Attention is currently focused on an IaaS (Infrastructure as a Service) of cloud computing as a new application form of ICT (Information and Communication Technology) system construction. The IaaS service constructs a virtual server (hereinafter referred to as a virtual machine or a VM) by using computing resources in a network, and provides the virtual machine to a user as a service. In a cloud computing infrastructure providing such an IaaS service, virtual servers of a plurality of enterprises, divisions or departments (hereinafter referred to generically as tenants) are running. Accordingly, a network environment (hereinafter referred to as a subnet) separated for each tenant is needed to protect security among tenants.
Techniques of constructing a plurality of subnets in one physical Ethernet network include VLAN (Virtual Local Area Network) and PBB (Provider Backbone Bridge).
FIG. 1 is an explanatory view of constructing a network using the VLAN or the PBB technique. Each physical server includes a plurality of virtual machines, and a plurality of virtual switches in units of subnets. Each physical server accommodates, in the same virtual switch, virtual machines that belong to the same subnet. For example, a server 1 includes a VM2, a VM3, and a virtual switch that accommodates the VM2 and the VM3. A server 5 includes a VM6, a VM7, and a virtual switch 8 that accommodates the VM6 and the VM7, and also includes a VM9, a VM10, and a virtual switch 11 that accommodates the VM9 and the VM10. A server 12 includes a VM13, a VM14, and a virtual switch 15 that accommodates the VM13 and the VM14, and also includes a VM16, a VM17, and a virtual switch 18 that accommodates the VM16 and the VM17.
For example, a subnet that forms a tenant A includes the VM2, the VM3, the VM6 and the VM7. For example, a subnet that forms a tenant C includes the VM9 and the VM10. For example, a subnet that forms a tenant D includes the VM13 and the VM14. For example, a subnet that forms a tenant E includes the VM16 and the VM17.
For example, a network management system not illustrated constructs a network 19 by using the VLAN or the PBB. The network management system is a system of a network including layer 2 switch devices that construct the network 19, and a management apparatus for controlling the layer 2 switch devices.
The network management system sets, for example, physical port/subnet association information as VLAN settings in each of the layer 2 switch devices (L2SWs) 20, 21, 22, 23. The physical port/subnet association information is information indicating to which virtual subnet each physical port of each of the layer 2 switch devices belongs. For example, the layer 2 switch device 22 provided with physical ports (P) 0, 1, 2 includes physical port/subnet association information where the ports P0 and P1 belong to a subnet that forms the tenant A.
Here, a packet includes MACDA, MACSA and a payload. The MACDA stands for Media Access Control (MAC) Destination Address, whereas the MACSA stands for Media Access Control (MAC) Source Address. The payload represents a data portion except for a header including the MACDA, the MACSA and the like.
As illustrated in FIG. 1, the network management system attaches, to a packet that flows in the physical network, a tag (subnet identifier) for identifying a subnet. VID is used as the subnet identifier for the VLAN, whereas I-SID is used as the subnet identifier for the PBB. The packet to which the tag for identifying a subnet is attached is referred to as a VM transmission packet.
For example, upon receiving a packet from the physical server 1 that is a transmission source, the layer 2 switch device 22 references a subnet identifier of the packet, and transfers the packet to a physical port that belongs to the subnet identified based on the subnet identifier. In this case, the subnet identifier of the packet is VLAN-A. Therefore, the layer 2 switch device 22 searches physical port/subnet association information for VLAN-A, and obtains “port 0, port 1” corresponding to VLAN-A. The layer 2 switch device 22 transfers the packet not to the port 0 that has received the packet but to the port 1.
As described above, by using a subnet identifier, a packet is transmitted/received within the same tenant. A subnet is constructed for each subnet identifier. Accordingly, if there are a plurality of subnet identifiers, a plurality of subnets are constructed in one physical network according to the subnet identifiers.
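The following is an added illustration, not part of this document or of any product it describes, of the packet format in the paragraphs above (MACDA, MACSA, subnet identifier tag, payload) and of the forwarding step performed by the layer 2 switch device 22: look up the subnet identifier in the physical port/subnet association information and transfer the packet to the member ports other than the port that received it. The tag is modelled as a single IEEE 802.1Q tag (TPID 0x8100, VID in the low 12 bits of the TCI); the VID value 100 standing for "VLAN-A", the port numbers and the sample frame are constructed. The ingress membership check (a frame is dropped when the receiving port is not itself a member of the tagged subnet) is an assumption added here for tenant isolation; the text above describes only the lookup on the tag.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    mac_da: bytes          # MACDA: destination MAC address (6 bytes)
    mac_sa: bytes          # MACSA: source MAC address (6 bytes)
    vid: Optional[int]     # subnet identifier (VLAN VID); None when untagged
    ethertype: int         # EtherType of the payload
    payload: bytes         # data portion after the header


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    mac_da, mac_sa = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI are the VID
        offset = 18
    return Frame(mac_da, mac_sa, vid, ethertype, raw[offset:])


def build_frame(mac_da: bytes, mac_sa: bytes, vid: Optional[int],
                ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame: attach the subnet identifier tag if given."""
    hdr = mac_da + mac_sa
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


class L2Switch:
    """Layer 2 switch device holding physical port/subnet association info.

    port_subnet maps a subnet identifier (VID) to the set of physical ports
    that belong to that subnet. No MAC learning is modelled: a tagged frame is
    delivered to every member port except the one it arrived on.
    """

    def __init__(self, name: str, port_subnet: Dict[int, Set[int]],
                 ingress_filter: bool = True) -> None:
        self.name = name
        self.port_subnet = port_subnet
        self.ingress_filter = ingress_filter  # assumption: reject foreign tags

    def forward(self, ingress_port: int, raw: bytes) -> Set[int]:
        """Return the set of egress ports for a frame received on ingress_port."""
        frame = parse_frame(raw)
        if frame.vid is None:
            return set()                    # no subnet identifier: drop
        members = self.port_subnet.get(frame.vid, set())
        if self.ingress_filter and ingress_port not in members:
            return set()                    # receiving port is not in this subnet
        return members - {ingress_port}     # transfer to the other member ports


# Constructed configuration: switch 22 with ports P0, P1, P2; P0 and P1 in "VLAN-A" (VID 100).
VID_A = 100
SWITCH_22 = L2Switch("L2SW22", {VID_A: {0, 1}})

# Constructed sample addresses and payload.
MAC_VM2 = bytes.fromhex("020000000002")
MAC_VM6 = bytes.fromhex("020000000006")
SAMPLE_FRAME = build_frame(MAC_VM6, MAC_VM2, VID_A, 0x0800, b"hello tenant A")


def demo() -> Dict[str, Set[int]]:
    """Three cases: same-tenant transfer, unknown subnet, tag from a non-member port."""
    return {
        "vlan_a_from_p0": SWITCH_22.forward(0, SAMPLE_FRAME),
        "vlan_c_from_p0": SWITCH_22.forward(0, build_frame(MAC_VM6, MAC_VM2, 300, 0x0800, b"x")),
        "vlan_a_from_p2": SWITCH_22.forward(2, SAMPLE_FRAME),
    }


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case}: egress ports {sorted(ports)}")
```

Run as a script, the first case reproduces the transfer in the text (received on port 0, sent to port 1 only); the second shows that a tag with no entry in the association information reaches no port, which is what keeps one tenant's traffic out of another tenant's subnet; the third shows the added ingress check dropping a tenant A tag that arrives on a port not assigned to tenant A.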
There is another technique of increasing the number of VPNs (Virtual Private Networks) in a Wide Area Ethernet (registered trademark) network. A further technique is a technique for a core network that is configured with a transmission source edge switch, a transmission destination edge switch and one or more core switches, and connects the transmission source edge switch and the transmission destination edge switch. This technique can provide VPNs the number of which exceeds 4096 even if conventional switches that do not support a VLAN stacking technique are used.
Patent Document 1: Japanese Laid-open Patent Publication No. 2009-118127