
CN100446503C - A method and device for enhancing VPN network optimization - Google Patents


Info

Publication number
CN100446503C
Authority
CN
China
Prior art keywords
vpn
network
data frame
port
network device
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2005100564166A
Other languages
Chinese (zh)
Other versions
CN1838633A (en)
Inventor
于洋
王玮
张海涛
庄国强
张检锋
彭昆成
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CNB2005100564166A priority Critical patent/CN100446503C/en
Priority to PCT/CN2005/002067 priority patent/WO2006094440A1/en
Publication of CN1838633A publication Critical patent/CN1838633A/en
Application granted granted Critical
Publication of CN100446503C publication Critical patent/CN100446503C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an enhanced VPN network optimization method for carrying a private network's VLAN transparently across a public network to the other private networks it needs to reach. The method comprises the following steps: (1) at the network device ingress port, map the VLAN tag on the user data frame to a VPN ID according to the physical ingress port; (2) forward the processed user data frame within the operator network; (3) at the network device egress port, map the data frame carrying the VPN ID to a data frame carrying the user VLAN tag according to the physical egress port, and forward it. The present invention can realize 4K*4K VPNs; the service type marker used inside a VPN can be represented with two VLAN tags; and no switch with MPLS capability is required, while configuration can be centralized on a single device.

Description

A method and device for enhanced VPN network optimization

Technical field

The present invention relates to the field of network communication technology, and in particular to a method and device for enhanced VPN (Virtual Private Network) network optimization.

Background

A local area network on a single physical medium can be divided into multiple VLANs (Virtual Local Area Networks). VLANs cannot access each other directly, only through a routing device, which improves the security and reliability of the network. VPN (Virtual Private Network) technology carries private networks over a public network; it connects private networks at different locations and is a cheap and efficient method. The Layer 2 VPN technologies in common use today are V-switch (VLAN switching, a technique that forwards by swapping VLAN tags), QinQ (two-layer IEEE 802.1Q tag encapsulation, that is, applying two VLAN tags to one packet, also called 802.1Q tunneling), and VPN technology based on MPLS (Multi-Protocol Label Switching).

V-switch is a simple VPN technology. Its basic principle is to directly swap the one or two VLAN tags of an Ethernet frame arriving at the ingress port for the corresponding VLAN tags of the egress port. Specifically, the Layer 2 switching device replaces the one or two VLAN tags belonging to a particular VPN, carried by a frame arriving at the ingress port, with new one or two VLAN tags belonging to another LAN in the same VPN, and then sends the frame out of the output port. In this way, LANs in different regions that use different VLAN tags are combined into one large VPN network.

However, implementing a VPN with V-switch has the following disadvantages: (1) it can only realize point-to-point VPNs; (2) multi-hop traversal of the operator's network must be configured manually, so when traffic has to cross several of the operator's devices, each device must be configured separately; it is not possible to configure only at the entrance of the operator's network and then rely on self-routed forwarding; (3) VPN user traffic is not actually switched, that is, no MAC address learning or MAC address forwarding is performed for VPN users.

QinQ is another simple VPN technology. It is a Layer 2 technique that uses two layers of IEEE 802.1Q tag encapsulation: a public-network VLAN tag is added outside the private-network VLAN tag already in use, so that the private network's VLAN can be carried transparently across the public network to the other private networks it needs to reach. Because it implements a simple VPN function without any additional signaling support and can combine LANs (Local Area Networks) in several scattered regions into one large VPLS (Virtual Private LAN Service), it is very simple and convenient.

However, this technique can only use one VLAN tag to identify a user VPN; it cannot support cases where two VLAN tags are needed to determine a user VPN, and in real network deployments there are many places where two VLAN tags are needed to identify a user. In addition, of the two VLAN tags encapsulated by QinQ, the outer VLAN tag is supplied by the operator and identifies the VPN, while the inner VLAN tag is supplied by the user and identifies the type of service inside each VPN. Consequently the configuration of a VPN and its service types must be completed jointly by the operator and the enterprise network, and cannot be done centrally by one party. Furthermore, each VLAN tag is defined by 12 bits and is global, so each port can only support 4096 VPNs.

MPLS-based VPN technology is implemented with MPLS labels. User service frames are transmitted as ordinary Ethernet frames inside the CE (Customer Edge) device. After they enter the operator's PE (Provider Edge) device, the PE looks up the forwarding table using the user's VLAN information and destination MAC to obtain a two-level MPLS label; from this two-level MPLS label it obtains the next-hop destination MAC and VLAN information, encapsulates the frame, and sends it out of the corresponding transmit port of the device to the peer PE. Table 1 below shows a normal user data frame and Table 2 an MPLS data frame.

Table 1: Normal user data frame

[Figure C20051005641600062: frame layouts of Table 1 and Table 2; image not reproduced]

Table 2: MPLS data frame

When the MPLS-encapsulated packet arrives at the peer PE device, the PE removes the two MPLS labels, obtains from the inner of the two labels the final egress port for this VPN user service on that device, and sends the user VPN's Layer 2 Ethernet frame out of the corresponding physical egress port unchanged.

However, MPLS-based VPN technology requires the devices to support MPLS labels, which places higher demands on the equipment. In addition, it requires that the marker identifying a given service inside a given VPN be globally uniform; the VLAN value used as the service marker cannot differ between locations (that is, between different egress ports of the devices), which makes VPN deployment difficult. Finally, because the VPN identifier and the service identifiers inside the VPN are configured by the operator and the enterprise customer respectively, here too the configuration cannot be completed centrally by one party.

Summary of the invention

The object of the present invention is to overcome the defects and shortcomings of the prior art described above and to provide a new method and device for enhanced VPN network optimization.

To this end, the present invention provides an enhanced VPN network optimization method for carrying a private network's VLAN transparently across a public network to the other private networks it needs to reach, where the public network includes at least one network device ingress port and one network device egress port. The method comprises the following steps:

(1) at the network device ingress port, map the user VLAN tag on the user data frame to a VPN ID according to the mapping table configured at the physical ingress port;

(2) forward the processed user data frame within the public network;

(3) at the network device egress port, map the data frame carrying the VPN ID to a data frame carrying the user VLAN tag according to the mapping table configured at the physical egress port, and forward it.

The mapping in step (1) specifically comprises:

(11) at the network device ingress port, configure a mapping table that associates the VPN ID with the user VLAN tag and the ingress port number;

(12) when the network device ingress port receives a data frame carrying a user VLAN tag, look it up in the mapping table;

(13) according to the lookup result, replace the user VLAN tag carried in the data frame with the VPN ID.

The mapping in step (3) specifically comprises:

(31) at the network device egress port, configure a mapping table that associates the VPN ID and the egress port number with the user VLAN tag;

(32) when the network device egress port receives a data frame carrying a VPN ID, look it up in the mapping table;

(33) according to the lookup result, replace the VPN ID carried in the data frame with the user VLAN tag.

The VPN ID is a new one-layer or two-layer VLAN tag; the network device may be a switch or a router.

The present invention also provides a network device for carrying out the above method. It has a CPU and a commercial forwarding chip, and a conversion module is additionally placed in front of the commercial forwarding chip, wherein:

at each physical ingress port of the network device, the module replaces the user VLAN tag carried in the data frame with the new VPN ID according to the configured mapping table from user VLAN tag and ingress port number to VPN ID, recalculates the CRC, and hands the frame to the commercial ASIC behind it for subsequent forwarding;

at the corresponding physical egress port of the network device, the module regenerates a data frame carrying the VPN user's user VLAN tag from the data frame carrying the VPN ID, according to the configured mapping table from VPN ID and egress port number to user VLAN tag, and hands it to the commercial forwarding chip for forwarding.

The VPN ID may be a new one-layer or two-layer VLAN tag; before the processed data frame is handed to the commercial forwarding chip for forwarding, the conversion module must also recalculate the CRC; the network device may be a switch or a router. Compared with the prior art, because the present invention supports representing the VPN ID with two VLAN tags in the Layer 2 data frame, it can realize 4K*4K VPNs, greatly expanding the number of VPNs and providing good support for a growing number of VPN users. At the same time, configuring mapping tables separately at the ingress and egress ports makes it possible to change the value of the user VLAN tag, so that the service type marker inside one VPN can take different forms at different physical ports (corresponding to different physical locations), and configuration can be centralized on a single device, which simplifies network deployment. Finally, the point-to-multipoint VPN method provided by the present invention does not require switches with MPLS capability and can be applied to the many low- and mid-range devices in use today, greatly reducing the operator's costs.

Brief description of the drawings

The accompanying drawing is a schematic diagram of the internal hardware structure of a device according to the present invention.

Detailed description

To help understand the present invention, it is further explained below with reference to specific embodiments. Naturally, these embodiments are only illustrative and typical examples of the invention and do not limit the scope of protection claimed.

The typical implementation of the enhanced VPN network optimization method provided by the present invention comprises three main steps: operator-network ingress port processing, forwarding within the operator network, and operator-network egress port processing. An operator is used as the example here to better illustrate a realistic scenario; the operator network may be any network with Layer 2 VPN capability. The ingress and egress ports of the operator network may be physical ports on different network devices in the same network, different physical ports on the same network device, or even the same physical port on the same network device; the network device here is generally a switch or a router.

First, the ingress port processing of the operator network in the present invention is described in detail.

On the physical ingress ports of the switch at the edge of the operator network that connects to the user network, a table is added to identify the VPN user and replace the VLAN tags. The input of this table is the ingress port of the user VPN data frame and the one or two VLAN tags it carries; the output of the lookup is another one or two VLAN tags, used by the operator, that represent the VPN identifier. Note that the table may be configured manually or built by other means, as long as the logical mapping described above is achieved. If the replaced Layer 2 frame carries one VLAN tag, 4096 VPNs are supported; if it carries two VLAN tags, 4K*4K VPNs are supported.

Table 3 is an example of an operator ingress port mapping table.

[Figure C20051005641600101: contents of Table 3; image not reproduced]

The one or two replacement VLAN tags represent the VPN's VPN ID, which must be uniform throughout the operator's internal network. The VPN ID here is a logical concept. For example, in Table 3 the double VLAN tag of the user on physical ingress port 1 is mapped to 301 and 302, which represent the VPN identifier; 301+302 together form the VPN ID, call it VPN1. The double VLAN tag arriving at physical ingress port 3 is also mapped to 301+302, that is, VPN1, so in Table 3 the users represented by physical ingress ports 1 and 3 belong to the same VPN.

Because the VLAN tags before replacement depend on the configuration of the specific ingress port, VLAN tags from several different ports may be mapped to the same VPN ID.

Next, forwarding within the operator network takes place. During forwarding inside the operator network, self-learning forwarding is performed according to the converted VLAN identifier until the frame reaches the egress of the operator network. This process is no different from forwarding inside an ordinary operator-provided Layer 2 VPN and is not described further here.

Next, the operator egress port processing is described in detail.

In the egress direction of the operator's double-VLAN-tag VPN switch, a table is added to convert the VPN identifier used by the operator to the VLAN identifier used by the user. The input of this table is the one or two VLAN tags representing the VPN ID; the output is the user-facing VLAN tag (one or two layers) of that VPN on that output port.

Table 4 is an example of an operator egress port mapping table.

This table in the output direction is also configured per physical egress port, that is, for the same VPN ID the translated two-layer user VLAN tags may differ on different physical output ports.

Note that the technical solution provided by the present invention supports data frames with one or two VLAN tags. If the tag after replacement by the operator-network ingress port table has only one layer, and MAC address learning and forwarding are then performed on that single tag, only 4096 VPNs can be supported; all chips currently on the market can do this. If, however, the tag after replacement by the ingress port table has two layers, and MAC address learning and forwarding are then performed on both tags, 4096*4096 VPNs can be supported. This places higher demands on the forwarding chip of the devices connecting the operator network with the user network, which ordinary network switching equipment, in particular switches with commercial L2/L3 forwarding chips, cannot meet.

To this end, the present invention provides a device dedicated to implementing the method of the present invention. The internal structure of a device that implements the method of providing point-to-multipoint Layer 2 VPNs with double VLAN tags is described in detail below with reference to the accompanying drawing.

Current commercial L2/L3 switch forwarding chips all support VLAN-based forwarding. Therefore, as shown in Figure 1, the present invention adds a conversion module in front of the forwarding chip to support forwarding of user data frames with double VLAN tags. The conversion module here may be implemented in hardware or in software.

The specific functions of this module are as follows. In the ingress direction of each physical port of the switch, the two VLAN tags are mapped to a new VLAN representing the Layer 2 VPN ID according to the CPU-configured mapping table from two-layer VLAN tags to one-layer (or two-layer) VLAN tags; the CRC is then recalculated and the frame is handed to the commercial ASIC behind it for subsequent forwarding. At the egress of each GE (Gigabit Ethernet) port, the two user tags are regenerated from the new VLAN tag representing the Layer 2 VPN ID according to the mapping table the CPU has configured on each port; the CRC is recalculated and the frame is sent out.
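As an added illustration (not code from the patent or from H3C), the following Python model implements the ingress mapping of steps (11)-(13), the egress mapping of steps (31)-(33) and the FCS recalculation of the conversion module on real 802.1Q frame bytes. The VPN ID 301+302 on ports 1 and 3 follows the Table 3 example; the user-side VLAN IDs, the second VPN, the egress ports and the frame contents are constructed for this example.

```python
import struct
import zlib

TPID = 0x8100  # IEEE 802.1Q Tag Protocol Identifier


def fcs(body):
    """Ethernet FCS: CRC-32 over the frame body, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, vids, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame carrying 0, 1 or 2 802.1Q tags (PCP/DEI = 0)
    and append a freshly computed FCS."""
    body = dst + src
    for vid in vids:
        body += struct.pack("!HH", TPID, vid & 0x0FFF)
    body += struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def parse_frame(frame):
    """Split a frame into (dst, src, [vids], ethertype, payload).
    Raises ValueError if the FCS does not match (corrupt or altered frame)."""
    body, trailer = frame[:-4], frame[-4:]
    if trailer != fcs(body):
        raise ValueError("FCS mismatch")
    dst, src, off = body[:6], body[6:12], 12
    vids = []
    # The patent deals with one or two tags, so stop after two.
    while len(vids) < 2 and struct.unpack("!H", body[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", body[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", body[off:off + 2])[0]
    return dst, src, vids, ethertype, body[off + 2:]


# Ingress table (steps 11-13): (ingress port, user VLAN tags) -> VPN ID.
# VPN ID 301+302 on ports 1 and 3 is the patent's Table 3 example; the
# user-side VIDs and the second VPN are constructed for this illustration.
INGRESS_TABLE = {
    (1, (10, 20)): (301, 302),   # port 1, user double tag 10/20 -> VPN1
    (3, (55, 66)): (301, 302),   # port 3, different user tags   -> VPN1 too
    (2, (10, 20)): (400, 401),   # same user tags on port 2 are another VPN
}

# Egress table (steps 31-33): (VPN ID, egress port) -> user VLAN tags.
# The same VPN ID may be rendered with different (even single) tags per port.
EGRESS_TABLE = {
    ((301, 302), 3): (55, 66),
    ((301, 302), 7): (77,),
    ((400, 401), 5): (10, 20),
}


def ingress_process(port, frame, table=INGRESS_TABLE):
    """Step (1): replace the user VLAN tags with the VPN ID for this port.
    A (port, tags) pair with no entry belongs to no configured VPN and is
    dropped (None) rather than admitted into the operator network."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    vpn_id = table.get((port, tuple(vids)))
    if vpn_id is None:
        return None
    # Rebuilding the frame recomputes the FCS, as the conversion module must.
    return build_frame(dst, src, vpn_id, ethertype, payload)


def egress_process(port, frame, table=EGRESS_TABLE):
    """Step (3): replace the VPN ID with the user VLAN tags for this port."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    user_tags = table.get((tuple(vids), port))
    if user_tags is None:
        return None
    return build_frame(dst, src, user_tags, ethertype, payload)


def tags_of(frame):
    """The VLAN IDs carried by a frame, outer tag first."""
    return parse_frame(frame)[2]


def demo():
    """Walk one constructed frame from ingress port 1 through the operator
    network to egress ports 3 and 7; returns what each stage observed."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    user_frame = build_frame(dst, src, (10, 20), payload=b"constructed payload")
    core_frame = ingress_process(1, user_frame)   # tags become 301/302
    out3 = egress_process(3, core_frame)           # becomes 55/66
    out7 = egress_process(7, core_frame)           # becomes the single tag 77
    stray = ingress_process(4, user_frame)         # port 4 has no mapping
    return {
        "user": tags_of(user_frame),
        "core": tags_of(core_frame),
        "port3": tags_of(out3),
        "port7": tags_of(out7),
        "dropped": stray is None,
        "payload_intact": parse_frame(out3)[4] == b"constructed payload",
    }


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage}: {value}")
```

The lookup is keyed on both port and tags, so the same user tags arriving on an unconfigured port are not admitted, which is the isolation property the per-port tables provide.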

The FPGA (Field Programmable Gate Array) in the conversion module does simple work (mapping and CRC) and is low in cost. Because the tables are configured per physical port, the FPGA only needs to perform ingress/egress conversion on the ports that support double-VLAN-tag VPNs, rather than on all ports.

In summary, the method and device provided by the present invention enhance the functions of existing Layer 2 VPN networks at relatively low cost; in particular, they can process Layer 2 Ethernet frames with double VLAN tags and realize 4K*4K VPNs, while the network configuration method is more flexible and simpler.

Claims (9)

1. An enhanced VPN network optimization method for carrying a private network's VLAN transparently across a public network to the other private networks it needs to reach, where the public network includes at least one network device ingress port and one network device egress port, characterized in that the method comprises the following steps:
(1) at the network device ingress port, map the user VLAN tag on the user data frame to a VPN ID according to the mapping table configured at the physical ingress port;
(2) forward the processed user data frame within the public network;
(3) at the network device egress port, map the data frame carrying the VPN ID to a data frame carrying the user VLAN tag according to the mapping table configured at the physical egress port, and forward it.

2. The method according to claim 1, characterized in that the mapping in step (1) specifically comprises:
(11) at the network device ingress port, configure a mapping table that associates the VPN ID with the user VLAN tag and the ingress port number;
(12) when the network device ingress port receives a data frame carrying a user VLAN tag, look it up in the mapping table;
(13) according to the lookup result, replace the user VLAN tag carried in the data frame with the VPN ID.

3. The method according to claim 1, characterized in that the mapping in step (3) specifically comprises:
(31) at the network device egress port, configure a mapping table that associates the VPN ID and the egress port number with the user VLAN tag;
(32) when the network device egress port receives a data frame carrying a VPN ID, look it up in the mapping table;
(33) according to the lookup result, replace the VPN ID carried in the data frame with the user VLAN tag.

4. The method according to claim 2 or 3, characterized in that the VPN ID is a new one-layer or two-layer VLAN tag.

5. The method according to any one of claims 1 to 3, characterized in that the network device is a switch or a router.

6. A network device for implementing the method of claim 1, having a CPU and a commercial forwarding chip, characterized in that a conversion module is additionally placed in front of the commercial forwarding chip, wherein:
at each physical ingress port of the network device, the module replaces the user VLAN tag carried in the data frame with the new VPN ID according to the configured mapping table from user VLAN tag and ingress port number to VPN ID, recalculates the CRC, and hands the frame to the commercial ASIC behind it for subsequent forwarding;
at the corresponding physical egress port of the network device, the module regenerates a data frame carrying the user VLAN tag from the data frame carrying the VPN ID, according to the configured mapping table from VPN ID and egress port number to user VLAN tag, and hands it to the commercial forwarding chip for forwarding.

7. The network device according to claim 6, characterized in that the VPN ID is a new one-layer or two-layer VLAN tag.

8. The network device according to claim 6 or 7, characterized in that before the data frame processed at the physical egress port is handed to the commercial forwarding chip for forwarding, the conversion module must recalculate the CRC.

9. The network device according to claim 6 or 7, characterized in that the network device is a switch or a router.
CNB2005100564166A 2005-03-08 2005-03-22 A method and device for enhancing VPN network optimization Expired - Fee Related CN100446503C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100564166A CN100446503C (en) 2005-03-22 2005-03-22 A method and device for enhancing VPN network optimization
PCT/CN2005/002067 WO2006094440A1 (en) 2005-03-08 2005-12-01 A method of virtual local area network exchange and the network device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100564166A CN100446503C (en) 2005-03-22 2005-03-22 A method and device for enhancing VPN network optimization

Publications (2)

Publication Number Publication Date
CN1838633A CN1838633A (en) 2006-09-27
CN100446503C true CN100446503C (en) 2008-12-24

Family

ID=37015890

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100564166A Expired - Fee Related CN100446503C (en) 2005-03-08 2005-03-22 A method and device for enhancing VPN network optimization

Country Status (1)

Country Link
CN (1) CN100446503C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101087236B (en) * 2007-08-09 2010-06-02 杭州华三通信技术有限公司 VPN access method and device
CN101345711B (en) * 2008-08-13 2012-08-08 成都市华为赛门铁克科技有限公司 Packet processing method, fire wall equipment and network security system
CN101588305B (en) * 2009-06-30 2012-02-08 杭州华三通信技术有限公司 message handling method carried with multilayer labels and an exchanger
CN105337851B (en) * 2014-07-02 2018-11-27 新华三技术有限公司 A kind of message processing method and ports-Extending plate
CN105991436B (en) * 2015-02-12 2020-02-07 中兴通讯股份有限公司 Transmission processing method and device for end-to-end service
CN107968749B (en) * 2017-11-21 2021-04-20 锐捷网络股份有限公司 Method for realizing QinQ route termination, switching chip and switch
CN118338332B (en) * 2024-06-12 2024-08-20 新华三技术有限公司 Data transmission method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002016640A (en) * 2000-06-30 2002-01-18 Nec Corp Routing device and virtual private network system used for the same
CN1356806A (en) * 2001-12-31 2002-07-03 刘军民 Data forwarding method for implementing virtual channel transmission in LAN
CN1371202A (en) * 2002-02-28 2002-09-25 威盛电子股份有限公司 Data packet transmission method and network switch applying the method
US20030154259A1 (en) * 2002-02-08 2003-08-14 Marc Lamberton Method of providing a virtual private network service through a shared network, and provider edge device for such network
CN1503514A (en) * 2002-11-21 2004-06-09 华为技术有限公司 Method for realizing virtual specific network in ATM network

Also Published As

Publication number Publication date
CN1838633A (en) 2006-09-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081224