WO2008037210A1 - Method and device for transferring message in virtual private lan - Google Patents


Info

Publication number
WO2008037210A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
virtual
virtual switching
switching instance
local area
Prior art date
Application number
PCT/CN2007/070735
Other languages
French (fr)
Chinese (zh)
Inventor
Xindong Teng
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks
    • H04L 12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • The present invention relates to a virtual private local area network, and more particularly to a packet forwarding method and apparatus in which a shared virtual switching instance is set up so that multiple virtual switching instances can share it.
  • Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) technology that provides a Local Area Network (LAN)-like service over a Multi Protocol Label Switching (MPLS) network: users at multiple geographically dispersed points can access the network and each other as if they were directly connected to one LAN. VPLS acts as a virtual LAN switch.
  • FIG. 1 is a typical VPLS networking diagram. The interface where the customer edge device (CE, Custom Edge) resides is added to a virtual switch instance (VSI, Virtual Switch Instance) in the VPLS, and the provider edge devices (PE, Provider Edge) are connected to each other through pseudo wires (PW, Pseudo Wire), forming a simulated LAN for the customer.
  • Each PE performs user MAC address learning (on both the CE side and the PW side) within the virtual switching instance and builds forwarding entries, so that CE users who join the same virtual switching instance can access each other at Layer 2.
  • A VPLS PW usually uses an MPLS tunnel, but may use any other tunnel, such as GRE, L2TPv3 or TE; its function is to transparently transmit Ethernet packets.
  • QinQ (a two-layer tag technology, 802.1Q-in-802.1Q), also known as VLAN stacking (VLAN-Stack), encapsulates Ethernet packets with two VLAN TAGs: the user's private network VLAN TAG is encapsulated inside a public network VLAN TAG, the packet carries both TAGs across the service provider's backbone network, and the public network VLAN TAG is stripped at the edge of that backbone to restore the private network VLAN TAG. This gives the user a relatively simple Layer 2 VLAN TAG tunnel.
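The two-tag encapsulation described above, shown at the byte level as an added example (this is not code from the patent or from Huawei): a customer frame that already carries an 802.1Q tag gets a public outer tag pushed at the provider edge, is parsed in the backbone, and has the outer tag stripped again at the far edge. The TPID values (0x88A8 for the outer service tag, 0x8100 for the inner customer tag) and the MAC addresses are assumptions; the patent does not specify them, and many deployments use 0x8100 for both tags.

```python
import struct

# TPIDs are assumptions (IEEE 802.1ad service tag / 802.1Q customer tag); the patent names none.
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
TAG_TPIDS = (ETHERTYPE_QINQ, ETHERTYPE_VLAN)


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan_tags=()) -> bytes:
    """Build an Ethernet frame; vlan_tags is an outer-to-inner sequence of (tpid, vid)."""
    hdr = _mac(dst) + _mac(src)
    for tpid, vid in vlan_tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Return (tags outer-to-inner as (tpid, vid), innermost ethertype, payload)."""
    tags = []
    off = 12                                            # skip destination and source MAC
    while True:
        tpid = struct.unpack("!H", frame[off:off + 2])[0]
        if tpid not in TAG_TPIDS:
            break                                       # reached the real ethertype
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags, tpid, frame[off + 2:]


def push_outer_tag(frame: bytes, outer_vid: int, tpid: int = ETHERTYPE_QINQ) -> bytes:
    """Provider edge: wrap the customer frame (tagged or not) in a public network VLAN TAG."""
    return frame[:12] + struct.pack("!HH", tpid, outer_vid & 0x0FFF) + frame[12:]


def pop_outer_tag(frame: bytes) -> bytes:
    """Backbone edge: strip the outermost tag, restoring the customer's private VLAN TAG."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid not in TAG_TPIDS:
        raise ValueError("frame carries no VLAN tag to strip")
    return frame[:12] + frame[16:]


def qinq_round_trip():
    """Customer VLAN 100 tunnelled inside public VLAN 1002 (constructed sample values)."""
    customer = build_frame("00:00:00:00:00:aa", "00:00:00:00:00:02", ETHERTYPE_IPV4,
                           b"\x45" + b"\x00" * 19, [(ETHERTYPE_VLAN, 100)])
    provider = push_outer_tag(customer, 1002)           # what crosses the backbone
    tags, ethertype, _payload = parse_tags(provider)
    restored = pop_outer_tag(provider)                  # what the far edge hands to the customer
    return tags, ethertype, restored == customer


if __name__ == "__main__":
    print(qinq_round_trip())
```

The parser stops at the first ethertype that is not a tag TPID, so it handles untagged, single-tagged and double-tagged frames alike; `pop_outer_tag` refuses an untagged frame rather than silently removing payload bytes.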
  • In practice, an individual or enterprise user can access the Internet through a virtual private LAN by connecting to a broadband access server (BRAS, Broadband Remote Access Server) that acts as the remote access authentication device.
  • Within one customer, users can perform Layer 2 access through the virtual private LAN inside the same virtual switching instance and can further be isolated from each other by VLANs; because different customers must not communicate with each other, they need to be assigned to different virtual switching instances for management.
  • At the same time, all users can access the same broadband access server device, which can assign users IP addresses from different network segments; a user accesses the broadband access server with that IP address and reaches the Internet.
  • As shown in FIG. 2, users belonging to the same virtual switching instance (two instances, VSI1 and VSI2, exist in the figure) can access each other through the virtual private LAN. To reach the Internet through the broadband access server, VLAN sub-interfaces must be created on both the PE and the BRAS, and different sub-interfaces must be added to VSI1 and VSI2 respectively. When the user data carries a user VLAN, the user data from the PE device to the BRAS device becomes QinQ packets (carrying two layers of tags), which the broadband access server must terminate.
  • The main purpose of the present invention is to set up a shared virtual switching instance (Super-VSI) on the provider edge device of the virtual private local area network, so that multiple virtual switching instances interwork with one shared virtual switching instance, reducing the complexity of configuring and managing virtual private LAN access to the Layer 3 network. Through the shared virtual switching instance, users of different virtual switching instances remain isolated at Layer 2 while Layer 3 mutual access can be implemented easily.
  • A packet forwarding method for a virtual private local area network includes: receiving a packet from a virtual switching instance in the virtual private local area network; and, when the virtual switching instance the packet comes from is a member of the configured shared virtual switching instance, the shared virtual switching instance forwards the packet to its destination.
  • The packet forwarding device of the virtual private local area network provided by the embodiment of the present invention includes at least one shared virtual switching instance configured with multiple members, each member being a virtual switching instance in the virtual private local area network. The shared virtual switching instance receives packets from virtual switching instances in the virtual private local area network and, when the virtual switching instance a packet comes from is a configured member, forwards the packet to its destination.
  • The shared virtual switching instance keeps different virtual switching instances isolated at Layer 2 while allowing Layer 3 mutual access. From a security standpoint this prevents Layer 2 attacks between virtual switching instances, and the packet forwarding device uniformly controls whether users of different virtual switching instances can access each other.
  • The Layer 3 logical interface of the shared virtual switching instance implements virtual private LAN access to the Layer 3 network. Without a shared virtual switching instance, a separate Layer 3 logical interface with its own IP address would have to be created for every virtual switching instance, which consumes many IP addresses.
  • FIG. 1 is a typical networking diagram of a virtual private local area network in the prior art.
  • FIG. 2 is a schematic diagram of a user accessing a broadband access server through a virtual private local area network in the prior art.
  • FIG. 3 is a schematic diagram of a user accessing a broadband access server through a virtual private local area network using the present invention.
  • FIG. 4 is a schematic diagram of users of different virtual switching instances implementing Layer 3 access through a virtual private local area network and a shared virtual switching instance using the present invention.
  • Mode for carrying out the invention
  • The core of the present invention is that a shared virtual switching instance is set up on a packet forwarding device of a virtual private local area network (for example, a provider edge device PE), and multiple virtual switching instances are interconnected with that one shared virtual switching instance, reducing the complexity of configuring and managing virtual private LAN access to the Layer 3 network. In addition, an Address Resolution Protocol (ARP) proxy function and a Layer 3 logical interface can be set up on the packet forwarding device that holds the shared virtual switching instance, so that users of different virtual switching instances are isolated at Layer 2 but can access each other at Layer 3.
  • The packet forwarding method of the virtual private local area network mainly includes the following steps: a packet forwarding device is set up in the virtual private local area network and includes at least one shared virtual switching instance; when a user in the virtual private local area network sends a packet through the virtual switching instance to which the user belongs, and that virtual switching instance is a member of the shared virtual switching instance, the shared virtual switching instance forwards the packet to its destination.
  • The shared virtual switching instance in the present invention is one that multiple virtual switching instances can share; it is called a Super-VSI and is set on the packet forwarding device, which in this embodiment is the provider edge device PE. A packet forwarding device on which a Super-VSI is set is called a super provider edge device (Super-PE).
  • The members of the Super-VSI are called member virtual switching instances (Sub-VSI). All of the virtual switching instances in the virtual private local area network can be configured as members of the shared virtual switching instance, or only some of them. The present invention does not limit the configuration method: as long as the sharing relationship between the Super-VSI and its Sub-VSIs is established, every member virtual switching instance can communicate with the shared virtual switching instance in the virtual private local area network.
  • Example 1: a user of the virtual private LAN requests authentication to go online.
  • FIG. 3 is a schematic diagram of virtual private LAN users accessing the Internet through a broadband access server by using a Super-VSI. The Super-PE is the edge device connected to both the virtual private LAN and the broadband access server, and the Super-VSI is configured on it. In this example the Super-VSI includes VSI1 and VSI2 of the virtual private LAN as member virtual switching instances; this is not a limitation, and it can include all virtual switching instances.
  • The interface of the Super-PE connected to the access server is added to the Super-VSI, so that users of VSI1 and VSI2 can send packets to the Super-VSI on the Super-PE, which forwards them to the broadband access server for authentication and Internet access. The present invention thus replaces the virtual switching instances connected to the BRAS in the prior art with one shared virtual switching instance, the Super-VSI. Authentication and Internet access themselves are existing procedures, so the specific access process is not described here.
  • The Super-PE interface connected to the BRAS can be configured as a QinQ interface, with user packets of different virtual switching instances mapped to different outer VLANs; the BRAS terminates the QinQ encapsulation and can thereby distinguish users, for example by the VLAN each user belongs to. As a special case, when the Super-VSI processes data without a VLAN tag sent from the virtual switching instances, the QinQ encapsulation uses one uniform default label. The interface between the Super-PE and the broadband access server can also be a common physical interface.
  • The specific implementation is as follows.
  • Step 1: Configure the Super-VSI on the Super-PE and configure its member Sub-VSIs; here VSI1 and VSI2 are configured as member virtual switching instances.
  • Step 2: Establish the related elements of the virtual private local area network on PE1, PE2 and the Super-PE. These may be all PEs in the virtual private local area network, not only PE1 and PE2 (PE3 may also be included); PE1 and PE2 are used as examples. Specifically, the VPLS PW tunnels between them are established, and the interfaces on PE1 and PE2 that serve PC1 and PC2 are added to the corresponding VSIs. This is the existing VPLS processing flow and is not described here.
  • Step 3: The user PC2 sends an authentication request packet to the Super-PE, the packet forwarding device, through the virtual switching instance VSI2 to which it belongs.
  • Step 4: Add the interface connected to the broadband access server to the Super-VSI. Configure the interface type as a QinQ interface or a common interface; for a QinQ interface, configure the mapping between each VSI and its outer label.
  • Step 5: After receiving the authentication request packet sent by PC2, the Super-PE checks whether VSI2, to which PC2 belongs, is a member of the Super-VSI. If so, the Super-VSI and all its configured member Sub-VSIs (VSI1 and VSI2) are searched for a MAC forwarding entry, and the packet is sent out of the corresponding outgoing interface, in this embodiment the interface connected to the access server. A request packet without a VLAN tag is QinQ-encapsulated with the default VLAN label and then forwarded. If no entry is found, the packet is sent to the interfaces of the Super-VSI and all member Sub-VSIs (including the PWs, but not the interface that received the packet). MAC address learning is performed within the scope of the virtual switching instance and the learned information is saved; this is also the existing virtual private LAN processing flow and is not described here.
  • The interface connected to the access server, such as the BRAS, is configured as a QinQ interface or a common interface. For a QinQ interface, the mapping between each VSI and its outer label must be configured; for a common interface, a default outer label can be configured for the untagged user packets of a VSI.
  • In this way, users of different virtual switching instances in the VPLS network can easily reach the BRAS and access the Internet through the Super-VSI. This eliminates the need to set up multiple sub-interfaces on the BRAS corresponding to different virtual switching instances, and also reduces the number of virtual switching instances created on the PE, reducing configuration and management complexity.
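The Super-VSI forwarding decision of Example 1 (membership check, MAC learning across the Super-VSI and its member Sub-VSIs, flooding of unknown destinations, and the QinQ outer label pushed only on the BRAS-facing interface), written as an added simulation in Python. This is not code from the patent or from Huawei; the `SuperPE` class, the port names, the VSI-to-outer-VLAN mapping and the MAC addresses are constructed for the example, and the fallback to a default outer label for a VSI without a mapping is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUPER = "Super-VSI"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vsi: str                          # VSI the frame arrived through (SUPER for the BRAS-facing interface)
    in_port: str                      # attachment circuit or PW it arrived on
    user_vlan: Optional[int] = None   # customer VLAN tag, None if untagged


@dataclass
class Decision:
    action: str                       # "drop", "flood" or "unicast"
    out_ports: List[str] = field(default_factory=list)
    outer_vlan: Optional[int] = None  # QinQ outer tag pushed on the BRAS-facing interface, if any


class SuperPE:
    """Super-PE holding one Super-VSI whose members are the given Sub-VSIs (hypothetical model)."""

    def __init__(self, member_ports: Dict[str, Set[str]], bras_port: str,
                 vsi_outer_vlan: Dict[str, int], default_outer_vlan: int):
        self.ports = {vsi: set(ports) for vsi, ports in member_ports.items()}
        self.ports[SUPER] = {bras_port}             # the BRAS interface is added to the Super-VSI itself
        self.bras_port = bras_port
        self.vsi_outer_vlan = dict(vsi_outer_vlan)  # QinQ interface: member VSI -> outer VLAN
        self.default_outer_vlan = default_outer_vlan
        self.mac_table: Dict[str, tuple] = {}       # MAC -> (vsi, port), learned across Super-VSI + members

    def is_member(self, vsi: str) -> bool:
        return vsi in self.ports

    def _outer_tag(self, frame: Frame) -> int:
        # A VSI without a mapping falls back to the default outer label (assumed behaviour,
        # mirroring the default label the text describes for untagged user packets).
        return self.vsi_outer_vlan.get(frame.vsi, self.default_outer_vlan)

    def forward(self, frame: Frame) -> Decision:
        if not self.is_member(frame.vsi):
            return Decision("drop")                 # source VSI is not a configured member
        # MAC learning in the scope of the Super-VSI and all member Sub-VSIs
        self.mac_table[frame.src_mac] = (frame.vsi, frame.in_port)
        entry = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or entry is None:
            # unknown destination: send to every interface of the Super-VSI and its members
            # (PWs included) except the one the frame arrived on
            outs = sorted(p for ps in self.ports.values() for p in ps if p != frame.in_port)
            outer = self._outer_tag(frame) if self.bras_port in outs else None
            return Decision("flood", outs, outer)
        vsi, port = entry
        outer = self._outer_tag(frame) if port == self.bras_port else None
        return Decision("unicast", [port], outer)


def run_example_1() -> Dict[str, Decision]:
    """PC2 (in VSI2) authenticates via the BRAS; a frame from a non-member VSI3 is refused."""
    pe = SuperPE(
        member_ports={"VSI1": {"pw-to-PE1"}, "VSI2": {"pw-to-PE2"}},
        bras_port="ge0/0/1",
        vsi_outer_vlan={"VSI1": 1001, "VSI2": 1002},   # constructed sample mapping
        default_outer_vlan=1000,
    )
    pc2, bras = "00:00:00:00:00:02", "00:00:00:00:00:aa"   # constructed MACs
    return {
        "auth_request":   pe.forward(Frame(pc2, BROADCAST, "VSI2", "pw-to-PE2", user_vlan=20)),
        "bras_reply":     pe.forward(Frame(bras, pc2, SUPER, "ge0/0/1")),
        "second_request": pe.forward(Frame(pc2, bras, "VSI2", "pw-to-PE2", user_vlan=20)),
        "non_member":     pe.forward(Frame("00:00:00:00:00:99", BROADCAST, "VSI3", "pw-to-PE3")),
    }


if __name__ == "__main__":
    for name, decision in run_example_1().items():
        print(name, decision)
```

The first request from PC2 has no learned entry for the BRAS, so it is flooded (with outer VLAN 1002 on the BRAS port); once the BRAS has answered, both directions are unicast, and the reply toward PC2 carries no outer tag because it leaves on a PW. The drop for VSI3 is the membership check of Step 5.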
  • Example 2: users of different virtual switching instances in the virtual private local area network request mutual access.
  • The ARP proxy function is enabled on the packet forwarding device, the Super-PE in this embodiment; that is, an ARP proxy unit can be included in the Super-PE. The ARP proxy function proxies ARP request packets between user broadcast domains that are isolated from each other, and it must be implemented for the users in all member Sub-VSIs of the Super-VSI. The proxy causes the requesting user to send its packets to the local device, the packet forwarding device, which forwards them locally.
  • In the figure, PC1 and PC2 have IP addresses IP1 and IP2 in the same network segment. Because they belong to different virtual switching instances, an ARP request packet sent by PC1 cannot reach PC2; PC1 therefore never receives an ARP reply from PC2, cannot obtain PC2's MAC address, and so cannot send IP packets to PC2.
  • A Layer 3 logical interface associated with the Super-VSI is configured, with its own IP address and MAC address, and the members of the Super-VSI include VSI1 and VSI2. The ARP request packet (a broadcast) from PC1 can then reach the Super-PE, which runs the ARP proxy function. The Super-PE checks whether the requested IP address is one it proxies, that is, one within the scope of the Super-VSI (VSI1 and VSI2). The ARP request is then sent to PC2 through PE2; PC2 sends an ARP reply back to the Super-PE, and the Super-PE, through the ARP proxy function, sends an ARP reply to PC1 announcing "PC2's MAC address". Note that the MAC address the Super-PE gives PC1 is not the real MAC address of PC2 but the MAC address of the Layer 3 logical interface; this completes the Layer 2 isolation.
  • When PC1 then sends an IP data packet to PC2, the packet is received locally, handed to the Layer 3 logical interface for processing, and forwarded to PC2 by looking up the routing table. PC1 and PC2 thereby achieve Layer 3 access.
  • The specific implementation is as follows.
  • Step 1: Configure the Super-VSI on the Super-PE and configure its member Sub-VSIs; VSI1 and VSI2 are configured as member virtual switching instances.
  • Step 2: Set at least one Layer 3 logical interface associated with the Super-VSI, and configure an IP address and a MAC address on it.
  • Step 3: Establish the related elements of the virtual private local area network on PE1, PE2 and the Super-PE. All PEs in the virtual private local area network may be involved, not only PE1 and PE2 (PE3 may be included, for example); PE1 and PE2 are used as examples. The process includes establishing the VPLS PW tunnels between them and adding the interfaces on PE1 and PE2 that serve PC1 and PC2 to the corresponding VSIs. This is the existing VPLS processing flow.
  • Step 4: The user PC1 of the virtual private local area network sends an ARP request packet to access PC2, where PC1 belongs to VSI1 on PE1 with IP address IP1, and PC2 belongs to VSI2 on PE2 with IP address IP2. The ARP request is sent through VSI1, the virtual switching instance to which PC1 belongs, to the packet forwarding device Super-PE.
  • Step 5: The packet forwarding device Super-PE checks whether the IP address of the destination user PC2 is one it proxies, that is, whether it is the IP address of a user in a member virtual switching instance; if so, it proceeds to the next step.
  • Step 6: The Super-PE performs the ARP proxy function, which must proxy for users in all member Sub-VSIs of the Super-VSI. The Super-PE looks up the MAC address corresponding to the destination IP address of PC2 in the ARP request, searching within the shared virtual switching instance and its configured members. If it is not found, the ARP request packet is sent to the shared virtual switching instance Super-VSI and all its member Sub-VSIs (other than the requesting user's own).
  • Step 7: The Super-PE sends an ARP reply to PC1 announcing the MAC address of PC2; here the MAC address is actually the MAC address of the Layer 3 logical interface.
  • Step 8: PC1 sends a data packet to the Super-PE, which hands it to the Layer 3 logical interface and forwards it to PC2 by looking up the routing table.
  • This example is similar to the second example, with access at Layer 3. The difference is that when the packet forwarding device finds that the destination IP address in the ARP request is the IP address of the Layer 3 logical interface itself, it directly sends an ARP reply to the requesting user, and when that user then sends a data packet it is delivered directly to the Layer 3 logical interface and forwarded by looking up the routing table.
  • In the figure, the right side of the Super-PE device is the IP network and the left side is the virtual private LAN. Users of the virtual private LAN, for example PC1 and PC2, whose IP addresses IP1 and IP2 belong to the same network segment as the Layer 3 logical interface, can access users in the Layer 3 IP network.
  • The specific implementation is as follows.
  • Step 1: Configure the Super-VSI on the Super-PE and configure its member Sub-VSIs; VSI1 and VSI2 are configured as member virtual switching instances.
  • Step 2: Establish the related elements of the virtual private local area network on PE1, PE2 and the Super-PE. These may be all PEs in the virtual private local area network, not only PE1 and PE2 (PE3 may also be included); PE1 and PE2 are used as examples. The process includes establishing the VPLS PW tunnels and adding the interfaces on PE1 and PE2 that serve PC1 and PC2 to the corresponding VSIs. This is the existing VPLS processing flow and is not repeated here.
  • Step 3: Set at least one Layer 3 logical interface (VSI-interface) associated with the Super-VSI on the packet forwarding device, configure on it an IP address in the same network segment as the Sub-VSI users, and configure its MAC address. In addition, the Super-PE must implement the routing function, that is, it must be able to find the VSI-interface as the outbound interface for a destination address such as IP1.
  • Step 4: A user of the virtual private local area network, for example PC1, sends data through VSI1, the virtual switching instance to which it belongs, to the packet forwarding device Super-PE. The Super-PE checks whether the destination MAC address of the packet is that of the Layer 3 logical interface; if so, the packet forwarding device sends the access request packet to Layer 3 for processing and forwards it by looking up the routing table.
  • When the packet forwarding device Super-PE forwards a packet whose destination IP address belongs to a user of the virtual private LAN, it searches for the MAC address corresponding to that destination IP address within the Super-VSI and all member Sub-VSIs and sends the packet through the corresponding VSI; if the address is not present, the Super-PE sends an ARP request to the shared virtual switching instance Super-VSI and its member Sub-VSIs to find the MAC address.
  • In this way the virtual private local area network gains access to the Layer 3 network through the Super-VSI; the Super-PE implements the routing function by finding the outgoing VSI-interface from the destination address.
  • The virtual private local area network of the present invention can create multiple Super-VSIs and multiple VSI-interfaces on a packet forwarding device such as a provider edge device, each applied within its own Super-VSI and VSI-interface. Access between different VSI-interfaces is handled like access between normal Layer 3 interfaces, that is, by ordinary route forwarding.
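The ARP proxy and Layer 3 logical interface behaviour of Example 2 and of the Layer 3 access example above, as an added Python simulation (not code from the patent or from Huawei). It covers Steps 5 to 8: the proxied-range check, resolution inside the member Sub-VSIs only, the reply that carries the Layer 3 interface MAC instead of the target's real MAC, the direct reply when the requested address is the Layer 3 interface itself, and the routed delivery of the subsequent IP packet. The class and method names, the 10.1.1.0/24 segment, the hosts PC1 to PC3 and all MAC addresses are constructed for the example; the non-member VSI3 is included to show the isolation outcome.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    vsi: str   # virtual switching instance the host is reached through


class ArpProxySuperPE:
    """Super-PE with ARP proxy and one Layer 3 logical interface bound to the Super-VSI (hypothetical model)."""

    def __init__(self, members: Set[str], l3_interface: str, l3_mac: str):
        self.members = set(members)                        # Sub-VSIs of the Super-VSI
        self.l3_if = ipaddress.ip_interface(l3_interface)  # same segment as the Sub-VSI users
        self.l3_mac = l3_mac
        self.hosts_by_vsi: Dict[str, List[Host]] = {}      # simulated hosts behind each VSI (via PWs)
        self.arp_cache: Dict[str, Host] = {}               # IP -> host, learned from ARP replies

    def attach(self, host: Host) -> None:
        self.hosts_by_vsi.setdefault(host.vsi, []).append(host)

    def _proxied(self, ip: str) -> bool:
        # Step 5: only addresses on the Layer 3 interface's segment are proxied
        return ipaddress.ip_address(ip) in self.l3_if.network

    def _resolve_in_members(self, target_ip: str, exclude_vsi: str) -> Optional[Host]:
        # Step 6: send the ARP request into every member Sub-VSI except the requester's;
        # the reply from the target is simulated and recorded in the ARP cache
        for vsi in sorted(self.members - {exclude_vsi}):
            for h in self.hosts_by_vsi.get(vsi, []):
                if h.ip == target_ip:
                    self.arp_cache[target_ip] = h
                    return h
        return None

    def handle_arp_request(self, requester: Host, target_ip: str) -> Optional[str]:
        """Return the MAC carried in the ARP reply sent to the requester, or None if no reply is sent."""
        if requester.vsi not in self.members or not self._proxied(target_ip):
            return None
        if target_ip == str(self.l3_if.ip):
            return self.l3_mac                              # the Layer 3 interface itself: reply directly
        target = self.arp_cache.get(target_ip) or self._resolve_in_members(target_ip, requester.vsi)
        if target is None:
            return None                                     # not a user of any member Sub-VSI
        # Step 7: answer with the Layer 3 interface MAC, never the target's real MAC,
        # so the two users stay isolated at Layer 2
        return self.l3_mac

    def forward_ip(self, dst_mac: str, dst_ip: str) -> Optional[Host]:
        """Step 8: a packet addressed to the Layer 3 interface MAC is handed to Layer 3 and routed."""
        if dst_mac != self.l3_mac:
            return None                                     # not for the Layer 3 interface
        return self.arp_cache.get(dst_ip) or self._resolve_in_members(dst_ip, exclude_vsi="")


def run_example_2() -> Dict[str, object]:
    pe = ArpProxySuperPE(members={"VSI1", "VSI2"},
                         l3_interface="10.1.1.254/24", l3_mac="00:00:5e:00:01:fe")
    pc1 = Host("10.1.1.1", "00:00:00:00:00:01", "VSI1")
    pc2 = Host("10.1.1.2", "00:00:00:00:00:02", "VSI2")
    pc3 = Host("10.1.1.3", "00:00:00:00:00:03", "VSI3")    # VSI3 is not a Super-VSI member
    for h in (pc1, pc2, pc3):
        pe.attach(h)
    results = {
        "pc1_asks_pc2": pe.handle_arp_request(pc1, pc2.ip),
        "pc1_asks_gateway": pe.handle_arp_request(pc1, "10.1.1.254"),
        "pc1_asks_pc3": pe.handle_arp_request(pc1, pc3.ip),
        "pc3_asks_pc1": pe.handle_arp_request(pc3, pc1.ip),
        "pc1_asks_offsegment": pe.handle_arp_request(pc1, "192.0.2.9"),
    }
    results["pc1_to_pc2_delivered_to"] = pe.forward_ip("00:00:5e:00:01:fe", pc2.ip)
    return results


if __name__ == "__main__":
    for name, value in run_example_2().items():
        print(name, value)
```

PC1 learns only the Layer 3 interface MAC for PC2, so its data frames are addressed to the Super-PE and routed, while a host in the non-member VSI3 gets no reply in either direction. The address-on-segment check in `_proxied` is the example's reading of Step 5; the patent states the check as "is the destination IP the IP of a user of a member virtual switching instance".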
  • The present invention further provides a packet forwarding system and a packet forwarding device for a virtual private local area network. The system includes multiple clients, which may be distributed in different geographical locations, each connected to the virtual private local area network through at least one provider edge device in its location; and at least one packet forwarding device, in the embodiment of the present invention a Super-PE, which includes at least one shared virtual switching instance Super-VSI configured to forward user requests in the virtual private local area network, with multiple virtual switching instances, VSI1 and VSI2 in this embodiment, interconnected with the shared virtual switching instance.
  • The packet forwarding device further includes an interface connected to the access server, through which the request packets of users of the virtual private local area network, after processing by the shared virtual switching instance of the packet forwarding device, are forwarded to the access server for authentication and Internet access. The interface can be configured as a QinQ interface or as a common interface.
  • The packet forwarding device further includes an ARP proxy unit that proxies for all members of the shared virtual switching instance: for ARP request packets from users of different virtual switching instances of the virtual private local area network, it finds the destination user's MAC address within the shared virtual switching instance and all its members, keeping the users isolated at Layer 2 while implementing Layer 3 mutual access.
  • The packet forwarding device further includes at least one Layer 3 logical interface configured with an IP address in the same network segment as the users of the virtual private local area network, so that those users can implement Layer 3 access.
  • In summary, the present invention sets a shared virtual switching instance on a packet forwarding device in a virtual private local area network, for example a provider edge device, and, as required, enables the ARP proxy function and creates a Layer 3 logical interface, so that users of different virtual switching instances in the virtual private local area network can access the external network or each other without creating too many virtual switching instances on the provider edge device or many sub-interfaces between the provider edge device and the external network. Configuration and management of the virtual private local area network are thus simplified, and it is easier for users in the virtual private local area network to access the external network and to be isolated from or to access each other.

Abstract

A method and a device for transferring messages in a Virtual Private LAN are disclosed. The method includes the following steps: receive a message from a Virtual Switching Instance (VSI) in the Virtual Private LAN; if the VSI from which the message comes is a member of a configured Super Virtual Switching Instance (Super-VSI), the Super-VSI transfers the message to its destination port. According to the invention, setting up the Super-VSI, enabling the ARP proxy function as required and creating Layer 3 logical interfaces lets users of different VSIs in the Virtual Private LAN access an external network or one another without creating more VSIs at the Provider Edges (PE). Setting up and managing the Virtual Private LAN is therefore simplified, and it is more convenient for users in the Virtual Private LAN to access the external network or one another.

Description

Message forwarding method and device for virtual private local area network
Technical field
The present invention relates to a virtual private local area network, and more particularly to a packet forwarding method and apparatus in which a shared virtual switching instance is set up so that multiple virtual switching instances share it.
Background of the invention
Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) technology. By providing a Local Area Network (LAN)-like service over a Multi Protocol Label Switching (MPLS) network, it allows users at multiple geographically dispersed points to access the network simultaneously and to access each other as if those points were directly connected to a LAN. VPLS acts as a virtual LAN switch.
Figure 1 is a typical VPLS networking diagram. As shown, the interface where a customer edge device (CE, Custom Edge) resides is added to a virtual switch instance (VSI, Virtual Switch Instance) in the VPLS; multiple provider edge devices (PE, Provider Edge) are connected to each other through pseudo wires (PW, Pseudo Wire), forming a simulated LAN for the customer. Each PE performs user MAC address learning (on both the CE side and the PW side) within the virtual switching instance and builds forwarding entries, so that CE users who join the same virtual switching instance can access each other at Layer 2. A VPLS PW usually uses an MPLS tunnel, but can also use any other tunnel, such as GRE, L2TPv3 or TE; its role is to transparently transmit Ethernet packets.
A brief introduction to QinQ (a two-layer tag technology, 802.1Q-in-802.1Q) is also needed here. QinQ, also known as VLAN stacking (VLAN-Stack), is a technology that encapsulates Ethernet packets with two layers of virtual LAN tags (VLAN TAGs). The general idea is to encapsulate the user's private network VLAN TAG inside a public network VLAN TAG; the packet carries both TAGs across the service provider's backbone network, and at the edge of that backbone the public network VLAN TAG is stripped and the user's private network VLAN TAG is restored, providing the user with a relatively simple Layer 2 VLAN TAG tunnel.
In practical applications, individual or enterprise users can access the Internet through a virtual private LAN by connecting to a broadband access server (BRAS, Broadband Remote Access Server) that acts as the remote access authentication device. Within an individual or enterprise user's network, Layer 2 access can be performed through the virtual private LAN inside one virtual switching instance, and VLANs can additionally be divided internally for isolation; however, because different users must not communicate with each other, they need to be assigned to different virtual switching instances for management. At the same time, all users can access the same broadband access server device, which can assign users IP addresses from different network segments; a user connects to the broadband access server with that IP address and accesses the Internet.
As shown in Figure 2, users belonging to the same virtual switching instance (two virtual switching instances exist in the figure: VSI1 and VSI2) can access each other through the virtual private LAN. When they need to reach the Internet through the broadband access server, VLAN sub-interfaces must be created on the PE and the BRAS, and different sub-interfaces must be added to VSI1 and VSI2 respectively. When the user data carries a user VLAN, the user data from the PE device to the BRAS device becomes QinQ packets (carrying two layers of tags), which the broadband access server must terminate.
Therefore, when users of different virtual switching instances access the BRAS through the PE to go online, many virtual switching instances must be created on the PE, many sub-interfaces must be created between the PE and the BRAS, and different sub-interfaces must be added to different virtual switching instances; configuration and management are both very complex.
Summary of the invention
The main object of the present invention is to set up a shared virtual switching instance (Super-VSI) on a provider edge device of the virtual private LAN, so that multiple virtual switching instances interwork with one shared virtual switching instance, reducing the complexity of configuring and managing the virtual private LAN's access to a Layer 3 network. In addition, through the shared virtual switching instance, users of different virtual switching instances are isolated at Layer 2 while Layer 3 mutual access can be implemented conveniently.
The above object of the present invention is achieved as follows:
A packet forwarding method for a virtual private LAN, comprising:
receiving a packet from a virtual switching instance in the virtual private LAN;
when the virtual switching instance from which the packet comes is a member of a configured shared virtual switching instance, forwarding the packet by the shared virtual switching instance to its destination.
An embodiment of the present invention provides a packet forwarding apparatus for a virtual private LAN, comprising: at least one shared virtual switching instance, configured with multiple members, each member being at least one virtual switching instance in the virtual private LAN;
the shared virtual switching instance being configured to receive packets from virtual switching instances in the virtual private LAN and, when the virtual switching instance from which a packet comes is one of the configured members, to forward the packet to its destination.
The beneficial effects of the present invention are:
1. Multiple virtual switching instances in a virtual private LAN can be shared or aggregated, reducing the complexity of configuration and management;
2. The shared virtual switching instance provides Layer 2 isolation between different virtual switching instances while permitting Layer 3 mutual access. For security reasons this prevents Layer 2 attack behaviour between virtual switching instances, while the packet forwarding apparatus can centrally control whether users of different virtual switching instances may access one another;
3. Through a virtual switching instance interface (VSI-interface), i.e. a Layer 3 logical interface, the virtual private LAN is connected to the Layer 3 network. This solves the problem that, if access were provided without a shared virtual switching instance, a separate Layer 3 logical interface would have to be created and an IP address configured for every virtual switching instance, consuming a large number of IP addresses.

BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a typical networking diagram of a virtual private LAN in the prior art;
Figure 2 is a schematic diagram of users in the prior art accessing the Internet through a virtual private LAN connected to a broadband access server;
Figure 3 is a schematic diagram of users accessing the Internet through a virtual private LAN connected to a broadband access server using the present invention;
Figure 4 is a schematic diagram of users of different virtual switching instances achieving Layer 3 access through a virtual private LAN and a shared virtual switching instance using the present invention.

Mode for carrying out the invention
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
The core of the present invention is that a shared virtual switching instance is set up on a packet forwarding apparatus of the virtual private LAN (for example a provider edge device, PE), so that multiple virtual switching instances interwork with one shared virtual switching instance, reducing the complexity of configuring and managing the virtual private LAN's access to a Layer 3 network. In addition, by enabling an Address Resolution Protocol (ARP) proxy function and setting up a Layer 3 logical interface on the packet forwarding apparatus that holds the shared virtual switching instance, users of different virtual switching instances are isolated at Layer 2 and can access one another at Layer 3.
The present invention is described in detail below with reference to the drawings and embodiments.
The packet forwarding method for a virtual private LAN provided by the present invention mainly comprises the following steps:
setting up a packet forwarding apparatus in the virtual private LAN, the packet forwarding apparatus comprising at least one shared virtual switching instance;
configuring the members of the shared virtual switching instance, a member being any one or more virtual switching instances in the virtual private LAN other than the shared virtual switching instance itself;
when a user in the virtual private LAN sends a packet via the virtual switching instance to which it belongs, that is, via a member virtual switching instance, forwarding the packet to its destination through the shared virtual switching instance.
The following description takes the case where the packet forwarding apparatus is a PE in the virtual private LAN as an example. The shared virtual switching instance of the present invention is a single virtual switching instance that can be shared by multiple virtual switching instances, and may be called a super VSI instance (Super-VSI). The Super-VSI is set up on the packet forwarding apparatus, i.e. on the provider edge device PE in this embodiment; for ease of description, a packet forwarding apparatus on which a Super-VSI is set up is here called a super provider edge device (Super-PE).
Next, multiple members are configured for the shared virtual switching instance. These members may be called member virtual switching instances (Sub-VSIs); they are virtual switching instances in the virtual private LAN. All virtual switching instances in the virtual private LAN may be configured as members of the shared virtual switching instance, or only some of them. The configuration method is not limited in the present invention, as long as the sharing relationship between the Super-VSI and the Sub-VSIs is established such that, within the virtual private LAN, every member virtual switching instance can interwork with the shared virtual switching instance.
With the above settings, when a user in the virtual private LAN sends a request, it can be forwarded through the packet forwarding apparatus, more specifically through the shared virtual switching instance. The different kinds of user request are described separately below with reference to the drawings.

Example 1: a user of the virtual private LAN requests authentication for Internet access
Figure 3 is a schematic diagram of virtual private LAN users accessing the Internet through a broadband access server using a Super-VSI. As shown in Figure 3, the Super-PE is the edge device connecting the virtual private LAN to the broadband access server. A Super-VSI is configured on the Super-PE; it contains VSI1 and VSI2 of the virtual private LAN as its member virtual switching instances. It is not limited to these and may contain all virtual switching instances; here a Super-VSI comprising VSI1 and VSI2 is taken as an example. The interface on the Super-PE connected to the broadband access server is added to the Super-VSI, so that users of both VSI1 and VSI2 can send packets to the Super-VSI of the Super-PE and have them forwarded to the broadband access server for authentication and Internet access.
Since users of different clients connecting through a virtual switching instance to an authentication access server for Internet access is prior art, and the present invention merely replaces the prior-art virtual switching instance connected to the BRAS with one shared virtual switching instance, the Super-VSI, to achieve authenticated Internet access, the specific access procedure is not described again here.
In addition, so that the BRAS can distinguish users of different virtual switching instances, the Super-PE interface connected to the BRAS may be set as a QinQ interface; user packets of different virtual switching instances are mapped to different outer VLANs, and the broadband access server terminates the QinQ encapsulation and distinguishes the users, for example by the different VLANs to which the users belong.
A special case is that, during Super-VSI processing, all untagged data sent from the other member virtual switching instances (those that are not the Super-VSI itself) is uniformly QinQ-encapsulated with the default VLAN tag. When the network plan does not allow user VLANs to be carried over the virtual private LAN, the interface between the Super-PE and the broadband access server is simply an ordinary physical interface.
The specific implementation is as follows:
Step 1: Configure the Super-VSI on the Super-PE and configure the Sub-VSI members of the Super-VSI; in this embodiment, suppose VSI1 and VSI2 are configured as its member virtual switching instances;
Step 2: Establish the elements of the virtual private LAN for PE1, PE2 and the Super-PE. These may be all PEs in the virtual private LAN and are not limited to PE1 and PE2; for example PE3 may also be included; here only PE1 and PE2 are taken as an example. This process specifically includes establishing VPLS PW tunnels between them and adding the interfaces on PE1 and PE2 that face the users PC1 and PC2 to the corresponding VSIs. This is the existing VPLS process and is not described again here;
Step 3: The user PC2 sends an authentication request packet, which is sent via the virtual switching instance VSI2 to which the user belongs to the Super-PE acting as the packet forwarding apparatus;
Step 4: Add the interface connected to the broadband access server to the Super-VSI and, as required, configure the interface type as a QinQ interface or an ordinary interface. For a QinQ interface, the mapping from VSI to outer tag must be configured; in addition, the default outer tag for untagged VSI user packets may be configured as required;
Step 5: After the Super-PE receives the authentication request packet sent by the virtual private LAN user PC2, it checks whether VSI2, to which the packet belongs, is a member of the Super-VSI. If so, it looks up the MAC forwarding entry within the Super-VSI of the packet forwarding apparatus and all of its configured Sub-VSI members (VSI1 and VSI2), finds the corresponding outgoing interface and sends the packet; in this embodiment that is the interface connected to the access server;
If the outgoing interface is a QinQ interface, the request packet is QinQ-encapsulated with the default virtual LAN tag and then forwarded.
If the packet is a first packet, or no corresponding outgoing interface is found in the MAC forwarding table, the packet is sent out on the interfaces corresponding to the Super-VSI and all member Sub-VSIs (including PWs, but excluding the interface on which the current packet was received). In addition, MAC address learning is performed within the scope of the owning virtual switching instance and the relevant information is saved; this is also the existing virtual private LAN process and is not described again here.
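The Super-VSI forwarding decision of steps 1 to 5 above (membership check, per-VSI MAC learning, lookup across the Super-VSI and all Sub-VSIs, flooding on a miss, and QinQ encapsulation on the BRAS-facing interface) as an added worked model. This is not the patent's or Huawei's code; the class, the interface names (`pw-pe1`, `pw-pe2`, `to-bras`), the MAC strings and the outer-tag values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPER = "Super-VSI"   # constructed name for the shared instance that owns the BRAS-facing interface


@dataclass
class Frame:
    src: str                     # source MAC
    dst: str                     # destination MAC
    vsi: str                     # instance the frame arrived on: a member Sub-VSI, or SUPER for the BRAS port
    in_port: str                 # receiving interface (an attachment circuit or a PW)
    vlan: Optional[int] = None   # user (inner) VLAN tag, None if untagged
    outer: Optional[int] = None  # public-network (outer) tag added on a QinQ egress interface


class SuperPE:
    """Packet forwarding apparatus holding one Super-VSI (constructed model, not the patent's implementation)."""

    def __init__(self, members, ports, qinq_ports, vsi_to_outer, default_outer):
        self.members = set(members)              # Sub-VSIs configured as members of the Super-VSI (step 1)
        self.ports = dict(ports)                 # interface -> instance it is attached to (steps 2 and 4)
        self.qinq_ports = set(qinq_ports)        # interfaces configured as QinQ interfaces (step 4)
        self.vsi_to_outer = dict(vsi_to_outer)   # VSI -> outer tag mapping for QinQ interfaces
        self.default_outer = default_outer       # outer tag used for untagged user packets
        self.mac_table: Dict[Tuple[str, str], str] = {}   # (owning VSI, MAC) -> interface

    def _lookup(self, mac: str) -> Optional[str]:
        """MAC lookup in the Super-VSI and then every member Sub-VSI, as in step 5."""
        for vsi in (SUPER, *sorted(self.members)):
            port = self.mac_table.get((vsi, mac))
            if port is not None:
                return port
        return None

    def _egress(self, f: Frame, port: str) -> Frame:
        """QinQ encapsulation on a QinQ interface: VSI-specific outer tag, default tag when untagged."""
        if port not in self.qinq_ports:
            return f
        outer = self.vsi_to_outer.get(f.vsi) if f.vlan is not None else None
        return Frame(f.src, f.dst, f.vsi, f.in_port, f.vlan,
                     outer if outer is not None else self.default_outer)

    def forward(self, f: Frame) -> List[Tuple[str, Frame]]:
        """Return the (interface, frame) pairs the Super-PE sends out for one received frame."""
        if f.vsi != SUPER and f.vsi not in self.members:
            return []                            # membership check failed: the Super-VSI does not carry it
        self.mac_table[(f.vsi, f.src)] = f.in_port   # MAC learning within the owning instance
        out = self._lookup(f.dst)
        if out is not None:
            targets = [out]
        else:                                    # first packet or unknown destination: flood, excluding ingress
            targets = [p for p in self.ports if p != f.in_port]
        return [(p, self._egress(f, p)) for p in targets]
```

Learning is keyed by the owning instance, so the same MAC seen in two Sub-VSIs yields two entries and the lookup order (Super-VSI first, then members in a fixed order) decides which wins; a frame from an instance that is not a configured member is dropped before any learning happens, which is the property that keeps non-member traffic out of the shared instance.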
In this embodiment, the interface connecting the Super-PE configured with the Super-VSI to the access server, such as a BRAS, is added to the Super-VSI, and the interface type is configured as a QinQ interface or an ordinary interface as required. For a QinQ interface the mapping from VSI to outer tag must be configured; for an ordinary interface the default outer tag for untagged VSI user packets may be configured. In this way, users of different virtual switching instances in the VPLS network can easily reach the BRAS and access the Internet through the Super-VSI, so that multiple sub-interfaces corresponding to different virtual switching instances no longer need to be set up on the BRAS, and the number of virtual switching instances created on the PE is also reduced, lowering the complexity of configuration and management.

Example 2: users of different virtual switching instances in the virtual private LAN request mutual access
In this embodiment, when users of different virtual switching instances need Layer 3 mutual access, an ARP proxy function is enabled on the packet forwarding apparatus, i.e. the Super-PE in this embodiment; that is, the Super-PE may include an ARP proxy unit.
The ARP proxy function refers to the process of answering, by proxy, ARP request packets from different broadcast domains that it keeps isolated from one another. In the present invention, the ARP proxy function must act as proxy for the users in all Sub-VSI members of the Super-VSI, requiring users to send packets to the local device, i.e. the packet forwarding apparatus, which forwards them locally.
As shown in Figure 4, under normal conditions users of VSI1 and VSI2 cannot access one another. For example, PC1 and PC2 in the figure, with IP addresses IP1 and IP2 respectively, belong to the same network segment, but the ARP request packet sent by PC1 cannot reach PC2; PC1 therefore never receives an ARP response from PC2, cannot obtain PC2's MAC address, and so cannot send IP packets to PC2.
When the Super-VSI is configured on the Super-PE, a Layer 3 logical interface associated with the Super-VSI is configured at the same time, together with its IP address and MAC address, and the Super-VSI's members include VSI1 and VSI2. PC1's ARP request packet (a broadcast packet) can now be sent to the Super-PE, which runs the ARP proxy function. When it finds that PC1's IP address is one it proxies, it sends an ARP request within the scope of the Super-VSI (i.e. VSI1 and VSI2) to look up PC2's MAC address. That ARP request reaches PC2 via PE2; PC2 returns an ARP response to the Super-PE, and the Super-PE then uses the ARP proxy function to return an ARP response to PC1 announcing "PC2's MAC address". Note that the MAC address the Super-PE gives PC1 is not PC2's real MAC address but the MAC address of the Layer 3 logical interface; this achieves Layer 2 isolation. PC1 then sends an IP data packet to PC2; the packet is received locally and delivered to the Layer 3 logical interface for processing, and is forwarded to PC2 via a routing table lookup, so that PC1 and PC2 achieve Layer 3 access.
The specific implementation is as follows:
Step 1: Configure the Super-VSI on the Super-PE and configure the Sub-VSI members of the Super-VSI; in this embodiment, suppose VSI1 and VSI2 are configured as its member virtual switching instances;
Step 2: Set up at least one Layer 3 logical interface associated with the Super-VSI, and configure the IP address and MAC address of that Layer 3 logical interface;
Step 3: Establish the elements of the virtual private LAN for PE1, PE2 and the Super-PE. These may be all PEs in the virtual private LAN and are not limited to PE1 and PE2; for example PE3 may also be included; here only PE1 and PE2 are taken as an example. This process specifically includes establishing VPLS PW tunnels between them and adding the interfaces on PE1 and PE2 that face the users PC1 and PC2 to the corresponding VSIs. This is the existing VPLS process and is not described again here;
Step 4: The virtual private LAN user PC1 sends an ARP request packet requesting access to PC2, where PC1 belongs to VSI1 at PE1 with IP address IP1, and PC2 belongs to VSI2 at PE2 with IP address IP2. The ARP request packet is sent via the virtual switching instance VSI1 to which the user PC1 belongs to the packet forwarding apparatus Super-PE;
Step 5: The packet forwarding apparatus Super-PE checks whether the IP address of the user PC2, i.e. the destination user, is an IP address it proxies, i.e. whether it is the IP address of a user of a member virtual switching instance; if so, it proceeds with the following steps.
Step 6: The Super-PE performs the ARP proxy function, which must act as proxy for users in all Sub-VSI members of the Super-VSI. The packet forwarding apparatus Super-PE checks the MAC address corresponding to the IP address of the destination user PC2 in the ARP request packet; this may be done by looking it up within the shared virtual switching instance and its configured members. If it is not found, an ARP request is sent to the shared virtual switching instance Super-VSI and all of its Sub-VSI members (possibly excluding the requesting user's) to search for it;
Step 7: The Super-PE returns an ARP response to PC1 informing it of PC2's MAC address; here this MAC address is actually the MAC address of the Layer 3 logical interface;
Step 8: PC1 sends a data packet to the Super-PE; the Super-PE delivers the data packet to the Layer 3 logical interface and forwards it to PC2 by looking up the routing table.
In the prior art, users of different virtual switching instances are isolated at Layer 2 and cannot access one another at Layer 3. With the present invention, more specifically with the shared virtual switching instance Super-VSI set up by the present invention, users of different virtual switching instances in the virtual private LAN are conveniently kept isolated from one another at Layer 2 while accessing one another at Layer 3. In practical applications this prevents Layer 2 attack behaviour between virtual switching instances, and the packet forwarding apparatus centrally controls whether users of different virtual switching instances may access one another.

Example 3: a user in the virtual private LAN requests access to a Layer 3 network
This example is similar to Example 2 in that access is at Layer 3. The difference is that when the packet forwarding apparatus finds that the destination IP address is the IP address of the Layer 3 logical interface, it returns the ARP response directly, and when the requesting user then sends data packets they are delivered directly to the Layer 3 logical interface and forwarded via a routing table lookup.
As shown in Figure 4, to the right of the Super-PE device is an IP network and to the left is the virtual private LAN. When users of different virtual switching instances in the virtual private LAN (for example PC1 and PC2) want to access users in the IP network, a Layer 3 logical interface (which may be called a VSI-interface) can be created on the packet forwarding apparatus and an IP address in the same network segment as IP1 and IP2 configured on it, so that PC1 and PC2 can access users in the Layer 3 IP network.
The specific implementation is as follows:
Step 1: Configure the Super-VSI on the Super-PE and configure the Sub-VSI members of the Super-VSI; in this embodiment, suppose VSI1 and VSI2 are configured as its member virtual switching instances;
Step 2: Establish the elements of the virtual private LAN for PE1, PE2 and the Super-PE. These may be all PEs in the virtual private LAN and are not limited to PE1 and PE2; for example PE3 may also be included; here only PE1 and PE2 are taken as an example. This process specifically includes establishing VPLS PW tunnels between them and adding the interfaces on PE1 and PE2 that face the users PC1 and PC2 to the corresponding VSIs. This is the existing VPLS process and is not described again here;
Step 3: Set up on the packet forwarding apparatus at least one Layer 3 logical interface, the VSI-interface, associated with the Super-VSI; configure on that Layer 3 logical interface an IP address in the same network segment as the IP addresses of the Sub-VSI users, and configure a MAC address. In addition, the Super-PE must implement a routing function, i.e. it can determine from a destination address such as IP1 that its outgoing interface is the VSI-interface;
Step 4: A user of the virtual private LAN, for example PC1, sends a data packet via the virtual switching instance VSI1 to which the user belongs to the packet forwarding apparatus Super-PE; the packet forwarding apparatus checks whether the destination MAC address of the packet is the MAC address of the Layer 3 logical interface; if so, the packet forwarding apparatus delivers the access request packet to Layer 3 processing and forwards it via a routing table lookup;
When the outgoing interface is the Layer 3 logical interface, the packet forwarding apparatus Super-PE looks up, within the Super-VSI and all Sub-VSI members, the MAC address corresponding to the destination IP and sends the packet through the corresponding VSI; when that MAC address does not exist, the packet forwarding apparatus Super-PE sends an ARP request packet to the shared virtual switching instance Super-VSI and its Sub-VSI members to find the MAC address.
In this example, by creating on the Super-PE a Layer 3 logical interface, the VSI-interface, associated with the Super-VSI, and configuring on that interface an IP address in the same network segment as the IP addresses of all Sub-VSI users together with a MAC address, the virtual private LAN is connected to the Layer 3 network through the Super-VSI. The Super-PE then implements a routing function and can find its outgoing interface, the VSI-interface, from the destination address.
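The ARP proxy of Example 2 (steps 5 to 8) and the VSI-interface handling of Example 3 share one mechanism, so one added model covers both: the Super-PE answers ARP for proxied Sub-VSI users and for its own VSI-interface with the interface MAC, and packets addressed to that MAC are handled at Layer 3. This is not the patent's or Huawei's code; the class, the `hosts` table that stands in for the ARP replies coming back from PE1/PE2, the addresses (documentation ranges) and the route table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Host:
    vsi: str   # Sub-VSI the host attaches to
    mac: str   # its real MAC address (never disclosed to users of other Sub-VSIs)
    pe: str    # PE at which it attaches


class SuperPEL3:
    """Super-PE with an ARP proxy unit and one VSI-interface (constructed model, not the patent's code)."""

    def __init__(self, members, if_addr, if_mac, routes):
        iface = ipaddress.ip_interface(if_addr)          # e.g. "10.1.1.1/24": same segment as the Sub-VSI users
        self.members = set(members)                      # Sub-VSIs the proxy answers for
        self.if_ip, self.if_net, self.if_mac = str(iface.ip), iface.network, if_mac
        self.routes = {ipaddress.ip_network(p): out for p, out in routes.items()}   # prefix -> outgoing interface
        self.arp_cache: Dict[str, Host] = {}             # IP -> host, learned by proxying
        self.proxy_requests: List[str] = []              # IPs the proxy had to ask for inside the Sub-VSIs

    def _resolve(self, ip, hosts):
        """Step 6: on a cache miss send an ARP request into the Super-VSI and all Sub-VSIs.

        `hosts` stands in for the replies that would come back via PE1/PE2.
        """
        if ip in self.arp_cache:
            return self.arp_cache[ip]
        self.proxy_requests.append(ip)
        h = hosts.get(ip)
        if h is not None and h.vsi in self.members:
            self.arp_cache[ip] = h
            return h
        return None

    def handle_arp(self, req_vsi, target_ip, hosts):
        """ARP request from a user in req_vsi; returns the reply sent back, or None for no reply."""
        if req_vsi not in self.members:
            return None
        if target_ip == self.if_ip:                       # Example 3: target is the VSI-interface itself
            return ("arp-reply", target_ip, self.if_mac)
        if self._resolve(target_ip, hosts) is None:       # step 5: not an address the proxy answers for
            return None
        return ("arp-reply", target_ip, self.if_mac)       # step 7: interface MAC, not PC2's real MAC

    def handle_ip(self, dst_mac, dst_ip, hosts):
        """Step 8 and Example 3 step 4: only packets sent to the VSI-interface MAC enter Layer 3."""
        if dst_mac != self.if_mac:
            return ("l2", dst_mac)                         # ordinary Layer 2 forwarding inside the owning VSI
        addr = ipaddress.ip_address(dst_ip)
        if addr in self.if_net:                            # outgoing interface is the VSI-interface
            h = self._resolve(dst_ip, hosts)
            return ("vsi", h.vsi, h.mac) if h is not None else ("drop",)
        for net, out in self.routes.items():               # otherwise a normal routing-table lookup
            if addr in net:
                return ("route", out)
        return ("drop",)
```

The security property the text relies on is visible in the return values: a requester in VSI1 only ever learns the VSI-interface MAC for a host in VSI2, so every cross-instance packet must pass through the Super-PE's Layer 3 processing, where the apparatus can centrally decide whether the two instances may reach each other.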
这里需要说明的是, 本发明的虚拟专用局域网可以在报文转发装 置, 例如运营商边缘设备上, 创建多个 Super-VSI和多个 VSI-interface , 在单个 Super-VSI和 VSI-interface内应用上述规则, 不同 VSI-interface之间 的访问则按照正常的三层接口的访问来处理, 即进行一般的路由转发。  It should be noted that the virtual private local area network of the present invention can create multiple Super-VSIs and multiple VSI-interfaces on a packet forwarding device, such as a carrier edge device, and apply in a single Super-VSI and VSI-interface. In the above rule, access between different VSI-interfaces is handled according to the access of the normal Layer 3 interface, that is, general route forwarding is performed.
根据以上的说明可知, 本发明另提供一种虚拟专用局域网的报文转 发系统及报文转发装置, 所述系统包括: 多个客户端, 该多个客户端可 以分布于不同的地理位置, 也可以位于同一地理位置, 在每一个地理位 置, 所述客户端都通过至少一个运营商边缘设备连接虚拟专用局域网; 至少一个报文转发装置, 在本发明的实施例中为 Super-PE, 该报文转发 装置包括至少一个共享虚拟交换实例 Super-VSI, 用于转发所述虚拟专 用局域网中的用户请求4艮文, 其中, 所述共享虚拟交换实例 Super-VSI 多个虚拟交换实例, 用于与所述共享虚拟交换实例互通, 在本实施例中 为 VSI1和 VSI2。  According to the above description, the present invention further provides a packet forwarding system and a packet forwarding device of a virtual private local area network, where the system includes: multiple clients, the multiple clients may be distributed in different geographical locations, The client may be connected to the virtual private local area network through at least one carrier edge device in each geographical location; at least one packet forwarding device, in the embodiment of the present invention, is a Super-PE, the newspaper The file forwarding device includes at least one shared virtual switching instance Super-VSI, configured to forward a user request in the virtual private local area network, where the shared virtual switching instance Super-VSI multiple virtual switching instances are used for The shared virtual switching instances are interconnected, which are VSI1 and VSI2 in this embodiment.
其中, 所述报文转发装置还包括一个与接入服务器相连的接口, 所 述虚拟专用局域网的用户的请求报文经由该报文转发装置的共享虚拟 交换实例的处理通过所述接口转发给所述接入服务器进行认证上网, 该 接口可以配置为 QinQ接口, 在该接口上配置有虚拟交换实例到外层标 签的对应关系, 也可以配置为普通接口, 在该接口上配置有不带虚拟局 域网的虚拟交换实例用户报文的缺省外层标签。 另外, 所述 文转发装置还包括对所述共享虚拟交换实例的所有成 员进行代理的 arp代理单元, 用于根据所述虚拟专用局域网的不同虚拟 交换实例的用户的 arp请求报文在所述共享虚拟交换实例及其所有成员 内查找目的用户 MAC地址, 在二层进行隔离, 实现三层互访。 The packet forwarding device further includes an interface connected to the access server, and the request packet of the user of the virtual private local area network is forwarded to the office through the interface through the processing of the shared virtual switching instance of the packet forwarding device. The access server is authenticated and connected to the Internet. The interface can be configured as a QinQ interface. The interface can be configured as a common interface. The interface can be configured as a common interface. Default outer label of the user packet of the virtual switching instance. In addition, the text forwarding device further includes an arp proxy unit that proxyes all members of the shared virtual switching instance, and the arp request message of the user according to different virtual switching instances of the virtual private local area network is in the sharing. The virtual switch instance and all its members find the destination user MAC address and isolate it at Layer 2 to implement Layer 3 mutual access.
In addition, the packet forwarding apparatus further includes at least one Layer 3 logical interface, on which an IP address in the same network segment as the users of the virtual private LAN is configured, so that users of the virtual private LAN can perform Layer 3 access.
In summary, the present invention configures a shared virtual switching instance on a packet forwarding apparatus in the virtual private LAN, for example on a provider edge device, and as required enables the ARP proxy function and creates Layer 3 logical interfaces, so that users of different virtual switching instances in the virtual private LAN can access the external network or one another without creating excessive virtual switching instances on the provider edge device or many sub-interfaces between the provider edge device and the external network. This simplifies the configuration and management of the virtual private LAN and makes it easier for users within it to access the external network and to be isolated from, or to access, one another.
The above embodiments serve only to illustrate the present invention and do not limit its application to them; any equivalent changes and modifications made according to the present invention by applying a shared virtual switching instance fall within the scope of protection of the present invention.

Claims

1. A packet forwarding method for a virtual private LAN, characterized in that it includes the following steps:
receiving a packet from a virtual switching instance in the virtual private LAN;
when the virtual switching instance from which the packet comes is a member of a configured shared virtual switching instance, the shared virtual switching instance forwards the packet to its destination.
2. The method according to claim 1, characterized in that the shared virtual switching instance forwarding the packet to its destination comprises: the shared virtual switching instance determines the outbound interface corresponding to the packet, and forwards the packet to its destination through the determined outbound interface.
3. The method according to claim 2, characterized in that, when a user in the virtual private LAN requests authentication for Internet access, said receiving a packet from a virtual switching instance in the virtual private LAN is: receiving an access request packet from a virtual switching instance in the virtual private LAN;
when the virtual switching instance from which the packet comes is a member of the configured shared virtual switching instance, the shared virtual switching instance determining the outbound interface corresponding to the packet is: looking up MAC forwarding entries in the shared virtual switching instance and all of its members, and if the MAC forwarding entries contain an outbound interface corresponding to the received access request packet, determining that outbound interface as the outbound interface corresponding to the access request packet;
if the packet is a first packet (no MAC forwarding entry exists yet) or the forwarding entry is not found, determining the interfaces corresponding to the shared virtual switching instance and to all member virtual switching instances, other than the virtual switching instance to which the user sending the packet belongs, as the outbound interfaces corresponding to the access request packet.
4. The method according to claim 3, characterized in that, when the determined outbound interface is a QinQ interface, said forwarding the packet to its destination through the determined outbound interface includes: performing QinQ encapsulation on the access request packet using the default virtual LAN tag; and forwarding the QinQ-encapsulated access request packet through the determined QinQ interface.
5. The method according to claim 2, characterized in that, when a user in the virtual private LAN requests Layer 3 access, said receiving a packet from a virtual switching instance in the virtual private LAN is: receiving a data packet from a virtual switching instance in the virtual private LAN;
when the virtual switching instance from which the packet comes is a member of the configured shared virtual switching instance, the shared virtual switching instance determining the outbound interface corresponding to the packet is: determining, among at least one pre-configured Layer 3 logical interface, the one whose MAC address corresponds to the data packet as the outbound interface corresponding to the data packet.
6. The method according to claim 5, characterized in that said forwarding the packet to its destination through the determined outbound interface is: sending the data packet up to the Layer 3 logical interface and looking up the routing table to forward it.
7. The method according to claim 5 or 6, characterized in that, before said receiving a data packet from a virtual switching instance in the virtual private LAN, it further includes the following steps:
receiving an ARP request packet from a virtual switching instance in the virtual private LAN; checking whether the destination IP address of the ARP request packet is an IP address proxied by the shared virtual switching instance;
if so, looking up the destination user MAC address and returning an ARP reply containing the MAC address of the Layer 3 logical interface found as the lookup result, thereby informing the user of the destination user MAC address for the data packet;
if not, then when the destination IP address is the IP address of the Layer 3 logical interface, returning an ARP reply containing the MAC address of the Layer 3 logical interface, thereby informing the user of the destination user MAC address for the data packet.
8. The method according to claim 7, characterized in that the step of looking up the destination user MAC address includes: searching within the shared virtual switching instance and its configured members, and if there is a MAC address of a Layer 3 logical interface corresponding to the destination user IP address in the ARP request packet, taking that MAC address as the lookup result;
if there is no MAC address of a Layer 3 logical interface corresponding to the destination user IP address in the ARP request packet, sending an ARP request packet to the shared virtual switching instance and the member virtual switching instances to search.
9. The method according to claim 5 or 6, characterized in that, before said receiving a data packet from a virtual switching instance in the virtual private LAN, it further includes the following steps:
receiving an ARP request packet from a virtual switching instance in the virtual private LAN; when the destination IP address of the ARP request packet is the IP address of the Layer 3 logical interface, directly returning an ARP reply, requesting the user to send the data packet.
10. A packet forwarding apparatus for a virtual private LAN, characterized in that it includes: at least one shared virtual switching instance configured with multiple members, each member being at least one virtual switching instance in the virtual private LAN;
the shared virtual switching instance is configured to receive a packet from a virtual switching instance in the virtual private LAN and, when the virtual switching instance from which the packet comes is one of the configured members, to forward the packet to its destination.
11. The packet forwarding apparatus according to claim 10, characterized in that the shared virtual switching instance includes at least one outbound interface;
the shared virtual switching instance forwards the packet to its destination through the outbound interface.
12. The packet forwarding apparatus according to claim 11, characterized in that the outbound interface is connected to an access server;
when the packet received by the shared virtual switching instance is an access request packet with which a user requests authentication for Internet access, the shared virtual switching instance forwards the access request packet through the outbound interface connected to the access server.
13. The packet forwarding apparatus according to claim 12, characterized in that
the outbound interface connected to the access server is a QinQ interface, on which the mapping from virtual switching instance to outer tag is configured.
14. The packet forwarding apparatus according to claim 12, characterized in that
the outbound interface connected to the access server is an ordinary interface, on which a default outer tag is configured for user packets of virtual switching instances that carry no VLAN tag.
15. The packet forwarding apparatus according to claim 11, characterized in that
the shared virtual switching instance is configured with at least one Layer 3 logical interface;
the Layer 3 logical interface is configured with an IP address and a MAC address in the same network segment as the requesting users of the virtual private LAN, and is used to forward data packets of users of the virtual private LAN performing Layer 3 access.
16. The packet forwarding apparatus according to claim 15, characterized in that
the shared virtual switching instance further includes an ARP proxy unit, configured to look up, according to the ARP request packets of users in different virtual switching instances of the virtual private LAN, the MAC address of the Layer 3 logical interface that serves as the destination user MAC address.
PCT/CN2007/070735 2006-09-28 2007-09-20 Method and device for transferring message in virtual private lan WO2008037210A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2006101599580A CN100514929C (en) 2006-09-28 2006-09-28 Method and device for message transfer of virtual private local area network
CN200610159958.0 2006-09-28

Publications (1)

Publication Number Publication Date
WO2008037210A1 true WO2008037210A1 (en) 2008-04-03

Family

ID=37779020

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070735 WO2008037210A1 (en) 2006-09-28 2007-09-20 Method and device for transferring message in virtual private lan

Country Status (2)

Country Link
CN (1) CN100514929C (en)
WO (1) WO2008037210A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102368735A (en) * 2011-11-07 2012-03-07 杭州华三通信技术有限公司 Virtual private LAN service (VPLS) message processing method and equipment thereof
CN113923162A (en) * 2021-10-09 2022-01-11 新华三信息安全技术有限公司 Message forwarding method, device, equipment and storage medium
CN115334045A (en) * 2022-08-12 2022-11-11 迈普通信技术股份有限公司 Message forwarding method, device, gateway equipment and storage medium

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100466590C (en) * 2007-03-26 2009-03-04 中兴通讯股份有限公司 Method for sharing V-Switch transparent-transferring data load
CN101197779B (en) * 2007-12-27 2012-10-17 华为技术有限公司 Method, device and system for improving address analysis protocol proxy package efficiency
CN101631129B (en) * 2009-08-18 2013-06-05 中兴通讯股份有限公司 Method and device for transmitting multicast data
CN103812959B (en) * 2012-11-15 2017-05-31 中国电信股份有限公司 Manage the method and system of IP address concentratedly
US20160191371A1 (en) * 2013-08-29 2016-06-30 Yogesh Banwarilal Dujodwala Automatically Configuring A Virtual Router
CN104702708B (en) * 2013-12-06 2018-04-27 华为技术有限公司 Obtain method, equipment, system and the network virtualization endpoint of ARP information
CN104954255B (en) * 2014-03-24 2019-12-24 中兴通讯股份有限公司 VPN message processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1414749A (en) * 2002-08-23 2003-04-30 华为技术有限公司 Three layer virtual private network and its construction method
US20040151181A1 (en) * 2003-02-04 2004-08-05 Chu Thomas P. Methods and systems for providing MPLS-based layer-2 virtual private network services
US20050190757A1 (en) * 2004-02-27 2005-09-01 Cisco Technology Inc. Interworking between Ethernet and non-Ethernet customer sites for VPLS

Also Published As

Publication number Publication date
CN100514929C (en) 2009-07-15
CN1921441A (en) 2007-02-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07816926

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07816926

Country of ref document: EP

Kind code of ref document: A1