CN112910784A - Method, device and system for determining route - Google Patents


Info

Publication number
CN112910784A
Authority
CN
China
Prior art keywords
mac
trusted
route
port
network device
Legal status
Granted
Application number
CN201911222498.5A
Other languages
Chinese (zh)
Other versions
CN112910784B (en)
Inventor
刘国梁
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201911222498.5A
Publication of CN112910784A
Application granted
Publication of CN112910784B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/02 Topology update or discovery
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method, a device and a system for determining a route relate to the technical field of communications and can reduce the probability of user service interruption. The method comprises the following steps: a network device receives a first trusted Media Access Control (MAC) route corresponding to a first MAC address of a first user device, and determines one or more trusted MAC routes corresponding to that first MAC address. The first trusted MAC route comprises first identification information, which identifies the first trusted MAC route as a trusted MAC route. The one or more trusted MAC routes include the first trusted MAC route, and correspond respectively to information on one or more trusted ports.

Description

Method, device and system for determining route
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for determining a route.
Background
With the continuous expansion of network scale, network topologies become more and more complex, attacks become more and more frequent, and the Media Access Control (MAC) hopping phenomenon is likely to occur in the network.
When a network device detects that the port corresponding to a certain MAC address hops, a black-hole MAC may be configured to block the traffic of that MAC address, so as to reduce the impact of the MAC hopping. This interrupts the traffic of the MAC address and causes sustained impairment of user services.
Disclosure of Invention
The method, device and system for determining a route provided by the present application can reduce the probability of user service interruption and improve the security and stability of network operation.
To achieve this purpose, the technical solution is as follows:
In a first aspect, the present application provides a method for determining a route, which may be performed by a network device or a component (e.g., a chip) in the network device. The method comprises the following steps: a first network device receives a trusted MAC routing entry issued by a second network device, where the trusted MAC routing entry comprises a Media Access Control (MAC) address, information on a first trusted port corresponding to the MAC address, and indication information, the indication information indicating that the received trusted MAC route is trusted; the first network device forwards a packet based on a determined trusted MAC routing entry, where the determined trusted MAC routing entry belongs to a set of trusted MAC routing entries acquired by the first network device, the MAC addresses in all trusted MAC routing entries in the set are the same, and the set comprises the trusted MAC routing entries issued by the second network device.
The method and device can determine the trusted MAC route based on the trusted port, and the trusted MAC route can serve as the basis for subsequent route determination. Therefore the control end does not need to block the traffic of the designated MAC address, and the continuity of the user service can be ensured.
In one possible design, the information on the first trusted port includes a device identifier of the second network device.
In one possible design, the set of trusted routing entries includes a local trusted routing entry, where the local trusted routing entry includes the MAC address and information on a second trusted port corresponding to the MAC address; the second trusted port is a local trusted port, that is, a port of the first network device, and it is determined to be a local trusted port because, within a predetermined time period, packets whose source address is the MAC address were received only through that port.
After learning a local trusted port, the network device can be triggered to send trusted MAC routes to neighbor network devices, so that the neighbor network devices know that the trusted MAC route is credible and can conveniently forward packets using the trusted route. Furthermore, even if a neighbor network device detects the MAC hop, it can determine the forwarding path of the packet based on the trusted route, and the traffic of the designated MAC does not need to be discarded or blocked; the impact on the user service is thus reduced, and the user service is not continuously damaged.
In one possible design, when the set of trusted MAC routing entries contains more than one entry, the determined trusted MAC routing entry is the entry with the largest sequence number in the set.
Using the trusted MAC route with the largest sequence number as the basis for subsequent packet forwarding can improve the accuracy and reliability of route determination.
In one possible design, the method further includes the first network device obtaining a dynamic MAC routing entry, the dynamic routing entry including the MAC address. When the route types corresponding to the same MAC address include both a dynamic route and a trusted route, the user packet is forwarded preferentially based on the trusted route, which improves the security of network operation.
In one possible design, the method further includes: the first network device acquires a static MAC route corresponding to the MAC address, and forwards the packet according to the static MAC route.
The static MAC route is usually a route configured locally on the device. When a static MAC route and a trusted MAC route exist at the same time, the packet may be forwarded according to the configured static route, so that forwarding conforms to the configuration rules of the device or of the remote device.
In one possible design, the indication information is provided by a flag bit of the MAC change extended community attribute field of a Border Gateway Protocol (BGP) message.
The method and device reuse the existing MAC change extended community attribute field to indicate the trusted MAC route, so no other field needs to be added, which reduces implementation complexity.
In one possible design, the MAC change extended community attribute field further includes a trust enable subfield that identifies that trusted MAC routing is enabled.
Based on this field, the network device can confirm whether the peer supports enabling trusted MAC routing, and it determines the forwarding path of the packet based on the trusted MAC route only when the peer supports trusted MAC routing. When the peer does not support trusted MAC routing, the network device can discard the corresponding packets from the peer without processing them, thereby ensuring the robustness of system operation and improving its efficiency.
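As an added illustration (not the patent's or Huawei's code), the following Python sketch puts the rules of the first aspect together: the local trusted-port condition, discarding a peer's trusted route when the peer has not enabled trusted MAC routing, and the preference static > trusted (largest sequence number) > dynamic. MacRoute, select_route, the sample MAC, ports and peer identifiers are constructed for the example.

```python
# Added example, not the patent's code. Models the first-aspect rules:
# local trusted port, trust-enable check on a peer's route, and route preference.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class MacRoute:
    mac: str
    kind: str                   # "static", "trusted" or "dynamic"
    port: str                   # local port, or device identifier of the issuing peer
    seq: int = 0                # Seq subfield of the MAC change extended community
    trusted_flag: bool = False  # indication information: flag bit marking the route trusted
    trust_enabled: bool = True  # trust enable subfield: peer has trusted MAC routing enabled


def local_trusted_port(observations: Iterable[Tuple[float, str, str]],
                       mac: str, now: float, period_s: float) -> Optional[str]:
    """Return the port that is the *only* port to have received frames whose
    source address is `mac` within the last `period_s` seconds, else None.
    `observations` are (timestamp, source MAC, ingress port) tuples."""
    ports = {port for ts, src, port in observations
             if src == mac and 0 <= now - ts <= period_s}
    return next(iter(ports)) if len(ports) == 1 else None


def accept_remote_trusted(route: MacRoute) -> Optional[MacRoute]:
    """A peer's trusted MAC route is usable only if the peer marks it trusted and
    has trusted MAC routing enabled; otherwise the entry is discarded (None)."""
    if route.kind != "trusted":
        return route
    if route.trusted_flag and route.trust_enabled:
        return route
    return None


def select_route(mac: str, routes: Iterable[MacRoute]) -> Optional[MacRoute]:
    """Preference order from the first aspect: static > trusted (largest Seq) > dynamic."""
    same = [r for r in routes
            if r.mac == mac and accept_remote_trusted(r) is not None]
    for kind in ("static", "trusted", "dynamic"):
        candidates = [r for r in same if r.kind == kind]
        if candidates:
            if kind == "trusted":
                return max(candidates, key=lambda r: r.seq)
            return candidates[0]
    return None


# Constructed sample data (stands in for MAC103 of the description).
MAC103 = "00:11:22:33:44:55"

OBSERVATIONS = [  # constructed: (timestamp in s, source MAC, ingress port)
    (10.0, MAC103, "port1"),
    (40.0, MAC103, "port1"),
    (95.0, "00:aa:bb:cc:dd:ee", "port2"),  # another MAC on port2 does not count
]

REMOTE_ROUTES = [  # constructed: entries issued by peers; port = peer device identifier
    MacRoute(MAC103, "trusted", "PE102", seq=3, trusted_flag=True),
    MacRoute(MAC103, "trusted", "PE103", seq=7, trusted_flag=True, trust_enabled=False),
    MacRoute(MAC103, "dynamic", "PE104", seq=9),
]


def demo(now: float = 100.0, period_s: float = 120.0) -> Optional[MacRoute]:
    """Build the trusted entry set (remote entries plus a local trusted entry if a
    local trusted port was learned) and pick the forwarding route for MAC103."""
    routes = list(REMOTE_ROUTES)
    local = local_trusted_port(OBSERVATIONS, MAC103, now, period_s)
    if local is not None:
        routes.append(MacRoute(MAC103, "trusted", local, seq=0, trusted_flag=True))
    return select_route(MAC103, routes)


if __name__ == "__main__":
    chosen = demo()
    print(f"forward MAC103 via {chosen.kind} route -> {chosen.port} (Seq {chosen.seq})")
```

In the sample, PE103's entry carries the larger sequence number but is dropped because its peer has not enabled trusted MAC routing, so the PE102 entry (Seq 3) wins over the local trusted entry (Seq 0) and the dynamic route.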
In a second aspect, the present application provides an apparatus for determining a route, where the apparatus may be the network device of the first aspect or a component (such as a system on a chip) in that network device. The apparatus includes: a communication unit, configured to receive a trusted MAC routing entry issued by a second network device, where the trusted MAC routing entry includes a Media Access Control (MAC) address, information on a first trusted port corresponding to the MAC address, and indication information, the indication information indicating that the received trusted MAC route is trusted, and further configured to forward a packet based on the determined trusted MAC routing entry; and a processing unit, configured to determine the trusted MAC routing entry, where the determined trusted MAC routing entry belongs to a set of trusted MAC routing entries obtained by the first network device, the MAC addresses in all trusted MAC routing entries in the set are the same, and the set includes the trusted MAC routing entries issued by the second network device.
In one possible design, the information on the first trusted port includes a device identifier of the second network device.
In one possible design, the set of trusted routing entries includes a local trusted routing entry, where the local trusted routing entry includes the MAC address and information on a second trusted port corresponding to the MAC address; the second trusted port is a local trusted port, that is, a port of the first network device, and it is determined to be a local trusted port because, within a predetermined time period, packets whose source address is the MAC address were received only through that port.
In one possible design, when the set of trusted MAC routing entries contains more than one entry, the determined trusted MAC routing entry is the entry with the largest sequence number in the set.
In one possible design, the processing unit is further configured to obtain a static MAC routing entry corresponding to the MAC address, and the communication unit is further configured to forward the packet according to the static MAC routing entry.
In one possible design, the processing unit is further configured to obtain a dynamic MAC routing entry, where the dynamic routing entry includes the MAC address.
In one possible design, the indication information is provided by a flag bit of a MAC change extended community attribute field of a border gateway protocol BGP message.
In one possible design, the MAC change extended community attribute field further includes a trust enable subfield that identifies an enabled trusted MAC route.
In a third aspect, the present application provides an apparatus for determining a route, where the apparatus may be the network device of the first aspect or a component (such as a system on a chip) in that network device. The apparatus includes: a transceiver, configured to receive a trusted MAC routing entry issued by a second network device, where the trusted MAC routing entry comprises a Media Access Control (MAC) address, information on a first trusted port corresponding to the MAC address, and indication information, the indication information indicating that the received trusted MAC route is trusted, and further configured to forward a packet based on the determined trusted MAC route; and a processor, configured to determine the trusted MAC routing entry, where the determined trusted MAC routing entry belongs to a set of trusted MAC routing entries obtained by the first network device, the MAC addresses in all trusted MAC routing entries in the set are the same, and the set includes a trusted MAC routing entry issued by the second network device.
In one possible design, the information on the first trusted port includes a device identifier of the second network device.
In one possible design, the set of trusted routing entries includes a local trusted routing entry, where the local trusted routing entry includes the MAC address and information on a second trusted port corresponding to the MAC address; the second trusted port is a local trusted port, that is, a port of the first network device, and it is determined to be a local trusted port because, within a predetermined time period, packets whose source address is the MAC address were received only through that port.
In one possible design, when the set of trusted MAC routing entries contains more than one entry, the determined trusted MAC routing entry is the entry with the largest sequence number in the set.
In one possible design, the processor is further configured to determine a static MAC routing entry corresponding to the MAC address, and the transceiver is further configured to forward the packet according to the static MAC routing entry.
In one possible design, the processor is further configured to obtain a dynamic MAC routing entry, the dynamic routing entry including the MAC address.
In one possible design, the indication information is provided by a flag bit of a MAC change extended community attribute field of a border gateway protocol BGP message.
In one possible design, the MAC change extended community attribute field further includes a trust enable subfield that identifies an enabled trusted MAC route.
In a fourth aspect, the present application provides a route determination device having the function of implementing the route determination method according to any design of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In a fifth aspect, the present application provides a route determining apparatus, including: a processor and a memory; the memory is configured to store computer-executable instructions, and when the route determination device is operating, the processor executes the computer-executable instructions stored in the memory to cause the route determination device to perform the route determination method as designed in any one of the above first aspects.
In a sixth aspect, the present application provides a route determining apparatus, including: a processor; the processor is configured to be coupled to the memory, and after reading the instructions in the memory, execute the route determination method according to any one of the above first aspects according to the instructions.
In a seventh aspect, the present application provides a computer-readable storage medium, having stored therein instructions, which, when run on a computer, enable the computer to execute the route determination method designed in any of the first aspects.
In an eighth aspect, the present application provides a computer program product containing instructions which, when run on a computer, enable the computer to perform the route determination method as designed in any of the first aspects above.
In a ninth aspect, the present application provides a chip comprising a processor. The processor is coupled to a memory, the memory storing program instructions that, when executed by the processor, implement the route determination method as designed in any of the first aspects above.
In a tenth aspect, the present application provides a route determining system, where the system includes a first network device and a second network device, where the first network device may be, for example, the second network device in the first aspect, and the second network device may be, for example, the first network device in the first aspect.
The first network device is configured to issue a trusted MAC routing entry, where the trusted MAC routing entry includes a Media Access Control (MAC) address, information on a first trusted port corresponding to the MAC address, and indication information, the indication information indicating that the received trusted MAC route is trusted;
the second network device is configured to receive the trusted MAC routing entry issued by the first network device, and to forward a packet based on a determined trusted MAC routing entry, where the determined trusted MAC routing entry belongs to a trusted MAC routing entry set acquired by the second network device, the MAC addresses in all trusted MAC routing entries in the set are the same, and the set comprises the trusted MAC routing entries issued by the first network device.
In one possible design, the trusted MAC routing entry set obtained by the second network device includes a local trusted routing entry, where the local trusted routing entry includes the MAC address and information on a second trusted port corresponding to the MAC address; the second trusted port is a local trusted port, that is, a port of the second network device, and it is determined to be a local trusted port because, within a predetermined time period, packets whose source address is the MAC address were received only through that port.
The technical effects brought by any one of the design manners in the second aspect to the tenth aspect can be referred to the technical effects brought by the different design manners in the first aspect, and are not described herein again.
Drawings
Fig. 1 is a schematic diagram of a MAC hopping principle provided in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a MAC change extended community attribute field according to an embodiment of the present application;
Fig. 3 is a schematic architecture diagram of a communication system according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an apparatus provided in an embodiment of the present application;
Fig. 5 is a schematic flowchart of a route determining method according to an embodiment of the present application;
Fig. 6 (a) to Fig. 6 (c) are schematic scene diagrams of a route determining method provided in an embodiment of the present application;
Fig. 7 (a) to Fig. 7 (b) are schematic diagrams of MAC routing provided in an embodiment of the present application;
Fig. 8 is a schematic flowchart of another route determination method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a route determining apparatus according to an embodiment of the present application.
Detailed Description
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
"at least one" means one or more, "a plurality" means two or more.
"and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, technical terms related to embodiments of the present application will be described.
MAC address table: used to guide the network device to select the corresponding port for a packet addressed to a specified MAC address and to forward the packet from that port. The MAC address table may include a plurality of MAC address table entries (items), each including at least a MAC address and a corresponding port. For example, if MAC address 1 corresponds to port 1, meaning that the user equipment with MAC address 1 is connected to port 1 of the network device, then the network device sends a packet addressed to the user equipment with MAC address 1 through port 1.
MAC hopping (flipping), which may also be referred to as MAC drift (mobility): when the port corresponding to the same MAC address in the MAC address table of a network device changes, MAC hopping may have occurred. In some cases the MAC hop is caused by an actual loop in the network, and such a loop can cause abnormalities such as slow network and application access, packet loss, and even failure to provide services normally. In other cases there is no real loop in the network, and an attack or the like causes the MAC hops.
To discover MAC hopping, the network device may indicate the hopping MAC through the MAC change extended community attribute (MAC mobility extended community) of a Border Gateway Protocol (BGP) message. When a certain MAC address hops a preset number of times within a preset time, a MAC hop is deemed to have occurred. Specifically, each time the sequence number carried in the MAC change extended community attribute field is increased by 1, one hop is counted.
As shown in Fig. 1, in an EVPN, Provider Edge (PE) devices PE101 and PE102 first establish a neighbor relationship; PE101 is connected to user device 104 and PE102 is connected to pseudo user device 105. The user device 104 and the pseudo user device 105 have the same MAC address, MAC103. The user device 104 and the pseudo user device 105 generate traffic that triggers PE101 and PE102, respectively, to perform MAC learning.
1) PE101 receives the traffic of user device 104, whose MAC address is MAC103, and the traffic triggers PE101 to learn MAC103, that is, to learn the PE101 port corresponding to MAC103. PE101 may update the MAC address table entry in its MAC address table based on the MAC learning result.
2) PE101 issues a MAC103 route (MAC103 Route) to PE102.
The MAC103 route includes a MAC change extended community attribute field, whose structure is shown in Fig. 2. The MAC change extended community attribute field includes a type subfield (general field value 0x06), a sub-type subfield (general field value 0x00), a flags subfield, a reserved subfield and a sequence number (Seq) subfield. The field value of the Seq subfield may differ between MAC change extended community attribute fields and can be used to distinguish different MAC routes. As a possible implementation, when PE101 learns MAC103 at the port connected to user device 104, PE101 sends the MAC103 route to PE102 with a Seq subfield value of 0. PE101 also forms a local MAC route corresponding to MAC103, which includes MAC103 and the corresponding port; the sequence number of the local MAC route is also 0.
Through this step, PE101 sends the routing information of MAC103 to its neighbor. The routing information includes the MAC change extended community attribute field and may also include the identity information of PE101, so that the neighbor points the port of MAC103 to PE101; that is, when the neighbor knows of a packet whose destination address is MAC103, it may forward the packet to the user device corresponding to MAC103 through the tunnel 110 between PE101 and the neighbor. As a possible implementation, the neighbor may update the address table entry corresponding to MAC103 in its local MAC address table according to the routing information of MAC103, that is, change the port corresponding to MAC103 to PE101.
Accordingly, PE102 receives the MAC103 route from PE101.
3) PE102 receives MAC103 traffic from pseudo user device 105, which triggers learning of MAC103 and updates the local MAC address table entry corresponding to MAC103. In this case, because PE102 already holds a MAC address table entry for MAC103, obtained from the MAC103 route sent by PE101 (i.e. step 2), PE102 increases the locally stored Seq value to 1.
4) PE102 issues the MAC103 route to PE101, with the Seq subfield value 1.
5) PE101 continues to receive MAC103 traffic from user device 104, which triggers relearning of MAC103 and updates the local MAC address table entry corresponding to MAC103. Because the address table entry corresponding to MAC103 has already been stored in PE101 through the above steps, PE101 increases the locally stored Seq value from 1 to 2.
6) PE101 issues the MAC103 route to PE102, with the Seq subfield value 2.
As can be seen from the above steps, the MAC103 route is sent back and forth between PE101 and PE102 multiple times, and the field value of the Seq subfield in the MAC103 route is incremented each time. When PE101 or PE102 detects a MAC103 route with Seq reaching a preset value (e.g. 5) within a preset time (e.g. 180 seconds (s)), that is, 5 hops are detected within 180 s, a MAC hop is deemed to have occurred.
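To make the sequence-number mechanism of steps 1) to 6) concrete, the following Python model is an added example (not code from the patent or from Huawei): it encodes the MAC change extended community with the field order given above, using the 1/1/1/1/4-byte widths of the EVPN MAC Mobility extended community (RFC 7432), which the text does not state, and applies the "Seq reaching 5 within 180 s" rule. The PE class, simulate_fig1 and the port names are constructed.

```python
# Added example, not the patent's code: the Fig. 1 MAC103 exchange between
# PE101 and PE102 with the MAC change (MAC mobility) extended community.
import struct
from collections import defaultdict
from dataclasses import dataclass, field

TYPE_EVPN = 0x06             # type subfield ("general field value is 0x06")
SUBTYPE_MAC_MOBILITY = 0x00  # sub-type subfield ("general field value is 0x00")


def encode_mac_mobility(flags: int, seq: int) -> bytes:
    """8-byte extended community: type, sub-type, flags, reserved, 4-byte Seq
    (widths per RFC 7432; the description only gives the field order)."""
    return struct.pack("!BBBBI", TYPE_EVPN, SUBTYPE_MAC_MOBILITY, flags & 0xFF, 0, seq)


def decode_mac_mobility(data: bytes):
    """Return (flags, seq); reject a community of another type/sub-type."""
    typ, sub, flags, _reserved, seq = struct.unpack("!BBBBI", data)
    if typ != TYPE_EVPN or sub != SUBTYPE_MAC_MOBILITY:
        raise ValueError("not a MAC mobility extended community")
    return flags, seq


@dataclass
class PE:
    name: str
    hop_limit: int = 5        # preset number of hops (text: e.g. 5)
    window_s: float = 180.0   # preset time (text: e.g. 180 s)
    table: dict = field(default_factory=dict)                      # mac -> (port/peer, seq)
    hops: dict = field(default_factory=lambda: defaultdict(list))  # mac -> hop timestamps

    def learn_local(self, mac: str, port: str, now: float) -> bytes:
        """Traffic with source `mac` arrives on a local port (steps 1, 3, 5).
        An existing entry means the MAC moved, so Seq is increased by 1."""
        if mac in self.table:
            seq = self.table[mac][1] + 1
            self.hops[mac].append(now)
        else:
            seq = 0                       # first learning: Seq starts at 0
        self.table[mac] = (port, seq)
        return encode_mac_mobility(0, seq)  # MAC route issued to the neighbour (steps 2, 4, 6)

    def receive_route(self, mac: str, peer: str, community: bytes, now: float) -> None:
        """Neighbour's MAC route: repoint `mac` at the peer; a higher Seq is one hop."""
        _, seq = decode_mac_mobility(community)
        if mac in self.table:
            if seq <= self.table[mac][1]:
                return                    # stale or duplicate route, ignore
            self.hops[mac].append(now)
        self.table[mac] = (peer, seq)

    def hop_detected(self, mac: str, now: float) -> bool:
        """True when at least hop_limit hops for `mac` fell inside the last window_s seconds."""
        recent = [t for t in self.hops[mac] if now - t <= self.window_s]
        return len(recent) >= self.hop_limit


def simulate_fig1(n_learn: int, step_s: float = 10.0):
    """Alternate MAC103 traffic at PE101 (user device 104) and PE102 (pseudo user
    device 105) n_learn times, step_s seconds apart. Returns the advertised Seq
    values and each PE's hop verdict at the end."""
    pe101, pe102 = PE("PE101"), PE("PE102")
    mac = "MAC103"
    ports = {pe101.name: "port-to-104", pe102.name: "port-to-105"}  # constructed names
    learner, other = pe101, pe102
    now, seqs = 0.0, []
    for _ in range(n_learn):
        route = learner.learn_local(mac, ports[learner.name], now)
        seqs.append(decode_mac_mobility(route)[1])
        other.receive_route(mac, learner.name, route, now)
        learner, other = other, learner
        now += step_s
    return seqs, pe101.hop_detected(mac, now), pe102.hop_detected(mac, now)


if __name__ == "__main__":
    print(simulate_fig1(6))              # Seq 0..5 within 60 s: both PEs flag a MAC hop
    print(simulate_fig1(6, step_s=50.0))  # same Seq values spread over 300 s: no hop
```

Spacing the same six learning events 50 s apart keeps only three hops inside any 180 s window, which is why the second run reports no MAC hop although Seq still reaches 5.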
Currently, when PE101 detects that a certain MAC hops a preset number of times within a preset time, there are two general processing manners: 1. PE101 generates an alarm, for example to the network manager. 2. PE101 issues a black-hole MAC address (such as MAC103) to block the MAC103 traffic. A black-hole MAC is a MAC address that poses a potential threat to the network, that is, a MAC address that the network does not trust; packets from the black-hole MAC address are discarded.
Of these two processing modes, although the alarm mode can report the MAC hop in the network to the network manager, the network manager must manually troubleshoot the specific cause of the network abnormality, and the operation and maintenance cost is high. Although issuing a MAC black hole and blocking the specified MAC traffic can effectively isolate the untrusted MAC, it may also block the traffic of a normal user; for example, the traffic of the normal user PC104 may be blocked by mistake because of the attack behaviour of the attacker PC105. That is, when a MAC hop occurs, the traffic of the specified MAC address is blocked directly, which may cause service failure.
In order to solve the above technical problem, embodiments of the present application provide a method for determining a route, which may be applied in a network requiring route determination, such as an EVPN network. Fig. 3 shows the architecture of an EVPN network 30 to which the technical solution of the present embodiment is applied. The EVPN network includes at least two network devices (e.g., network device 310 and network device 320 are shown) and user devices (e.g., user device 330 and user device 340 are shown).
The network devices can be interconnected by establishing an EVPN neighbor relationship, and one network device can be connected with one or more user devices.
EVPN neighbors generally refer to the neighbor relationships between PE devices. EVPN neighbors may also communicate through an established tunnel (such as tunnel 350 shown in Fig. 3); the tunnel may be, for example, a Label Distribution Protocol (LDP) tunnel, a Virtual Extensible Local Area Network (VXLAN) tunnel, or the like.
The network device determines, according to the MAC address table, through which port a packet of the user device is sent. In a specific implementation, the network device may be any device having a routing function, such as a router or a switch, operating as a PE device. The device with the routing function may be a stand-alone device or a component in a stand-alone device, such as a chip.
The user device can trigger the network device to learn the MAC. In a specific implementation, the user device may be, for example, a desktop computer, a mobile phone, a tablet computer (Pad) or other user terminal device. Alternatively, the user device may be a Customer Edge (CE) device or the like.
The system architecture and the service scenario described in this application are for more clearly illustrating the technical solution of this application, and do not constitute the only limitation to the technical solution provided in this application, and it can be known by those skilled in the art that the technical solution provided in this application is also applicable to similar technical problems along with the evolution of the system architecture and the appearance of new service scenarios.
Optionally, the user device and the network device in the embodiments of the present application may be implemented by different devices. For example, both may be implemented by a communication device having the structure shown in Fig. 4, which is a schematic diagram of the hardware structure of a communication device according to an embodiment of the present application. The communication device 400 includes at least one processor 401, communication lines 402, a memory 403 and at least one transceiver 404. The memory 403 may also be included in the processor 401.
The processor 401 may be implemented as one or more processing units, such as a Central Processing Unit (CPU), an application-specific integrated circuit (ASIC), or as one or more integrated circuits configured to control the execution of programs in accordance with the teachings of the present application.
The communication link 402 may include a path for communicating information between the aforementioned components.
A transceiver 404 for communicating with other devices. In the embodiments of the present application, the transceiver may be a module, a circuit, an interface or other apparatuses capable of implementing a communication function, and is used for communicating with other devices. Alternatively, the transceiver may be a separately provided transmitter that can be used to transmit information to other devices, or a separately provided receiver that can be used to receive information from other devices. The transceiver may also be a component that integrates information sending and receiving functions, and the embodiment of the present application does not limit the specific implementation of the transceiver.
The memory 403 may be a read-only memory (ROM) or other type of memory module capable of storing static information and instructions, a Random Access Memory (RAM) or other type of memory module capable of dynamically storing information and instructions, or an electrically erasable programmable read-only memory (EEPROM), an optical disc, a magnetic disc, or other magnetic storage devices. The memory may be separate and coupled to the processor via a communication line 402. The memory may also be integral to the processor.
The memory 403 is used for storing, among other things, computer executable instructions that can be called by one or more processing units in the processor 401 to perform the respective steps in the respective methods provided by the embodiments described below.
Optionally, the computer-executable instructions in the embodiments of the present application may also be referred to as application program codes, instructions, computer programs, or by other names, which are not specifically limited in the embodiments of the present application.
In particular implementations, communication device 400 may include multiple processors, such as processor 401 and processor 407 in fig. 4, for example, as an embodiment. Each of these processors may be a single core processor or a multi-core processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In particular implementations, communication device 400 may also include an output device 405 and an input device 406, as one embodiment. An output device 405 is in communication with the processor 401 and may display information in a variety of ways. For example, the output device 405 may be a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display device, a Cathode Ray Tube (CRT) display device, a projector (projector), or the like. The input device 406 is in communication with the processor 401 and may receive user input in a variety of ways. For example, the input device 406 may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
An exemplary block diagram of a communication device is shown in fig. 4. It should be understood that the illustrated communication device is merely an example, and in actual practice a communication device may have more or fewer components than shown in fig. 4, may combine two or more components, or may have a different configuration of components.
The communication device 400 may be a general-purpose device or a special-purpose device, and the embodiment of the present application does not limit the type of the communication device 400. The user equipment or the network device may be a device having a similar structure as in fig. 4.
The embodiment of the application provides the concept of a trusted port. Trusted ports may be divided into two categories. The first category of trusted port is a local port of the network device, where a local port may be a physical interface or a logical interface (e.g., a link aggregation port). A network device has one or more local ports for receiving messages from user devices. If, within a preset time period (for example, 60s), the network device receives the packets of user equipment A only on local port A, and none of the other local ports receives a packet of user equipment A, local port A may be determined as the local trusted port corresponding to the MAC address of user equipment A. For example, in fig. 6 (a), if PE101 receives messages sent by user equipment 602 only on port 621 of PE101 within the preset time period, PE101 determines that port 621 is the local trusted port (also referred to as a trusted interface) corresponding to user equipment 602. Subsequently, PE101 can send messages to user device 602 through the trusted interface port 621.
A second type of trusted port corresponds to the device identification of an EVPN neighbor, such as the Internet Protocol (IP) address of the EVPN neighbor. Still taking fig. 6 (a) as an example, after PE101 determines that the local trusted port corresponding to user device 602 is port 621, PE101 sends a trusted MAC route to its EVPN neighbors, including PE102. The trusted MAC route includes the MAC address of user device 602 and trusted port information corresponding to that MAC address, which may be, for example, the IP address of PE101. This trusted MAC route informs PE102 that PE101 has learned a local trusted port for the MAC address. PE102 may therefore use the EVPN neighbor PE101 as a trusted port (also referred to as a trusted neighbor), and forward messages to user device 602 through that trusted port, i.e., trusted neighbor PE101. Because PE102 is notified of its trusted neighbor (i.e., PE101) only after PE101 has determined a local trusted port, forwarding packets through the trusted neighbor improves forwarding accuracy.
In the above implementation, the trusted ports of the network device may include a local trusted port, which is simply referred to as a local trusted port (or called a local trusted interface, a trusted local port, etc.), and a trusted neighbor. In other possible implementation manners, other types of ports and the corresponding trusted judgment mechanism may also be set in combination with the actual scenario.
The following describes a route determination method provided in an embodiment of the present application with reference to the drawings.
Referring to fig. 5, mainly taking network devices as PEs, a first network device as PE101, a second network device as PE102, and the PE101 sends a MAC route to the PE102 as an example, the route determining method provided in the embodiment of the present application includes the following steps:
S501, the first network device determines a local trusted port corresponding to the MAC address of the user equipment.
As a possible implementation, the local trusted port is the only port through which the first network device receives messages from the first user equipment within a predetermined period.
First, the mechanism for determining a local trusted port is explained. Taking PE101 as an example, the local trusted port on PE101 corresponding to a certain MAC address is a port that receives, within a predetermined period of time, the messages sent by the user equipment corresponding to that MAC address. That is, during the predetermined period, PE101 receives messages of the MAC address only through that port, and does not receive messages of the MAC address from any other port in the meantime. As a possible implementation, after receiving the first message sent by the user equipment corresponding to the MAC address, PE101 determines the port that received the first message and starts a timer; if, before the timer expires (that is, within the predetermined period), PE101 does not receive a message of the MAC address from another port, that port is used as the local trusted port. It should be noted that, as one possible scenario, before the timer expires PE101 may continuously receive multiple messages of the MAC address through the local trusted port while receiving none of them from other ports. As another possible scenario, for example due to a traffic burst of the user equipment, it may also happen that after PE101 starts the timer, PE101 receives only the first packet of the MAC address through the port, receives no other packet on that port within the preset period, and also receives no packet of the MAC address from other ports.
In a preset time period, the PE101 only receives a message from a certain MAC address through the local trusted port, which indicates that the probability that the PE101 receives the MAC address message through the local trusted port is high in the preset time period, and according to the characteristics of the local trusted port, it can be inferred that the success rate of the PE101 sending the message to the MAC address through the local trusted port is correspondingly increased when a route is subsequently determined. Therefore, the subsequent message forwarding of the PE101 can be guided according to the characteristics of the local trust port. That is, when determining the route subsequently, the PE101 may continue to send the message of the MAC address through the local trusted port, so as to improve the success rate of sending the message to the specified MAC address.
For example, as shown in fig. 6 (a), PE101 determines a local trusted port, i.e., port621, corresponding to the MAC 612 address of user device 602 based on the mechanism for learning local trusted ports described above. The PE101 may also learn local trusted ports corresponding to other MAC addresses, such as the local trusted port623 corresponding to the MAC 611 address of the user device 601 in fig. 6 (a), in a similar manner.
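The local trusted-port rule of S501, as an added example that is not the patent's own code: the port receiving the first frame for a MAC address starts the preset timer, and becomes the local trusted port only if no other port saw that MAC before the timer expired. Class and method names are hypothetical and the replayed frames are constructed from the fig. 6 scenarios.

```python
"""Added example (not the patent's code): local trusted-port learning (S501)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class _Observation:
    first_port: str                  # port that received the first frame
    started_at: float                # time the timer was started
    ports_seen: Set[str] = field(default_factory=set)


class LocalTrustedPortLearner:
    """Hypothetical per-device learner; `window` is the preset period (60 s)."""

    def __init__(self, window: float = 60.0) -> None:
        self.window = window
        self._pending: Dict[str, _Observation] = {}   # MAC -> running timer
        self.trusted: Dict[str, str] = {}             # MAC -> local trusted port

    def observe(self, mac: str, port: str, now: float) -> None:
        """Record a frame with source `mac` received on `port` at time `now`."""
        self.tick(now)
        obs = self._pending.get(mac)
        if obs is None:
            # first frame for this MAC: remember the port and start the timer
            self._pending[mac] = _Observation(port, now, {port})
        else:
            obs.ports_seen.add(port)

    def tick(self, now: float) -> None:
        """Expire timers and decide for every MAC whose period has elapsed."""
        for mac, obs in list(self._pending.items()):
            if now - obs.started_at >= self.window:
                del self._pending[mac]
                if len(obs.ports_seen) == 1:
                    self.trusted[mac] = obs.first_port
                else:
                    # seen on several ports (e.g. a duplicated MAC): not trusted
                    self.trusted.pop(mac, None)

    def age_out(self, mac: str) -> None:
        """The user device went offline and its entry aged; a later
        re-learning may yield a different local trusted port."""
        self.trusted.pop(mac, None)
        self._pending.pop(mac, None)

    def local_trusted_mac_route(self, mac: str) -> Optional[dict]:
        """The local trusted MAC route of S502: the MAC plus its local trusted port."""
        port = self.trusted.get(mac)
        return None if port is None else {"mac": mac, "port": port}


def constructed_scenario() -> dict:
    """Replays fig. 6 (a) and fig. 6 (c) with constructed timestamps."""
    pe101 = LocalTrustedPortLearner()
    pe101.observe("MAC612", "port621", 0.0)
    pe101.observe("MAC612", "port621", 30.0)
    pe101.tick(60.0)                            # only port621 seen -> trusted
    pe102 = LocalTrustedPortLearner()
    pe102.observe("MAC612", "port625", 0.0)     # device 603 using the same MAC
    pe102.observe("MAC612", "port624", 5.0)     # real device 602 via PE101
    pe102.tick(60.0)                            # two ports -> no local trusted port
    return {"PE101": pe101.local_trusted_mac_route("MAC612"),
            "PE102": pe102.local_trusted_mac_route("MAC612")}
```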
S502, the first network device determines a local trusted MAC route based on the local trusted port.
The local trusted MAC route corresponds to the information of the local trusted port, that is, the local trusted port information corresponds to the local trusted MAC route. Specifically, the local trusted MAC route includes the information of the local trusted port. In other words, the local trusted MAC route consists of the first MAC address, the local trusted port, and possibly some other information.
In an embodiment of the application, the first network device may determine a locally trusted MAC route based on the determined locally trusted port. Wherein the locally trusted MAC route includes a locally trusted port and a corresponding MAC address. Also, in some cases, the first network device may update the MAC address table based on the local trusted MAC route. For example, taking PE101 as an example, PE101 updates an address table entry corresponding to the local trusted MAC route in a MAC address table.
The above mainly takes the PE101 to determine the local trusted MAC route corresponding to the MAC 612 address of the user equipment 602 as an example, and a specific implementation process of determining the local trusted MAC route by the network device is described. PE101 may also determine local trusted MAC routes corresponding to other MAC addresses in a similar manner. For example, referring to fig. 6 (a), PE101 determines a local trusted MAC route 643 corresponding to the MAC 611 address of the user device 601.
Similarly, other network devices in the network, such as PE102, may also employ the same mechanism to determine a locally trusted MAC route.
S503, the first network device determines a first trusted MAC route corresponding to the MAC address, and the first network device issues the first trusted MAC route.
The first trusted MAC route includes the MAC address and information of a first trusted port corresponding to the MAC address. The first trusted port may be a remote trusted port, and the information of the first trusted port identifies the first network device as a trusted EVPN neighbor. It can be understood that the first trusted MAC route is the trusted MAC route sent to the neighbor network device after the first network device determines its local trusted port; the first trusted port information in that route indicates that packets can be sent to the user device corresponding to the MAC address through the first network device, rather than directly carrying the information of the local trusted port on the first network device. The information of the first trusted port may be, for example, the IP address of the first network device.
The first trusted MAC route further includes indication information indicating that the first trusted MAC route is a trusted MAC route. After receiving the first trusted MAC route, the second network device determines, based on the information carried by the route, that a message can be sent to the user equipment corresponding to the MAC address through the first network device.
As a possible implementation, the indication information is carried in a flag bit (flags) subfield of the MAC change extended community attribute field. Wherein a field value of the flags subfield can be represented by 2 bits. For example, 00 (corresponding to 0 decimal) represents normal (normal) MAC routing, 01 (corresponding to 1 decimal) represents sticky (sticky) MAC routing, and 10 (corresponding to 2 decimal) represents trusted MAC routing. The first identification information carried by the first trusted MAC route may be 10, which is used to represent that the first trusted MAC route is a trusted MAC route. Of course, more bits may also be used to identify the field value of the flags subfield, and different combinations of bits may indicate different meanings, such as 10 identifying trusted MAC routes. Of course, in other implementation manners, the trusted MAC route or the normal MAC route may also be identified by 11 or other bit combinations, which is not limited in this embodiment of the present application.
Optionally, the first trusted MAC route further includes identity information of the first network device, for example the device identifier of the first network device, which characterizes the identity of the first network device. Referring to fig. 6 (a), taking the example that PE101 sends a first trusted MAC route (i.e., trusted MAC route 641 shown in fig. 6 (a)) to PE102, the first trusted MAC route includes a MAC change extended community attribute field with a flags value of 2 and the identity information of PE101. Thus, based on the identity information (e.g., device identifier or IP address of PE101) in the first trusted MAC route, PE102 determines that PE101 is a second-type trusted port, i.e., a trusted neighbor, corresponding to the MAC 612 address. Referring to fig. 7 (a), PE102 may obtain the trusted MAC route corresponding to the MAC 612 address and update the trusted port corresponding to the MAC 612 address to be the trusted neighbor PE101.
In this case, the first trusted MAC route carries identity information of the first network device, which means that the first trusted MAC route corresponds to the second type of trusted port, i.e., the first trusted MAC route may also correspond to a trusted neighbor, i.e., the first network device.
In other possible implementations, the first trusted MAC route may not include identity information of the first network device. In this case, the identity information of the first network device may be sent to the second network device via other messages to inform the second network device of the trusted neighbor of the second network device.
In the embodiment of the present application, for a certain network device, the trusted MAC route includes two types:
the first type of trusted MAC route is the above-mentioned local trusted MAC route of the network device, that is, after the network device learns the local trusted port, the local trusted MAC route is generated or updated.
The second type of trusted MAC route is a far-end MAC route from other network devices. I.e., the MAC route sent to the network device after the neighbor network device learns the trusted port thereon, the MAC route sent by the neighbor network device can be used as the trusted MAC route of the network device. In the embodiment of the present application, a remote trusted MAC route needs to carry specific identification information for indicating that the remote MAC route is a trusted MAC route. For example, the value of the flags subfield in the far-end MAC route is 10 (i.e., 2 decimal). Optionally, the remote MAC route further includes identity information of the sending end.
The specific implementation manner of determining the remote trusted MAC route is mainly described above by taking the PE101 to determine the remote trusted MAC route corresponding to the MAC 612 address, that is, the MAC 612 route as an example. Other network devices in the network, such as PE102, may also determine the far-end trusted MAC route that it sends to the neighbor in a similar manner.
Take the second network device as PE102 shown in fig. 6 (a) as an example.
After learning the local trusted port corresponding to the MAC 612 address, the PE101 generates a local trusted MAC route. PE101 may also determine a first trusted MAC route corresponding to the MAC 612 address, which may be a remote trusted MAC route for PE102, and send the first trusted MAC route to PE 102. As described above, the first trusted MAC route needs to carry indication information (i.e., field value of flags subfield) for indicating that the first trusted MAC route is a trusted MAC route. After receiving the first trusted MAC route, PE102 reads a field value of the flags subfield in the first trusted MAC route, for example, the value is 10 (corresponding to decimal 2), and determines that the first trusted MAC route is a trusted MAC route from a remote end. And PE102 reads the identity information in the first trusted MAC route to learn that it is a trusted neighbor PE101 from the first trusted MAC route. In some cases, PE102 may also update the MAC address table based on the first trusted MAC route, for example, PE102 adds the remote trusted route in fig. 7 (a) and identifies that the trusted port corresponding to the MAC 612 address is updated as the trusted neighbor PE 101.
In this step, the specific implementation manner of sending the remote trusted MAC route is mainly described by taking the case that the PE101 sends the remote trusted MAC route, i.e., the trusted MAC route 641, to the PE 102. Other network devices in the network, such as PE102, may also send far-end trusted MAC routes to neighbors in a similar manner. For example, PE102 may also send PE101 its locally determined trusted MAC route.
S504, the second network device obtains one or more trusted MAC routes corresponding to the MAC address.
The one or more trusted MAC routes include the first trusted MAC route from the remote end (i.e., PE101) and/or a local trusted MAC route of PE102, each corresponding to the MAC address. The one or more trusted MAC routes correspond respectively to the information of one or more trusted ports. The trusted port corresponding to a local trusted MAC route is a local trusted port. As introduced above, for the second network device the local trusted port is the port that, during a predetermined period, is the only port to receive messages sent by the user equipment corresponding to the MAC address. The trusted port corresponding to a remote trusted MAC route is the remote EVPN neighbor network device.
The mechanism for obtaining the local trusted MAC route is as described above for PE101. For example, referring to fig. 6 (c), when user equipment 603 goes online, PE102 learns a local MAC route corresponding to the forged MAC 612 address based on the messages sent by user equipment 603. In one case, when both user equipment 602 and user equipment 603 are online, since user equipment 602 can continue to perform services, the traffic of user equipment 602 can pass through PE101 and be sent to PE102 through port 624 of PE102. Thus, within the predetermined period, PE102 receives messages of the MAC 612 address not only through port 625 but also through port 624, and neither port 624 nor port 625 satisfies the condition of a trusted port. In this case, PE102 does not learn a local trusted port, i.e., there is no local trusted MAC route corresponding to a local trusted port.
In another case, with continued reference to fig. 6 (b), the user device 602 may not be online, resulting in the PE102 failing to learn, within a certain period, a trusted MAC route through its EVPN neighbor PE101 that can send messages to the user device 602. Thus, during a predetermined period of time, PE102 may only receive messages for MAC 612 addresses via port625, and PE102 may, for a short period of time, regard port625 as its local trusted port and determine a local trusted MAC route 642 that includes local trusted port625 and the corresponding MAC 612 address. The local trusted MAC route corresponds to local trusted port 625. PE102 may update the MAC address table based on the locally trusted route for a short period of time. It should be noted that, in this case, although the PE102 may use the learned port625 as a local trusted port in a short period of time and trigger it to send a remote MAC trusted route to the PE101 through the tunnel 631, it does not mean that the PE101 must subsequently forward a message of the MAC 612 through the tunnel 631. Specifically, as time advances, the PE101 continuously updates trusted MAC routes (including local trusted MAC routes and trusted MAC routes from a remote end), and forwards the packet of the MAC 612 according to the latest trusted MAC route, so as to improve forwarding accuracy. For example, when the user device 602 accessing the PE101 goes online, the PE101 is triggered to learn a local trusted MAC route corresponding to the MAC 612 and update a local MAC address table.
PE102 obtains a far-end trusted MAC route, e.g., see fig. 6 (a), which may be implemented as: PE101 learns a locally trusted MAC route corresponding to the MAC 612 address, including local trusted port621, based on the traffic of the user device 602, e.g., the first packet, and sends trusted MAC route 641 to PE 102. The trusted port corresponding to the trusted MAC route 641 may be a trusted neighbor, i.e., PE 101. PE102 may update the MAC address table based on the remote MAC 612 route.
In this step, a specific implementation manner of determining the trusted MAC route is mainly described by taking, as an example, the PE102 determines one or more trusted MAC routes (including a local trusted MAC route and a remote trusted MAC route) corresponding to the MAC 612 address of the user equipment 602. Other network devices in the network, such as PE101, may also determine a trusted MAC route corresponding to a certain MAC address in a similar manner.
It should be noted that, for a certain network device, after the user equipment is disconnected, the local trusted MAC route corresponding to the user equipment may age, and after the user equipment is connected again, the network device may relearn the local trusted MAC route corresponding to the user equipment. That is, the local trust port corresponding to the user device may change.
In some possible implementations, the route determining method shown in fig. 5 may further include:
S505, the second network device determines one trusted MAC route among the one or more trusted MAC routes, and the second network device forwards the user message based on the determined trusted MAC route.
In the embodiment of the present application, as described above, since the trusted MAC route is a route obtained based on the trusted port, a message of a specific user equipment is sent through the trusted port, and the sending success rate is high. But sometimes the second network device may obtain multiple trusted MAC routes including a local trusted route and a remote trusted route. At this point, PE102 determines a trusted MAC route from the one or more trusted MAC routes and sends a message to user device 602 based on the determined trusted MAC route. For example, from the first trusted MAC route and the local trusted MAC route shown in fig. 7 (a), PE102 determines that a message needs to be sent to user equipment 602 based on the first trusted MAC route. At this time, PE102 updates the corresponding MAC address table entry based on the first trusted MAC route to instruct the forwarding plane to forward the packet of the user equipment 602 through the trusted neighbor PE101 according to the table entry of the MAC address table.
As one possible implementation, when there are a plurality of trusted MAC routes corresponding to the second MAC address, the determined trusted MAC route is the trusted MAC route with the largest sequence number (i.e., the largest field value of the Seq subfield). The size of the sequence number may generally characterize the timeliness of the route. The larger the sequence number of a certain route, the closer the time to acquire the route to the current time is generally indicated. In some cases, the accuracy of the newly obtained route may be considered to be higher, so that the trusted MAC route with the largest sequence number may be considered as a basis for subsequently forwarding the packet, thereby improving the accuracy and reliability of determining the route.
In the method for determining a route provided in the embodiment of the present application, the second network device receives a first trusted MAC route corresponding to a first MAC address of the first user device, and determines one or more trusted MAC routes corresponding to the first MAC address. The first trust MAC route comprises first identification information, and the first identification information is used for identifying the first trust MAC route as the trust MAC route; the one or more trusted MAC routes include a first trusted MAC route, the one or more MAC trusted routes respectively corresponding to information of the one or more trusted ports. Compared with the prior art that when MAC jumping occurs, the flow of a designated MAC address is interrupted, and user service is damaged, in the embodiment of the application, a trust MAC route based on a trust port can be determined, and the trust MAC route can be used as a basis for subsequently determining the route. Therefore, the control end does not need to block the flow of the designated MAC address, and the continuity of the user service can be ensured.
In some embodiments, the second network device may also obtain a dynamic MAC route corresponding to the MAC address.
The dynamic MAC route may be a normal (normal) MAC route from the far end, e.g., an untrusted MAC route obtained by the second network device from the EVPN neighbor. The dynamic MAC route of the far end includes a MAC change extended community attribute field, wherein the field value of the flags subfield in the field is, for example, 0, for indicating that the MAC route is the dynamic MAC route. The dynamic MAC route may also be a MAC route learned by the network device itself, and the learned dynamic MAC route includes a MAC address and a corresponding port. It should be noted that the self-learned dynamic MAC route may be any MAC route learned by the network device itself, which is different from the locally trusted MAC route.
Using similar principles, PE101 may also obtain a dynamic MAC route corresponding to the MAC 612 address from the remote end. For example, referring to fig. 6 (c), when both user equipment 602 and user equipment 603 go online, PE102 may receive messages of MAC 612 through different ports; therefore, the port 625 learned by PE102 does not satisfy the condition of a trusted port, that is, it does not satisfy the condition for PE102 to send a trusted MAC route. In this case, PE102 may send a dynamic MAC route to PE101. Fig. 7 (b) schematically shows a dynamic MAC route received by PE101 from PE102. For example, in the dynamic MAC route, flags is 0. The dynamic MAC route may also include the identity information of PE102.
When the MAC route corresponding to the MAC 612 includes both the trusted MAC route and the dynamic MAC route, the priority of the trusted MAC route is higher than that of the dynamic MAC route, that is, the network device preferentially selects to forward the user packet according to the trusted MAC route.
In other embodiments, the network device may further determine a static MAC route corresponding to the MAC address of the first user equipment, and send the message of the first user equipment according to the static MAC route. That is, when there is a static MAC route, the priority of the static MAC route may be higher than one or more trusted MAC routes, and the network device determines the static MAC route as a route for forwarding the user packet.
As a possible implementation manner, when a local static MAC route and a static MAC route from a remote end, such as a sticky route, exist at the same time, the network device determines a specific forwarding path of the packet according to the local static MAC route.
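Route selection as described in S505 and the two paragraphs above, as an added example that is not the patent's own code: static routes first (a local static route over a remote sticky route), then the trusted MAC route with the highest sequence number, then a dynamic route. Remote route kinds are derived from the flags values the text gives (0 normal, 1 sticky, 2 trusted); names and the sample routes are hypothetical and constructed.

```python
"""Added example (not the patent's code): picking the forwarding route for a MAC."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

FLAGS_NORMAL, FLAGS_STICKY, FLAGS_TRUSTED = 0, 1, 2
_KIND_BY_FLAGS = {FLAGS_NORMAL: "dynamic", FLAGS_STICKY: "static", FLAGS_TRUSTED: "trusted"}


@dataclass(frozen=True)
class MacRoute:
    mac: str
    kind: str        # "static", "trusted" or "dynamic"
    origin: str      # "local" or "remote"
    next_hop: str    # local port, or the advertising neighbor for remote routes
    seq: int = 0     # Seq subfield; a larger value means learned more recently


def remote_route(mac: str, neighbor: str, flags: int, seq: int) -> MacRoute:
    """Route a PE derives from a neighbor's MAC route advertisement."""
    kind = _KIND_BY_FLAGS.get(flags)
    if kind is None:
        raise ValueError(f"unsupported flags value {flags}")
    return MacRoute(mac, kind, "remote", neighbor, seq)


def select_route(mac: str, routes: Iterable[MacRoute]) -> Optional[MacRoute]:
    """Precedence: static > trusted (highest seq) > dynamic."""
    cands: List[MacRoute] = [r for r in routes if r.mac == mac]
    statics = [r for r in cands if r.kind == "static"]
    if statics:
        # a local static route wins over a remote sticky route
        return next((r for r in statics if r.origin == "local"), statics[0])
    trusted = [r for r in cands if r.kind == "trusted"]
    if trusted:
        return max(trusted, key=lambda r: r.seq)
    dynamic = [r for r in cands if r.kind == "dynamic"]
    # the text gives no order among several dynamic routes; take the first
    return dynamic[0] if dynamic else None


def forwarding_entry(mac: str, routes: Iterable[MacRoute]) -> Optional[dict]:
    """MAC address table entry handed to the forwarding plane."""
    chosen = select_route(mac, routes)
    if chosen is None:
        return None
    return {"mac": mac, "via": chosen.next_hop, "kind": chosen.kind}


def constructed_fig7a() -> Optional[dict]:
    """PE102 in fig. 7 (a): a short-lived local trusted route on port625 and a
    newer remote trusted route from PE101 (constructed sequence numbers)."""
    routes = [MacRoute("MAC612", "trusted", "local", "port625", seq=1),
              remote_route("MAC612", "PE101", FLAGS_TRUSTED, seq=2)]
    return forwarding_entry("MAC612", routes)


def constructed_fig7b() -> Optional[dict]:
    """PE101 in fig. 7 (b): its local trusted route beats PE102's dynamic route."""
    routes = [MacRoute("MAC612", "trusted", "local", "port621", seq=3),
              remote_route("MAC612", "PE102", FLAGS_NORMAL, seq=5)]
    return forwarding_entry("MAC612", routes)
```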
In other embodiments, the first network device and the second network device may further notify whether the trusted MAC route is enabled, and when the trusted MAC route is enabled, the first network device and the second network device may determine the route based on the method flow shown in fig. 5. Specifically, referring to fig. 8, before S501, the following steps may also be performed:
S801, the first network device sends a notification message, and the notification message indicates that trusted MAC routing is enabled.
Accordingly, the second network device receives the notification message from the first network device.
In the following, the first network device is PE101 and the second network device is PE102.
The notification message includes information identifying whether the first network device enables trusted MAC routing.
As a possible implementation, a T bit is defined in the Reserved field of the MAC change extended community attribute so as to support trusted port negotiation between EVPN neighbors.
Optionally, the notification message is carried by a route specifying the MAC and/or IP address. Optionally, MAC addresses and IP addresses that may be used by the user equipment are excluded. For example, the MAC address and the IP address are both 0 routes to carry the notification message. Alternatively, the notification message is carried using a route having an IP address of 255.255.255.255. Of course, other routes of MAC addresses and/or IP addresses may be used to carry the notification message, as long as the route does not affect the normal operation of the current routing mechanism. The route used to carry the notification message includes a MAC change extended community attribute field. Optionally, the sequence number (Seq) subfield of this field may be a specified value, such as 0. Of course, the serial number may also be other values, which is not limited in the embodiment of the present application. Wherein the field value of the reserved subfield in the MAC change extended community attribute field is used to identify whether PE101 enables trusted MAC routing. The reserved subfield includes 8 bits, for example, when a preset bit is set (bit value is 1), it is identified that PE101 enables trusted MAC routing. The preset bit may be any one of 8 bits. Meanwhile, it is also possible that the identification PE101 enables the above-mentioned trusted MAC routing mechanism when the preset bit is 0. In the embodiment of the present application, the identifier enables the trusted MAC route when the bit is specifically 0 or 1, which is not limited.
It can be understood that, after receiving the notification message, if PE102 reads that the preset bit of the reserved subfield in the notification message is set, this indicates that PE101 supports the above-mentioned trusted MAC routing mechanism. Thus, when PE102 receives a route carrying the flag value 2 from PE101, PE102 can recognize that the flag value 2 identifies a trusted MAC route, and determine the subsequent route according to that trusted MAC route. Conversely, if PE101 does not send a notification message to PE102, or the notification message sent by PE101 to PE102 indicates that PE101 does not support the trusted MAC routing mechanism, then PE102 cannot subsequently distinguish the trusted MAC route from a route with flag 1. Optionally, PE102 discards the unrecognized trusted MAC route.
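As an added illustration (not code from the patent or its applicant), the following Python models the negotiation and reception logic just described: the notification route (MAC and IP both 0, Seq 0, Tbit set in the reserved byte), recognition of flag value 2 only from neighbors that announced support, discarding of unrecognized trusted routes, and selection of the entry with the largest sequence number among trusted entries for one MAC (claim 4). The 8-byte layout follows the MAC Mobility extended community of RFC 7432; the Tbit position, the use of flag value 1 for ordinary routes, and all device names, ports and addresses are assumptions.

```python
import struct
from dataclasses import dataclass, field

# Layout of the MAC Mobility extended community (RFC 7432, 8 bytes):
# type 0x06, sub-type 0x00, flags (1 byte), reserved (1 byte), sequence number (4 bytes).
EXT_TYPE, EXT_SUBTYPE = 0x06, 0x00
FLAG_DYNAMIC = 1   # assumed: an ordinary MAC route carries flag value 1
FLAG_TRUSTED = 2   # page: flag value 2 identifies a trusted MAC route
TBIT = 0x01        # assumed position of the "Tbit" inside the reserved byte
ZERO_MAC, ZERO_IP = "00:00:00:00:00:00", "0.0.0.0"


def encode_mac_mobility(flags: int, seq: int, reserved: int = 0) -> bytes:
    """Pack flags, reserved byte and sequence number into the 8-byte community."""
    return struct.pack("!BBBBI", EXT_TYPE, EXT_SUBTYPE, flags, reserved, seq)


def decode_mac_mobility(data: bytes) -> tuple:
    """Return (flags, reserved, seq); reject any other extended community."""
    ext_type, sub_type, flags, reserved, seq = struct.unpack("!BBBBI", data)
    if (ext_type, sub_type) != (EXT_TYPE, EXT_SUBTYPE):
        raise ValueError("not a MAC Mobility extended community")
    return flags, reserved, seq


@dataclass
class MacRoute:
    mac: str
    ip: str
    ext_comm: bytes
    port: str  # "first trusted port" information, here the advertising device id


def trusted_enable_notification() -> MacRoute:
    """Notification route: MAC and IP both 0, Seq 0, Tbit set in the reserved byte."""
    return MacRoute(ZERO_MAC, ZERO_IP, encode_mac_mobility(0, 0, reserved=TBIT), "")


@dataclass
class TrustedMacReceiver:
    """Receiving PE (PE102 in the text): tracks which neighbors negotiated trust."""
    trusted_neighbors: set = field(default_factory=set)
    trusted_entries: dict = field(default_factory=dict)  # mac -> [(seq, port), ...]
    dynamic_entries: dict = field(default_factory=dict)  # mac -> port
    discarded: int = 0

    def receive(self, neighbor: str, route: MacRoute) -> str:
        flags, reserved, seq = decode_mac_mobility(route.ext_comm)
        if route.mac == ZERO_MAC and route.ip == ZERO_IP:
            # Negotiation: the Tbit tells us whether the neighbor enables trusted MAC routing.
            if reserved & TBIT:
                self.trusted_neighbors.add(neighbor)
            else:
                self.trusted_neighbors.discard(neighbor)
            return "notification"
        if flags == FLAG_TRUSTED:
            if neighbor not in self.trusted_neighbors:
                # Flag 2 cannot be interpreted without the negotiation: drop the route.
                self.discarded += 1
                return "discarded"
            self.trusted_entries.setdefault(route.mac, []).append((seq, route.port))
            return "trusted"
        self.dynamic_entries[route.mac] = route.port
        return "dynamic"

    def add_local_trusted(self, mac: str, port: str, seq: int) -> None:
        """A local trusted port entry (claim 3) joins the same set as remote ones."""
        self.trusted_entries.setdefault(mac, []).append((seq, port))

    def select_trusted_port(self, mac: str):
        """Claim 4: among trusted entries for a MAC, use the largest sequence number."""
        entries = self.trusted_entries.get(mac)
        if not entries:
            return None
        return max(entries, key=lambda e: e[0])[1]
```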
The route determination method described above helps restore user services promptly. However, where equipment from multiple manufacturers coexists, or where equipment supporting trusted routes coexists with equipment that does not, the trusted route enabling mechanism cannot be deployed completely. The following three-level network deployment schemes are therefore provided for customers' differing requirements for network resilience:
1) Primary network: at some non-core locations of the network, such as non-core nodes, traffic suppression is performed based on the user equipment MAC address after MAC hopping (a MAC move) is detected. An alarm can also be reported through telemetry so that the user is aware of the risk of MAC hopping. Traffic suppression can be controlled, according to the customer's usage habits, either by an absolute value of the interface bandwidth or by a percentage of the interface bandwidth. For example, when traffic suppression uses an interface bandwidth percentage, the interface bandwidth is restored to the maximum interface bandwidth after the MAC hopping ends.
2) Secondary network: at some non-core locations of the network, after MAC hopping is detected, a black-hole MAC entry is issued for the user equipment MAC address, and traffic with the specified MAC address as source or destination MAC is discarded. An alarm can also be reported through telemetry to inform the user of the risk of MAC hopping, and/or traffic for a MAC address specified by the user is discarded. As a possible implementation, after the MAC hopping ends, the black-hole MAC entry is cleared by configuration or similar means.
3) Tertiary network: a routing mode based on the trusted MAC routing enabling mechanism is deployed between core nodes of the customer network or between key EVPN neighbors, which avoids large-scale service degradation or interruption when the network environment is unstable. Note that this deployment scheme requires the core devices to support the trusted MAC routing mechanism; if one of the EVPN neighbors does not support trusted MAC routing, the user needs to be prompted to replace, upgrade or improve that device so that it supports the trusted MAC routing mechanism.
With this hierarchical deployment, at the non-core and non-important nodes of the network, where network services are less important, part of the traffic can be suppressed or traffic can be blocked outright, so the security of that part of the network is improved by suppressing or blocking the traffic of non-important services. Important services are deployed at the core nodes of the network, where the routing mode based on the trusted MAC routing mechanism is deployed, so that the forwarding path of a message is guided by trusted MAC routes, the traffic of important services is unaffected, and the resilience of the EVPN layer-2 network is improved.
It is to be understood that, in order to implement the above functions, the network element in the embodiments of the present application includes a corresponding hardware structure and/or software module for performing each function. The elements and algorithm steps of the various examples described in connection with the embodiments disclosed herein may be embodied in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present teachings.
In the embodiment of the present application, the network element may be divided into the functional units according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation.
Fig. 9 shows a schematic block diagram of a route determining apparatus provided in an embodiment of the present application. The route determining apparatus may be the first network device (or a component having the function of the first network device, or a component used together with the first network device to support it in implementing the corresponding function) or the second network device (or a component in the second network device, or another component). The route determining apparatus 900 may be implemented in software, or as a chip usable in a device. The route determining apparatus 900 includes a processing unit 902 and a communication unit 903. Optionally, the communication unit 903 may be further divided into a sending unit (not shown in fig. 9) and a receiving unit (not shown in fig. 9), where the sending unit is configured to support the route determining apparatus 900 in sending information to other network elements, and the receiving unit is configured to support the route determining apparatus 900 in receiving information from other network elements.
If the route determining apparatus 900 is the first network device mentioned above, the processing unit 902 may be configured to support the first network device in performing S501, S502, etc. in fig. 5, and/or other processes of the schemes described herein. The communication unit 903 is configured to support communication between the first network device and other network elements (e.g., the second network device described above), for example, to support the first network device in performing S504 in fig. 5, S801 in fig. 8, and the like. Optionally, where the communication unit is divided into a sending unit and a receiving unit, the sending unit is configured to support the first network device in sending information to other network elements, and the receiving unit is configured to support the first network device in receiving information from other network elements.
If the route determining apparatus 900 is the second network device mentioned above, the processing unit 902 may be configured to support the second network device in performing S504, S505, etc. in fig. 5, and/or other processes of the schemes described herein. The communication unit 903 is configured to support communication between the second network device and other network elements (e.g., the network devices described above). Optionally, where the communication unit is divided into a sending unit and a receiving unit, the sending unit is configured to support the second network device in sending information to other network elements, and the receiving unit is configured to support the second network device in receiving information from other network elements.
In one possible approach, the processing unit 902 may be a controller or the processor 401 or 407 shown in fig. 4. Which may implement or execute the various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein. The communication unit 903 may be the transceiver 404 shown in fig. 4 or the like. The storage unit 901 may be the memory 403 shown in fig. 4.
Those of ordinary skill in the art will understand that, in the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software or firmware, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the embodiments of the present application are generated in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, twisted pair) or wirelessly (e.g., infrared, radio, microwave). The computer readable storage medium may be any medium accessible by a computer, or a data storage device such as a server or data center integrating one or more media. The media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., compact disks), or semiconductor media (e.g., Solid State Disks (SSDs)), among others.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into units is merely a logical division, and an actual implementation may divide them differently; for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, in electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on a plurality of network devices (e.g., terminal devices). Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above description is only an embodiment of the present application, but the scope of the present application is not limited thereto, and all changes and substitutions within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (17)

1. A method for determining a route, the method comprising:
a first network device receives a trusted MAC routing entry issued by a second network device, wherein the trusted MAC routing entry comprises a Media Access Control (MAC) address, information of a first trusted port corresponding to the MAC address, and indication information, and the indication information indicates that the received trusted MAC routing entry is trusted;
the first network device forwards a message based on a determined trusted MAC routing entry, wherein the determined trusted MAC routing entry belongs to a set of trusted MAC routing entries acquired by the first network device, MAC addresses in all trusted MAC routing entries in the set of trusted MAC routing entries are the same, and the set of trusted MAC routing entries comprises trusted MAC routing entries issued by the second network device.
2. The method of claim 1, wherein the information of the first trusted port comprises a device identification of the second network device.
3. The method of claim 1 or 2, wherein the set of trusted MAC routing entries comprises a local trusted routing entry, wherein the local trusted routing entry comprises the MAC address and information of a second trusted port corresponding to the MAC address, wherein the second trusted port is a local trusted port, wherein the local trusted port is a port of the first network device, and wherein the local trusted port is determined based on only receiving packets with source addresses as the MAC address by the second trusted port for a predetermined length of time.
4. The method according to any of claims 1 to 3, wherein when the number of trusted MAC routing entries in the set of trusted MAC routing entries is multiple, the determined trusted MAC routing entry is the trusted MAC routing entry with the largest sequence number in the set of trusted MAC routing entries.
5. The method according to any one of claims 1 to 4, further comprising:
the first network device obtains a dynamic MAC routing entry, the dynamic MAC routing entry including the MAC address.
6. The method according to any of claims 1 to 5, wherein said indication information is provided by a flag bit of a MAC Change extended Community Attribute field of a Border Gateway Protocol (BGP) message.
7. The method of claim 6, further comprising: the MAC change extended community attribute field further includes a trust enable subfield that identifies an enabled trusted MAC route.
8. An apparatus for determining a route, the apparatus comprising:
a transceiver, configured to receive a trusted MAC routing entry issued by a network device, wherein the trusted MAC routing entry comprises a Media Access Control (MAC) address, information of a first trusted port corresponding to the MAC address, and indication information, and the indication information indicates that the received trusted MAC routing entry is trusted, and configured to forward a message based on a determined trusted MAC routing entry;
the processor is configured to determine a trusted MAC routing entry, where the determined trusted MAC routing entry belongs to a set of trusted MAC routing entries acquired by a first network device, MAC addresses in all trusted MAC routing entries in the set of trusted MAC routing entries are the same, and the set of trusted MAC routing entries includes trusted MAC routing entries issued by the network device.
9. The apparatus of claim 8, wherein the information of the first trusted port comprises a device identification of the network device.
10. The apparatus of claim 8 or 9, wherein the set of trusted MAC routing entries comprises a local trusted routing entry comprising the MAC address and information of a second trusted port corresponding to the MAC address, the second trusted port being a local trusted port determined based on receiving a packet with a source address as the MAC address only by the second trusted port for a predetermined length of time.
11. The apparatus according to any of claims 8 to 10, wherein when the number of trusted MAC routing entries in the set of trusted MAC routing entries is multiple, the determined trusted MAC routing entry is the trusted MAC routing entry with the largest sequence number in the set of trusted MAC routing entries.
12. The apparatus according to any one of claims 8 to 11,
the processor is further configured to obtain a dynamic MAC routing entry, the dynamic MAC routing entry including the MAC address.
13. The apparatus according to any of claims 8 to 12, wherein the indication information is provided by a flag bit of a MAC change extended community attribute field of a border gateway protocol BGP message.
14. The apparatus of claim 13, further comprising: the MAC change extended community attribute field further includes a trust enable subfield that identifies an enabled trusted MAC route.
15. A route determination system, the system comprising a first network device and a second network device,
the first network device is configured to:
issuing a trust MAC routing entry, wherein the trust MAC routing entry comprises a Media Access Control (MAC) address, information of a first trust port corresponding to the MAC address and indication information, and the indication information indicates that the received trust MAC routing entry is trusted;
the second network device is configured to:
receiving the trusted MAC routing entry issued by the first network device;
forwarding a message based on a determined trusted MAC routing entry, wherein the determined trusted MAC routing entry belongs to a trusted MAC routing entry set acquired by the second network device, MAC addresses in all trusted MAC routing entries in the trusted MAC routing entry set are the same, and the trusted MAC routing entry set comprises the trusted MAC routing entries issued by the first network device.
16. The system of claim 15, wherein the set of trusted MAC routing entries obtained by the second network device comprises a local trusted routing entry, the local trusted routing entry comprising the MAC address and information of a second trusted port corresponding to the MAC address, the second trusted port being a local trusted port, the local trusted port being a port of the second network device, the local trusted port being determined based on only the second trusted port receiving packets with source addresses as the MAC address for a predetermined length of time.
17. A computer-readable storage medium, characterized in that the storage medium has stored thereon a computer program for executing the method of any of claims 1-7.
CN201911222498.5A 2019-12-03 2019-12-03 Method, device and system for determining route Active CN112910784B (en)

Publications (2)

Publication Number Publication Date
CN112910784A true CN112910784A (en) 2021-06-04
CN112910784B CN112910784B (en) 2023-03-24

Family

ID=76104165

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant