[1] SUN Bing. Research and Analysis of Network Grouping Policy Based on VxLAN[J]. Computer Technology and Development, 2021, 31(01): 126-130. [doi:10.3969/j.issn.1673-629X.2021.01.023]
Research and Analysis of Network Grouping Policy Based on VxLAN
《计算机技术与发展》 (Computer Technology and Development) [ISSN:1006-6977/CN:61-1281/TN]
- Volume: 31
- Issue: 2021, No. 01
- Pages: 126-130
- Column: Network and Security
- Publication date: 2021-01-10
Article Info
- Title: Research and Analysis of Network Grouping Policy Based on VxLAN
- Article ID: 1673-629X(2021)01-0126-05
- Author(s): SUN Bing (孙兵)
- Affiliation: Huawei Technology Co., Ltd., Nanjing 210012, China
- Keywords: enterprise network; network grouping policy; security group; access control list (ACL); software defined network (SDN)
- Classification number: P393
- DOI: 10.3969/j.issn.1673-629X.2021.01.023
- Abstract: The number and types of terminals accessing IP networks are increasing, such as PC or TC access for enterprise employees, mobile-phone access for visitors, and IP Phone / printer / IoT terminal access. The types of services carried are increasingly diversified: office networks, production networks, video monitoring networks, intelligent building IoT and others are all unified onto the IP network. Employee access methods are also diverse, such as access from branch offices or headquarters of the company and remote VPN access on business trips. Traditional ACL-based network policy cannot cope with these changes in enterprise IP network scenarios and faces a major challenge in management and maintenance complexity. We propose a network policy model based on user logical grouping (security group) and analyze the enterprise application scenarios comprehensively. A network-wide security group synchronization scheme based on the VxLAN network is presented, which makes network policy independent of network attributes (IP / VLAN / MAC) and greatly reduces the number and change frequency of enterprise IP network policies. An application evaluation in the IT network of an actual large enterprise shows that the number of policies can be reduced from tens of thousands to hundreds. With high application value and obvious effect, this indicates the evolution direction of enterprise IP network policy.
Last Update: 2020-01-10