CN103229489B - Configuration method of virtual machine control strategy and switch

Info

Publication number: CN103229489B
Authority: CN (China)
Prior art keywords: virtual machine; control; MAC address; strategy; control strategy
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201280002960.0A
Other languages: Chinese (zh)
Other versions: CN103229489A (en)
Inventors: 张恒梁, 宋哲炫, 李金成
Current Assignee: XFusion Digital Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN103229489A
Application granted
Publication of CN103229489B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533: Hypervisors; Virtual machine monitors
    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F2009/45595: Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to a configuration method of a virtual machine control strategy and a switch. The method comprises: receiving a first control strategy for a virtual machine; obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy; and replacing the virtual machine identifier in the first control strategy with the MAC address of the virtual machine to obtain a second control strategy. The embodiment of the present invention thus realizes configuration and management of control strategies at the MAC address level, making policy control at the MAC address level easier to implement.

Description

Configuration method of virtual machine control strategy and switch
Technical Field
The present invention relates to the field of communications, and in particular, to a configuration method of a virtual machine control policy and a switch.
Background
Virtualization is the most important technical foundation for realizing cloud computing. Virtualization technology improves resource utilization and allows resources to be deployed quickly and flexibly as user service requirements change. Server virtualization lets well-separated workloads share hardware again, which greatly reduces the space, power, and cooling consumed by physical servers, curbs server sprawl, and greatly increases the speed at which servers are provisioned.
Because application scenarios and server types differ, server virtualization requires not only a comprehensive virtualization software platform but also a hardware platform with multiple cores, high density, reliable memory, and scalable Input/Output (I/O) throughput. However, common server virtualization technology cannot protect and enforce policies at the virtual machine level, and cannot make a policy move with the virtual machine.
In the prior art, a virtual switch that supports the virtual network card tag VN-Tag (used to identify a virtual network card of a virtual machine) establishes a plurality of ports corresponding to the virtual network cards of the virtual machines. When data enters the virtual switch, the virtual switch adds the VN-Tag to the data and forwards it, thereby realizing virtual-machine-level policy control. The disadvantage of this prior art is that the virtual switch, the access switch, and even the core network switch must all support the technology at the same time, so devices that do not support VN-Tag must be upgraded; this limits the application of the solution, and the cost of upgrading the devices is high.
Disclosure of Invention
In view of the problems that the prior-art method of configuring a virtual machine control policy by using the VN-Tag technology places high requirements on equipment and has a high cost, embodiments of the present invention provide a method for configuring a virtual machine control policy and a switch.
In a first aspect, an embodiment of the present invention provides a method for configuring a virtual machine control policy, where the method includes:
receiving a first control strategy for a virtual machine;
acquiring the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy;
and replacing the virtual machine identifier in the first control strategy with the MAC address of the virtual machine to obtain a second control strategy.
In a first possible implementation manner, after obtaining the second control strategy, the method further includes: receiving an address change message aiming at the virtual machine, wherein the address change message carries an updated MAC address; and replacing the MAC address in the second control strategy by using the updated MAC address to obtain a third control strategy.
With reference to the first aspect, in a second possible implementation manner, after the obtaining the second control policy, the method further includes: receiving a first update control policy for the virtual machine, wherein the first update control policy comprises the virtual machine identifier of the virtual machine; acquiring the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first updating control strategy with the MAC address to obtain a second updating control strategy; replacing the second control strategy with the second updated control strategy.
With reference to the first aspect, in a third possible implementation manner, before the obtaining, according to the virtual machine identifier in the first control policy, the MAC address of the virtual machine, the method further includes: and receiving the virtual machine identification and N MAC addresses corresponding to the virtual machine identification, wherein N is greater than or equal to 1.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner, the replacing, by the MAC address of the virtual machine, the virtual machine identifier in the first control policy to obtain a second control policy specifically includes: and replacing the virtual machine identification in the first control strategy one by using the N MAC addresses to obtain N second control strategies, wherein the N second control strategies are respectively in one-to-one correspondence with the N MAC addresses.
With reference to the first aspect, in a fifth possible implementation manner, after the obtaining the second control strategy, the method further includes: and processing the received data packet with the MAC address as a destination address or a source address according to the second control strategy.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner, the processing, according to the second control policy, a data packet that is received and that uses the MAC address as a destination address or a source address specifically includes: receiving a data packet with the MAC address as a destination address or a source address; and forwarding the data packet or refusing to forward the data packet according to the second control strategy.
With reference to the first aspect or the first, second, third, fourth, fifth, and sixth possible implementation manners of the first aspect, in a seventh possible implementation manner, the first control policy includes at least one of the following control policies: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy, and a maximum traffic jitter strategy.
In a second aspect, an embodiment of the present invention provides a switch, including a control module, where the control module includes a receiving submodule, an obtaining submodule, and a converting submodule; the receiving submodule is used for receiving a first control strategy aiming at the virtual machine; the obtaining submodule is used for obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy; and the conversion submodule is used for replacing the virtual machine identifier in the first control strategy by using the MAC address of the virtual machine to obtain a second control strategy.
In a first possible implementation manner, the receiving sub-module is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address; and the conversion module is also used for replacing the MAC address in the second control strategy by the updated MAC address to obtain a third control strategy.
With reference to the second aspect, in a second possible implementation manner, the switch further includes a replacement sub-module; the receiving submodule is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; the conversion submodule is further configured to obtain the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; the replacement sub-module is configured to replace the second control strategy with the second updated control strategy.
With reference to the second aspect, in a third possible implementation manner, the receiving submodule is further configured to receive the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
With reference to the third possible implementation manner of the second aspect, in a fourth possible implementation manner, the conversion module is specifically configured to replace the virtual machine identifier in the first control policy one by one with the N MAC addresses to obtain N second control policies, where the N second control policies correspond to the N MAC addresses one to one, respectively.
With reference to the second aspect, in a fifth possible implementation manner, the switch further includes a switching module, and the switching module is connected to the control module; and the switching module is used for receiving the second control strategy from the control module and forwarding or rejecting the forwarding processing of the received data packet with the MAC address as a destination address or a source address according to the second control strategy.
With reference to the second aspect or the first, second, third, fourth, and fifth possible implementation manners of the second aspect, in a sixth possible implementation manner, the control policy includes, but is not limited to, one or any combination of the following: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy, and a maximum traffic jitter strategy.
In the embodiment of the invention, a switch acquires a first control strategy for a virtual machine from a network management center, acquires the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy, and replaces the virtual machine identifier in the first control strategy with the MAC address of the virtual machine to obtain a second control strategy. The embodiment of the invention therefore realizes the configuration and management of control strategies at the MAC address level, solves the problems of high equipment requirements and high cost in the prior-art method of configuring virtual machine control strategies by using the VN-Tag technology, saves a large amount of economic cost, and makes policy control at the virtual machine level easier to realize.
Drawings
Fig. 1 is a schematic view of an application architecture of a configuration method of a virtual machine control policy according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for configuring a virtual machine control policy according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a switch according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of another switch according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic view of an application architecture of a configuration method of a virtual machine control policy according to an embodiment of the present invention. As shown in Fig. 1, the network management center may obtain the virtual MAC address corresponding to each network port of the virtual machine. It may then send to the control module of a data center access switch, which may be an OpenFlow switch, both the control policy for the virtual machine and the correspondence between the MAC addresses of the virtual machine's virtual network ports and the virtual machine. This correspondence may be embodied as a correspondence between the virtual machine identifier (in this document, the virtual machine identifier refers to the ID of the virtual machine) and the MAC address of the virtual machine. After receiving the correspondence and the control policy for the virtual machine, the control module can convert the control policy for the virtual machine into a control policy for the MAC address. When the switch receives a data packet sent from a MAC address of the virtual machine or sent to a MAC address of the virtual machine, the switch can process the data packet according to the control policy for that MAC address, thereby realizing policy control for the virtual machine.
Fig. 2 is a flowchart of a configuration method of a virtual machine control policy according to an embodiment of the present invention. The main execution body of this embodiment is a switch, and a method of converting a control policy for a virtual machine into a control policy for a MAC address after the switch acquires the control policy for the virtual machine from a network management center is described in detail. As shown in fig. 2, this embodiment includes the steps of:
step 201, a first control strategy for a virtual machine is received.
In order to realize the technical scheme of the invention, the switch comprises a control module and a switching module, which exchange information through an interface. The switch and the network management center can communicate through the management interface, and the network management center can actively send the virtual MAC address corresponding to each network port of the virtual machine, together with the control strategy for the virtual machine, to the control module.
The first control policy acquired by the switch from the network management center is a control policy for the virtual machine, and the control policy packet may include at least one of the following control policies: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy, and a maximum traffic jitter strategy.
For example, an access control policy for a virtual machine may be defined as a denial of forwarding a packet sent to a virtual machine.
Certainly, the user may update the control policy of the virtual machine through the network management center, and at this time, the network management center may send the updated control policy to the switch; after the virtual machine is migrated, the MAC address of the virtual machine also changes correspondingly, and after the network management center acquires the migration information, the network management center may also actively send the updated MAC address to the switch.
Step 202, obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to the virtual machine identifier to the switch, the switch can store the virtual machine identifier and the virtual machine MAC address in a local database.
One virtual machine can have one or more network ports, each network port corresponds to one virtual MAC address, so that one virtual machine can have one or more virtual MAC addresses, and the switch can acquire the one or more MAC addresses from the network management center.
After receiving the first control policy for the virtual machine from the network management center, the switch extracts the virtual machine identifier of the virtual machine from the first control policy, and then queries the corresponding MAC address in the local database according to the virtual machine identifier.
Step 203, replacing the virtual machine identifier in the first control strategy with the MAC address of the virtual machine, so as to obtain a second control strategy.
If the virtual machine has only one network port, that is, only one MAC address, the virtual machine identifier in the first control strategy for the virtual machine is directly replaced by that MAC address to obtain the second control strategy for the MAC address. If the virtual machine has a plurality of network ports, that is, a plurality of MAC addresses MAC1, MAC2, MAC3, ..., MACn, replacing the virtual machine identifier in the first control strategy with MAC1 yields a second control strategy for the MAC1 address; replacing it with MAC2 yields a second control strategy for the MAC2 address; and once each of the n MAC addresses has been used to replace the virtual machine identifier in the first control strategy, n second control strategies are obtained.
For example, virtual machine 1 has only one network port, that is, only one MAC address MAC1; if the first control policy is to deny forwarding of all packets sent to virtual machine 1, the second control policy is to deny forwarding of all packets sent to MAC1. If virtual machine 1 has a plurality of network ports, that is, a plurality of MAC addresses MAC1, MAC2, MAC3, ..., MACn, and the first control policy is to refuse to forward all packets sent to virtual machine 1, then the second control policies are to refuse to forward all packets sent to MAC1, MAC2, MAC3, ..., MACn.
After the control module in the switch converts the first control strategy for the virtual machine into the second control strategy for the MAC address, the second control strategy is sent to the switching module, so that the switching module processes the data packet originated from or sent to the MAC address according to the second control strategy.
Specifically, when the switching module receives a data packet with the MAC address as a destination address or a source address, the switching module may locally query a corresponding second control policy according to the source MAC address or the destination MAC address of the data packet, so as to perform corresponding processing on the data packet.
Of course, if the switching module, after receiving a data packet with the MAC address as the destination address or the source address, determines by local query that no corresponding second control policy is configured locally, the control module may issue the second control policy to the switching module. If the control module does not have a corresponding second control policy either, the first control policy for the virtual machine corresponding to the second control policy, and the corresponding virtual machine MAC address, can be obtained from the network management center; the first control policy is then converted into the second control policy and sent to the switching module.
In an optional implementation manner of the embodiment of the present invention, after obtaining the second control policy, the method further includes: receiving an address change message aiming at the virtual machine, wherein the address change message carries an updated MAC address; and replacing the MAC address in the second control strategy by using the updated MAC address to obtain a third control strategy. Specifically, after the virtual machine is migrated, the MAC address of the virtual machine may also change correspondingly, and after the network management center acquires the migration information, the network management center may also actively send the updated MAC address to the switch through the address change message, and the switch may replace the MAC address in the stored second control policy with the updated MAC address to obtain the third control policy. If m updated MAC addresses exist, each MAC address in the m MAC addresses is used for replacing the original MAC address in the second control strategy, and then m third control strategies can be obtained.
Optionally, after the updated MAC address is obtained, a first control policy for the virtual machine may also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and each MAC address in the m MAC addresses is used to replace the virtual machine identifier in the first control policy, so that m second control policies may be obtained.
It should be noted here that, since the second control policy for the original MAC address is also converted from the first control policy for the corresponding virtual machine identifier, after the MAC address of the virtual machine is changed, the second control policy for the original MAC address can be deleted, so that on one hand, space can be saved, and on the other hand, it can be prevented that after the MAC address of the other virtual machine is changed to the original MAC address, an erroneous policy control is generated for the corresponding other virtual machine.
Correspondingly, after the second control strategy is obtained, the method further comprises the following steps: receiving a first update control policy for the virtual machine, wherein the first update control policy comprises the virtual machine identifier of the virtual machine; acquiring the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first updating control strategy with the MAC address to obtain a second updating control strategy; replacing the second control strategy with the second updated control strategy. Specifically, if the user updates the control policy for the virtual machine through the network management center, the network management center may send the updated control policy to the switch, and after receiving the updated control policy, the switch may convert the updated control policy into the control policy for the corresponding MAC address, and replace the second control policy saved before with the updated control policy for the MAC address, thereby implementing configuration of the dynamic control policy.
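The conversion, address-change and update steps described above, as an added Python sketch that is not code from the patent: the `Policy` fields, the `ControlModule` class and its method names, the sample MAC addresses, and forwarding by default when no MAC-level policy matches are all assumptions. It goes slightly beyond the text by showing what a second virtual machine experiences when it takes over an old MAC address whose second control policy was not deleted.

```python
import re
from dataclasses import dataclass, replace

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
PEER = "02:00:00:00:00:ff"  # constructed address of some other host


def norm_mac(mac):
    """Canonicalise a MAC so table lookups cannot miss on case or '-' separators."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


@dataclass(frozen=True)
class Policy:
    subject: str    # VM identifier in a first policy, MAC address in a second/third policy
    direction: str  # "to" (destination), "from" (source) or "any"
    action: str     # "forward" or "deny"


class ControlModule:
    def __init__(self):
        self.vm_macs = {}     # local database: VM identifier -> its N MAC addresses
        self.mac_policy = {}  # MAC -> MAC-level policy handed to the switching module

    def learn_vm(self, vm_id, macs):
        self.vm_macs[vm_id] = [norm_mac(m) for m in macs]

    def install(self, first):
        """Steps 201-203: one second policy per MAC. Calling it again with an
        updated first policy replaces the stored entries (the update path).
        Raises KeyError if the VM identifier is not in the local database."""
        second = [replace(first, subject=mac) for mac in self.vm_macs[first.subject]]
        for p in second:
            self.mac_policy[p.subject] = p
        return second

    def address_change(self, vm_id, new_macs, purge_old=True):
        """Swap the old MACs for the updated ones, giving the third policies."""
        old = self.vm_macs.get(vm_id, [])
        templates = [self.mac_policy[m] for m in old if m in self.mac_policy]
        self.learn_vm(vm_id, new_macs)
        if purge_old:  # delete entries for the original MACs, as the text advises
            for m in old:
                self.mac_policy.pop(m, None)
        third = []
        if templates:
            for m in self.vm_macs[vm_id]:
                p = replace(templates[0], subject=m)
                self.mac_policy[m] = p
                third.append(p)
        return third

    def decide(self, src_mac, dst_mac):
        """Switching-module lookup by source and destination MAC.
        Assumption: packets are forwarded unless a matching policy denies them."""
        for mac, field in ((norm_mac(src_mac), "from"), (norm_mac(dst_mac), "to")):
            p = self.mac_policy.get(mac)
            if p and p.direction in (field, "any") and p.action == "deny":
                return "deny"
        return "forward"


def demo(purge_old):
    cm = ControlModule()
    cm.learn_vm("vm-1", ["02:00:00:00:00:01", "02-00-00-00-00-02"])  # N = 2
    second = cm.install(Policy("vm-1", "to", "deny"))
    before = cm.decide(PEER, "02:00:00:00:00:01")
    third = cm.address_change("vm-1", ["02:00:00:00:00:0A"], purge_old=purge_old)
    cm.learn_vm("vm-2", ["02:00:00:00:00:01"])  # another VM now owns the old MAC
    return {
        "second": len(second),
        "third": [p.subject for p in third],
        "before": before,
        "moved": cm.decide(PEER, "02:00:00:00:00:0a"),
        "reused": cm.decide(PEER, "02:00:00:00:00:01"),
    }


if __name__ == "__main__":
    print("purge old entries:", demo(True))
    print("keep old entries: ", demo(False))
```

With `purge_old=False` the packet to vm-2 is denied by vm-1's leftover entry, which is the erroneous policy control the description warns about.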
In the embodiment of the invention, a switch acquires a first control strategy for a virtual machine from a network management center, acquires the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy, and replaces the virtual machine identifier in the first control strategy with the MAC address of the virtual machine to obtain a second control strategy. The embodiment of the invention therefore realizes the configuration and management of control strategies at the MAC address level, solves the problems of high equipment requirements and high cost in the prior-art method of configuring virtual machine control strategies by using the VN-Tag technology, saves a large amount of economic cost, and makes policy control at the virtual machine level easier to realize.
It should be noted that, if the network interface adaptation module (physical network card) of the physical host where the virtual machine is located supports promiscuous mode (Promiscuous Mode), the operating state of the physical network card needs to be set to promiscuous mode. In promiscuous mode, the physical network card will not modify the source MAC address of a transmitted data packet, so the source MAC address of a data packet transmitted by a virtual network port of the virtual machine is not changed; and when receiving a data packet sent to the network card, it will not filter on the destination MAC address. If the physical network card of the switch does not support promiscuous mode, the function of the physical network card needs to be upgraded, so that the source MAC address is not modified when the physical network card forwards a data packet from the virtual machine, and the destination MAC address is not filtered when a data packet sent to the network card is received.
Correspondingly, the embodiment of the invention also provides a switch, which can be an OpenFlow switch. Fig. 3 is a schematic diagram of a switch according to an embodiment of the present invention, and as shown in fig. 3, the switch includes a control module 310, where the control module 310 includes a receiving submodule 311, an obtaining submodule 312, and a transforming submodule 313; the switch also includes a switching module 320. Wherein the switching module 320 and the control module 310 may be connected through an interface. For example, for an OpenFlow switch, the control module 310 and the switch module 320 may be connected through an OpenFlow interface. Wherein,
the receiving submodule 311 is configured to receive a first control policy for the virtual machine.
The receiving submodule 312 is further configured to receive the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
The first control policy acquired by the switch from the network management center is a control policy for the virtual machine, and the control policy packet may include at least one of the following control policies: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy, and a maximum traffic jitter strategy.
For example, an access control policy for a virtual machine may be defined as a denial of forwarding a packet sent to a virtual machine.
The obtaining submodule 312 is configured to obtain the MAC address of the virtual machine according to the virtual machine identifier in the first control policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to the virtual machine identifier to the switch, the switch can store the virtual machine identifier and the virtual machine MAC address in a local database.
One virtual machine can have one or more network ports, each network port corresponds to one virtual MAC address, so that one virtual machine can have one or more virtual MAC addresses, and the switch can acquire the one or more MAC addresses from the network management center.
After receiving the first control policy for the virtual machine from the network management center, the switch extracts the virtual machine identifier of the virtual machine from the first control policy, and then queries the corresponding MAC address in the local database according to the virtual machine identifier.
And the conversion module 313 is configured to replace the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain a second control policy.
The conversion module 313 is specifically configured to replace the virtual machine identifier in the first control policy one by one with the N MAC addresses to obtain N second control policies, where the N second control policies correspond to the N MAC addresses one to one.
If the virtual machine has only one network port, that is, only one MAC address, the virtual machine identifier in the first control strategy for the virtual machine is directly replaced by that MAC address to obtain the second control strategy for the MAC address. If the virtual machine has a plurality of network ports, that is, a plurality of MAC addresses MAC1, MAC2, MAC3, ..., MACn, replacing the virtual machine identifier in the first control strategy with MAC1 yields a second control strategy for the MAC1 address; replacing it with MAC2 yields a second control strategy for the MAC2 address; and once each of the n MAC addresses has been used to replace the virtual machine identifier in the first control strategy, n second control strategies are obtained.
After the control module 310 in the switch converts the first control policy for the virtual machine into the second control policy for the MAC address, the second control policy is sent to the switching module, so that the switching module 320 processes the data packet originated from or sent to the MAC address according to the second control policy.
The switching module 320 is configured to receive the second control policy from the control module, and perform forwarding or forwarding rejection processing on the received data packet with the MAC address as a destination address or a source address according to the second control policy.
Of course, if, after receiving a data packet with the MAC address as the destination address or the source address, the switching module 320 determines by a local query that no corresponding second control policy is configured locally, the control module 310 may issue the second control policy to the switching module 320. If the control module 310 does not have a corresponding second control policy either, the first control policy for the virtual machine and the corresponding virtual machine MAC address may be obtained from the network management center, and the first control policy is converted into the second control policy and then sent to the switching module 320.
Preferably, when the address of the virtual machine is changed, the receiving submodule 311 is further configured to receive an address change message for the virtual machine, where the address change message carries an updated MAC address; the conversion module 313 is further configured to replace the MAC address in the second control strategy with the updated MAC address to obtain a third control strategy. Specifically, after the virtual machine is migrated, the MAC address of the virtual machine may also change correspondingly, and after the network management center acquires the migration information, the network management center may also actively send the updated MAC address to the switch through the address change message, and the switch may replace the MAC address in the stored second control policy with the updated MAC address to obtain the third control policy. If m updated MAC addresses exist, each MAC address in the m MAC addresses is used for replacing the original MAC address in the second control strategy, and then m third control strategies can be obtained.
Optionally, after the updated MAC address is obtained, a first control policy for the virtual machine may also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and each MAC address in the m MAC addresses is used to replace the virtual machine identifier in the first control policy, so that m second control policies may be obtained.
It should be noted here that, since the second control policy for the original MAC address was itself converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted after the MAC address of the virtual machine is changed. On the one hand this saves space; on the other hand it prevents erroneous policy control from being applied to another virtual machine whose MAC address is later changed to the original MAC address.
Preferably, the switch further includes a replacement submodule 314. After a control policy for a virtual machine is changed, the receiving submodule 311 is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine; the conversion module 313 is further configured to obtain the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy; and the replacement submodule 314 is configured to replace the second control policy with the second update control policy. Specifically, if the user updates the control policy for the virtual machine through the network management center, the network management center may send the updated control policy to the switch. After receiving the updated control policy, the switch may convert it into the control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, thereby implementing dynamic configuration of the control policy.
Therefore, the embodiment of the invention realizes configuration and management of the control policy at the MAC address level, solves the problems of high equipment requirements and high cost in the prior-art method of configuring the virtual machine control policy by using the VN-tag technology, saves a large amount of economic cost, and makes policy control at the virtual machine level easier to realize.
Correspondingly, an embodiment of the present invention further provides a switch, and Fig. 4 is a schematic diagram of another switch provided in the embodiment of the present invention. As shown in Fig. 4, the switch provided in the present embodiment includes a network interface 401, a processor 402, and a memory 403. The system bus 404 is used to connect the network interface 401, the processor 402, and the memory 403.
The network interface 401 may be used to communicate with a network management center and the physical host where the virtual machine resides, respectively.
The memory 403 may be a permanent memory, such as a hard disk drive and a flash memory, and the memory 403 may have a software module and a device driver therein, and may also hold a database for storing control policies. The software module can execute various functional modules of the method; the device drivers may be network and interface drivers.
At startup, these software components are loaded into memory 403 and then accessed by processor 402 to execute the following instructions:
receiving a first control strategy aiming at a virtual machine;
acquiring the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy;
and replacing the virtual machine identifier in the first control strategy by using the MAC address of the virtual machine to obtain a second control strategy.
Wherein the first control policy comprises at least one of the following control policies: an access control policy, a resource reservation policy, a traffic priority policy, a maximum traffic delay policy, a maximum traffic packet loss rate policy and a maximum traffic jitter policy.
After the network management center sends the virtual machine identifier of the virtual machine and the MAC address corresponding to the virtual machine identifier to the switch, the switch can store the virtual machine identifier and the virtual machine MAC address in a local database.
One virtual machine can have one or more network ports, each network port corresponds to one virtual MAC address, so that one virtual machine can have one or more virtual MAC addresses, and the switch can acquire the one or more MAC addresses from the network management center.
After the network management center receives the first control policy of the virtual machine, the switch extracts the virtual machine identifier of the virtual machine from the first control policy, and then queries the corresponding MAC address in the local database according to the virtual machine identifier.
Further, after obtaining the second control strategy, the processor 402 accesses the software component of the memory 403 to execute the following steps:
receiving an address change message aiming at the virtual machine, wherein the address change message carries an updated MAC address;
and replacing the MAC address in the second control strategy by using the updated MAC address to obtain a third control strategy.
Specifically, after the virtual machine is migrated, the MAC address of the virtual machine may also change correspondingly, and after the network management center acquires the migration information, the network management center may also actively send the updated MAC address to the switch through the address change message, and the switch may replace the MAC address in the stored second control policy with the updated MAC address to obtain the third control policy. If m updated MAC addresses exist, each MAC address in the m MAC addresses is used for replacing the original MAC address in the second control strategy, and then m third control strategies can be obtained.
Optionally, after the updated MAC address is obtained, a first control policy for the virtual machine may also be obtained from the network management center according to the virtual machine identifier corresponding to the MAC address, and each MAC address in the m MAC addresses is used to replace the virtual machine identifier in the first control policy, so that m second control policies may be obtained.
It should be noted here that, since the second control policy for the original MAC address was itself converted from the first control policy for the corresponding virtual machine identifier, the second control policy for the original MAC address can be deleted after the MAC address of the virtual machine is changed. On the one hand this saves space; on the other hand it prevents erroneous policy control from being applied to another virtual machine whose MAC address is later changed to the original MAC address.
Further, after obtaining the second control strategy, the processor 402 accesses the software component of the memory 403 to execute the following steps:
receiving a first update control policy for the virtual machine, wherein the first update control policy comprises the virtual machine identifier of the virtual machine;
acquiring the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first updating control strategy with the MAC address to obtain a second updating control strategy;
replacing the second control strategy with the second updated control strategy.
Specifically, if the user updates the control policy for the virtual machine through the network management center, the network management center may send the updated control policy to the switch. After receiving the updated control policy, the switch may convert it into the control policy for the corresponding MAC address and replace the previously saved second control policy with the updated control policy for the MAC address, thereby implementing dynamic configuration of the control policy.
Further, before the MAC address of the virtual machine is queried according to the virtual machine identifier in the first control policy, the processor 402 accesses the software component of the memory 403 and performs the following process: receiving the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, wherein N is greater than or equal to 1.
The process in which the processor 402 replaces the virtual machine identifier in the first control policy with the MAC address of the virtual machine to obtain the second control policy specifically includes: replacing the virtual machine identifier in the first control policy with the N MAC addresses one by one to obtain N second control policies, wherein the N second control policies correspond one to one with the N MAC addresses.
Further, after the switch receives the data packet through the network interface 401, the processor 402 accesses the software component of the memory 403 to execute the following procedure: processing the received data packet with the MAC address as a destination address or a source address according to the second control policy. Specifically, a data packet with the MAC address as a destination address or a source address is received, and the data packet is forwarded or refused forwarding according to the second control policy.
Therefore, the embodiment of the invention realizes configuration and management of the control policy at the MAC address level, solves the problems of high equipment requirements and high cost in the prior-art method of configuring the virtual machine control policy by using the VN-tag technology, saves a large amount of economic cost, and makes policy control at the virtual machine level easier to realize.
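The conversion, address-change and stale-policy steps described for both switch embodiments above, as an added Python example that is not part of the patent. The names `Policy`, `ControlModule` and `migration_scenario`, the default-forward and deny-wins behaviours, and the sample MAC addresses are assumptions made for illustration; only access control is modelled.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    subject: str   # VM identifier (first policy) or MAC address (second/third policy)
    action: str    # "forward" or "deny"


class ControlModule:
    """Hypothetical model of the control module's policy conversion."""

    DEFAULT_ACTION = "forward"   # assumption: the page does not define a default

    def __init__(self):
        self.vm_macs = {}   # local database: VM identifier -> list of MAC addresses
        self.by_mac = {}    # MAC -> policy handed to the switching module

    def learn_vm(self, vm_id, macs):
        """Store the VM identifier and its N >= 1 MAC addresses."""
        if not macs:
            raise ValueError("a VM needs at least one MAC address")
        self.vm_macs[vm_id] = [m.lower() for m in macs]

    def install(self, first_policy):
        """Convert a first (or first update) policy into N second policies.

        Installing again for the same VM replaces the earlier second policies.
        """
        macs = self.vm_macs.get(first_policy.subject)
        if macs is None:
            raise KeyError(f"no MAC addresses known for {first_policy.subject!r}")
        second = [replace(first_policy, subject=mac) for mac in macs]
        self.by_mac.update({p.subject: p for p in second})
        return second

    def address_change(self, vm_id, new_macs, purge_stale=True):
        """Rewrite the stored second policy for the m updated MACs (third policies)."""
        old_macs = self.vm_macs[vm_id]
        new_macs = [m.lower() for m in new_macs]
        template = self.by_mac.get(old_macs[0])
        third = [] if template is None else [replace(template, subject=m) for m in new_macs]
        if purge_stale:
            # Delete policies keyed on the original MACs so they cannot
            # match another VM that is later given one of those addresses.
            for mac in old_macs:
                self.by_mac.pop(mac, None)
        self.by_mac.update({p.subject: p for p in third})
        self.vm_macs[vm_id] = new_macs
        return third

    def decide(self, src_mac, dst_mac):
        """Switching-module decision; assumption: deny wins if either end is denied."""
        actions = [self.by_mac[m].action
                   for m in (src_mac.lower(), dst_mac.lower()) if m in self.by_mac]
        if "deny" in actions:
            return "deny"
        return actions[0] if actions else self.DEFAULT_ACTION


def migration_scenario(purge_stale):
    """Constructed scenario: vm-a changes MAC, then vm-b is given vm-a's old MAC."""
    cm = ControlModule()
    old_a = ["02:00:00:00:0a:01", "02:00:00:00:0a:02"]   # constructed sample MACs
    new_a = ["02:00:00:00:0a:03"]
    peer = "02:00:00:00:ff:01"
    cm.learn_vm("vm-a", old_a)
    cm.install(Policy("vm-a", "deny"))
    before = cm.decide(old_a[0], peer)
    cm.address_change("vm-a", new_a, purge_stale=purge_stale)
    cm.learn_vm("vm-b", [old_a[0]])   # vm-b has no policy of its own
    return {"vm_a_before": before,
            "vm_a_after": cm.decide(peer, new_a[0]),
            "vm_b_on_reused_mac": cm.decide(old_a[0], peer)}


if __name__ == "__main__":
    print("purge stale:", migration_scenario(True))
    print("keep stale: ", migration_scenario(False))
```

With `purge_stale=False` the policy written for vm-a still matches frames from vm-b on the reused address, which is the erroneous policy control the description says deletion prevents.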
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (12)

1. A method for configuring a virtual machine control policy, the method comprising:
receiving a first control strategy aiming at a virtual machine;
acquiring the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy;
replacing the virtual machine identifier in the first control strategy by using the MAC address of the virtual machine to obtain a second control strategy;
receiving a data packet with the MAC address as a destination address or a source address, wherein when the data packet with the MAC address as the source address is received, the source address is not modified, and when the data packet with the MAC address as the destination address is received, the destination address is not filtered;
and forwarding the data packet or refusing to forward the data packet according to the second control strategy.
2. The method according to claim 1, wherein after obtaining the second control policy, the method further comprises:
receiving an address change message aiming at the virtual machine, wherein the address change message carries an updated MAC address;
and replacing the MAC address in the second control strategy by using the updated MAC address to obtain a third control strategy.
3. The method according to claim 1, wherein after obtaining the second control policy, the method further comprises:
receiving a first update control policy for the virtual machine, wherein the first update control policy comprises the virtual machine identifier of the virtual machine;
acquiring the MAC address corresponding to the virtual machine identifier, and replacing the virtual machine identifier in the first updating control strategy with the MAC address to obtain a second updating control strategy;
replacing the second control strategy with the second updated control strategy.
4. The method according to claim 1, wherein before acquiring the MAC address of the virtual machine according to the virtual machine identifier in the first control policy, the method further includes: receiving the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, wherein N is greater than or equal to 1.
5. The method according to claim 4, wherein the replacing the virtual machine identifier in the first control policy with the MAC address of the virtual machine obtains a second control policy specifically as follows:
and replacing the virtual machine identification in the first control strategy one by using the N MAC addresses to obtain N second control strategies, wherein the N second control strategies are respectively in one-to-one correspondence with the N MAC addresses.
6. The method for configuring the virtual machine control strategy according to any one of claims 1 to 5, wherein the first control strategy comprises at least one of the following control strategies: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy and a maximum traffic jitter strategy.
7. A switch, characterized by comprising a control module, wherein the control module comprises a receiving submodule, an obtaining submodule and a converting submodule;
the receiving submodule is used for receiving a first control strategy aiming at the virtual machine;
the obtaining submodule is used for obtaining the MAC address of the virtual machine according to the virtual machine identifier in the first control strategy;
the conversion submodule is used for replacing the virtual machine identifier in the first control strategy by using the MAC address of the virtual machine to obtain a second control strategy;
the switch also comprises a switching module, and the switching module is connected with the control module;
the switching module is configured to receive the second control policy from the control module, and receive a data packet with the MAC address as a destination address or a source address, where the source address is not modified when the data packet with the MAC address as the source address is received, and the destination address is not filtered when the data packet with the MAC address as the destination address is received; and according to the second control strategy, forwarding or refusing forwarding processing is carried out on the received data packet with the MAC address as a destination address or a source address.
8. The switch of claim 7, wherein the receiving sub-module is further configured to receive an address change message for the virtual machine, the address change message carrying an updated MAC address;
and the conversion module is also used for replacing the MAC address in the second control strategy by the updated MAC address to obtain a third control strategy.
9. The switch of claim 7, further comprising a replacement submodule;
the receiving submodule is further configured to receive a first update control policy for the virtual machine, where the first update control policy includes the virtual machine identifier of the virtual machine;
the conversion submodule is further configured to obtain the MAC address corresponding to the virtual machine identifier, and replace the virtual machine identifier in the first update control policy with the MAC address to obtain a second update control policy;
the replacement sub-module is configured to replace the second control strategy with the second updated control strategy.
10. The switch of claim 7, wherein the receiving submodule is further configured to receive the virtual machine identifier and N MAC addresses corresponding to the virtual machine identifier, where N is greater than or equal to 1.
11. The switch according to claim 10, wherein the conversion module is specifically configured to replace the virtual machine identifier in the first control policy one by one with the N MAC addresses to obtain N second control policies, where the N second control policies correspond to the N MAC addresses one to one.
12. The switch according to any of claims 7-11, wherein the control policy includes, but is not limited to, one or a combination of any of the following: an access control strategy, a resource reservation strategy, a traffic priority strategy, a maximum traffic delay strategy, a maximum traffic packet loss rate strategy and a maximum traffic jitter strategy.
CN201280002960.0A 2012-12-21 2012-12-21 The collocation method of virtual machine control strategy and switch Active CN103229489B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/087123 WO2014094287A1 (en) 2012-12-21 2012-12-21 Configuration method of virtual machine control policy and exchange

Publications (2)

Publication Number Publication Date
CN103229489A CN103229489A (en) 2013-07-31
CN103229489B CN103229489B (en) 2016-05-25

Family

ID=48838364

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280002960.0A Active CN103229489B (en) 2012-12-21 2012-12-21 The collocation method of virtual machine control strategy and switch

Country Status (2)

Country Link
CN (1) CN103229489B (en)
WO (1) WO2014094287A1 (en)

Also Published As

Publication number Publication date
WO2014094287A1 (en) 2014-06-26
CN103229489A (en) 2013-07-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20211221

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: xFusion Digital Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address

Address after: 450000 Henan Province, Zhengzhou City, Free Trade Zone Zhengzhou Area (Zhengdong), Inner Ring North Road of Longhu, No. 99

Patentee after: Super Fusion Digital Technology Co.,Ltd.

Country or region after: China

Address before: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee before: xFusion Digital Technologies Co., Ltd.

Country or region before: China