JP2020039075A - Information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing system for controlling a network used in SDN. An information processing system using an SDN controller and a switch, in which the switch determines that there is no flow entry for a packet from a connected terminal in the flow table, and identifies the port that received the packet and the terminal individually. A message containing information is sent to the SDN controller, and the SDN controller causes a network loop when the received messages with the same individual identification information but different ports satisfy the time and number of conditions. It is an information processing system that determines that there is. [Selection diagram] Fig. 1

Description

  The present invention relates to an information processing system for controlling a network used in an SDN (Software Defined Network).

  It is known that a computer network has a fault called a network loop. A network loop is an event in which a computer or network device connected to a network is connected on the loop due to human error, machine failure, or the like. For example, as shown in FIG. 6, the error occurs due to incorrect connection between cables.

  For example, when a network loop as shown in FIG. 6 occurs, a packet flowing in the network is looped by a switch, so that a remarkable load is generated on a network device such as a switch or a server, and the response of the server or the like is significantly reduced. Therefore, there is a method called MAC address thrashing detection for protecting a network from a network loop.

  Conventional techniques related to a loop guard function called MAC address thrashing detection include, for example, the following Patent Documents 1 and 2.

  In recent years, the network configuration has become complicated, and a technique called SDN may be used in order to facilitate management of the complicated network configuration and machine configuration (Patent Document 3). Therefore, it is required to cope with a network loop in a network using SDN.

JP-A-9-93282 JP 2006-173785 A WO2010 / 103909

  By using the devices disclosed in Patent Literature 1 and Patent Literature 2, a network loop in a certain case in a conventional general network can be detected. However, in the related arts such as Patent Literature 1 and Patent Literature 2, a network loop in a network using SDN cannot be detected. Further, in the devices disclosed in Patent Documents 1 and 2, a function of detecting MAC address thrashing is realized inside a network device such as a switch, so that a network loop is realized through a plurality of network devices. Could not be detected.

  In view of the above problems, the present inventor has invented an information processing system capable of detecting a network loop even in a network using SDN.

  A first invention is an information processing system using an SDN controller and a switch, wherein the switch determines a port that has received a packet and a port that has received the packet when determining that there is no flow entry for a packet from a connecting terminal in the flow table. A message including terminal identification information is sent to the SDN controller, and the SDN controller satisfies the conditions of time and number of the received messages that have the same individual identification information but different ports. In this case, the information processing system determines that there is a network loop.

  A second invention is an information processing system using an SDN controller and a plurality of switches, wherein the switch determines an individual identification of the terminal when determining that there is no flow entry for a packet from the terminal to be connected in the flow table. A message containing information is sent to the SDN controller, and the SDN controller determines that there is a network loop if the message containing the same individual identification information received from different switches satisfies the conditions of time and number of times. This is an information processing system to be determined.

  By configuring as in these inventions, it is possible to cope with a network loop even in a network using SDN. Further, even when a network loop is realized via a plurality of network devices, the detection can be performed.

  In the above invention, the SDN controller can be configured as an information processing system that executes a control process for eliminating a network loop when detecting that there is a network loop.

  In the above-mentioned invention, the SDN controller specifies, as the control processing, a location where a network loop has occurred, notifies the occurrence of the network loop, sends a control instruction to close a port where the network loop has occurred, Sending a control instruction to block the VLAN in which the network has occurred, and setting a flow entry for discarding a packet from the individual identification information in which the network loop has occurred in the flow table of the switch. , An information processing system.

  When it is determined that a network loop has occurred, by executing control processing for the network loop, it is possible to prevent the occurrence of a failure in the network.

  The first invention can be realized by using the SDN controller of the present invention. That is, an SDN controller used in a network constructed by SDN, wherein the SDN controller receives, from a switch, a message including a port that received a packet and individual identification information, and among the received messages, the same individual identification information. If the message with a different port satisfies the conditions of time and number, the SDN controller determines that there is a network loop.

  The second invention can be realized by using the SDN controller of the present invention. That is, an SDN controller used in a network constructed by SDN, wherein the SDN controller, when a message containing the same individual identification information received from different switches satisfies the conditions of time and number of times, Is an SDN controller that determines that there is

  By using the information processing system of the present invention, a network loop can be detected even in a network using SDN.

It is a figure which shows an example of the network using SDN typically. FIG. 3 is a diagram illustrating an example of a hardware configuration of a computer used in the information processing system of the present invention. It is an example of a flowchart showing an example of a processing process of the information processing system of the present invention. FIG. 2 is a diagram schematically illustrating an example of a network according to the first embodiment. FIG. 14 is a diagram schematically illustrating an example of a network according to a second embodiment. FIG. 4 is a diagram schematically illustrating occurrence of a network loop due to incorrect connection of a cable to a switch.

  The information processing system 1 of the present invention is used in a computer system that constructs a network using SDN. FIG. 1 shows an example of the entire information processing system 1 in a network using SDN. OpenFlow (OpenFlow) in each embodiment described later is a kind of SDN standard specification. In the information processing system 1 of the present invention, an SDN controller 2 and a switch are used to perform network control using SDN. One or more terminals 4 are connected to the switch.

  The information processing system 1 of the present invention uses a network management technique based on SDN, and the communication of one or a plurality of networks is controlled by an SDN controller 2. The SDN controller 2 manages the communication in the network constructed by SDN, and manages the management unit of the switch at the port level. The SDN controller 2 refers to software for controlling and managing a network and a computer on which the software operates. When OpenFlow is used as the SDN, the OpenFlow controller 2a becomes the SDN controller 2.

  In a network constructed by SDN, a terminal 4 (computer) is connected via a switch 3. The switch 3 is a network device that transfers data. A network device other than the switch 3 necessary for performing network communication, for example, a device such as a gateway is appropriately provided.

  The switch 3 stores a set of flow entries (flow table), which is a rule indicating how to control a packet received from the terminal 4, and processes the packet in accordance with the set. The flow table includes a table ID (identification information) for identifying a flow entry, a condition for determining which flow entry to process a packet received from the terminal 4, and a priority of the flow entry. , And the control when the condition is satisfied are stored in association with each other.

  When receiving the First Packet from the terminal 4, the switch 3 temporarily suspends the processing of the packet and sends a Packet-In message for inquiring all SDN controllers 2 connected to the switch 3. Then, the SDN controller 2 that manages the terminal 4 sets a flow entry for the packet processing of the terminal 4 in the flow table of the switch 3. Then, the temporarily held packet is processed based on the flow entry.

  The switch 3 may be connected to a plurality of SDN controllers 2 that manage different networks. When OpenFlow is used as the SDN, the OpenFlow switch (OFS) 3 a corresponds to the switch 3.

  The information processing system 1 of the present invention is realized by various computers such as a server and a personal computer. FIG. 2 shows an example of a hardware configuration of a computer. The computer includes an arithmetic device 70 such as a CPU that executes arithmetic processing of a program, a storage device 71 such as a RAM or a hard disk that stores information, a display device 72 such as a display, a keyboard and a pointing device (such as a mouse and a numeric keypad). And the like, and a communication device 74 for transmitting and receiving processing results of the arithmetic device 70 and information stored in the storage device 71 via a network such as the Internet or a LAN.

  Although FIG. 1 shows a case where each of the functions is realized by one computer, the functions may be distributed to a plurality of computers and realized. In addition, each processing unit in the present invention is only logically distinguished in its function, and may physically or virtually form the same area. Further, one SDN controller 2 may be connected to a plurality of switches 3, or one switch 3 may be connected to a plurality of SDN controllers 2.

  An example of a processing process of the information processing system 1 of the present invention will be described with reference to a flowchart of FIG.

  When receiving the First Packet from the terminal 4, the switch 3 refers to the flow table of the switch 3. Since the flow entry for the packet of the terminal 4 that has sent the first packet is not registered in the flow table, the switch 3 connects the packet-in message indicating that there is no corresponding flow entry in the flow table. To the existing SDN controller 2.

  The SDN controller 2 that has received the Packet-In message sent from the switch 3 (S100) determines whether a packet from the same MAC address has been received by another port or another switch 3. S110). If any, it is determined whether packets from the same MAC address have been received a predetermined number of times or more within a predetermined threshold time (S120, S130). That is, it is determined that a network loop has occurred by receiving packets from the same MAC address a plurality of times in a short time (for example, 100 milliseconds) from another port or switch 3 (S140). Although the MAC address is preferably used as the individual identification information of the computer, any identification information that can identify the computer may be used.

  If it is determined that there is a network loop, the SDN controller 2 executes a predetermined control process for eliminating the network loop (S150). As the predetermined control processing, for example, by specifying a port or a MAC address in the Packet-In message, the location of the occurrence of the network loop is specified, and the notification of the occurrence of the network loop is sent to a notification destination of a predetermined person, SNMP Trap, Syslog. Sending a control instruction to close the port where the network loop has occurred to the switch 3; sending a control instruction to close the VLAN where the network loop has occurred to the switch 3; For example, a flow entry for discarding (dropping) a packet from the MAC address is set in the flow table.

  In the above description, the process is executed based on the Packet-In message. However, the present invention is not limited to the Packet-In message, but may be any message received from the switch 3.

  Next, processing of the information processing system 1 of the present invention in the case of a network loop as shown in FIG. 4 will be described. In the present embodiment, a case will be described in which OpenFlow is used as SDN. Therefore, a case in which an OpenFlow controller 2a is used as the SDN controller 2 and an OpenFlow switch 3a is used as the switch 3 will be described.

  In the network of FIG. 4, two hubs (hub A and hub B) are connected to the OpenFlow switch 3a, and the hub A is connected to the port 1 of the OpenFlow switch 3a, and the hub B is connected to the port 2 of the OpenFlow switch 3a. I have. Hub A and hub B are connected. The terminal 4 is connected to the hub A.

  In such a network configuration, when a packet from the terminal 4 is in a network loop, the OpenFlow switch 3a accepts a packet whose source MAC address belongs to the terminal 4 from both the port 1 and the port 2. Become. Then, the OpenFlow switch 3a sends a Packet-In message to the OpenFlow controller 2a every time the port that receives the packet changes. Then, the OpenFlow controller 2a receives a large number of Packet-In messages of the OpenFlow switch 3a in a short time, and a remarkable load is generated on the OpenFlow controller 2a.

  Therefore, by the processing of the information processing system 1 of the present invention, it is determined whether the Packet-In message received by the OpenFlow controller 2a from the OpenFlow switch 3a is received from another port from the same MAC address. If it is received more than a predetermined number of times during a time (for example, 100 milliseconds) that is a predetermined threshold, it is determined that there is a network loop.

  That is, the OpenFlow controller 2a in FIG. 4 receives the Packet-In message received at the port 1 and the Packet-In message received at the port 2 from the same MAC address a plurality of times in a short time. Therefore, when a similar Packet-In message is received for the number of times equal to or greater than the predetermined threshold within the predetermined threshold time, it is determined that there is a network loop, and a predetermined control process is executed.

  Next, the processing of the information processing system 1 of the present invention in the case of a network loop as shown in FIG. 5 will be described. In this embodiment, the case where OpenFlow is used as the SDN will be described. Therefore, the case where the OpenFlow controller 2a is used as the SDN controller 2 and the OpenFlow switch 3a is used as the switch 3 will be described.

  In the network of FIG. 5, two OpenFlow switches 3a (OpenFlow switches A and B) are connected to the OpenFlow controller 2a, and a hub is connected to the two OpenFlow switches 3a. The terminal 4 is further connected to the hub, but a network loop occurs due to an incorrect connection in the hub cable.

  In such a network configuration, when a packet from the terminal 4 loops over the network, the OpenFlow controller 2a accepts a packet whose source MAC address is that of the terminal 4 from both the OpenFlow switch A and the OpenFlow switch B. Becomes Then, the OpenFlow switch A and the OpenFlow switch B each send a Packet-In message to the OpenFlow controller 2a each time the received OpenFlow switch 3a changes. Then, the OpenFlow controller 2a receives a large number of Packet-In messages of the OpenFlow switch A and Packet-In messages of the OpenFlow switch B in a short time, and a remarkable load is generated in the OpenFlow controller 2a.

  Therefore, by the processing of the information processing system 1 of the present invention, it is determined whether or not the OpenFlow controller 2a has received the Packet-In message received from the OpenFlow switch 3a by another OpenFlow switch 3a from the same MAC address. If it is received more than a predetermined number of times during a time (for example, 100 milliseconds) that is a predetermined threshold, it is determined that there is a network loop.

  That is, the OpenFlow controller 2a of FIG. 5 receives the Packet-In message received from the OpenFlow switch A and the Packet-In message received from the OpenFlow switch B having the same MAC address a plurality of times in a short time. Therefore, when a similar Packet-In message is received for the number of times equal to or greater than the predetermined threshold within the predetermined threshold time, it is determined that there is a network loop, and a predetermined control process is executed.

  In the present specification, the processing can be appropriately changed without departing from the technical idea of the present invention. For example, the order of the processes may be changed, some processes may not be performed, and processes may be added. Further, another network device may be provided between the SDN controller 2 and the switch 3 or between the switch 3 and the terminal 4. Further, various network devices may be changed to other network devices having similar functions.

  By using the information processing system 1 of the present invention, a network loop can be detected even in a network using SDN.

1: information processing system 2: SDN controller 2a: OpenFlow controller 3: switch 3a: OpenFlow switch 4: terminal 70: arithmetic device 71: storage device 72: display device 73: input device 74: communication device

Claims (6)

An information processing system using an SDN controller and a switch,
The switch is
If it is determined that there is no flow entry for the packet from the connecting terminal in the flow table, a message including the port that accepted the packet and the individual identification information of the terminal is sent to the SDN controller,
The SDN controller comprises:
If, among the received messages, messages having the same individual identification information but different ports satisfy the conditions of time and number of times, it is determined that there is a network loop.
An information processing system, comprising: An information processing system using an SDN controller and a plurality of switches,
The switch is
If it is determined that there is no flow entry for the packet from the connecting terminal in the flow table, a message including the individual identification information of the terminal is sent to the SDN controller,
The SDN controller comprises:
If a message containing the same individual identification information received from different switches satisfies the conditions of time and number of times, it is determined that there is a network loop.
An information processing system, comprising: The SDN controller comprises:
When it detects that there is a network loop, it executes control processing to resolve the network loop.
The information processing system according to claim 1 or 2, wherein: The SDN controller comprises:
As the control processing, control is performed to specify a location where a network loop has occurred, notify a network loop occurrence, send a control instruction to close a port where a network loop has occurred, and block a VLAN where a network loop has occurred. Sending an instruction, setting a flow entry for discarding a packet from the individual identification information in which the network loop has occurred in the flow table of the switch,
The information processing system according to claim 3, wherein: An SDN controller used in a network constructed by SDN,
The SDN controller comprises:
A message including the port that received the packet and the individual identification information is received from the switch,
If, among the received messages, messages having the same individual identification information but different ports satisfy the conditions of time and number of times, it is determined that there is a network loop.
An SDN controller, characterized in that: An SDN controller used in a network constructed by SDN,
The SDN controller comprises:
If a message containing the same individual identification information received from different switches satisfies the conditions of time and number of times, it is determined that there is a network loop.
An SDN controller, characterized in that:

Images