CN113098787A - Flow processing method and equipment - Google Patents


Info

Publication number: CN113098787A
Authority: CN (China)
Prior art keywords: tap, message, agent, int, packet
Legal status: Granted
Application number: CN201911336469.1A
Other languages: Chinese (zh)
Other versions: CN113098787B (en)
Inventors: 杨晓, 张欢, 邹巍
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute; priority to CN201911336469.1A; published as CN113098787A; application granted and published as CN113098787B; current legal status: Active.


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks > H04L47/10 Flow control; Congestion control > H04L47/12 Avoiding congestion; Recovering from congestion > H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L47/00 Traffic control in data switching networks > H04L47/70 Admission control; Resource allocation > H04L47/80 Actions related to the user profile or the type of traffic > H04L47/806 Broadcast or multicast traffic
    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/59 Network arrangements, protocols or services for addressing or naming using proxies for addressing
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L12/00 Data switching networks > H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] > H04L12/4645 Details on frame tagging > H04L12/465 Details on frame tagging wherein a single frame includes a plurality of VLAN tags

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a traffic processing method and equipment. The method comprises the following steps: a first agent receives a tap_service request from the control end, the tap_service request including a destination IP address list; receives a first packet from a second agent through br-tun; identifies the first packet as a mirror packet through br-tap; and sends the mirror packet to the target virtual machine through br-int. In the embodiment of the invention, the first agent receives a tap_service request comprising a destination IP address list from the control end, the second agent receives a tap_flow request comprising a source IP address list from the control end, and the mirror traffic of the second agent is distributed to one or more first agents through the br-int, br-tun and br-tap bridges arranged in each agent. This realizes load balancing, reduces the traffic pressure on the acquisition link compared with the original scheme, and avoids the risk of overload caused by excessive instantaneous traffic.

Description

Flow processing method and equipment
Technical Field
The embodiment of the invention relates to the technical field of communication, and in particular to a traffic processing method and traffic processing equipment.
Background
At present, traffic mirroring in an OpenStack environment is mainly implemented on Open vSwitch (OVS): a mirror source address and a mirror destination address are paired by associating a "mirror service instance" (tap_service) with a "mirror flow instance" (tap_flow). When a packet passes through the virtual bridge (OVS) of the node where the mirror source address is located, the bridge's flow table rules are matched to decide whether the packet must be mirrored to the mirror destination address. However, in the prior art several tap_flows are associated with one tap_service, so the configuration is inflexible and the mirror traffic cannot be load-shared, which limits the scenarios in which mirroring can be used.
Disclosure of Invention
The embodiment of the invention provides a traffic processing method and traffic processing equipment, solving the problems of the prior art that the configuration is inflexible, the mirror traffic cannot share load, and the usage scenarios of mirroring are limited.
According to a first aspect of the embodiments of the present invention, there is provided a traffic processing method applied to a first agent, where the first agent includes an integration bridge br-int, a tunnel bridge br-tun, and a mirror bridge br-tap connected in series between br-int and br-tun, the method comprising:
receiving a mirror service instance (tap_service) request from a control end, where the tap_service request includes a destination IP address list specifying a plurality of traffic mirror destination IP addresses;
receiving a first packet from a second agent through the br-tun;
identifying the first packet as a mirror packet through the br-tap;
and sending the mirror packet to a target virtual machine through the br-int.
Optionally, before the first packet is identified as a mirror packet by the br-tap, the method further includes:
when the first packet is sent by the second agent in unicast mode, stripping the VXLAN network identifier (VNI) from the first packet through br-tun;
when the first packet is sent by the second agent in multicast mode, returning the first packet to the second agent and then stripping the VNI from the first packet through br-tun.
Optionally, before sending the mirror packet to the target virtual machine through br-int, the method further includes:
stripping the VLAN tag from the mirror packet through br-int.
According to a second aspect of the embodiments of the present invention, there is provided a traffic processing method applied to a second agent, where the second agent includes br-int, br-tun, and br-tap connected in series between br-int and br-tun, the method comprising:
receiving a mirror flow instance (tap_flow) request from the control end, where the tap_flow request includes a source IP address list indicating a plurality of virtual machine IP addresses whose traffic is to be mirrored;
identifying a first packet as a mirror packet through the br-int, where the first packet is a packet received by the br-int from an acquisition source IP address or a packet sent to the acquisition source IP address;
selecting a target acquisition link through the br-tap, where the target acquisition link corresponds to a target IP address;
and sending the first packet to one first agent in unicast mode through the br-tun, or to a plurality of first agents in multicast mode.
Optionally, selecting the target acquisition link through the br-tap includes:
performing a hash operation on the five-tuple information of the first packet to obtain a calculation result;
and selecting the target acquisition link according to the calculation result.
Optionally, after the br-tun sends the first packet to a plurality of first agents in multicast mode, the method further includes:
receiving the returned first packet;
and recording the source address of the returned first packet.
According to a third aspect of the embodiments of the present invention, there is provided a first agent, including br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprising a first transceiver and a first processor;
the first transceiver is configured to receive a mirror service instance (tap_service) request from the control end, where the tap_service request includes a destination IP address list specifying a plurality of traffic mirror destination IP addresses;
the first transceiver is further configured to receive a first packet from a second agent through the br-tun;
the first processor is configured to identify the first packet as a mirror packet through the br-tap;
and the first transceiver is further configured to send the mirror packet to a target virtual machine through the br-int.
Optionally, the first processor is further configured to strip, through br-tun, the VXLAN network identifier (VNI) from the first packet when the first packet is sent by the second agent in unicast mode;
the first processor is further configured to, when the first packet is sent by the second agent in multicast mode, return the first packet to the second agent and then strip the VNI from the first packet through br-tun.
Optionally, the first processor is further configured to strip the VLAN tag from the mirror packet through br-int.
According to a fourth aspect of the embodiments of the present invention, there is provided a second agent, including br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprising a second transceiver and a second processor;
the second transceiver is configured to receive a mirror flow instance (tap_flow) request from the control end, where the tap_flow request includes a source IP address list indicating a plurality of virtual machine IP addresses whose traffic is to be mirrored;
the second processor is configured to identify a first packet as a mirror packet through the br-int, where the first packet is a packet received by the br-int from an acquisition source IP address or a packet sent to the acquisition source IP address;
the second processor is further configured to select a target acquisition link through the br-tap, where the target acquisition link corresponds to a target IP address;
the second transceiver is further configured to send the first packet to one first agent in unicast mode through the br-tun, or to a plurality of first agents in multicast mode.
Optionally, the second processor is further configured to perform a hash operation on the five-tuple information of the first packet to obtain a calculation result;
and the second processor is further configured to select the target acquisition link according to the calculation result.
Optionally, the second transceiver is further configured to receive the returned first packet;
the second processor is further configured to record the source address of the returned first packet.
According to a fifth aspect of the embodiments of the present invention, there is provided a first agent, including br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprising:
a first transceiver module configured to receive a mirror service instance (tap_service) request from the control end, where the tap_service request includes a destination IP address list specifying a plurality of traffic mirror destination IP addresses;
the first transceiver module is further configured to receive a first packet from a second agent through the br-tun;
a first processing module configured to identify the first packet as a mirror packet through the br-tap;
the first transceiver module is further configured to send the mirror packet to a target virtual machine through the br-int.
Optionally, the first processing module is further configured to strip, through br-tun, the VXLAN network identifier (VNI) from the first packet when the first packet is sent by the second agent in unicast mode;
the first processing module is further configured to, when the first packet is sent by the second agent in multicast mode, return the first packet to the second agent and then strip the VNI from the first packet through br-tun.
Optionally, the first processing module is further configured to strip the VLAN tag from the mirror packet through br-int.
According to a sixth aspect of the embodiments of the present invention, there is provided a second agent, including br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprising:
a second transceiver module configured to receive a mirror flow instance (tap_flow) request from the control end, where the tap_flow request includes a source IP address list indicating a plurality of virtual machine IP addresses whose traffic is to be mirrored;
a second processing module configured to identify a first packet as a mirror packet through the br-int, where the first packet is a packet received by the br-int from an acquisition source IP address or a packet sent to the acquisition source IP address;
the second processing module is further configured to select a target acquisition link through the br-tap, where the target acquisition link corresponds to a target IP address;
the second transceiver module is further configured to send the first packet to one first agent in unicast mode through the br-tun, or to a plurality of first agents in multicast mode.
Optionally, the second processing module is further configured to perform a hash operation on the five-tuple information of the first packet to obtain a calculation result;
and the second processing module is further configured to select the target acquisition link according to the calculation result.
Optionally, the second transceiver module is further configured to receive the returned first packet;
the second processing module is further configured to record the source address of the returned first packet.
According to a seventh aspect of the embodiments of the present invention, there is provided a communication device comprising a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the traffic processing method according to the first aspect or the second aspect.
According to an eighth aspect of the embodiments of the present invention, there is provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the traffic processing method according to the first aspect or the second aspect.
In the embodiment of the invention, the first agent receives a tap_service request comprising a destination IP address list from the control end, the second agent receives a tap_flow request comprising a source IP address list from the control end, and the mirror traffic of the second agent is distributed to one or more first agents through the br-int, br-tun and br-tap bridges arranged in each agent. This realizes load balancing, reduces the traffic pressure on the acquisition link compared with the original scheme, and avoids the risk of overload caused by excessive instantaneous traffic.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
Fig. 1 is a diagram of a conventional communication system architecture;
Fig. 2 is a schematic diagram of the internal network architecture of a host according to an embodiment of the present invention;
Fig. 3 is a flowchart of a traffic processing method according to an embodiment of the present invention;
Fig. 4 is a second flowchart of a traffic processing method according to an embodiment of the present invention;
Fig. 5 is a flowchart of selecting a target acquisition link according to an embodiment of the present invention;
Fig. 6 is a flowchart of the mirroring process according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a first agent according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a second agent according to an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a first agent according to an embodiment of the present invention;
Fig. 10 is a second schematic structural diagram of a second agent according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a communication device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or description. Any embodiment or design described as "exemplary" or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the words "exemplary" or "for example" is intended to present concepts in a concrete fashion.
Herein, relational terms such as "first" and "second", and the like, are used solely to distinguish one from another of like names, and do not imply a relationship or order between the names.
To describe the scheme of the embodiment of the present invention, the following technical background is introduced first:
Referring to Fig. 1, at present the traffic mirroring scheme in an OpenStack environment is mainly implemented on OVS. The control end (also called the service end) is integrated in the OpenStack control node; it receives mirroring policies sent from the outside and forwards them to the agent end on the relevant compute node. The agent end is integrated in each compute node and issues the received mirroring policy to the compute node's virtual bridge; the virtual bridge performs the flow table matching, and the traffic "mirror" action is also carried out in the virtual bridge. In addition, the method defines two data structures, for the mirror destination and the mirror source respectively:
1. Mirror service instance (tap_service): describes the traffic mirror destination address information and contains the following:
(1) mirror service name: the name of the "mirror service instance";
(2) port ID: the ID of the mirror destination port;
(3) tenant ID: the ID of the tenant requiring the mirroring service.
2. Mirror flow instance (tap_flow): describes the traffic mirror source address information; each tap_flow must be associated with one traffic mirror source port and contains the following:
(1) mirror flow name: the name of the "mirror flow instance";
(2) mirror source port: the ID of the port whose traffic is to be mirrored;
(3) mirror service instance ID: the mirror service instance with which this mirror flow instance is associated;
(4) tenant ID: the ID of the tenant requiring the mirroring service;
(5) VLAN filter tags: a set of VLAN values used for packet filtering;
(6) direction filter flag: 'out', 'in' or 'BOTH'.
Pairing of a mirror source address with a mirror destination address is completed by associating the tap_service with the tap_flow. When a packet passes through the OVS of the node where the mirror source address is located, the OVS flow table rules are matched to determine whether the packet needs to be mirrored to the mirror destination address.
When the above method is used for traffic mirroring, two problems may arise:
1. In the current method multiple tap_flows can be associated with one tap_service, but the resources of the server to which the "mirror service instance" belongs may be limited; if that server lacks the resources to process the mirror traffic sent to it, the traffic mirroring risks failing.
2. If the mirroring requirement is to collect mirror traffic from multiple mirror sources, the current method requires first creating a tap_service and then individually creating multiple tap_flows associated with it, which is cumbersome and error-prone.
Therefore the existing scheme has two disadvantages: the configuration is inflexible, and the mirror traffic cannot share load, which limits the usage scenarios of mirroring. The present application mainly improves on these two problems.
The method of the embodiment of the present invention is applied to the system architecture shown in Fig. 1; in addition, a mirror bridge (br-tap) is added to every host in the OpenStack environment, the traffic mirroring function of the host is carried out at the virtual bridge, and the host network architecture after adding this virtual bridge is shown in Fig. 2.
Referring to Fig. 3, an embodiment of the present invention provides a traffic processing method whose execution subject is a first agent; the first agent includes br-int, br-tun, and br-tap connected in series between br-int and br-tun. It should be noted that the first agent is the agent at the acquisition destination address.
The method comprises the following specific steps:
Step 301: receiving a tap_service request from the control end.
It should be noted that a user needing the mirroring service sends a tap_service request and a tap_flow request to the control end according to the actual acquisition requirement, where the tap_service request includes a destination Internet Protocol (IP) address list and the tap_flow request includes a source IP address list. The load of the mirror traffic is thus collected in a balanced manner by means of the destination IP address list and the source IP address list.
In some embodiments, the tap_service request comprises the following:
(1) a mirror service name, the name of the tap_service;
(2) a tenant ID, the ID of the user requiring the mirroring service;
(3) a destination IP address list, the list of traffic mirror destination addresses, which can designate a plurality of traffic mirror destination IP addresses.
In some embodiments, the tap_flow request includes the following:
(1) mirror flow name: the name of the tap_flow;
(2) ID of the tap_service: the tap_service with which the tap_flow is associated;
(3) source IP address list: the IP addresses of the virtual machines whose traffic is to be mirrored;
(4) tenant ID: the ID of the user requiring the mirroring service;
(5) VLAN filter tags: a set of VLAN values used for packet filtering;
(6) direction filter flag: 'out', 'in' or 'BOTH'.
Accordingly, the control end sends the tap_service request to the first agent, which collects at the destination address, and the tap_flow request to the second agent, which collects at the source address.
In the embodiment of the invention, after the first agent receives the tap_service request from the control end, an acquisition flow table is added on each virtual bridge to meet the acquisition requirement.
Step 302: receiving a first packet from the second agent through br-tun.
In the embodiment of the present invention, the first packet is a mirror packet sent by the second agent. Sending the first packet from the second agent to the first agent falls into two cases: it is sent to a designated first agent in unicast mode, or it is sent to a plurality of first agents in multicast mode; these two cases correspond respectively to the Media Access Control (MAC) address of the tunnel receiving end being known or unknown.
Specifically, the mirror flow table function added on br-tun includes:
(1) when the first packet is sent by the second agent in unicast mode, the VXLAN network identifier (VNI) is stripped from the first packet through br-tun;
In the embodiment of the invention, if br-tun receives a unicast mirror packet from the external network, it strips the VNI of the packet's Virtual Extensible Local Area Network (VXLAN) encapsulation and then sends the packet directly to br-tap.
(2) when the first packet is sent by the second agent in multicast mode, the first packet is first returned to the second agent, and then the VNI is stripped from it through br-tun;
In the embodiment of the invention, if br-tun receives a multicast mirror packet from the external network, it first returns the packet so that the peer can learn the address, then strips the VXLAN VNI of the packet, and finally forwards the packet to br-tap.
Step 303: identifying the first packet as a mirror packet through br-tap.
In the embodiment of the invention, the first packet is marked as a mirror packet in br-tap.
Specifically, the mirror flow table function added on br-tap includes:
if br-tap receives a mirror packet, it sets the VLAN value of the packet to a special value indicating that the packet is a mirror packet, and then sends the packet to br-int; the specific special value is not limited in the embodiment of the invention.
Step 304: sending the mirror packet to the target virtual machine through br-int.
In the embodiment of the invention, br-int sends the mirror packet to the target virtual machine.
In some embodiments, before step 304 is performed, the method further comprises: stripping the VLAN tag from the mirror packet through br-int.
Specifically, the mirror flow table function added on br-int includes:
if br-int receives a mirror packet, it first strips the VLAN tag of the packet and then sends the packet to the corresponding virtual machine.
In the embodiment of the invention, the first agent receives a tap_service request comprising a destination IP address list from the control end, the second agent receives a tap_flow request comprising a source IP address list from the control end, and the mirror traffic of the second agent is distributed to one or more first agents through the br-int, br-tun and br-tap bridges arranged in each agent. This realizes load balancing, reduces the traffic pressure on the acquisition link compared with the original scheme, and avoids the risk of overload caused by excessive instantaneous traffic.
Referring to fig. 4, an embodiment of the present invention provides a traffic processing method, where an execution subject of the method is a second proxy, and the second proxy includes: br-int, br-tun, and br-tap connected in series between br-int and br-tun. It should be noted that the second proxy is a proxy for collecting a source address.
The method comprises the following specific steps:
step 401: receiving a tap _ flow request from a control terminal;
it should be noted that a user needing mirroring service sends a tap _ service request and a tap _ flow request to a control terminal according to an actual acquisition requirement, where the tap _ service request includes a destination Internet Protocol (IP) address list, and the tap _ flow request includes a source IP address list. Therefore, the load of the mirror image flow is collected in a balanced manner through the destination IP address list and the source IP address list.
In some embodiments, the tap_service request comprises the following:
(1) mirror service name: the name of the tap_service;
(2) tenant ID: the ID of the user requiring the mirroring service;
(3) destination IP address list: the list of traffic mirror destination addresses, which can be used to designate a plurality of traffic mirror destination IP addresses.
In some embodiments, the tap_flow request comprises the following:
(1) mirror flow name: the name of the tap_flow;
(2) tap_service ID: the tap_service with which the tap_flow is associated;
(3) source IP address list: the IP addresses of the virtual machines whose traffic is to be mirrored;
(4) tenant ID: the ID of the user requiring the mirroring service;
(5) VLAN filter tag: a set of VLAN values used for packet filtering;
(6) direction filter identifier: one of 'OUT', 'IN' and 'BOTH'.
Accordingly, the control end sends the tap_service request to the first agent end (the collection destination) and the tap_flow request to the second agent end (the collection source).
In this embodiment of the invention, the second agent receives the tap_flow request from the control end and, after receiving it, adds a collection flow table to each virtual bridge to meet the collection requirement.
Step 402: identifying a first packet as a mirror packet through br-int;
In this embodiment, the first packet is a packet that br-int receives from a collection source IP address or a packet sent to a collection source IP address; that is, the second proxy mirrors both received and sent packets.
In this embodiment, the first packet is marked as a mirror packet in br-int.
Specifically, the mirror flow table function added to br-int is as follows:
if br-int receives a packet from, or sends a packet to, a collection source IP address, it sets the VLAN value of the packet to a special value indicating that the packet is a mirror packet, and then sends the packet to br-tap. The specific value of the special value is not limited in this embodiment.
Step 403: selecting a target acquisition link through br-tap;
In this embodiment, the target acquisition link corresponds to a target IP address; that is, each acquisition link corresponds to a different mirror destination IP address.
In some embodiments, br-tap performs a hash operation on the five-tuple information of the first packet to obtain a calculation result and selects the target acquisition link according to that result, where the five-tuple information comprises: source MAC, source IP, destination MAC, destination IP and protocol type.
Specifically, the mirror flow table function added to br-tap is as follows:
if br-tap receives a mirror packet, it selects the mirror destination address through a group table, which implements load balancing. As shown in fig. 5, a hash operation is performed on the five-tuple information of the packet (source MAC, source IP, destination MAC, destination IP, protocol type), the corresponding acquisition link is selected according to the hash result, each acquisition link corresponding to a different mirror destination IP address, and the mirror packet is then sent to br-tun for forwarding.
Step 404: sending the first packet to one first agent end in a unicast manner, or to a plurality of first agent ends in a multicast manner, through br-tun;
In this embodiment, sending the first packet from the second proxy to the first proxy falls into two cases: sending it to a designated first proxy in a unicast manner, or sending it to a plurality of first proxies in a multicast manner; the multicast case is used when the Media Access Control (MAC) address of the tunnel receiving end is unknown.
In some embodiments, after br-tun sends the first packet to the plurality of first agents in a multicast manner, the method further comprises: receiving the returned first packet, and recording the source address of the returned first packet so as to learn the address.
Specifically, the mirror flow table function added to br-tun is as follows:
(1) if br-tun receives a mirror packet that needs to be sent out, it sends it through the VXLAN tunnel in a unicast or multicast manner; multicast is used when the MAC address of the tunnel receiving end is not known.
(2) If br-tun receives a mirror packet reflected back from the external network, it records the source address of the packet through address learning, so that the next time br-tun handles a packet for that address it can send it in a unicast manner without multicasting.
Referring to fig. 6, which shows the mirroring process, the collection source address corresponds to the second agent and the collection destination address corresponds to the first agent; a traffic parser (Monitor) may be deployed at the first agent to parse and collect the mirror traffic.
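The four steps above (VLAN marking in br-int, five-tuple hashing in br-tap, unicast or multicast sending with address learning in br-tun) as a small runnable model. This is an added example, not code from the patent or from its applicants: the bridges are modelled as Python functions instead of OVS flow and group tables, and the VLAN special value (4000), the VNI (5001), the source and destination IP lists, the MAC addresses and the tunnel frame layout are all constructed assumptions.

```python
"""Constructed model of the second proxy (steps 401-404): br-int, br-tap and
br-tun are plain Python functions/objects rather than OVS flow and group tables."""
import hashlib

# Assumption: the patent leaves the "special value" VLAN unspecified; 4000 is a placeholder.
MIRROR_VLAN = 4000

# Constructed tap_flow request, with the fields listed in the description.
TAP_FLOW = {
    "name": "flow-1",
    "tap_service_id": "svc-1",
    "source_ips": {"10.0.0.11", "10.0.0.12"},   # VMs whose traffic is mirrored
    "tenant_id": "tenant-a",
    "vlan_filter": set(),                        # empty set: no VLAN filtering
    "direction": "BOTH",                         # "IN", "OUT" or "BOTH"
}
# Constructed tap_service request: one acquisition link per destination IP.
TAP_SERVICE = {
    "name": "svc-1",
    "tenant_id": "tenant-a",
    "dest_ips": ["192.168.1.1", "192.168.1.2", "192.168.1.3"],
}


def make_packet(src_mac, dst_mac, src_ip, dst_ip, proto, vlan=None):
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "vlan": vlan}


def br_int_mark(pkt, tap_flow):
    """Step 402: return a copy tagged with MIRROR_VLAN if the packet is sent to or
    received from a collection source IP (honouring the direction and VLAN filters),
    otherwise None, meaning the packet is not mirrored."""
    direction = tap_flow["direction"]
    outbound = pkt["src_ip"] in tap_flow["source_ips"] and direction in ("OUT", "BOTH")
    inbound = pkt["dst_ip"] in tap_flow["source_ips"] and direction in ("IN", "BOTH")
    if not (outbound or inbound):
        return None
    if tap_flow["vlan_filter"] and pkt["vlan"] not in tap_flow["vlan_filter"]:
        return None
    return dict(pkt, vlan=MIRROR_VLAN)


def br_tap_select(pkt, dest_ips):
    """Step 403: hash the five-tuple (src MAC, src IP, dst MAC, dst IP, protocol)
    and map the digest onto one acquisition link. SHA-256 keeps the choice stable
    across processes; the patent does not name a hash function (assumption)."""
    key = "|".join((pkt["src_mac"], pkt["src_ip"], pkt["dst_mac"],
                    pkt["dst_ip"], pkt["proto"])).encode()
    digest = hashlib.sha256(key).digest()
    return dest_ips[int.from_bytes(digest[:8], "big") % len(dest_ips)]


class BrTun:
    """Step 404: VXLAN send with address learning. Until the MAC of the tunnel
    endpoint behind a destination IP is known, frames go out as multicast; the
    frame reflected by the first proxy teaches br-tun that MAC."""

    def __init__(self, vni):
        self.vni = vni
        self.learned = {}   # acquisition-link IP -> tunnel endpoint MAC

    def send(self, pkt, dest_ip):
        peer_mac = self.learned.get(dest_ip)
        return {"mode": "unicast" if peer_mac else "multicast",
                "vni": self.vni, "dest_ip": dest_ip,
                "tunnel_dst_mac": peer_mac, "inner": pkt}

    def learn(self, returned):
        """Record the source address of a frame reflected by a first proxy."""
        self.learned[returned["from_ip"]] = returned["from_mac"]


def second_proxy(pkt, tun, tap_flow=TAP_FLOW, tap_service=TAP_SERVICE):
    """Whole pipeline br-int -> br-tap -> br-tun. Returns the outgoing tunnel
    frame, or None when the packet is not mirrored."""
    marked = br_int_mark(pkt, tap_flow)
    if marked is None:
        return None
    link = br_tap_select(marked, tap_service["dest_ips"])
    return tun.send(marked, link)


if __name__ == "__main__":
    tun = BrTun(vni=5001)   # VNI value is a placeholder
    pkt = make_packet("02:00:00:00:00:01", "02:00:00:00:00:02",
                      "10.0.0.11", "10.0.0.50", "tcp")
    first = second_proxy(pkt, tun)
    print("first send:", first["mode"], "->", first["dest_ip"])
    # the chosen first proxy reflects the frame; br-tun learns its MAC
    tun.learn({"from_ip": first["dest_ip"], "from_mac": "02:00:00:00:00:aa"})
    second = second_proxy(pkt, tun)
    print("second send:", second["mode"], "->", second["tunnel_dst_mac"])
```

Because the hash key is ordered (source fields before destination fields), the two directions of one conversation can land on different acquisition links, so a Monitor on one link may see only half of a session; sorting the MAC and IP pairs before hashing would make the choice symmetric if that matters for the analysis.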
Referring to fig. 7, an embodiment of the present invention provides a first agent 700, where the first agent 700 comprises br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprises a first transceiver 701 and a first processor 702;
the first transceiver 701 is configured to receive a tap_service request of a mirror service instance from the controller, where the tap_service request includes a destination IP address list used to specify a plurality of traffic mirror destination IP addresses;
the first transceiver 701 is further configured to receive a first packet from a second agent through br-tun;
the first processor 702 is configured to identify the first packet as a mirror packet through br-tap;
the first transceiver 701 is further configured to send the mirror packet to a target virtual machine through br-int.
Optionally, the first processor 702 is further configured to strip, through br-tun, the virtual extensible local area network identifier (VNI) from the first packet when the first packet was sent by the second agent in a unicast manner;
the first processor 702 is further configured, when the first packet was sent by the second agent in a multicast manner, to return the first packet to the second agent and then strip the VNI from the first packet through br-tun;
optionally, the first processor 702 is further configured to strip the VLAN tag of the mirror packet through br-int.
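The receiving side just described for the first agent 700 (strip the VNI in br-tun, return the packet to the sender in the multicast case, identify the mirror packet in br-tap by its VLAN tag, strip that tag in br-int and deliver to the Monitor virtual machine) as an added example that is not the patent's own code. The tunnel frame layout, the special VLAN value 4000, the VNI 5001, the Monitor port name, the sample addresses, and the rule that a proxy drops frames addressed to another acquisition link or carrying another VNI are all assumptions.

```python
"""Constructed model of the first proxy (collection destination side, fig. 7).
Not the patent's code: br-tun, br-tap and br-int are plain functions."""

MIRROR_VLAN = 4000             # assumption: placeholder for the unspecified "special value"
EXPECTED_VNI = 5001            # assumption: VNI of the mirror VXLAN tunnel
MONITOR_PORT = "tap-monitor0"  # assumption: br-int port of the Monitor VM

# Constructed tunnel frame as a second proxy would multicast it before it has
# learned this endpoint's MAC; the inner packet already carries MIRROR_VLAN.
SAMPLE_FRAME = {
    "mode": "multicast", "vni": EXPECTED_VNI, "dest_ip": "192.168.1.2",
    "tunnel_dst_mac": None,
    "inner": {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
              "src_ip": "10.0.0.11", "dst_ip": "10.0.0.50", "proto": "tcp",
              "vlan": MIRROR_VLAN},
}


def br_tun_receive(frame, local_ip, local_mac):
    """Strip the VNI from a frame addressed to this acquisition link.
    Returns (inner_packet, reply): reply is the frame returned to the second
    proxy in the multicast case so it can learn this endpoint's MAC, else None.
    Frames for another link or another VNI are dropped: (None, None)."""
    if frame["dest_ip"] != local_ip or frame["vni"] != EXPECTED_VNI:
        return None, None
    inner = dict(frame["inner"])   # VNI removed: only the inner packet remains
    reply = None
    if frame["mode"] == "multicast":
        reply = {"from_ip": local_ip, "from_mac": local_mac, "inner": inner}
    return inner, reply


def br_tap_is_mirror(pkt):
    """Identify a mirror packet by the special VLAN value set at the source side."""
    return pkt.get("vlan") == MIRROR_VLAN


def br_int_deliver(pkt):
    """Strip the VLAN tag and hand the packet to the Monitor's port."""
    return MONITOR_PORT, dict(pkt, vlan=None)


def first_proxy(frame, local_ip, local_mac):
    """Whole pipeline br-tun -> br-tap -> br-int.
    Returns (delivery, reply) where delivery is (port, packet) or None when the
    frame was dropped or was not a mirror packet."""
    inner, reply = br_tun_receive(frame, local_ip, local_mac)
    if inner is None or not br_tap_is_mirror(inner):
        return None, reply
    return br_int_deliver(inner), reply


if __name__ == "__main__":
    delivery, reply = first_proxy(SAMPLE_FRAME, "192.168.1.2", "02:00:00:00:00:aa")
    print("delivered to", delivery[0], "->", delivery[1])
    print("reply for address learning:", reply)
```

The reply carries the whole inner packet because the description says the first packet itself is returned; the sending side only needs the source address from it, so an implementation that wants to keep the reflected traffic small could return a minimal frame instead.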
Referring to fig. 8, an embodiment of the present invention provides a second agent 800, where the second agent 800 comprises br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprises a second transceiver 802 and a second processor 803;
the second transceiver 802 is configured to receive a tap_flow request of a mirror flow instance from the controller, where the tap_flow request includes a source IP address list indicating the IP addresses of the virtual machines whose traffic is to be mirrored;
the second processor 803 is configured to identify a first packet as a mirror packet through br-int, where the first packet is a packet received by br-int from a collection source IP address or a packet sent to the collection source IP address;
the second processor 803 is further configured to select a target acquisition link through br-tap, where the target acquisition link corresponds to a target IP address;
the second transceiver 802 is further configured to send the first packet to one first agent in a unicast manner, or to a plurality of first agents in a multicast manner, through br-tun.
Optionally, the second processor 803 is further configured to perform a hash operation on the five-tuple information of the first packet to obtain a calculation result;
the second processor 803 is further configured to select the target acquisition link according to the calculation result.
Optionally, the second transceiver 802 is further configured to receive the returned first packet;
the second processor 803 is further configured to record the source address of the returned first packet.
Referring to fig. 9, an embodiment of the present invention provides a first agent 900, where the first agent 900 comprises br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprises:
a first transceiver module 901, configured to receive a tap_service request of a mirror service instance from the controller, where the tap_service request includes a destination IP address list used to specify a plurality of traffic mirror destination IP addresses;
the first transceiver module 901 is further configured to receive a first packet from a second agent through br-tun;
a first processing module 902, configured to identify the first packet as a mirror packet through br-tap;
the first transceiver module 901 is further configured to send the mirror packet to a target virtual machine through br-int.
Optionally, the first processing module 902 is further configured to strip, through br-tun, the virtual extensible local area network identifier (VNI) from the first packet when the first packet was sent by the second agent in a unicast manner;
the first processing module 902 is further configured, when the first packet was sent by the second agent in a multicast manner, to return the first packet to the second agent and then strip the VNI from the first packet through br-tun;
optionally, the first processing module 902 is further configured to strip the VLAN tag of the mirror packet through br-int.
Referring to fig. 10, an embodiment of the present invention provides a second agent 1000, where the second agent 1000 comprises br-int, br-tun, and br-tap connected in series between br-int and br-tun, and further comprises:
a second transceiver module 1001, configured to receive a tap_flow request of a mirror flow instance from the controller, where the tap_flow request includes a source IP address list indicating the IP addresses of the virtual machines whose traffic is to be mirrored;
a second processing module 1002, configured to identify a first packet as a mirror packet through br-int, where the first packet is a packet received by br-int from a collection source IP address or a packet sent to the collection source IP address;
the second processing module 1002 is further configured to select a target acquisition link through br-tap, where the target acquisition link corresponds to a target IP address;
the second transceiver module 1001 is further configured to send the first packet to one first agent in a unicast manner, or to a plurality of first agents in a multicast manner, through br-tun.
Optionally, the second processing module 1002 is further configured to perform a hash operation on the five-tuple information of the first packet to obtain a calculation result;
the second processing module 1002 is further configured to select the target acquisition link according to the calculation result.
Optionally, the second transceiver module 1001 is further configured to receive the returned first packet;
the second processing module 1002 is further configured to record the source address of the returned first packet.
Referring to fig. 11, an embodiment of the present invention provides a communication device 1100, including: a processor 1101, a transceiver 1102, a memory 1103, and a bus interface.
Here, the processor 1101 is responsible for managing the bus architecture and for general processing, and the memory 1103 stores data used by the processor 1101 when performing operations.
In this embodiment of the present invention, the communication device 1100 may further include: a program stored on the memory 1103 and executable on the processor 1101, which when executed by the processor 1101, performs the steps of the methods provided by embodiments of the present invention.
In fig. 11, the bus architecture may include any number of interconnected buses and bridges, with one or more processors, represented by processor 1101, and various circuits, represented by memory 1103, linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further in connection with embodiments of the present invention. The bus interface provides an interface. The transceiver 1102 may be a plurality of elements including a transmitter and a receiver that provide a means for communicating with various other apparatus over a transmission medium.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the processes of the method embodiments, and can achieve the same technical effects, and in order to avoid repetition, the details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A traffic processing method applied to a first agent, characterized in that the first agent comprises: an integration bridge br-int, a tunnel bridge br-tun, and a mirror bridge br-tap connected in series between br-int and br-tun, the method comprising:
receiving a mirror service instance tap_service request from a control end, wherein the tap_service request comprises a destination IP address list, and the destination IP address list is used to designate a plurality of traffic mirror destination IP addresses;
receiving a first packet from a second agent through the br-tun;
identifying the first packet as a mirror packet through the br-tap;
and sending the mirror packet to a target virtual machine through the br-int.
2. The method of claim 1, wherein before said identifying the first packet as a mirror packet through the br-tap, the method further comprises:
when the first packet is sent by the second agent in a unicast manner, stripping a virtual extensible local area network identifier (VNI) from the first packet through br-tun;
and when the first packet is sent by the second agent in a multicast manner, returning the first packet to the second agent, and then stripping the VNI from the first packet through br-tun.
3. The method of claim 1, wherein before sending the mirror packet to the target virtual machine through the br-int, the method further comprises:
stripping the VLAN tag of the mirror packet through br-int.
4. A traffic processing method applied to a second agent, characterized in that the second agent comprises: br-int, br-tun, and br-tap connected in series between br-int and br-tun, the method comprising:
receiving a tap_flow request of a mirror flow instance from a control end, wherein the tap_flow request comprises a source IP address list, and the source IP address list represents a plurality of virtual machine IP addresses whose traffic is to be mirrored;
identifying a first packet as a mirror packet through the br-int, wherein the first packet is a packet received by the br-int from a collection source IP address or a packet sent to the collection source IP address;
selecting a target acquisition link through the br-tap, wherein the target acquisition link corresponds to a target IP address;
and sending the first packet to one first agent in a unicast manner, or to a plurality of first agents in a multicast manner, through the br-tun.
5. The method of claim 4, wherein said selecting a target acquisition link through the br-tap comprises:
performing a hash operation on the five-tuple information of the first packet to obtain a calculation result;
and selecting the target acquisition link according to the calculation result.
6. The method of claim 4, wherein after said sending the first packet to the plurality of first agents in a multicast manner through the br-tun, the method further comprises:
receiving the returned first packet;
and recording the source address of the returned first packet.
7. A first agent, characterized in that the first agent comprises: br-int, br-tun, and br-tap connected in series between br-int and br-tun, the first agent further comprising: a first transceiver and a first processor;
the first transceiver is configured to receive a tap_service request of a mirror service instance from a control end, wherein the tap_service request comprises a destination IP address list, and the destination IP address list is used to designate a plurality of traffic mirror destination IP addresses;
the first transceiver is further configured to receive a first packet from a second agent through the br-tun;
the first processor is configured to identify the first packet as a mirror packet through the br-tap;
and the first transceiver is further configured to send the mirror packet to a target virtual machine through the br-int.
8. A second agent, characterized in that the second agent comprises: br-int, br-tun, and br-tap connected in series between br-int and br-tun, the second agent further comprising: a first transceiver and a first processor;
the first transceiver is configured to receive a tap_flow request of a mirror flow instance from a control end, wherein the tap_flow request comprises a source IP address list, and the source IP address list represents a plurality of virtual machine IP addresses whose traffic is to be mirrored;
the first processor is configured to identify a first packet as a mirror packet through the br-int, wherein the first packet is a packet received by the br-int from a collection source IP address or a packet sent to the collection source IP address;
the first processor is further configured to select a target acquisition link through the br-tap, wherein the target acquisition link corresponds to a target IP address;
and the first transceiver is further configured to send the first packet to one first agent in a unicast manner, or to a plurality of first agents in a multicast manner, through the br-tun.
9. A communication device comprising a processor, a memory, and a program stored on the memory and executable on the processor, wherein the program, when executed by the processor, performs the steps of the traffic processing method according to any one of claims 1 to 4 or the steps of the traffic processing method according to any one of claims 5 to 8.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, performs the steps of the traffic processing method according to any one of claims 1 to 4 or the steps of the traffic processing method according to any one of claims 5 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911336469.1A CN113098787B (en) 2019-12-23 2019-12-23 Flow processing method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911336469.1A CN113098787B (en) 2019-12-23 2019-12-23 Flow processing method and equipment

Publications (2)

Publication Number Publication Date
CN113098787A true CN113098787A (en) 2021-07-09
CN113098787B CN113098787B (en) 2023-01-13

Family

ID=76662963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911336469.1A Active CN113098787B (en) 2019-12-23 2019-12-23 Flow processing method and equipment

Country Status (1)

Country Link
CN (1) CN113098787B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113709005A (en) * 2021-09-13 2021-11-26 成都安恒信息技术有限公司 User-defined IP flow statistical method and system based on IPtables
CN114257472A (en) * 2021-12-07 2022-03-29 中信银行股份有限公司 Network topology monitoring method, device, equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108092852A (en) * 2017-12-26 2018-05-29 北京科来数据分析有限公司 A kind of OpenStack flow collection methods based on Transmission Control Protocol
CN108111384A (en) * 2017-12-26 2018-06-01 北京科来数据分析有限公司 A kind of OpenStack flow collection methods based on tunnel protocol
CN108494657A (en) * 2018-04-08 2018-09-04 苏州云杉世纪网络科技有限公司 OpenStack cloud platform virtual probe mirror methods based on Open vSwitch
US20190188070A1 (en) * 2017-12-15 2019-06-20 Wipro Limited Method and system for resolving error in open stack operating system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Liu Ying (刘瑛): "SDN在Openstack云数据中心的技术研究" (Research on SDN technology in OpenStack cloud data centers), 《移动通信》 (Mobile Communications) *

Also Published As

Publication number Publication date
CN113098787B (en) 2023-01-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant