WO2014079005A1 - Mac address mandatory forwarding device and method - Google Patents

Mac address mandatory forwarding device and method

Info

Publication number
WO2014079005A1
Authority
WO
WIPO (PCT)
Prior art keywords
arp
gateway
mac address
destination
address
Application number
PCT/CN2012/084991
Other languages
French (fr)
Chinese (zh)
Inventor
骆绍开
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2012/084991 (WO2014079005A1)
Priority to CN201280002989.9A (CN103404084B)
Publication of WO2014079005A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/09: Mapping addresses
    • H04L61/10: Mapping addresses of different types
    • H04L61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a MAC address forced forwarding device and method.
  • Background
  • Layer 2 isolation is a virtual network technology that improves network security and isolates collision domains.
  • By properly configuring Layer 2 network devices, user hosts (including virtual machines and physical terminal devices) corresponding to certain MAC addresses cannot exchange data or communicate with each other through those network devices.
  • The commonly used Layer 2 isolation implementation is to configure the port of the user host.
  • VLAN: Virtual Local Area Network
  • VMM: Virtual Machine Manager
  • Whether in a virtual network or a non-virtual network, traffic statistics and data monitoring for IP addresses, as well as network security, need to be handled through the gateway.
  • Layer 2 isolation of multiple user hosts can be implemented in the virtual network and the non-virtual network, but belongs to the same VLAN.
  • The packet will be directly exchanged at the switch.
  • The packet can be exchanged directly through the bridge of the VMM. That is, in the above two application environments, the gateway cannot sense packets that are exchanged between terminals in the same VLAN, so proper traffic statistics and data monitoring cannot be performed for all packets communicated on the network.
  • The physical terminal or the VM can obtain the MAC addresses of other physical terminals or VMs in the same VLAN, which is a significant network hazard.
  • a Layer 3 switch with MFF (MAC Forced Forwarding)
  • The embodiments of the present invention provide a MAC address forced forwarding device and method that cause all packets to be forwarded to the gateway side as required, implementing traffic statistics and data monitoring for all packets and improving network security.
  • An embodiment of the present invention provides a MAC address forced forwarding device, including:
  • a receiving unit configured to receive an ARP request packet from a user host or a gateway;
  • an ARP replying unit configured to construct an ARP response packet according to the source information and the destination information of the ARP request packet: according to the source information and the destination information in a received ARP request packet from the user host, an ARP reply packet is constructed with the MAC address of the gateway as the destination address; or, according to the source information and the destination information in a received ARP request packet from the gateway, the corresponding destination MAC address is obtained from the lookup table and an ARP reply packet is constructed with that destination MAC address as the source MAC address; the ARP reply packet is then sent to the user host or gateway that sent the ARP request packet.
  • The apparatus further includes a learning unit:
  • the receiving unit is further configured to receive an ARP response packet from the gateway;
  • the ARP pickup unit is further configured to parse the ARP response packet from the gateway;
  • the learning unit is configured to update the lookup table according to the source information and the destination information of the ARP response packet from the gateway.
  • The apparatus further includes:
  • an enabling unit configured to enable the function of the ARP pickup unit for a VLAN;
  • a switching unit configured to send, according to the lookup table, a data packet sent by the user host to the corresponding destination user host in the same VLAN as the user host, or to all user hosts in that VLAN.
  • The apparatus includes:
  • a network card drive unit for driving a network card.
  • An embodiment of the present invention provides a method for forcibly forwarding a MAC address, including:
  • receiving an ARP request packet from a user host or a gateway; constructing an ARP reply packet according to the source information and the destination information of the ARP request packet: according to the source information and destination information in a received ARP request packet from the user host, constructing an ARP reply packet with the gateway MAC address as the destination address, or obtaining the corresponding destination MAC address from the lookup table according to the source information and the destination information in a received ARP request packet from the gateway, configured to
  • The source IP address and the destination IP address in the source information of the user host ARP request packet are respectively used as the destination IP address of the ARP reply packet to be constructed.
  • In the step of constructing an ARP response packet according to the source information and the destination information of the ARP request packet: if the MAC address of the gateway is not recorded in the lookup table, the IP address of the gateway is used as the destination IP address of the ARP reply packet to be constructed, and the ARP reply packet is constructed.
  • The method further includes: receiving an ARP response packet from the gateway;
  • updating the lookup table according to the source information and the destination information of the ARP reply packet from the gateway.
  • The step of updating the lookup table according to the source information and the destination information of the ARP response packet from the gateway is: if the MAC address of the gateway is already recorded in the lookup table, the lookup table is not updated; otherwise, the MAC address of the gateway is recorded.
  • An embodiment of the present invention provides a MAC address forced forwarding device, including a central processing unit and a memory, where the memory stores computer-executable instructions, and the central processing unit and the memory are connected by a communication bus.
  • The central processing unit executes the computer-executable instructions stored in the memory, so that the MAC address forced forwarding device performs the method of any of the second aspects.
  • An embodiment of the present invention provides a computer readable medium comprising computer-executable instructions which, when executed by a central processing unit of a computer, cause the computer to perform the method according to any one of the second aspects.
  • The MAC address forced forwarding device and method of the present invention effectively implement the MAC address forced forwarding function: on the premise of Layer 2 isolation between user hosts, all packets in a specific VLAN are forwarded to the gateway, so that traffic statistics and data monitoring for all packets are implemented and network performance is improved. In addition, since the MFF function can be deployed in a network card or a network card driver, the cost of the network configuration is low.
  • FIG. 1 is a schematic block diagram of conventional Layer 2 isolation for a non-virtual network.
  • FIG. 2 is a schematic block diagram of conventional Layer 2 isolation for a virtual network.
  • FIG. 3 is a schematic structural diagram of a MAC address forced forwarding device according to Embodiment 1 of the present invention.
  • FIG. 4 is a block diagram showing another structure of a MAC address forced forwarding device according to Embodiment 1 of the present invention.
  • FIG. 5 is a schematic structural diagram of a virtual network system according to Embodiment 2 of the present invention.
  • FIG. 6 is a flowchart of performing MAC address forced forwarding according to the method for forcibly forwarding a MAC address in a virtual network system according to Embodiment 1 of the present invention.
  • FIG. 7 is a schematic flowchart of a network card in a virtual network system according to Embodiment 2 of the present invention allowing certain VMs to perform internal packet exchange while implementing Layer 2 isolation.
  • FIG. 8 is a block diagram of the switching unit of a network card in a virtual network system according to Embodiment 2 of the present invention.
  • FIG. 9 is a structural block diagram of a MAC address forced forwarding device according to Embodiment 3 of the present invention.
  • FIG. 10 is a schematic structural diagram of a virtual network system according to Embodiment 3 of the present invention.
  • FIG. 11 is a structural block diagram of a MAC address forced forwarding apparatus according to Embodiment 4 of the present invention.
  • Detailed description
  • The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous.
  • The present invention provides a MAC address forced forwarding device.
  • The device is based on the MFF (MAC Forced Forwarding) function, and the ARP (Address Resolution Protocol) message will be different.
  • The apparatus includes: a receiving unit 310, an ARP pickup unit 320, a transmitting unit 330, and a learning unit 340, where:
  • The receiving unit 310 is configured to receive an ARP request from a user host or a gateway.
  • ARP is a protocol that determines the MAC address of a network device when only its IP address is known.
  • The ARP request message is used to obtain the MAC address corresponding to an IP address in the network, and is in most cases a broadcast message; the ARP response message is a type of message used to inform other hosts of the local IP address and MAC address, and is in most cases a unicast message.
  • The ARP pickup unit 320 performs the MFF function and is configured to construct an ARP response packet according to the source information and the destination information of the ARP request packet. Specifically: according to the source information and the destination information (including the source IP address, the source MAC address, and the destination IP address) in a received ARP request packet from the user host, it constructs an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and the destination information in a received ARP request packet from the gateway, it searches the lookup table for the corresponding destination MAC address and constructs an ARP reply packet with that destination MAC address as the source MAC address.
  • The lookup table may be a global linked list stored in the ARP pickup unit. It records the correspondence between the IP address and the MAC address of the user host and the gateway, and also records the MFF enable information of the ARP pickup unit for each VLAN; the functions of the other units are based on interacting with the information in the lookup table.
  • The sending unit 330 is configured to send the ARP reply packet constructed by the ARP pickup unit 320 to the user host or gateway that sent the ARP request packet.
  • The receiving unit 310 is further configured to receive an ARP response packet from the gateway, and the ARP replying unit 320 is further configured to parse the ARP response packet from the gateway, so that the learning unit 340 can update the lookup table based on the source information and the destination information of the ARP response packet.
  • By deploying the MFF function, the MAC address forced forwarding device in this embodiment transfers all packets in a VLAN domain with the MFF function enabled to the gateway side, on the premise of effectively implementing Layer 2 isolation between the user hosts. Traffic statistics and data monitoring for IP addresses are thereby implemented, which improves network performance.
  • The embodiment of the present invention further provides a method for forcibly forwarding a MAC address based on the MAC address forced forwarding device. The method comprises the following steps.
  • A receiving step: receiving an ARP request packet from a user host or a gateway.
  • An ARP proxying step: constructing an ARP response packet according to the source information and the destination information of the ARP request packet. Specifically: according to the source information and destination information in a received ARP request packet from the user host, an ARP reply packet is constructed with the MAC address of the gateway as the destination address; or, according to the source information and the destination information in a received ARP request packet from the gateway, the corresponding destination MAC address is looked up in the lookup table and an ARP reply packet is constructed with that destination MAC address as the source MAC address.
  • A sending step: sending the ARP reply packet constructed in the ARP pickup step to the user host or the gateway that sent the ARP request packet.
  • A learning step: updating the lookup table based on the source information and the destination information of the ARP response packet received in the receiving step. Specifically, if the MAC address of the gateway has already been recorded in the lookup table, the lookup table is not updated; otherwise, the MAC address of the gateway is recorded.
  • For an ARP request broadcast packet from the user host: if there is a record of the corresponding gateway MAC address in the lookup table, the source IP address and the destination IP address in the packet are used respectively as the destination IP address and the source IP address of the ARP reply packet to be constructed, the source MAC address is used as the destination MAC address of the ARP reply packet, and the gateway MAC address is used as the source MAC address of the ARP reply packet; the ARP reply packet is then constructed. In this way, in the ARP table stored in the user host, the MAC addresses of all peers are the MAC address of the gateway, and the destination MAC address in every unicast packet sent by the user host points to the gateway.
  • If there is no record of the gateway MAC address in the lookup table, the IP address of the gateway is used as the destination IP address of the ARP reply packet, and the ARP reply packet is constructed.
  • The learning unit can then learn the MAC address of the gateway from the response message in the learning step.
  • For an ARP request packet from the gateway: the lookup table is searched according to the destination IP address in the destination information to obtain the MAC address of the corresponding destination user host, and the source MAC address of the ARP request packet is used as the destination MAC address of the ARP reply packet to be constructed, so that a correct ARP response can be made with the destination MAC address in place of the user host.
  • The MAC address forced forwarding apparatus 400 of this embodiment further includes an enabling unit 410 and a switching unit 420, in addition to the units included in the MAC address forced forwarding apparatus of the first embodiment, where:
  • The enabling unit 410 is configured to enable the MFF function of the ARP pickup unit 320 for a certain VLAN.
  • The switching unit 420 has a Layer 2 switching function, also called a vSwitch function: according to the lookup table, it sends the data packets sent by the user host to the corresponding destination user host in the same VLAN as the user host, or to all user hosts in the same VLAN.
  • The MAC address forced forwarding device 400 of this embodiment can deploy each functional unit on the network card, so that in both a non-virtualized common network and a virtualized network, while Layer 2 isolation is implemented, all packets in the VLANs with the MFF function enabled are transferred to the gateway, implementing traffic statistics and data monitoring for all packets and improving network security.
  • Because the functional units are deployed on the network card, the cost of network configuration is low.
  • This embodiment further provides a virtual network system including a network card 520 on which each functional unit of the MAC address forced forwarding device shown in FIG. 4 is deployed.
  • The user hosts are the plurality of virtual machines (VMs) deployed on each server 510, and the lookup table corresponds to a global linked list storing the "Queue ID-IP-MAC" table, which records the mapping between the queue ID, the IP address, and the MAC address.
  • The corresponding queue ID can be queried, and the IP address and MAC address of the virtual machine corresponding to a queue can be queried according to the queue ID.
  • The virtual machine manager (VMM) 511 is responsible for creating virtual machines, allocating virtual network devices with exclusive resources, and managing virtual machines and physical resources. For example, the virtual machine manager assigns a unique NIC resource to a virtual machine to establish a correspondence.
  • The way the virtual machine manager manages virtual machines and physical resources falls into two categories: front-end mode and pass-through mode. In front-end mode, all virtual machine access to the virtual network device is forwarded by the virtual machine manager; in pass-through mode, the virtual machine bypasses the virtual machine manager and directly accesses the virtual network device and the corresponding physical resources.
  • Virtual Machine Device Queue (VMDQ) is an implementation of the pass-through mode.
  • I/O Virtualization (IOV) is another implementation of the pass-through mode.
  • IOV partitions multiple configuration spaces in hardware, and each configuration space is exclusive to a single virtual machine.
  • The network card 520 supports the VMDQ or IOV pass-through mode function, so that each virtual machine in the server 510 can directly access the resources of the network card 520. The virtual machine can then bypass the bridge in the virtual machine manager 511 and exchange messages with the network card 520 directly over the PCI bus 530.
  • The network card 520 answers the ARP requests sent by all the virtual machines with the MAC address of the gateway 550 (ARP pickup); for ARP requests from the gateway 550 side, the network card 520 answers with the MAC address of the virtual machine corresponding to the ARP request.
  • The user can configure parameters in the management domain Domain0 of the virtual machine manager 511 as needed, so that the network card 520 enables forced MAC address forwarding for certain VLANs: all packets of certain virtual machines go to the gateway side, while other virtual machines can exchange packets internally and directly.
  • As shown in FIG. 6, the process by which the network card 520 in the virtual network system of this embodiment forcibly forwards MAC addresses according to the method in Embodiment 1 is as follows:
  • In step S501, the network card receives the ARP request message.
  • In step S502, the network card determines whether the received ARP request message was sent by a VM inside a VLAN enabled by the network card; if yes, step S503 is performed; otherwise, step S510 is performed.
  • In step S503, the received ARP packet is parsed, and the source information and the destination information are obtained.
  • In step S504, the ARP pickup unit of the network card constructs an ARP response message.
  • The specific construction is as follows: if the gateway MAC address is recorded in the "Queue ID-IP-MAC" table, the source IP address and the destination IP address of the ARP request message are used respectively as the destination IP address and the source IP address of the ARP reply packet to be constructed, the source MAC address of the ARP request message is used as the destination MAC address of the ARP reply packet, and the gateway MAC address is used as the source MAC address of the ARP reply packet.
  • If only the MAC address of the gateway is not recorded in the "Queue ID-IP-MAC" table, the destination IP address of the ARP reply message to be constructed is changed to the gateway IP address, and step S505 is performed. If neither the MAC address of the gateway nor the IP address of the gateway is recorded, no processing is performed, and step S505 is performed.
  • In step S505, the ARP reply message constructed by the ARP pickup unit is sent out through the corresponding port.
  • In step S510, the received ARP request message is parsed, and the source information and the destination information are obtained.
  • In step S511, the "Queue ID-IP-MAC" table maintained in the network card is searched according to the destination IP address of the ARP request message to obtain the corresponding queue MAC address; after the queue MAC address is found, processing proceeds to step S52.
  • In step S52, the ARP pickup unit of the network card constructs an ARP response message.
  • The specific construction is as follows: the source IP address and the destination IP address of the ARP request packet are used respectively as the destination IP address and the source IP address of the ARP reply packet to be constructed, the source MAC address of the ARP request packet is used as the destination MAC address of the reply packet, and the queue MAC address that was found is used as the source MAC address of the reply packet.
  • In step S53, the ARP reply message constructed by the ARP pickup unit is sent from the port that received the ARP request message to the requester virtual machine of the ARP request message.
  • The network card thus makes the correct ARP response in place of the virtual machine.
  • After receiving a unicast ARP reply message from the gateway, the network card processes it as follows: when the gateway MAC address is not recorded in the "Queue ID-IP-MAC" table, the gateway MAC address in the message is recorded in the global linked list, and the message is discarded.
  • After receiving an ARP response message from a virtual machine, the network card processes it as follows: if the destination MAC address is the gateway MAC address, the network card sends the message through the corresponding port; if not, the network card releases the message. For packets that are not ARP requests or responses, the network card performs no processing, so they are sent directly through the corresponding port of the network card or sent to the corresponding virtual machine through the bus.
  • FIG. 7 shows the process by which virtual machines in a VLAN for which the network card has not enabled the function exchange packets internally while Layer 2 isolation is implemented.
  • In step S601, the unicast packet sent by the virtual machine is parsed to obtain the destination MAC address.
  • In step S602, the "Queue ID-IP-MAC" table maintained in the network card is searched according to the destination MAC address, and the corresponding queue ID is obtained.
  • In step S603, the network card forwards the message to the queue that was found, so that it finally reaches the correct virtual machine.
  • The network card in the virtual network system of this embodiment can implement the following function: all packets sent by virtual machines in a VLAN that enables the function of the MAC address forced forwarding device arrive at the gateway side, so that Layer 2 isolation is implemented and the gateway performs traffic statistics and data monitoring on all packets. Packets transmitted between virtual machines in a VLAN that does not need to be monitored are exchanged directly through the vSwitch switching unit in the network card, without forced forwarding to the gateway side.
  • The vSwitch function of the switching unit 420 is responsible for exchanging packets within the VLAN: it determines the destination to which a packet is to be sent according to the destination MAC address and the related configuration of the packet.
  • The switching unit 420 is divided into four modules: a configuration module (Config) 421, a table space module (Table Space) 422, a packet receiving module (RX) 423, and a packet sending module (TX) 424.
  • The configuration module 421 is responsible for the initialization and information configuration of the switching unit 420.
  • The table space module 421 maintains a free node space and a hash table for recording and looking up exchange information.
  • The receiving module 423 and the sending module 424 respectively process received and sent messages to implement the packet switching function. Specifically:
  • The table space module 422 provides operations such as adding, deleting, and finding nodes; each node contains a MAC address, a VLAN ID, and queue ID information.
  • The configuration module 421 is responsible for module initialization and information configuration, including: a. Setting the Layer 2 switching of the VLAN. This information is stored in the global VLAN information.
  • The receiving module 423 processes a received packet as follows. For a unicast packet, the hash table node is searched according to the VLAN ID and the destination MAC address of the packet; if it is found, the packet is filled with the queue ID, otherwise the packet is discarded. For a broadcast packet, the message is sent to all queues under the VLAN.
  • The sending module 424 processes a packet to be sent as follows. It first determines whether internal switching needs to be performed: the internal switching function must be enabled for both the VLAN and the queue; otherwise the packet passes directly through the sending module. When internal switching is required, for a unicast packet the hash table node is searched according to the VLAN ID and the destination MAC address of the packet; if it is found, the packet is filled with the queue ID and forwarded to the receiving side; otherwise no processing is done and the packet passes directly through the sending module. When internal switching is required, for a broadcast packet the packet is sent to all queues in the VLAN except its own queue (that is, forwarded to the receiving side); the module then performs no further processing on the broadcast packet and continues to send it.
  • The present embodiment provides a MAC address forced forwarding device 900, which further includes a network card driving unit 910 in addition to the units included in the MAC address forced forwarding device of Embodiment 1.
  • The network card driving unit 910 is used to drive the network card.
  • The MAC address forced forwarding device 900 of this embodiment can deploy each functional unit on the network card driver.
  • Whether in a non-virtualized common network or in a virtualized network, all packets can be transferred to the gateway side while Layer 2 isolation is implemented, so that traffic statistics and data monitoring for all packets are implemented and network security is improved.
  • Deploying each functional unit on the NIC driver keeps the cost of network configuration low.
  • This embodiment further provides a virtual network system including a network card driver 1111 in which the functional units of the MAC address forced forwarding device 900 shown in FIG. 9 are deployed. It is similar to the virtual network system provided in Embodiment 2, except that the virtual network of this embodiment uses only the front-end mode, and the network card driver 1111 of the server 1100 in the system and the bridge exist in the virtual machine manager 1110. Since the bridge exists in the virtual machine manager 1110, packets between the virtual machines can be exchanged through the bridge, so the network card 1150 cannot monitor the communication between the virtual machines. To achieve the same effect as Embodiments 1 and 2, the functional modules of the MAC address forced forwarding device of Embodiment 1 are therefore deployed in the Domain0 NIC driver 1111 of the virtual machine manager 1110, so that forced MAC address forwarding is performed by the NIC driver 1111 before a packet arrives at the bridge.
  • When VM1 sends an ARP request, it is intercepted by the network card driver 1111, which answers it with the MAC address of the gateway 1150 (ARP pickup), so that all messages of VM1 are sent to the gateway 1150. The bridge in the virtual machine manager 1110 therefore cannot perform Layer 2 switching according to the destination MAC address.
  • When an ARP request sent by the gateway 1150 reaches the network card driver 1111, the ARP pickup unit queries the MAC address of the corresponding virtual machine according to the destination IP address and performs ARP pickup.
  • FIG. 11 is a schematic structural diagram of a MAC address forced forwarding device 1200 according to an embodiment of the present invention.
  • the specific embodiment of the present invention does not limit the specific implementation of the MAC address forced forwarding device.
  • the MAC address forcible forwarding device 1200 can include:
  • a processor 1210 a communications interface 1220, a memory 1230, and a communication bus 1240. among them:
  • the processor 1210, the communication interface 1220, and the memory 1230 complete communication with each other via the communication bus 1240.
  • the communication interface 1220 is configured to communicate with a network element such as a client.
  • the processor 1210 is configured to execute the program 1232, and specifically, the related steps in the method embodiment shown in FIG. 6 to FIG. 7 above may be performed.
  • program 732 can include program code, the program code including computer operating instructions.
  • the processor 1210 may be a central processing unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
  • the memory 1230 is configured to store the program 1232.
  • the memory 1230 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • the program 1232 may specifically include:
  • a receiving unit, configured to receive an ARP request from the user host or the gateway.
  • an ARP pickup unit, configured to construct an ARP reply packet from the source information and destination information of the ARP request packet. Specifically: according to the source information and destination information (including the source IP address, source MAC address and destination IP address) in a received ARP request from the user host, it constructs an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and destination information in a received ARP request packet from the gateway, it looks up the corresponding destination MAC address in the lookup table and constructs an ARP reply packet with that destination MAC address as the source MAC address.
  • the lookup table is equivalent to the global linked list stored in the ARP pickup unit. It records the correspondence between the IP addresses and MAC addresses of the user host and the gateway, and also records the MFF enable information of the ARP pickup unit for each VLAN; the functions of the other units are all based on interacting with the information in the lookup table.
  • a sending unit configured to send the ARP response packet constructed by the ARP pickup unit 320 to the user host or the gateway that sends the ARP request message.
  • the learning unit is capable of updating the lookup table according to the source information and the destination information of the ARP reply message.
  • for the specific implementation of each unit in the program 1232, reference may be made to the corresponding units in the embodiments shown in FIG. 3 to FIG. 5 and FIG. 7, and details are not repeated here. A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the device and modules described above can be found in the corresponding process descriptions in the foregoing method embodiments, and details are not repeated here.
  • if the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods of the various embodiments of the present invention.
  • the foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Abstract

Disclosed are a MAC address mandatory forwarding device and method, which relate to the technical field of communications. The device comprises: a receiving unit receiving an ARP request message; an ARP pickup unit constructing an ARP response message using a MAC address of a gateway as a target address according to the source information and the target information in the received ARP request message, or constructing an ARP response message using a target MAC address as a source MAC address by searching for the corresponding target MAC address; and a sending unit sending the ARP response message to the user host or gateway that sent the ARP request message. By means of the device and method of the present invention, all the messages in a specific VLAN are forwarded to the gateway side while layer 2 isolation between user hosts is effectively achieved, traffic statistics and data monitoring for the IP addresses are achieved, and the network performance is improved.

Description

MAC address forced forwarding device and method

Technical field

The present invention relates to the field of communications technologies, and in particular to a MAC address forced forwarding device and method.

Background

Layer 2 isolation is a virtual network technology that improves network security and isolates collision domains. By suitably configuring Layer 2 network devices, it prevents the user hosts (including virtual machines and physical terminal devices) that correspond to certain MAC addresses from exchanging data and communicating between network devices.
A common way to implement Layer 2 isolation is to configure a VLAN (Virtual Local Area Network) on the ports of user hosts, so that user hosts belonging to different VLANs cannot exchange or transmit packets with each other. As shown in Figure 1, in an ordinary non-virtualized network, the VLAN of each port can be configured on the switch, or the VLAN can be configured on the physical terminal device. The switch port or the network protocol layer of the physical terminal device performs VLAN filtering on packets, thereby achieving Layer 2 isolation between different terminals. As shown in Figure 2, in a virtualized network, multiple virtual machines (VMs, that is, virtual terminals) connect to the switch through a single network card, so in addition to configuring the VLAN of each port on the switch, VLANs must also be configured on the virtual machine manager (VMM). VMs deployed on the same server undergo VLAN filtering through the network protocol layer of the VMM.
In both virtual and non-virtual networks, it is necessary to collect traffic statistics per IP address and monitor data through the gateway, and to improve network security. With the above scheme, Layer 2 isolation of multiple user hosts can be achieved in both virtual and non-virtual networks, but when terminals in the same VLAN communicate, in the non-virtual network of Figure 1 the packets are Layer 2 switched directly at the switch, and in the virtual network of Figure 2 the packets can be exchanged internally through the bridge of the VMM. That is, in both environments the gateway cannot see the packets exchanged between terminals in the same VLAN. As a result, correct traffic statistics and data monitoring cannot be performed for all packets on the network. In addition, a physical terminal or VM can obtain the MAC addresses of other physical terminals or VMs in the same VLAN, which poses a considerable risk to the network.
As shown in Figure 3, a Layer 3 switch with the MFF (MAC Forced Forwarding) function is deployed in an ordinary non-virtualized network, so that all packets sent by the physical terminals are sent to the gateway device and then forwarded through the switch to the destination terminal. For a virtualized network, the deployment shown in Figure 3 can still be used, so that packets sent by VMs are forcibly forwarded to the gateway device and then sent through the switch to the destination terminal. However, because a bridge exists in the VMM, packets between VMs in the same VLAN can still be exchanged internally. Consequently, in such a virtualized network it is not possible to direct all packets to the gateway.

Summary of the invention

In view of this, embodiments of the present invention provide a MAC address forced forwarding device and method that achieve Layer 2 isolation while directing all packets to the gateway side as required, so that traffic statistics and data monitoring cover all packets and network security is improved.
To solve the above technical problem, in a first aspect, an embodiment of the present invention provides a MAC address forced forwarding device, including:
a receiving unit, configured to receive an ARP request packet from a user host or a gateway;
an ARP pickup unit, configured to construct an ARP reply packet according to the source information and destination information of the ARP request packet: according to the source information and destination information in a received ARP request packet from a user host, construct an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and destination information in a received ARP request packet from the gateway, obtain the corresponding destination MAC address from a lookup table and construct an ARP reply packet with that destination MAC address as the source MAC address; and […] sending to the user host or gateway that sent the ARP request packet.
With reference to the first aspect, in a first possible implementation, the device further includes a learning unit;
the receiving unit is further configured to receive an ARP reply packet from the gateway; the ARP pickup unit is further configured to parse the ARP reply packet from the gateway;
the learning unit is configured to update the lookup table according to the source information and destination information of the ARP reply packet from the gateway.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the device further includes:
an enabling unit, configured to make the ARP pickup unit enable its function for a given VLAN;
a switching unit, configured to send, according to the lookup table, data packets sent by a user host to the corresponding destination user host in the same VLAN as that user host, or to all user hosts in the same VLAN.
With reference to the first aspect or the first possible implementation of the first aspect, in a third possible implementation, the device includes:
a network card driver unit, configured to drive a network card.
In a second aspect, an embodiment of the present invention provides a MAC address forced forwarding method, including:
receiving an ARP request packet from a user host or a gateway; constructing an ARP reply packet according to the source information and destination information of the ARP request packet: according to the source information and destination information in a received ARP request packet from a user host, constructing an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and destination information in a received ARP request packet from the gateway, obtaining the corresponding destination MAC address from a lookup table and constructing, with the said […] user host or gateway.
With reference to the second aspect, in a first possible implementation, in the step of constructing an ARP reply packet according to the source information and destination information of the ARP request packet:
the source IP address and destination IP address in the source information of the ARP request packet from the user host are used, respectively, as the destination IP address of the ARP reply packet to be constructed and […] address, and the ARP reply packet is constructed.
With reference to the second aspect, in a second possible implementation, in the step of constructing an ARP reply packet according to the source information and destination information of the ARP request packet:
the lookup table is searched according to the destination IP address in the destination information of the ARP request packet from the gateway to obtain the corresponding destination MAC address, and the ARP request […] source MAC address.
With reference to the second aspect or the first possible implementation of the second aspect, in a third possible implementation, in the step of constructing an ARP reply packet according to the source information and destination information of the ARP request packet: if the lookup table holds no record of the gateway's MAC address, the IP address of the gateway is used as the destination IP address of the ARP reply packet to be constructed, and the ARP reply packet is constructed.
With reference to the second aspect or any one of the first to third possible implementations of the second aspect, in a fourth possible implementation, the method further includes: receiving an ARP reply packet from the gateway;
parsing the ARP reply packet from the gateway;
updating the lookup table according to the source information and destination information of the ARP reply packet from the gateway.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation, in the step of updating the lookup table according to the source information and destination information of the ARP reply packet from the gateway: if the MAC address of the gateway is already recorded in the lookup table, the lookup table is not updated; otherwise, the MAC address of the gateway is recorded.
In a third aspect, an embodiment of the present invention provides a MAC address forced forwarding device including a central processing unit and a memory, where the memory stores computer-executable instructions, the central processing unit is connected to the memory through a communication bus, and when the MAC address forced forwarding device runs, the central processing unit executes the computer-executable instructions stored in the memory, so that the MAC address forced forwarding device performs the method of any implementation of the second aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable medium, characterized in that the computer-readable medium contains computer-executable instructions which, when executed by the central processing unit of a computer, cause the computer to perform the method of any implementation of the second aspect.
By deploying the MAC address forced forwarding function appropriately, the MAC address forced forwarding device and method of the embodiments of the present invention direct all packets within a specific VLAN to the gateway side while effectively achieving Layer 2 isolation between user hosts, which enables traffic statistics and data monitoring for all packets and improves network performance. In addition, because the MFF function can be deployed in a network card or a network card driver, the cost of network configuration is low.
Other features and aspects of the present invention will become clear from the following detailed description of exemplary embodiments with reference to the drawings.

Brief description of the drawings

The drawings, which are included in and form part of the specification, illustrate exemplary embodiments, features and aspects of the present invention together with the specification, and serve to explain the principles of the invention.
Figure 1 is a schematic block diagram of conventional Layer 2 isolation in a non-virtual network;
Figure 2 is a schematic block diagram of conventional Layer 2 isolation in a virtual network;
Figure 3 is a structural block diagram of the MAC address forced forwarding device of Embodiment 1 of the present invention;
Figure 4 is another structural block diagram of the MAC address forced forwarding device of Embodiment 1 of the present invention;
Figure 5 is a schematic structural diagram of the virtual network system of Embodiment 2 of the present invention;
Figure 6 is a flowchart of the network card in the virtual network system of Embodiment 2 performing MAC address forced forwarding according to the MAC address forced forwarding method of Embodiment 1;
Figure 7 is a schematic diagram of the processing flow by which the network card in the virtual network system of Embodiment 2 allows certain VMs to exchange packets internally while achieving Layer 2 isolation;
Figure 8 is a structural block diagram of the switching unit of the network card in the virtual network system of Embodiment 2;
Figure 9 is a structural block diagram of the MAC address forced forwarding device of Embodiment 3 of the present invention;
Figure 10 is a schematic structural diagram of the virtual network system of Embodiment 3 of the present invention;
Figure 11 is a structural block diagram of the MAC address forced forwarding device of Embodiment 4 of the present invention.

Detailed description

Various exemplary embodiments, features and aspects of the present invention are described in detail below with reference to the drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.
The word "exemplary" is used here to mean "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or superior to other embodiments.
In addition, numerous specific details are given in the detailed description below to better explain the present invention. Those skilled in the art will understand that the invention can be practiced without these specific details. In other instances, well-known methods, means, elements and circuits are not described in detail, so as to highlight the gist of the invention.
Embodiment 1
This embodiment of the present invention provides a MAC address forced forwarding device. Based on the MFF (MAC Forced Forwarding) function, the device answers ARP (Address Resolution Protocol) packets on behalf of their targets, so that communication packets between different user hosts are transmitted directly to the gateway.
As shown in Figure 3, the device includes a receiving unit 310, an ARP pickup unit 320, a sending unit 330 and a learning unit 340, where:
The receiving unit 310 is configured to receive ARP requests from user hosts or the gateway. ARP is a protocol for determining the MAC address of a network device when only its IP address is known. An ARP request packet is a packet used to obtain the MAC address corresponding to an IP address in the network, and is in most cases a broadcast packet; an ARP reply packet is a packet used to tell other hosts the local host's IP address and MAC address, and is in most cases a unicast packet.
The ARP pickup unit 320 has the MFF function and is configured to construct an ARP reply packet according to the source information and destination information of the ARP request packet. Specifically: according to the source information and destination information (including the source IP address, source MAC address and destination IP address) in a received ARP request packet from a user host, it constructs an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and destination information in a received ARP request packet from the gateway, it looks up the corresponding destination MAC address in the lookup table and constructs an ARP reply packet with that destination MAC address as the source MAC address. The lookup table may be a global linked list stored in the ARP pickup unit. It records the correspondence between the IP addresses and MAC addresses of the user hosts and the gateway, as well as the ARP pickup unit's MFF enable information for each VLAN; the functions of the other units are all based on interaction with the information in this lookup table.
The sending unit 330 is configured to send the ARP reply packet constructed by the ARP pickup unit 320 to the user host or gateway that sent the ARP request packet.
The receiving unit 310 is further configured to receive an ARP reply packet from the gateway, and the ARP pickup unit 320 is further configured to parse the ARP reply packet from the gateway, so that the learning unit 340 can update the lookup table according to the source information and destination information of the ARP reply packet.
By deploying the MFF function, the MAC address forced forwarding device of this embodiment directs all packets within MFF-enabled VLAN domains to the gateway side while effectively achieving Layer 2 isolation between user hosts, which enables traffic statistics and data monitoring per IP address and improves network performance. In addition, an embodiment of the present invention provides a MAC address forced forwarding method based on the above MAC address forced forwarding device. The method includes the following steps:
Receiving step: receive an ARP request packet from a user host or the gateway.
ARP pickup step: construct an ARP reply packet according to the source information and destination information of the ARP request packet. Specifically: according to the source information and destination information in a received ARP request packet from a user host, construct an ARP reply packet with the MAC address of the gateway as the destination address; or, according to the source information and destination information in a received ARP request packet from the gateway, look up the corresponding destination MAC address in the lookup table and construct an ARP reply packet with that destination MAC address as the source MAC address.
Sending step: send the ARP reply packet constructed in the ARP pickup step to the user host or gateway that sent the ARP request packet.
Learning step: update the lookup table according to the source information and destination information of the ARP reply packet received in the receiving step. Specifically, if the MAC address of the gateway is already recorded in the lookup table, the lookup table is not updated; otherwise, the MAC address of the gateway is recorded.
In the ARP pickup step, for a broadcast ARP request packet from a user host: if the lookup table holds a record of the corresponding gateway MAC address, the source IP address and destination IP address in the packet's source information are used, respectively, as the destination IP address and source IP address of the ARP reply packet to be constructed, the source MAC address is used as the destination MAC address of the ARP reply packet to be constructed, the gateway MAC address is used as the source MAC address of the ARP reply packet to be constructed, and the ARP reply packet is constructed. As a result, in the ARP table stored in the user host, the MAC address of every peer is the gateway's MAC address, and the destination MAC address of every unicast packet the user host sends points to the gateway. Note that if the lookup table does not record the MAC address of the corresponding gateway but only the gateway's IP address, the gateway's IP address is used as the destination IP address of the ARP reply packet, and the ARP reply packet is constructed. This is equivalent to sending an ARP request that looks for the gateway, so that the gateway responds with an ARP reply on receiving the packet, and in the learning step the learning unit can learn the gateway's MAC address from that reply packet and update the lookup table.
In the ARP pickup step, for an ARP request packet from the gateway, the lookup table is searched according to the destination IP address in the destination information to obtain the MAC address of the corresponding destination user host; the source MAC address of the ARP request packet is used as the destination MAC address of the ARP reply packet to be constructed, and the destination MAC address that was found […] so that a correct ARP reply is made on behalf of the user host.
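The following Python example is added here and is not code from the patent; it implements the ARP pickup and learning rules of Embodiment 1 on raw 28-byte ARP bodies. The class and function names, the constructed addresses, provisioning host entries through `add_host`, staying silent for unknown hosts, and rendering the "gateway MAC not yet recorded" case as an ARP request for the gateway IP are assumptions.

```python
import socket
import struct
from dataclasses import dataclass

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP body, 28 bytes
REQUEST, REPLY = 1, 2

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    return socket.inet_aton(text)

@dataclass
class Arp:
    op: int
    sha: bytes   # sender (source) MAC
    spa: bytes   # sender (source) IP
    tha: bytes   # target (destination) MAC
    tpa: bytes   # target (destination) IP

    def pack(self):
        return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, self.op,
                           self.sha, self.spa, self.tha, self.tpa)

    @classmethod
    def unpack(cls, raw):
        if len(raw) < 28:
            raise ValueError("truncated ARP packet")
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
            ARP_FMT, raw[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not Ethernet/IPv4 ARP")
        return cls(op, sha, spa, tha, tpa)

class ArpPickup:
    """Lookup table plus the pickup and learning rules of Embodiment 1."""

    def __init__(self, gateway_ip, mff_vlans):
        self.gateway_ip = ip(gateway_ip)
        self.gateway_mac = None          # learned from the gateway's reply
        self.mff_vlans = set(mff_vlans)  # per-VLAN MFF enable information
        self.hosts = {}                  # (vlan, host IP) -> host MAC

    def add_host(self, vlan, host_ip, host_mac):
        # Assumption: host entries are provisioned, not learned from traffic.
        self.hosts[(vlan, ip(host_ip))] = mac(host_mac)

    def handle(self, vlan, raw):
        """Return (destination, ARP bytes) to send, or None if nothing is sent."""
        if vlan not in self.mff_vlans:
            return None                  # MFF not enabled: ordinary switching
        pkt = Arp.unpack(raw)
        from_gateway = pkt.spa == self.gateway_ip
        if pkt.op == REPLY:
            # Learning step: record the gateway MAC once, never overwrite it.
            if from_gateway and self.gateway_mac is None:
                self.gateway_mac = pkt.sha
            return None
        if pkt.op != REQUEST:
            return None
        if from_gateway:
            # Answer for the host: its MAC becomes the reply's source MAC.
            host_mac = self.hosts.get((vlan, pkt.tpa))
            if host_mac is None:
                return None              # assumption: unknown host, stay silent
            reply = Arp(REPLY, host_mac, pkt.tpa, pkt.sha, pkt.spa)
            return "gateway", reply.pack()
        if self.gateway_mac is None:
            # Gateway MAC not recorded yet: ask the gateway for it instead.
            probe = Arp(REQUEST, pkt.sha, pkt.spa, bytes(6), self.gateway_ip)
            return "gateway", probe.pack()
        # Host request: every peer IP resolves to the gateway's MAC.
        reply = Arp(REPLY, self.gateway_mac, pkt.tpa, pkt.sha, pkt.spa)
        return "host", reply.pack()

def demo():
    # Constructed addresses, for illustration only.
    gw_ip, gw_mac = "10.0.0.1", "02:00:00:00:00:01"
    vm1_ip, vm1_mac = "10.0.0.11", "02:00:00:00:00:11"
    vm2_ip, vm2_mac = "10.0.0.12", "02:00:00:00:00:12"
    unit = ArpPickup(gw_ip, mff_vlans=[100])
    unit.add_host(100, vm1_ip, vm1_mac)
    unit.add_host(100, vm2_ip, vm2_mac)
    vm1_asks = Arp(REQUEST, mac(vm1_mac), ip(vm1_ip), bytes(6), ip(vm2_ip)).pack()
    gw_reply = Arp(REPLY, mac(gw_mac), ip(gw_ip), mac(vm1_mac), ip(vm1_ip)).pack()
    later = Arp(REPLY, mac("02:00:00:00:00:66"), ip(gw_ip), mac(vm1_mac), ip(vm1_ip)).pack()
    gw_asks = Arp(REQUEST, mac(gw_mac), ip(gw_ip), bytes(6), ip(vm2_ip)).pack()
    probe = unit.handle(100, vm1_asks)   # gateway MAC still unknown
    unit.handle(100, gw_reply)           # gateway MAC learned here
    unit.handle(100, later)              # already recorded: table unchanged
    return {"probe": probe,
            "to_vm1": unit.handle(100, vm1_asks),
            "to_gateway": unit.handle(100, gw_asks),
            "other_vlan": unit.handle(200, vm1_asks),
            "gateway_mac": unit.gateway_mac}

if __name__ == "__main__":
    print(demo())
```

The learning rule keeps the first MAC address recorded for the gateway IP, so a later ARP reply claiming that IP with a different MAC does not change where hosts are steered; the entry is only as trustworthy as that first reply.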
Embodiment 2
As shown in Figure 4, the MAC address forced forwarding device 400 of this embodiment includes, in addition to the units of the MAC address forced forwarding device of Embodiment 1, an enabling unit 410 and a switching unit 420, where:
The enabling unit 410 is configured to make the ARP pickup unit 320 enable the MFF function for a given VLAN. The switching unit 420 has the Layer 2 switching function of an ordinary network card, also called the vSwitch function, and is configured to send, according to the lookup table, data packets sent by a user host to the corresponding destination user host in the same VLAN as that user host, or to all user hosts in the same VLAN.
In other words, the MAC address forced forwarding device 400 of this embodiment can deploy each functional unit on the network card, so that in both ordinary non-virtualized networks and virtualized networks, all packets within MFF-enabled VLANs are directed to the gateway side while Layer 2 isolation is achieved, which enables traffic statistics and data monitoring for all packets and improves network security. In addition, deploying the functional units on the network card keeps the cost of network configuration low.
As shown in Figure 5, this embodiment also provides a virtual network system that includes a network card 520 on which the functional units of the MAC address forced forwarding device shown in Figure 4 are deployed. In this virtual network system, the user hosts are multiple virtual machines (VMs) deployed on the servers 510, and the lookup table is a global linked list storing a "queue ID-IP-MAC" table, which records the mapping between queue IDs, IP addresses and MAC addresses. The corresponding queue ID can be found from either an IP address or a MAC address, and the IP address and MAC address of the virtual machine corresponding to a queue can be found from its queue ID.
In this virtual network system, the virtual machine manager (VMM) 511 is responsible for creating virtual machines, allocating them virtual network devices with exclusive resources, and managing virtual machines and physical resources. For example, the virtual machine manager allocates to a virtual machine […] network card resources and establishes the correspondence. The virtual machine manager's management of virtual machines and physical resources falls into two broad categories: front/back-end mode and pass-through mode. In front/back-end mode, all virtual machine access to virtual network devices must be forwarded by the virtual machine manager, whereas in pass-through mode the virtual network device and its corresponding physical resources can be accessed directly, without going through the virtual machine manager. Virtual Machine Device Queue (VMDQ) is one implementation of pass-through mode: in a virtualized environment using pass-through mode, the virtual machine manager gives the virtual machine a virtual device through software emulation, but because the resources the virtual machine accesses on the virtual device are in fact physical resources mapped by the virtual machine manager 511, I/O throughput is higher than in front/back-end mode. I/O virtualization (I/O Virtual, IOV) is another implementation of pass-through mode: IOV partitions multiple configuration spaces in hardware, and each configuration space is used exclusively by a single virtual machine.
在本实施例的虚拟网络***中,该网卡 520支持 VMDQ 或者 IOV直通模式功能,使得服务器 5 10 中的各虚拟机可以 直接访问网卡 520资源, 此时, 虚拟机能够绕过虚拟机管理 器 5 1 1 中的网桥, 经由总线 PCI 530与网卡 520直接进行报 文的交换传输。 网卡 520 以网关 550的 MAC地址来代答所 有虚拟机发出的 ARP请求, 而针对来自 网关 550侧的 ARP 请求, 网卡 520 以该 ARP请求所对应的虚拟机的 MAC地址 来进行代答。 In the virtual network system of the embodiment, the network card 520 supports the VMDQ or IOV pass-through mode function, so that each virtual machine in the server 5 10 can directly access the network card 520 resources. At this time, the virtual machine can bypass the virtual machine manager 5 The bridge in 1 1 directly exchanges messages with the network card 520 via the bus PCI 530. The network card 520 picks up the ARP request sent by all the virtual machines with the MAC address of the gateway 550, and the ARP for the gateway 550 side. The request, the network card 520 performs the pickup by the MAC address of the virtual machine corresponding to the ARP request.
具言之, 用户可根据需要在虚拟机管理器 5 11 的管理域 DomainO配置参数, 使能网卡 520对于某些 VLAN的 MAC 地址强制转发功能, 以实现将某些特定虚拟机的所有报文都 转到网关侧, 某些虚拟机则可直接进行内部报文交换。 如图 6所示, 本实施例的虚拟网络***中的网卡 520依照实施例 1 中的方法进行 MAC地址强制转发的过程如下:  In other words, the user can configure parameters in the management domain DomainO of the virtual machine manager 5 11 as needed to enable the network card 520 to forward the MAC address of certain VLANs to implement all the packets of certain virtual machines. Go to the gateway side, some virtual machines can directly exchange internal messages. As shown in FIG. 6, the process of forcibly forwarding the MAC address by the network card 520 in the virtual network system of this embodiment according to the method in Embodiment 1 is as follows:
In step S501, the network card receives an ARP request message.
In step S502, the network card determines whether the received ARP request message was sent by a VM inside a VLAN enabled on the network card; if so, step S503 is performed; otherwise, step S510 is performed.
In step S503, the received ARP message is parsed to obtain its source information and destination information.
In step S504, the ARP proxy-reply unit of the network card constructs an ARP reply message as follows. If the gateway MAC address is recorded in the "Queue ID-IP-MAC" table, the source IP address and destination IP address of the ARP request message are used as the destination IP address and source IP address, respectively, of the ARP reply message to be constructed; the source MAC address of the ARP request message is used as the destination MAC address of the reply; the gateway MAC address is used as the source MAC address of the reply; and step S505 is performed. If the "Queue ID-IP-MAC" table records only the gateway IP address and not the gateway MAC address, the destination IP address of the ARP reply message to be constructed is changed to the gateway IP address, and step S505 is performed. If neither the gateway MAC address nor the gateway IP address is recorded, the message is not processed in any way, and step S505 is performed.
In step S505, the ARP reply message constructed by the ARP proxy-reply unit is sent out through the corresponding port.
In step S510, the received ARP request message is parsed to obtain its source information and destination information.
In step S511, the "Queue ID-IP-MAC" table maintained in the network card is searched by the destination IP address of the ARP request message to obtain the corresponding queue MAC address. Once the queue MAC address is found, processing proceeds to step S512.
In step S512, the ARP proxy-reply unit of the network card constructs an ARP reply message as follows: the source IP address and destination IP address of the ARP request message are used as the destination IP address and source IP address, respectively, of the ARP reply message to be constructed; the source MAC address of the ARP request message is used as the destination MAC address of the reply; and the found queue MAC address is used as the source MAC address of the reply.
In step S513, the ARP reply message constructed by the ARP proxy-reply unit is sent, from the port on which the ARP request message was received, to the requester of that ARP request message.
In summary, the network card makes the correct ARP reply on behalf of the virtual machine.
For a unicast ARP reply message from the gateway, the network card processes it after reception as follows: if the gateway MAC address is not recorded in the "Queue ID-IP-MAC" table, the gateway MAC address in the message is recorded in the global linked list, and the message is discarded.
For a unicast ARP reply message from a virtual machine, the network card processes it after reception as follows: if its destination MAC address is the gateway MAC address, it is sent out through the corresponding port; if not, the message is released.
For messages that are neither ARP requests nor ARP replies, the network card performs no processing and lets them be sent out directly through the corresponding port of the network card or sent over the bus to the corresponding virtual machine.
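The ARP handling of steps S501 to S513 and the gateway-MAC learning rule, as an added Python example that is not part of the patent. The table layout, the function names, the `from_gateway` flag (which side the frame arrived from) and the sample addresses are assumptions of this example; all frames are constructed and processed in memory.

```python
import socket
import struct
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Ethernet II header (14 bytes) followed by an ARP body for IPv4 over Ethernet (28 bytes).
FRAME = struct.Struct("!6s6sHHHBBH6s4s6s4s")
Arp = namedtuple("Arp", "eth_dst eth_src etype htype ptype hlen plen op sha spa tha tpa")
ETH_ARP, REQUEST, REPLY = 0x0806, 1, 2

@dataclass
class MffTable:
    """Stand-in for the "Queue ID-IP-MAC" table; this layout is an assumption."""
    hosts: dict = field(default_factory=dict)      # host IP (4 bytes) -> host MAC (6 bytes)
    gateway_ip: Optional[bytes] = None
    gateway_mac: Optional[bytes] = None
    mff_vlans: set = field(default_factory=set)    # VLANs with MFF enabled

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    return socket.inet_aton(text)

def parse(frame):
    """Return the ARP fields, or None if the frame is not ARP for IPv4 over Ethernet."""
    if len(frame) < FRAME.size:
        return None
    msg = Arp(*FRAME.unpack(frame[:FRAME.size]))
    if (msg.etype, msg.htype, msg.ptype, msg.hlen, msg.plen) != (ETH_ARP, 1, 0x0800, 6, 4):
        return None
    return msg

def build_reply(req, answer_mac):
    """S504/S512: swap the request's IP addresses, address the reply to the
    requester, and put answer_mac in the source MAC fields."""
    reply = req._replace(eth_dst=req.eth_src, eth_src=answer_mac, op=REPLY,
                         sha=answer_mac, spa=req.tpa, tha=req.sha, tpa=req.spa)
    return FRAME.pack(*reply)

def handle_frame(table, frame, vlan, from_gateway):
    """Return (action, frame_out); action is "reply", "forward", "drop" or "unspecified"."""
    msg = parse(frame)
    if msg is None or msg.op not in (REQUEST, REPLY):
        return "forward", frame                    # not an ARP request/reply: untouched
    if msg.op == REQUEST:
        if not from_gateway and vlan in table.mff_vlans:        # S502 "yes" branch
            if table.gateway_mac is not None:
                return "reply", build_reply(msg, table.gateway_mac)
            if table.gateway_ip is not None:
                # Only the gateway IP is recorded: the destination IP becomes the gateway IP.
                # Keeping the opcode as a request is this example's reading of that step.
                return "forward", FRAME.pack(*msg._replace(tpa=table.gateway_ip))
            return "forward", frame                # nothing recorded: sent unmodified
        host_mac = table.hosts.get(msg.tpa)        # S511: look up by destination IP
        if host_mac is None:
            return "unspecified", None             # the page does not cover a failed lookup
        return "reply", build_reply(msg, host_mac)
    if from_gateway:
        if table.gateway_mac is None:              # record once, never overwrite
            table.gateway_mac = msg.sha
        # Discarding when the MAC was already recorded is an assumption of this example.
        return "drop", None
    # ARP reply from a host: it leaves only if it is addressed to the gateway MAC.
    if msg.eth_dst == table.gateway_mac:
        return "forward", frame
    return "drop", None

def demo():
    """Run constructed frames through the handler and return the table and results."""
    gw_ip, gw_mac = ip("10.0.0.1"), mac("02:00:00:00:00:fe")
    vm1_ip, vm1_mac = ip("10.0.0.11"), mac("02:00:00:00:00:11")
    vm2_ip, vm2_mac = ip("10.0.0.12"), mac("02:00:00:00:00:12")
    table = MffTable(hosts={vm1_ip: vm1_mac, vm2_ip: vm2_mac},
                     gateway_ip=gw_ip, mff_vlans={100})
    bcast, zero = b"\xff" * 6, bytes(6)

    def arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
        return FRAME.pack(eth_dst, eth_src, ETH_ARP, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

    vm1_asks_vm2 = arp(bcast, vm1_mac, REQUEST, vm1_mac, vm1_ip, zero, vm2_ip)
    gw_answers = arp(vm1_mac, gw_mac, REPLY, gw_mac, gw_ip, vm1_mac, vm1_ip)
    gw_asks_vm2 = arp(bcast, gw_mac, REQUEST, gw_mac, gw_ip, zero, vm2_ip)
    out = {
        "before_learning": handle_frame(table, vm1_asks_vm2, 100, False),
        "learning": handle_frame(table, gw_answers, 100, True),
        "after_learning": handle_frame(table, vm1_asks_vm2, 100, False),
        "gateway_request": handle_frame(table, gw_asks_vm2, 100, True),
    }
    return table, out

if __name__ == "__main__":
    for step, (action, frame_out) in demo()[1].items():
        print(step, action, frame_out.hex() if frame_out else None)
```

After the gateway MAC has been learned, VM1's request for VM2 is answered with the gateway MAC, so VM1's traffic to VM2 is addressed to the gateway rather than to VM2 directly.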
FIG. 7 shows the processing performed by the network card of this embodiment to allow virtual machines in certain VLANs for which it is not enabled to exchange messages internally while implementing Layer 2 isolation.
In step S601, the unicast message sent by the virtual machine is parsed to obtain the destination MAC address.
In step S602, the "Queue ID-IP-MAC" table maintained in the network card is searched by the destination MAC address to obtain the corresponding queue ID.
In step S603, the network card forwards the message to the queue that was found, and the message is finally delivered to the correct virtual machine.
In summary, the network card in the virtual network system of this embodiment makes all messages sent by virtual machines in a VLAN for which the MAC address forced forwarding function is enabled reach the gateway side, so that Layer 2 isolation is achieved while the gateway performs traffic statistics and data monitoring on all messages. For message transmission between virtual machines inside certain VLANs that do not need monitoring, messages are exchanged directly by the (vSwitch) switching unit in the network card, without being forcibly forwarded to the gateway side.
The vSwitch function of the switching unit 420 is responsible for switching messages inside a VLAN: it determines the queue to which a message is to be sent according to the message's destination MAC address and the related configuration. As shown in FIG. 8, the switching unit 420 is divided into four modules: a configuration module (Config) 421, a table space module (Table Space) 422, a receive module (RX) 423, and a send module (TX) 424. The configuration module 421 is responsible for initialization and information configuration of the switching unit 420. The table space module 422 maintains the free node space and the hash table, which are used to record and look up switching information. The receive module 423 and the send module 424 process received and sent messages, respectively, to implement message switching. Specifically:
The table space module 422 provides operations such as adding, deleting and looking up nodes. Each node contains a MAC address, a VLAN ID and a queue ID.
The configuration module 421 is responsible for module initialization and information configuration, which mainly includes:
a. Setting the Layer 2 switching enable of a VLAN; this information is stored in the global VLAN information.
b. Setting the Layer 2 switching enable of a virtual machine queue; this information is stored in the global queue information.
c. Updating the MAC address of a virtual machine queue, including updating the hash table and the global queue information.
d. Deleting the MAC address of a queue, or deleting the MAC addresses of all queues, including deleting the corresponding hash table node and deleting the MAC information in the global queue information.
The receive module 423 processes a received message as follows: for a unicast message, the hash table node is looked up by the message's VLAN ID and destination MAC address; if it is found, the queue ID is filled into the message, otherwise the message is discarded. For a broadcast message, the message is sent to all queues in the VLAN.
The send module 424 processes a message to be sent as follows. It first determines whether internal switching is required; the condition is that both the VLAN and the queue have the internal switching function enabled. Otherwise no processing is done and the message passes straight through the send module. When internal switching is required, for a unicast message the hash table node is looked up by the message's VLAN ID and destination MAC address; if it is found, the queue ID is filled into the message and the message is turned to the receive side; otherwise no processing is done and the message passes straight through the send module. When internal switching is required, for a broadcast message the message is sent to all queues in the VLAN except the sender's own queue (all turned to the receive side), and the message is then passed through. The module does not otherwise process the broadcast message and continues to send it outward.
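The receive-side and send-side decisions of the switching unit described above, as an added Python example that is not part of the patent. A plain dictionary stands in for the hash table of (VLAN ID, MAC) nodes; the class and function names, queue numbers and addresses are assumptions of this example.

```python
from dataclasses import dataclass, field

BROADCAST = b"\xff" * 6


@dataclass
class SwitchTable:
    """Nodes of (VLAN ID, MAC) -> queue ID, plus the per-VLAN and per-queue enables."""
    nodes: dict = field(default_factory=dict)
    vlan_switching: set = field(default_factory=set)    # VLANs with internal switching on
    queue_switching: set = field(default_factory=set)   # queues with internal switching on

    def add(self, vlan, mac_addr, queue):
        self.nodes[(vlan, mac_addr)] = queue

    def queues_in(self, vlan):
        return sorted(q for (v, _), q in self.nodes.items() if v == vlan)


def rx(table, vlan, dst_mac):
    """Receive side: return the queues that get the frame; an empty list means discarded."""
    if dst_mac == BROADCAST:
        return table.queues_in(vlan)
    queue = table.nodes.get((vlan, dst_mac))
    return [] if queue is None else [queue]


def tx(table, vlan, src_queue, dst_mac):
    """Send side: return (local_queues, leaves_on_wire)."""
    # Internal switching needs BOTH the VLAN and the sending queue to be enabled.
    if vlan not in table.vlan_switching or src_queue not in table.queue_switching:
        return [], True
    if dst_mac == BROADCAST:
        # Copies go to every other queue in the VLAN, and the frame still goes out.
        return [q for q in table.queues_in(vlan) if q != src_queue], True
    queue = table.nodes.get((vlan, dst_mac))
    if queue is None:
        return [], True                   # unknown destination: passes straight through
    return [queue], False                 # turned around to the receive side


def demo():
    """Constructed setup: VLAN 100 is left to MFF, VLAN 200 switches internally."""
    t = SwitchTable(vlan_switching={200}, queue_switching={3, 4})
    t.add(100, b"\x02\x00\x00\x00\x00\x11", 1)
    t.add(100, b"\x02\x00\x00\x00\x00\x12", 2)
    t.add(200, b"\x02\x00\x00\x00\x00\x21", 3)
    t.add(200, b"\x02\x00\x00\x00\x00\x22", 4)
    results = {
        # VLAN 100 has no internal switching, so even a known local MAC goes out.
        "mff_vlan_unicast": tx(t, 100, 1, b"\x02\x00\x00\x00\x00\x12"),
        "switched_unicast": tx(t, 200, 3, b"\x02\x00\x00\x00\x00\x22"),
        "switched_broadcast": tx(t, 200, 3, BROADCAST),
        "unknown_dst": tx(t, 200, 3, b"\x02\x00\x00\x00\x00\x99"),
    }
    return t, results


if __name__ == "__main__":
    for name, result in demo()[1].items():
        print(name, result)
```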
Embodiment 3
As shown in FIG. 9, this embodiment provides a MAC address forced forwarding device 900 which, in addition to the units of the MAC address forced forwarding device of Embodiment 1, includes a network card driver unit 910. The network card driver unit 910 is used to drive the network card; in other words, the MAC address forced forwarding device 900 of this embodiment can deploy its functional units on the network card driver. In both an ordinary non-virtualized network and a virtualized network, Layer 2 isolation is thus achieved while all messages are directed to the gateway side, which allows traffic statistics and data monitoring for all messages and improves network security. In addition, deploying the functional units on the network card driver keeps the cost of network configuration low.
As shown in FIG. 10, this embodiment also provides a virtual network system that includes a network card driver 1111 on which the functional units of the MAC address forced forwarding device 900 shown in FIG. 9 are deployed. This virtual network system is similar to the one provided in Embodiment 2. The difference is that the network card driver 1111 of the server 1100 in the virtual network system of this embodiment can only use front-end/back-end mode, and a bridge exists in the virtual machine manager 1110. Because a bridge exists in the virtual machine manager 1110, messages between virtual machines can be switched virtually through the bridge, so the network card 1150 cannot monitor communication between the virtual machines. Therefore, to implement the same Layer 2 isolation and Layer 2 switching functions as in Embodiments 1 and 2, in the virtual network system of this embodiment the functional modules of the MAC address forced forwarding device of Embodiment 1 are deployed on the Domain0 network card driver 1111 of the virtual machine manager 1110, so that the network card driver 1111 performs MAC address forced forwarding processing on a message before it reaches the bridge.
Continuing with FIG. 10 and taking virtual machine VM1 as an example: when VM1 sends an ARP request, it is intercepted by the network card driver 1111, which makes an ARP proxy reply with the MAC address of the gateway 1150. After that, all messages of VM1 are sent to the gateway 1150, so the bridge in the virtual machine manager 1110 cannot perform Layer 2 switching by destination MAC address. When an ARP request sent by the gateway 1150 reaches the network card driver 1111, the ARP proxy-reply unit looks up the MAC address of the corresponding virtual machine by the destination IP address and makes an ARP proxy reply.
Embodiment 4
FIG. 11 is a schematic structural diagram of a MAC address forced forwarding device 1200 according to an embodiment of the present invention. The specific embodiments of the present invention do not limit the specific implementation of the MAC address forced forwarding device. As shown in FIG. 11, the MAC address forced forwarding device 1200 may include:
a processor 1210, a communications interface 1220, a memory 1230, and a communication bus 1240, where:
The processor 1210, the communications interface 1220 and the memory 1230 communicate with one another over the communication bus 1240.
The communications interface 1220 is used to communicate with network elements such as clients.
The processor 1210 is used to execute the program 1232, and specifically can perform the relevant steps of the method embodiments shown in FIG. 6 to FIG. 7 above.
Specifically, the program 1232 may include program code, and the program code includes computer operating instructions.
The processor 1210 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 1230 is used to store the program 1232. The memory 1230 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory. The program 1232 may specifically include:
a receiving unit, configured to receive an ARP request from a user host or the gateway;
an ARP proxy-reply unit, configured to construct an ARP reply message from the source information and destination information of the ARP request message. Specifically: according to the source information and destination information (including the source IP address, source MAC address, destination IP address and similar information) in a received ARP request message from a user host, it constructs an ARP reply message with the gateway's MAC address as the destination address; or, according to the source information and destination information in a received ARP request message from the gateway, it looks up the corresponding destination MAC address in the lookup table and constructs an ARP reply message with that destination MAC as the source MAC address. The lookup table corresponds to a global linked list stored in the ARP proxy-reply unit; it records the correspondence between the IP addresses and MAC addresses of the user hosts and the gateway, and also records the ARP proxy-reply unit's MFF enable information for each VLAN. The functions of the other units are all based on interaction with the information in the lookup table;
a sending unit, configured to send the ARP reply message constructed by the ARP proxy-reply unit 320 to the user host or gateway that sent the ARP request message;
a learning unit, capable of updating the lookup table according to the source information and destination information of an ARP reply message.
For the specific implementation of each unit in the program 1232, see the corresponding units in the embodiments shown in FIG. 3 to FIG. 5 and FIG. 7; details are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above can be found in the corresponding process descriptions of the foregoing method embodiments and are not repeated here.
Those of ordinary skill in the art will appreciate that the units and method steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
If the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are intended only to illustrate the present invention and not to limit it. Those of ordinary skill in the relevant technical field can make various changes and variations without departing from the spirit and scope of the present invention, so all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.

Claims

1、 一种 MAC地址强制转发装置, 其特征在于, 包括: 接收单元,用于接收来自用户主机或网关的 ARP请求报文; ARP代答单元, 用于根据所述 ARP请求报文的源信息以及 目 的信息构造 ARP应答报文: 根据接收到的来自用户主机的 ARP请求 艮文中的源信息以及目的信息, 构造以网关的 MAC地 址为目的地址的 ARP应答报文, 或根据接收到的来网关的 ARP 请求报文中的源信息以及目 的信息从查找表获取对应的目 的 MAC地址,构造以所述目的 MAC地址为源 MAC地址的 ARP应答 艮文; 以及 发送至发送所述 ARP请求报文的用户主机或网关。 1. A MAC address forced forwarding device, characterized in that it includes: a receiving unit, used to receive an ARP request message from a user host or a gateway; an ARP proxy unit, used to respond according to the source information of the ARP request message and destination information to construct an ARP response message: According to the source information and destination information in the ARP request message received from the user host, construct an ARP response message with the MAC address of the gateway as the destination address, or according to the received ARP response message from the gateway The source information and destination information in the ARP request message are obtained from the lookup table to obtain the corresponding destination MAC address, and an ARP response message with the destination MAC address as the source MAC address is constructed; and sent to the source that sent the ARP request message. User host or gateway.
2、 如权利要求 1所述的装置, 其特征在于, 该装置还包括 学习单元, 2. The device according to claim 1, characterized in that, the device further includes a learning unit,
所述接收单元还用于接收来自网关的 ARP应答报文; 所述 ARP代答单元还用于解析所述来自网关的 ARP应答报 文; The receiving unit is also used to receive the ARP response message from the gateway; the ARP proxy unit is also used to parse the ARP response message from the gateway;
所述学习单元用于才 据所述来自网关的 ARP应答报文的源 信息和目的信息更新所述查找表。 The learning unit is used to update the lookup table based on the source information and destination information of the ARP reply message from the gateway.
3、 如权利要求 1或 2所述的装置, 其特征在于, 该装置还包 括: 3. The device according to claim 1 or 2, characterized in that the device further includes:
使能单元, 用于使所述 ARP代答单元针对某个 VLAN使能 其功能; An enabling unit, used to enable the ARP proxy unit to enable its function for a certain VLAN;
交换单元, 用于根据所述查找表, 将用户主机发送的数据 报文发送至与所述用户主机属于同一 VLAN的对应的目的用户 主机或属于同一 VLAN的全部用户主机。 The switching unit is configured to send the data message sent by the user host to the corresponding destination user host that belongs to the same VLAN as the user host or all user hosts that belong to the same VLAN according to the lookup table.
4、如权利要求 1或 2所述的装置,其特征在于,该装置包括: 网卡驱动单元, 用于驱动网卡。 4. The device according to claim 1 or 2, characterized in that the device includes: a network card driving unit, used to drive the network card.
5、 一种 MAC地址强制转发方法, 其特征在于, 包括: 接收来自用户主机或网关的 ARP请求报文; 5. A MAC address forced forwarding method, characterized by including: receiving an ARP request message from the user host or gateway;
根据所述 ARP请求报文的源信息以及目的信息构造 ARP应 答报文: 根据接收到的来自用户主机的 ARP请求报文中的源信 息以及目的信息, 构造以网关的 MAC地址为目的地址的 ARP应 答报文, 或根据接收到的来自网关的 ARP请求报文中的源信息 以及目的信息从查找表获取对应的目的 MAC地址, 构造以所述 Construct an ARP response message based on the source information and destination information of the ARP request message: Construct an ARP with the gateway's MAC address as the destination address based on the source information and destination information in the received ARP request message from the user host. reply message, or obtain the corresponding destination MAC address from the lookup table according to the source information and destination information in the received ARP request message from the gateway, constructed as described
的用户主机或网关。 user host or gateway.
6、 如权利要求 5所述的方法, 其特征在于, 在所述根据所 述 ARP请求 艮文的源信息以及目的信息构造 ARP应答 艮文的步 骤中: 6. The method of claim 5, wherein in the step of constructing an ARP response text based on the source information and destination information of the ARP request text:
将所述来自用户主机 ARP请求报文的源信息中的源 IP地址 和目的 IP地址分别作为待构造的 ARP应答报文的目的 IP地址和 The source IP address and destination IP address in the source information of the ARP request message from the user host are respectively used as the destination IP address and destination IP address of the ARP reply message to be constructed.
址, 构造所述 ARP应答报文。 address, and construct the ARP reply message.
7、 如权利要求 5所述的方法, 其特征在于, 在所述根据所 述 ARP请求 艮文的源信息以及目的信息构造 ARP应答 艮文的步 骤中: 7. The method of claim 5, wherein in the step of constructing an ARP response text based on the source information and destination information of the ARP request text:
根据来自网关的 ARP请求报文的目的信息中的目的 IP地址 查找所述查找表, 获取对应的目的 MAC地址, 将所述 ARP请求 Search the lookup table according to the destination IP address in the destination information of the ARP request message from the gateway, obtain the corresponding destination MAC address, and convert the ARP request
源 MAC地址。 Source MAC address.
8、 如权利要求 5或 6所述的方法, 其特征在于, 在所述根据 所述 ARP请求报文的源信息以及目的信息构造 ARP应答报文的 步骤中: 8. The method according to claim 5 or 6, characterized in that, according to In the step of constructing an ARP response message from the source information and destination information of the ARP request message:
若查找表中未记录网关的 MAC地址, 则将网关的 IP地址作 为待构造的 ARP应答报文的目的 IP地址, 构造所述 ARP应答报 文。 If the MAC address of the gateway is not recorded in the lookup table, the IP address of the gateway is used as the destination IP address of the ARP response message to be constructed, and the ARP response message is constructed.
9、 如权利要求 5至 8中任一项所述的方法, 其特征在于, 该 方法还包括: 9. The method according to any one of claims 5 to 8, characterized in that the method further includes:
接收来自网关的 ARP应答报文; Receive ARP reply message from the gateway;
解析所述来自网关的 ARP应答报文; Parse the ARP reply message from the gateway;
根据所述来自网关的 ARP应答报文的源信息和目的信息更 新所述查找表。 The lookup table is updated according to the source information and destination information of the ARP reply message from the gateway.
10、 如权利要求 9所述的方法, 其特征在于, 在所述根据所 述来自网关的 ARP应答报文的源信息和目的信息更新所述查找 表的步骤中: 若所述查找表中已记录了网关的 MAC地址, 则不 更新所述查找表; 否则, 记录所述网关的 MAC地址。 10. The method of claim 9, wherein in the step of updating the lookup table according to the source information and destination information of the ARP reply message from the gateway: If the lookup table already contains If the MAC address of the gateway is recorded, the lookup table is not updated; otherwise, the MAC address of the gateway is recorded.
11. A MAC address forced forwarding device, characterized in that it comprises a central processor and a memory, the memory stores computer-executable instructions, and the central processor is connected to the memory through a communication bus; when the MAC address forces the computer to execute instructions to cause the MAC address forced forwarding device to execute the method according to any one of claims 5 to 10.
12. A computer-readable medium, characterized in that the computer-readable medium contains computer-executable instructions; when the central processor of a computer executes the computer-executable instructions, the computer-executable instructions cause the computer to execute the method according to any one of claims 5 to 10.
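The lookup-table handling in claims 7, 9 and 10, as an added Python example that is not part of the patent. The class, function and constant names and the sample addresses are assumptions; because claim 7 is cut off on this page, the response here is filled in the way a standard ARP reply is (looked-up MAC as sender, requester as target).

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 ARP payload for Ethernet/IPv4, 28 bytes
REQUEST, REPLY = 1, 2

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if malformed."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, spa, tha, tpa

def build_arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

class ForwardingTable:
    """Hypothetical lookup table: host IP -> host MAC, plus one gateway entry."""
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.gateway_mac = None      # unknown until the first reply from the gateway
        self.hosts = {}              # host IP (4 bytes) -> host MAC (6 bytes)

    def learn_gateway_reply(self, payload):
        """Claims 9-10: record the gateway MAC only if none is recorded yet."""
        arp = parse_arp(payload)
        if arp is None or arp[0] != REPLY or arp[2] != self.gateway_ip:
            return False
        if self.gateway_mac is not None:
            return False             # already recorded: the table is not updated
        self.gateway_mac = arp[1]
        return True

    def answer_gateway_request(self, payload):
        """Claim 7: look up the requested IP and answer with the recorded host MAC."""
        arp = parse_arp(payload)
        if arp is None or arp[0] != REQUEST or arp[2] != self.gateway_ip:
            return None
        _, sha, spa, _, tpa = arp
        mac = self.hosts.get(tpa)
        if mac is None:
            return None              # no table entry for that IP: no response is built
        # Assumption: standard ARP reply layout, requester becomes the target.
        return build_arp(REPLY, mac, tpa, sha, spa)

# Constructed sample addresses (documentation range), not taken from the patent.
GW_IP, HOST_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
GW_MAC, HOST_MAC = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb10")
```

Because the gateway entry is written once and never overwritten, a later ARP response that names a different MAC for the gateway IP leaves the table unchanged.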
PCT/CN2012/084991 2012-11-21 2012-11-21 Mac address mandatory forwarding device and method WO2014079005A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/084991 WO2014079005A1 (en) 2012-11-21 2012-11-21 Mac address mandatory forwarding device and method
CN201280002989.9A CN103404084B (en) 2012-11-21 2012-11-21 MAC Address forces retransmission unit and method

Publications (1)

Publication Number Publication Date
WO2014079005A1 (en) 2014-05-30

Family

ID=49565858

Country Status (2)

Country Link
CN (1) CN103404084B (en)
WO (1) WO2014079005A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109729188A (en) 2013-12-31 2019-05-07 华为技术有限公司 A kind of message transmitting method, equipment and communication system
CN106797344B (en) * 2015-06-30 2020-10-16 华为技术有限公司 Method and apparatus for communicating through remote network element port
CN105872117A (en) * 2015-10-26 2016-08-17 乐视云计算有限公司 Method and system for obtaining MAC address and virtual machine manager
CN105553698A (en) * 2015-12-09 2016-05-04 福建天晴数码有限公司 Traffic counting method and traffic counting system based on local area network
CN107181681B (en) * 2016-03-10 2022-02-25 中兴通讯股份有限公司 SDN two-layer forwarding method and system
CN107395508B (en) * 2016-05-17 2020-04-14 华为技术有限公司 Method and device for forwarding message
CN106789756A (en) 2016-12-26 2017-05-31 腾讯科技(深圳)有限公司 A kind of data transmission method for uplink and device based on operating system nucleus bridge
CN107360058A (en) * 2017-07-12 2017-11-17 郑州云海信息技术有限公司 A kind of method and device for realizing traffic monitoring
CN107547346B (en) * 2017-07-24 2021-02-26 新华三技术有限公司 Message transmission method and device
CN109525601B (en) 2018-12-28 2021-04-27 杭州迪普科技股份有限公司 Method and device for isolating transverse flow between terminals in intranet
CN112468383B (en) 2019-09-06 2023-01-06 华为云计算技术有限公司 Communication method and gateway in hybrid cloud environment, management method and device
CN111130981B (en) * 2019-12-24 2022-05-20 锐捷网络股份有限公司 Proxy response method and device for MAC address
CN111654558B (en) * 2020-05-29 2023-02-28 杭州迪普科技股份有限公司 ARP interaction and intranet flow forwarding method, device and equipment
CN115242748A (en) * 2022-07-04 2022-10-25 裕太微电子股份有限公司 Method for reducing power consumption of computer system and low-power-consumption computer system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972230A (en) * 2006-11-09 2007-05-30 杭州华为三康技术有限公司 A broadcasting method and access controller for wireless LAN address resolution protocol
CN101123614A (en) * 2007-09-04 2008-02-13 中兴通讯股份有限公司 A method and communication device for processing address parsing protocol packet
CN101924707A (en) * 2010-09-27 2010-12-22 杭州华三通信技术有限公司 Method and equipment for processing message of address resolution protocol (ARP)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100596111C (en) * 2007-07-16 2010-03-24 杭州华三通信技术有限公司 Method and device for sending out ARP request under condition without VLAN virtual interface
CN101577722B (en) * 2009-06-03 2012-09-05 中兴通讯股份有限公司 Method for realizing MAC forced forwarding function and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086272A (en) * 2022-06-23 2022-09-20 杭州云合智网技术有限公司 ARP (Address resolution protocol) answer-substitute method, device, equipment and storage medium
CN115086272B (en) * 2022-06-23 2023-11-21 杭州云合智网技术有限公司 ARP (Address resolution protocol) answering substituting method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN103404084B (en) 2017-11-17
CN103404084A (en) 2013-11-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12888655

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12888655

Country of ref document: EP

Kind code of ref document: A1