
CN107623636B - User isolation method and switch - Google Patents


Info

Publication number
CN107623636B
Authority
CN
China
Prior art keywords
multicast
user
address
switch
identifier
Legal status
Active
Application number
CN201610552867.7A
Other languages
Chinese (zh)
Other versions
CN107623636A (en)
Inventor
顾勤丰
程璞
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201610552867.7A
Publication of CN107623636A
Application granted
Publication of CN107623636B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiment of the invention provides a user isolation method and a switch, relates to the field of communications, and can solve the problem that BUM traffic cannot be isolated among tenants. The method comprises the following steps. A switch monitors the information carried in a first message sent by a first user when the first user comes online. The switch determines that the first user belongs to a first EPG according to the correspondence between the information carried in the first message and an EPG identifier, determines that the first user corresponds to a first IP multicast address according to the EPG identifier and the correspondence between EPG identifiers and IP multicast addresses, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address. The switch then adds the first user to that multicast group. When the switch receives first BUM traffic sent by the first user, it encapsulates the first BUM traffic into first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group. The embodiment of the invention is used for user isolation in VXLAN.

Description

User isolation method and switch
Technical Field
The present invention relates to the field of communications, and in particular, to a user isolation method and a switch.
Background
A Virtual Local Area Network (VLAN) is a group of logical devices and users that are not limited by physical location and can be organized according to function, department, application and other factors; communication among them behaves as if they were in the same network segment, which is why the group is called a virtual LAN. VLANs work at layers 2 and 3 of the Open Systems Interconnection (OSI) reference model.
In a computer network, a layer-2 network may be divided into a number of different broadcast domains, one broadcast domain per tenant, and the different broadcast domains are isolated from each other by default. Communication between different broadcast domains must be forwarded through one or more routers or switches. Such a broadcast domain is a VLAN, and the users under a VLAN can form a tenant, that is, a tenant can include multiple users. A tenant can be understood as an End-Point Policy Group (EPG): all users in one tenant form one EPG. Communication between different VLANs or different tenants is accomplished through layer-3 routers or switches.
Thus, after users are isolated by using different VLANs, different EPGs can be allocated different VLANs, and when one device in a VLAN sends Broadcast, Unknown unicast or Multicast (BUM) traffic, the traffic floods the VLAN and every network device in the VLAN receives it. However, VLAN resources are limited, so the number of supported tenants (isolation groups) is limited, and if different tenants share the same VLAN, BUM traffic cannot be isolated among those tenants.
Disclosure of Invention
The embodiment of the invention provides a user isolation method and a switch, which can solve the problem that BUM traffic cannot be isolated among tenants.
In one aspect, a user isolation method is provided, including:
the switch monitors the information carried in a first message sent by a first user when the first user comes online; the switch determines that the first user belongs to a first EPG according to the correspondence between the information carried in the first message and the identifier of an End-Point Policy Group (EPG), determines a first IP multicast address corresponding to the first user according to the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; an EPG comprises a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or some of the users in the same network segment or subnet, and the first EPG is one of a plurality of EPGs; the switch adds the first user to the multicast group; when the switch receives first broadcast, unknown unicast and multicast (BUM) traffic sent by the first user, the switch encapsulates the first BUM traffic into first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users corresponding to the multicast group.
Therefore, if different EPGs exist in the same VLAN, the BUM traffic of the different EPGs needs to be isolated. One EPG is one tenant group. Once an IP multicast address has been configured for each EPG in the switch, when a first user comes online the switch determines, from the information sensed as the first user comes online, the first IP multicast address of the multicast group to which the first user belongs, and adds the first user to that multicast group. When the switch then receives BUM traffic sent by the first user, it can encapsulate the BUM traffic into multicast traffic addressed to the first IP multicast address and forward it to the other users belonging to the multicast group, so that BUM traffic between different EPGs in the same VLAN is isolated.
In one possible design, the method further includes: the switch establishes a correspondence between the VLAN identifier together with the access interface identifier and the EPG identifier; and the switch establishes a correspondence between the EPG identifier and the IP multicast address. These correspondences may be issued to the switch by an Access Controller (AC), or may be manually configured in the switch.
Therefore, when any user comes online through an interface of the switch, the EPG to which the user belongs and its IP multicast address can be determined from these correspondences, so that multicast traffic can be sent according to that IP multicast address.
In one possible design, the switch determining that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the EPG identifier includes: the switch determines that the first user belongs to the first EPG according to the first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between the VLAN identifier together with the incoming interface identifier and the EPG identifier.
In one possible design, the switch joining the first user to the multicast group includes: the switch determines whether a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address already exists. If so, the switch adds the first user to the multicast group to which the second user belongs and establishes a correspondence between the first incoming interface identifier and the first IP multicast address. If not, the switch establishes a correspondence between the first incoming interface identifier and the first IP multicast address, sends a multicast join message carrying the first IP multicast address to the rendezvous point (RP) through the upstream device connected to the switch, and establishes a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message is received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface through which the multicast join message is sent and the first IP multicast address.
Therefore, after the correspondences between the user's IP multicast address and the incoming and outgoing interfaces of the switch have been established, when the user sends multicast traffic the switch can forward it to the other users of the multicast group according to the IP multicast address and those incoming and outgoing interfaces; that is, the user is added to the multicast group at interface granularity.
In one possible design, the switch joining the first user to the multicast group includes: the switch determines whether a second user belonging to the same multicast group as the first user already exists. If so, the switch adds the first user to the multicast group to which the second user belongs and establishes a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address. If not, the switch establishes a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address; the switch sends a multicast join message carrying the first IP multicast address to the rendezvous point (RP) through the upstream device connected to the switch, and establishes a correspondence between the first outgoing interface identifier through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message is received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface through which the multicast join message is sent and the first IP multicast address.
Thus, users may be joined to a multicast group at user granularity. When several users correspond to the same interface, for example several VMs behind the same interface, and those VMs belong to different EPGs, the VMs belonging to the same EPG can be told apart by the joint correspondence between the user's IP address and interface identifier and the EPG, so unnecessary traffic flooding is avoided.
In one possible design, the method further includes: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying a second IP multicast address corresponding to the multicast group to which the third user belongs, the switch replicates the second multicast traffic and sends it to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and the outgoing interface.
In one possible design, the method further includes: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying a second IP multicast address corresponding to the multicast group to which the third user belongs, the switch replaces the second IP multicast address with the second IP address corresponding to it, according to the correspondence between a second incoming interface identifier together with the second IP address of at least one user and the second IP multicast address; the switch then takes the interface corresponding to the second incoming interface identifier as the outgoing interface, replicates the second multicast traffic at that outgoing interface, and sends each copy to the at least one user according to the replaced second IP address.
For example, when several Virtual Machines (VMs) are connected to the same interface of the switch and belong to different EPGs, the IP multicast address may be replaced with the IP address of the VM according to the correspondence between the interface identifier together with the IP address and the IP multicast address, turning the multicast into unicast, so that multicast traffic of users in one EPG is not delivered to users of other EPGs.
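The EPG determination, multicast-group join, BUM encapsulation and multicast-to-unicast forwarding described above, as an added Python model that is not code from the patent: the interface names, VM addresses and correspondence tables are constructed (EPG names and group addresses follow the fig. 4 example), and the per-user (VLAN, interface, IP) table used for user granularity is an assumed form.

```python
# Added example (not code from the patent): a small model of the leaf-switch
# behaviour described above. Tables, interface names and addresses are constructed;
# the EPG names and group addresses follow the fig. 4 example in the text.
from dataclasses import dataclass, field

# EPG determination tables. Interface granularity: (vlan_id, ingress_if) -> EPG.
# User granularity (assumed form): (vlan_id, ingress_if, user_ip) -> EPG, which
# lets several VMs behind one interface belong to different EPGs.
IF_TO_EPG = {(10, "eth3"): "EPG-1"}          # VM6 alone behind eth3
USER_TO_EPG = {
    (10, "eth1", "192.168.1.1"): "EPG-1",    # VM1 (constructed addresses)
    (10, "eth1", "192.168.1.2"): "EPG-2",    # VM2 shares eth1 with VM1
    (10, "eth2", "192.168.1.3"): "EPG-2",    # VM3
    (10, "eth2", "192.168.1.4"): "EPG-3",    # VM4
}
EPG_TO_MCAST = {"EPG-1": "225.0.0.1", "EPG-2": "225.0.0.2", "EPG-3": "225.0.0.3"}


@dataclass
class LeafSwitch:
    if_to_epg: dict
    user_to_epg: dict
    epg_to_mcast: dict
    # group address -> set of (ingress_if, user_ip) members (user granularity)
    groups: dict = field(default_factory=dict)
    # join messages sent towards the RP, one per group the switch joins for the first time
    joins_sent: list = field(default_factory=list)

    def epg_of(self, vlan_id, ingress_if, user_ip):
        """Determine the EPG: the per-user table wins, then the per-interface table."""
        return (self.user_to_epg.get((vlan_id, ingress_if, user_ip))
                or self.if_to_epg.get((vlan_id, ingress_if)))

    def user_online(self, user_ip, vlan_id, ingress_if):
        """User comes online: determine its group and join it; returns the group address."""
        epg = self.epg_of(vlan_id, ingress_if, user_ip)
        if epg is None:
            return None                      # unknown user: nothing to join
        mcast = self.epg_to_mcast[epg]
        members = self.groups.setdefault(mcast, set())
        if not members:
            # No second user of this group exists yet, so the switch itself must
            # join the tree: a join carrying the group address goes to the RP
            # through the upstream device.
            self.joins_sent.append(mcast)
        members.add((ingress_if, user_ip))
        return mcast

    def encapsulate_bum(self, src_ip, vlan_id, ingress_if, payload):
        """Wrap BUM traffic from a member into multicast traffic of its group."""
        epg = self.epg_of(vlan_id, ingress_if, src_ip)
        if epg is None:
            return None
        return {"group": self.epg_to_mcast[epg], "src": src_ip, "payload": payload}

    def forward(self, mcast_frame):
        """Replicate a group frame to the members of that group only.

        Because several VMs may sit behind one interface, the group address is
        replaced by each member's unicast IP (multicast-to-unicast), so a VM of
        another EPG on the same interface never receives the frame.
        """
        out = []
        for ingress_if, ip in sorted(self.groups.get(mcast_frame["group"], ())):
            if ip == mcast_frame["src"]:
                continue                     # do not echo to the sender
            out.append((ingress_if, ip, mcast_frame["payload"]))
        return out


def demo():
    """Bring four VMs online and send one BUM frame from VM1 (EPG-1)."""
    sw = LeafSwitch(IF_TO_EPG, USER_TO_EPG, EPG_TO_MCAST)
    sw.user_online("192.168.1.1", 10, "eth1")   # VM1, EPG-1
    sw.user_online("192.168.1.2", 10, "eth1")   # VM2, EPG-2, same interface as VM1
    sw.user_online("192.168.1.3", 10, "eth2")   # VM3, EPG-2
    sw.user_online("192.168.1.6", 10, "eth3")   # VM6, EPG-1
    frame = sw.encapsulate_bum("192.168.1.1", 10, "eth1", b"ARP who-has")
    return sw, frame, sw.forward(frame)


if __name__ == "__main__":
    sw, frame, deliveries = demo()
    print(frame["group"], deliveries)       # only VM6 (EPG-1) receives the copy
```

Only VM6 receives VM1's BUM frame; VM2, although on the same interface as VM1, is in another EPG and gets nothing.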
In one possible design, after the first user comes online, the method further includes:
the switch establishes a member table for the first user, the member table containing the correspondence between the MAC address, the first incoming interface identifier, the first VLAN identifier and the first IP address of the first user; the member table is used to check whether a user sending multicast traffic is legitimate.
For example, another user may copy the IP address and MAC address of the first user and send attack multicast traffic to the switch on a different interface; the switch can then determine from the stored member table that the interface information of that multicast traffic does not match, judge the multicast traffic to be illegitimate, and prevent it from being forwarded.
In one possible design, the method further includes: when the switch detects that the first user has gone offline, it deletes the member table and sends a second message carrying the first IP multicast address to the rendezvous point (RP), so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
Therefore, when the first user goes offline, the member table in the switch and the corresponding entries in the RP are deleted, saving storage space in both the switch and the RP.
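The member-table legitimacy check and the offline cleanup just described, as an added Python model that is not code from the patent; the MAC and IP addresses, interface names and sample frames are constructed.

```python
# Added example (not code from the patent): the member table that binds a user's
# MAC, incoming interface, VLAN and IP, the legitimacy check run on multicast
# sources, and the cleanup when the user goes offline. All values constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Member:
    mac: str
    ingress_if: str
    vlan_id: int
    ip: str


@dataclass
class MemberTable:
    # Bindings learned when users come online, keyed by MAC address.
    entries: dict = field(default_factory=dict)
    # Group addresses reported to the RP in the "second message" on user offline.
    leaves_sent: list = field(default_factory=list)

    def user_online(self, mac, ingress_if, vlan_id, ip):
        """Record the binding observed when the user comes online."""
        self.entries[mac] = Member(mac, ingress_if, vlan_id, ip)

    def is_legal(self, mac, ingress_if, vlan_id, ip):
        """A multicast source is legitimate only if MAC, interface, VLAN and IP
        all match the binding learned when that user came online."""
        expected = self.entries.get(mac)
        return expected is not None and expected == Member(mac, ingress_if, vlan_id, ip)

    def user_offline(self, mac, mcast_addr):
        """Delete the binding and send the group address to the RP so it can
        drop its interface state; returns whether an entry existed."""
        if self.entries.pop(mac, None) is None:
            return False
        self.leaves_sent.append(mcast_addr)
        return True


def check_frames(table, frames):
    """Classify incoming multicast frames as forwarded or dropped."""
    verdicts = []
    for f in frames:
        ok = table.is_legal(f["mac"], f["ingress_if"], f["vlan"], f["ip"])
        verdicts.append((f["note"], "forward" if ok else "drop"))
    return verdicts


def demo():
    table = MemberTable()
    table.user_online("00:11:22:33:44:01", "eth1", 10, "192.168.1.1")  # first user
    frames = [  # constructed frames: one genuine, one from another interface, one unknown
        {"note": "first user on its own interface", "mac": "00:11:22:33:44:01",
         "ingress_if": "eth1", "vlan": 10, "ip": "192.168.1.1"},
        {"note": "same MAC and IP seen on another interface", "mac": "00:11:22:33:44:01",
         "ingress_if": "eth2", "vlan": 10, "ip": "192.168.1.1"},
        {"note": "unknown MAC", "mac": "00:11:22:33:44:99",
         "ingress_if": "eth1", "vlan": 10, "ip": "192.168.1.1"},
    ]
    verdicts = check_frames(table, frames)
    table.user_offline("00:11:22:33:44:01", "225.0.0.1")  # user leaves its group
    return table, verdicts


if __name__ == "__main__":
    table, verdicts = demo()
    for note, verdict in verdicts:
        print(f"{verdict:8} {note}")
```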
In another aspect, a switch is provided, including:
a monitoring unit, configured to monitor the information carried in a first message sent by a first user when the first user comes online; a determining unit, configured to determine that the first user belongs to a first EPG according to the correspondence between the information carried in the first message and the identifier of an End-Point Policy Group (EPG), to determine that the first user corresponds to a first IP multicast address according to the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, and to determine that the first user belongs to the multicast group corresponding to the first IP multicast address, where an EPG comprises a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or some of the users in the same network segment or subnet, and the first EPG is one of multiple EPGs; a joining unit, configured to add the first user to the multicast group; and an encapsulating unit, configured to encapsulate first broadcast, unknown unicast and multicast (BUM) traffic sent by the first user into first multicast traffic of the multicast group when the switch receives it, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users corresponding to the multicast group.
In one possible design, the switch further comprises an establishing unit, configured to establish the correspondence between the VLAN identifier together with the access interface identifier and the EPG identifier, and to establish the correspondence between the EPG identifier and the IP multicast address.
In one possible embodiment, the determining unit is configured to:
determine that the first user belongs to the first EPG according to the first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between the VLAN identifier together with the incoming interface identifier and the EPG identifier.
In one possible design, the joining unit includes: a determining subunit, configured to determine whether a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address already exists; and an establishing subunit, configured to: if so, add the first user to the multicast group to which the second user belongs and establish a correspondence between the first incoming interface identifier and the first IP multicast address; if not, establish a correspondence between the first incoming interface identifier and the first IP multicast address. The joining unit further includes a sending subunit, configured to send a multicast join message carrying the first IP multicast address to the rendezvous point (RP) through an upstream device connected to the switch, and to establish a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message is received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface through which the multicast join message is sent and the first IP multicast address.
In one possible design, the joining unit includes: a determining subunit, configured to determine whether a second user belonging to the same multicast group as the first user already exists; and an establishing subunit, configured to: if so, add the first user to the multicast group to which the second user belongs and establish a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address; if not, establish a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address, send a multicast join message carrying the first IP multicast address to the rendezvous point (RP) through an upstream device connected to the switch, and establish a correspondence between the first outgoing interface identifier through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message is received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface through which the multicast join message is sent and the first IP multicast address.
In one possible design, the switch further includes a sending unit, configured to: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying a second IP multicast address corresponding to the multicast group to which the third user belongs, replicate the second multicast traffic and send it to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and the outgoing interface.
In one possible design, the switch further includes a replacing unit, configured to, when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying a second IP multicast address corresponding to the multicast group to which the third user belongs, replace the second IP multicast address with the second IP address corresponding to it, according to the correspondence between a second incoming interface identifier together with the second IP address of at least one user and the second IP multicast address; and the sending unit is configured to take the interface corresponding to the second incoming interface identifier as the outgoing interface, replicate the second multicast traffic at that outgoing interface, and send each copy to the at least one user according to the replaced second IP address.
In one possible design, the establishing unit is further configured to establish a member table for the first user, the member table containing the correspondence between the MAC address, the first incoming interface identifier, the first VLAN identifier and the first IP address of the first user; the member table is used to check whether a user sending multicast traffic is legitimate.
In one possible design, the switch further comprises a deleting unit, configured to delete the member table when the switch senses that the first user has gone offline; and the sending unit is further configured to send a second message carrying the first IP multicast address to the rendezvous point (RP), so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
The embodiment of the invention provides a user isolation method and a switch. The switch monitors the information carried in a first message sent by a first user when the first user comes online; it determines that the first user belongs to a first EPG according to the correspondence between the information carried in the first message and an EPG identifier, determines that the first user corresponds to a first IP multicast address according to the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address. The switch then adds the first user to the multicast group, and when it receives first BUM traffic sent by the first user, it encapsulates the first BUM traffic into first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group. In this way the network is divided into different EPGs, and each EPG is allocated an IP multicast address that carries all the BUM traffic of the users of that EPG; user isolation is achieved by isolating the BUM traffic of different EPGs, which solves the problem that BUM traffic cannot be isolated among tenant groups sharing the same VLAN or the same VXLAN.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of a network structure of a VLAN according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a network structure of a VXLAN according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a user isolation method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a system for traffic isolation among multiple EPGs according to an embodiment of the present invention;
Fig. 5 is a signal flow chart of a user joining a multicast group according to an embodiment of the present invention;
Fig. 6 is a signal flow chart of sending multicast traffic according to an embodiment of the present invention;
Fig. 7 is a signal flow chart of a user going offline according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a switch according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a switch according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a VLAN-based network, each VLAN corresponds to a network segment or subnet, so the number of servers in the same broadcast domain is reduced and unnecessary broadcast traffic is reduced. As shown in Fig. 1, several users connected to the switch correspond to different VLANs: the user devices of user 1, user 2 and user 3 belong to VLAN10, the user devices of user 4 and user 5 belong to VLAN20, and BUM traffic is isolated between VLAN10 and VLAN20. That is, when any user device in VLAN10 sends BUM traffic, all other user devices in VLAN10 receive it and no user device in VLAN20 receives it. If BUM traffic needs to be carried from VLAN10 to VLAN20, this must be done by a router or a layer-3 switch.
A Virtual eXtensible Local Area Network (VXLAN) is a technology that encapsulates layer-2 frames in a layer-3 protocol, and can extend a layer-2 network across a layer-3 domain. Each Broadcast Domain (BD) is called a VXLAN segment and is identified by a VXLAN Network Identifier (VNI) carried in the VXLAN packet header. The VNI field is 24 bits long, so the maximum number of segments is 2 to the power of 24, and only virtual machines within the same VXLAN segment can communicate with each other. In VXLAN, a traditional physical server is virtualized into several virtual servers, i.e. Virtual Machines (VMs), each running a separate operating system. A tenant corresponding to the same VXLAN owns one VM or a group of VMs in the virtual server resource pool. As shown in Fig. 2, a VXLAN may include a Rendezvous Point (RP) (not shown), spine switches, leaf switches and servers. Several servers are connected under different leaf switches, and each server contains at least one VM, each VM being an independent user: server 1 contains VM1 and VM2, server 2 contains VM3 and VM4, and server 3 contains VM5 and VM6. Different VMs in the same server may belong to different tenants; for example, in Fig. 2 VM1 and VM6 may belong to the same tenant, VM2 and VM3 to the same tenant, and VM4 and VM5 to the same tenant. BUM traffic from any VM (or server) within the same VXLAN network is flooded to every member of that VXLAN, and BUM traffic across VXLANs has to go through routers or layer-3 switches.
In the prior art, VLANs and VXLANs need global planning, VLAN and VXLAN resources are limited, the number of supported isolation groups is therefore limited, and if different tenants share the same VLAN or VXLAN, BUM traffic cannot be isolated among those tenants. To address these problems, an embodiment of the present invention provides a user isolation method, taking VXLAN as an example, as shown in Fig. 3, including:
301. The switch establishes the correspondence between the VLAN identifier together with the switch interface identifier and the EPG identifier, and establishes the correspondence between the EPG identifier and the IP multicast address.
The switch here is a leaf switch, i.e. a switch directly connected to the user equipment.
In the embodiment of the present application, an IP multicast address may be allocated to each EPG, and a correspondence between an identifier of the EPG and the IP multicast address is established. The EPG is a tenant, the same VLAN may correspond to one EPG or a plurality of EPGs, that is, a plurality of EPGs share the same VLAN, and similarly, the same VXLAN may also correspond to one EPG or a plurality of EPGs. For example, as shown in fig. 4, different VMs are connected to a Top-set switch (Top of Rank, ToR) (not shown in the figure), and the ToR is a leaf switch in the present embodiment. The VM1 and the VM6 are the same tenant and belong to the EPG-1, the IP multicast address corresponding to the EPG-1 is 225.0.0.1, the VM2 and the VM3 are the same tenant and belong to the EPG-2, the IP multicast address corresponding to the EPG-2 is 225.0.0.2, the VM4 and the VM5 are the same tenant and belong to the EPG-3, and the IP multicast address corresponding to the EPG-3 is 225.0.0.3. EPG-1, EPG-2 and EPG-3 all belong to the broadcast domain BD8 of the same VXLAN, the VNI corresponding to the broadcast domain BD8 is 10000, and the network segment corresponding to the VXLAN is IP192.168.1.1/16. GateWay (GW) 1 and GW2 may be routers or switches.
After the corresponding relationship between the VLAN identifier and the incoming interface identifier of the leaf switch and the identifier of the EPG is configured in the leaf switch, if a certain user is online, the leaf switch may determine the EPG to which the user belongs according to the identifier of the incoming interface that receives the message sent by the user and the corresponding relationship between the VLAN identifier carried in the message and the identifier of the EPG.
The correspondence between the VLAN identifier and the incoming interface identifier on the one hand and the identifier of the EPG on the other, and the correspondence between the identifier of the EPG and the IP multicast address, may be configured manually in the leaf switch, or may be issued as configuration information by a controller, for example the Access Controller (AC) in fig. 4, which sends the configuration information to the leaf switch directly or indirectly through other switches, and the leaf switch stores it. With manual configuration, the correspondences can be entered in the leaf switch through a command line. When the AC issues the configuration information, it may first be entered and configured at the AC through a command line; the AC then passes it to the leaf switch through a GW connected to the leaf switch, or, if the AC is directly connected to the leaf switch, issues it directly, for example through an OpenFlow interface, a network management interface, or another interface.
302. The switch monitors information carried in a first message sent by a first user when the first user is online.
When a new user (corresponding to a VM) comes online under the leaf switch at some moment, the leaf switch receives a first message sent by that first user. The first message may be a Dynamic Host Configuration Protocol (DHCP) message, and the leaf switch intercepts from it the first Media Access Control (MAC) address of the first user and the first VLAN identifier of the first VLAN to which the first user belongs, both of which are carried in the DHCP message.
303. The switch determines that the first user belongs to the first EPG according to the corresponding relation between the information carried in the first message and the EPG identifier, and determines a first IP multicast address corresponding to the first user according to the corresponding relation between the EPG identifier and the IP multicast address.
After the leaf switch intercepts the first MAC address and the first VLAN identifier of the first user carried in the first message, the leaf switch can determine, from the interface on which the first message was received, the first interface through which the first user is connected to the leaf switch, and allocate a first IP address to the first user. The leaf switch may then build a member table entry for the first user equipment from the first MAC address, the first VLAN identifier, the first IP address and the first interface identifier; the member table holds these four items. The member table can be used as a security check on whether multicast traffic subsequently sent by a user is legitimate. For example, another user may spoof the same first MAC address and first IP address as the first user while being connected to the leaf switch through a different interface, and may send multicast traffic to the leaf switch through that other interface as an attack. If, when checking that traffic, the leaf switch finds that its IP address and MAC address match the first IP address and first MAC address in the member table but its interface identifier differs from the first interface identifier recorded there, the leaf switch may refuse to accept the multicast traffic sent by the other user.
Because the corresponding relationship between the interface identifier and the VLAN identifier and the identifier of the EPG is stored in the leaf switch, the leaf switch may determine, according to the corresponding relationship between the first interface identifier and the first VLAN identifier and the identifier of the first EPG, the first EPG to which the first user belongs, for example, the first user belongs to EPG-1. Since the corresponding relationship between the identifier of the EPG and the IP multicast address is stored in the leaf switch, the leaf switch may determine the first IP multicast address corresponding to the multicast group to which the first user belongs according to the corresponding relationship between the identifier of the first EPG to which the first user belongs and the first IP multicast address, for example, the IP multicast address corresponding to the EPG-1 is 225.0.0.1, and the IP multicast address corresponding to the multicast group to which the first user belongs is 225.0.0.1. A multicast group may be understood as a destination address for transmitting a multicast message or a data frame, where the destination address is, for example, 225.0.0.1.
The reason why the correspondence stored in the leaf switch uses the interface identifier and the VLAN identifier jointly as the key for the identifier of the EPG is that the same interface of the leaf switch may be connected to VMs in different EPGs, that is, any interface of the leaf switch may be connected to VMs in different VXLANs or in different EPGs.
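The following is an added example (not code from the patent or from Huawei) of steps 301 to 303 on the leaf switch: the two configured correspondences, the lookup from (incoming interface, VLAN) to EPG to IP multicast address when a user comes online, and the member table check that refuses multicast traffic whose MAC and IP match a member but which arrives on a different interface. The EPG names and multicast addresses follow the fig. 4 example; the interface names, VLAN numbers, MAC and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Constructed configuration following the example of fig. 4: three EPGs share one
# VXLAN and one VLAN. Interface names ("ge1", ...), VLAN 100/200 and the VM IP/MAC
# addresses used below are assumptions, not values from the page.
EPG_MCAST: Dict[str, IPv4Address] = {
    "EPG-1": IPv4Address("225.0.0.1"),
    "EPG-2": IPv4Address("225.0.0.2"),
    "EPG-3": IPv4Address("225.0.0.3"),
}

# Step 301: (incoming interface, VLAN) -> EPG. The key is the pair because one
# interface may carry VMs of several EPGs and one VLAN may be shared by EPGs.
IFACE_VLAN_EPG: Dict[Tuple[str, int], str] = {
    ("ge1", 100): "EPG-1",   # VM1
    ("ge2", 100): "EPG-2",   # VM2, VM3
    ("ge2", 200): "EPG-3",   # VM4, VM5 (same interface, different VLAN/EPG)
    ("ge3", 100): "EPG-1",   # VM6
}


@dataclass(frozen=True)
class Member:
    """One row of the member table built in step 303."""
    mac: str
    vlan: int
    ip: IPv4Address
    iface: str
    epg: str
    group: IPv4Address


class LeafSwitch:
    def __init__(self) -> None:
        # member table keyed by (MAC, IP); the interface is what is checked on traffic
        self.members: Dict[Tuple[str, IPv4Address], Member] = {}

    def classify(self, iface: str, vlan: int) -> Optional[Tuple[str, IPv4Address]]:
        """Step 303: (interface, VLAN) -> EPG -> IP multicast address; None if unconfigured."""
        epg = IFACE_VLAN_EPG.get((iface, vlan))
        if epg is None:
            return None
        return epg, EPG_MCAST[epg]

    def user_online(self, iface: str, vlan: int, mac: str, ip: str) -> Optional[Member]:
        """Steps 302-303: the leaf snooped (mac, vlan) from the user's DHCP message on
        interface `iface` and allocated `ip`; record the member table row."""
        found = self.classify(iface, vlan)
        if found is None:
            return None           # no EPG configured for this (interface, VLAN): not admitted
        epg, group = found
        member = Member(mac, vlan, IPv4Address(ip), iface, epg, group)
        self.members[(mac, member.ip)] = member
        return member

    def accept_multicast_from(self, iface: str, mac: str, ip: str) -> bool:
        """Member-table security check: traffic whose MAC/IP match a member but which
        arrives on a different interface (a spoofing host elsewhere) is refused."""
        member = self.members.get((mac, IPv4Address(ip)))
        return member is not None and member.iface == iface
```

A user on an interface/VLAN pair with no configured EPG is not admitted at all, and the check is deliberately keyed on the interface rather than only on MAC and IP, since those two are exactly the fields a spoofing host copies.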
304. The switch joins the first user to the multicast group and then performs either step 305 or step 306.
After determining the first IP multicast address of the multicast group to which the first user belongs, the leaf switch may join the first user to the multicast group. Joining users to the multicast group is the process of building the multicast shared tree, which is rooted at the rendezvous point (RP) known to the leaf switch. A multicast shared tree means that, after one RP is selected in the network, all multicast messages are transmitted via the RP. The RP is a preconfigured router or switch that is responsible for forwarding all multicast packets. Before sending multicast messages, the server that sends them registers with the RP; the shortest path to the RP is then determined through the directly connected router or switch, and the shortest path from the RP to the destination is determined by the RP.
The embodiment of the application includes joining the multicast group at interface granularity and joining it at user granularity. In either case, before the first user is joined, note that users of the same EPG may be connected under different interfaces of the leaf switch. If another user belonging to the same multicast group as the first user has already been joined, the transmission path between that other user and the RP, and from the RP to the destination, already exists; the leaf switch then does not need to send a multicast join message to the RP over the multicast shared tree, and only needs to add the first user to the multicast group to which the other user already belongs.
Therefore, before joining the first user to the multicast group, the leaf switch first determines whether a second user belonging to the same multicast group as the first user is already recorded in the switch. Specifically, it may check whether a correspondence between the first VLAN identifier and a second interface identifier on the one hand and the identifier of the first EPG on the other has been established in the leaf switch (users on different interfaces of the leaf switch may belong to the same EPG). If so, it concludes that a second user belonging to the same multicast group as the first user exists on the leaf switch, the forwarding path for multicast traffic of that group is already established, and the leaf switch only needs to join the first user to the multicast group locally.
Specifically, if the first user is joined to the multicast group at interface granularity and a second user belonging to the same multicast group already exists, the leaf switch establishes a correspondence between the first incoming interface identifier of the first message sent by the first user and the first IP multicast address. If the first user is joined at interface granularity and no such second user exists, as shown in fig. 5, the leaf switch establishes the correspondence between the first incoming interface identifier and the first IP multicast address, sends a multicast join message containing the first IP multicast address to the RP through the upstream device connected to the switch, and establishes a correspondence between the first outgoing interface identifier of the interface through which it sent the multicast join message and the first IP multicast address. When the upstream device and the RP receive the multicast join message, each establishes a correspondence between the incoming interface identifier of the interface that received the join message and the first IP multicast address, and between the outgoing interface identifier through which it forwards the join message and the first IP multicast address. Specifically, the leaf switch may send the multicast join message to the upstream switch and the RP as a Protocol Independent Multicast (PIM) Join message; each upstream switch and the RP that receives the PIM Join message establishes a correspondence between the incoming interface that received it and the first IP multicast address, and between the outgoing interface through which it sent the PIM Join message and the first IP multicast address, so that the first user is joined to the multicast group;
if the first user is joined to the multicast group at user granularity and a second user belonging to the same multicast group already exists, the leaf switch establishes a correspondence between the first incoming interface identifier and the first IP address jointly and the first IP multicast address, or between the first incoming interface identifier, the first IP address and the first VLAN identifier jointly and the first IP multicast address. If the first user is joined at user granularity and no such second user exists, the leaf switch establishes the same joint correspondence (first incoming interface identifier and first IP address, or first incoming interface identifier, first IP address and first VLAN identifier, with the first IP multicast address), then sends a multicast join message containing the first IP multicast address to the RP through the upstream device connected to the leaf switch, and establishes a correspondence between the first outgoing interface identifier through which it sent the multicast join message and the first IP multicast address. After each upstream device and the RP receives the multicast join message, it establishes a correspondence between the incoming interface identifier that received the join message and the first IP multicast address and between the outgoing interface identifier that sent the join message and the first IP multicast address, so that the first user is joined to the multicast group.
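The join decision of step 304, as an added example that is not part of the patent text: the leaf keeps either an (interface, group) table or a (interface, IP, VLAN, group) table depending on the granularity, checks whether a second user of the same group is already present, and only when it is not does it record an outgoing interface towards the RP and send a join. The RP is modelled as recording which of its interfaces the join arrived on. Interface names, the uplink name and the addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RendezvousPoint:
    """Constructed model of the RP (and any upstream device): per IP multicast
    address, the interfaces on which a join arrived, i.e. the future outgoing
    interfaces for that group's traffic."""
    iif_map: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def receive_join(self, group: str, arriving_iface: str) -> None:
        self.iif_map[group].add(arriving_iface)


@dataclass
class LeafJoinState:
    """Step 304 on the leaf. `granularity` is "interface" or "user"."""
    granularity: str
    uplink: str                 # leaf outgoing interface towards the RP (assumed name)
    rp: RendezvousPoint
    rp_iface: str               # RP interface that this leaf's uplink reaches (assumed)
    iface_map: Set[Tuple[str, str]] = field(default_factory=set)            # (iif, group)
    user_map: Set[Tuple[str, str, int, str]] = field(default_factory=set)   # (iif, ip, vlan, group)
    oif_map: Dict[str, str] = field(default_factory=dict)                    # group -> uplink
    joins_sent: List[str] = field(default_factory=list)                      # PIM joins, in order

    def has_member(self, group: str) -> bool:
        """Is a second user of this multicast group already joined on the leaf?"""
        if self.granularity == "interface":
            return any(g == group for _, g in self.iface_map)
        return any(g == group for _, _, _, g in self.user_map)

    def join(self, iif: str, ip: str, vlan: int, group: str) -> bool:
        """Join one user; returns True when a multicast join had to be sent to the RP."""
        path_exists = self.has_member(group)
        if self.granularity == "interface":
            self.iface_map.add((iif, group))
        else:
            self.user_map.add((iif, ip, vlan, group))
        if path_exists:
            return False          # tree already built for this group: local join only
        # First member of the group on this leaf: build the shared-tree branch.
        self.oif_map[group] = self.uplink
        self.joins_sent.append(group)
        self.rp.receive_join(group, self.rp_iface)
        return True
```

The user-granularity table carries the VLAN identifier as an optional extra key, as the page allows; with interface granularity, two users of one EPG on the same interface collapse into a single table entry.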
305. When the switch receives the first BUM flow sent by the first user, the switch packages the first BUM flow into a first multicast flow of the multicast group, so that the first multicast flow is forwarded to other users belonging to the multicast group.
When the first user is a VM, a VXLAN Tunnel End Point (VTEP) may also be deployed in the leaf switch. The VTEP at one end encapsulates the BUM traffic into a VXLAN data message and sends the encapsulated message through the tunnel to the VTEP at the other end, which decapsulates it on receipt and forwards the message to each user. Optionally, the VTEP may instead be deployed in the virtual switch (vSwitch) of the server: when a user sends traffic, the vSwitch determines from a failed lookup of the forwarding table keyed by the VM's MAC or IP address that the traffic is not unicast and needs flooding, and the vSwitch in the server encapsulates the BUM traffic as multicast traffic and sends it to the leaf switch.
After the leaf switch has joined the first user to the multicast group, suppose the first user wants to send BUM traffic to the other users of the group. When the leaf switch connected to the first user receives the first BUM traffic sent by the first user, a failed routing table lookup, Address Resolution Protocol (ARP) table lookup or Media Access Control (MAC) table lookup indicates that the traffic is not unicast but BUM traffic and must be flooded. As shown in fig. 6, the VTEP in the leaf switch encapsulates the first BUM traffic into first multicast traffic of the multicast group the first user has joined and forwards it in the VXLAN along the multicast shared tree, so that the first multicast traffic reaches the other users of the multicast group on the established tree. Specifically, the first multicast traffic carries the first IP multicast address. The leaf switch sends it to the upstream switch according to the correspondence between the first IP multicast address and the first outgoing interface identifier; the upstream switch sends it through the spine switch and the RP to the other leaf switches connected to the remaining users of the multicast group, according to the correspondences between incoming interface identifier and first IP multicast address and between outgoing interface identifier and first IP multicast address established in step 304; and those other leaf switches send it to the remaining users according to the correspondence between the first IP multicast address and the outgoing interfaces they recorded when those users joined the multicast group.
306. When the switch receives a second multicast flow corresponding to a third user, the second multicast flow comprises a second IP multicast address corresponding to a multicast group to which the third user belongs, and the switch copies and sends the second multicast flow to the user under the output interface corresponding to the second IP multicast address according to the corresponding relation between the second IP multicast address and the output interface.
For the leaf switch, if users are joined to the multicast group at interface granularity and the leaf switch receives second multicast traffic corresponding to a third user, forwarded by an upstream device of the multicast shared tree, where the second multicast traffic carries the second IP multicast address of the multicast group to which the third user belongs, the leaf switch may copy the second multicast traffic and send it to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and that outgoing interface. Because the second multicast traffic carries the second IP multicast address, the set of users connected under the leaf switch that belong to the same EPG as the third user have the same multicast address as the third user, namely the second IP multicast address. Each such user, when it came online as a "first user", was likewise joined to the multicast group of the third user and established the correspondence between its incoming interface on the leaf switch and the second IP multicast address. So when the leaf switch receives the second multicast traffic from upstream, it uses that incoming interface as the outgoing interface towards the downstream user, according to the correspondence between the second IP multicast address in the traffic and the incoming interface, and the second multicast traffic is sent to the set of users belonging to the same EPG as the third user.
Since users of the same EPG may be connected to different interfaces of the leaf switch, when the leaf switch determines that users of the EPG are connected through several of its interfaces, it copies the received second multicast traffic for each determined interface and sends a copy on each, so that users of the same EPG under different interfaces all receive it. When sending the second multicast traffic, the VTEP in the leaf switch may decapsulate it according to the destination IP, i.e. the second IP multicast address, to obtain the packet carried by the second multicast traffic, and copy and send that packet to the users under the outgoing interface; alternatively, the leaf switch sends the second multicast traffic as-is to the users under the interface, and the vSwitch in the server where the user is located decapsulates it to obtain the decapsulated message.
Since, in VXLAN, a server connected under a single interface may host multiple VMs, if the multicast traffic is copied on the interface where the leaf switch connects to the server and forwarded to the server, several VMs in the server may receive it; if those VMs belong to different EPGs, different tenants would all receive the traffic. Therefore, if in step 304 users are joined to the multicast group at user granularity, that is, the leaf switch has established the correspondence between the user's IP address and the IP multicast address, then when the leaf switch receives second multicast traffic corresponding to a third user, it may replace the second IP multicast address with the second IP address corresponding to it, according to the joint correspondence between the second incoming interface identifier and second IP address of at least one user and the second IP multicast address. The leaf switch then uses the interface corresponding to the second incoming interface identifier as the outgoing interface, copies the second multicast traffic on that outgoing interface, and sends each copy to the at least one user according to the replaced second IP address. In other words, when second multicast traffic from upstream arrives at the leaf switch and the leaf switch holds the correspondence between the second IP multicast address in that traffic and the second incoming interface identifier and second IP address of the VMs connected to it, multicast is converted to unicast: the second IP multicast address is replaced by the second IP addresses of the several VMs of the same EPG, the several incoming interfaces connecting those VMs to the leaf switch are used as the outgoing interfaces, the second multicast traffic is copied on each outgoing interface, and each copy carries a replaced second IP address and is sent as unicast. When the server receives it, it delivers the traffic to the VMs of the same EPG according to the second IP address. This prevents the multicast traffic from being received by users of other EPGs under the same interface, and reduces unnecessary flooding and reception of unknown traffic by downstream devices.
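An added example (not the patent's or Huawei's code) of the data path of steps 305 and 306: the sending VTEP classifies a frame as BUM and wraps it in a VXLAN header with the VNI of BD8 and the EPG's IP multicast address as outer destination; the receiving leaf either decapsulates and copies the frame to every interface mapped to the group (interface granularity) or, at user granularity, converts multicast to unicast by copying the packet once per (interface, VM IP) entry with the outer destination replaced. The VNI 10000 and the multicast addresses follow the page; interface names, VTEP and VM addresses and the sample frame are constructed. The VXLAN header layout is the standard RFC 7348 one; the packet model is deliberately minimal.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

VNI_BD8 = 10000   # VNI of broadcast domain BD8 in the page's fig. 4 example


@dataclass(frozen=True)
class VxlanPacket:
    """Constructed, minimal model of an encapsulated packet: outer IP addresses,
    the 8-byte VXLAN header and the inner Ethernet frame (the BUM payload)."""
    outer_src: str
    outer_dst: str     # the EPG's IP multicast address, or a VM IP after multicast-to-unicast
    vxlan: bytes
    inner: bytes


def vxlan_header(vni: int) -> bytes:
    # RFC 7348 layout: flags (I bit, 0x08), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    return struct.pack("!B3xI", 0x08, vni << 8)


def vxlan_vni(header: bytes) -> int:
    return struct.unpack("!I", header[4:8])[0] >> 8


def is_bum(dst_mac: str, mac_table: Dict[str, str]) -> bool:
    """Step 305: broadcast/multicast destination, or a MAC-table miss (unknown unicast)."""
    group_bit = int(dst_mac.split(":")[0], 16) & 1
    return group_bit == 1 or dst_mac not in mac_table


def encapsulate_bum(frame: bytes, dst_mac: str, mac_table: Dict[str, str],
                    vtep_ip: str, group: str) -> Optional[VxlanPacket]:
    """Sending VTEP: wrap BUM traffic of the first user into multicast traffic of
    its EPG's group. Known unicast is not handled here (returns None)."""
    if not is_bum(dst_mac, mac_table):
        return None
    return VxlanPacket(vtep_ip, group, vxlan_header(VNI_BD8), frame)


def deliver_interface_granularity(pkt: VxlanPacket,
                                  iface_map: Set[Tuple[str, str]]) -> List[Tuple[str, bytes]]:
    """Step 306, interface granularity: decapsulate and copy the inner frame to
    every incoming interface that was mapped to the group in step 304."""
    if vxlan_vni(pkt.vxlan) != VNI_BD8:
        return []
    return [(iface, pkt.inner) for iface, g in sorted(iface_map) if g == pkt.outer_dst]


def deliver_user_granularity(pkt: VxlanPacket,
                             user_map: Set[Tuple[str, str, str]]) -> List[Tuple[str, VxlanPacket]]:
    """Step 306, user granularity (multicast-to-unicast): one copy per (interface,
    VM IP) mapped to the group, with the outer destination replaced by the VM IP so
    the server's vSwitch delivers it only to that tenant's VM."""
    if vxlan_vni(pkt.vxlan) != VNI_BD8:
        return []
    copies = []
    for iface, vm_ip, g in sorted(user_map):
        if g == pkt.outer_dst:
            copies.append((iface, VxlanPacket(pkt.outer_src, vm_ip, pkt.vxlan, pkt.inner)))
    return copies
```

With the user-granularity table, a VM of EPG-3 that shares interface ge2 with VMs of EPG-2 receives no copy of EPG-2's traffic, which is the isolation property the passage is after; with the interface-granularity table the whole interface would receive the frame.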
Optionally, when the first user goes offline, in order to save storage resources of the switch, the method further includes:
307. When the switch detects that the first user is offline, the switch sends a second message to the RP, the second message including the first IP multicast address, so that the RP deletes the correspondence between the incoming interface identifier on which it received the multicast join message and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
As shown in fig. 7, when the first user goes offline, an offline notification is sent to the leaf switch, the notification carrying the first IP address and the first IP multicast address of the first user. When the leaf switch senses that the first user is offline, it deletes the correspondence between the first incoming interface identifier and the first IP multicast address (established when the first user joined the multicast group at interface granularity), or the joint correspondence between the first incoming interface identifier and the first IP address and the first IP multicast address (established when the first user joined at user granularity), and sends a second message carrying the first IP multicast address to the RP. After receiving the second message, the RP deletes the correspondence between the first IP multicast address and the incoming interface identifier on which it received the multicast join message. At the same time, the leaf switch deletes the member table entry it created for the first user.
In addition, the leaf switch also maintains a MAC table and an ARP table for its users. The MAC table holds the correspondence between MAC addresses and interfaces established by the leaf switch, and the ARP table holds the correspondence between MAC addresses and IP addresses. When the first user goes offline, the leaf switch can age out the MAC table and ARP table entries corresponding to the first user's MAC address, saving storage space in the leaf switch.
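The offline handling of step 307 and the table ageing described above, as an added example that is not from the patent or from Huawei: the leaf removes the member table entry, the granularity-specific correspondence, and the MAC/ARP entries, and tells the RP to drop its (interface, group) correspondence. One point is an assumption of this example rather than something the page states: the message to the RP is only sent once the leaf has no remaining member of that group, so that the RP's deletion does not cut off users of the same EPG still online under the same leaf. The state is constructed inline as if earlier joins had populated it; interface names and addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RpState:
    """Constructed model of the RP: per IP multicast address, the incoming
    interfaces on which a multicast join was received (these are the RP's
    outgoing interfaces for that group's traffic)."""
    iif_map: Dict[str, Set[str]] = field(default_factory=dict)

    def on_leave(self, group: str, iface: str) -> bool:
        """Delete the (interface, group) correspondence; True if something was removed."""
        ifaces = self.iif_map.get(group)
        if not ifaces or iface not in ifaces:
            return False
        ifaces.discard(iface)
        if not ifaces:
            del self.iif_map[group]
        return True


@dataclass
class LeafOfflineState:
    rp: RpState
    rp_iface: str                                             # RP interface reached by this leaf's uplink (assumed)
    members: Dict[str, Tuple[str, int, str, str]] = field(default_factory=dict)  # ip -> (mac, vlan, iif, group)
    iface_map: Set[Tuple[str, str]] = field(default_factory=set)                 # (iif, group), interface granularity
    user_map: Set[Tuple[str, str, str]] = field(default_factory=set)             # (iif, ip, group), user granularity
    mac_table: Dict[str, str] = field(default_factory=dict)                      # mac -> iif
    arp_table: Dict[str, str] = field(default_factory=dict)                      # ip -> mac
    msgs_to_rp: List[str] = field(default_factory=list)                          # groups named in "second messages"

    def user_offline(self, ip: str, group: str) -> bool:
        """Step 307: the offline notice carries the user's IP and its IP multicast
        address. Returns True when a second message for the group went to the RP."""
        entry = self.members.pop(ip, None)          # delete the member table entry
        if entry is None:
            return False                            # unknown user: nothing to clean up
        mac, _vlan, iif, _g = entry
        self.user_map.discard((iif, ip, group))     # user-granularity correspondence
        # The interface-granularity correspondence is shared by every member on that
        # interface; keep it while another member of the same group remains there.
        if not any(e[2] == iif and e[3] == group for e in self.members.values()):
            self.iface_map.discard((iif, group))
        # Age the MAC and ARP entries of the user that left.
        self.arp_table.pop(ip, None)
        self.mac_table.pop(mac, None)
        # Assumption of this example (not stated on the page): notify the RP only
        # when no member of the group is left on this leaf, so the RP's deletion
        # cannot cut off the other users of the same EPG still online here.
        if any(e[3] == group for e in self.members.values()):
            return False
        self.msgs_to_rp.append(group)
        self.rp.on_leave(group, self.rp_iface)
        return True
```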
Therefore, an embodiment of the present invention provides a user isolation method. A switch monitors the information carried in a first message sent by a first user when the first user comes online; determines, from the correspondence between that information and the identifier of an EPG, that the first user belongs to a first EPG; determines, from the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, that the first user corresponds to a first IP multicast address and thus belongs to the multicast group corresponding to that address; and joins the first user to that multicast group. When the switch receives first BUM traffic sent by the first user, it encapsulates the first BUM traffic into first multicast traffic of the multicast group, carrying the first IP multicast address, so that the traffic is forwarded to the other users of the multicast group. In this way, different EPGs are divided within one network and each EPG is allocated an IP multicast address that carries all BUM traffic of that EPG's users; user isolation is achieved by isolating the BUM traffic of different EPGs, which solves the problem that BUM traffic cannot be isolated among tenant groups sharing the same VLAN or the same VXLAN.
An embodiment of the present invention provides a switch 8, as shown in fig. 8, including:
the interception unit 802 is configured to intercept information carried in a first message sent by a first user when the first user is online;
a determining unit 803, configured to determine that the first user belongs to a first EPG according to a correspondence between the information carried in the first message and an identifier of an EPG (terminal policy group), to determine that the first user corresponds to a first IP multicast address according to the identifier of the first EPG and a correspondence between the identifier of the EPG and an IP multicast address, and to determine that the first user belongs to the multicast group corresponding to the first IP multicast address, where an EPG comprises some of the users in a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or the same network segment or subnet, and the first EPG is one of a plurality of EPGs;
a joining unit 804, configured to join the first user into the multicast group;
an encapsulating unit 805, configured to encapsulate, when the switch receives first broadcast, unknown unicast and multicast (BUM) traffic sent by the first user, the first BUM traffic as first multicast traffic of the multicast group, where the first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to the other users corresponding to the multicast group.
Optionally, the switch may further include an establishing unit 801, configured to establish a correspondence between the VLAN identifier and the incoming interface identifier on the one hand and the identifier of the EPG on the other, and to establish a correspondence between the EPG identifier and the IP multicast address.
Optionally, the determining unit 803 may be configured to:
determine that the first user belongs to the first EPG according to the first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between the VLAN identifier and the incoming interface identifier on the one hand and the EPG identifier on the other.
Optionally, the determining unit 803 may be configured to:
intercept a Dynamic Host Configuration Protocol (DHCP) message sent when the first user comes online, where the DHCP message carries the first Media Access Control (MAC) address of the first user and the first virtual local area network (VLAN) identifier of the VLAN to which the first user belongs.
Optionally, the joining unit 804 may include:
a determining subunit 8041, configured to determine whether there is a second user that belongs to the multicast group corresponding to the first IP multicast address in common with the first user;
an establishing subunit 8042, configured to, if the determination is yes, join the first user into the multicast group to which the second user belongs, and establish a correspondence between the first incoming interface identifier and the first IP multicast address;
and, if the determination is no, to establish the correspondence between the first incoming interface identifier and the first IP multicast address; the joining unit 804 then further includes a sending subunit 8043, configured to send a multicast join message to the rendezvous point (RP) through an upstream device connected to the switch, where the multicast join message includes the first IP multicast address, and to establish a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the incoming interface identifier on which they receive the multicast join message and the first IP multicast address, and a correspondence between the outgoing interface identifier through which they send the multicast join message and the first IP multicast address.
Optionally, the joining unit 804 may include:
a determining subunit 8041, configured to determine whether there is a second user belonging to the same multicast group as the first user;
an establishing subunit 8042, configured to, if the determination is yes, join the first user into the multicast group to which the second user belongs, and establish a correspondence between the first incoming interface identifier and the first IP address jointly and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier jointly and the first IP multicast address;
and, if the determination is no, to establish a correspondence between the first incoming interface identifier and the first IP address jointly and the first IP multicast address, or between the first incoming interface identifier, the first IP address and the first VLAN identifier jointly and the first IP multicast address, to send a multicast join message to the rendezvous point (RP) through an upstream device connected to the switch, where the multicast join message includes the first IP multicast address, and to establish a correspondence between the first outgoing interface identifier through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the incoming interface identifier on which they receive the multicast join message and the first IP multicast address, and a correspondence between the outgoing interface identifier through which they send the multicast join message and the first IP multicast address.
Optionally, the method may further include:
a sending unit 806, configured to, when the switch receives second multicast traffic corresponding to a third user, where the second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs, copy the second multicast traffic and send it to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and that outgoing interface.
Optionally, the switch further includes a replacing unit 807, configured to, when the switch receives second multicast traffic corresponding to a third user, where the second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs, replace the second IP multicast address with the second IP address corresponding to it, according to the joint correspondence between the second incoming interface identifier and second IP address of at least one user and the second IP multicast address;
the sending unit 806 may be configured to: and taking the interface corresponding to the second input interface identifier as an output interface, copying the second multicast traffic at the output interface, and sending the copied second multicast traffic to at least one user according to the replaced second IP address.
Optionally, the establishing unit 801 may further be configured to: establish a member table for the first user, the member table containing the correspondence among the MAC address, first incoming interface identifier, first VLAN identifier and first IP address of the first user, the member table being used to check whether a user that sends multicast traffic is legitimate.
Optionally, the switch may further include a deleting unit 808, configured to delete the member table when the switch senses that the first user is offline;
the sending unit 806 is further configured to: send a second message to the rendezvous point (RP), the second message including the first IP multicast address, so that the RP deletes the correspondence between the incoming interface identifier on which it received the multicast join message and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
In summary, the switch provided in this embodiment monitors the information carried in the first message a first user sends when coming online; determines from the correspondence between that information and EPG identifiers that the first user belongs to a first EPG; determines from the first EPG identifier and the correspondence between EPG identifiers and IP multicast addresses the first IP multicast address of the first user, and therefore the multicast group to which the first user belongs; and joins the first user to that group. When the switch then receives first BUM traffic from the first user, it encapsulates it into first multicast traffic of the group, carrying the first IP multicast address, so that the traffic is forwarded to the other users of the group. By dividing one network into several EPGs and giving each EPG its own IP multicast address that carries all BUM traffic of that EPG's users, the BUM traffic of different EPGs is kept apart, and user isolation follows: BUM traffic of tenant groups that share one VLAN or one VXLAN can now be isolated. Compared with the non-multicast forwarding of the prior art, in which ports that do not need the traffic still receive it and network bandwidth is wasted, BUM forwarding is also more efficient.
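The procedure above (classification of a user by its VLAN and ingress port into an EPG, one IP multicast group per EPG, a join toward the RP when the first local member of a group appears and a prune when the last one leaves, and replication only to ports that hold members of that group) as an added example in Python. It is not code from the patent or from any Huawei product: Switch, OnlineMsg and the method names are this example's own, skipping the ingress port on replication is an assumption the text does not state, and all interface names, VLAN ids, MAC/IP addresses and group addresses are constructed.

```python
"""Control-plane model of EPG-based BUM isolation on a leaf switch.

Added example; not code from the patent or from any vendor implementation.
It keeps the tables the description refers to and shows the isolation property:
two users on the same VLAN but in different EPGs never appear in each other's
replication list. Switch, OnlineMsg and the method names are this example's own;
interfaces, VLAN ids, MAC/IP addresses and group addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OnlineMsg:
    """Fields the switch monitors in the first message of a user coming online.
    The patent does not say which protocol carries it (ARP or DHCP would fit)."""
    mac: str
    ip: str
    vlan: int
    in_iface: str


class Switch:
    def __init__(self, epg_by_port, group_by_epg):
        self.epg_by_port = dict(epg_by_port)    # (VLAN id, incoming interface) -> EPG id
        self.group_by_epg = dict(group_by_epg)  # EPG id -> IP multicast address
        self.members = {}                       # member table: MAC -> (in_iface, vlan, ip, group)
        self.receivers = {}                     # group -> {(out_iface, user ip, vlan)}: replication list
        self.to_rp = []                         # join/prune messages sent toward the RP

    def classify(self, msg):
        """EPG lookup from (VLAN id, ingress interface); unknown pairs are rejected, not defaulted."""
        key = (msg.vlan, msg.in_iface)
        if key not in self.epg_by_port:
            raise LookupError(f"no EPG for vlan {msg.vlan} on {msg.in_iface}")
        return self.epg_by_port[key]

    def user_online(self, msg):
        """Claims 1-5: classify the user, record it, and join the group upstream if it is the first local member."""
        group = self.group_by_epg[self.classify(msg)]
        ports = self.receivers.setdefault(group, set())
        if not ports:
            self.to_rp.append(("join", group))
        ports.add((msg.in_iface, msg.ip, msg.vlan))
        self.members[msg.mac] = (msg.in_iface, msg.vlan, msg.ip, group)
        return group

    def user_offline(self, mac):
        """Claim 9: drop the member entry and prune the group upstream once no local member is left."""
        in_iface, vlan, ip, group = self.members.pop(mac)
        ports = self.receivers[group]
        ports.discard((in_iface, ip, vlan))
        if not ports:
            self.to_rp.append(("prune", group))

    def bum_from_user(self, mac, in_iface):
        """Ingress BUM: only a user present in the member table, on the port recorded for it,
        gets its traffic encapsulated. Returns the group to send to, or None to drop."""
        entry = self.members.get(mac)
        if entry is None or entry[0] != in_iface:
            return None
        return entry[3]

    def local_receivers(self, group, in_iface=None, unicast_rewrite=False):
        """Egress: one copy per local member port of the group. The ingress port is skipped
        (split horizon; an assumption, the patent text does not state it). With
        unicast_rewrite the group address is replaced by the member's own IP (claim 7);
        otherwise the group address is kept (claim 6)."""
        out = []
        for out_iface, ip, vlan in sorted(self.receivers.get(group, ())):
            if out_iface == in_iface:
                continue
            out.append((out_iface, ip if unicast_rewrite else group, vlan))
        return out


def demo():
    """Two EPGs share VLAN 10; the access port decides the EPG, and so the multicast group."""
    sw = Switch(
        epg_by_port={(10, "eth1"): "epg-a", (10, "eth2"): "epg-a", (10, "eth3"): "epg-b"},
        group_by_epg={"epg-a": "239.1.1.1", "epg-b": "239.1.1.2"},
    )
    sw.user_online(OnlineMsg("00:00:5e:00:53:01", "192.0.2.11", 10, "eth1"))
    sw.user_online(OnlineMsg("00:00:5e:00:53:02", "192.0.2.12", 10, "eth2"))
    sw.user_online(OnlineMsg("00:00:5e:00:53:03", "192.0.2.13", 10, "eth3"))
    group = sw.bum_from_user("00:00:5e:00:53:01", "eth1")
    return {
        "group": group,                                                   # 239.1.1.1
        "copies": sw.local_receivers(group, in_iface="eth1"),            # eth2 only, never eth3
        "copies_unicast": sw.local_receivers(group, "eth1", unicast_rewrite=True),
        "spoof": sw.bum_from_user("00:00:5e:00:53:01", "eth3"),          # wrong port: dropped
        "to_rp": list(sw.to_rp),                                          # one join per group
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any real implementation is the one `demo()` exercises: the user on eth3 sits on the same VLAN 10 as the sender but in another EPG, so it is never on the replication list for 239.1.1.1, and a frame claiming a known MAC from the wrong port is dropped before it is ever encapsulated.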
Fig. 9 shows a schematic structural diagram of the switch of the above embodiments. The switch may be the switch in the network architecture of Fig. 1, a leaf switch in the network architecture of Fig. 2, or the switch of the method in Fig. 3.
The switch may include a controller/processor 902 that controls and manages the operation of the switch; for example, the controller/processor 902 may support the switch in performing steps 301 to 307 of Fig. 3 and/or the other processes of the techniques described in the embodiments. A memory 901 stores the program code and data of the switch. A network interface 903 supports the switch's communication with other network entities and may include a transmitter and a receiver; for example, it supports communication with the server on which a user runs, or with the other switches of a multicast shared tree.
In this embodiment, the network interface 903 may be used to monitor information carried in a first message sent by a first user when the first user comes online. The controller/processor 902 may be configured to determine, from the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to a first EPG; to determine, from the first EPG identifier and the correspondence between EPG identifiers and IP multicast addresses, the first IP multicast address corresponding to the first user; and to determine that the first user belongs to the multicast group corresponding to the first IP multicast address. An EPG comprises a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or a subset of the users in one network segment or subnet, and the first EPG is one of a plurality of EPGs. The controller/processor 902 further joins the first user to the multicast group, and when the network interface 903 receives first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, the controller/processor 902 encapsulates the first BUM traffic into first multicast traffic of the multicast group, carrying the first IP multicast address, so that it is forwarded to the other users of the multicast group.
For specific implementation of the controller/processor 902 and the network interface 903, reference may be made to the above embodiments, which are not described herein again.
In summary, the switch of this embodiment divides one network into several EPGs and gives each EPG one IP multicast address that carries all BUM traffic of that EPG's users; keeping the BUM traffic of the different EPGs apart isolates the users, which solves the problem that BUM traffic of tenant groups sharing one VLAN could not be isolated.
In the several embodiments provided in the present application, it should be understood that the disclosed terminal and method can be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be physically included alone, or two or more units may be integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (18)

1. A user isolation method, comprising:
a switch monitoring information carried in a first message sent by a first user when the first user comes online;
the switch determining, from the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to a first EPG; determining, from the identifier of the first EPG and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, a first IP multicast address corresponding to the first user; and determining that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or a subset of the users in one network segment or subnet, and the first EPG is one of a plurality of EPGs;
the switch joining the first user to the multicast group; and
when the switch receives first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, the switch encapsulating the first BUM traffic into first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group.
2. The method according to claim 1, further comprising:
the switch establishing a correspondence between pairs of VLAN identifier and incoming interface identifier and EPG identifiers; and
the switch establishing a correspondence between EPG identifiers and IP multicast addresses.
3. The method according to claim 2, wherein the switch determining that the first user belongs to the first EPG from the correspondence between the information carried in the first message and EPG identifiers comprises:
the switch determining that the first user belongs to the first EPG from a first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between pairs of VLAN identifier and incoming interface identifier and EPG identifiers.
4. The method according to claim 3, wherein the switch joining the first user to the multicast group comprises:
the switch determining whether there is a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address;
if so, adding the first user to the multicast group to which the second user belongs, and establishing a correspondence between the first incoming interface identifier and the first IP multicast address;
if not, the switch establishing a correspondence between the first incoming interface identifier and the first IP multicast address, sending a multicast join message carrying the first IP multicast address to a rendezvous point (RP) through an upstream device connected to the switch, and establishing a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
5. The method according to claim 3, wherein the switch joining the first user to the multicast group comprises:
the switch determining whether there is a second user that belongs to the same multicast group as the first user;
if so, adding the first user to the multicast group to which the second user belongs, and establishing a correspondence between the pair (first incoming interface identifier, first IP address) and the first IP multicast address, or between the triple (first incoming interface identifier, first IP address, first VLAN identifier) and the first IP multicast address;
if not, the switch establishing a correspondence between the pair (first incoming interface identifier, first IP address) and the first IP multicast address, or between the triple (first incoming interface identifier, first IP address, first VLAN identifier) and the first IP multicast address, sending a multicast join message carrying the first IP multicast address to a rendezvous point (RP) through an upstream device connected to the switch, and establishing a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
6. The method according to claim 4, further comprising:
when the switch receives second multicast traffic for a third user, the second multicast traffic carrying the second IP multicast address of the multicast group to which the third user belongs, the switch replicating the second multicast traffic to the users on the egress interfaces corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and egress interfaces, and sending it.
7. The method according to claim 5, further comprising:
when the switch receives second multicast traffic for a third user, the second multicast traffic carrying the second IP multicast address of the multicast group to which the third user belongs, the switch replacing the second IP multicast address with the second IP address corresponding to it, according to the correspondence between the pair (second incoming interface identifier, second IP address) of at least one user and the second IP multicast address; and
the switch using the interface corresponding to the second incoming interface identifier as an outgoing interface, replicating the second multicast traffic on that outgoing interface, and sending the copies to the at least one user according to the substituted second IP address.
8. The method according to any one of claims 4 to 7, further comprising, after the first user comes online:
the switch establishing a member table for the first user, the member table recording the correspondence among the MAC address of the first user, the first incoming interface identifier, the first VLAN identifier and the first IP address, and the member table being used to check whether a user that sends multicast traffic is legitimate.
9. The method according to claim 8, further comprising:
when the switch detects that the first user has gone offline, deleting the member table and sending a second message carrying the first IP multicast address to the RP, so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
10. A switch, comprising:
a monitoring unit, configured to monitor information carried in a first message sent by a first user when the first user comes online;
a determining unit, configured to determine, from the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to a first EPG; to determine, from the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, a first IP multicast address corresponding to the first user; and to determine that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible local area network (VXLAN), or a subset of the users in one network segment or subnet, and the first EPG is one of a plurality of EPGs;
a joining unit, configured to join the first user to the multicast group; and
an encapsulating unit, configured to, when the switch receives first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, encapsulate the first BUM traffic into first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group.
11. The switch according to claim 10, further comprising:
an establishing unit, configured to establish a correspondence between pairs of VLAN identifier and incoming interface identifier and EPG identifiers, and
to establish a correspondence between EPG identifiers and IP multicast addresses.
12. The switch according to claim 11, wherein the determining unit is configured to:
determine that the first user belongs to the first EPG from a first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between pairs of VLAN identifier and incoming interface identifier and EPG identifiers.
13. The switch according to claim 12, wherein the joining unit comprises:
a determining subunit, configured to determine whether there is a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address;
an establishing subunit, configured to, if so, add the first user to the multicast group to which the second user belongs and establish a correspondence between the first incoming interface identifier and the first IP multicast address, and, if not, establish a correspondence between the first incoming interface identifier and the first IP multicast address; and
a sending subunit, configured to send a multicast join message carrying the first IP multicast address to a rendezvous point (RP) through an upstream device connected to the switch, and to establish a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
14. The switch according to claim 12, wherein the joining unit comprises:
a determining subunit, configured to determine whether there is a second user that belongs to the same multicast group as the first user;
an establishing subunit, configured to, if so, add the first user to the multicast group to which the second user belongs and establish a correspondence between the pair (first incoming interface identifier, first IP address) and the first IP multicast address, or between the triple (first incoming interface identifier, first IP address, first VLAN identifier) and the first IP multicast address, and, if not, establish a correspondence between the pair (first incoming interface identifier, first IP address) and the first IP multicast address, or between the triple (first incoming interface identifier, first IP address, first VLAN identifier) and the first IP multicast address; and
a sending subunit, configured to send a multicast join message carrying the first IP multicast address to a rendezvous point (RP) through an upstream device connected to the switch, and to establish a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP each establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
15. The switch according to claim 13, further comprising a sending unit configured to: when the switch receives second multicast traffic for a third user, the second multicast traffic carrying the second IP multicast address of the multicast group to which the third user belongs, replicate the second multicast traffic to the users on the egress interfaces corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and egress interfaces, and send it.
16. The switch according to claim 14, further comprising a replacing unit configured to: when the switch receives second multicast traffic for a third user, the second multicast traffic carrying the second IP multicast address of the multicast group to which the third user belongs, replace the second IP multicast address with the second IP address corresponding to it, according to the correspondence between the pair (second incoming interface identifier, second IP address) of at least one user and the second IP multicast address;
and a sending unit, configured to use the interface corresponding to the second incoming interface identifier as an outgoing interface, replicate the second multicast traffic on that outgoing interface, and send the copies to the at least one user according to the substituted second IP address.
17. The switch according to any one of claims 13 to 16, wherein the establishing unit is further configured to: establish a member table for the first user, the member table recording the correspondence among the MAC address of the first user, the first incoming interface identifier, the first VLAN identifier and the first IP address, and the member table being used to check whether a user that sends multicast traffic is legitimate.
18. The switch according to claim 17, further comprising: a deleting unit, configured to delete the member table when the switch detects that the first user has gone offline;
and the sending unit is configured to: send a second message carrying the first IP multicast address to a rendezvous point (RP), so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
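The data-plane half of the claims, as an added example in Python that is not code from the patent or from any product: the member-table check of claim 8 applied to a frame arriving on a user port, classification of the frame as BUM, VXLAN encapsulation toward the EPG's multicast group, and the decapsulation a receiving leaf would perform. The VXLAN header layout and UDP port 4789 follow RFC 7348; the function names, the member table contents, the VNI-per-group mapping, the VTEP address and all MAC/IP addresses are constructed for this example, and the outer Ethernet header is omitted.

```python
"""Data-plane side of EPG-based BUM isolation: sender check against the member table,
then VXLAN encapsulation toward the EPG's multicast group.

Added example, not code from the patent. VXLAN header layout and UDP port are RFC 7348;
everything else (function names, member table, MAC/IP addresses, VNIs, VTEP address)
is constructed for this example. Only the outer IPv4 header is built; the outer
Ethernet header is left to the transmitting port.
"""
import struct

VXLAN_UDP_PORT = 4789
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def ip_checksum(hdr: bytes) -> int:
    """Ones'-complement sum over 16-bit words; returns 0 over a header whose checksum is valid."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(dst_mac, src_mac, vlan, src_ip, dst_ip, payload=b"") -> bytes:
    """Constructed 802.1Q-tagged IPv4 frame (minimal IP header, no L4) used as sample input."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan, src_ip, dst_ip) for a tagged IPv4 frame, else None."""
    if len(frame) < 18:
        return None
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    etype, = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if etype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    return dst, src, vlan, ip_str(frame[off + 12:off + 16]), ip_str(frame[off + 16:off + 20])


def vxlan_encap(frame: bytes, vni: int, src_vtep: str, group: str) -> bytes:
    """Outer IPv4 (dst = EPG group, TTL 16) + UDP/4789 + VXLAN header (I bit, 24-bit VNI) + frame."""
    vx = struct.pack("!II", 0x08 << 24, vni << 8)
    udp_len = 8 + len(vx) + len(frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum is allowed over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 16, 17, 0,
                     ip_bytes(src_vtep), ip_bytes(group))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp + vx + frame


def vxlan_decap(pkt: bytes):
    """Return (outer dst, vni, inner frame), or None if the packet is not VXLAN-in-IPv4."""
    if len(pkt) < 36 or pkt[0] != 0x45 or pkt[9] != 17 or ip_checksum(pkt[:20]) != 0:
        return None
    if struct.unpack("!H", pkt[22:24])[0] != VXLAN_UDP_PORT:
        return None
    flags, vni_field = struct.unpack("!II", pkt[28:36])
    if flags >> 24 != 0x08:
        return None
    return ip_str(pkt[16:20]), vni_field >> 8, pkt[36:]


def ingress_bum(member_table, vni_by_group, vtep_ip, in_iface, frame):
    """Switch ingress for a frame from a user port.
    The member table (claim 8) is consulted first: source MAC, ingress port, VLAN and source
    IP must all match the entry written when the user came online, otherwise the frame is
    dropped. Known unicast is left to normal forwarding; BUM (broadcast, multicast, unknown
    unicast) is encapsulated toward the sender's own EPG group, never another EPG's.
    Returns ('drop', reason) | ('unicast', None) | ('multicast', packet_bytes)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return ("drop", "unparsable")
    dst_mac, src_mac, vlan, src_ip, _ = parsed
    entry = member_table.get(src_mac)
    if entry is None or (entry["iface"], entry["vlan"], entry["ip"]) != (in_iface, vlan, src_ip):
        return ("drop", "sender not in member table on this port")
    group_bit = int(dst_mac[:2], 16) & 1          # set for broadcast and multicast MACs
    if not group_bit and dst_mac in member_table:  # known unicast: not BUM
        return ("unicast", None)
    group = entry["group"]
    return ("multicast", vxlan_encap(frame, vni_by_group[group], vtep_ip, group))


MEMBER_TABLE = {   # constructed; one entry per user that came online, keyed by MAC
    "00:00:5e:00:53:01": {"iface": "eth1", "vlan": 10, "ip": "192.0.2.11", "group": "239.1.1.1"},
    "00:00:5e:00:53:03": {"iface": "eth3", "vlan": 10, "ip": "192.0.2.13", "group": "239.1.1.2"},
}
VNI_BY_GROUP = {"239.1.1.1": 10001, "239.1.1.2": 10002}   # constructed; one VNI per EPG
```

Usage: `ingress_bum(MEMBER_TABLE, VNI_BY_GROUP, "10.0.0.1", "eth1", build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 10, "192.0.2.11", "255.255.255.255"))` yields a multicast packet whose outer destination is 239.1.1.1; the same frame presented on eth3, or with a source IP that is not the one recorded for that MAC, is dropped before encapsulation. The unicast-substitution delivery of claim 7 would operate on the outer destination address of the packet returned here.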
CN201610552867.7A 2016-07-13 2016-07-13 User isolation method and switch Active CN107623636B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610552867.7A CN107623636B (en) 2016-07-13 2016-07-13 User isolation method and switch

Publications (2)

Publication Number Publication Date
CN107623636A CN107623636A (en) 2018-01-23
CN107623636B true CN107623636B (en) 2020-08-25

Family

ID=61087494

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610552867.7A Active CN107623636B (en) 2016-07-13 2016-07-13 User isolation method and switch

Country Status (1)

Country Link
CN (1) CN107623636B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900422B (en) * 2018-07-27 2021-10-12 新华三技术有限公司 Multicast forwarding method and device and electronic equipment
CN110661732B (en) * 2019-09-20 2022-05-27 浪潮思科网络科技有限公司 Device and method for scheduling flow among working groups based on MAC (media access control) VLAN (virtual local area network)
CN111464511A (en) * 2020-03-18 2020-07-28 紫光云技术有限公司 Method for supporting multi-VPC isolation in cloud computing network
CN113079030B (en) * 2020-05-29 2022-05-24 新华三信息安全技术有限公司 Configuration information issuing method and access equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159665A (en) * 2007-08-28 2008-04-09 杭州华三通信技术有限公司 Method and device to implement forwarding of unknown multicast packet to router port
EP3013006A1 (en) * 2014-10-22 2016-04-27 Juniper Networks, Inc. Protocol independent multicast sparse mode (pim-sm) support for data center interconnect

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9794180B2 (en) * 2014-07-18 2017-10-17 Cisco Technology, Inc. Reducing transient packet duplication and improving split-horizon filtering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant