
CN104506614A - Design method for distributed multi-activity data center based on cloud computing - Google Patents


Info

Publication number: CN104506614A
Authority: CN (China)
Prior art keywords: network, data center, switch, cloud computing, security protection
Legal status: Granted (current status: Active)
Application number: CN201410805490.2A
Other languages: Chinese (zh)
Other versions: CN104506614B (en)
Inventors: 夏飞, 崔恒志, 何金陵, 孙祥刚, 郑海雁, 官国飞, 葛崇慧
Current assignees: State Grid Corp of China SGCC; State Grid Jiangsu Electric Power Co Ltd; Jiangsu Fangtian Power Technology Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original assignees: the same as the current assignees
Priority date: 2014-12-22
Filing date: 2014-12-22
Publication date: 2015-04-08 (CN104506614A); granted and published as CN104506614B on 2018-07-31
Application filed by: State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, Jiangsu Fangtian Power Technology Co Ltd, Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L 63/105 Multiple levels of security
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers > H04L 67/1034 Reaction to server failures by a load balancer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a design method for a distributed multi-active data center based on cloud computing, comprising the following steps: (1) the data center network adopts a large layer-2 architecture and, through a large-scale layer-2 network and VLAN extension, allows virtual machines to be migrated over a wide range inside the data center; (2) virtual switch technology is used to achieve fault isolation in the data center network; (3) the data center network uses board extension (remote line card) technology to connect the access switches, and this technology also lets the data center network become aware of virtual machines; (4) a physically separated but logically unified cross-data-center network is designed and built to interconnect the data centers, and a distributed virtualized data center is established on top of it; (5) the security protection of the data center is multi-layered, comprising device-level security protection, network-level security protection and system-level active security protection.

Description

A design method for a distributed multi-active data center based on cloud computing

Technical field

The invention relates to a design method for a distributed multi-active data center based on cloud computing, and belongs to the technical field of power-system informatization.

Background

After data consolidation, enterprise business activities depend increasingly on IT infrastructure such as data centers and networks, and round-the-clock continuity of IT services has become the goal of large-enterprise IT construction, operation and business management. The data center is the core site for computing equipment and the key carrier of massive data. With the arrival of the cloud computing and big data era, data center construction has entered a new wave: data centers are developing toward large-scale, intensive facilities, and customers place higher demands on data center solutions. Green energy saving, intelligence and automated management are the development trends of the data center.

For disaster recovery, enterprises generally build two or more data centers. The primary data center carries the user's core business; the other data centers mainly carry non-critical business and at the same time back up the data, configuration and business of the primary center. Under normal conditions the primary and backup centers each perform their own duties; when a disaster occurs and the primary data center goes down, the backup data center can quickly restore data and applications, reducing the losses the disaster causes to users.

Because disasters are rare events, in the one-primary, one-backup arrangement the backup data center only comes into play when a disaster actually occurs; as enterprise disaster-recovery standards rise, ever more IT resources and funds are invested in backup, yet the two sites cannot directly reuse each other's resources, which results in waste. Moreover, in the primary/backup mode the backup center needs a long time and a complex set of relationships to take over from the primary center, which often seriously disrupts the user's business. To overcome these drawbacks, users in many industries, including energy and electric power, have turned their attention to building "distributed multi-active data centers", which distribute business across multiple data centers that serve customers in parallel. Distributed multi-active has two key characteristics, distribution and multi-activity, and reflects a new way of thinking about resource scheduling and flexible business deployment when enterprise users build and use data centers.

Summary of the invention

The purpose of the present invention is to provide a design method for a distributed multi-active data center based on cloud computing that solves the problem of network expansion inside the data center and provides convenient, fast and reliable concurrent access to large data files after applications have migrated between servers.

To overcome the deficiencies of the prior art and solve the above technical problems, the present invention adopts the following technical solution: a design method for a distributed multi-active data center based on cloud computing, characterized in that it comprises the following steps:

(1) the data center network adopts a large layer-2 architecture and, through a large-scale layer-2 network and VLAN extension, allows virtual machines to be migrated over a wide range inside the data center;

(2) virtual switch technology is used to achieve fault isolation in the data center network;

(3) the data center network uses board extension technology to connect the access switches, and this technology also lets the data center network become aware of virtual machines;

(4) a physically separated but logically unified cross-data-center network is designed and built to interconnect the data centers, and a distributed virtualized data center is established on top of that network, so that computing capacity can flow freely between different data centers;

(5) the security protection of the data center is multi-layered, comprising device-level security protection, network-level security protection and system-level active security protection.

Preferably, step (2) comprises: one switch is logically divided into multiple virtual switches that are completely separated from one another; each virtual switch has its own independent layer-2 and layer-3 protocol stacks and software processes, and its own independent administrator. Because the software processes of each virtual switch are completely independent, a fault in one virtual switch does not affect the others, which achieves thorough fault isolation.

Preferably, step (3) comprises: the board extension technology is implemented with the IEEE 802.1qbh protocol; the control planes and forwarding planes of multiple originally interconnected TOR (Top of Rack, rack switch) switching units are merged, so that several switches combine into the state of a single switch and the TOR access switches originally distributed across the racks become remote line cards of the new switch. Under this architecture a TOR switching unit is no longer a separately managed network element, and neither layer-2 spanning tree nor layer-3 routing protocols are needed to maintain the network topology.

Preferably, step (3) comprises: using board extension technology based on IEEE 802.1qbh, a network card supporting the IEEE 802.1qbh protocol is installed in the server; the card can be divided into multiple virtual network cards, each corresponding to a virtual machine, and the card is at the same time a remote line card of the external switch, so that management and policy distribution can be carried out on the external switch. This method does not consume the server's CPU resources and therefore offers higher switching performance.

Preferably, step (4) comprises: the cross-data-center network uses OTV technology to connect the data center networks across the IP backbone. OTV borrows part of the Eo-MPLS-OGRE data-frame encapsulation but uses a completely different control plane, establishing adjacencies through ISIS and exchanging MAC address tables between the data centers. OTV requires only IP reachability from the IP backbone and no MPLS support, which greatly simplifies network maintenance; at the same time, because the control plane and forwarding plane are separated, it effectively prevents the layer-2 network from flooding onto the IP backbone, and there is no need to stretch spanning tree across the inter-data-center IP backbone, which greatly improves the stability of the whole network.

Preferably, step (5) comprises: network-level security comprises user access authentication, authorization and auditing to prevent illegitimate access, transmission encryption to prevent information leakage and eavesdropping, and security zoning and isolation to prevent unauthorized access; system-level active security protection comprises admission control so that only "healthy" machines can join the network, prior detection with immediate traffic diversion to prevent large-scale DDoS attacks, and global security management. As the platform over which information is transmitted, the network has the ability and the opportunity to protect information resources first; an intelligent defensive network must achieve what might be called "foresight", protecting against potential threats before they develop into security attacks.

Preferably, step (5) comprises: network-level security protection uses ACL control; an ACL is configured on each interface that is permitted to admit network traffic, and otherwise the data center network rejects the network traffic on that interface.

Preferably, step (5) comprises: the ACL comprises multiple entries made up of a series of statements; each entry comprises an execution unit that permits or denies network traffic (inbound and outbound) to the parts of the network specified in the entry, and a filter unit based on source address, destination address, protocol and protocol-specific parameters; and every ACL ends with an implicit deny-all entry.

Beneficial effects of the invention: through VPC virtual machine technology and board extension technology, the problem of network expansion inside the data center is solved, and convenient, fast and reliable concurrent access to large data files after applications have migrated between servers is achieved.

Meanings of the English abbreviations used in the description:

TOR: Top of Rack, the rack (cabinet) switch;

OTV: Overlay Transport Virtualization;

ISIS: Intermediate System to Intermediate System, a hierarchical link-state routing protocol;

Adjacency: the association between selected neighbouring routers and end nodes;

MPLS: Multi-Protocol Label Switching, an architecture for fast packet switching and routing that provides destination, routing address, forwarding and switching capabilities for network traffic;

DDoS: Distributed Denial of Service attack, in which client/server technology is used to combine multiple computers into an attack platform that launches a denial-of-service attack on one or more targets, multiplying the power of the attack;

ACL: Access Control List, a list of instructions on a router or switch interface used to control the packets entering and leaving the port;

OGRE: Object-Oriented Graphics Rendering Engine, a scene-oriented, very flexible 3D engine developed in C++.

Brief description of the drawings

FIG. 1 is a flowchart of the design method for a distributed multi-active data center based on cloud computing according to the present invention.

Detailed description

The present invention is described further below with reference to the accompanying drawing. The following embodiments serve only to illustrate the technical solution of the present invention more clearly and do not limit its scope of protection.

FIG. 1 shows a flowchart of the design method for a distributed multi-active data center based on cloud computing according to the present invention. The present invention provides a design method for a distributed multi-active data center based on cloud computing that solves the problem of network expansion inside the data center and provides convenient, fast and reliable concurrent access to large data files after applications have migrated between servers; it comprises the following steps:

(1) the data center network adopts a large layer-2 architecture and, through a large-scale layer-2 network and VLAN extension, allows virtual machines to be migrated over a wide range inside the data center;

(2) virtual switch technology is used to achieve fault isolation in the data center network;

(3) the data center network uses board extension technology to connect the access switches, and this technology also lets the data center network become aware of virtual machines;

(4) a physically separated but logically unified cross-data-center network is designed and built to interconnect the data centers, and a distributed virtualized data center is established on top of that network, so that computing capacity can flow freely between different data centers;

(5) the security protection of the data center is multi-layered, comprising device-level security protection, network-level security protection and system-level active security protection.

Preferably, step (2) comprises: one switch is logically divided into multiple virtual switches that are completely separated from one another; each virtual switch has its own independent layer-2 and layer-3 protocol stacks and software processes, and its own independent administrator. Because the software processes of each virtual switch are completely independent, a fault in one virtual switch does not affect the others, which achieves thorough fault isolation.

Preferably, step (3) comprises: the board extension technology is implemented with the IEEE 802.1qbh protocol; the control planes and forwarding planes of multiple originally interconnected TOR (Top of Rack, rack switch) switching units are merged, so that several switches combine into the state of a single switch and the TOR access switches originally distributed across the racks become remote line cards of the new switch. Under this architecture a TOR switching unit is no longer a separately managed network element, and neither layer-2 spanning tree nor layer-3 routing protocols are needed to maintain the network topology.

Preferably, step (3) comprises: using board extension technology based on IEEE 802.1qbh, a network card supporting the IEEE 802.1qbh protocol is installed in the server; the card can be divided into multiple virtual network cards, each corresponding to a virtual machine, and the card is at the same time a remote line card of the external switch, so that management and policy distribution can be carried out on the external switch. This method does not consume the server's CPU resources and therefore offers higher switching performance.

Preferably, step (4) comprises: the cross-data-center network uses OTV technology to connect the data center networks across the IP backbone. OTV borrows part of the Eo-MPLS-OGRE data-frame encapsulation but uses a completely different control plane, establishing adjacencies through ISIS and exchanging MAC address tables between the data centers. OTV requires only IP reachability from the IP backbone and no MPLS support, which greatly simplifies network maintenance; at the same time, because the control plane and forwarding plane are separated, it effectively prevents the layer-2 network from flooding onto the IP backbone, and there is no need to stretch spanning tree across the inter-data-center IP backbone, which greatly improves the stability of the whole network.
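The control-plane/data-plane split that step (4) relies on (here and in the summary above) is easier to see in a small model. The following is an added example, not code from the patent or from any OTV implementation; the class names, the MAC addresses and the join addresses 192.0.2.1/192.0.2.2 are constructed. It models MAC reachability being advertised over the adjacency, forwarding to a remote site needing only the remote edge's IP address, unknown unicast staying inside the site instead of being flooded onto the backbone, and a MAC being re-homed when a virtual machine moves to the other data center.

```python
"""Simplified model of the OTV behaviour described in step (4): MAC reachability
is exchanged over a control-plane adjacency between edge devices, the data plane
only needs IP reachability to the remote edge, and unknown-unicast frames are
never flooded across the IP backbone. The classes and names are this example's
own (hypothetical), not an OTV implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class OverlayAdjacency:
    """Stands in for the ISIS adjacency over which edges advertise MAC tables."""

    def __init__(self) -> None:
        self.edges: List["OtvEdge"] = []

    def join(self, edge: "OtvEdge") -> None:
        self.edges.append(edge)

    def advertise(self, origin: "OtvEdge", mac: str) -> None:
        # Control-plane update: every other edge learns that mac sits behind origin.
        for edge in self.edges:
            if edge is not origin:
                edge.receive_advertisement(mac, origin.join_ip)

    def withdraw(self, origin: "OtvEdge", mac: str) -> None:
        # Control-plane withdrawal: remote edges drop the entry they learned from origin.
        for edge in self.edges:
            if edge is not origin:
                edge.remote_macs.pop(mac, None)


@dataclass
class OtvEdge:
    site: str
    join_ip: str                       # the edge's own address on the IP backbone
    adjacency: OverlayAdjacency
    local_macs: Dict[str, str] = field(default_factory=dict)   # MAC -> local port
    remote_macs: Dict[str, str] = field(default_factory=dict)  # MAC -> remote join IP

    def __post_init__(self) -> None:
        self.adjacency.join(self)

    def learn_local(self, mac: str, port: str) -> None:
        """Data-plane learning inside the site, then advertised to the other sites.
        This is also how a VM that migrated into this data center is re-homed."""
        self.local_macs[mac] = port
        self.remote_macs.pop(mac, None)
        self.adjacency.advertise(self, mac)

    def receive_advertisement(self, mac: str, remote_ip: str) -> None:
        # A MAC now advertised by another site is no longer local here (the VM moved).
        self.local_macs.pop(mac, None)
        self.remote_macs[mac] = remote_ip

    def age_out(self, mac: str) -> None:
        """A local entry expired: withdraw it so other sites stop sending to us."""
        if self.local_macs.pop(mac, None) is not None:
            self.adjacency.withdraw(self, mac)

    def forward(self, dst_mac: str) -> Tuple[str, Optional[str]]:
        """Forwarding decision for a unicast frame arriving from inside the site."""
        if dst_mac in self.local_macs:
            return ("local", self.local_macs[dst_mac])
        if dst_mac in self.remote_macs:
            # Encapsulate and send to the remote edge; only IP reachability is needed.
            return ("overlay", self.remote_macs[dst_mac])
        # Unknown unicast: flooded only within the site, never onto the backbone.
        return ("flood-local-only", None)


def build_two_site_overlay() -> Tuple[OtvEdge, OtvEdge]:
    """Constructed example: two data centers joined by one overlay, one VM each."""
    adj = OverlayAdjacency()
    dc_a = OtvEdge("DC-A", "192.0.2.1", adj)
    dc_b = OtvEdge("DC-B", "192.0.2.2", adj)
    dc_a.learn_local("00:00:5e:00:53:01", "Eth1/1")   # VM1 in DC-A
    dc_b.learn_local("00:00:5e:00:53:02", "Eth1/5")   # VM2 in DC-B
    return dc_a, dc_b


if __name__ == "__main__":
    dc_a, dc_b = build_two_site_overlay()
    print("DC-A -> VM2:", dc_a.forward("00:00:5e:00:53:02"))
    print("DC-A -> unknown MAC:", dc_a.forward("00:00:5e:00:53:ff"))
    dc_b.learn_local("00:00:5e:00:53:01", "Eth1/7")   # VM1 migrates to DC-B
    print("DC-A -> VM1 after migration:", dc_a.forward("00:00:5e:00:53:01"))
```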

Preferably, step (5) comprises: network-level security comprises user access authentication, authorization and auditing to prevent illegitimate access, transmission encryption to prevent information leakage and eavesdropping, and security zoning and isolation to prevent unauthorized access; system-level active security protection comprises admission control so that only "healthy" machines can join the network, prior detection with immediate traffic diversion to prevent large-scale DDoS attacks, and global security management. As the platform over which information is transmitted, the network has the ability and the opportunity to protect information resources first; an intelligent defensive network must achieve what might be called "foresight", protecting against potential threats before they develop into security attacks.

Preferably, step (5) comprises: network-level security protection uses ACL control; an ACL is configured on each interface that is permitted to admit network traffic, and otherwise the data center network rejects the network traffic on that interface.

Preferably, step (5) comprises: the ACL comprises multiple entries made up of a series of statements; each entry comprises an execution unit that permits or denies network traffic (inbound and outbound) to the parts of the network specified in the entry, and a filter unit based on source address, destination address, protocol and protocol-specific parameters; and every ACL ends with an implicit deny-all entry.
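The two ACL rules of step (5) (an interface without an ACL rejects all traffic; each entry is an execution unit plus a filter unit, evaluated in order with an implicit deny-all at the end) can be checked against sample packets with the following added example, which is not code from the patent. The interface names, addresses and the policy itself are constructed; the shadowed-entry audit goes beyond the text and flags entries that can never match because an earlier entry already covers them, the usual way an ordered ACL silently fails to enforce its intent.

```python
"""Model of the interface ACL policy from step (5): an interface with no ACL
bound rejects everything; each entry is an execution unit (permit/deny) plus a
filter unit (source, destination, protocol, protocol-specific parameter); entries
are evaluated in order and an implicit deny-all terminates every list."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (protocol-specific parameter)


@dataclass(frozen=True)
class AclEntry:
    action: str                  # execution unit: "permit" or "deny"
    src: str                     # filter unit: source network in CIDR notation
    dst: str                     # filter unit: destination network in CIDR notation
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the filter unit matches the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate_acl(entries: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry decides; returns (action, index of that entry).
    An index of None means the implicit deny-all entry at the end of the list fired."""
    for i, entry in enumerate(entries):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


def filter_on_interface(bindings: Dict[str, List[AclEntry]],
                        interface: str, pkt: Packet) -> str:
    """Interface-level rule from the description: traffic is admitted only on an
    interface that has an ACL configured; any other interface rejects it outright."""
    entries = bindings.get(interface)
    if entries is None:
        return "deny"
    return evaluate_acl(entries, pkt)[0]


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Audit helper (hypothetical, not from the patent): indexes of entries that can
    never match because an earlier entry already covers every packet they would."""
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("ip", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample policy for an interface facing an application zone
# (assumed addressing; not taken from the patent).
ACL_APP_ZONE = [
    AclEntry("deny",   "0.0.0.0/0",  "10.20.0.0/16", "tcp", 22),   # no SSH into the zone
    AclEntry("permit", "10.0.0.0/8", "10.20.0.0/16", "tcp", 443),  # HTTPS from the campus
    AclEntry("permit", "10.0.0.0/8", "10.20.0.0/16", "icmp"),      # reachability checks
]
BINDINGS = {"Ethernet1/1": ACL_APP_ZONE}   # Ethernet1/2 has no ACL bound at all

if __name__ == "__main__":
    samples = [
        ("Ethernet1/1", Packet("10.1.2.3", "10.20.5.6", "tcp", 443)),
        ("Ethernet1/1", Packet("10.1.2.3", "10.20.5.6", "tcp", 22)),
        ("Ethernet1/1", Packet("10.1.2.3", "10.20.5.6", "udp", 53)),
        ("Ethernet1/2", Packet("10.1.2.3", "10.20.5.6", "tcp", 443)),
    ]
    for iface, pkt in samples:
        print(iface, pkt, "->", filter_on_interface(BINDINGS, iface, pkt))
    print("shadowed entries:", shadowed_entries(ACL_APP_ZONE))
```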

The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (8)

1. A design method for a distributed multi-active data center based on cloud computing, characterized in that it comprises the following steps:
(1) the data center network adopts a large layer-2 architecture and, through a large-scale layer-2 network and VLAN extension, allows virtual machines to be migrated over a wide range inside the data center;
(2) virtual switch technology is used to achieve fault isolation in the data center network;
(3) the data center network uses board extension technology to connect the access switches, and the board extension technology also lets the data center network become aware of virtual machines;
(4) a physically separated but logically unified cross-data-center network is designed and built to interconnect the data centers, and a distributed virtualized data center is established on the basis of that cross-data-center network, so that computing capacity can flow freely between different data centers;
(5) the security protection of the data center adopts multi-level security protection, comprising device-level security protection, network-level security protection and system-level active security protection.
2. The design method for a distributed multi-active data center based on cloud computing according to claim 1, characterized in that step (2) comprises: one switch is logically divided into multiple virtual switches that are completely separated from one another; each virtual switch has its own independent layer-2 and layer-3 protocol stacks and software processes, and its own independent administrator.
3. The design method for a distributed multi-active data center based on cloud computing according to claim 1, characterized in that step (3) comprises: the board extension technology is implemented with the IEEE 802.1qbh protocol; the control planes and forwarding planes of multiple originally interconnected TOR switching units are merged, so that several switches combine into the state of a single switch, and the TOR access switches originally distributed across the racks become remote line cards of the new switch.
4. The design method for a distributed multi-active data center based on cloud computing according to claim 3, characterized in that step (3) comprises: using board extension technology based on IEEE 802.1qbh, a network card supporting the IEEE 802.1qbh protocol is installed in the server; the network card can be divided into multiple virtual network cards corresponding to virtual machines, and the network card is at the same time a remote line card of the external switch, on which management and policy distribution can be implemented.
5. The design method for a distributed multi-active data center based on cloud computing according to claim 1, characterized in that step (4) comprises: the cross-data-center network uses OTV technology to connect the data center networks across the IP backbone; the OTV technology borrows part of the Eo-MPLS-OGRE data-frame encapsulation, adopts a completely different control plane, establishes adjacencies through ISIS, and exchanges MAC address tables between the data centers.
6. The design method for a distributed multi-active data center based on cloud computing according to claim 1, characterized in that step (5) comprises: network-level security comprises user access authentication, authorization and auditing to prevent illegitimate access, transmission encryption to prevent information leakage and eavesdropping, and security zoning and isolation to prevent unauthorized access; system-level active security protection comprises admission control so that only "healthy" machines can join the network, prior detection with immediate traffic diversion to prevent large-scale DDoS attacks, and global security management.
7. The design method for a distributed multi-active data center based on cloud computing according to claim 6, characterized in that step (5) comprises: network-level security protection uses ACL control; an ACL is configured on each interface that is permitted to admit network traffic, and otherwise the data center network rejects the network traffic on that interface.
8. The design method for a distributed multi-active data center based on cloud computing according to claim 7, characterized in that step (5) comprises: the ACL comprises multiple entries made up of a series of statements; each entry comprises an execution unit that permits or denies network traffic to the parts of the network specified in the entry, and a filter unit based on source address, destination address, protocol and protocol-specific parameters; and every ACL ends with an implicit deny-all entry.
CN201410805490.2A 2014-12-22 2014-12-22 A kind of design method at the more live data centers of distribution based on cloud computing Active CN104506614B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410805490.2A CN104506614B (en) 2014-12-22 2014-12-22 A kind of design method at the more live data centers of distribution based on cloud computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410805490.2A CN104506614B (en) 2014-12-22 2014-12-22 A kind of design method at the more live data centers of distribution based on cloud computing

Publications (2)

Publication Number Publication Date
CN104506614A true CN104506614A (en) 2015-04-08
CN104506614B CN104506614B (en) 2018-07-31

Family

ID=52948329

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410805490.2A Active CN104506614B (en) 2014-12-22 2014-12-22 A kind of design method at the more live data centers of distribution based on cloud computing

Country Status (1)

Country Link
CN (1) CN104506614B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7609619B2 (en) * 2005-02-25 2009-10-27 Cisco Technology, Inc. Active-active data center using RHI, BGP, and IGP anycast for disaster recovery and load distribution
US20130325885A1 (en) * 2012-05-30 2013-12-05 Red Hat Israel, Inc. Provisioning composite applications using a hierarchical data structures
US8694664B2 (en) * 2010-11-23 2014-04-08 Cisco Technology, Inc. Active-active multi-homing support for overlay transport protocol
CN103812929A (en) * 2014-01-11 2014-05-21 浪潮电子信息产业股份有限公司 Active-active method for cloud data center management platforms
CN104243527A (en) * 2013-06-20 2014-12-24 华为技术有限公司 Data synchronization method and device and distributed system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LIU_FANG_YU: "CISCO-Nexus-7000", 《百度文库》 *
思科中国: "Cisco Two Sites, Three Centers: Active-Active Data Center Solution", 《百度文库》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106599694A (en) * 2015-10-14 2017-04-26 广达电脑股份有限公司 Security protection management method, computer system and computer readable storage medium
CN106599694B (en) * 2015-10-14 2019-06-07 广达电脑股份有限公司 Security protection management method, computer system and computer readable storage medium
CN108737263A (en) * 2017-04-19 2018-11-02 阿里巴巴集团控股有限公司 Data center systems and data flow processing method
CN108737263B (en) * 2017-04-19 2021-10-15 阿里巴巴集团控股有限公司 Data center system and data stream processing method
CN108833153A (en) * 2018-06-07 2018-11-16 中国石油天然气股份有限公司 Method for realizing unified management of cloud resources of data center at different places
CN110990200A (en) * 2019-11-26 2020-04-10 苏宁云计算有限公司 Flow switching method and device based on multi-activity data center
CN110990200B (en) * 2019-11-26 2022-07-05 苏宁云计算有限公司 A method and device for traffic switching based on a multi-active data center
CN111371535A (en) * 2020-02-27 2020-07-03 广东南粤银行股份有限公司 Disaster backup system and switching method for different-place main and standby data centers
CN113992680A (en) * 2021-11-10 2022-01-28 中国工商银行股份有限公司 Scheduling method, device, equipment and medium applied to distributed multi-activity system
CN113992680B (en) * 2021-11-10 2024-02-02 中国工商银行股份有限公司 Scheduling method, device, equipment and medium applied to distributed multi-activity system
CN116827813A (en) * 2023-08-15 2023-09-29 广东云下汇金科技有限公司 Multi-data center secure communication method and DCI device
CN116827813B (en) * 2023-08-15 2024-05-31 广东云下汇金科技有限公司 Multi-data center secure communication method and DCI equipment

Also Published As

Publication number Publication date
CN104506614B (en) 2018-07-31

Similar Documents

Publication Publication Date Title
CN104506614B (en) A kind of design method at the more live data centers of distribution based on cloud computing
US12218956B2 (en) Providing a virtual security appliance architecture to a virtual cloud infrastructure
US11159487B2 (en) Automatic configuration of perimeter firewalls based on security group information of SDN virtual firewalls
Jain et al. Network virtualization and software defined networking for cloud computing: a survey
US10205603B2 (en) System and method for using a packet process proxy to support a flooding mechanism in a middleware machine environment
CN106254176B (en) A kind of traffic mirroring method based on openvswitch
US20210306338A1 (en) Role-based access control policy auto generation
US10567344B2 (en) Automatic firewall configuration based on aggregated cloud managed information
US20230013640A1 (en) Session management in a forwarding plane
US11929987B1 (en) Preserving packet flow information across bump-in-the-wire firewalls
CN105224385A (en) A kind of virtualization system based on cloud computing and method
US20240291753A1 (en) Policy enforcement for bare metal servers by top of rack switches
CN115766335A (en) Networking system for sharing technical research result information
CN105915604A (en) Cloud server network system architecture
Mahajan et al. Attacks in software-defined networking: a review
CN116112304A (en) An Endogenous Security Programmable Network System
DeCusatis Data center architectures
Liu et al. Design and study of network isolation between hosts in data centers based on Private VLANs
CN108809958A (en) A kind of SDN controller architectures managing system based on MDC
CN115277532B (en) Data message forwarding method based on service chain and electronic equipment
Kumar et al. Implementing geo-blocking and spoofing protection in multi-domain software defined interconnects
Wang Application Research of MPLS VPN and VR Panoramic Technology in Virtual Network of Party School System
CN119628920A (en) A server network isolation design method based on technology integration
DeCusatis Transforming the data center network
CN117675559A (en) Multi-data center cross-domain intercommunication multi-cloud service arrangement method, device and equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant