
CN112637135A - Method, device and system for host network isolation based on macvlan - Google Patents

Method, device and system for host network isolation based on macvlan

Info

Publication number
CN112637135A
Authority
CN
China
Prior art keywords
macvlan
network
host
data stream
vlan tag
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011401329.0A
Other languages
Chinese (zh)
Inventor
侯诗军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tongdun Holdings Co Ltd
Original Assignee
Tongdun Holdings Co Ltd
Application filed by Tongdun Holdings Co Ltd
Priority to CN202011401329.0A
Publication of CN112637135A
Current legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, device and system for host network isolation based on macvlan. A macvlan network plug-in receives a control instruction sent by a control server and adds a vlan tag to the data stream generated by each host, based on the mapping relation between hosts and vlan tags carried in the control instruction. The host then uploads the tagged data stream to a switch of the data center through a trunk channel, so that the firewall of the data center can perform access control on the data stream received from the switch. The scheme simultaneously isolates all types of hosts in a data center (containers, virtual machines and physical machines) from one another while keeping the performance loss of the underlying network small.

Description

Method, device and system for host network isolation based on macvlan
Technical Field
The application relates to the field of network security, in particular to a method, a device and a system for host network isolation based on macvlan.
Background
A data center is a globally collaborative network of devices used to transmit, accelerate, present, compute and store data over an internet network infrastructure. Most of the electronic components of a data center are driven by low direct-current power supplies.
A data center usually contains several types of hosts, such as containers, virtual machines and physical machines. Network security is critical in the information age, and network isolation among the various types of hosts in a data center is one of its central concerns. Several host isolation methods that are currently common are as follows:
One method realizes an overlay multi-tenant CNI container network based on Open vSwitch. It performs network isolation among different tenants, so that each tenant can only access its own network resources and cannot access those of other tenants. This solves the problem of network isolation between a tenant's services and those of other tenants, guarantees a tenant's legitimate right to access its own services, and forbids malicious access by other tenants.
Another method isolates the multi-tenant network on the Docker container platform: the Docker container network is implemented with the Open vSwitch virtual switch, and the VLAN capability of Open vSwitch is used to assign a VLAN ID to each tenant, place the containers of the same tenant into the same VLAN, and isolate the networks of different tenants by VLAN. This method can realize isolation between containers and physical machines.
A multi-layer network plane construction method for Kubernetes comprises the following steps: deploy the Multus CNI plug-in and integrate the Macvlan plug-in so that a Pod can start with multiple network cards. This scheme builds a multi-plane network and effectively deepens the integration of the Kubernetes platform with the CT field.
It can be seen that, in the related art, container network isolation is implemented either by the network policy of Kubernetes itself or by Open vSwitch, and both have disadvantages. Isolation based on the Kubernetes network can only isolate containers from one another within a Kubernetes cluster of the data center; it cannot isolate all hosts of the data center from one another, i.e. container from container, container from virtual machine, container from physical machine, virtual machine from virtual machine, virtual machine from physical machine, and physical machine from physical machine. Isolation based on Open vSwitch can isolate containers from one another and from physical machines, but it involves too many components, the data forwarding path is long, and the loss of network performance is very large.
Therefore, how to adopt a single scheme that simultaneously isolates all hosts of a data center from one another (container and container, container and virtual machine, container and physical machine, virtual machine and virtual machine, virtual machine and physical machine, physical machine and physical machine) while keeping the performance loss of the underlying network small is a technical problem that currently needs to be solved.
Disclosure of Invention
The present application mainly aims to provide a method, an apparatus and a system for host network isolation based on macvlan, so as to provide an isolation scheme that simultaneously isolates all hosts of a data center from one another (container and container, container and virtual machine, container and physical machine, virtual machine and virtual machine, virtual machine and physical machine, physical machine and physical machine) while keeping the performance loss of the underlying network small.
To achieve the above object, according to a first aspect of the present application, a method for macvlan-based host network isolation is provided.
The method for host network isolation based on macvlan according to the present application comprises:
a macvlan network plug-in receives a control instruction sent by a control server, and adds a vlan tag to the data stream generated by a host based on the mapping relation between the host and the vlan tag in the control instruction;
and the host uploads the data stream added with the vlan tag to a switch of the data center through a trunk channel so that a firewall of the data center can perform access control on the data stream received from the switch.
Optionally, before the macvlan network plug-in receives the control instruction sent by the control server, the method further includes:
and the macvlan network plug-in sends a registration verification request to the control server so that the network controller can add the macvlan network plug-in to a trusted list.
To achieve the above object, according to a second aspect of the present application, there is also provided a method for macvlan-based host network isolation.
The method for host network isolation based on macvlan according to the present application comprises:
the network controller sends a control instruction to the controlled server through the API gateway, so that the macvlan network plug-in of the controlled server receives the control instruction and adds a vlan tag to the data stream generated by each host based on the mapping relation between the host and the vlan tag in the control instruction, and the host of the controlled server uploads the tagged data stream to a switch of the data center through a trunk channel, so that the firewall of the data center performs access control on the data stream received from the switch.
Optionally, the method further includes:
receiving a registration verification request sent by the macvlan network plug-in to the control server;
and the network controller adds the macvlan network plug-in into a trusted list according to the registration verification request.
Optionally, before the network controller sends the control instruction to the controlled server through the API gateway, the method further includes:
receiving verification information sent by a macvlan network plug-in of a controlled server;
judging whether the macvlan network plug-in is trusted or not based on the trusted list;
and if so, sending a control instruction to the controlled server through the API gateway.
In order to achieve the above object, according to a third aspect of the present application, there is provided a controlled server for host network isolation based on macvlan, the controlled server including a host, a network card, and a macvlan network plug-in:
the host is used for generating a data stream and uploading the data stream added with the vlan tag to a switch of the data center through a trunk channel;
the macvlan network plug-in is used for receiving a control instruction sent by the control server; adding a vlan tag for the data stream generated by the host based on the mapping relation between the host and the vlan tag in the control instruction;
the network card is used for uploading the data stream added with the vlan tag to a switch of a data center based on a trunk channel, so that a firewall of the data center can perform access control on the data stream received from the switch.
In order to achieve the above object, according to a fourth aspect of the present application, there is also provided a macvlan-based host network isolated control server, including a network controller, an API gateway, and a distributed state storage module:
the network controller is used for sending a control instruction to the controlled server through the API gateway;
the API gateway is used for sending the control instruction to the controlled server, so that the macvlan network plug-in of the controlled server receives the control instruction and adds a vlan tag to the data stream generated by each host based on the mapping relation between the host and the vlan tag in the control instruction, and the host of the controlled server uploads the tagged data stream to a switch of the data center through a trunk channel, so that the firewall of the data center can perform access control on the data stream received from the switch;
and the distributed state storage module is used for performing distributed storage on the data of the mapping relation between each host and the vlan tag on the controlled server.
Optionally, the network controller is further configured to:
receiving a registration verification request sent by the macvlan network plug-in to the control server through the API gateway;
and adding the macvlan network plug-in into a trusted list according to the registration verification request.
To achieve the above object, according to a fifth aspect of the present application, there is provided a system for host network isolation based on macvlan, comprising the controlled server as described in the first aspect, the control server as described in any one of the second aspects, a switch and a firewall;
the control server is configured to execute the method for macvlan-based host network isolation according to the first aspect;
the controlled server, configured to perform the method for macvlan-based host network isolation according to any one of the second aspects;
the switch is used for receiving the data stream added with the vlan tag and sending the data stream to a firewall of a data center through a trunk channel;
and the firewall is used for carrying out network access control on the received data stream added with the vlan tag.
To achieve the above object, according to a sixth aspect of the present application, there is provided a computer-readable storage medium storing computer instructions for causing the computer to perform the method for macvlan-based host network isolation according to any one of the first and second aspects.
In the embodiments of the application, the method, device and system for host network isolation are based on macvlan. Specifically, a macvlan network plug-in of a controlled server receives a control instruction of a control server, stamps the vlan tag corresponding to each host onto the data stream sent by that host based on the mapping relation between hosts and vlan tags in the control instruction, and then steers the data stream to a switch through a trunk channel, so that the switch identifies the vlan tag and steers the data stream to a firewall for control.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, serve to provide a further understanding of the application and to enable other features, objects, and advantages of the application to be more apparent. The drawings and their description illustrate the embodiments of the invention and do not limit it. In the drawings:
fig. 1 is a flowchart of a method for macvlan-based host network isolation according to an embodiment of the present application;
fig. 2 is a diagram illustrating an example of a method for macvlan-based host network isolation according to an embodiment of the present application;
fig. 3 is a flowchart of another method for macvlan-based host network isolation according to an embodiment of the present application;
fig. 4 is a flowchart of a method for macvlan-based host network isolation according to an embodiment of the present application;
fig. 5 is a block diagram illustrating an apparatus for macvlan-based host network isolation according to an embodiment of the present disclosure;
fig. 6 is a block diagram of another apparatus for macvlan-based host network isolation according to an embodiment of the present application;
fig. 7 is a block diagram of a system for host network isolation based on macvlan according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be used. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
According to the embodiment of the application, a method for host network isolation based on macvlan is provided, which is applied to a controlled server side as shown in fig. 1, and the method includes the following steps:
S101, the macvlan network plug-in in the controlled server adds a vlan tag to the data streams generated by all hosts on the controlled server according to the control instruction.
It should be noted that the embodiment of the present application is a network plug-in product based on the macvlan vepa mode, divided into two roles, a control end and a controlled end, both of which are servers. The control end at least includes a network controller and an API gateway and may also include a distributed storage module; the controlled end at least includes macvlan network plug-ins, hosts of different types (physical machines, virtual machines and/or containers) and network cards. In actual deployments, one control server generally corresponds to a plurality of controlled servers. The network plug-in product of the macvlan vepa mode is a CNI (Container Network Interface) plug-in based on the macvlan vepa mode. The vepa mode is one of the modes of macvlan; macvlan is a Linux kernel module whose function is to allow multiple MAC addresses, i.e. multiple interfaces, to be configured on the same physical network card, with each interface carrying its own IP address. macvlan is essentially a network card virtualization technology. In the macvlan vepa mode, the sub-devices cannot communicate with each other directly (they can communicate through a switch that supports port aggregation), while external communication is possible.
The control instruction is an instruction sent by the control server to the macvlan network plug-in to control the communication data of the controlled server; it contains the mapping relations between all hosts on the controlled server and their vlan tags. The control instruction is sent by the network controller in the control server through the API gateway. After the controlled end receives the control instruction, it adds vlan tags according to the mapping relation between each host and its vlan tag set in the control instruction. A specific example is given for explanation, as shown in fig. 2: the controlled end in the figure is a controlled server containing host 1, host 2 and host 3, whose vlan tags are tag100, tag200 and tag300, respectively. When the three hosts send data streams through the network card, the corresponding tag is stamped on each host's data stream. In practical applications, when a data stream is transmitted, the original IP address of the host may be an IP address carrying a vlan tag.
And S102, the controlled server uploads the data stream with the vlan tag to a switch of the data center through a trunk channel.
In practical application, the trunk channel sets the network card to trunk mode, and only in this mode can a data stream carrying a vlan tag pass through. Specifically, in this step the controlled server may upload the tagged data stream to the switch of the data center through a trunk channel encapsulated with 802.1Q. After the controlled server uploads the tagged data stream to the switch through the trunk channel, the switch identifies the vlan tag and forwards the tagged data stream to the firewall of the data center, which performs access-control isolation and release of the network. Specifically, as shown in fig. 2, under the protection of the firewall the switch delivers the data stream sent by host 1 to host 4, the data stream sent by host 2 to host 5, and the data stream sent by host 3 to host 6.
From the above description it can be seen that the method for host network isolation based on macvlan according to this embodiment works as follows: the macvlan network plug-in of the controlled server receives the control instruction of the control server, stamps the vlan tag corresponding to each host onto the data stream sent by that host based on the mapping relation between hosts and vlan tags in the control instruction, and then steers the data stream to the switch through a trunk channel, so that the switch identifies the vlan tag and steers the data stream to the firewall for control.
Further, as a supplement and refinement of the above embodiment, before step S101 the method further includes: the macvlan network plug-in sends a registration verification request to the control server so that the network controller of the control server adds the macvlan network plug-in to the trusted list. The network controller sends control instructions only to macvlan network plug-ins that are in the trusted list. A macvlan network plug-in is recorded in the trusted list by its identification information, such as an identification code.
According to the embodiment of the present application, another method for host network isolation based on macvlan is provided, which is applied to the control server side as shown in fig. 3, and the method includes the following steps:
S201, a network controller in the control server sets the mapping relation between each host on the controlled server and its vlan tag.
The same as the embodiment of fig. 1, the embodiment of the present application is also a network plug-in product based on the macvlan vepa mode, divided into two roles, a control end and a controlled end, both of which are servers. The control end at least includes a network controller and an API gateway and may also include a distributed storage module; the controlled end at least includes macvlan network plug-ins, hosts of different types (physical machines, virtual machines and/or containers) and network cards. In actual deployments, one control server generally corresponds to a plurality of controlled servers. The network plug-in product of the macvlan vepa mode is a CNI (Container Network Interface) plug-in based on the macvlan vepa mode. The vepa mode is one of the modes of macvlan; macvlan is a Linux kernel module whose function is to allow multiple MAC addresses, i.e. multiple interfaces, to be configured on the same physical network card, with each interface carrying its own IP address. macvlan is essentially a network card virtualization technology. In the macvlan vepa mode, the sub-devices cannot communicate with each other directly (they can communicate through a switch that supports port aggregation), while external communication is possible.
The mapping relation between each host on the controlled server and its vlan tag can be configured in the network controller of the control server in advance, so that when the control server sends the execution command to the macvlan network plug-in it can bind each host to its vlan tag according to that configuration. Configuring in advance spares the control server the performance cost of computing and analysing the mapping itself and speeds up network communication.
For the configuration of the mapping relation between hosts and vlan tags, an example configuration from practical application is described. Different vlan tags may be configured for different service requirements or different users (cloud service clients); different services or users exchange data on the hosts, and the hosts executing different services correspond to vlan tags, that is, at the lower layer there is a correspondence between vlan tags and host IP addresses. It should be noted that different vlan tags correspond to different IP addresses, and one vlan tag may correspond to multiple IP addresses. The sets of IP addresses corresponding to different tags do not intersect, i.e. the relation graph between tags and addresses is a one-to-many tree, not a mesh.
For example, suppose there are four service lines A, B, C and D and four vlan tags tag1, tag2, tag3 and tag4. The correspondence A-tag1, B-tag2, C-tag3, D-tag4 is set in the upper-layer service, and the lower layer allocates host addresses to A, B, C and D, for example A-IP1, IP2; B-IP3, IP4, IP5; C-IP6, IP7; D-IP8, IP9, IP10. Combining the relation between services and vlan tags, the mapping relation between each host and its vlan tag is obtained: tag1-IP1, IP2; tag2-IP3, IP4, IP5; tag3-IP6, IP7; tag4-IP8, IP9, IP10.
S202, the network controller sends a control instruction to the controlled server through the API gateway.
The "the network controller sends the control instruction to the controlled server through the API gateway" specifically includes: and the network controller in the control server sends a control instruction to the macvlan network plug-in the controlled server through the API gateway in the control server.
After the network controller in the control server sends the control instruction to the macvlan network plug-in in the controlled server through the API gateway in the control server, the macvlan network plug-in adds a vlan tag to the data stream generated by each host in the controlled server according to the mapping relation in the control instruction, and uploads the tagged data stream to the switch of the data center through a trunk channel, so that the switch sends the received tagged data stream to the firewall of the data center for network access-control isolation and release. When a vlan tag is added to a data stream, the tag stamped on the stream is the one corresponding to the host that generated it.
From the above description it can be seen that the method for host network isolation based on macvlan according to this embodiment works as follows: the macvlan network plug-in of the controlled server receives the control instruction of the control server, stamps the vlan tag corresponding to each host onto the data stream sent by that host based on the mapping relation between hosts and vlan tags in the control instruction, and then steers the data stream to the switch through a trunk channel, so that the switch identifies the vlan tag and steers the data stream to the firewall for control.
Further, as a supplement and refinement of the above embodiment, the network controller in the control server may store the configured mapping data between each host on the controlled end and its vlan tag in the distributed state storage module.
In addition, before the network controller sends the control instruction to the macvlan network plug-in through the API gateway, it must also receive verification information sent by the macvlan network plug-in of the controlled server and determine, based on the trusted list, whether the plug-in is trusted, i.e. whether it is in the trusted list. If the macvlan network plug-in is in the trusted list, it is considered trusted and the control instruction can be sent; conversely, if it is not in the trusted list, it is considered untrusted and no control instruction is sent. As for the records in the trusted list: the macvlan network plug-in sends a registration verification request to the control server, and after the verification passes, the network controller adds the plug-in to the trusted list according to the registration verification request.
According to an embodiment of the present application, another method for host network isolation based on macvlan is provided, as shown in fig. 4, the method includes the following steps:
S301, the macvlan network plug-in sends a registration verification request to the control server, and the network controller adds the macvlan network plug-in to the trusted list.
S302, the network controller receives verification information sent by the macvlan network plug-in of the controlled server and determines, based on the trusted list, whether the macvlan network plug-in is trusted.
S303, if the network plug-in is trusted, the network controller sends a control instruction to the macvlan network plug-in through the API gateway.
S304, the macvlan network plug-in receives the control instruction and adds a vlan tag to the data stream generated by each host according to the mapping relation between the host and the vlan tag in the control instruction.
S305, the controlled server uploads the tagged data stream to a switch of the data center through a trunk channel.
S306, the switch sends the tagged data streams from the hosts to the data center firewall, and the firewall performs network access-control isolation and release according to its rule matching.
For detailed descriptions of each step in this embodiment, reference may be made to the description of related contents in the embodiments corresponding to fig. 1 and fig. 3, and details are not described here again.
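The following Python simulation of steps S301 to S306 is an added illustration, not code from the patent or from Tongdun: a control server with a trusted list, a control instruction carrying the host-to-tag mapping, a plug-in that stamps 802.1Q tags on each host's frames, and a firewall that releases or drops by rule matching on the tag. The host names, MAC addresses, the fig. 2 rule set and the enrollment-token check used for registration verification are constructed assumptions, since the patent specifies none of them.

```python
"""Simulation of steps S301 to S306: plug-in registration into a trusted list,
a control instruction carrying the host->vlan-tag mapping, 802.1Q tagging of
each host's frames for the trunk, and rule matching at the firewall.
Host names, MAC addresses and the enrollment-token check are constructed."""
import hmac
import struct

ETH_P_8021Q = 0x8100   # TPID announcing an 802.1Q tag on the trunk
ETH_P_IP = 0x0800

# Constructed MACs: every host is a macvlan sub-interface with its own MAC.
MAC = {f"host{n}": bytes([0x02, 0, 0, 0, 0, n]) for n in range(1, 7)}


def build_host_tag_mapping(service_tags, service_hosts):
    """Combine service->tag and service->hosts into host->tag (step S201).
    The page requires a one-to-many tree, so a host that would end up under
    two different tags is rejected."""
    mapping = {}
    for service, hosts in service_hosts.items():
        tag = service_tags[service]
        for host in hosts:
            if mapping.get(host, tag) != tag:
                raise ValueError(f"{host}: tag{mapping[host]} vs tag{tag}")
            mapping[host] = tag
    return mapping


class ControlServer:
    """Network controller plus the state store (mapping) and the trusted list."""

    def __init__(self, mapping, enrollment_tokens):
        self.mapping = dict(mapping)
        self.tokens = enrollment_tokens   # constructed per-plug-in secret
        self.trusted = set()

    def register(self, plugin_id, token):
        """S301: registration verification; only a verified plug-in is listed."""
        expected = self.tokens.get(plugin_id)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        self.trusted.add(plugin_id)
        return True

    def control_instruction(self, plugin_id):
        """S302/S303: hand the mapping only to a plug-in on the trusted list."""
        if plugin_id not in self.trusted:
            return None
        return dict(self.mapping)


class MacvlanPlugin:
    """Controlled-server side: tags each host's frames (S304) for the trunk."""

    def __init__(self):
        self.mapping = {}

    def apply(self, instruction):
        self.mapping = dict(instruction)

    def tag_frame(self, host, frame):
        """Insert the 4-byte 802.1Q header after the 12-byte dst/src MAC pair.
        PCP and DEI stay 0; the low 12 bits of the TCI carry the host's tag."""
        vid = self.mapping[host]          # KeyError: host without a tag
        return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def parse_tag(frame):
    """Switch/firewall side: (vid, untagged frame), or (None, frame) if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]


def firewall_allows(rules, frame):
    """Rule matching: pass only a tagged frame whose destination its vlan permits.
    Untagged frames and unknown vids are dropped."""
    vid, inner = parse_tag(frame)
    return vid is not None and inner[:6] in rules.get(vid, set())


def ethernet_frame(src, dst, payload=b"\x45" + b"\x00" * 19):
    return MAC[dst] + MAC[src] + struct.pack("!H", ETH_P_IP) + payload


def demo():
    """Fig. 2 scenario: host1/2/3 carry tag100/200/300; the firewall releases
    host1->host4, host2->host5 and host3->host6 and blocks everything else."""
    mapping = build_host_tag_mapping(
        {"svc-A": 100, "svc-B": 200, "svc-C": 300},
        {"svc-A": ["host1"], "svc-B": ["host2"], "svc-C": ["host3"]})
    server = ControlServer(mapping, {"plugin-1": b"constructed-token"})
    plugin = MacvlanPlugin()
    assert server.control_instruction("plugin-1") is None   # not trusted yet
    assert server.register("plugin-1", b"constructed-token")
    plugin.apply(server.control_instruction("plugin-1"))
    rules = {100: {MAC["host4"]}, 200: {MAC["host5"]}, 300: {MAC["host6"]}}
    results = {}
    for src, dst in [("host1", "host4"), ("host1", "host5"),
                     ("host2", "host5"), ("host3", "host4")]:
        tagged = plugin.tag_frame(src, ethernet_frame(src, dst))
        results[(src, dst)] = firewall_allows(rules, tagged)
    results["untagged"] = firewall_allows(rules, ethernet_frame("host1", "host4"))
    return results
```

Running `demo()` returns a dictionary in which only the host1->host4 and host2->host5 frames are released; the cross-vlan frames and the untagged frame are dropped.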
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
According to an embodiment of the present application, there is also provided a controlled server based on macvlan network isolation for implementing the method described in fig. 1, where as shown in fig. 5, the controlled server includes a host 41, a network card 42, and a macvlan network plug-in 43:
the host 41 is configured to generate a data stream, and upload the data stream to which the vlan tag is added to a switch of the data center through a trunk channel;
the macvlan network plug-in 43 is configured to receive a control instruction sent by the control server, and to add a vlan tag to the data stream generated by the host based on the mapping relationship between the host and the vlan tag in the control instruction;
the network card 42 is configured to upload the data stream to which the vlan tag is added to a switch of the data center based on a trunk channel, so that a firewall of the data center performs access control on the data stream received from the switch.
From the above description, it can be seen that, in the apparatus for host network isolation based on macvlan according to the embodiment of the present application, the macvlan network plug-in of the controlled server receives the control instruction of the control server, applies to the data stream sent by each host the vlan tag corresponding to that host based on the mapping relationship between the host and the vlan tag in the control instruction, and then forwards the data stream to the switch through the trunk channel, so that the switch recognizes the vlan tag and forwards the data stream to the firewall for control. In this way network isolation between any two hosts can be achieved, the macvlan method is lightweight, and the large network performance loss of the prior art is avoided.
The specific process by which each unit and module of the device implements its functions in the embodiment of the present application may refer to the related description in the method embodiment, and is not repeated here.
According to an embodiment of the present application, there is also provided a macvlan-based host network isolation control server for implementing the method described in fig. 3, as shown in fig. 6, where the control server includes a network controller 51, an API gateway 52, and a distributed state storage module 53:
the network controller 51 is configured to send a control instruction to the controlled server through the API gateway;
the API gateway 52 is configured to send the control instruction to the controlled server, so that a macvlan network plug-in of the controlled server receives the control instruction and adds a vlan tag to a data stream generated by a host based on a mapping relationship between the host and the vlan tag in the control instruction, and the host of the controlled server uploads the data stream to which the vlan tag is added to a switch of a data center through a trunk channel, so that a firewall of the data center performs access control on the data stream received from the switch;
and the distributed state storage module 53 is configured to perform distributed storage on data of a mapping relationship between each host on the controlled server and the vlan tag.
From the above description, it can be seen that, in the apparatus for host network isolation based on macvlan according to the embodiment of the present application, the macvlan network plug-in of the controlled server receives the control instruction of the control server, applies to the data stream sent by each host the vlan tag corresponding to that host based on the mapping relationship between the host and the vlan tag in the control instruction, and then forwards the data stream to the switch through the trunk channel, so that the switch recognizes the vlan tag and forwards the data stream to the firewall for control. In this way network isolation between any two hosts can be achieved, the macvlan method is lightweight, and the large network performance loss of the prior art is avoided.
Further, the network controller 51 is further configured to:
receiving a registration verification request sent by the macvlan network plug-in to the control server through the API gateway;
and adding the macvlan network plug-in into a trusted list according to the registration verification request.
The specific process by which each unit and module of the device implements its functions in the embodiment of the present application may refer to the related description in the method embodiment, and is not repeated here.
According to an embodiment of the present application, there is also provided a system for macvlan-based host network isolation for implementing the methods described in fig. 1 to fig. 4, as shown in fig. 7, the system includes a controlled server 61, a control server 62, a switch 63, and a firewall 64;
the control server 61 is configured to execute the method for macvlan-based host network isolation in the embodiment of fig. 1;
the controlled server 62 is configured to execute the method for macvlan-based host network isolation described in the embodiments of fig. 2 to 3;
the switch 63 is configured to receive the data stream to which the vlan tag is added, and send the data stream to a firewall of the data center through a trunk channel;
and the firewall 64 is configured to perform network access control on the received data stream to which the vlan tag is added.
From the above description, it can be seen that, in the system for host network isolation based on macvlan according to the embodiment of the present application, the macvlan network plug-in of the controlled server receives the control instruction of the control server, applies to the data stream sent by each host the vlan tag corresponding to that host based on the mapping relationship between the host and the vlan tag in the control instruction, and then forwards the data stream to the switch through the trunk channel, so that the switch recognizes the vlan tag and forwards the data stream to the firewall for control. In this way network isolation between any two hosts can be achieved, the macvlan method is lightweight, and the large network performance loss of the prior art is avoided.
According to an embodiment of the present application, there is further provided a computer-readable storage medium, where the computer-readable storage medium stores computer instructions for causing the computer to perform the method for macvlan-based host network isolation in the above method embodiment.
According to an embodiment of the present application, there is also provided an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to cause the at least one processor to perform the method of macvlan-based host network isolation in the above method embodiments.
It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present application is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for host network isolation based on macvlan, applied to a controlled server, characterized in that the method comprises the following steps:
a macvlan network plug-in receives a control instruction sent by a control server, and adds a vlan tag to the data stream generated by a host based on the mapping relationship between the host and the vlan tag in the control instruction; and
the host uploads the data stream to which the vlan tag is added to a switch of the data center through a trunk channel, so that a firewall of the data center can perform access control on the data stream received from the switch.
2. The method for macvlan-based host network isolation as recited in claim 1, wherein, before the macvlan network plug-in receives the control instruction sent by the control server, the method further comprises:
the macvlan network plug-in sends a registration verification request to the control server, so that the network controller can add the macvlan network plug-in to a trusted list.
3. A method for host network isolation based on macvlan, applied to a control server, characterized in that the method comprises the following steps:
the network controller sends a control instruction to the controlled server through the API gateway, so that a macvlan network plug-in of the controlled server receives the control instruction and adds a vlan tag to a data stream generated by a host based on a mapping relation between the host and the vlan tag in the control instruction, and the host of the controlled server uploads the data stream with the vlan tag to a switch of a data center through a trunk channel, so that a firewall of the data center performs access control on the data stream received from the switch.
4. The method for macvlan-based host network isolation as recited in claim 3, further comprising:
receiving a registration verification request sent by the macvlan network plug-in to the control server; and
the network controller adding the macvlan network plug-in to a trusted list according to the registration verification request.
5. The method for macvlan-based host network isolation as recited in claim 4, wherein prior to the network controller sending control instructions to the controlled server through the API gateway, the method further comprises:
receiving verification information sent by a macvlan network plug-in of a controlled server;
judging whether the macvlan network plug-in is trusted based on the trusted list; and
if so, sending a control instruction to the controlled server through the API gateway.
6. A controlled server for macvlan-based host network isolation, characterized in that the controlled server comprises a host, a network card and a macvlan network plug-in:
the host is used for generating a data stream and uploading the data stream added with the vlan tag to a switch of the data center through a trunk channel;
the macvlan network plug-in is used for receiving a control instruction sent by the control server; adding a vlan tag for the data stream generated by the host based on the mapping relation between the host and the vlan tag in the control instruction;
the network card is used for uploading the data stream added with the vlan tag to a switch of a data center based on a trunk channel, so that a firewall of the data center can perform access control on the data stream received from the switch.
7. A control server for macvlan-based host network isolation, the control server comprising a network controller, an API gateway and a distributed state storage module:
the network controller is used for sending a control instruction to the controlled server through the API gateway;
the API gateway is used for sending the control instruction to the controlled server, so that a macvlan network plug-in of the controlled server receives the control instruction and adds a vlan tag to a data stream generated by a host on the basis of the mapping relationship between the host and the vlan tag in the control instruction, and the host of the controlled server uploads the data stream with the vlan tag to a switch of a data center through a trunk channel, so that a firewall of the data center can perform access control on the data stream received from the switch;
and the distributed state storage module is used for performing distributed storage on the data of the mapping relation between each host and the vlan tag on the controlled server.
8. The control server for macvlan-based host network isolation of claim 7, wherein the network controller is further configured to:
receiving a registration verification request sent by the macvlan network plug-in to the control server through the API gateway;
and adding the macvlan network plug-in into a trusted list according to the registration verification request.
9. A system for macvlan-based host network isolation, comprising a controlled server as claimed in claim 1 or 2, a control server as claimed in any one of claims 3 to 5, a switch and a firewall;
the control server is configured to perform the method for macvlan-based host network isolation recited in claim 1 or 2;
the controlled server is configured to perform the method for macvlan-based host network isolation of any one of claims 3 to 5;
the switch is used for receiving the data stream added with the vlan tag and sending the data stream to a firewall of a data center through a trunk channel;
and the firewall is used for carrying out network access control on the received data stream added with the vlan tag.
10. A computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method for macvlan-based host network isolation recited in any one of claims 1-5.
CN202011401329.0A 2020-12-04 2020-12-04 Method, device and system for host network isolation based on macvlan Pending CN112637135A (en)
Publications (1)

Publication Number Publication Date
CN112637135A true CN112637135A (en) 2021-04-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210409