CN102025535B - Virtual machine management method and device and network equipment - Google Patents
- Publication number
- CN102025535B (application CN201010549171A)
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- network device
- management
- security policy
- port
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Abstract
The present invention provides a virtual machine management method, device and network device. The method includes: a network device receives a data packet and parses it to obtain the MAC address in the packet; the network device then identifies, according to that MAC address and pre-stored virtual machine MAC addresses, whether the object that sent the packet is a virtual machine. With the technical solution of the present invention, virtual machines can be identified and then further managed, for example by configuring security policies. This overcomes the defect in the prior art that network devices cannot identify virtual machines, and helps improve the overall efficiency with which network devices manage virtual machines.
Description
Technical field
The present invention relates to network communication technology, and in particular to a virtual machine management method, device and network device.
Background
Server virtualization is a technology that allows multiple virtual servers (known in the industry as virtual machines) to run on a single physical server. The physical server provides the hardware resource abstractions that support the operation of the virtual machines, such as a virtual Basic Input Output System (BIOS), virtual processors, virtual memory, and virtual devices and input/output (IO), while also providing good isolation and security for each virtual machine. For example, before server virtualization, a Customer Relationship Management (CRM) system, an online game and an Enterprise Resource Planning (ERP) system had to run on three separate physical servers; with server virtualization, these three applications can run on three virtual machines hosted by one physical server. Server virtualization thus makes fuller use of physical server resources. In practice, a data center environment typically uses server virtualization to install multiple systems on one physical server, virtualizing it into multiple virtual machines so as to raise its utilization.
Live server migration is a technology that, while a virtual machine is running, migrates the entire running state of the virtual machine completely and quickly from the physical server it currently occupies (the source physical server) to a new physical server (the target physical server). The migration process is smooth and transparent to users. Because virtualization abstracts the real physical resources, live migration can support heterogeneity between the source and target physical servers. Live migration requires the virtual machine monitor on the source physical server (the source virtual machine monitor) and the virtual machine monitor on the target physical server (the target virtual machine monitor) to cooperate in copying the memory and other state information of the virtual machine's operating system. Once live migration starts, memory pages are copied continuously from the source virtual machine monitor to the target virtual machine monitor; after the last memory pages have been copied, the source and target virtual machine monitors complete the switch-over: the virtual machine on the target physical server starts running, the virtual machine on the source physical server is terminated, and the live migration is complete. For example, in a data center environment, maintenance and upgrades of system hardware can be carried out using live migration: the virtual machine is migrated from one physical server to another, hardware maintenance is performed on the original physical server, and after maintenance the virtual machine is migrated back. The whole process completes without downtime, further improving resource utilization in the data center environment.
Usually a physical server is attached to a network device and communicates with the outside world through it. The network device is responsible for, among other things, the secure and reliable transmission of the data flows of the virtual machines on the physical server, so security policies are configured on the network device. When a virtual machine migrates, those security policies must be migrated accordingly to the new network device or new port and take effect there. However, because current network devices cannot perceive virtual machine migration, after a migration the security policy corresponding to the virtual machine can only be moved to the new network device or port by a network administrator, manually or through network management software. This is inefficient and extremely inconvenient to operate, so enabling network devices to recognize virtual machine migration has become the primary problem to solve in current server virtualization technology.
Summary of the invention
The present invention provides a virtual machine management method, device and network device for identifying virtual machines, so as to improve the overall efficiency of managing virtual machines.
The present invention provides a virtual machine management method, including:
a network device receives a data packet and parses the data packet to obtain the media access control address in the data packet;
the network device identifies, according to the media access control address and pre-stored virtual machine media access control addresses, whether the object that sent the data packet is a virtual machine;
when the network device identifies that the object that sent the data packet is a virtual machine, it judges, according to the media access control address and a pre-acquired virtual machine state table, whether the virtual machine has migrated;
when the judgment is that the virtual machine has migrated, the network device sends, according to the virtual machine state table, an invalidation notification message to the network device the virtual machine was connected to before the migration, to instruct that network device to invalidate the security policy of the virtual machine.
The present invention provides a virtual machine management device, including:
a receiving module, configured to receive a data packet and parse the data packet to obtain the media access control address in the data packet;
an identification module, configured to identify, according to the media access control address and pre-stored virtual machine media access control addresses, whether the object that sent the data packet is a virtual machine;
a judgment module, configured to judge, when the identification module identifies that the object that sent the data packet is a virtual machine, whether the virtual machine has migrated, according to the media access control address and a pre-acquired virtual machine state table;
a sending module, configured to send, when the judgment module judges that the virtual machine has migrated, an invalidation notification message according to the virtual machine state table to the virtual machine management device the virtual machine was connected to before the migration, to instruct that device to invalidate the security policy of the virtual machine.
The present invention provides a network device that includes any virtual machine management device provided by the present invention.
The virtual machine management method, device and network device provided by the present invention store virtual machine media access control addresses in advance, obtain the media access control address in a received data packet by parsing it, and compare that address with the stored virtual machine media access control addresses; in this way they can identify whether the object that sent the data packet is a virtual machine. With this technical solution a network device can identify virtual machines and then manage them further, for example by configuring security policies. This overcomes the defect in the prior art that network devices cannot identify virtual machines, and helps improve the overall efficiency with which network devices manage virtual machines.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the virtual machine management method provided by Embodiment 1 of the present invention;
Fig. 2 is a flowchart of the virtual machine management method provided by Embodiment 2 of the present invention;
Fig. 3A is a flowchart of the virtual machine management method provided by Embodiment 3 of the present invention;
Fig. 3B is another flowchart of the virtual machine management method provided by Embodiment 3 of the present invention;
Fig. 4A is a flowchart of the virtual machine management method provided by Embodiment 4 of the present invention;
Fig. 4B is a schematic diagram of the network topology on which the virtual machine management method provided by Embodiment 4 of the present invention is based;
Fig. 5 is a schematic structural diagram of the virtual machine management device provided by Embodiment 5 of the present invention;
Fig. 6A is a schematic structural diagram of the virtual machine management device provided by Embodiment 6 of the present invention;
Fig. 6B is another schematic structural diagram of the virtual machine management device provided by Embodiment 6 of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Embodiment 1
Fig. 1 is a flowchart of the virtual machine management method provided by Embodiment 1 of the present invention. The method of this embodiment is executed by a network device. As shown in Fig. 1, the method includes:
Step 101: the network device receives a data packet and parses it to obtain the Media Access Control (MAC) address in the data packet.
In this embodiment the network device is connected to a server, and the server communicates with the outside world through the network device.
Step 102: the network device identifies, according to the MAC address and pre-stored virtual machine MAC addresses, whether the object that sent the data packet is a virtual machine.
Each virtual machine corresponds to a virtual machine MAC address; in the embodiments of the present invention the MAC address corresponding to a virtual machine is called a virtual machine MAC address. Specifically, the virtual machine MAC addresses of the network are pre-stored in the network device. When the network device receives a data packet, it compares the MAC address learned from the packet with the locally stored virtual machine MAC addresses. If a stored virtual machine MAC address matching the learned MAC address is found, the object that sent the data packet is confirmed to be a virtual machine running on a physical server; otherwise, it is confirmed to be a non-virtual machine.
By storing virtual machine MAC addresses in advance, the virtual machine management method of this embodiment lets the network device automatically identify, through the two processes of MAC address learning and comparison, whether the object that sent a data packet is a virtual machine. Once a virtual machine is identified, subsequent management operations can be performed on it, laying the foundation for more convenient and efficient virtual machine management.
Each virtual machine vendor has applied for its own virtual machine MAC addresses; for example, the virtual machine MAC address field of VMware includes 00-1C-14-XX-XX-XX. Therefore, in the embodiments of the present invention, the administrator can pre-configure the network device with the virtual machine MAC addresses applied for by each virtual machine vendor, and these vendor MAC address fields can be updated by software upgrade or online update.
When the network device receives a data packet, it performs MAC address learning and comparison; once a vendor's virtual machine MAC address is obtained, the network device can be regarded as having sensed the presence of a virtual machine, that is, as having identified the virtual machine.
In addition, the virtual machine MAC addresses in the embodiments of the present invention are not limited to those applied for by the virtual machine vendors; they may also be specially configured virtual machine MAC addresses, for example special virtual machine MAC addresses agreed in advance among the network devices of a network and added to the network devices manually by the administrator. Only the network devices in that network can recognize such an added MAC address as a virtual machine MAC address.
Further, the virtual machine MAC addresses in the embodiments of the present invention may include both the virtual machine MAC addresses applied for by the vendors and the specially agreed virtual machine MAC addresses. The specially agreed addresses cover virtual machines that must use special MAC addresses for particular needs or reasons.
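The identification step of Embodiment 1 (parse the source MAC out of the received frame, then compare it against pre-stored virtual machine MAC addresses) can be illustrated as follows. This is an added example, not code from the patent: it assumes a raw Ethernet frame as input, uses the VMware prefix 00-1C-14 cited above as the vendor prefix, and uses a constructed locally administered address as the "specially agreed" virtual machine MAC.

```python
# Added example (not part of the patent text): a network device deciding
# whether the sender of an Ethernet frame is a virtual machine by comparing
# the learned source MAC address with pre-stored virtual machine MAC addresses.
import struct

# Vendor-assigned virtual machine MAC prefixes (OUIs). 00-1C-14 is the VMware
# prefix cited in the patent text; the administrator pre-configures this list
# and it is updated by software upgrade or online update.
VENDOR_VM_PREFIXES = {"00-1C-14"}

# Specially agreed full virtual machine MAC addresses, pre-agreed among the
# network devices of one network and added manually (constructed sample value).
SPECIAL_VM_MACS = {"02-00-00-00-00-01"}


def normalize(mac: str) -> str:
    """Accept 00-1C-14-XX-XX-XX or 00:1c:14:xx:xx:xx, return lowercase colon form."""
    return mac.replace("-", ":").lower()


# Normalized lookup sets built once so comparison is a set membership test.
_VENDOR = {normalize(p) for p in VENDOR_VM_PREFIXES}
_SPECIAL = {normalize(m) for m in SPECIAL_VM_MACS}


def parse_source_mac(frame: bytes) -> str:
    """Step 101: parse the frame and extract its source MAC (bytes 6..11)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, src = struct.unpack("!6s6s", frame[:12])
    return ":".join(f"{b:02x}" for b in src)


def is_vm_mac(mac: str) -> bool:
    """Step 102: exact match on specially agreed MACs, prefix match on vendor OUIs."""
    mac = normalize(mac)
    if mac in _SPECIAL:
        return True
    return mac[:8] in _VENDOR  # "xx:xx:xx" is the 3-byte OUI


def classify_frame(frame: bytes):
    """Return (learned MAC, is_virtual_machine) for one received frame."""
    mac = parse_source_mac(frame)
    return mac, is_vm_mac(mac)


def build_frame(src_mac: str, dst_mac: str = "ff:ff:ff:ff:ff:ff",
                ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet frame (constructed sample input for testing)."""
    def mac_to_bytes(m: str) -> bytes:
        return bytes(int(x, 16) for x in normalize(m).split(":"))
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for src in ("00-1C-14-AA-BB-CC", "02:00:00:00:00:01", "00:11:22:33:44:55"):
        print(classify_frame(build_frame(src)))
```

The comparison is only as trustworthy as the MAC address itself; a sender that sets its own source MAC can claim or disclaim a vendor prefix, which is why the specially agreed addresses are meaningful only inside a network whose devices all share the list.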
Embodiment 2
Fig. 2 is a flowchart of the virtual machine management method provided by Embodiment 2 of the present invention. This embodiment can be implemented on the basis of Embodiment 1. As shown in Fig. 2, the virtual machine management method of this embodiment includes:
Step 201: the network device receives a data packet and parses it to obtain the MAC address in the data packet; that is, the network device performs MAC address learning.
Step 202: the network device matches the learned MAC address against the pre-stored virtual machine MAC addresses and judges whether a virtual machine MAC address matching the learned MAC address is found. If yes, a matching virtual machine MAC address has been found, i.e. the object that sent the data packet is identified as a virtual machine, and step 203 is performed; otherwise, no matching virtual machine MAC address was found, i.e. the sender is identified as a non-virtual machine, and step 204 is performed.
Step 203: the network device configures a security policy on the port that received the data packet, according to the learned MAC address and a pre-acquired virtual machine security policy mapping table, and the process ends.
In the embodiments of the present invention, the virtual machine security policy mapping table is obtained in advance by the network device. It may be configured manually by the administrator according to the network state, layout and so on, or it may be learned by the network devices from one another through information exchange. Learning the table from one another is the preferred way, because it is flexible and convenient and adapts by itself as network conditions change.
The virtual machine security policy mapping table stores each virtual machine MAC address together with the security policy corresponding to it, and the virtual machine MAC addresses in the table are consistent with those pre-stored in the network device. Therefore, when the network device identifies a virtual machine MAC address through learning and matching, it can query the table to obtain the security policy of the virtual machine that sent the data packet and configure that policy on the port of the network device connected to the virtual machine (that is, the port that received the data packet), so that the security policy takes effect for that virtual machine on that port; thereafter the virtual machine's packets are controlled according to that security policy.
The network device is mainly responsible, through security policies, for the secure and reliable transmission of the data flows of the server's external communication. A common way to implement a security policy is to configure an Access Control List (ACL). An ACL controls the data packets received on a port of the network device by defining rules: permit or discard. Using an ACL, the network device classifies and filters data packets as they pass through it, examines packets entering or leaving a specified port, and decides according to the match conditions whether to permit or deny them. An ACL consists of a series of entries; each entry includes a match condition and the action to take when the condition is met. ACL rules can refer to information such as the source MAC or source Internet Protocol (IP) address, destination MAC or destination IP address, upper-layer protocol and time range of a data packet. For example, if only IP addresses in the network segment 192.168.1.0/24 are allowed to access a virtual machine, the network device should configure an ACL in the output direction of the port connected to that virtual machine, with the rule PERMIT source IP = 192.168.1.0/24, and apply that ACL rule on the port. Because the default rule of the ACL is set to deny all other data packets, packets whose source IP address does not meet this requirement are filtered out.
In addition, the network device can perform security control by Quality of Service (QoS), for example according to a network bandwidth limit. For example, if a virtual machine is only allowed to send 10M of data packets, the network device needs to configure a QoS bandwidth limit rule on the port connected to the virtual machine, namely rate limit 10M, and apply that rule on the port.
Step 204: the network device performs regular processing on the data packet. For example, the network device may check the validity of each field of the packet; or it may look up the destination MAC address of the packet in its MAC address table and, if the address is found, forward the packet to the corresponding port, otherwise broadcast it on all ports. Regular processing in this embodiment means the processing applied to data packets sent by non-virtual machines; it may also include security checks, and this embodiment does not limit it.
Note that in the technical solution of this embodiment, when a virtual machine stays connected to a given port of the network device, the security policy only needs to be configured once on the port that receives the virtual machine's data packets, according to the initially learned MAC address; it does not need to be configured every time the MAC address is learned.
The virtual machine management method of this embodiment, by pre-storing virtual machine MAC addresses and performing MAC address learning, matching and judgment, lets the network device identify virtual machines and, after identifying one, configure the security policy by itself from the pre-acquired virtual machine security policy mapping table, ensuring secure and reliable transmission of the data packets exchanged between the virtual machine and the outside world. Because the security policy is configured by the network device on the basis of virtual machine identification, no manual operation by the administrator is needed, which improves the efficiency of configuring security policies and makes virtual machines more convenient to manage.
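Steps 201 to 204 of Embodiment 2, together with the ACL and QoS examples above, can be put together as follows. This is an added example, not code from the patent: the policy mapping table, the port numbers and the `NetworkDevice` model are constructed; the only values taken from the text are the VMware prefix 00-1C-14, the PERMIT source IP = 192.168.1.0/24 rule with deny-by-default, and the 10M rate limit. The example goes slightly beyond the text in that it also evaluates the configured ACL against later packets, so the effect of the default deny rule is visible.

```python
# Added example (not part of the patent text): a network device that identifies
# a virtual machine by MAC address, configures the VM's security policy (ACL +
# QoS rate limit) on the ingress port exactly once, and then enforces the ACL.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VENDOR_VM_PREFIXES = {"00:1c:14"}   # VMware prefix cited in the patent text


def is_vm_mac(mac: str) -> bool:
    """Step 202: prefix match of the learned MAC against stored VM MAC prefixes."""
    return mac.lower()[:8] in VENDOR_VM_PREFIXES


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    src_net: ipaddress.IPv4Network   # match condition: packet source IP


@dataclass
class PortPolicy:
    acl: List[AclRule]
    rate_limit_mbps: Optional[int] = None   # QoS bandwidth limit; None = unlimited
    default_action: str = "deny"            # ACL default rule: drop everything else


# Constructed VM security policy mapping table (VM MAC -> policy), using the
# patent's example: only 192.168.1.0/24 may reach the VM; the VM is limited to 10M.
POLICY_TABLE: Dict[str, PortPolicy] = {
    "00:1c:14:aa:bb:cc": PortPolicy(
        acl=[AclRule("permit", ipaddress.ip_network("192.168.1.0/24"))],
        rate_limit_mbps=10,
    ),
}


@dataclass
class NetworkDevice:
    port_policies: Dict[int, PortPolicy] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def learn(self, port: int, src_mac: str) -> str:
        """Steps 201-204: learn the MAC, identify the VM, configure its policy once."""
        src_mac = src_mac.lower()
        if not is_vm_mac(src_mac):
            return "regular"              # step 204: regular processing
        if port in self.port_policies:
            return "already-configured"   # policy is configured only once per port
        policy = POLICY_TABLE.get(src_mac)
        if policy is None:
            return "vm-without-policy"    # VM known, but no entry in the mapping table
        self.port_policies[port] = policy # step 203: ACL + QoS take effect on the port
        self.events.append(f"port {port}: policy configured for {src_mac}")
        return "configured"

    def filter(self, port: int, src_ip: str) -> str:
        """Apply the port's ACL (output direction, towards the VM) to one packet."""
        policy = self.port_policies.get(port)
        if policy is None:
            return "permit"               # no VM policy on this port
        ip = ipaddress.ip_address(src_ip)
        for rule in policy.acl:           # first matching entry wins
            if ip in rule.src_net:
                return rule.action
        return policy.default_action      # deny-by-default


if __name__ == "__main__":
    dev = NetworkDevice()
    print(dev.learn(1, "00:1C:14:AA:BB:CC"), dev.learn(1, "00:1C:14:AA:BB:CC"))
    print(dev.filter(1, "192.168.1.77"), dev.filter(1, "10.0.0.5"))
```

The "vm-without-policy" outcome is worth handling explicitly: a MAC that matches a vendor prefix but has no entry in the mapping table is a VM the table does not know about, and silently forwarding it without a policy is the gap the mapping table is meant to close.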
Embodiment 3
Fig. 3A is a flowchart of the virtual machine management method provided by Embodiment 3 of the present invention. This embodiment can be implemented on the basis of Embodiments 1 and 2. As shown in Fig. 3A, the management method of this embodiment includes:
Step 301: the network device receives a data packet and parses it to obtain the MAC address in the data packet; that is, the network device performs MAC address learning.
Step 302: the network device matches the learned MAC address against the pre-stored virtual machine MAC addresses and judges whether a virtual machine MAC address matching the learned MAC address is found; if yes, step 303 is performed; otherwise, step 305 is performed.
Step 303: the network device judges, according to the learned MAC address and a pre-acquired virtual machine state table, whether the virtual machine corresponding to the learned MAC address has migrated; if yes, step 304 is performed; if no, the process ends.
The data packet with this MAC address received by the network device may have been sent by a virtual machine that has always been hosted by one server and has just been started, or by a virtual machine that has migrated from one (physical) server to another. The judgment in step 303 identifies whether the virtual machine has migrated.
The virtual machine state table stores the state information of the virtual machines running on the servers connected to each network device in the network, including for example the port of the network device, the connected server, the list of virtual machines running on the server behind that port, and the MAC addresses of those virtual machines.
Step 304: the network device sends, according to the virtual machine state table, an invalidation notification message to the network device the virtual machine was connected to before the migration, to instruct that network device to invalidate the security policy of the virtual machine, and the process ends.
When a virtual machine is found to have migrated from one server to another, the original network device must be notified, so that the network device connected before the migration deletes, that is, invalidates, the security policy on the port that was connected to the virtual machine. After receiving the invalidation notification message, the network device connected before the migration can parse it to obtain the virtual machine MAC address it carries and then invalidate the security policy on the corresponding port according to that MAC address. This ensures the integrity of the security policy migration.
Step 305: the network device performs regular processing on the data packet.
The virtual machine management method of this embodiment, by pre-storing virtual machine MAC addresses and performing MAC address learning, matching and judgment, lets the network device identify virtual machines and also identify virtual machine migration; at the same time, by notifying the network device connected before the migration through the invalidation notification message, it causes that device to invalidate the pre-migration security policy, completing the full migration of the security policy. This embodiment can identify virtual machines and virtual machine migration, solving the problem that neither could be identified, and facilitates the subsequent migration or configuration of security policies.
In the above technical solution, when the network device identifies a virtual machine, whether that virtual machine has migrated from one server to another or has always been hosted by a single server, the network device needs to configure a security policy on the port that connects the virtual machine. FIG. 3B is another schematic diagram of the virtual machine management method provided by Embodiment 3 of the present invention; the flow in FIG. 3B differs from FIG. 3A in that it further includes, after step 302, step 303a: the network device configures a security policy on the port that received the data packet, according to the learned MAC address and the pre-obtained virtual machine security policy correspondence table.
It should be noted here that, whether for a virtual machine that has always been hosted by one physical server or for a virtual machine that has migrated, in step 303a of this embodiment the network device only needs to configure the security policy once, on the port that receives the data packets sent by the virtual machine, according to the initially learned MAC address.
It should also be noted that steps 303a and 303 have no fixed order: the security policy may be configured first and the migration judgement made afterwards, or the migration judgement may be made first and the security policy configured afterwards, in which case the security policy configuration may be called security policy migration.
Further, after the local network device has completed the security policy configuration for the virtual machine, it may also send the security policies configured on each of its ports, together with the virtual machine information corresponding to those policies, to the other network devices, so that they can record or update the information they store.
With the virtual machine management method of this embodiment, the network device can identify virtual machines and their migration and, having identified a virtual machine, configure the security policy by itself according to the pre-obtained virtual machine security policy correspondence table, which ensures the secure and reliable transmission of the data packets exchanged between the virtual machine and the outside world. Because migration is identified, the network device can configure the virtual machine's security policy on its own, without manual operation by an administrator, which improves the efficiency of security policy configuration and makes virtual machine management more convenient.
This embodiment provides one implementation by which a network device obtains the virtual machine security policy correspondence table and the virtual machine state table in advance, but is not limited to it. The implementation provided by this embodiment comprises:
Step 3031: when each network device starts, it sends a first management message that includes the MAC address of the network device and information about the port on which the first management message is sent, the port information including the port number and the port type (for example, whether it is a device port or a server port).
Step 3033: the network device that is the executing entity of this embodiment receives the first management messages sent by the other network devices and, from them, identifies its own device ports and server ports. A network device is connected not only to servers but also to other network devices; a port connected to a server is called a server port, and a port connected to another network device is called a device port. It is agreed in advance that the first management message may only be sent through ports connected to network devices (that is, device ports) and may only be received through device ports. The network device can therefore identify a port on which a first management message is received as a device port, and the remaining ports as server ports. Each network device can then perform virtual machine identification, virtual machine security policy configuration or migration and so on on its server ports according to the methods of the embodiments above, or an administrator can configure security policies on the corresponding network devices according to the virtual machine MAC addresses the network has agreed to use. Once each network device has configured its security policies, it can send the configured security policies and the corresponding virtual machine information to every other network device through its device ports.
Step 3035: the network device that is the executing entity of this embodiment receives, through its device ports, second management messages sent by the other network devices; a second management message includes information about the virtual machines running on each server port of the other network device and the security policy configured for each running virtual machine.
Step 3037: the network device that is the executing entity of this embodiment generates the virtual machine security policy correspondence table and the virtual machine state table from the second management messages.
Specifically, the network device takes the virtual machine information, the security policy configured for each virtual machine and the correspondence between them from the second management messages sent by each of the other network devices, and combines them to generate the virtual machine security policy correspondence table, which contains the virtual machine information, the security policies and the correspondence between security policies and virtual machines. From the server port information (for example the port number) and the corresponding virtual machine information (for example the virtual machine MAC address) in the second management messages, it generates the virtual machine state table, which contains the virtual machine, the server on which it is located, the port of the network device to which that server is connected, and the correspondence between these. Consequently, when the executing network device identifies a virtual machine MAC address, it can determine from the virtual machine state table of the previous moment whether the virtual machine has migrated: if the virtual machine MAC address now also appears on another server port, the virtual machine has migrated, and its security policy is migrated accordingly.
If there is no need to identify whether a virtual machine has migrated (for example, the scenario described in Embodiment 2), only the virtual machine security policy correspondence table need be generated according to the technical solution of this embodiment, without generating the virtual machine state table.
In this way each network device can obtain the virtual machine security policy correspondence table and/or the virtual machine state table in advance. To ensure that the tables on each network device change accordingly as the network state changes or virtual machines migrate, this embodiment further stipulates that each network device periodically sends the second management message to the other network devices, so that every network device obtains in real time the information about the virtual machines running on the other network devices and the security policies corresponding to the running virtual machines, and updates its virtual machine security policy correspondence table and/or virtual machine state table accordingly.
Further, in the above embodiment, step 3033 is followed by step 3034, in which the network device that is the executing entity configures the security policies for the virtual machines on its server ports and periodically sends, through its device ports, the information about the virtual machines running on each of its server ports together with the security policy configured for each of them (that is, the second management message) to the other network devices, for them to generate the virtual machine security policy correspondence table and the virtual machine state table in advance and to update them.
The above is one implementation by which the present invention obtains the virtual machine security policy correspondence table and the virtual machine state table. It mainly sends the first management message according to pre-agreed rules so that each network device can identify its device ports and server ports, then configures security policies and sends the second management message through the device ports, so that the virtual machines and their corresponding security policies are handled uniformly across the whole network, that is, a virtual machine security policy correspondence table and a virtual machine state table with essentially the same content are generated on every network device, laying the foundation for the implementation of the embodiments of the present invention.
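The exchange in steps 3031 to 3037 (port classification from the first management message, table generation from the second management message, periodic refresh in step 3034), written out as an added example; this is illustrative code, not the patent's own implementation. The message field names, the device MAC addresses, the port numbers and the policy string are constructed placeholders loosely modelled on the Embodiment 4 topology (device 41 with device ports 51 to 53 and server port 54), and the state table is simplified to map a VM MAC to (sending device, server port) rather than carrying the server identity as well.

```python
# Constructed message formats for the first and second management messages.
# Field names, MACs, port numbers and policy strings are placeholders.

FIRST, SECOND = 1, 2


def first_mgmt(dev_mac, port, port_type="Net-Port"):
    """Step 3031: sent on every device port when the device starts."""
    return {"type": FIRST, "dev_mac": dev_mac, "port": port, "port_type": port_type}


def second_mgmt(dev_mac, port, server_ports, config_units):
    """Step 3034: first-message fields plus the Server-Port list and the
    <VM MAC, policy> pairs in effect on each server port.
    config_units is a list of (server port, vm_mac, policy)."""
    return {**first_mgmt(dev_mac, port), "type": SECOND,
            "server_ports": sorted(server_ports),
            "server_port_count": len(server_ports),
            "config_units": list(config_units),
            "config_unit_count": len(config_units)}


def classify_ports(all_ports, received):
    """Step 3033: a port on which a first management message arrived is a
    device port; every other port is a server port.
    received is a list of (ingress port, message) pairs."""
    device_ports = {port for port, msg in received if msg["type"] == FIRST}
    return device_ports, set(all_ports) - device_ports


def build_tables(latest):
    """Step 3037: merge the newest second management message of every peer
    (dict dev_mac -> message) into the policy correspondence table
    (VM MAC -> policy) and the state table (VM MAC -> (dev_mac, server port)).
    Config units naming a port outside the sender's Server-Port list are
    rejected, since a policy may never bind to a device port."""
    policy_table, state_table, rejected = {}, {}, []
    for dev_mac, msg in latest.items():
        if msg["type"] != SECOND:
            continue
        server_ports = set(msg["server_ports"])
        for port, vm_mac, policy in msg["config_units"]:
            if port not in server_ports:
                rejected.append((dev_mac, port, vm_mac))
                continue
            policy_table[vm_mac] = policy
            state_table[vm_mac] = (dev_mac, port)
    return policy_table, state_table, rejected


class TableStore:
    """Keeps only the newest second management message per peer, so the
    periodic re-sends of step 3034 replace stale entries instead of
    accumulating them."""

    def __init__(self):
        self.latest = {}

    def receive(self, msg):
        if msg["type"] == SECOND:
            self.latest[msg["dev_mac"]] = msg
        return build_tables(self.latest)


def demo():
    """Device 41's view: classify its ports, then build and refresh tables."""
    all_ports = {51, 52, 53, 54}
    received = [(51, first_mgmt("00:00:00:00:00:42", 1)),   # from device 42
                (52, first_mgmt("00:00:00:00:00:43", 1)),   # from device 43
                (53, first_mgmt("00:00:00:00:00:44", 1))]   # from device 44
    dev_ports, srv_ports = classify_ports(all_ports, received)
    store = TableStore()
    vm = "02:00:00:00:00:01"                                # placeholder VM MAC
    # device 42 reports the VM on its server port 55
    tables = store.receive(second_mgmt("00:00:00:00:00:42", 1, {55},
                                       [(55, vm, "acl-example")]))
    # a later periodic message from 42 in which the VM is no longer listed
    refreshed = store.receive(second_mgmt("00:00:00:00:00:42", 1, {55}, []))
    return dev_ports, srv_ports, tables, refreshed


if __name__ == "__main__":
    print(demo())
```

The rejection path in `build_tables` is the check a practitioner would add on top of the text: a peer that advertises a policy bound to something other than one of its own Server-Ports is dropped rather than merged, so a malformed or stale announcement cannot place a policy on a device port.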
The flow of the technical solution of the present invention is described in detail below through specific embodiments in combination with a network topology.
Embodiment four
FIG. 4A is a flowchart of the virtual machine management method provided by Embodiment 4 of the present invention; FIG. 4B is a schematic diagram of the network topology on which that method is based. As shown in FIG. 4B, this embodiment includes network device 41, network device 42, network device 43 and network device 44, together with server 45 and server 46. Network device 41 is connected to network devices 42, 43 and 44; server 45 is connected to network device 41 and server 46 to network device 42. Network devices 41 to 44 each follow a pre-agreed unified virtual machine management mechanism, and the virtual machine MAC addresses used by the network are configured on every network device. The method of this embodiment then includes:
Step 401: after powering on, network devices 41 to 44 each periodically broadcast a first management message, declaring that they support the virtual machine management mechanism and letting the other network devices know. Network devices 41 to 44 record the port on which a first management message is received as a device port (Net-Port); under the rules agreed in advance by the virtual machine management mechanism, a network device sends the first management message to other network devices only through device ports, and a port connecting a virtual machine never receives a first management message, so the remaining ports, on which no first management message is received, can be recorded as server ports (Server-Port). On this basis, the topology in FIG. 4B has device ports 51, 52 and 53 and server ports 54 and 55. The format of the first management message includes, but is not limited to, the following fields: the MAC address of the network device; the number of the port of the current network device from which the first management message is sent; and the type of that port (for example Server-Port or Net-Port).
Step 402: identify virtual machines from the pre-configured virtual machine MAC addresses and generate "virtual machine configuration units" on the network device; the network administrator applies each virtual machine's "security policy" (the ACL, QoS and similar policies mentioned above) to these "virtual machine configuration units". Because one physical port of a network device connects one physical server, and several virtual machines may be installed on that physical server, one physical port of the network device may contain several "virtual machine configuration units", and several virtual machine MAC address to security policy correspondences are generated on the network device.
Step 403: through the second management message, announce the <virtual machine MAC address, security policy> correspondences through the device ports to all other network devices in the network that support the virtual machine management mechanism. The second management message adds to the first management message, but is not limited to, the following fields: the list of this network device's "Server-Ports" and their total number; the list of this network device's virtual machine configuration units and their total number; and the correspondence between virtual machine MAC address and security policy applied on each virtual machine configuration unit.
On this basis, the virtual machine security policy correspondence table is now stored on all of network devices 41 to 44, ready for security policies to take effect quickly and in real time.
Step 404: suppose a virtual machine migrates from server 45 to server 46. Network device 42 immediately learns, through MAC address learning and the information in the virtual machine security policy correspondence table, that the virtual machine has migrated from server 45 to server 46, and finds that the MAC address was learned on server port 55; it therefore applies the security policy corresponding to that virtual machine MAC address on the new server port 55. A security policy corresponding to a virtual machine MAC address can only take effect on a server port (Server-Port), following the MAC address as it moves, and cannot take effect on a device port (Net-Port). It should be noted that in this embodiment the virtual machine security policy correspondence table includes, at the same time, the information about the virtual machines running in the network, the security policy information corresponding to each virtual machine and the information about the server on which each virtual machine is located; that is, in this embodiment the network device does not need to generate a separate virtual machine state table to store the virtual machines, the servers on which they are located and the correspondence between them.
Step 405: once the new security policy has taken effect on network device 42, the original network device 41 must be notified to delete the original security policy, so that the "security policy migration" is completed in full.
In this way the problem that existing network devices cannot independently and automatically migrate the security policies applied to virtual machines is solved, achieving intelligent, automated network-wide management of security policies in a data center network environment.
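Steps 303 to 305 of Embodiment 3 (migration judgement, invalidation notification, ordinary forwarding) and steps 404 to 405 of Embodiment 4, replayed as an added example on the FIG. 4B topology; this is illustrative code added here, not the patent's own implementation. The VM MAC address, the policy string, the notification message layout and the `fabric` dictionary standing in for the links between devices are constructed assumptions; the device numbers 41 and 42, server ports 54 and 55, and servers 45 and 46 are those of Embodiment 4. State sharing between devices is reduced to a direct table update in `_announce`, standing in for the second management message.

```python
from dataclasses import dataclass, field

# Constructed sample data modelled on the Embodiment 4 topology:
# network device 41 has server port 54 (server 45), network device 42
# has server port 55 (server 46). The VM MAC and policy are placeholders.
VM_MAC = "02:00:00:00:00:01"
VM_POLICY = "acl-example"      # stands in for the VM's ACL/QoS policy
INVALIDATE = "invalidate"      # message type of the invalidation notice


@dataclass
class NetworkDevice:
    dev_id: int
    server_ports: set
    policy_table: dict                                  # VM MAC -> policy
    state_table: dict = field(default_factory=dict)     # VM MAC -> (dev_id, port)
    port_policies: dict = field(default_factory=dict)   # (port, VM MAC) -> policy
    notices_sent: list = field(default_factory=list)

    def learn(self, port, src_mac, fabric):
        """Process one data packet received on `port` (steps 301-305).
        `fabric` maps device id -> NetworkDevice and stands in for the
        links over which notification messages travel."""
        # A policy may only take effect on a Server-Port, never on a Net-Port.
        if port not in self.server_ports:
            return "device-port"
        # Step 302: compare the learned MAC against the pre-stored VM MACs.
        if src_mac not in self.policy_table:
            return "not-a-vm"          # step 305: ordinary processing
        # Step 303a: apply the VM's policy on the receiving server port.
        self.port_policies[(port, src_mac)] = self.policy_table[src_mac]
        # Step 303: compare with the state table of the previous moment.
        prev = self.state_table.get(src_mac)
        migrated = prev is not None and prev != (self.dev_id, port)
        if migrated:
            # Step 304: tell the pre-migration device to invalidate its policy.
            old_dev, old_port = prev
            notice = {"type": INVALIDATE, "vm_mac": src_mac, "port": old_port}
            fabric[old_dev].handle_invalidation(notice)
            self.notices_sent.append((old_dev, notice))
        self.state_table[src_mac] = (self.dev_id, port)
        self._announce(fabric)
        return "vm-migrated" if migrated else "vm-configured"

    def handle_invalidation(self, notice):
        """Pre-migration device: parse the VM MAC from the notice and delete
        the policy on the named port. Returns True if a policy was removed."""
        if notice.get("type") != INVALIDATE:
            return False
        key = (notice["port"], notice["vm_mac"])
        return self.port_policies.pop(key, None) is not None

    def _announce(self, fabric):
        """Share this device's own VM locations with the other devices
        (simplified stand-in for the second management message)."""
        own = {m: loc for m, loc in self.state_table.items() if loc[0] == self.dev_id}
        for dev in fabric.values():
            if dev is not self:
                dev.state_table.update(own)


def run_migration_scenario():
    """Replay steps 404-405 on the constructed topology."""
    dev41 = NetworkDevice(41, {54}, {VM_MAC: VM_POLICY})
    dev42 = NetworkDevice(42, {55}, {VM_MAC: VM_POLICY})
    fabric = {41: dev41, 42: dev42}
    first = dev41.learn(54, VM_MAC, fabric)    # VM first seen on server 45
    second = dev42.learn(55, VM_MAC, fabric)   # VM migrated to server 46
    return first, second, dev41, dev42


if __name__ == "__main__":
    r1, r2, d41, d42 = run_migration_scenario()
    print(r1, r2, d41.port_policies, d42.port_policies, d41.state_table)
```

After the second `learn` call the policy exists only on port 55 of device 42 and device 41's entry for port 54 is gone, which is the "complete security policy migration" the text describes; the same branch also handles a move between two server ports of the same device, since the device then notifies itself.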
Embodiment five
FIG. 5 is a schematic structural diagram of the virtual machine management apparatus provided by Embodiment 5 of the present invention. As shown in FIG. 5, the virtual machine management apparatus of this embodiment includes a receiving module 61 and an identification module 62.
The receiving module 61 is configured to receive a data packet and parse it to obtain the MAC address in the data packet; the identification module 62, connected to the receiving module 61, is configured to identify whether the sender of the data packet is a virtual machine according to the MAC address obtained by the receiving module 61 and the pre-stored virtual machine MAC addresses.
The virtual machine management apparatus provided by this embodiment can be used to execute the flow of the virtual machine management method provided by the embodiments of the present invention. By pre-storing virtual machine MAC addresses, the network device can automatically identify, through the two steps of MAC address learning and comparison, whether the sender of a data packet is a virtual machine, and can then carry out subsequent management operations on the virtual machine once it has been identified, laying the foundation for more convenient and efficient virtual machine management.
Embodiment six
FIG. 6A is a schematic structural diagram of the virtual machine management apparatus provided by Embodiment 6 of the present invention. This embodiment can be implemented on the basis of Embodiment 5; as shown in FIG. 6A, the virtual machine management apparatus of this embodiment further includes a first configuration module 63.
The first configuration module 63, connected to the identification module 62, is configured to configure a security policy on the port that received the data packet, according to the MAC address and the pre-obtained virtual machine security policy correspondence table, when the identification module 62 identifies the sender of the data packet as a virtual machine.
The virtual machine management apparatus of this embodiment can likewise be used to execute the flow of the virtual machine management method provided by the embodiments of the present invention. By pre-storing virtual machine MAC addresses and performing MAC address learning, matching and judgement, it can identify a virtual machine and, having done so, configure the security policy by itself according to the pre-obtained virtual machine security policy correspondence table, ensuring the secure and reliable transmission of the data packets exchanged between the virtual machine and the outside world. Because the virtual machine is identified, this embodiment can configure the virtual machine's security policy without manual operation by an administrator, which improves the efficiency of security policy configuration and makes virtual machine management more convenient.
FIG. 6B is another schematic structural diagram of the virtual machine management apparatus provided by Embodiment 6 of the present invention. As shown in FIG. 6B, the virtual machine management apparatus of this embodiment further includes a judgement module 64 and a sending module 65.
When the sender of the data packet is identified as a virtual machine, it can further be identified whether that virtual machine has migrated. The judgement module 64, connected to both the receiving module 61 and the identification module 62, is configured to judge whether the virtual machine has migrated according to the MAC address and the pre-obtained virtual machine state table; the sending module 65, connected to the judgement module 64, is configured, when the judgement module 64 judges that the virtual machine has migrated, to send an invalidation notification message according to the virtual machine state table to the virtual machine management apparatus the virtual machine was connected to before migration, informing it to invalidate the security policy for the virtual machine.
The virtual machine management apparatus shown in FIG. 6B of this embodiment can likewise be used to execute the flow of the virtual machine management method provided by the embodiments of the present invention. After identifying a virtual machine it further judges whether the virtual machine has migrated and, when migration is found, sends an invalidation notification message to the virtual machine management apparatus the virtual machine was connected to before migration, so that that apparatus invalidates the security policy on the corresponding port, ensuring that the security policy migrates completely along with the virtual machine.
When a virtual machine is identified, whether or not its migration is identified, the virtual machine management apparatus needs to configure a security policy on the corresponding port. Accordingly, as shown in FIG. 6B, the virtual machine management apparatus of this embodiment further includes a second configuration module 67, connected to the identification module 62 and configured, when the identification module 62 identifies a virtual machine, to configure a security policy on the port that received the data packet according to the MAC address and the pre-obtained virtual machine security policy correspondence table.
The first configuration module 63 in FIG. 6A is used to configure the security policy when a virtual machine is identified without the need to identify whether it has migrated, whereas the second configuration module 67 is used to configure the security policy when a virtual machine is identified and its migration also needs to be identified. In a concrete implementation, the first configuration module 63 and the second configuration module 67 may be implemented as separate modules, or as a single module used to configure security policies in the different situations (FIG. 6B shows a single configuration module as an example, namely the second configuration module 67); this embodiment does not restrict this.
On the basis of the above technical solution, as shown in FIG. 6B, the virtual machine management apparatus of this embodiment further includes an acquisition module 66, connected to both the second configuration module 67 and the judgement module 64 and configured to obtain the virtual machine security policy correspondence table and the virtual machine state table in advance. Specifically, the acquisition module 66 includes a first receiving unit, a second receiving unit and a generation unit. The first receiving unit is configured to receive first management messages sent by other virtual machine management apparatuses and, from them, identify the device ports and server ports of the local virtual machine management apparatus, the first management message including the MAC address of the other network device and information about the port from which the first management message is sent; the second receiving unit is configured to receive, through the device ports, second management messages sent by other virtual machine management apparatuses, the second management message including information about the virtual machines running on the other virtual machine management apparatus and the security policies configured for them; and the generation unit is configured to generate, from the second management messages, the virtual machine security policy correspondence table containing the correspondence between virtual machines and security policies, and the virtual machine state table containing information about the running virtual machines. It should be noted that when there is no need to identify whether a virtual machine has migrated, the generation unit may generate only the virtual machine security policy correspondence table, without generating the virtual machine state table.
Further, the acquisition module 66 also includes a sending unit, configured to configure security policies for the virtual machines running on the server ports of the local virtual machine management apparatus and to periodically send, through the device ports, the information about the virtual machines on each server port of the local virtual machine management apparatus together with the security policy configured for each of them (that is, the second management message) to the other virtual machine management apparatuses, so that they can generate the virtual machine security policy correspondence table and the virtual machine state table in advance. Likewise, for the other virtual machine management apparatuses, when only the virtual machine needs to be identified and not whether it has migrated, only the virtual machine security policy correspondence table need be generated and not the virtual machine state table; whether the virtual machine state table is actually generated is not restricted by this embodiment.
Through the above technical solution, the virtual machine management apparatus of this embodiment can obtain in advance, by exchanging information, the information about the virtual machines running on other virtual machine management apparatuses, the security policies configured for each of them and the correspondence between these, and then generate the virtual machine security policy correspondence table and the virtual machine state table in advance, providing the basis for the implementation of the embodiments of the present invention. The virtual machine information, security policies and their correspondences obtained from other virtual machine management apparatuses in this way are more accurate and timely, and the virtual machine security policy correspondence table and the virtual machine state table can be updated promptly, which improves the accuracy and timeliness of virtual machine management based on that information.
Embodiment seven
Embodiment 7 of the present invention provides a network device that includes a virtual machine management apparatus. The virtual machine management apparatus may be the virtual machine management apparatus provided by the embodiments of the present invention; for its working principle and structure, refer to the description of the above embodiments, which is not repeated here. The network device of this embodiment may be any network device connected to a physical server running virtual machines, for example a router or a switch, or any kind of gateway device, and can be used to manage virtual machines.
The network device of this embodiment has the virtual machine management apparatus provided by the embodiments of the present invention and can be used to execute the flow of the virtual machine management method provided by those embodiments. Therefore, when the network device of this embodiment is used to manage virtual machines, it can identify virtual machine migration by itself and configure the virtual machines' security policies without manual configuration by an administrator, which improves the efficiency of security policy configuration and greatly improves the convenience of virtual machine management.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010549171A CN102025535B (en) | 2010-11-17 | 2010-11-17 | Virtual machine management method and device and network equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010549171A CN102025535B (en) | 2010-11-17 | 2010-11-17 | Virtual machine management method and device and network equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102025535A CN102025535A (en) | 2011-04-20 |
| CN102025535B true CN102025535B (en) | 2012-09-12 |
Family
ID=43866427
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010549171A Expired - Fee Related CN102025535B (en) | 2010-11-17 | 2010-11-17 | Virtual machine management method and device and network equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102025535B (en) |
Families Citing this family (27)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102148715A (en) * | 2011-05-17 | 2011-08-10 | 杭州华三通信技术有限公司 | Method and device for virtual network configuration migration |
| CN103024090B (en) * | 2011-09-20 | 2015-07-01 | 阿里巴巴集团控股有限公司 | Method and system for identifying user terminal |
| CN102413041B (en) * | 2011-11-08 | 2015-04-15 | 华为技术有限公司 | Method, device and system for moving security policy |
| CN103139167B (en) * | 2011-11-30 | 2017-12-12 | 温州大学 | A kind of method and apparatus for associating virtual site during virtual site migration |
| CN102739645B (en) * | 2012-04-23 | 2016-03-16 | 杭州华三通信技术有限公司 | The moving method of secure virtual machine strategy and device |
| CN103428106B (en) * | 2012-05-16 | 2016-11-23 | 华为技术有限公司 | The method of the Message processing after virtual machine VM migration and equipment thereof |
| CN103891206B (en) * | 2012-10-12 | 2017-02-15 | 华为技术有限公司 | Method and device for synchronizing network data flow detection status |
| US8910162B2 (en) * | 2012-11-30 | 2014-12-09 | International Business Machines Corporation | User datagram protocol (UDP) packet migration in a virtual machine (VM) migration |
| CN103905383B (en) * | 2012-12-26 | 2017-11-24 | 华为技术有限公司 | A kind of data message forwarding method, device and system |
| CN103179192B (en) * | 2013-02-07 | 2015-11-25 | 杭州华三通信技术有限公司 | The message forwarding method that virtual server moves, system and NAT service equipment |
| CN103236963A (en) * | 2013-04-25 | 2013-08-07 | 西北工业大学 | VMWare virtual machine remote detection method |
| CN103220298A (en) * | 2013-04-27 | 2013-07-24 | 西北工业大学 | Windows Virtual machine remote detecting method |
| CN104348671A (en) * | 2013-07-26 | 2015-02-11 | 中国电信股份有限公司 | Method for identifying virtual host in IPv6 network and DPI equipment |
| CN104901923B (en) * | 2014-03-04 | 2018-12-25 | 新华三技术有限公司 | A kind of virtual machine access mechanism and method |
| CN105450532B (en) * | 2014-09-28 | 2018-10-09 | 新华三技术有限公司 | Three-layer forwarding method in software defined network and device |
| CN104780071B (en) * | 2015-04-21 | 2018-12-25 | 新华三技术有限公司 | The upgrade method and device of virtual switch |
| CN105100109B (en) | 2015-08-19 | 2019-05-24 | 华为技术有限公司 | A kind of method and device of deployment secure access control policy |
| EP3229405B1 (en) | 2015-12-31 | 2020-07-15 | Huawei Technologies Co., Ltd. | Software defined data center and scheduling and traffic-monitoring method for service cluster therein |
| CN108293001B (en) * | 2015-12-31 | 2020-10-23 | 华为技术有限公司 | A software-defined data center and a deployment method for a service cluster therein |
| CN105763440B (en) * | 2016-01-29 | 2019-04-09 | 新华三技术有限公司 | A kind of method and apparatus of message forwarding |
| CN109246134B (en) * | 2016-08-25 | 2021-04-06 | 杭州数梦工场科技有限公司 | Message control method and device |
| CN108259545B (en) * | 2017-01-13 | 2021-04-27 | 新华三技术有限公司 | Port security policy diffusion method and device |
| CN107707551A (en) * | 2017-10-09 | 2018-02-16 | 山东中创软件商用中间件股份有限公司 | A kind of method and system of IP access controls |
| CN108363611A (en) * | 2017-11-02 | 2018-08-03 | 北京紫光恒越网络科技有限公司 | Method for managing security, device and the omnidirectional system of virtual machine |
| CN109413082A (en) * | 2018-11-12 | 2019-03-01 | 郑州云海信息技术有限公司 | Message processing method and device in cloud computing system |
| CN110703899B (en) * | 2019-09-09 | 2020-09-25 | 创新奇智(南京)科技有限公司 | Data center energy efficiency optimization method based on transfer learning |
| CN110943880B (en) * | 2019-11-07 | 2021-07-13 | 中国联合网络通信集团有限公司 | Device management method and device |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101809943A (en) * | 2007-09-24 | 2010-08-18 | 英特尔公司 | Method and system for virtual port communication |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7561531B2 (en) * | 2005-04-19 | 2009-07-14 | Intel Corporation | Apparatus and method having a virtual bridge to route data frames |
| CN101459618B (en) * | 2009-01-06 | 2011-01-19 | 北京航空航天大学 | Data packet forwarding method and device for virtual machine network |
| CN101605084B (en) * | 2009-06-29 | 2011-09-21 | 北京航空航天大学 | Method and system for processing virtual network packets based on virtual machine |
- 2010-11-17 CN CN201010549171A patent/CN102025535B/en not_active Expired - Fee Related
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101809943A (en) * | 2007-09-24 | 2010-08-18 | 英特尔公司 | Method and system for virtual port communication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102025535A (en) | 2011-04-20 |
Similar Documents
| Publication | Title |
|---|---|
| CN102025535B (en) | Virtual machine management method and device and network equipment |
| US20210152443A1 (en) | Technologies for annotating process and user information for network flows |
| CN110612702B (en) | Intent specification checks for inconsistencies |
| US20210328854A1 (en) | Method and system for sharing state between network elements |
| CN110521170B (en) | Static network policy analysis for networks |
| US9571569B2 (en) | Method and apparatus for determining virtual machine migration |
| CN103026660B (en) | Network policy configuration method, management equipment, and network management center equipment |
| RU2562438C2 (en) | Network system and network management method |
| CN110785963B (en) | Collecting network model and node information from a network |
| US9749182B2 (en) | Method and apparatus for configuring network policy of a virtual network |
| US20190171435A1 (en) | Distributed upgrade in virtualized computing environments |
| CN103763121B (en) | Method and device for quickly issuing network configuration information |
| CN110754063B (en) | Verify endpoint configuration between nodes |
| CN110741602B (en) | Event generation in response to network intent formal equivalence failures |
| CN111684439B (en) | Network assurance of database version compatibility |
| EP3643009A1 (en) | Validation of layer 3 using virtual routing forwarding containers in a network |
| CN110754062A (en) | Network node memory utilization analysis |
| US11997015B2 (en) | Route updating method and user cluster |
| US20200004742A1 (en) | Epoch comparison for network policy differences |
| US10846120B2 (en) | Configuration tracking in virtualized computing environments |
| WO2018137520A1 (en) | Service recovery method and apparatus |
| CN102316043A (en) | Port virtualization method, switch and communication system |
| CN103560957A (en) | Table look-up key value construction method and microcode issuing method, device and system |
| US10659298B1 (en) | Epoch comparison for network events |
| JP6149444B2 (en) | Application start control method, system, apparatus and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CP01 | Change in the name or title of a patent holder | Address after: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou City, Fujian Province 350002. Patentee after: RUIJIE NETWORKS Co., Ltd. Address before: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou City, Fujian Province 350002. Patentee before: Fujian Star-net Ruijie Network Co., Ltd. |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2012-09-12 |