Implementation method of a VLAN-based Layer 2 virtual private network
Technical field
The present invention relates to the field of communication technology, and in particular to an implementation method of a VLAN-based Layer 2 virtual private network (L2VPN).
Background technology
At present, manufacturers of LAN switches (LAN Switch) and similar network equipment, in order to gain a commercial advantage in a fiercely competitive market, select chips that are as cheap as possible while still meeting the functional requirements. Consequently, today's low-end LAN switches support only the SVL (shared VLAN learning) mode of VLAN (virtual LAN) switching.
The difference between SVL (shared VLAN learning) and IVL (independent VLAN learning) is whether MAC (media access control) address learning is separated per VLAN. Under SVL, MAC learning is independent of the VLAN: the device keeps a single, unified MAC switching table, both learning and lookup use this table, and after the MAC lookup the device decides whether to forward or drop the packet according to whether the ingress port and the egress port belong to the same VLAN. Under IVL, each VLAN has its own independent MAC switching table; MAC learning and lookup are performed separately for each VLAN, and after the lookup the packet is forwarded directly to the egress port or dropped.
The SVL mode of VLAN switching assumes that a MAC address is reachable through only one port and is unique. Such a LAN switch therefore does not learn MAC addresses by VLAN+MAC; instead it learns by global MAC (there is only one global MAC information table). It first finds the egress port by MAC lookup and then forwards according to the VLAN, replacing the VLAN+MAC switching mode while still achieving VLAN switching.
As commercial boundaries dissolve, enterprises that are constantly seeking growth distribute their branch offices to different cities and regions across the country and even the world. This raises a question: how can the branches be interconnected effectively? Enterprise owners have continually sought a communication mode that is both economical and efficient, and finally found the best solution on the Internet, namely the Layer 2 VPN (virtual private network): a Layer 2 VPN built with technologies such as MPLS (multi-protocol label switching) L2VPN can cross geographic boundaries and thereby interconnect local area networks in different regions. In practice, the widely used Layer 2 VPNs are all built on the IP telecommunication networks of telecom operators, and an IP telecommunication network, following the principle of being operable and manageable, does not allocate a physical port to each user but a "logical port", thereby maximising the utilisation of network resources. This "logical port" is the VLAN. The Layer 2 VPN of this kind that we provide to telecom operators is called a VLAN-based Layer 2 VPN, abbreviated below as VB L2VPN.
However, these VPN technologies are not perfect in every respect. If the LAN switch or DSLAM (digital subscriber line access multiplexer) supports only the SVL mode of VLAN switching and users access the LAN switch through different VLANs, VB L2VPN may not be realisable. An example follows:
Fig. 1 shows the networking structure of a VLAN-based Layer 2 VPN. In the figure, the LAN switch and the DSLAM (digital subscriber line access multiplexer) connect users through VLANs, thereby isolating users from each other; users under the same LAN switch access the telecom operator's Layer 2 VPN network through different VLANs and ports. Because a LAN switch in SVL mode cannot completely isolate users physically (the MAC layer is still shared across VLANs), consider, as shown in Fig. 1, two users (PC0, PC1) under this LAN switch with different MAC addresses (MAC0, MAC1) who access the VB L2VPN through different VLANs (VLAN0, VLAN1). When user PC0 wants to communicate with PC1, the steps are as follows:
1. First, PC0 sends a broadcast ARP (Address Resolution Protocol) request with its own MAC address (MAC0) as the source MAC and the IP address of PC1 as the target IP, on the port connected to the L2VPN;
2. Port0 of the LAN switch analyses this ARP message, learns MAC0 (the MAC address of PC0 in VLAN0) and adds an entry to the MAC switching table. Because the destination MAC address of this ARP message is the broadcast address, the switch broadcasts it to all ports; since only Port10 is in the same VLAN as Port0, the LAN switch sends the message from Port10 to the VB L2VPN in VLAN0;
3. The VB L2VPN then terminates this VLAN, learns the ARP message by saving its source MAC address in its MAC switching table, and broadcasts the ARP message to all of its interfaces, including the interface corresponding to Port10 of the LAN switch in VLAN1 (note that the VB L2VPN treats each VLAN as an independent physical interface);
4. When Port10 receives this ARP message from the VB L2VPN, it learns MAC0 again, now in VLAN1, and broadcasts the message to all interfaces of VLAN1. Because the LAN switch performs source MAC learning, when the same message is received on two ports of the same LAN switch the later message overwrites the port previously learned for that MAC, so the recorded physical location of MAC0 has been changed;
5. User PC1 receives this ARP message and determines that someone is looking for its MAC address, so it constructs an ARP reply with the MAC address of PC1 as the source MAC and the MAC address of PC0 as the destination MAC, and sends it out of the interface on which the request was received;
6. The LAN switch receives the ARP reply, learns MAC1 from the source MAC, looks up the destination MAC address MAC0 in the MAC switching table, finds that its port is Port10, and forwards the message to Port10 in VLAN1;
7. After the VB L2VPN receives the message from Port10 in VLAN1, it learns the source MAC, looks up the destination MAC in the MAC switching table to determine the port, and forwards the message to Port10 of the LAN switch in VLAN0;
8. Finally, Port10 of the LAN switch receives this ARP reply, but on analysing it finds that the destination MAC is the address learned on this very port, so it drops the packet. PC0 thus never obtains the MAC address of PC1, cannot communicate with PC1, and the VB L2VPN function cannot be realised.
This problem is caused mainly by the MAC learning mode of the LAN switch. The MAC learning modes of IVL and SVL switches differ: under IVL each VLAN learns MAC addresses separately, so when the same message is received on two ports of the same LAN switch there is no conflict as long as their VLANs differ, even if the MAC address is identical.
In summary, in the prior art a LAN switch in SVL mode combined with a VB L2VPN may be unable to provide the Layer 2 VPN function.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiency of the prior art that a LAN switch in SVL mode combined with a VB L2VPN cannot provide the Layer 2 VPN function, by providing an implementation method of a VLAN-based Layer 2 virtual private network that enables a LAN switch in SVL mode combined with a VB L2VPN to realise the Layer 2 VPN function.
The technical scheme adopted by the present invention to solve the above technical problem is as follows:
In this implementation method of a VLAN-based Layer 2 virtual private network, when users with different VLANs and different MAC addresses access the Layer 2 virtual private network through the same Layer 2 access device supporting the shared VLAN (SVL) switching mode and communicate with each other, the steps are as follows:
The local user under the Layer 2 access device sends a protocol message to find the peer user; the port of the Layer 2 access device connected to the local user analyses this message, learns the MAC address of the local user, adds an entry to the MAC switching table, and sends the message to the Layer 2 virtual private network;
The Layer 2 virtual private network terminates this VLAN, performs the MAC lookup, takes a MAC address from the reserved MAC address pool, replaces the source MAC address of the message with the new MAC address, records the mapping between the original source MAC address of the message and the new MAC address, and broadcasts the translated message to all ports of the Layer 2 access device;
The port of the Layer 2 access device connected to the Layer 2 virtual private network learns the new MAC address, so subsequent reply messages from the peer user are sent to the new MAC address, that is, back to the Layer 2 virtual private network. The Layer 2 virtual private network receives the reply message of the peer user, finds that the destination MAC of the reply message is an address from the MAC pool, looks up the original MAC address and replaces the destination MAC address of the reply message with the original MAC address; at the same time it replaces the source MAC address of this reply message with another new MAC address, records the mapping between the original source MAC address of the reply message and the new MAC address, broadcasts the translated reply message to all ports of the Layer 2 access device, and finds the egress port according to the destination MAC of the reply message;
The port of the Layer 2 access device connected to the Layer 2 virtual private network learns the new source MAC address of the reply message, and subsequent messages from the local user to the peer user are all sent to this new source MAC address, so that both the local user and the peer user believe they are communicating with the Layer 2 virtual private network, and the local user and the peer user can thereby communicate.
The protocol message is a broadcast Address Resolution Protocol message or a Dynamic Host Configuration Protocol message. The new MAC address is allocated by the Layer 2 virtual private network from the reserved MAC address pool, and the correspondence between the MAC address before translation and the MAC address after translation is maintained by the Layer 2 virtual private network.
A single MAC address may also be used as the MAC address pool, with the one-to-one mapping between the pool address and the user's original MAC address realised through the user's Layer 3 or Layer 2 information, thereby realising Layer 2 address translation. The Layer 3 or Layer 2 information is the VLAN ID or the IP address. The Layer 2 access device supporting the shared VLAN switching mode is a LAN switch or a digital subscriber line access multiplexer that supports the shared VLAN switching mode.
The beneficial effect of the present invention is that MAC address translation through a reserved MAC address pool realises Layer 2 address translation, so that, without adding equipment, the deficiency of the prior art is overcome and a LAN switch in SVL mode combined with a VB L2VPN can realise the Layer 2 VPN function; in addition, Layer 2 isolation between users is realised more effectively, making the VB L2VPN more secure.
Description of drawings
Fig. 1 is the networking structure diagram of the VLAN-based Layer 2 VPN.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments:
The present invention provides a Layer 2 address translation method that, without adding equipment, enables a LAN switch in SVL mode combined with a VB L2VPN to realise the Layer 2 VPN function.
The detailed steps of the present invention are described with reference to the networking diagram of Fig. 1. The LAN switch and the DSLAM (digital subscriber line access multiplexer) connect users through VLANs, thereby isolating users from each other; users under the same LAN switch access the telecom operator's Layer 2 VPN network through different VLANs and ports. To implement the present invention, a MAC address pool is reserved on the VLAN-based Layer 2 VPN (VB L2VPN), which supports MAC address translation. The two users PC0 and PC1 of the LAN switch have MAC addresses MAC0 and MAC1 respectively and access the VB L2VPN through different VLANs (VLAN0, VLAN1). When user PC0 wants to communicate with PC1, the steps are as follows:
1. First, PC0 sends a broadcast ARP (Address Resolution Protocol) request with its own MAC address (MAC0) as the source MAC and the IP address of PC1 as the target IP, on the port connected to the L2VPN;
2. Port0 of the LAN switch analyses this ARP message, learns MAC0 (the MAC address of PC0 in VLAN0) and adds an entry to the MAC switching table. Because the destination MAC address of this ARP message is the broadcast address, the switch broadcasts it to all ports; since only Port10 is in the same VLAN as Port0, the LAN switch sends the message from Port10 to the VB L2VPN in VLAN0;
3. The VB L2VPN then terminates this VLAN and performs the MAC lookup, determining that the message is to be forwarded to Port10 of the LAN switch in VLAN1. It takes a MAC address from the reserved MAC address pool, replaces the source MAC address of the message with the new MAC address (MAC2), and records the mapping between the original source MAC address of the message and the new MAC address (this process is called source MAC translation, SMAT); at the same time, the source MAC address carried inside protocol messages such as ARP and DHCP (Dynamic Host Configuration Protocol) is also updated to the new MAC address. The translated message is then broadcast to all interfaces, including the interface corresponding to Port10 of the LAN switch in VLAN1;
4. Port10 thus learns MAC2 in VLAN1, and the subsequent ARP reply that the user addresses to MAC0 is sent to MAC2 instead, that is, back to the VB L2VPN;
5. The VB L2VPN finds that the destination MAC address of the message is an address from the MAC pool, so it must look up the original MAC address and replace the destination MAC of the message, as well as the destination MAC address carried inside protocol messages such as ARP, with the original MAC address, that is, replace MAC2 with MAC0 (this process is called destination MAC translation, DMAT). At the same time the source MAC address of this message is subjected to the same SMAT processing, replacing the source MAC MAC1 with MAC3, and the egress port is then found according to the destination MAC of the message;
6. Port10 of the LAN switch in VLAN0 thereafter learns MAC3, and subsequent messages from user PC0 to user PC1 are sent to MAC3. At the same time, because the SVL switching mode assumes by default that the VLAN a user accesses is the VLAN in which the message is sent, it suffices to learn the port behind each MAC for MAC switching and VLAN isolation to work.
After this MAC address translation process, both users believe they are communicating with the VB L2VPN and cannot see any Layer 2 information of the peer user at all. This solves the prior-art problem that a LAN switch in SVL mode combined with a VB L2VPN cannot realise the Layer 2 VPN function.
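The ARP exchange walked through in steps 1 to 8 of the background section and in steps 1 to 6 above can be reproduced in a small simulation. The following Python model is an added example, not code from the patent or from any product. Everything in it is a constructed assumption: the switch model (one MAC table keyed on MAC only, source learning that overwrites the previously learned port, flooding by VLAN membership), the L2VPN model (one interface per (port, VLAN) pair, a reserved pool of two addresses named MAC2 and MAC3), the host addresses 10.0.0.1 and 10.0.0.2, and the ARP field names. `run_arp_exchange(False)` reproduces the prior-art failure: MAC0 is relearned on Port10 when the flooded request comes back, so the reply to MAC0 is dropped on Port10 and PC0 never fills its ARP cache. `run_arp_exchange(True)` applies SMAT on ingress and DMAT on egress (rewriting the MAC carried inside the ARP payload as well, as step 3 requires), after which PC0's ARP cache maps PC1's IP to MAC3 rather than MAC1 and the switch only ever sees pool addresses on Port10.

```python
# Added example: an SVL switch and a VB L2VPN exchanging one ARP request/reply,
# without and with SMAT/DMAT from a reserved MAC pool. Names, addresses and the
# ARP field layout are constructed for this example.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    arp: dict  # constructed ARP fields: op, sender_mac, sender_ip, target_mac, target_ip

class SvlSwitch:
    """Shared-VLAN-learning switch: a single MAC table for all VLANs, keyed on MAC only."""
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans  # port -> set of VLAN ids carried on that port
        self.mac_table = {}           # mac -> port (no VLAN in the key: this is SVL)
        self.drops = []

    def receive(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port  # source learning overwrites the old port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            outs = [p for p, v in self.port_vlans.items() if p != in_port and frame.vlan in v]
        else:
            out = self.mac_table[frame.dst_mac]
            if out == in_port:  # destination learned on the receiving port: drop (step 8)
                self.drops.append((in_port, frame.src_mac, frame.dst_mac))
                return []
            outs = [out] if frame.vlan in self.port_vlans[out] else []
        return [(p, frame) for p in outs]

class VbL2Vpn:
    """VLAN-based L2VPN: every (switch port, VLAN) pair is an independent interface."""
    def __init__(self, interfaces, pool=None):
        self.interfaces = interfaces  # list of (port, vlan)
        self.translate = pool is not None
        self.pool = list(pool or [])  # reserved MAC address pool
        self.fwd = {}                 # original mac -> interface it was learned on
        self.pool_to_orig, self.orig_to_pool = {}, {}  # SMAT/DMAT mapping, both directions

    def _smat(self, frame):  # source MAC translation: original -> pool address
        if not self.translate:
            return frame
        if frame.src_mac not in self.orig_to_pool:
            new = self.pool.pop(0)
            self.orig_to_pool[frame.src_mac], self.pool_to_orig[new] = new, frame.src_mac
        new, arp = self.orig_to_pool[frame.src_mac], dict(frame.arp)
        if arp.get("sender_mac") == frame.src_mac:  # rewrite the MAC carried inside ARP too
            arp["sender_mac"] = new
        return Frame(new, frame.dst_mac, frame.vlan, arp)

    def _dmat(self, frame):  # destination MAC translation: pool address -> original
        orig = self.pool_to_orig.get(frame.dst_mac)
        if orig is None:
            return frame
        arp = dict(frame.arp)
        if arp.get("target_mac") == frame.dst_mac:
            arp["target_mac"] = orig
        return Frame(frame.src_mac, orig, frame.vlan, arp)

    def receive(self, in_if, frame):
        self.fwd[frame.src_mac] = in_if  # learn the untranslated source on this interface
        frame = self._smat(self._dmat(frame))
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.fwd:
            outs = [i for i in self.interfaces if i != in_if]
        else:
            outs = [self.fwd[frame.dst_mac]]
        # Egress frames carry the VLAN of the interface they leave on.
        return [(port, Frame(frame.src_mac, frame.dst_mac, vlan, frame.arp)) for port, vlan in outs]

def run_arp_exchange(translate):
    """PC0 ARPs for PC1 through the switch and the L2VPN; translate selects SMAT/DMAT."""
    switch = SvlSwitch({"Port0": {0}, "Port1": {1}, "Port10": {0, 1}})
    vpn = VbL2Vpn([("Port10", 0), ("Port10", 1)], pool=["MAC2", "MAC3"] if translate else None)
    hosts = {"Port0": ("MAC0", "10.0.0.1"), "Port1": ("MAC1", "10.0.0.2")}  # constructed
    arp_caches = {"Port0": {}, "Port1": {}}

    def host_receive(port, frame):  # returns frames the host injects back into its switch port
        mac, ip = hosts[port]
        if frame.arp["op"] == "request" and frame.arp["target_ip"] == ip:
            reply = {"op": "reply", "sender_mac": mac, "sender_ip": ip,
                     "target_mac": frame.arp["sender_mac"], "target_ip": frame.arp["sender_ip"]}
            return [(port, Frame(mac, frame.src_mac, frame.vlan, reply))]
        if frame.arp["op"] == "reply" and frame.dst_mac == mac:
            arp_caches[port][frame.arp["sender_ip"]] = frame.arp["sender_mac"]
        return []

    request = {"op": "request", "sender_mac": "MAC0", "sender_ip": "10.0.0.1",
               "target_mac": "00:00:00:00:00:00", "target_ip": "10.0.0.2"}
    queue = [("Port0", Frame("MAC0", BROADCAST, 0, request))]
    while queue:
        in_port, frame = queue.pop(0)
        for out_port, out in switch.receive(in_port, frame):
            if out_port == "Port10":  # uplink: hand to the L2VPN interface for that VLAN
                queue.extend(vpn.receive((out_port, out.vlan), out))
            else:
                queue.extend(host_receive(out_port, out))
    return {"arp_caches": arp_caches, "mac_table": dict(switch.mac_table),
            "drops": switch.drops, "mapping": dict(vpn.pool_to_orig)}

if __name__ == "__main__":
    for mode in (False, True):
        print("SMAT/DMAT" if mode else "plain SVL", run_arp_exchange(mode))
```

The returned `mac_table` is the check a practitioner would look at: without translation MAC0 ends up on Port10 and the reply is recorded in `drops`; with translation MAC0 stays on Port0, MAC1 stays on Port1, and only the pool addresses MAC2 and MAC3 are learned on the uplink, which is exactly the Layer 2 isolation the embodiment claims. The `mapping` entry shows the state the L2VPN must keep per user, the Layer 2 counterpart of a NAT binding table.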
The two addresses MAC2 and MAC3 are allocated automatically by the software of the VB L2VPN, which then maintains the correspondence between the MAC addresses before and after translation. The above processing flow is similar to NAT (network address translation), except that NAT translates Layer 3 addresses whereas the present invention translates Layer 2 addresses.
The present invention realises MAC address translation through a reserved MAC address pool and thereby Layer 2 address translation, so that, without adding equipment, the deficiency of the prior art is overcome and a LAN switch in SVL mode combined with a VB L2VPN can realise the Layer 2 VPN function; in addition, Layer 2 isolation between users is realised more effectively, making the VB L2VPN more secure.
The Layer 2 address translation method is not limited to translation through a MAC address pool; MAC address translation can also be realised in combination with Layer 3 information. For example, when MAC resources are insufficient, a single MAC address can be used as the MAC address pool, and the one-to-one mapping between the pool address and the user's original MAC address can be realised through the user's Layer 3 information, such as the IP address, or through Layer 2 information, thereby realising Layer 2 address translation; the Layer 3 or Layer 2 information includes the VLAN ID, the IP address, and the like.
Those skilled in the art can implement the present invention in various modified forms without departing from its essence and spirit. The foregoing is merely a preferred feasible embodiment of the present invention and does not limit its scope of protection; all equivalent structural changes made using the contents of the specification and drawings of the present invention fall within the scope of protection of the present invention.