CN108768861B - Method and device for sending service message - Google Patents

Method and device for sending service message

Info

Publication number: CN108768861B
Application number: CN201810698539.7A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108768861A
Inventor: 韩超
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Prior art keywords: address, virtual interface, interface, user equipment, vpn

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Data Exchanges In Wide-Area Networks
Abstract

The application provides a method and a device for sending a service message, in the field of communication technology. The method is applied to a security device and comprises the following steps: receiving a service message sent by first user equipment, where the destination address of the service message is the IP address of second user equipment; determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment according to a pre-stored first routing forwarding table corresponding to the first user equipment, where the first routing forwarding table records the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment; sending the service message through the first virtual interface to the second virtual interface according to the first next hop address; and sending the service message to the second user equipment through the second virtual interface. With this method and device, mutual access between tenants can be realized.

Description

Method and device for sending service message
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for sending a service packet.
Background
In a cloud scenario, the cloud platform provides an SDN (Software Defined Network) hosting system, which connects to the security devices of tenants (such as tenant firewall devices) and steers traffic to them. Technicians can issue control commands to the security devices through the SDN hosting system, so that the security devices of multiple tenants are managed in a unified way.
At present, a security device generally uses a multi-tenant shared-context mode to divide and isolate tenants: the security device is virtualized, and one security device (context) serves multiple tenants. In the shared-context mode, a downlink interface of the security device is divided into several downlink sub-interfaces, and each downlink sub-interface is bound to a tenant VPN (Virtual Private Network). For example, if the security device serves tenants user01 and user02, user01 is bound to VPN_user01 on the first downlink sub-interface of the firewall, and user02 is bound to VPN_user02 on the second downlink sub-interface.
In practice, tenants have a requirement for cross-tenant VPC mutual access: the traffic of different tenants must be able to reach each other's private network segments through configuration, with a firewall providing security protection; for example, tenant user01 needs to access user02. However, in the SDN hosting system the security domains and address information of different tenants are not visible to each other. For example, when a technician configures the routing table corresponding to user01 in the SDN hosting system, the technician cannot see the next hop address corresponding to user02, and the SDN hosting system does not allow the VPN bound to a downlink sub-interface to be used as a destination VPN. Static routes crossing VPNs therefore cannot be configured in the SDN hosting system, and the inter-tenant access function cannot be realized.
Disclosure of Invention
The embodiment of the application aims to provide a method and a device for sending a service message so as to realize the function of mutual access between tenants. The specific technical scheme is as follows:
in a first aspect, a method for sending a service packet is provided, where the method is applied to a security device, and the method includes:
receiving a service message sent by first user equipment, wherein the destination address of the service message is the IP address of second user equipment;
determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment according to a pre-stored first routing forwarding table corresponding to the first user equipment, where the first routing forwarding table includes a corresponding relationship among a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
sending the service message to the second virtual interface according to the first next hop address through the first virtual interface;
and sending the service message to the second user equipment through the second virtual interface.
Optionally, before determining, according to a pre-stored first routing forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to an IP address of the second user equipment, the method further includes:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-stored corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving the service message;
and determining a first route forwarding table corresponding to the first VPN according to a preset and stored corresponding relation between the VPN and the route forwarding table.
Optionally, the sending the service packet to the second user equipment through the second virtual interface includes:
determining a second VPN corresponding to the second virtual interface according to a preset and stored corresponding relationship between the virtual interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a preset and stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
and sending the service message through the second downlink sub-interface.
Optionally, the method further includes:
receiving a virtual interface configuration command sent by a management server, wherein the virtual interface configuration command comprises an identifier of the first virtual interface, an address of the first virtual interface, an identifier of a first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface, and an identifier of a second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing a corresponding relationship between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing a corresponding relationship between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
receiving a routing configuration command corresponding to the first routing forwarding table and sent by a management server, wherein the routing configuration command comprises an identifier of the first virtual interface, an IP address of the second user equipment and an address of the second virtual interface;
adding to the first routing forwarding table a forwarding table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to the permit (release) state.
In a second aspect, an apparatus for sending a service packet is provided, where the apparatus is applied to a security device, and the apparatus includes:
the first receiving module is used for receiving a service message sent by first user equipment, and the destination address of the service message is the IP address of second user equipment;
a first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to an IP address of the second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
a first sending module, configured to send the service packet to the second virtual interface according to the first next hop address through the first virtual interface;
and the second sending module is used for sending the service message to the second user equipment through the second virtual interface.
Optionally, the apparatus further comprises:
a second determining module, configured to determine, according to a pre-stored correspondence between a downstream subinterface and a VPN, a first VPN corresponding to the first downstream subinterface, where the first downstream subinterface is a downstream subinterface for receiving the service packet;
and the third determining module is used for determining the first route forwarding table corresponding to the first VPN according to the preset and stored corresponding relation between the VPN and the route forwarding table.
Optionally, the second sending module is specifically configured to:
determining a second VPN corresponding to the second virtual interface according to a preset and stored corresponding relationship between the virtual interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a preset and stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
and sending the service message through the second downlink sub-interface.
Optionally, the apparatus further comprises:
a second receiving module, configured to receive a virtual interface configuration command sent by a management server, where the virtual interface configuration command includes an identifier of the first virtual interface, an address of the first virtual interface, an identifier of a first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface, and an identifier of a second VPN corresponding to the second virtual interface;
a creation module for creating the first virtual interface and the second virtual interface;
the establishing module is used for configuring the address of the first virtual interface and the address of the second virtual interface, establishing the corresponding relation between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the corresponding relation between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the apparatus further comprises:
a third receiving module, configured to receive a routing configuration command corresponding to the first routing forwarding table and sent by a management server, where the routing configuration command includes an identifier of the first virtual interface, an IP address of the second user equipment, and an address of the second virtual interface;
an adding module, configured to add a forwarding table entry to the first routing forwarding table, where the forwarding table entry uses the IP address of the second user equipment as the destination address, the first virtual interface as the outgoing interface, and the address of the second virtual interface as the next hop address, and to set the security policy between the first user equipment and the second user equipment to the permit (open) state.
In a third aspect, a security device is provided, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of the first aspect when executing the program stored in the memory.
In a fourth aspect, there is provided a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to: the method steps of the first aspect are implemented.
In a fifth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to carry out the method steps of the first aspect.
In the method and apparatus for sending a service packet provided in the embodiments of the present application, a network device receives a service packet sent by first user equipment, the destination address of which is the IP address of second user equipment. It then determines, from a pre-stored first routing forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment. The network device sends the service packet through the first virtual interface to the second virtual interface according to the first next hop address, and then sends it to the second user equipment through the second virtual interface. In this way, mutual access between tenants on the same security device is realized.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a system framework diagram provided by an embodiment of the present application;
fig. 2 is a flowchart of a method for sending a service packet according to an embodiment of the present application;
fig. 3 is a flowchart of a method for configuring a virtual interface and a routing forwarding table according to an embodiment of the present application;
fig. 4 is a flowchart illustrating an exemplary method for configuring a virtual interface and a routing forwarding table according to an embodiment of the present application;
fig. 5 is a flowchart illustrating an exemplary method for sending a service packet according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a device for sending a service packet according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a device for sending a service packet according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a device for sending a service packet according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a device for sending a service packet according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiments of the invention provide a method for sending a service message that can be applied to a network device; the network device may be a security device such as a firewall, or a routing device. The network device can be used in an SDN hosting scenario. SDN is a new network architecture whose core idea is to separate the control plane and the forwarding plane of network devices and to control network traffic centrally and flexibly through a controller, providing a good platform for innovation in the core network and its applications. In the embodiments of the present invention, the SDN hosting system is the control plane of the SDN network: a technician issues instructions through an administrator terminal to a management server running the SDN hosting system in order to configure network devices (such as security devices or routing devices) in the SDN network.
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present invention. The network system comprises a management server running the SDN hosting system, a management area switch, an administrator terminal, a border router, a security device, an access device and the user equipment of the tenants. The management server is connected to the security device through the management area switch and the access device. In this way, a technician can issue control instructions to the security device through the SDN hosting system and manage the security devices of multiple tenants in a unified way. The uplink interface of the security device may be connected to the border router, through which the internet is reached. The downlink interface of the security device may be connected to the access device, which may consist of a core switch and an access switch. The user equipment of a tenant connects to the access device, reaches the security device through it, and then accesses the network through the security device.
In practice, a security device is typically virtualized into multiple virtual devices (contexts, i.e. virtual firewalls) to provide services to tenants. The network device in the embodiments of the present invention may be an independent network device or a context obtained through virtualization. Taking a context as an example, in the multi-tenant shared-context mode one network device (context) serves multiple tenants. The user equipment of a tenant and the network device usually communicate by establishing a VPN; accordingly, the downlink interface of the network device is divided into several downlink sub-interfaces, and each downlink sub-interface is bound to the VPN of one tenant so as to communicate with different user equipment. For example, referring to fig. 1, the network device serves user01 and user02, and its downlink interface is divided into downlink sub-interface 1 and downlink sub-interface 2; the VPN bound to downlink sub-interface 1 is VPN_user01 and the VPN bound to downlink sub-interface 2 is VPN_user02. user01 and user02 belong to different security domains: the security domain of user01 is zone_user01 and that of user02 is zone_user02; the IP (Internet Protocol) address of user01 is 2.0.0.0/24 and the IP address of user02 is 3.0.0.0/24. In practice, VPNs are divided per tenant, so if a tenant has several user devices, they all belong to the same VPN and correspond to the same downlink sub-interface.
In the embodiments of the present invention, the network device allocates a virtual interface to each tenant. After receiving a service packet sent by first user equipment, the network device determines, from a pre-stored first routing forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the destination address of the service packet (the IP address of the second user equipment), where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment. The network device sends the service packet through the first virtual interface to the second virtual interface according to the first next hop address, and then sends it to the second user equipment through the second virtual interface. In this way, the inter-tenant mutual access function can be realized on the basis of the SDN hosting system.
As shown in fig. 2, the processing procedure of the method may include the following steps:
step 201, receiving a service packet sent by a first user equipment.
The destination address of the service message is an IP address of the second user equipment, and the second user equipment and the first user equipment are user equipment accessing to the same security equipment.
In implementation, when the first user equipment needs to communicate with the second user equipment, the first user equipment may generate a service packet according to a preset packet generation policy, with the IP address of the first user equipment as a source address and the IP address of the second user equipment as a destination address. Then, the first user equipment can send the service message to the access equipment through the corresponding VPN. The access device may store a policy route in advance, and then send the service packet to a first downlink sub-interface of the network device according to the policy route, and the network device may receive the service packet through the first downlink sub-interface.
Step 202, according to a pre-stored first routing forwarding table corresponding to the first user equipment, determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment.
In implementation, the network device stores in advance a routing forwarding table for each user equipment. This routing forwarding table is a VPN routing forwarding table, also referred to as a VRF (Virtual Routing Forwarding) table, and it records the correspondence between destination address, outgoing interface and next hop address. The outgoing interface may be an interface the network device creates for the user equipment for the purpose of mutual access with other user equipment. In the embodiments of the invention, for user equipment that needs inter-tenant access, the network device creates a virtual interface for it; through this virtual interface an interconnection interface function similar to the cross-context mode is realized inside a single context, so that both the outgoing interface and the next hop interface lie in the same context, and the SDN hosting system can allocate an IP address to the virtual interface and configure the routing forwarding table for cross-VPN mutual access. Since these virtual interfaces are all inside the same context, the default inter-domain policy between them is permit. The creation of the outgoing interface and the configuration of the routing forwarding table are described in detail later.
After receiving a service message sent by a first user equipment, a network device may analyze the service message to obtain a destination address carried in the service message (i.e., an IP address of a second user equipment), and then search a forwarding table entry corresponding to the IP address of the second user equipment in a routing forwarding table (i.e., a first routing forwarding table) corresponding to the first user equipment, so as to obtain a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment. The first output interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment.
It should be noted that, in the embodiment of the present invention, each VPN corresponds to one virtual interface, that is, each tenant corresponds to one virtual interface. Technicians can realize mutual access between the first tenant and a plurality of other tenants by configuring the routing forwarding table. As shown in table 1, an example of a routing forwarding table according to an embodiment of the present invention is provided.
Table 1
Destination address    Outgoing interface    Next hop address
3.0.0.0/24             virtual-if01          1.1.1.2
4.0.0.0/24             virtual-if01          1.1.1.3
Wherein, virtual-if01 is the first virtual interface corresponding to the first user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 1.1.1.2 is the address of the second virtual interface corresponding to the second user equipment, 4.0.0.0/24 is the IP address of the third user equipment, and 1.1.1.3 is the address of the third virtual interface corresponding to the third user equipment.
Optionally, the network device needs to determine the first routing forwarding table first, and then searches for the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the process of determining the first routing forwarding table may be as follows: determining a first VPN corresponding to a first downlink sub-interface according to a pre-stored corresponding relationship between the downlink sub-interface and the VPN, wherein the first downlink sub-interface is a downlink sub-interface for receiving a service message; and determining a first route forwarding table corresponding to the first VPN according to a preset and stored corresponding relation between the VPN and the route forwarding table.
In implementation, each downstream subinterface of the network device may be bound to a VPN of a tenant, that is, the network device stores a corresponding relationship between the downstream subinterface and the VPN. The network device also configures a route forwarding table corresponding to the user device of the tenant, and establishes a corresponding relationship between the VPN of the tenant and the route forwarding table. When the network device receives a service message sent by the first user device through the first downlink sub-interface, the network device may determine a first VPN corresponding to the first downlink sub-interface according to a pre-stored correspondence between the downlink sub-interface and the VPN, and further determine a first route forwarding table corresponding to the first VPN according to a pre-stored correspondence between the VPN and the route forwarding table, so as to search for a first outgoing interface and a first next hop address corresponding to a destination address of the service message in the first route forwarding table.
Step 203, sending the service message to the second virtual interface according to the first next hop address through the first virtual interface.
In implementation, the network device may use the first virtual interface as the outgoing interface and send the service packet to the interface whose address is the first next hop address, that is, to the second virtual interface corresponding to the second user device.
And step 204, sending the service message to the second user equipment through the second virtual interface.
In implementation, the network device may receive the service packet through the second virtual interface, and since the second virtual interface is a virtual interface corresponding to the second user device, the network device may send the service packet to the second user device through the second virtual interface.
Optionally, the specific processing procedure that the network device sends the service packet to the second user equipment through the second virtual interface may include the following steps:
step one, according to the preset and stored corresponding relation between the virtual interface and the VPN, a second VPN corresponding to the second virtual interface is determined.
In implementation, after the network device creates a virtual interface for a user device of a certain tenant, the virtual interface may be bound to a VPN corresponding to the user device, that is, the network device may establish a correspondence between the virtual interface and the VPN. After the network device receives the service packet through the second virtual interface, the network device may determine a second VPN corresponding to the second virtual interface according to a preset stored correspondence between the virtual interface and the VPN.
And step two, determining a second route forwarding table corresponding to the second VPN according to the preset and stored corresponding relation between the VPN and the route forwarding table.
In implementation, as described above, the network device may store the corresponding relationship between the VPN and the route forwarding table in advance, and after determining the second VPN, the network device may determine the second route forwarding table corresponding to the second VPN according to the preset stored corresponding relationship between the VPN and the route forwarding table. Similar to the first route forwarding table, the second route forwarding table includes a corresponding relationship of a destination address, an egress interface, and a next hop address. As shown in table two, this is an example of a routing forwarding table according to the embodiment of the present invention.
Table two
Destination address   Outgoing interface   Next hop address
3.0.0.0/24            virtual-if02         2.1.1.2
2.0.0.0/24            virtual-if02         1.1.1.1
Wherein, virtual-if02 is the second virtual interface corresponding to the second user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 2.1.1.2 is the address of the downlink sub-interface corresponding to the second user equipment, 2.0.0.0/24 is the IP address of the first user equipment, and 1.1.1.1 is the address of the first virtual interface corresponding to the first user equipment.
And step three, determining a second next hop address corresponding to the IP address of the second user equipment according to the second route forwarding table.
In implementation, the network device may search a forwarding table entry corresponding to the IP address of the second user equipment in the second routing forwarding table, so as to obtain an egress interface and a second next hop address corresponding to the IP address of the second user equipment. The output interface is a second virtual interface corresponding to the second user equipment, and the second next hop address is an address of a second downlink sub-interface corresponding to the second user equipment.
And step four, sending the service message to a second downlink sub-interface according to the second next-hop address.
In implementation, the network device may use the second virtual interface as the outgoing interface and send the service packet to the interface whose address is the second next hop address, that is, to the second downlink sub-interface corresponding to the second user device.
And step five, sending the service message to second user equipment through a second downlink sub-interface.
In implementation, after receiving the service packet through the second downlink sub-interface, the network device may send the service packet to the second user equipment through the second downlink sub-interface according to a destination address (i.e., an IP address of the second user equipment) in the service packet.
The embodiment of the invention also provides an example of mutual access between user equipment. When tenant user01 needs to send a service packet to tenant user02, user01 sends the service packet to the access device, where the destination address of the service packet is the address of user02, that is, 3.0.0.0/24, and the source address is the address of user01, that is, 2.0.0.0/24. The access device sends the service packet to downlink sub-interface 1 of the network device. After receiving the service packet through downlink sub-interface 1, the network device determines that the VPN bound to downlink sub-interface 1 is VPN_user01, queries the first routing forwarding table (i.e., table one) corresponding to VPN_user01, determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if01 and the next hop address is 1.1.1.2, and sends the service packet through virtual-if01 to the interface whose address is 1.1.1.2 (i.e., virtual-if02). The network device then determines that the VPN bound to virtual-if02 is VPN_user02, queries the second routing forwarding table (i.e., table two) corresponding to VPN_user02, determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if02 and the next hop address is 2.1.1.2, sends the service packet, with virtual-if02 as the outgoing interface, to the interface whose address is 2.1.1.2 (i.e., downlink sub-interface 2), and finally sends the service packet to user02 through downlink sub-interface 2. The processing procedure for tenant user02 sending a service packet to tenant user01 is similar and is not described again.
In the embodiment of the invention, a network device receives a service packet sent by a first user device, the destination address of the service packet being the IP address of a second user device; it then determines a first outgoing interface and a first next hop address corresponding to the IP address of the second user device according to a pre-stored first routing forwarding table corresponding to the first user device, wherein the first outgoing interface is a first virtual interface corresponding to the first user device and the first next hop address is the address of a second virtual interface corresponding to the second user device. In this scheme, virtual interfaces are configured in the network device to realize mutual access between tenants within the same security device: the network device sends the service packet through the first virtual interface corresponding to the first user device to the second virtual interface according to the first next hop address (the address of the second virtual interface corresponding to the second user device), and then sends the service packet to the second user device through the second virtual interface. This avoids taking the VPN bound to a downlink sub-interface in the SDN admission management system as the destination VPN, and, because the first virtual interface and the first user device belong to the same VPN and the second virtual interface and the second user device belong to the same VPN, it also avoids configuring a static route that spans VPNs in the SDN admission management system.
Optionally, an embodiment of the present invention further provides a method for configuring a virtual interface in a network device, and as shown in fig. 3, a specific process includes the following steps:
step 301, receiving a virtual interface configuration command sent by a management server.
The virtual interface configuration command comprises an identifier of the first virtual interface, an address of the first virtual interface, an identifier of the first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface and an identifier of the second VPN corresponding to the second virtual interface.
In implementation, when a first tenant needs mutual access with a second tenant, a technician may create a virtual interface for the user device of the first tenant and one for the user device of the second tenant through the management server of the SDN admission management system. In a possible implementation manner, the technician issues a creation request to the management server through the administrator terminal, where the creation request carries an identifier of the first tenant and an identifier of the second tenant. After receiving the creation request, the management server parses it to obtain the identifier of the first tenant and the identifier of the second tenant. A tenant identifier may be the IP address of the tenant's user equipment or a preset tenant name.
After acquiring the identifier of the first tenant, the management server may generate an identifier of a first virtual interface, such as virtual-if01, corresponding to the first tenant. In addition, the management server may also store an interconnection address pool in advance, for example, 1.1.1.0/24. The management server can also randomly select a current unused address from the interconnection address pool, use the address as the address of the first virtual interface, and can set the VPN binding of the first virtual interface and the first tenant. The process of configuring the second virtual interface by the management server is similar to that described above, and is not described herein again. The management server may generate a virtual interface configuration command according to a preset command generation rule, where the virtual interface configuration command includes an identifier of the first virtual interface, an address of the first virtual interface, an identifier of the first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface, and an identifier of the second VPN corresponding to the second virtual interface. The management server may send the virtual interface configuration command to the network device. The network device receives the virtual interface configuration command.
In one possible implementation, the virtual interface configuration command may include a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN binding command, and a second VPN binding command. The first virtual interface creating command comprises an identifier of the first virtual interface and is used for creating the first virtual interface; the second virtual interface creating command comprises an identifier of the second virtual interface and is used for creating the second virtual interface; the first address configuration command comprises an identifier of the first virtual interface and an address of the first virtual interface, and is used for configuring the address of the first virtual interface; the second address configuration command comprises an identifier of the second virtual interface and an address of the second virtual interface, and is used for configuring the address of the second virtual interface; the first VPN binding command comprises an identifier of the first virtual interface and an identifier of the first VPN, and is used for configuring the VPN corresponding to the first virtual interface as the first VPN; the second VPN binding command includes an identifier of the second virtual interface and an identifier of the second VPN, and is used to configure the VPN corresponding to the second virtual interface as the second VPN.
Step 302, a first virtual interface and a second virtual interface are created.
In implementation, after receiving the virtual interface configuration command, the network device may execute the virtual interface configuration command to create the first virtual interface and the second virtual interface. For example, after receiving the first virtual interface creation command and the second virtual interface creation command, the network device may execute the first virtual interface creation command to create the first virtual interface, and may also execute the second virtual interface creation command to create the second virtual interface.
Step 303, configuring an address of the first virtual interface and an address of the second virtual interface.
In an implementation, the network device may configure an address of the first virtual interface as the first address according to an address of the first virtual interface (which may be referred to as a first address) in the virtual interface configuration command, and configure an address of the second virtual interface as the second address according to an address of the second virtual interface (which may be referred to as a second address) in the virtual interface configuration command. For example, after receiving the first address configuration command and the second address configuration command, the network device may execute the first address configuration command, and configure the first address in the first address configuration command as the address of the first virtual interface.
Step 304, establishing a corresponding relationship between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing a corresponding relationship between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
In implementations, the network device may also bind the first virtual interface with a first VPN and bind the second virtual interface with a second VPN. Specifically, the network device may establish a corresponding relationship between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN in the virtual interface configuration command, and establish a corresponding relationship between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN. For example, after receiving the first VPN binding command and the second VPN binding command, the network device may execute the first VPN binding command, and establish a corresponding relationship between the first virtual interface and the first VPN, and similarly, the network device may also establish a corresponding relationship between the second virtual interface and the second VPN.
For example, the IP address of the user equipment of the first tenant is 2.0.0.1, and the IP address of the user equipment of the second tenant is 3.0.0.1. When tenant user01 needs to access tenant user02, the management server may determine that the virtual interface of tenant user01 is identified as virtual-if01 and the virtual interface of tenant user02 is identified as virtual-if02, and, based on the preset interconnection address pool 1.1.1.0/24, allocate the address 1.1.1.1 to virtual-if01 and the address 1.1.1.2 to virtual-if02; at the same time, it may set the VPN bound to virtual-if01 to VPN_user01 and the VPN bound to virtual-if02 to VPN_user02.
After receiving the virtual interface configuration command, the network device may create virtual-if01 and virtual-if02, configure the address of virtual-if01 to be 1.1.1.1 and the address of virtual-if02 to be 1.1.1.2, and at the same time establish a corresponding relationship between virtual-if01 and VPN_user01 and a corresponding relationship between virtual-if02 and VPN_user02.
Optionally, an embodiment of the present invention further provides a processing procedure for configuring a routing forwarding table, and correspondingly, after step 303, steps 305 to 306 may further be included.
Step 305, receiving a route configuration command corresponding to the first route forwarding table sent by the management server.
In implementation, the technician may also issue a routing configuration command to the network device through the management server of the SDN admission management system, so that mutual access between different tenants is realized. The routing configuration command may include an identifier of the first virtual interface, the IP address of the second user equipment, and the address of the second virtual interface; it may further carry an identifier of the first VPN, so that the network device configures the first routing forwarding table according to the identifier of the first VPN.
For example, a static routing configuration set for tenant user01 may be received: ip route 3.0.0.0 255.255.255.0 1.1.1.2, or ip route 3.0.0.0 255.255.255.0 virtual-if01. With this configuration, interworking with tenant user02 can be achieved.
A static routing configuration set for tenant user02 may be received: ip route 2.0.0.0 255.255.255.0 1.1.1.1, or ip route 2.0.0.0 255.255.255.0 virtual-if02. With this configuration, interworking with tenant user01 can be achieved.
Step 306, adding a forwarding table entry which takes the IP address of the second user equipment as a destination address, the first virtual interface as an outgoing interface, and the address of the second virtual interface as a next hop address in the first routing forwarding table, and setting the security policy between the first user equipment and the second user to be in a release state.
In implementation, after receiving the routing configuration command, the network device may add an entry in the first routing forwarding table according to the routing configuration command, and specifically, the network device may add a forwarding entry in the first routing forwarding table, where the IP address of the second user equipment is used as a destination address, the first virtual interface is used as an outgoing interface, and the address of the second virtual interface is used as a next hop address. In addition, the network device may set a security policy between the first user device and the second user device to an open state, so that the first user device and the second user device send service packets to each other, and the receiving party may perform security detection on the received service packets through the network device.
For example, for tenant user01, the network device may configure the following static route in its corresponding first routing table: destination address 3.0.0.0/24, egress interface virtual-if01, next hop address 1.1.1.2; and the network device may release the security policy with source address 2.0.0.1 and destination address 3.0.0.1, so that a service packet with source address 2.0.0.1 and destination address 3.0.0.1 may be sent to the VPN domain of tenant user02. Similarly, for tenant user02, the network device may configure the following static route in its corresponding second routing table: destination address 2.0.0.0/24, egress interface virtual-if02, next hop address 1.1.1.1; and the network device may set and execute a security policy with source address 3.0.0.1 and destination address 2.0.0.1, so that a service packet with source address 3.0.0.1 and destination address 2.0.0.1 may be sent to the VPN domain of tenant user01.
The embodiment of the present invention further provides an example of configuring an inter-domain policy, where the inter-domain policy is an application form of a security policy, and specifically includes: source security domain zone_user01, destination security domain zone_user02, source IP address 2.0.0.1, destination IP address 3.0.0.1, filtering rule permit; and source security domain zone_user02, destination security domain zone_user01, source IP address 3.0.0.1, destination IP address 2.0.0.1, filtering rule permit. Thus, based on the configured inter-domain policy, after receiving a service packet sent by tenant user01, the network device can allow the service packet to be forwarded to tenant user02, and similarly, after receiving a service packet sent by tenant user02, the network device can allow the service packet to be forwarded to tenant user01.
An example of a method for configuring a virtual interface is further provided in the embodiments of the present invention, as shown in fig. 4, a specific processing procedure is as follows:
step 401, receiving a virtual interface configuration command sent by a management server.
The virtual interface configuration command comprises a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN binding command and a second VPN binding command. The first virtual interface creation command includes virtual-if01, the second virtual interface creation command includes virtual-if02, the first address configuration command includes virtual-if01 and 1.1.1.1, the second address configuration command includes virtual-if02 and 1.1.1.2, the first VPN binding command includes virtual-if01 and VPN_user01, and the second VPN binding command includes virtual-if02 and VPN_user02.
Step 402, executing the first virtual interface creation command to create the virtual interface virtual-if01.
Step 403, executing the first address configuration command to configure the address of virtual-if01 to be 1.1.1.1.
Step 404, executing the first VPN binding command, and establishing a corresponding relationship between virtual-if01 and VPN_user01.
Step 405, configuring a mutual access static route in the first routing table corresponding to tenant user01: destination address 3.0.0.0/24, egress interface virtual-if01, next hop address 1.1.1.2.
Step 406, setting and executing a security policy with source address 2.0.0.1 and destination address 3.0.0.1.
Step 402', executing the second virtual interface creation command to create virtual-if02.
Step 403', executing the second address configuration command to configure the address of virtual-if02 to be 1.1.1.2.
Step 404', executing the second VPN binding command, and establishing a corresponding relationship between virtual-if02 and VPN_user02.
Step 405', configuring a mutual access static route in the first routing table corresponding to tenant user02: destination address 2.0.0.0/24, egress interface virtual-if02, next hop address 1.1.1.1.
Step 406', setting and executing a security policy with source address 3.0.0.1 and destination address 2.0.0.1.
An example of a method for sending a service packet is also provided in the embodiments of the present invention, as shown in fig. 5, a specific processing procedure is as follows:
step 501, receiving a service packet sent by a first user equipment through a downlink sub-interface 1.
Wherein, the source IP address of the service message is 2.0.0.0/24, and the destination IP address is 3.0.0.0/24.
Step 502, determining that the VPN bound to downlink sub-interface 1 is VPN_user01, and querying the outgoing interface virtual-if01 and the next hop address 1.1.1.2 corresponding to 3.0.0.0/24 in the first routing forwarding table corresponding to VPN_user01.
Step 503, sending the service packet through virtual-if01 to the interface with address 1.1.1.2 (i.e., virtual-if02).
Step 504, determining that the VPN bound to virtual-if02 is VPN_user02, and querying, in the first routing forwarding table corresponding to VPN_user02, that the egress interface corresponding to 3.0.0.0/24 is virtual-if02 and the next hop address is 2.1.1.2.
Step 505, sending the service packet to the interface with address 2.1.1.2 (i.e., downlink sub-interface 2) through the outbound interface virtual-if02.
Step 506, the service packet is sent through the downlink sub-interface 2.
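As an added illustration that is not part of the patent, the following Python model carries both the configuration procedure of steps 301 to 306 and the forwarding procedure of steps 501 to 506 through in code: the management server allocates virtual interface addresses from the 1.1.1.0/24 pool and issues the create, address, bind and route commands, and the device then walks a packet from user01 to user02 through the two per-VPN table lookups, dropping it when no route exists or no inter-domain permit rule covers the source and destination. Interface names, the downlink sub-interface 1 address 2.1.1.1, sequential rather than random pool allocation, the hop bound, and the use of the VPN name as the security domain are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str
    next_hop: ipaddress.IPv4Address


class NetworkDevice:
    """Constructed model of the security device: interfaces, one forwarding table per VPN,
    and the inter-domain security policy that gates traffic between tenants."""

    def __init__(self):
        self.if_kind = {}    # interface name -> "downlink" or "virtual"
        self.if_addr = {}    # interface name -> IPv4Address
        self.if_vpn = {}     # interface name -> VPN bound to it (downlink sub-if or virtual-if)
        self.rib = {}        # VPN -> list of Route
        self.policy = set()  # permitted (src_vpn, dst_vpn, src_ip, dst_ip); everything else is denied

    def create_interface(self, name, kind, addr, vpn):
        self.if_kind[name] = kind
        self.if_addr[name] = ipaddress.ip_address(addr)
        self.if_vpn[name] = vpn

    def add_static_route(self, vpn, prefix, out_if, next_hop):
        route = Route(ipaddress.ip_network(prefix), out_if, ipaddress.ip_address(next_hop))
        self.rib.setdefault(vpn, []).append(route)

    def permit(self, src_vpn, dst_vpn, src_ip, dst_ip):
        # The page names the security domains zone_user01/zone_user02; the VPN name stands in here.
        self.policy.add((src_vpn, dst_vpn, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)))

    def lookup(self, vpn, dst):
        matches = [r for r in self.rib.get(vpn, []) if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def interface_with_address(self, addr):
        return next((n for n, a in self.if_addr.items() if a == addr), None)

    def forward(self, ingress_if, src_ip, dst_ip):
        """Walk a packet through the device; returns ([(vpn, out_if, next_if), ...], verdict)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        hops, current = [], ingress_if
        for _ in range(4):  # hop bound: mis-set next hops between virtual interfaces would otherwise loop
            vpn = self.if_vpn[current]     # VPN bound to the interface that received the packet
            route = self.lookup(vpn, dst)  # lookup in that VPN's own forwarding table
            if route is None:
                return hops, "dropped: no route in " + vpn
            nxt = self.interface_with_address(route.next_hop)  # the next hop is a local interface
            if nxt is None:
                return hops, "dropped: next hop is not a local interface"
            hops.append((vpn, route.out_if, nxt))
            if self.if_vpn[nxt] != vpn and (vpn, self.if_vpn[nxt], src, dst) not in self.policy:
                return hops, "dropped: inter-domain policy"  # crossing into another tenant needs a permit
            if self.if_kind[nxt] == "downlink":
                return hops, "delivered via " + nxt  # the downlink sub-interface reaches the user device
            current = nxt
        return hops, "dropped: hop limit"


class ManagementServer:
    """Generates the virtual interface, route and policy configuration for a pair of tenants."""

    def __init__(self, pool="1.1.1.0/24"):
        self.free = list(ipaddress.ip_network(pool).hosts())  # interconnection address pool
        self.commands = []

    def provision_mutual_access(self, dev, a, b):
        # One unused pool address per virtual interface (the page picks randomly; first free here).
        addr = {t["vif"]: self.free.pop(0) for t in (a, b)}
        for t in (a, b):
            self.commands += [("create", t["vif"]), ("address", t["vif"], str(addr[t["vif"]])),
                              ("bind", t["vif"], t["vpn"])]
            dev.create_interface(t["vif"], "virtual", addr[t["vif"]], t["vpn"])
        for s, d in ((a, b), (b, a)):
            # static route in s's table: d's prefix, out interface s's virtual-if, next hop d's virtual-if
            self.commands.append(("route", s["vpn"], d["prefix"], s["vif"], str(addr[d["vif"]])))
            dev.add_static_route(s["vpn"], d["prefix"], s["vif"], addr[d["vif"]])
            dev.permit(s["vpn"], d["vpn"], s["host"], d["host"])  # set the security policy to release
        return addr


USER01 = dict(vpn="VPN_user01", vif="virtual-if01", prefix="2.0.0.0/24", host="2.0.0.1",
              downlink="downlink-sub-if1", downlink_addr="2.1.1.1")  # downlink 1 address is assumed
USER02 = dict(vpn="VPN_user02", vif="virtual-if02", prefix="3.0.0.0/24", host="3.0.0.1",
              downlink="downlink-sub-if2", downlink_addr="2.1.1.2")  # 2.1.1.2 as in table two


def build_device():
    dev, mgmt = NetworkDevice(), ManagementServer()
    for t in (USER01, USER02):
        dev.create_interface(t["downlink"], "downlink", t["downlink_addr"], t["vpn"])
        # tenant's own prefix, as in table two: out interface its virtual-if, next hop its downlink sub-if
        dev.add_static_route(t["vpn"], t["prefix"], t["vif"], t["downlink_addr"])
    mgmt.provision_mutual_access(dev, USER01, USER02)
    return dev, mgmt
```

`build_device()` returns the provisioned device and the command list the management server generated; `dev.forward("downlink-sub-if1", "2.0.0.1", "3.0.0.1")` then yields the two hops of steps 502 to 505, while a source host without a permit rule is dropped at the VPN crossing.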
Based on the same technical concept, as shown in fig. 6, an embodiment of the present application further provides a device for sending a service packet, where the device is applied to a security device, and the device includes:
a first receiving module 610, configured to receive a service packet sent by a first user equipment, where a destination address of the service packet is an IP address of a second user equipment;
a first determining module 620, configured to determine, according to a pre-stored first route forwarding table corresponding to a first user equipment, a first outgoing interface and a first next hop address corresponding to an IP address of a second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
a first sending module 630, configured to send the service packet to the second virtual interface through the first virtual interface according to the first next hop address;
the second sending module 640 is configured to send the service packet to the second user equipment through the second virtual interface.
Optionally, as shown in fig. 7, the apparatus further includes:
a second determining module 650, configured to determine, according to a pre-stored correspondence between a downlink sub-interface and a VPN, a first VPN corresponding to the first downlink sub-interface, where the first downlink sub-interface is a downlink sub-interface for receiving a service packet;
the third determining module 660 is configured to determine, according to a preset stored correspondence between VPNs and route forwarding tables, a first route forwarding table corresponding to the first VPN.
Optionally, the second sending module 640 is specifically configured to:
determining a second VPN corresponding to the second virtual interface according to a preset and stored corresponding relationship between the virtual interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a preset and stored corresponding relation between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relation between a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to a second downlink sub-interface according to the second next-hop address;
and sending the service message through the downlink sub-interface.
Optionally, as shown in fig. 8, the apparatus further includes:
a second receiving module 670, configured to receive a virtual interface configuration command sent by the management server, where the virtual interface configuration command includes an identifier of the first virtual interface, an address of the first virtual interface, an identifier of the first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface, and an identifier of the second VPN corresponding to the second virtual interface;
a creating module 680, configured to create a first virtual interface and a second virtual interface;
the establishing module 690 is configured to configure an address of the first virtual interface and an address of the second virtual interface, establish a corresponding relationship between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish a corresponding relationship between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, as shown in fig. 9, the apparatus further includes:
a third receiving module 6100, configured to receive a routing configuration command corresponding to the first routing forwarding table sent by the management server, where the routing configuration command includes an identifier of the first virtual interface, an IP address of the second user equipment, and an address of the second virtual interface;
an adding module 6110, configured to add a forwarding table entry in the first route forwarding table, where the IP address of the second user equipment is used as a destination address, the first virtual interface is used as an outgoing interface, and the address of the second virtual interface is used as a next hop address, and set the security policy between the first user equipment and the second user to an open state.
In the embodiment of the invention, a network device receives a service message sent by a first user device, the destination address of the service message is the IP address of a second user device, then a first outgoing interface and a first next hop address corresponding to the IP address of the second user device are determined according to a prestored first routing forwarding table corresponding to the first user device, wherein the first outgoing interface is a first virtual interface corresponding to the first user device, and the first next hop address is the address of a second virtual interface corresponding to the second user device.
The embodiment of the present application further provides a security device, as shown in fig. 10, which includes a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, wherein the processor 1001, the communication interface 1002 and the memory 1003 complete mutual communication through the communication bus 1004,
a memory 1003 for storing a computer program;
a processor 1001, configured to enable the secure device to execute the steps of the method for sending a service packet when executing the program stored in the memory 1003, where the method includes:
receiving a service message sent by first user equipment, wherein the destination address of the service message is the IP address of second user equipment;
determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment according to a pre-stored first routing forwarding table corresponding to the first user equipment, where the first routing forwarding table includes a corresponding relationship among a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
sending the service message to the second virtual interface according to the first next hop address through the first virtual interface;
and sending the service message to the second user equipment through the second virtual interface.
Optionally, before the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment are determined according to the pre-stored first routing forwarding table corresponding to the first user equipment, the method further includes:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-stored corresponding relationship between downlink sub-interfaces and VPNs, wherein the first downlink sub-interface is the downlink sub-interface on which the service message was received;
and determining the first routing forwarding table corresponding to the first VPN according to a pre-stored corresponding relationship between VPNs and routing forwarding tables.
Optionally, sending the service message to the second user equipment through the second virtual interface includes:
determining a second VPN corresponding to the second virtual interface according to a pre-stored corresponding relationship between virtual interfaces and VPNs;
determining a second routing forwarding table corresponding to the second VPN according to the pre-stored corresponding relationship between VPNs and routing forwarding tables, wherein the second routing forwarding table includes a corresponding relationship among a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
and sending the service message to the second user equipment through the second downlink sub-interface.
Optionally, the method further includes:
receiving a virtual interface configuration command sent by a management server, wherein the virtual interface configuration command comprises an identifier of the first virtual interface, an address of the first virtual interface, an identifier of a first VPN corresponding to the first virtual interface, an identifier of the second virtual interface, an address of the second virtual interface, and an identifier of a second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing a corresponding relationship between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing a corresponding relationship between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
receiving a routing configuration command corresponding to the first routing forwarding table and sent by a management server, wherein the routing configuration command comprises an identifier of the first virtual interface, an IP address of the second user equipment and an address of the second virtual interface;
adding to the first routing forwarding table a forwarding table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to a permit state.
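The provisioning and forwarding procedure described above (virtual interface configuration command, routing configuration command with the permit policy, then the two-stage lookup: first VPN table to the first virtual interface, peer VPN table to the second downlink sub-interface; the same procedure is restated in claims 1 to 4) carried through as a runnable model. This is an added example and not the patent's or the applicant's code: the interface names, addresses, the field names of the management-server commands, the `src_ue_ip` field, and the point at which the security policy is enforced (when the packet crosses the virtual interface pair) are all assumptions made for the illustration.

```python
"""Per-user VPN forwarding through a virtual interface pair, modelled in Python.

Added example, not code from the patent. Interface names, addresses and the
field names of the management-server commands are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class RouteEntry:
    dest: str       # destination prefix, e.g. "10.2.0.5/32"
    out_iface: str  # outgoing interface
    next_hop: str   # next-hop address


def longest_match(table: list, dst_ip: str) -> Optional[RouteEntry]:
    """Longest-prefix match over one VPN's routing forwarding table."""
    addr, best, best_len = ip_address(dst_ip), None, -1
    for entry in table:
        net = ip_network(entry.dest, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


@dataclass
class SecurityDevice:
    sub_iface_vpn: dict = field(default_factory=dict)    # downlink sub-interface -> VPN
    virt_iface_vpn: dict = field(default_factory=dict)   # virtual interface -> VPN
    virt_iface_addr: dict = field(default_factory=dict)  # virtual interface -> address
    tables: dict = field(default_factory=dict)           # VPN -> list of RouteEntry
    policy: dict = field(default_factory=dict)           # (src UE IP, dst UE IP) -> "permit"/"deny"

    def attach_user(self, sub_iface, sub_addr, vpn, ue_ip):
        """Bind a downlink sub-interface to a VPN and install the host route to its user
        (next hop = the sub-interface's own address, i.e. directly connected)."""
        self.sub_iface_vpn[sub_iface] = vpn
        self.tables.setdefault(vpn, []).append(RouteEntry(f"{ue_ip}/32", sub_iface, sub_addr))

    def virtual_interface_config(self, cmd):
        """Virtual interface configuration command: create both virtual interfaces,
        assign their addresses and bind each to its VPN."""
        for side in ("first", "second"):
            name = cmd[f"{side}_id"]
            self.virt_iface_addr[name] = cmd[f"{side}_addr"]
            self.virt_iface_vpn[name] = cmd[f"{side}_vpn"]
            self.tables.setdefault(cmd[f"{side}_vpn"], [])

    def routing_config(self, cmd):
        """Routing configuration command: in the VPN of the first virtual interface install
        a host route to the second user whose next hop is the second virtual interface's
        address, and set the policy between the two users to permit.
        src_ue_ip is an assumed field; the patent does not say how the device learns it."""
        vpn = self.virt_iface_vpn[cmd["virt_iface_id"]]
        self.tables[vpn].append(
            RouteEntry(f'{cmd["dst_ue_ip"]}/32', cmd["virt_iface_id"], cmd["peer_virt_addr"]))
        self.policy[(cmd["src_ue_ip"], cmd["dst_ue_ip"])] = "permit"

    def forward(self, in_sub_iface, src_ip, dst_ip):
        """Forward one packet. Returns the list of interfaces traversed, or None if dropped."""
        path = [in_sub_iface]
        vpn = self.sub_iface_vpn[in_sub_iface]      # VPN of the receiving downlink sub-interface
        for _ in range(2):                          # at most one virtual-interface crossing
            entry = longest_match(self.tables[vpn], dst_ip)
            if entry is None:
                return None                         # no route in this VPN: drop
            path.append(entry.out_iface)
            if entry.out_iface in self.sub_iface_vpn:
                return path                         # delivered on a downlink sub-interface
            # Outgoing interface is a virtual interface: the user-to-user policy must be
            # permit (assumed to be enforced here), then continue in the peer VPN.
            if self.policy.get((src_ip, dst_ip)) != "permit":
                return None
            peer = next((n for n, a in self.virt_iface_addr.items() if a == entry.next_hop), None)
            if peer is None:
                return None                         # next hop is not a known virtual interface
            path.append(peer)
            vpn = self.virt_iface_vpn[peer]
        return None


def build_demo_device():
    """Constructed sample: three users, each in its own VPN; only A -> B is provisioned."""
    dev = SecurityDevice()
    dev.attach_user("Eth1/0.10", "10.1.0.1", "vpn-a", "10.1.0.5")   # first user equipment
    dev.attach_user("Eth1/0.20", "10.2.0.1", "vpn-b", "10.2.0.5")   # second user equipment
    dev.attach_user("Eth1/0.30", "10.3.0.1", "vpn-c", "10.3.0.5")   # unrelated user
    dev.virtual_interface_config({
        "first_id": "Virt1", "first_addr": "10.255.0.1", "first_vpn": "vpn-a",
        "second_id": "Virt2", "second_addr": "10.255.0.2", "second_vpn": "vpn-b"})
    dev.routing_config({"virt_iface_id": "Virt1", "src_ue_ip": "10.1.0.5",
                        "dst_ue_ip": "10.2.0.5", "peer_virt_addr": "10.255.0.2"})
    return dev


if __name__ == "__main__":
    dev = build_demo_device()
    print(dev.forward("Eth1/0.10", "10.1.0.5", "10.2.0.5"))  # A -> B crosses Virt1 and Virt2
    print(dev.forward("Eth1/0.20", "10.2.0.5", "10.1.0.5"))  # B -> A: no return route, dropped
    print(dev.forward("Eth1/0.10", "10.1.0.5", "10.3.0.5"))  # A -> C: not provisioned, dropped
```

The point a practitioner should take from the model is the isolation property: because every user sits in its own VPN, a packet can only leave that VPN through a virtual interface that the management server has explicitly paired and routed, and only in the direction for which a route was installed. The reverse direction (B to A) and any unprovisioned pair (A to C) fall through to "no route" and are dropped without ever reaching a policy check.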
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above methods for sending a service packet.
In another embodiment of the present invention, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform any of the methods for sending a service message in the above embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. A method for sending service messages, characterized in that the method is applied to a network device and comprises the following steps:
receiving a virtual interface configuration command sent by a management server, wherein the virtual interface configuration command comprises an identifier of a first virtual interface, an address of the first virtual interface, an identifier of a first VPN corresponding to the first virtual interface, an identifier of a second virtual interface, an address of the second virtual interface and an identifier of a second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring an address of the first virtual interface and an address of the second virtual interface;
establishing a corresponding relation between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing a corresponding relation between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN;
receiving a service message sent by first user equipment, wherein the destination address of the service message is the Internet Protocol (IP) address of second user equipment, and the second user equipment and the first user equipment are user equipment accessing the same security device;
determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment according to a pre-stored first routing forwarding table corresponding to the first user equipment, where the first routing forwarding table includes a corresponding relationship among a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
sending the service message to the second virtual interface according to the first next hop address through the first virtual interface;
and sending the service message to the second user equipment through the second virtual interface.
2. The method according to claim 1, wherein before the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment are determined according to the pre-stored first routing forwarding table corresponding to the first user equipment, the method further comprises:
determining a first VPN corresponding to a first downlink sub-interface according to a pre-stored corresponding relationship between downlink sub-interfaces and VPNs, wherein the first downlink sub-interface is the downlink sub-interface on which the service message was received;
and determining the first routing forwarding table corresponding to the first VPN according to a pre-stored corresponding relationship between VPNs and routing forwarding tables.
3. The method according to claim 1, wherein sending the service message to the second user equipment through the second virtual interface includes:
determining a second VPN corresponding to the second virtual interface according to a pre-stored corresponding relationship between virtual interfaces and VPNs;
determining a second routing forwarding table corresponding to the second VPN according to the pre-stored corresponding relationship between VPNs and routing forwarding tables, wherein the second routing forwarding table includes a corresponding relationship among a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
and sending the service message to the second user equipment through the second downlink sub-interface.
4. The method of claim 1, further comprising:
receiving a routing configuration command corresponding to the first routing forwarding table and sent by a management server, wherein the routing configuration command comprises an identifier of the first virtual interface, an IP address of the second user equipment and an address of the second virtual interface;
adding to the first routing forwarding table a forwarding table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to a permit state.
5. An apparatus for sending a service packet, the apparatus being applied to a security device, the apparatus comprising:
a second receiving module, configured to receive a virtual interface configuration command sent by a management server, where the virtual interface configuration command includes an identifier of a first virtual interface, an address of the first virtual interface, an identifier of a first VPN corresponding to the first virtual interface, an identifier of a second virtual interface, an address of the second virtual interface, and an identifier of the second VPN corresponding to the second virtual interface;
a creation module for creating the first virtual interface and the second virtual interface;
an establishing module, configured to configure an address of the first virtual interface and an address of the second virtual interface, establish a correspondence between the first virtual interface and the first VPN according to an identifier of the first virtual interface and an identifier of the first VPN, and establish a correspondence between the second virtual interface and the second VPN according to an identifier of the second virtual interface and an identifier of the second VPN;
a first receiving module, configured to receive a service message sent by first user equipment, wherein the destination address of the service message is the Internet Protocol (IP) address of second user equipment, and the second user equipment and the first user equipment are user equipment accessing the same security device;
a first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to an IP address of the second user equipment, where the first route forwarding table includes a corresponding relationship between a destination address, an outgoing interface, and a next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is an address of a second virtual interface corresponding to the second user equipment;
a first sending module, configured to send the service packet to the second virtual interface according to the first next hop address through the first virtual interface;
and the second sending module is used for sending the service message to the second user equipment through the second virtual interface.
6. The apparatus of claim 5, further comprising:
a second determining module, configured to determine, according to a pre-stored correspondence between a downstream subinterface and a VPN, a first VPN corresponding to the first downstream subinterface, where the first downstream subinterface is a downstream subinterface for receiving the service packet;
and the third determining module is used for determining the first route forwarding table corresponding to the first VPN according to the preset and stored corresponding relation between the VPN and the route forwarding table.
7. The apparatus of claim 5, wherein the second sending module is specifically configured to:
determining a second VPN corresponding to the second virtual interface according to a preset and stored corresponding relationship between the virtual interface and the VPN;
determining a second routing forwarding table corresponding to a second VPN according to a preset and stored corresponding relationship between the VPN and the routing forwarding table, wherein the second routing forwarding table comprises a corresponding relationship between a destination address, an outgoing interface and a next hop address;
determining a second next hop address corresponding to the IP address of the second user equipment according to the second routing forwarding table, wherein the second next hop address is the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
and sending the service message through the downlink sub-interface.
8. The apparatus of claim 5, further comprising:
a third receiving module, configured to receive a routing configuration command corresponding to the first routing forwarding table and sent by a management server, where the routing configuration command includes an identifier of the first virtual interface, an IP address of the second user equipment, and an address of the second virtual interface;
an adding module, configured to add to the first routing forwarding table a forwarding table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and to set the security policy between the first user equipment and the second user equipment to a permit state.
9. A security device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 4 when executing a program stored in the memory.
10. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 4.
CN201810698539.7A 2018-06-29 2018-06-29 Method and device for sending service message Active CN108768861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810698539.7A CN108768861B (en) 2018-06-29 2018-06-29 Method and device for sending service message

Publications (2)

Publication Number Publication Date
CN108768861A CN108768861A (en) 2018-11-06
CN108768861B true CN108768861B (en) 2021-01-08

Family

ID=63975144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810698539.7A Active CN108768861B (en) 2018-06-29 2018-06-29 Method and device for sending service message

Country Status (1)

Country Link
CN (1) CN108768861B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200559B (en) * 2018-11-19 2022-05-10 中国电信股份有限公司 Routing method and routing device
CN111614536A (en) * 2020-04-20 2020-09-01 视联动力信息技术股份有限公司 Data forwarding method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852214A (en) * 2005-11-02 2006-10-25 华为技术有限公司 Routing method for a virtual private network
CN101599901A (en) * 2009-07-15 2009-12-09 杭州华三通信技术有限公司 Method, system and gateway for remote access to MPLS VPN
CN101626338A (en) * 2009-08-03 2010-01-13 杭州华三通信技术有限公司 Method and device for realizing multiple virtual private network (VPN) instances
CN102082738A (en) * 2011-03-10 2011-06-01 迈普通信技术股份有限公司 Method for extending MPLS VPN access through public network and PE equipment
CN102325073A (en) * 2011-07-06 2012-01-18 杭州华三通信技术有限公司 VPLS (Virtual Private LAN Service)-based packet processing method and device
CN105049316A (en) * 2015-08-26 2015-11-11 华为技术有限公司 Communication method and communication device
CN107959611A (en) * 2016-10-17 2018-04-24 华为技术有限公司 Packet forwarding method, apparatus and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3654168B2 (en) * 2000-09-28 2005-06-02 日本電気株式会社 Interface identification device, interface identification method, and MPLS-VPN service network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant