CN-121984938-A - Heterogeneous virtual network two-layer communication system and method based on physical direct connection
Abstract
The invention discloses a two-layer (data link layer) network communication system and method based on physical direct connection, which mainly solves the problems of VLAN tag loss caused by the NAT mode of the existing Windows container network, the high resource overhead of virtual machine schemes, and the encapsulation performance loss of overlay networks. The system comprises a Windows physical host and a Linux physical host that are directly connected through a physical link. The Windows host uses the container Transparent network mode together with an external virtual switch configured in Trunk mode with an intrinsic (native) VLAN identifier of 0 to forcibly retain the VLAN tag of each data frame, bypassing the automatic stripping logic of the operating system protocol stack and achieving lossless transparent transmission. The Linux host builds a virtual switching network with Open vSwitch and completes the identification, stripping and mapped re-addition of VLAN tags through a boundary access network bridge, thereby achieving two-layer interconnection with the internal switching network. The invention reduces resource cost and network encapsulation performance loss, achieves low-latency, high-fidelity two-layer isolated communication in a heterogeneous environment, and can be used in large-scale industrial control network simulation scenarios.
Inventors
- ZHAO NAN
- ZHAO CHONG
- CHI YING
- GAO YI
Assignees
- 西安电子科技大学
Dates
- Publication Date
- 20260505
- Application Date
- 20260130
Claims (10)
- 1. A heterogeneous virtualized network two-layer communication system based on physical direct connection, comprising a first physical host and a second physical host, characterized in that: the first physical host runs a Windows operating system; a virtual container network and an external virtual switch are deployed in the first physical host, which is used for constructing a service data frame carrying a VLAN tag and transmitting the service data frame to a physical link through a physical network card in a lossless manner, so that the operating system network stack does not strip the tag; the second physical host runs a Linux operating system; an Open vSwitch virtual switching network comprising a boundary access network bridge and an internal core switching network bridge is deployed in the second physical host, and is used for receiving tagged data frames from the physical communication link through the boundary access network bridge, executing VLAN tag identification, stripping or adding operations, and completing two-layer forwarding of the data frames through the internal core switching network bridge.
- 2. The system according to claim 1, wherein: the virtual container network comprises a plurality of virtual controller nodes attached in Transparent network mode, and each virtual controller node is allocated a unique VLAN identifier; the external virtual switch is configured in Trunk mode and provided with configuration parameters, one end of the external virtual switch is connected to the virtual container network, and the other end is bound to the physical network card of the first physical host, and the external virtual switch is used for transmitting data frames with VLAN tags between the virtual container network and the physical network card.
- 3. The system according to claim 1, wherein: the boundary access network bridge comprises a physical uplink interface configured in Trunk mode and a plurality of virtual Access ports corresponding one-to-one to the VLAN identifiers, and the physical uplink interface is bound to the physical network card of the second physical host and is used for receiving data frames with VLAN tags from the physical link; the internal core switching network bridge is connected to the virtual Access ports and is used for receiving the tag-stripped data frames and carrying out two-layer forwarding and data switching.
- 4. The system of claim 2, wherein the configuration parameters of the external virtual switch include a list of allowed VLAN IDs and an intrinsic VLAN identifier, and the intrinsic VLAN identifier is specifically set to 0 to force the external virtual switch to keep all passing data frames in a tagged state.
- 5. The system according to claim 3, wherein the maintenance flow table rules set inside the boundary access network bridge include VLAN tag stripping rules and VLAN tag adding rules, which handle physical inbound data flows and virtual outbound data flows respectively, namely: when a data frame from the physical communication link is received, a flow table rule is matched according to the physical port number and the VLAN tag, a VLAN tag stripping action is executed, and the data frame is forwarded to the target virtual Access port; when a data frame is sent out from a virtual Access port, a flow table rule is matched according to the port attribute, a VLAN tag adding action is executed, and the data frame is forwarded to the Trunk port bound to the physical network card.
- 6. A communication method based on the heterogeneous virtualized network two-layer communication system of claim 1, comprising: (1) performing a two-layer address resolution interaction on the heterogeneous virtualized network two-layer communication system to acquire the target MAC address; (2) a virtual container node in the first physical host generates a service data frame, the frame is assigned the VLAN tag corresponding to that node through the Transparent network mode and then enters the external virtual switch configured in Trunk mode, and, by virtue of the intrinsic VLAN identifier of the external virtual switch being 0, the tagged data frame bypasses the stripping logic of the host protocol stack and is transmitted directly to the physical communication link through the first physical network card; (3) the boundary access network bridge of the second physical host receives the tagged data frame through the second physical network card, recognizes the VLAN ID of the frame, matches it to the corresponding virtual Access port according to the preset maintenance flow table rules, strips the VLAN tag, and forwards the original two-layer data frame to that virtual Access port; (4) the internal core switching network bridge receives the original two-layer data frame from the virtual Access port and completes two-layer forwarding according to the destination MAC address; (5) the boundary access network bridge automatically re-adds the corresponding VLAN tag to the original two-layer data frame according to the attribute of the virtual Access port at that end, and returns it to the first physical host through the physical communication link; (6) the first physical network card of the first physical host receives the tagged data frame from the physical communication link and passes it to the virtual container network through the external virtual switch configured in Trunk mode with an intrinsic VLAN identifier of 0, and the virtual container network recognizes the VLAN tag, performs the stripping operation, and delivers the original data frame to the corresponding virtual container node.
- 7. The method of claim 6, wherein (1) performing a two-layer address resolution interaction on the heterogeneous virtualized network two-layer communication system comprises: when a virtual container node of the first physical host sends an ARP request, the ARP request is forcibly encapsulated in a data frame with a specific VLAN ID and is sent out through the first physical network card by means of the intrinsic VLAN 0 configuration of the external virtual switch; the boundary access network bridge of the second physical host identifies the VLAN tag of the ARP request in the physical inbound direction, establishes, based on a source address learning mechanism, a mapping table from the source MAC address of the ARP request initiator to the corresponding virtual Access port, then restores the frame to a standard ARP broadcast packet on the corresponding virtual Access port according to the maintenance flow table rules, and sends the standard ARP broadcast packet to the internal core switching network bridge; the internal core switching network bridge floods the ARP broadcast packet to the other virtual Access ports, and the boundary access network bridge re-adds the corresponding VLAN tag and returns the ARP broadcast packet to the first physical host through the physical communication link; the target virtual container node in the first physical host receives the broadcast packet and generates a unicast ARP response data frame, which is again sent to the second physical host; the boundary access network bridge of the second physical host receives the ARP response data frame, identifies its source MAC address and VLAN tag, establishes, based on the source address learning mechanism, a mapping table from that MAC address to the corresponding virtual Access port, and unicast-forwards the ARP response data frame to the virtual container node that initiated the request according to the previously established mapping of the request initiator.
- 8. The method of claim 6, wherein the service data frame in (2) is in a standard communication protocol format or a proprietary protocol format, and the complete frame structure comprises a destination MAC address and a source MAC address, with no VLAN tag field in its initial state, wherein: the source MAC address is the physical address of the virtual container node within the first physical host that generated the data frame, and the destination MAC address is the physical address of the target node in the second physical host obtained through the address resolution interaction.
- 9. The method of claim 6, wherein stripping the VLAN tag after matching to the corresponding virtual Access port according to the preset maintenance flow table rules in (3) comprises: first, the boundary access network bridge uses the OpenFlow protocol to extract the physical port number of the inbound tagged data frame and the VLAN ID field of the frame header; then the extracted port number and VLAN ID field are used as matching keys to search and compare against the preset flow table; when a specific inbound flow table entry whose match fields agree with the port number and VLAN ID field is found, a VLAN stripping action is executed to physically delete the VLAN tag information from the data frame, and the processed original data frame is forwarded to the virtual Access port that has a static mapping relation with that VLAN ID field; otherwise, the data frame is discarded directly.
- 10. The method of claim 6, wherein the virtual container network identifies the VLAN tag and performs the stripping operation in (6) as follows: when the VLAN-tagged data frame is transmitted intact to the underlying interface of the virtual container network via the external virtual switch configured in Trunk mode, the transparent network driver verifies whether the VLAN ID in the data frame matches the VLAN identifier bound to the target virtual container node; if the verification passes, the driver removes the VLAN tag field from the data frame and passes the restored original data frame up to the network protocol stack of the virtual container node; if the verification fails, the driver discards the data frame directly, thereby achieving data link layer isolation between different virtual container nodes.
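The following is an added example, not code from the patent or from Open vSwitch itself, that models in plain Python the boundary access bridge behaviour described in claims 5, 7 and 9: an inbound rule keyed on (physical port, VLAN ID) strips the 802.1Q tag and forwards to a statically mapped virtual Access port, learning the source MAC on the way; an outbound rule re-tags frames with the VLAN bound to the Access port and sends them to the Trunk port; anything with no matching rule is dropped. The port numbers, VLAN IDs and MAC addresses are constructed for the example and stand in for the values an operator would install as OpenFlow rules.

```python
"""Model of the boundary access bridge's VLAN stripping / re-tagging rules.

Added illustration of the mechanism claimed above; the frame layout follows
IEEE 802.1Q, everything else (ports, VLAN IDs, MACs) is constructed.
"""
import struct

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
PHYS_TRUNK_PORT = 1          # constructed OpenFlow port number of the uplink

# Static inbound rules (claims 5 and 9): (in_port, VLAN ID) -> virtual Access port.
INBOUND_RULES = {
    (PHYS_TRUNK_PORT, 100): 10,
    (PHYS_TRUNK_PORT, 200): 20,
}
# Outbound rules (claim 5): virtual Access port -> VLAN ID to re-add on egress.
ACCESS_PORT_VLAN = {port: vid for (_, vid), port in INBOUND_RULES.items()}

# Source-address learning table (claim 7): source MAC -> virtual Access port.
MAC_TABLE = {}


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame: dst(6) | src(6) | ethertype(2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_vlan_tag(frame):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18:                      # 12 bytes MACs + 4 tag + 2 ethertype
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13           # 12-bit VID, 3-bit priority


def strip_vlan_tag(frame):
    """Physically delete the 4-byte tag (OpenFlow strip_vlan equivalent)."""
    return frame[:12] + frame[16:]


def add_vlan_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC (OpenFlow mod_vlan_vid equivalent)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def handle_physical_inbound(in_port, frame):
    """Inbound direction: match (in_port, VID), strip the tag, learn the source MAC,
    and forward to the mapped Access port. Returns (out_port, frame) or None (drop)."""
    tag = parse_vlan_tag(frame)
    if tag is None:                          # untagged traffic has no rule: drop
        return None
    vid, _ = tag
    out_port = INBOUND_RULES.get((in_port, vid))
    if out_port is None:                     # unknown VLAN on this port: drop
        return None
    MAC_TABLE[frame[6:12]] = out_port        # source address learning (claim 7)
    return out_port, strip_vlan_tag(frame)


def handle_virtual_outbound(access_port, frame):
    """Outbound direction: re-add the VLAN bound to the Access port and send to the
    Trunk port. Returns (out_port, frame) or None if the port has no binding."""
    vid = ACCESS_PORT_VLAN.get(access_port)
    if vid is None:
        return None
    return PHYS_TRUNK_PORT, add_vlan_tag(frame, vid)


def lookup_access_port(mac):
    """Unicast forwarding decision from the learned MAC table (claim 7), or None."""
    return MAC_TABLE.get(mac)


if __name__ == "__main__":
    # Constructed sample: a node in VLAN 100 sends a 20-byte IPv4 payload.
    src = bytes.fromhex("020000000001")
    dst = bytes.fromhex("020000000002")
    untagged = build_frame(dst, src, 0x0800, b"\x00" * 20)
    tagged = add_vlan_tag(untagged, 100)
    print("inbound  :", handle_physical_inbound(PHYS_TRUNK_PORT, tagged))
    print("learned  :", lookup_access_port(src))
    print("outbound :", handle_virtual_outbound(10, untagged))
    print("bad VLAN :", handle_physical_inbound(PHYS_TRUNK_PORT, add_vlan_tag(untagged, 300)))
```

The drop-on-no-match default at the end of the inbound path is the isolation property the claims rely on: a frame arriving on the Trunk with a VLAN that has no Access port mapping never reaches the core bridge, and an untagged frame (which is exactly what a stripping Windows network stack would produce) is rejected rather than silently placed in some default VLAN.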
Description
Technical Field
The invention belongs to the technical field of computer network communication and distributed virtualization simulation, and particularly relates to a heterogeneous virtualization network two-layer communication system and method, which can be used for constructing a large-scale, high-fidelity industrial control network digital twin system and performing full life cycle simulation verification and network security exercises of a Digital Control System (DCS) across operating systems.
Background
With the continuous expansion of simulation scales of Industrial Control Systems (ICS) and Digital Control Systems (DCS), in order to simulate large numbers of nodes while preserving system performance, engineering practice often adopts a distributed heterogeneous architecture: a physical host running a Windows operating system carries a large number of lightweight container applications that simulate controllers, and is directly connected by a physical network cable to another physical host running a Linux operating system, which carries a high-performance Open vSwitch virtual switching network. In constructing such a digital twin system based on physical direct connection, a core challenge is how to ensure data link layer integrity across the physical line, in particular lossless pass-through of IEEE 802.1Q VLAN tags, which is critical to reproducing the security domain partitioning and traffic isolation of real industrial networks. However, under the prior art framework, implementing VLAN pass-through between the Windows physical machine and the Linux physical machine faces serious challenges.
When a container generates a data frame with a VLAN tag and tries to send it to the Linux host at the opposite end through the physical network card, the network protocol stack of the Windows host often strips the original VLAN tag, with the result that the Open vSwitch virtual switching network at the Linux end receives untagged traffic, so that the traffic source can be neither identified nor effectively isolated. The patent document with publication number CN108494607B discloses a design method for a large two-layer network architecture based on containers, in which physical network cards on different hosts are directly connected so as to establish physical connection channels for the container network between the hosts; task information is acquired through self-managed services over the physical connection, and network connections between containers and an Open vSwitch virtual switching network are dynamically established, or new containers are created, according to that task information, thereby realizing cross-host container network deployment and management. Although that scheme involves physical connection and resource scheduling across hosts, its architecture is essentially a generic Linux container environment or standard bridge model, so it does not solve the technical limitation that VLAN tags are automatically stripped when outbound traffic is processed by the Windows container network stack in a heterogeneous environment. Therefore, if that scheme were applied directly to the interconnection of a Windows physical host and a Linux physical host, the data packets would not retain the key two-layer VLAN information when crossing the boundary of the Windows physical network card, and high-fidelity network isolation and transparent transmission could not be realized.
The patent document with publication number CN108521403a discloses a method for isolating multi-tenant networks on a Docker container platform, which adopts an Open vSwitch virtual switch as the underlying switching device of the container network and implements two-layer logical isolation between different tenant networks by allocating an independent VLAN ID to each tenant and placing containers belonging to the same tenant in the same VLAN. However, that solution is designed for a homogeneous Linux environment and depends heavily on the native cooperation between the Linux kernel, the Docker container and the virtual switch bridge. The method is not suitable for the physical direct connection scenario of heterogeneous operating systems, because the Docker network driver on Windows differs fundamentally in structure from the Linux one and cannot interact seamlessly with the Open vSwitch virtual switch while preserving the tag as Linux does; if the scheme were applied directly at the Windows end, the VLAN tags of the packets sent by the containers would be stripped by the Windows network stack, rendering the isolation mechanism in cross-system communication ineffective. To address cross-machine connectivity, alternatives commo