
CN111740961B - Communication method and device - Google Patents


Info

Publication number: CN111740961B
Authority: CN (China)
Prior art keywords: savi, border router, attribute, interface, network segment
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010454475.3A
Other languages: Chinese (zh)
Other versions: CN111740961A (en)
Inventor: 李�昊
Current Assignee: Beijing H3C Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing H3C Technologies Co Ltd
Priority date: assumed, not a legal conclusion (Google has not performed a legal analysis)
Events: application filed by Beijing H3C Technologies Co Ltd; priority to CN202010454475.3A; publication of CN111740961A; application granted; publication of CN111740961B; legal status Active; anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/12: Applying verification of the received information
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/02: Topology update or discovery
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/02: Topology update or discovery
    • H04L45/04: Interdomain routing, e.g. hierarchical routing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a communication method and device. The method is applied to a border router and comprises the following steps: receiving a Link Layer Discovery Protocol (LLDP) message sent by an access switch, where the LLDP message includes a first attribute indicating whether the access switch has enabled source address validity check (SAVI); and sending, according to the first attribute, a first route notification message to an inter-domain border router, where the first route notification message includes a second attribute indicating whether the network segment corresponding to the interface address of the first interface is protected by SAVI, so that the inter-domain border router sends a second route notification message to an exit gateway, the second route notification message including the network segment information protected by SAVI.

Description

Communication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method and apparatus.
Background
Network security is currently an important concern, and attackers often disguise themselves as other, innocent users when launching network attacks. So that network traffic or attack behaviour can be traced accurately, Source Address validity verification (SAVI) technology is deployed to prevent a network user from imitating the IP addresses of other network users.
The SAVI technology works as follows. A message interception function is enabled in the access switch, and by intercepting ND messages and DHCP messages the access switch creates binding table entries, each comprising an IP address field, a MAC address field and a switch port field. When the access switch receives a network message sent by a user terminal, it checks against the binding table whether the source address of the message is legal. If user terminal A imitates the IP address of user terminal B, the network message sent by user terminal A carries IP (B), MAC (A) and Port (A); the check fails because the binding table entry for IP (B) in the access switch is IP (B), MAC (B) and Port (B), which does not match the MAC (A) and Port (A) carried in the message.
In actual networking, SAVI is typically deployed step by step, so a network may contain one sub-network (network segment) that has deployed SAVI and is protected by it, and another sub-network (network segment) that has not deployed SAVI and is not protected by it. As shown in fig. 1, assume that subnet 1 and subnet 3 deploy SAVI and subnet 2 does not; the egress gateway then processes network packets from the subnets in which SAVI is deployed (subnet 1 and subnet 3) with high priority, while packets from subnet 2 are given reduced priority and their processing is delayed.
Following this example, the egress gateway needs to know which network segments in the networking have SAVI deployed and are protected by it, so that it can create a corresponding message processing policy. At present, the SAVI deployment status of each access switch can be collected by deploying an SDN controller, with each access switch that deploys SAVI corresponding to a subnet (network segment). The controller then conveys the collected SAVI deployment information to the exit gateway, which establishes its message processing policy.
However, the conventional method has the following drawbacks: first, a large-scale network requires a large number of access switches, and communication between these many access switches and the SDN controller occupies excessive network bandwidth; second, as SAVI deployment advances and the networking is adjusted, the range of trusted network segments changes dynamically, and because the access switches are numerous and come from multiple manufacturers, management and deployment become more difficult.
Disclosure of Invention
In view of this, the present application provides a communication method and apparatus, so as to solve the problems of bandwidth waste, increased management burden and difficult deployment in the prior art.
In a first aspect, the present application provides a communication method, which is applied to a border router, and the method includes:
receiving a Link Layer Discovery Protocol (LLDP) message sent by an access switch through a first interface, wherein the LLDP message comprises a first attribute, and the first attribute is used for indicating whether the access switch starts source address validity check (SAVI) or not;
and sending a first route notification message to an inter-domain border router according to the first attribute, wherein the first route notification message comprises a second attribute, and the second attribute is used for indicating whether a network segment corresponding to an interface address of the first interface is correspondingly protected by the SAVI or not, so that the inter-domain border router sends a second route notification message to an exit gateway, and the second route notification message comprises the network segment correspondingly protected by the SAVI.
In a second aspect, the present application provides a communication apparatus, which is applied to a border router, and includes:
a receiving unit, configured to receive, through a first interface, an LLDP message sent by an access switch, where the LLDP message includes a first attribute, and the first attribute is used to indicate whether the access switch starts a source address validity check SAVI;
a sending unit, configured to send a first route advertisement message to an inter-domain border router according to the first attribute, where the first route advertisement message includes a second attribute, and the second attribute is used to indicate whether a network segment corresponding to an interface address of the first interface is protected by the corresponding SAVI, so that the inter-domain border router sends a second route advertisement message to an egress gateway, where the second route advertisement message includes the network segment protected by the corresponding SAVI.
In a third aspect, the present application provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method provided by the first aspect of the present application.
Therefore, by applying the communication method and the communication device provided by the present application, the border router receives, through the first interface, an LLDP message that is sent by the access switch and includes the first attribute, where the first attribute indicates whether the access switch has enabled the source address validity check SAVI. If the border router determines from the first attribute that SAVI is enabled on the access switch, the border router sends a first route notification message including a second attribute to the inter-domain border router, where the second attribute indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI, so that the inter-domain border router sends a second route notification message carrying the SAVI-protected network segment to the exit gateway. The exit gateway generates the set of all legal network segments from the second route notification message. This solves the bandwidth waste caused in the prior art by the communication between a large number of access switches and SDN controllers, and the increased management burden and deployment difficulty caused by the access switches being numerous and belonging to multiple manufacturers.
Drawings
Fig. 1 is a schematic networking diagram of a deployed SAVI technology provided in the prior art;
fig. 2 is a flowchart of a communication method according to an embodiment of the present application;
fig. 3 is a schematic networking diagram of a deployment SAVI technology provided in an embodiment of the present application;
fig. 4 is a structural diagram of a communication device according to an embodiment of the present application;
fig. 5 is a hardware structure diagram of a network device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The following describes the communication method provided in the embodiments of the present application in detail. Referring to fig. 2, fig. 2 is a flowchart illustrating a communication method according to an embodiment of the present application. The method is applied to the border router. The communication method provided by the embodiment of the application can comprise the following steps.
Step 210, receiving, through a first interface, an LLDP message sent by an access switch, where the LLDP message includes a first attribute, and the first attribute is used to indicate whether the access switch starts a source address validity check SAVI.
Specifically, fig. 3 is a networking schematic diagram of the deployed SAVI technology provided in the embodiment of the present application. The networking comprises access switches, border routers, inter-domain border routers and an exit gateway. Each subnet comprises at least one access switch, which may specifically be a layer-2 switch, an access controller (AC), or the like. The access switch is directly connected to the border router. Both the access switch and the border router have the Link Layer Discovery Protocol (LLDP) enabled, and the access switch reports through LLDP whether it has itself enabled SAVI.
The border router and the inter-domain border router in the Autonomous System (AS) in which the border router is located advertise routes to each other using an Interior Gateway Protocol (IGP) or the Internal Border Gateway Protocol (IBGP).
In fig. 3, the border routers are RA, RB and RC; the inter-domain border routers are RE and RF; the egress gateway is X.
In the embodiment of the present application, when a certain subnet (e.g., subnet 1) deploys SAVI, the access switch in that subnet turns on LLDP and generates an LLDP message. The LLDP message includes a first attribute, which indicates whether the access switch has enabled SAVI.
The LLDP message includes a destination MAC address field, a source MAC address field, a message Type field, a Data field and a Frame Check Sequence (FCS) field. The Data field carries a Link Layer Discovery Protocol Data Unit (LLDPDU). The LLDPDU is composed of a number of TLVs (Type-Length-Value), each of which represents one item of attribute information of the access switch. The access switch encapsulates the attribute information of whether SAVI is enabled into TLV format, and the TLV is then included in the LLDPDU.
It should be noted that, in the embodiment of the present application, the access switch generates the LLDP message similarly to the existing generation process, and a detailed description thereof is omitted here.
Further, after receiving the LLDP packet sent by the access switch through the first interface, the border router obtains the first attribute from the LLDP packet and determines from it whether the access switch has enabled SAVI. The border router acquires the interface address of the first interface and determines the network segment corresponding to that interface address.
If the border router determines that the access switch has enabled SAVI, the border router determines that the network segment corresponding to the interface address of the first interface connected to the access switch is protected by SAVI. If the border router determines that the access switch has not enabled SAVI, the border router determines that the network segment corresponding to the interface address of the first interface connected to the access switch is not protected by SAVI.
Step 220, according to the first attribute, sending a first route notification message to an inter-domain border router, where the first route notification message includes a second attribute, and the second attribute is used to indicate whether a network segment corresponding to an interface address of the first interface is protected by the SAVI, so that the inter-domain border router sends a second route notification message to an egress gateway, where the second route notification message includes the network segment protected by the SAVI.
Specifically, after obtaining the first attribute, the border router determines from it whether the access switch has enabled SAVI, and generates a first route advertisement message. The first route notification message includes a second attribute, which indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI.
The border router sends the first route notification message to the inter-domain border router. After receiving the first route notification message, the inter-domain border router determines from the second attribute which network segment is protected by SAVI, and generates a second route notification message that includes the SAVI-protected network segment.
The inter-domain border router sends the second route notification message to the exit gateway. After receiving the second route notification message, the exit gateway determines the SAVI-protected network segment and generates the set of SAVI-protected network segments.
Further, in this step, the border router is within the same AS as the inter-domain border router. The border router sends the first route notification message to the inter-domain border router as follows: the border router sends the first route notification message using an Interior Gateway Protocol (IGP), where the first route notification message includes a Tag field whose value indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI.
Alternatively, the border router sends the first route advertisement message to the inter-domain border router as follows: the border router sends the first route notification message using IBGP, where the first route notification message includes an extended community attribute field whose value indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI.
It is understood from the foregoing that, in the embodiment of the present application, the second attribute may specifically be a Tag field or an extended community attribute field.
After receiving the first route notification message sent by the border router using IGP or IBGP, the inter-domain border router determines the SAVI-protected network segment from the value of the Tag field or the value of the extended community attribute field.
Further, in this step, the inter-domain border router and the egress gateway are in different ASs; the second route notification message is sent by the inter-domain border router using the Border Gateway Protocol (BGP) and includes an extended community attribute field whose value indicates the SAVI-protected network segment.
Therefore, by applying the communication method provided by the present application, the border router receives, through the first interface, an LLDP message that is sent by the access switch and includes the first attribute, where the first attribute indicates whether the access switch has enabled the source address validity check SAVI. If the border router determines from the first attribute that SAVI is enabled on the access switch, the border router sends a first route notification message including a second attribute to the inter-domain border router, where the second attribute indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI, so that the inter-domain border router sends a second route notification message carrying the SAVI-protected network segment to the exit gateway. The exit gateway generates the set of all legal network segments from the second route notification message. This solves the bandwidth waste caused in the prior art by the communication between a large number of access switches and SDN controllers, and the increased management burden and deployment difficulty caused by the access switches being numerous and belonging to multiple manufacturers.
Optionally, in this embodiment of the present application, before the border router sends the first route advertisement packet to the inter-domain border router, the method further includes a process of determining, by the border router, a legal network segment correspondingly protected by the SAVI.
Specifically, after the border router determines from the first attribute whether the access switch has enabled SAVI, the border router acquires the interface address of the first interface, that is, the address of the interface that directly connects the border router to the access switch. The border router determines the network segment corresponding to that interface address and, according to the first attribute, whether that network segment is protected by SAVI. For example, if the access switch has enabled SAVI, the border router determines that the network segment corresponding to the interface address is protected by SAVI; if the access switch has not enabled SAVI, the border router determines that the network segment is not protected by SAVI.
In fig. 3, after RA receives the LLDP message sent by access switch 1 in subnet 1, RA determines from the first attribute that access switch 1 has enabled SAVI. RA obtains the interface address (e.g., 11.126.1.1/16) of the first interface directly connected to access switch 1, determines the network segment in which that interface address lies (e.g., 11.126.0.0/16), and records that network segment as protected by SAVI.
Similarly, RB and RC determine whether the network segment corresponding to the interface address of the interface directly connected to their access switch is protected by SAVI.
It can be understood that, in this embodiment of the present application, if the border router determines that the network segment corresponding to the interface address of the interface directly connected to the access switch is not protected by SAVI, the border router may still send a first route advertisement message to the inter-domain border router, indicating through the value of the Tag field or of the extended community attribute field that the network segment is not protected by SAVI. For example, a Tag field value of 0 indicates that the network segment corresponding to the interface address is not protected by SAVI, and a Tag field value of 1 indicates that it is protected by SAVI.
RA, RB and RC each send a first route notification message to RE or RF. RE and RF determine, from the value of the Tag field or of the extended community attribute field, which network segments are protected by SAVI, and each generates a second route notification message that includes the SAVI-protected network segments. RE and RF then send their second route notification messages to the exit gateway X.
In one example, access switch 2 in subnet 2 has not enabled SAVI, so RB determines that the network segment corresponding to the interface address of the second interface connecting it to access switch 2 is not protected by SAVI, and RB sets the Tag field to 0 in the first route advertisement message it sends to RE. From the Tag field value, RE determines that the network segment corresponding to the interface address of the second interface on RB is not protected by SAVI. The second route advertisement message that RE sends to the egress gateway X therefore no longer carries route information for subnet 2, but only the route information for the SAVI-protected subnet 1. The exit gateway X generates the set of SAVI-protected network segments from the second route notification messages sent by RE and RF, as shown in table 1 below.
TABLE 1 SAVI-protected set of network segments

| Sub-network | SAVI enabled | Border router | Border router interface address | Corresponding network segment |
|-------------|--------------|---------------|---------------------------------|-------------------------------|
| Subnet 1    | Yes          | A             | 11.126.1.1/16                   | 11.126.0.0/16                 |
| Subnet 3    | Yes          | C             | 11.128.1.1/16                   | 11.128.0.0/16                 |
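The chain described in steps 210 and 220 and reproduced in table 1 (SAVI flag in an LLDP TLV, Tag on the first advertisement, filtered second advertisement, segment set at the egress gateway), as an added Python model that is not the patent's or H3C's code. The organizationally specific TLV layout (placeholder OUI 00:00:00, subtype 1, one flag byte) and subnet 2's interface address 11.127.1.1/16 are constructed assumptions; the page does not specify them.

```python
"""Model of the SAVI-aware route advertisement chain (added example, not the patent's code).

Constructed assumptions: the SAVI flag rides in an LLDP organizationally specific
TLV (type 127) with a placeholder OUI 00:00:00, subtype 1 and a one-byte flag;
subnet 2 is given the made-up interface address 11.127.1.1/16.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LLDP_TLV_END = 0             # end-of-LLDPDU TLV
LLDP_TLV_ORG_SPECIFIC = 127  # organizationally specific TLV
SAVI_OUI = b"\x00\x00\x00"   # placeholder OUI (assumption, not a registered value)
SAVI_SUBTYPE = 0x01          # placeholder subtype for the "SAVI enabled" attribute


def build_savi_tlv(enabled: bool) -> bytes:
    """First attribute: TLV carrying whether the access switch has enabled SAVI."""
    body = SAVI_OUI + bytes([SAVI_SUBTYPE, 1 if enabled else 0])
    header = (LLDP_TLV_ORG_SPECIFIC << 9) | len(body)  # 7-bit type, 9-bit length
    return struct.pack("!H", header) + body


def parse_lldpdu(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs of an LLDPDU; reject a TLV whose length runs past the buffer."""
    tlvs = []
    off = 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(data):
            raise ValueError("truncated TLV")
        value = data[off:off + tlen]
        off += tlen
        if ttype == LLDP_TLV_END:
            break
        tlvs.append((ttype, value))
    return tlvs


def savi_enabled(lldpdu: bytes) -> Optional[bool]:
    """Border router side of step 210: True/False from the first attribute, None if absent."""
    for ttype, value in parse_lldpdu(lldpdu):
        if (ttype == LLDP_TLV_ORG_SPECIFIC and len(value) == 5
                and value[:3] == SAVI_OUI and value[3] == SAVI_SUBTYPE):
            return value[4] == 1
    return None


@dataclass(frozen=True)
class RouteAdvert:
    prefix: str         # network segment derived from the interface address
    savi_tag: int       # second attribute: 1 = protected by SAVI, 0 = not protected
    border_router: str


def border_router_advertise(router: str, iface_addr: str, lldpdu: bytes) -> RouteAdvert:
    """Step 220: map the interface address to its segment and set the Tag from the first attribute."""
    # A missing attribute is treated as "not protected" (assumption of this example).
    tag = 1 if savi_enabled(lldpdu) else 0
    segment = ipaddress.ip_interface(iface_addr).network  # 11.126.1.1/16 -> 11.126.0.0/16
    return RouteAdvert(str(segment), tag, router)


def interdomain_forward(first_adverts: List[RouteAdvert]) -> List[RouteAdvert]:
    """Inter-domain border router: the second advertisement carries only SAVI-protected segments."""
    return [a for a in first_adverts if a.savi_tag == 1]


def egress_protected_set(second_adverts: List[RouteAdvert]) -> Set[str]:
    """Egress gateway X: the set of legal (SAVI-protected) network segments, as in table 1."""
    return {a.prefix for a in second_adverts}


def demo() -> Set[str]:
    """Reproduce table 1 for the fig. 3 topology (the subnet 2 address is constructed)."""
    end = struct.pack("!H", 0)  # end-of-LLDPDU TLV
    first = [
        border_router_advertise("A", "11.126.1.1/16", build_savi_tlv(True) + end),   # subnet 1
        border_router_advertise("B", "11.127.1.1/16", build_savi_tlv(False) + end),  # subnet 2
        border_router_advertise("C", "11.128.1.1/16", build_savi_tlv(True) + end),   # subnet 3
    ]
    return egress_protected_set(interdomain_forward(first))


if __name__ == "__main__":
    print(sorted(demo()))  # ['11.126.0.0/16', '11.128.0.0/16']
```

LLDP carries no authentication, so a border router implementing this should accept the attribute only on interfaces that face managed access switches; the model above does not enforce that.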
Based on the same inventive concept, the embodiment of the application also provides a communication device corresponding to the communication method. Referring to fig. 4, fig. 4 is a structural diagram of a communication device according to an embodiment of the present application, where the device is applied to a border router, and the device includes:
a receiving unit 410, configured to receive, through a first interface, an LLDP message sent by an access switch, where the LLDP message includes a first attribute, and the first attribute is used to indicate whether the access switch starts a source address validity check SAVI;
a sending unit 420, configured to send a first route advertisement packet to an inter-domain border router according to the first attribute, where the first route advertisement packet includes a second attribute, and the second attribute is used to indicate whether a network segment corresponding to an interface address of the first interface is protected by SAVI, so that the inter-domain border router sends a second route advertisement packet to an egress gateway, where the second route advertisement packet includes the network segment protected by SAVI.
Optionally, the apparatus further comprises: a determining unit (not shown in the figure) configured to determine whether the access switch has started the SAVI according to the first attribute;
an obtaining unit (not shown in the figure) configured to obtain an interface address of the first interface, and determine a network segment corresponding to the interface address.
Optionally, the border router and the interdomain border router are in the same autonomous system AS;
the sending unit 420 is specifically configured to send, by using an Interior Gateway Protocol (IGP), a first route advertisement packet to the inter-domain border router, where the first route advertisement packet includes a Tag field, and the value of the Tag field indicates whether a network segment corresponding to an interface address of the first interface is protected by SAVI.
Optionally, the sending unit 420 is specifically configured to send, by using the Internal Border Gateway Protocol (IBGP), a first route advertisement message to the inter-domain border router, where the first route advertisement message includes an extended community attribute field, and the value of the extended community attribute field indicates whether a network segment corresponding to an interface address of the first interface is protected by SAVI.
Optionally, the interdomain border router is in a different AS than the egress gateway;
the second route notification message is sent by the inter-domain border router using the Border Gateway Protocol (BGP), and includes an extended community attribute field whose value indicates the network segment protected by SAVI.
Therefore, by applying the communication device provided by the embodiment of the present application, the device receives, through the first interface, an LLDP message that is sent by the access switch and includes the first attribute, where the first attribute indicates whether the access switch has enabled the source address validity check SAVI. If the device determines from the first attribute that the access switch has enabled SAVI, the device sends a first route notification message including a second attribute to the inter-domain border router, where the second attribute indicates whether the network segment corresponding to the interface address of the first interface is protected by SAVI, so that the inter-domain border router sends a second route notification message carrying the SAVI-protected network segment to the exit gateway. The exit gateway generates the set of all legal network segments from the second route notification message. This solves the bandwidth waste caused in the prior art by the communication between a large number of access switches and SDN controllers, and the increased management burden and deployment difficulty caused by the access switches being numerous and belonging to multiple manufacturers.
Based on the same inventive concept, the embodiment of the present application further provides a network device, as shown in fig. 5, including a processor 510, a transceiver 520 and a machine-readable storage medium 530, where the machine-readable storage medium 530 stores machine-executable instructions that can be executed by the processor 510, and the machine-executable instructions cause the processor 510 to perform the communication method provided by the embodiment of the present application. The communication apparatus shown in fig. 4 can be implemented using the hardware structure of the network device shown in fig. 5.
The machine-readable storage medium 530 may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the machine-readable storage medium 530 may be at least one storage device located remotely from the processor 510.
The processor 510 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In the embodiment of the present application, the processor 510 reads the machine-executable instructions stored in the machine-readable storage medium 530, and the machine-executable instructions cause the processor 510 itself, and the transceiver 520 that it invokes, to perform the communication method described in the embodiments of the present application.
Additionally, embodiments of the present application provide a machine-readable storage medium 530 storing machine-executable instructions that, when invoked and executed by the processor 510, cause the processor 510 itself, and the transceiver 520 that it invokes, to perform the communication method described in the embodiments of the present application.
The implementation of the functions and actions of each unit in the above apparatus is described in detail in the implementation of the corresponding steps of the above method, and is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the present application. One of ordinary skill in the art can understand and implement this without inventive effort.
As the embodiments of the communication apparatus and the machine-readable storage medium substantially correspond to the method embodiments described above, their description is relatively brief; for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only an exemplary embodiment of the present application and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principle of the present application shall be included in its scope of protection.

Claims (10)

1. A communication method applied to a border router, the method comprising:
receiving, through a first interface, a Link Layer Discovery Protocol (LLDP) message sent by an access switch, wherein the LLDP message comprises a first attribute, and the first attribute is used to indicate whether the access switch has enabled source address validity check (SAVI);
and sending a first route advertisement message to an inter-domain border router according to the first attribute, wherein the first route advertisement message comprises a second attribute, and the second attribute is used to indicate whether a network segment corresponding to an interface address of the first interface is protected by the SAVI, so that the inter-domain border router sends a second route advertisement message to an egress gateway, the second route advertisement message comprising the network segment protected by the SAVI.
2. The method of claim 1, wherein prior to sending the first route advertisement message to the interdomain border router, the method further comprises:
determining whether the SAVI has been turned on by the access switch according to the first attribute;
and acquiring an interface address of the first interface, and determining a network segment corresponding to the interface address.
3. The method of claim 1, wherein the border router is within the same autonomous system (AS) as the inter-domain border router;
the sending of the first route advertisement message to the inter-domain border router specifically comprises:
sending the first route advertisement message to the inter-domain border router by using an Interior Gateway Protocol (IGP), wherein the first route advertisement message comprises a flag field, and the value of the flag field indicates whether the network segment corresponding to the interface address of the first interface is protected by the SAVI.
4. The method according to claim 3, wherein the sending of the first route advertisement message to the inter-domain border router specifically comprises:
sending the first route advertisement message to the inter-domain border router by using the Interior Border Gateway Protocol (IBGP), wherein the first route advertisement message comprises an extended community attribute field, and the value of the extended community attribute field indicates whether the network segment corresponding to the interface address of the first interface is protected by the SAVI.
5. The method of claim 1, wherein the inter-domain border router is within a different AS from the egress gateway;
the second route advertisement message is sent by the inter-domain border router by using the Border Gateway Protocol (BGP), and the second route advertisement message comprises an extended community attribute field whose value identifies the advertised network segment as protected by the SAVI.
6. A communication apparatus, wherein the apparatus is applied to a border router, the apparatus comprising:
a receiving unit, configured to receive, through a first interface, an LLDP message sent by an access switch, wherein the LLDP message comprises a first attribute, and the first attribute is used to indicate whether the access switch has enabled source address validity check (SAVI);
a sending unit, configured to send a first route advertisement message to an inter-domain border router according to the first attribute, wherein the first route advertisement message comprises a second attribute, and the second attribute is used to indicate whether a network segment corresponding to an interface address of the first interface is protected by the SAVI, so that the inter-domain border router sends a second route advertisement message to an egress gateway, the second route advertisement message comprising the network segment protected by the SAVI.
7. The apparatus of claim 6, further comprising:
a determining unit, configured to determine whether the access switch has started the SAVI according to the first attribute;
and the acquisition unit is used for acquiring the interface address of the first interface and determining the network segment corresponding to the interface address.
8. The apparatus of claim 6, wherein the border router is within the same autonomous system (AS) as the inter-domain border router;
the sending unit is specifically configured to send the first route advertisement message to the inter-domain border router by using an Interior Gateway Protocol (IGP), wherein the first route advertisement message comprises a flag field, and the value of the flag field indicates whether the network segment corresponding to the interface address of the first interface is protected by the SAVI.
9. The apparatus according to claim 8, wherein the sending unit is specifically configured to send the first route advertisement message to the inter-domain border router by using the Interior Border Gateway Protocol (IBGP), wherein the first route advertisement message comprises an extended community attribute field, and the value of the extended community attribute field indicates whether the network segment corresponding to the interface address of the first interface is protected by the SAVI.
10. The apparatus of claim 6, wherein the inter-domain border router is within a different AS from the egress gateway;
the second route advertisement message is sent by the inter-domain border router by using the Border Gateway Protocol (BGP), and the second route advertisement message comprises an extended community attribute field whose value identifies the advertised network segment as protected by the SAVI.
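The exchange laid out in the summary paragraph of the description and again in claims 1 to 10, worked through end to end as an added example in Python. This is not code from the patent or from H3C. The patent specifies no encoding for either attribute, so the organizationally specific LLDP TLV (OUI 00-11-22, subtype 1), the extended-community type code 0x8001 (in the experimental range), the interface addresses and the two-switch topology are all assumptions made for this example. The IBGP hop through the inter-domain border router is collapsed into a direct hand-off, since the community value is carried unchanged; SAVI here is the IETF Source Address Validation Improvement mechanism, which the page renders as "source address validity check". The security-relevant step is the last one: the egress gateway uses the set of SAVI-protected segments as the allowlist against which it checks source addresses.

```python
import ipaddress
import struct

# Constructed identifiers: the patent specifies neither an OUI/subtype for the
# LLDP attribute nor a type code for the BGP extended community, so these are
# assumptions made for this example only.
SAVI_OUI = bytes.fromhex("001122")    # assumed organizationally unique identifier
SAVI_SUBTYPE = 0x01                   # assumed subtype within that OUI
SAVI_EXTCOMM_TYPE = (0x80, 0x01)      # assumed type in the experimental range (0x80-0x8F)

TLV_END = 0
TLV_ORG_SPECIFIC = 127


def encode_lldp_savi_tlv(savi_enabled: bool) -> bytes:
    """Organizationally specific LLDP TLV (type 127): OUI | subtype | 1-byte flag."""
    info = SAVI_OUI + bytes([SAVI_SUBTYPE, 1 if savi_enabled else 0])
    header = (TLV_ORG_SPECIFIC << 9) | len(info)      # 7-bit type, 9-bit length
    return struct.pack("!H", header) + info


def parse_lldp_savi_flag(lldpdu: bytes):
    """Walk the TLV list; return the SAVI flag if present, None if the switch did not send it."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == TLV_END:
            break
        info = lldpdu[offset + 2:offset + 2 + length]
        if len(info) != length:
            raise ValueError("truncated TLV")
        if (tlv_type == TLV_ORG_SPECIFIC and length >= 5
                and info[:3] == SAVI_OUI and info[3] == SAVI_SUBTYPE):
            return info[4] == 1
        offset += 2 + length
    return None


def encode_savi_ext_community(protected: bool) -> bytes:
    """8-byte BGP extended community: type high, type low, 6-byte value (flag in the last byte)."""
    return bytes(SAVI_EXTCOMM_TYPE) + b"\x00" * 5 + bytes([1 if protected else 0])


def parse_savi_ext_community(community: bytes):
    """Return the protection flag, or None if this is not the SAVI community."""
    if len(community) != 8 or tuple(community[:2]) != SAVI_EXTCOMM_TYPE:
        return None
    return community[7] == 1


class BorderRouter:
    """Learns the SAVI state per interface from LLDP and advertises the interface's segment."""

    def __init__(self, interfaces):
        # interface name -> interface address with prefix length (constructed values)
        self.interfaces = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}

    def on_lldp(self, interface, lldpdu):
        flag = parse_lldp_savi_flag(lldpdu)
        if flag is None:
            return None                       # switch did not announce its SAVI state
        segment = self.interfaces[interface].network
        return {"prefix": str(segment), "ext_community": encode_savi_ext_community(flag)}


class EgressGateway:
    """Collects the SAVI-protected segments and uses them as the source-address allowlist."""

    def __init__(self):
        self.legal_segments = set()

    def on_route_advertisement(self, advertisement):
        if parse_savi_ext_community(advertisement["ext_community"]):
            self.legal_segments.add(ipaddress.ip_network(advertisement["prefix"]))

    def source_is_legal(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in segment for segment in self.legal_segments)


def run_example():
    """Constructed topology: two access switches, one with SAVI on and one with it off."""
    border = BorderRouter({"ge0/1": "10.1.1.1/24", "ge0/2": "10.1.2.1/24"})
    gateway = EgressGateway()
    end_tlv = b"\x00\x00"                                  # End of LLDPDU TLV
    frames = {"ge0/1": encode_lldp_savi_tlv(True) + end_tlv,
              "ge0/2": encode_lldp_savi_tlv(False) + end_tlv}
    for interface, lldpdu in frames.items():
        advertisement = border.on_lldp(interface, lldpdu)
        if advertisement is not None:
            gateway.on_route_advertisement(advertisement)  # IBGP, then BGP, collapsed here
    return gateway


if __name__ == "__main__":
    gw = run_example()
    for src in ("10.1.1.77", "10.1.2.5", "192.0.2.1"):
        print(src, "legal" if gw.source_is_legal(src) else "dropped")
```

Run it and the address from the SAVI-protected segment is accepted while the one from the unprotected segment and the one from outside the site are not. One point a practitioner would check before deploying something like this: the gateway honours the flag from whoever delivers the advertisement, and the page describes no authentication of the attribute, so the community should be accepted only from the intended inter-domain border router peering and stripped on every other session, otherwise a segment could be marked as protected without any switch actually running SAVI.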
CN202010454475.3A 2020-05-26 2020-05-26 Communication method and device Active CN111740961B (en)

Publications (2)

Publication Number Publication Date
CN111740961A CN111740961A (en) 2020-10-02
CN111740961B true CN111740961B (en) 2022-02-22


Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935004B (en) * 2020-10-12 2020-12-22 Purple Mountain Laboratories for Network Communication and Security Automatic traffic diversion extension method, router and system based on SR Policy
EP4216506A4 (en) * 2020-10-28 2024-01-24 Huawei Technologies Co., Ltd. Routing advertisement method, routing loop detection method, and device
CN114006910B (en) * 2021-10-26 2023-11-07 新华三信息安全技术有限公司 Information synchronization method and device
CN115002748B (en) * 2022-06-02 2024-02-02 Tsinghua University Address configuration method, system and network device

Citations (2)

Publication number Priority date Publication date Assignee Title
CN108881308A (en) * 2018-08-09 2018-11-23 Next Generation Internet Major Application Technology (Beijing) Engineering Research Center Co., Ltd. User terminal and authentication method, system and medium therefor
CN109089263A (en) * 2018-07-25 2018-12-25 New H3C Technologies Co., Ltd. Message processing method and device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN106487742B (en) * 2015-08-24 2020-01-03 Alibaba Group Holding Ltd. Method and device for verifying source address validity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant