CN116418632A - Message processing method, device, equipment and machine-readable storage medium - Google Patents
Publication number: CN116418632A (application CN202310325310.XA)
Authority: CN (China)
Prior art keywords: message, vgre, tunnel, gateway, vni
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L61/2503: Translation of Internet protocol [IP] addresses
- H04L67/141: Setup of application sessions
- H04L69/22: Parsing or analysis of headers
Abstract
The present disclosure provides a message processing method, apparatus, device and machine-readable storage medium. The method includes: receiving a vGRE message sent through a vGRE tunnel; parsing the vGRE message to obtain the VNI information it carries, and establishing a vGRE session from the five-tuple information, tunnel information and VNI information of the message; and performing NAT translation on the vGRE message according to the vGRE session and the matched NAT configuration, then forwarding the vGRE message to the public network according to the result. In this scheme the vGRE message carried over the vGRE tunnel includes a corresponding identifier and the VNI information, which distinguishes the VMs of different tenants even when their addresses overlap. The tenant VM address-overlap problem is therefore solved without adding network equipment or changing the network architecture, without a second NAT translation, and without being limited by the VLAN identifier capacity of the network equipment.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a machine-readable storage medium for processing a message.
Background
After servers are virtualized, the number of VMs in a data center grows by orders of magnitude compared with the number of the original physical machines, and the number of virtual NIC MAC addresses grows correspondingly, which puts great pressure on the address-table capacity of the original TOR switches.
Moreover, the original data center has only 4094 virtual network identifiers available for dividing virtual networks into VLANs, so VLAN technology cannot meet the requirements of large-scale data centers and public clouds.
In addition, a virtual machine in a cloud data center can be migrated within a certain range. In a VLAN network it can only be migrated within one layer-2 network, and to support migration the layer-2 network must be pre-configured with VLANs, which leads to VLAN configuration sprawl, weakens the isolation of VLAN broadcast domains, and reduces network efficiency.
VXLAN (Virtual eXtensible Local Area Network) is a tunneling technique that establishes a layer-2 Ethernet tunnel over a layer-3 network, thereby achieving cross-domain layer-2 interconnection. VNI (VXLAN Network Identifier) distinguishes VXLAN segments. BD (Bridge Domain) connects two different network segments. NAT (Network Address Translation) is a technique for rewriting source or destination IP addresses as IP packets pass through routers or firewalls.
Disclosure of Invention
In view of the above, the disclosure provides a method and apparatus for processing a message, an electronic device, and a machine-readable storage medium, so as to solve the problem that the network efficiency is affected due to insufficient network identification capacity.
The technical scheme is as follows:
The disclosure provides a message processing method applied to a gateway device, comprising the following steps: receiving a vGRE message sent through a vGRE tunnel, where the vGRE message is a message to be forwarded that a private network gateway sends to the gateway device through the vGRE tunnel after decapsulating a VXLAN message whose next hop is the vGRE tunnel; parsing the vGRE message to obtain the VNI information it carries, and establishing a vGRE session from the five-tuple information, tunnel information and VNI information of the vGRE message; and performing NAT translation on the vGRE message according to the vGRE session and the matched NAT configuration, then forwarding the vGRE message to the public network according to the result.
As a technical solution, the private network gateway is an SDN gateway, and the gateway device is a NAT gateway device.
As a technical solution, the vGRE tunnel is configured to forward vGRE messages. A vGRE message carries a specific GRE header that contains a specific flag bit and a VNI field: the flag bit identifies the message as one that has been VXLAN-decapsulated and is being forwarded through the vGRE tunnel, and the VNI field records the VNI information of the associated VXLAN endpoint.
As a technical solution, the method further includes: receiving a response message from the public network associated with the vGRE session; encapsulating the response message according to the VNI information to generate a vGRE message; and forwarding the generated vGRE message to the private network gateway, so that the private network gateway generates and forwards a VXLAN message according to the VNI information of the vGRE message.
The disclosure also provides a message processing apparatus applied to a gateway device, comprising: a receiving module for receiving a vGRE message sent through a vGRE tunnel, where the vGRE message is a message to be forwarded that a private network gateway sends to the gateway device through the vGRE tunnel after decapsulating a VXLAN message whose next hop is the vGRE tunnel; a processing module for parsing the vGRE message to obtain the VNI information it carries, and establishing a vGRE session from the five-tuple information, tunnel information and VNI information of the vGRE message; and a sending module for performing NAT translation on the vGRE message according to the vGRE session and the matched NAT configuration, and forwarding the vGRE message to the public network according to the result.
As a technical solution, the private network gateway is an SDN gateway, and the gateway device is a NAT gateway device.
As a technical solution, the vGRE tunnel is configured to forward vGRE messages. A vGRE message carries a specific GRE header that contains a specific flag bit and a VNI field: the flag bit identifies the message as one that has been VXLAN-decapsulated and is being forwarded through the vGRE tunnel, and the VNI field records the VNI information of the associated VXLAN endpoint.
As a technical solution, the receiving module is further configured to receive a response message from the public network associated with the vGRE session; the processing module is further configured to encapsulate the response message according to the VNI information to generate a vGRE message; and the sending module is further configured to forward the generated vGRE message to the private network gateway, so that the private network gateway can generate and forward a VXLAN message according to the VNI information of the vGRE message.
The present disclosure also provides an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the foregoing message processing method.
The present disclosure also provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the foregoing message processing method.
The technical solution provided by the disclosure brings at least the following beneficial effects:
Through the vGRE message and the vGRE tunnel, the corresponding identifier and VNI information are carried in the message to distinguish the VMs of different tenants, so that tenant VMs with overlapping addresses can be told apart. The tenant VM address-overlap problem is thus solved without adding network equipment, without changing the network architecture and without a second NAT translation, and the solution is not limited by the VLAN identifier capacity of the network equipment.
Drawings
To illustrate the embodiments of the present disclosure or the prior-art solutions more clearly, the drawings needed for their description are briefly introduced below. Clearly, the drawings described below show only some of the embodiments of the present disclosure, and those skilled in the art can obtain other drawings from them.
FIG. 1 is a flow chart of a message processing method in one embodiment of the present disclosure;
FIG. 2 is a block diagram of a message processing apparatus in one embodiment of the present disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in one embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one kind of information from another. For example, first information may also be called second information, and similarly second information may be called first information, without departing from the scope of the present disclosure. Furthermore, depending on the context, the word "if" as used may be interpreted as "at … …" or "at … …" or "in response to a determination".
In one technical solution the problem is addressed with VXLAN technology. VXLAN is an overlay network technology that realizes a virtual layer-2 network for a multi-tenant public cloud data center using MAC-over-UDP encapsulation. VXLAN has a 24-bit VXLAN network identifier and can support up to 16M isolated VXLAN networks. By encapsulating frames MAC-over-UDP, the layer-2 network is overlaid on the layer-3 network, extending layer-2 across layer-3 and decoupling the physical network from the virtual network, so that each tenant can plan its own IP address space independently.
VXLAN is a tunneling technique that encapsulates the original layer-2 frame in a UDP message (destination port 4789), which the external network forwards as an ordinary UDP message. Forwarding is guided by the outer IP and MAC addresses. Devices that encapsulate and decapsulate are called VTEPs (VXLAN Tunnel End Points); VTEP devices are the endpoints of VXLAN tunnels. When a VXLAN message is forwarded to a VTEP, the VTEP decapsulates it and then forwards it according to the inner IP and inner MAC. The VNI (VXLAN Network Identifier) is the VXLAN network identifier; like a VLAN tag, it identifies different network segments.
In a typical VXLAN deployment, an original message sent by a VM is encapsulated and then transmitted through a VXLAN tunnel, and the VMs at both ends of the tunnel do not need to perceive the physical architecture of the transport network. Thus VMs with IP addresses in the same network segment are logically in the same layer-2 domain even if their physical locations are not in the same layer-2 network. That is, VXLAN builds a large virtual layer-2 network on top of a layer-3 network, and a virtual machine can be placed into that large layer-2 network as long as it is reachable by routing. Overlay-based VXLAN does not perceive the underlying physical network and can superimpose a virtual layer-2 network on any route-reachable network, so layer-2 interconnection between sites can be achieved. The VXLAN network identifier VNI effectively solves the isolation problem for the large number of tenants in cloud computing. Meanwhile, layer-3 interconnection between sites can be achieved with a VXLAN layer-3 gateway. Therefore, interconnection among a tenant's different sites can be achieved through VXLAN, and it is quicker and more flexible.
In a VXLAN network the broadcast domain is divided by BD (Bridge Domain), similar to dividing broadcast domains with VLANs in a conventional network. VNIs are mapped 1:1 to bridge domains; one BD represents one broadcast domain, and hosts in the same BD can communicate at layer 2.
Just as VLANs require a VLANIF interface to achieve inter-VLAN access, VXLAN requires a VBDIF interface, a layer-3 logical interface created on a BD, to forward data between VNIs. Different BDs cannot access each other directly, and a VXLAN network cannot access an external network directly; a VXLAN layer-3 gateway must be deployed for cross-subnet communication within the VXLAN virtual network and for access to the external network.
A virtual machine in a service POD initiates external-network access; the traffic passes through the switches in the POD and reaches the POD interconnection layer. If it is north-south traffic it reaches the north-south aggregation switch, which sends it over VXLAN to the side-mounted SDN gateway. After the SDN gateway terminates the VXLAN, the traffic is sent back to the north-south aggregation switch, which sends it on to the SDN NAT gateway at the network egress layer; there the in-cloud private address is translated to a public address, and the traffic finally enters the public network. Traffic from the public network to a virtual machine in the cloud takes the reverse path.
However, in the above solution, when the VXLAN network accesses the external network, the VXLAN tunnel must be decapsulated. The original messages may come from different tenants, the decapsulated original VM addresses are private addresses, and overlapping addresses between different tenants are unavoidable.
If different tenants are distinguished by VLAN or VRF: the VNI field of VXLAN is 24 bits wide, i.e. up to 2^24 = 16,777,216 (about 16 million) tenants are supported, but the network devices on the traffic path (such as switches and SDN gateways) can support at most 4K VLANs or VRFs, so a single resource pool cannot support more than 4K tenants.
If a NAT is performed before a message sent by a VM enters the VXLAN tunnel, so that tenant addresses are first translated to non-overlapping addresses, then tenants need not be isolated by VRF on the gateway facing the public network: one NAT translation is performed before the traffic enters VXLAN encapsulation, converting the virtual machine address to a public address used inside the cloud, and a second NAT translation is performed on the SDN NAT gateway, converting it to the real public address. But the non-overlapping addresses must be planned by an administrator in advance and bound to the subsequent real gateway, so free migration is impossible, operation and maintenance become more complex, and the mechanism by which the VXLAN network completely isolates each tenant is broken, which may lead to unauthorized access between tenants and bring security risks.
In view of the above, the disclosure provides a message processing method and apparatus, an electronic device, and a machine-readable storage medium, so as to improve the above technical problems.
The specific technical scheme is as follows.
In one embodiment, the present disclosure provides a message processing method applied to a gateway device, where the method includes: receiving a vGRE message sent through a vGRE tunnel, where the vGRE message is a message to be forwarded that a private network gateway sends to the gateway device through the vGRE tunnel after decapsulating a VXLAN message whose next hop is the vGRE tunnel; parsing the vGRE message to obtain the VNI information it carries, and establishing a vGRE session from the five-tuple information, tunnel information and VNI information of the vGRE message; and performing NAT translation on the vGRE message according to the vGRE session and the matched NAT configuration, then forwarding the vGRE message to the public network according to the result.
Specifically, as shown in FIG. 1, the method comprises the following steps:
Step S11: receiving a vGRE message sent through a vGRE tunnel;
Step S12: parsing the vGRE message to obtain the VNI information it carries, and establishing a vGRE session from the five-tuple information, tunnel information and VNI information of the vGRE message;
Step S13: performing NAT translation on the vGRE message according to the vGRE session and the matched NAT configuration, and forwarding the vGRE message to the public network according to the result.
Through the vGRE message and the vGRE tunnel, the corresponding identifier and VNI information are carried in the message to distinguish the VMs of different tenants, so that tenant VMs with overlapping addresses can be told apart. The tenant VM address-overlap problem is thus solved without adding network equipment, without changing the network architecture and without a second NAT translation, and the solution is not limited by the VLAN identifier capacity of the network equipment.
In an embodiment, the private network gateway is an SDN gateway and the gateway device is a NAT gateway device.
In one embodiment, the vGRE tunnel is configured to forward vGRE messages. A vGRE message carries a specific GRE header that contains a specific flag bit and a VNI field: the flag bit identifies the message as one that has been VXLAN-decapsulated and is being forwarded through the vGRE tunnel, and the VNI field records the VNI information of the associated VXLAN endpoint.
In one embodiment, the method further includes: receiving a reply message from the public network associated with the vGRE session; encapsulating the reply message according to the VNI information to generate a vGRE message; and forwarding the generated vGRE message to the private network gateway, so that the private network gateway generates and forwards a VXLAN message according to the VNI information of the vGRE message.
In an exemplary embodiment, the simplified message forwarding path is, in order: POD (tenant VM, private network devices), north-south aggregation switch, SDN gateway, north-south aggregation switch, SDN NAT gateway, egress router, Internet (public network).
The GRE tunnel is extended and defined as a vGRE tunnel. The vGRE tunnel transmits vGRE messages, that is, specific GRE messages: a VNI field carrying the VXLAN VNI information is encapsulated in the header of the specific GRE message, and a specific flag bit is added to identify that the message has been VXLAN-decapsulated and has entered the vGRE tunnel for forwarding.
A vGRE tunnel is established between the SDN gateway and the NAT gateway, and a route is configured on the SDN gateway. When the SDN gateway receives VXLAN traffic from the north-south aggregation switch, it looks up the route, finds that the next hop is the vGRE tunnel, decapsulates the traffic and enters the tunnel forwarding flow.
After receiving a message through the vGRE tunnel, the NAT gateway decapsulates it, finds by routing that it is to be forwarded to the public network, creates a vGRE session that records the five-tuple information, tunnel information and VNI information of the message, matches the NAT configuration, performs NAT translation and forwards the message to the public network. When the NAT gateway receives the message returned from the public network, it matches the vGRE session, performs NAT translation and encapsulation on the message according to the recorded information, and forwards the encapsulated message carrying the VNI information out of the vGRE tunnel interface to the SDN gateway. On receiving it, the SDN gateway decapsulates it, adds VXLAN encapsulation to the original message according to the VNI field in the vGRE tunnel header, and then performs normal VXLAN forwarding.
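The patent fixes neither the position of the "specific flag bit" nor the layout of the VNI field. The encoder and decoder below are an added example and not code from the patent or its applicant: they assume an RFC 2784/2890 GRE header in which the Key word carries the 24-bit VNI in its upper 24 bits (the layout NVGRE uses for its VSID) and the lowest Reserved0 bit serves as the vGRE flag. The names GreHeader, encode_vgre, decode_vgre and VGRE_FLAG are invented for the example. The decoder refuses a message whose flag is set but whose Key word is absent, because the VNI later selects the tenant and a defaulted VNI would attribute the message to the wrong one.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# GRE base header (RFC 2784/2890): 16 bits of flags/version, 16-bit protocol type,
# then optional Checksum+Reserved1 (C), Key (K) and Sequence (S) words, in that order.
GRE_C = 0x8000
GRE_K = 0x2000
GRE_S = 0x1000
GRE_VER_MASK = 0x0007
# ASSUMPTION (not stated in the patent): the lowest Reserved0 bit is the vGRE flag,
# and the 24-bit VNI rides in the upper 24 bits of the 32-bit Key word (NVGRE-style).
VGRE_FLAG = 0x0008
PROTO_IPV4 = 0x0800


@dataclass(frozen=True)
class GreHeader:
    vgre: bool            # message was VXLAN-decapsulated and carries a VNI
    vni: int              # meaningful only when vgre is True
    proto: int = PROTO_IPV4


def encode_vgre(hdr: GreHeader) -> bytes:
    """Build the header bytes. A vGRE message always carries the Key word."""
    if not 0 <= hdr.vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if hdr.vgre:
        return struct.pack("!HHI", GRE_K | VGRE_FLAG, hdr.proto, hdr.vni << 8)
    return struct.pack("!HH", 0, hdr.proto)          # plain GRE, no Key word


def decode_vgre(buf: bytes) -> Tuple[GreHeader, bytes]:
    """Parse a GRE header and return (header, inner payload).

    Malformed input is rejected rather than guessed at: downstream the VNI is
    the tenant selector, so a fabricated VNI would misattribute the payload."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", buf, 0)
    if flags & GRE_VER_MASK:
        raise ValueError("unsupported GRE version")
    off = 4
    if flags & GRE_C:
        off += 4                                      # checksum + reserved1 (not verified here)
    key = None
    if flags & GRE_K:
        if len(buf) < off + 4:
            raise ValueError("truncated Key field")
        (key,) = struct.unpack_from("!I", buf, off)
        off += 4
    if flags & GRE_S:
        off += 4
    if len(buf) < off:
        raise ValueError("truncated optional fields")
    vgre = bool(flags & VGRE_FLAG)
    if vgre and key is None:
        raise ValueError("vGRE flag set without Key field")
    vni = (key >> 8) if vgre else 0
    return GreHeader(vgre=vgre, vni=vni, proto=proto), buf[off:]


if __name__ == "__main__":
    # Constructed sample: VNI 10 from the patent's worked example, in front of a
    # two-byte stand-in for the inner IPv4 message.
    wire = encode_vgre(GreHeader(vgre=True, vni=10)) + b"\x45\x00"
    print(wire.hex(), decode_vgre(wire))
```

A plain GRE message (no flag, no Key word) decodes with vgre set to False, so a NAT gateway that keys sessions on the VNI can tell a tunnel message that came out of VXLAN decapsulation apart from ordinary GRE traffic on the same path.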
In one embodiment, there is a virtual machine VM1 in the tenant service POD with address 1.1.1.1 that needs to access a web site on the Internet whose public address is 39.156.69.79; the tenant's VM1 belongs to VXLAN 10. A vGRE tunnel is established between the SDN gateway and the SDN NAT gateway: on the SDN gateway the tunnel source address is configured as 2.2.2.2 and the destination address as 3.3.3.3, and on the SDN NAT gateway the source address is configured as 3.3.3.3 and the destination address as 2.2.2.2. A public address pool ranging from 30.1.1.1 to 30.1.1.10 is configured on the SDN NAT gateway for translating the private address of tenant VM1 into a public address that can enter the Internet.
When tenant VM1 initiates access to 39.156.69.79, the source IP is 1.1.1.1, the destination IP is 39.156.69.79, the protocol is TCP, and the message is sent to the north-south aggregation switch.
The north-south aggregation switch receives the message from VM1, identifies that it belongs to VXLAN 10, looks up the destination MAC entry, VXLAN-encapsulates the message and sends it to the SDN gateway. In the VXLAN header the VNI is 10; the outer source IP is the switch's VXLAN tunnel IP and the outer destination IP is the SDN gateway's VXLAN tunnel IP; the outer source MAC is the switch's MAC and the outer destination MAC is the MAC of the next-hop device toward the destination IP. The encapsulated message is transmitted through the IP network according to the outer MAC and IP information until it reaches the SDN gateway.
A corresponding routing policy is configured on the SDN gateway so that the next hop of all messages destined for the public network is the vGRE tunnel interface. The SDN gateway receives the message from the north-south aggregation switch, finds that the outer destination IP is its own, decapsulates the message, and by looking up the route recognizes it as destined for the public network, so it must enter the vGRE tunnel. The original message is then encapsulated: the inner source IP is 1.1.1.1, the inner destination IP is 39.156.69.79, the protocol is TCP, the outer source IP of the vGRE tunnel is 2.2.2.2, the outer destination IP is 3.3.3.3, the VNI field in the header is set to 10, the outer source MAC is the MAC of the vGRE tunnel and the outer destination MAC is the MAC of the next-hop device toward the destination IP. The encapsulated message is transmitted through the IP network according to the outer MAC and IP information until it reaches the SDN NAT gateway at the far end.
The SDN NAT gateway receives the message from the SDN gateway through the vGRE tunnel, decapsulates it to obtain the inner message, finds by looking up the routing table that it is destined for the public network, sends it toward the public network port, and records the relevant session entry on the device.
At the public network egress the message matches the NAT policy; an unused public address is selected from the configured public address pool to translate the message's source IP, the message is sent to the egress router, and at the same time the session entry is completed and committed.
A message returned from the public network is matched against the session, its IP address is translated back accordingly, it is vGRE-encapsulated and forwarded out of the vGRE tunnel interface to the SDN gateway; after the SDN gateway decapsulates the vGRE message it performs VXLAN encapsulation, and the subsequent forwarding path is the reverse of the forward path and is not repeated here.
If VM1 additionally provides a service to the outside through the public address 31.1.1.1, a NAT server must be configured on the public network port of the SDN NAT gateway, specifying the correspondence between public address 31.1.1.1, private address 1.1.1.1, protocol TCP and VNI 10.
The SDN NAT gateway performs the corresponding address and port translation and vGRE encapsulation on the message according to this configuration, and fills the VNI field of the vGRE header with the VNI from the configuration when encapsulating. The subsequent forwarding flow is the same as described above.
According to this embodiment, no network equipment needs to be added and the network architecture need not change; the north-south access requirements of large-scale tenant deployments exceeding 4K in a cloud scenario can be met, and the mechanism by which each tenant is completely isolated through the VXLAN network is not damaged. The VM address-overlap problem is handled without a second NAT translation. On the SDN NAT gateway, even if the addresses of different tenants' VMs overlap, their VNIs differ, so the session entries generated on the SDN NAT gateway are not identical: when a VM actively accesses the public network its source address is translated to a public address, so the resulting public IP+port pairs are necessarily different; when the public network actively accesses a VM the destination address is translated, and even if the translated private IPs overlap, the VMs of different tenants are distinguished by VNI. Because the vGRE tunnel mechanism carries the VNI, different tenants need not be distinguished by VRF or VLAN, and even if the network devices on the traffic path (such as switches and SDN gateways) can support at most 4K VLANs or VRFs, a single resource pool can reach a tenant scale above 4K.
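The worked example and the argument above about non-identical session entries can be traced through in code. This is an added example, not the patent's or the applicant's implementation: VGreNatGateway, session_key, outbound and inbound are invented names; the "tunnel information" is modelled as the outer (source, destination) address pair; public ports are allocated from a simple counter; and the addresses are those of the worked example (VM 1.1.1.1 in VNI 10, tunnel 2.2.2.2/3.3.3.3, pool 30.1.1.1, NAT server 31.1.1.1) plus a constructed second tenant whose VM also uses 1.1.1.1, in VNI 20. session_key(..., with_vni=False) models a conventional NAT session that ignores the VNI, which is where the two tenants' flows would collide.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Tunnel = Tuple[str, str]   # (outer source IP, outer destination IP) of the vGRE tunnel


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class VGrePacket:
    """A message as seen by the NAT gateway after vGRE decapsulation."""
    tunnel: Tunnel
    vni: int           # copied from the vGRE header
    flow: FiveTuple    # inner five-tuple


def session_key(pkt: VGrePacket, with_vni: bool = True) -> tuple:
    """Session key: five-tuple + tunnel + VNI as in the patent. with_vni=False
    models a conventional NAT that ignores the VNI (for comparison only)."""
    return (pkt.flow, pkt.tunnel) + ((pkt.vni,) if with_vni else ())


class VGreNatGateway:
    def __init__(self, pool, nat_servers=None):
        self.pool = list(pool)                 # public address pool (30.1.1.x in the example)
        self.next_port = 1024                  # toy allocator: one pool address, counting ports
        self.sessions: Dict[tuple, Tuple[str, int]] = {}   # session key -> (public ip, port)
        self.reverse: Dict[tuple, tuple] = {}  # (pub ip, pub port, proto, peer ip, peer port) -> key
        # static NAT-server entries: (public ip, proto) -> (private ip, vni, return tunnel)
        self.nat_servers = dict(nat_servers or {})

    def _alloc_public(self) -> Tuple[str, int]:
        port, self.next_port = self.next_port, self.next_port + 1
        return self.pool[0], port

    def outbound(self, pkt: VGrePacket) -> FiveTuple:
        """VM -> public network: create/reuse the vGRE session, rewrite the source."""
        key = session_key(pkt)
        if key not in self.sessions:
            pub = self._alloc_public()
            self.sessions[key] = pub
            f = pkt.flow
            self.reverse[(pub[0], pub[1], f.proto, f.dst_ip, f.dst_port)] = key
        pub_ip, pub_port = self.sessions[key]
        return replace(pkt.flow, src_ip=pub_ip, src_port=pub_port)

    def inbound(self, flow: FiveTuple) -> Optional[VGrePacket]:
        """Public network -> VM: match the session (or a NAT-server entry), restore the
        private destination and rebuild the vGRE message with the recorded VNI."""
        key = self.reverse.get((flow.dst_ip, flow.dst_port, flow.proto, flow.src_ip, flow.src_port))
        if key is not None:
            orig, tunnel, vni = key
            inner = replace(flow, dst_ip=orig.src_ip, dst_port=orig.src_port)
            return VGrePacket((tunnel[1], tunnel[0]), vni, inner)
        srv = self.nat_servers.get((flow.dst_ip, flow.proto))
        if srv is not None:
            priv_ip, vni, tunnel = srv
            return VGrePacket(tunnel, vni, replace(flow, dst_ip=priv_ip))
        return None   # no session and no static mapping: the gateway drops it


# Constructed values, following the patent's worked example.
TUNNEL = ("2.2.2.2", "3.3.3.3")           # SDN gateway -> SDN NAT gateway direction
RETURN_TUNNEL = (TUNNEL[1], TUNNEL[0])
WEB_IP, WEB_PORT = "39.156.69.79", 443


def demo() -> dict:
    gw = VGreNatGateway(pool=["30.1.1.1"],
                        nat_servers={("31.1.1.1", "TCP"): ("1.1.1.1", 10, RETURN_TUNNEL)})
    tenant_a = VGrePacket(TUNNEL, 10, FiveTuple("1.1.1.1", WEB_IP, "TCP", 40000, WEB_PORT))
    tenant_b = VGrePacket(TUNNEL, 20, FiveTuple("1.1.1.1", WEB_IP, "TCP", 40000, WEB_PORT))
    out_a, out_b = gw.outbound(tenant_a), gw.outbound(tenant_b)
    back_a = gw.inbound(FiveTuple(WEB_IP, out_a.src_ip, "TCP", WEB_PORT, out_a.src_port))
    back_b = gw.inbound(FiveTuple(WEB_IP, out_b.src_ip, "TCP", WEB_PORT, out_b.src_port))
    to_server = gw.inbound(FiveTuple("5.6.7.8", "31.1.1.1", "TCP", 5555, 80))
    unknown = gw.inbound(FiveTuple("5.6.7.8", "30.1.1.1", "TCP", 5555, 9999))
    return {"a": tenant_a, "b": tenant_b, "out_a": out_a, "out_b": out_b,
            "back_a": back_a, "back_b": back_b, "to_server": to_server, "unknown": unknown}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both tenants send an identical inner five-tuple over the same tunnel; only the VNI differs. With the VNI in the key they get distinct sessions and distinct public ports, and each return message is handed back with its own VNI for the SDN gateway to re-encapsulate into VXLAN. Without the VNI the second tenant would match the first tenant's session, which is the cross-tenant misdelivery the scheme is designed to prevent.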
In one embodiment, the disclosure also provides a message processing apparatus, shown in fig. 2, applied to a gateway device. The apparatus includes: a receiving module 21, configured to receive a vGRE packet sent through a vGRE tunnel, where the vGRE packet is a to-be-forwarded packet that a private network gateway sends to the gateway device through the vGRE tunnel after decapsulating a VXLAN packet whose next hop is the private network of the vGRE tunnel; a processing module 22, configured to parse the vGRE packet to obtain the VNI information it carries and to establish a vGRE session from the packet's five-tuple information, tunnel information and VNI information; and a sending module 23, configured to perform NAT translation on the vGRE packet according to the vGRE session and the matched NAT configuration, and to forward the packet to the public network according to the result.
In an embodiment, the private network gateway is an SDN gateway and the gateway device is a NAT gateway device.
In one embodiment, the vGRE tunnel is configured to forward vGRE packets. A vGRE packet carries a specific GRE packet header that includes a specific flag bit and a VNI field: the flag bit identifies the packet as one forwarded through the vGRE tunnel after VXLAN decapsulation, and the VNI field records the VNI information of the associated VXLAN terminal.
In one embodiment, the receiving module is further configured to receive a reply packet from the public network associated with the vGRE session; the processing module is further configured to encapsulate the reply packet according to the VNI information to generate a vGRE packet; and the sending module is further configured to forward the generated vGRE packet to the private network gateway, so that the private network gateway can generate and forward a VXLAN packet according to the VNI information of the vGRE packet.
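The following is an added example, not code from the patent or its applicant, modelling the behaviour described in the embodiments above: the vGRE header carrying a flag bit and a VNI, and a NAT gateway whose session table is keyed on (five-tuple, tunnel peer, VNI) so that two tenants whose VMs both use 1.1.1.1 get distinct public ports and replies are returned to the right VNI. The header layout is an assumption (the text names a flag bit and a VNI field but fixes no positions): a standard GRE base header with the Key Present bit set, the VNI in the upper 24 bits of the key and a constructed marker in the low byte. The tunnel address 10.0.0.2, the remote hosts 8.8.8.8 and 5.5.5.5, and the port numbers are constructed sample values; the class and function names are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Optional

GRE_KEY_PRESENT = 0x20   # K bit of the GRE flags octet (RFC 2890)
VGRE_FLAG = 0x01         # constructed marker in the low byte of the key (assumed layout)
PROTO_IPV4 = 0x0800


def build_vgre_header(vni: int) -> bytes:
    """Assumed layout: 4-byte GRE base header with K set, then a 4-byte key
    whose upper 24 bits hold the VNI and whose low byte holds the vGRE flag."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBHI", GRE_KEY_PRESENT, 0, PROTO_IPV4, (vni << 8) | VGRE_FLAG)


def parse_vgre_header(hdr: bytes) -> Optional[int]:
    """Return the VNI if hdr is a vGRE header under the assumed layout, else None."""
    if len(hdr) < 8:
        return None
    flags, _ver, proto, key = struct.unpack("!BBHI", hdr[:8])
    if not flags & GRE_KEY_PRESENT or proto != PROTO_IPV4 or key & 0xFF != VGRE_FLAG:
        return None
    return key >> 8


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class NatGateway:
    """NAT gateway whose session table is keyed on (five-tuple, tunnel peer, VNI)."""

    def __init__(self, public_ip: str, port_base: int = 10000):
        self.public_ip = public_ip
        self.next_port = port_base
        self.sessions = {}    # (Flow, tunnel_peer, vni) -> public port
        self.reverse = {}     # (public port, remote ip, remote port, proto) -> session key
        self.nat_server = {}  # (public ip, public port, proto) -> (private ip, port, vni, peer)

    def add_nat_server(self, public_port, proto, private_ip, private_port, vni, tunnel_peer):
        """Static mapping for public-initiated access, as in the 31.1.1.1 -> 1.1.1.1 example."""
        self.nat_server[(self.public_ip, public_port, proto)] = (private_ip, private_port, vni, tunnel_peer)

    def _bind(self, key, port):
        flow = key[0]
        self.sessions[key] = port
        self.reverse[(port, flow.dst_ip, flow.dst_port, flow.proto)] = key

    def outbound(self, tunnel_peer: str, vgre_hdr: bytes, flow: Flow) -> Optional[Flow]:
        """Private -> public: translate the source to public IP + port; None if not vGRE."""
        vni = parse_vgre_header(vgre_hdr)
        if vni is None:
            return None  # no VNI, so no tenant-scoped session can be built
        key = (flow, tunnel_peer, vni)
        port = self.sessions.get(key)
        if port is None:
            port = self.next_port  # gateway-wide allocation, so ports never collide across VNIs
            self.next_port += 1
            self._bind(key, port)
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port, flow.proto)

    def inbound(self, flow: Flow):
        """Public -> private: returns (tunnel_peer, vgre header, translated flow) or None."""
        if flow.dst_ip != self.public_ip:
            return None
        key = self.reverse.get((flow.dst_port, flow.src_ip, flow.src_port, flow.proto))
        if key is None:
            srv = self.nat_server.get((flow.dst_ip, flow.dst_port, flow.proto))
            if srv is None:
                return None  # unsolicited and no NAT server entry: drop
            private_ip, private_port, vni, peer = srv
            key = (Flow(private_ip, private_port, flow.src_ip, flow.src_port, flow.proto), peer, vni)
            self._bind(key, flow.dst_port)  # so the VM's replies reuse the static port
        orig, tunnel_peer, vni = key
        inner = Flow(flow.src_ip, flow.src_port, orig.src_ip, orig.src_port, flow.proto)
        return tunnel_peer, build_vgre_header(vni), inner


def demo():
    """Two tenants (VNI 10 and VNI 20) with overlapping VM address 1.1.1.1."""
    gw = NatGateway("31.1.1.1")
    sdn = "10.0.0.2"  # constructed tunnel address of the SDN (private network) gateway
    f = Flow("1.1.1.1", 40000, "8.8.8.8", 443, "tcp")
    a = gw.outbound(sdn, build_vgre_header(10), f)
    b = gw.outbound(sdn, build_vgre_header(20), f)
    reply = Flow("8.8.8.8", 443, "31.1.1.1", a.src_port, "tcp")
    _peer, hdr, inner = gw.inbound(reply)
    return a, b, parse_vgre_header(hdr), inner
```

The same five-tuple from two VNIs yields two session entries and two public ports, and the reply is mapped back by public port to the session that owns it, which is exactly why no second NAT translation is needed for overlapping tenant addresses. A plain GRE header without the marker is rejected before any session is created.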
The device embodiments are the same as or similar to the corresponding method embodiments and are not described in detail herein.
In one embodiment, the disclosure provides an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, where the processor executes the machine-executable instructions to implement the foregoing message processing method, and from a hardware level, a schematic diagram of a hardware architecture may be shown in fig. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned message processing method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions or data. For example, a machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk or DVD), a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units. Of course, when implementing the present disclosure, the functions of the various units may be implemented in the same one or more pieces of software and/or hardware.
It will be apparent to those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but are not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The foregoing is merely an embodiment of the present disclosure and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present disclosure, are intended to be included within the scope of the claims of the present disclosure.
Claims (10)
1. A method for processing a message, the method being applied to a gateway device, the method comprising:
receiving a vGRE message sent through a vGRE tunnel, wherein the vGRE message is a message to be forwarded sent to gateway equipment through the vGRE tunnel after a private network gateway decapsulates a VXLAN message of which the next hop is a private network of the vGRE tunnel;
analyzing the vGRE message to obtain VNI information carried by the vGRE message, and establishing a vGRE session according to five-tuple information, tunnel information and VNI information of the vGRE message;
and performing NAT conversion processing on the vGRE message according to the vGRE session and the matched NAT configuration, and forwarding the vGRE message to the public network according to the processing result.
2. The method of claim 1, wherein the private network gateway is an SDN gateway and the gateway device is a NAT gateway device.
3. The method of claim 1, wherein the vGRE tunnel is configured to forward a vGRE message, the vGRE message includes a specific GRE message header, the specific GRE message header includes a specific flag bit and a VNI field, the specific flag bit is configured to identify that the message of the specific GRE message header is a message forwarded through the vGRE tunnel after VXLAN decapsulation, and the VNI field is configured to record VNI information of an associated VXLAN terminal.
4. The method of claim 1, further comprising:
receiving a response message from the public network associated with the vGRE session;
encapsulating the response message according to the VNI information to generate a vGRE message;
and forwarding the generated vGRE message to the private network gateway so that the private network gateway generates and forwards the VXLAN message according to the VNI information of the vGRE message.
5. A message processing apparatus, for use in a gateway device, the apparatus comprising:
the receiving module is used for receiving the vGRE message sent through the vGRE tunnel, wherein the vGRE message is a message to be forwarded sent to the gateway device through the vGRE tunnel after the private network gateway decapsulates the VXLAN message of which the next hop is the private network of the vGRE tunnel;
the processing module is used for analyzing the vGRE message to obtain VNI information carried by the vGRE message, and establishing a vGRE session according to five-tuple information, tunnel information and VNI information of the vGRE message;
and the sending module is used for carrying out NAT conversion processing on the vGRE message according to the vGRE session and the matched NAT configuration, and forwarding the vGRE message to the public network according to the processing result.
6. The apparatus of claim 5, wherein the private network gateway is an SDN gateway and the gateway device is a NAT gateway device.
7. The apparatus of claim 5, wherein the vGRE tunnel is configured to forward a vGRE message, the vGRE message includes a specific GRE message header, the specific GRE message header includes a specific flag bit and a VNI field, the specific flag bit is configured to identify that the message of the specific GRE message header is a message forwarded through the vGRE tunnel after VXLAN decapsulation, and the VNI field is configured to record VNI information of an associated VXLAN terminal.
8. The apparatus of claim 5, wherein:
the receiving module is also used for receiving a response message from the public network associated with the vGRE session;
the processing module is also used for encapsulating the response message according to the VNI information to generate a vGRE message;
the sending module is further used for forwarding the generated vGRE message to the private network gateway so that the private network gateway can generate and forward the VXLAN message according to the VNI information of the vGRE message.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any one of claims 1-4.
10. A machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310325310.XA CN116418632A (en) | 2023-03-23 | 2023-03-23 | Message processing method, device, equipment and machine-readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310325310.XA CN116418632A (en) | 2023-03-23 | 2023-03-23 | Message processing method, device, equipment and machine-readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116418632A true CN116418632A (en) | 2023-07-11 |
Family
ID=87057595
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310325310.XA Pending CN116418632A (en) | 2023-03-23 | 2023-03-23 | Message processing method, device, equipment and machine-readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116418632A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116760795A (en) * | 2023-08-15 | 2023-09-15 | 中移(苏州)软件技术有限公司 | Network address translation NAT gateway equipment, message processing method and device |
CN117811874A (en) * | 2023-12-07 | 2024-04-02 | 中科驭数(北京)科技有限公司 | Tunnel creation method, data transmission method, device, equipment and medium |
2023-03-23 CN CN202310325310.XA patent/CN116418632A/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116760795A (en) * | 2023-08-15 | 2023-09-15 | 中移(苏州)软件技术有限公司 | Network address translation NAT gateway equipment, message processing method and device |
CN116760795B (en) * | 2023-08-15 | 2023-12-08 | 中移(苏州)软件技术有限公司 | Network address translation NAT gateway equipment, message processing method and device |
CN117811874A (en) * | 2023-12-07 | 2024-04-02 | 中科驭数(北京)科技有限公司 | Tunnel creation method, data transmission method, device, equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11671367B1 (en) | Methods and apparatus for improving load balancing in overlay networks | |
US11411776B2 (en) | Multi-cloud VPC routing and registration | |
KR102054338B1 (en) | Routing vlan tagged packets to far end addresses of virtual forwarding instances using separate administrations | |
CN106998286B (en) | VXLAN message forwarding method and device | |
CN108199963B (en) | Message forwarding method and device | |
CN111092801B (en) | Data transmission method and device | |
US10148458B2 (en) | Method to support multi-protocol for virtualization | |
CN111937358B (en) | Multiple VRF generic device internet protocol addresses for fabric edge devices | |
CN103200069A (en) | Message processing method and device | |
CN116418632A (en) | Message processing method, device, equipment and machine-readable storage medium | |
CN112671628A (en) | Business service providing method and system | |
CN105591982A (en) | Message transmission method and device | |
CN107659484B (en) | Method, device and system for accessing VXLAN network from VLAN network | |
JP2020529762A (en) | Virtualized network capabilities through address space consolidation | |
CN107342941A (en) | A kind of optimization method and device of VXLAN control planes | |
CN104869013A (en) | SDN-based gateway configuration method and SDN controller | |
CN112671938A (en) | Business service providing method and system and remote acceleration gateway | |
CN108390812B (en) | Message forwarding method and device | |
CN114640554A (en) | Multi-tenant communication isolation method and hybrid networking method | |
CN110752989A (en) | Method and device for forwarding east-west traffic | |
CN112187609B (en) | Table entry generation method and device | |
CN116488958A (en) | Gateway processing method, virtual access gateway, virtual service gateway and related equipment | |
CN111010344B (en) | Message forwarding method and device, electronic equipment and machine-readable storage medium | |
CN113542112B (en) | Message forwarding method and network equipment | |
CN115190100A (en) | Data forwarding method, VTEP gateway, electronic device and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||