25 (this publication)
CN112838974B          2022-07-12 (granted patent)

Family

ID=75925105

Family Applications (1): CN202011592147.6A, Active, granted as CN112838974B, priority and filing date 2020-12-29, Service chain drainage system and method.

Country Status (1)

Country    Link
CN         CN112838974B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
CN105591971A *    2015-10-28    2016-05-18    Hangzhou H3C Technologies Co., Ltd. (杭州华三通信技术有限公司)    QoS implementation method and device
US20170302623A1 *    2014-09-23    2017-10-19    Nec Europe Ltd.    Efficient service function chaining over a transport network
WO2020010557A1 *    2018-07-11    2020-01-16    Nokia Shanghai Bell Co., Ltd. (上海诺基亚贝尔股份有限公司)    Implementation of service function chain on basis of software-defined network
CN111464443A *    2020-03-10    2020-07-28    China Mobile (Hangzhou) Information Technology Co., Ltd. (中移(杭州)信息技术有限公司)    Message forwarding method, device, equipment and storage medium based on service function chain
US20200314015A1 *    2019-03-29    2020-10-01    Juniper Networks, Inc.    Configuring service load balancers with specified backend virtual networks
CN112019437A *    2019-05-31    2020-12-01    Juniper Networks, Inc. (瞻博网络公司)    Inter-network service chaining

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
LINDA SHIF ET AL.: "Improvement of security and scalability for IoT network using SD-VPN", NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium *
Yin Mingyong et al.: "On-demand tenant-oriented security function service *** in cloud data centers" (云数据中心面向租户的安全功能按需服务***), Journal of Beijing Jiaotong University (北京交通大学学报) *
Zheng Bangfeng: "Enterprise data center network construction based on distributed VxLAN and EVPN" (基于分布式VxLAN和EVPN的企业级数据中心网络建设), Industrial Technology Innovation (工业技术创新) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number    Priority date    Publication date    Assignee    Title
CN114760246A *    2022-03-29    2022-07-15    Inspur Cloud Information Technology Co., Ltd. (浪潮云信息技术股份公司)    Service drainage method, device and medium
CN114760246B *    2022-03-29    2024-05-03    Inspur Cloud Information Technology Co., Ltd. (浪潮云信息技术股份公司)    Service drainage method, device and medium

Also Published As

Publication number Publication date
CN112838974B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
CN109873760B (en) Method and device for processing route, and method and device for data transmission
US10237230B2 (en) Method and system for inspecting network traffic between end points of a zone
CN107547402B (en) Forwarding table generation method and device
EP3138243B1 (en) Network service insertion
US9178715B2 (en) Providing services to virtual overlay network traffic
US8908704B2 (en) Switch with dual-function management port
EP3223476B1 (en) Method, system, and apparatus for preventing tromboning in inter-subnet traffic within data center architectures
EP3300322B1 (en) Method and related apparatus for probing packet forwarding path
WO1998002821A1 (en) Virtual network architecture for connectionless lan backbone
WO2014169782A1 (en) Virtual machine migration
JPH10154998A (en) Packet traffic reduction process and packet traffic reduction device
CN109474507B (en) Message forwarding method and device
CN102571738A (en) Intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and system thereof
CN112838974B (en) Service chain drainage system and method
CN116566752B (en) Safety drainage system, cloud host and safety drainage method
CN112187584B (en) Path fault detection method, system, server and storage medium
JP2019213182A (en) Network protection device and network protection system
EP2512070A1 (en) Protection method, equipment and system for semi-ring network
JP4289562B2 (en) Filter for traffic separation
CN114765567B (en) Communication method and communication system
CN114584509A (en) Communication method and related equipment
KR20180060438A (en) Method, apparatus and computer program for operating virtual network
US7796617B1 (en) Method for providing protocol aggregation as an end-to-end service across a tunneling network
CN112910790B (en) Diversion system and method thereof
CN111698156A (en) Data message forwarding method and device

Legal Events

Date    Code    Title    Description
        PB01    Publication
        SE01    Entry into force of request for substantive examination
        GR01    Patent grant