JP6392134B2 - Communication system and communication method - Google Patents

Description

  The present invention relates to a communication system and a communication method that enable high-speed communication in a communication system including a plurality of VLANs (Virtual Local Area Networks).

  An IP-VPN (Internet Protocol-Virtual Private Network) provided by a carrier as a dedicated network is divided into VLANs in order to separate communication between users. For example, as shown in FIG. 1, the VLAN 10 that connects the user networks # 11 and # 12, the VLAN 20 that connects the user networks # 21 and # 22, and the VLAN 30 that connects the user networks # 31 and # 32 are divided. ing.

  On the other hand, in TCP / IP (Transmission Control Protocol / Internet Protocol) communication, in order to increase throughput, a TCP device W1 is provided at the boundary between the user network # 11 and the WAN line, and a TCP device W2 is provided at the boundary between the user network # 12 and the WAN. There is proposed an invention in which the TCP device W1 and the TCP device W2 perform proxy responses (see, for example, Patent Document 1). In the invention of Patent Document 1, as shown in FIG. 2, the TCP device W1 transmits an ACK to the terminal of the user network # 11 in place of the terminal of the user network # 12, and the TCP device W2 transmits to the terminal of the user network # 11. Instead, ACK is transmitted to the terminal of user network # 12. This prevents a decrease in TCP / IP communication throughput caused by packet transfer delay time.

  When the TCP devices W1 and W2 are introduced into the carrier providing network, it is necessary to terminate the TCP once at the TCP devices W1 and W2. Therefore, it is necessary to assign IP addresses to the TCP devices W1 and W2. However, since the user manages the IP address in the VPN or VLAN, the carrier needs to agree with the user in order to assign the IP addresses of the TCP devices W1 and W2 in the VPN or VLAN.

  Moreover, even if the consent can be obtained, it is necessary not to overlap with the IP address used by the user, and it is difficult to operate because the IP address must be assigned for each user. For this reason, it is difficult to increase the speed of TCP / IP communication in a VPN in which a WAN is interposed.

  Such a problem is not limited to a TCP device that makes a proxy response, but is the same even when an encryption device or the like is introduced as shown in FIG. Encryption devices are also placed at both ends of the WAN line to encrypt specific communications and decrypt on the other side. The IP address used by these encryption devices must also be assigned in the VPN or VLAN.

JP 7-177177 A

  In the present invention, in a network in which VPNs and VLANs are multiplexed on a WAN, it is possible to assemble packets from both ends of the WAN and disassemble the data into packets without assigning IP addresses in the VPN or VLAN. The purpose is to.

Specifically, the communication system of the present invention includes:
A communication system having a plurality of VLANs (Virtual Local Area Networks) in which WAN (Wide Area Network) lines are connected between two LANs (Local Area Networks),
A transmission side inter-network connection device common to the plurality of VLANs is connected between one of the two LANs and the WAN line,
A receiving-side network connecting device common to the plurality of VLANs is connected between the WAN line and the other of the two LANs,
The transmitting-side network connecting device and the receiving-side network connecting device are connected to the plurality of VLANs by a common or individual WAN transfer VLAN,
The WAN-side transmission port to which the WAN transfer VLAN is connected of the transmission-side network connection device and the reception-side network connection device is extracted from the terminated TCP packet independent of the plurality of VLANs. TCP termination IP address for transferring the received data to the WAN side is assigned,
The transmission-side network connection device is:
A VLAN termination table in the transmission side inter-network connection device that defines the correspondence between the TCP termination IP address and the plurality of VLANs;
In accordance with the VLAN termination table in the transmission side inter-network connection device, a TCP packet received from a LAN side reception port that constitutes one of the VLANs and is connected to one of the two LANs. Terminates and outputs the data after termination to the WAN transmission port connected to the WAN transfer VLAN, and responds to one of the two LANs on the TCP protocol instead of the other of the two LANs A transmission-side control circuit that performs
The receiving-side network connection device is:
A VLAN termination table in the receiving-side network connecting device synchronized with the VLAN termination table in the transmitting-side network connecting device;
In accordance with the VLAN termination table in the receiving-side network connecting device, the data received by the WAN-side receiving port connected to the WAN transfer VLAN is returned to the format of the TCP packet of the VLAN to which the LAN-side receiving port belongs, A TCP protocol for the other of the two LANs instead of one of the two LANs, which constitutes a VLAN to which the LAN side reception port belongs and outputs to the LAN side transmission port connected to the other of the two LANs A receiving-side control circuit that performs the above response.

In the communication system of the present invention,
The transmission side control circuit performs a protocol response to one of the two LANs instead of the other of the two LANs when outputting the packet received by the LAN side reception port to the WAN side transmission port. ,
When the reception side control circuit outputs a packet received by the WAN side reception port to the LAN side transmission port, the reception side control circuit performs a protocol response to the other of the two LANs instead of one of the two LANs. May be.

Specifically, the communication method of the present invention includes:
A plurality of VLANs each having a WAN line connected between two LANs, a transmission-side network connecting device common to the plurality of VLANs being connected between one of the two LANs and the WAN line; A receiving-side network connecting device common to the plurality of VLANs is connected between the WAN line and the other of the two LANs, and the transmitting-side network connecting device and the receiving-side network connecting device are connected to the plurality of VLANs. A communication method in a communication system connected to a VLAN by a VLAN for common or individual WAN transfer,
The WAN-side transmission port to which the WAN transfer VLAN of the transmitting-side network connecting device and the receiving-side network connecting device is connected is extracted from the terminated TCP packet independent of the plurality of VLANs. TCP termination IP address is assigned to transfer the received data to the WAN side ,
The VLAN on one of the plurality of VLANs according to the VLAN termination table in the transmission-side network connecting device that defines the correspondence between the TCP termination IP address and the WAN transfer VLAN. And terminates the received TCP packet of the LAN side reception port connected to one of the two LANs, and sends the terminated data to the WAN side transmission port connected to the WAN transfer VLAN. And outputting a TCP protocol response to one of the two LANs on behalf of the other of the two LANs,
The receiving side network connecting device is connected to the WAN forwarding VLAN according to the receiving side network connecting device VLAN termination table synchronized with the transmitting side network connecting device VLAN termination table. Data received by the port is returned to the TCP packet format of the VLAN to which the LAN side reception port belongs, and constitutes the VLAN to which the LAN side reception port belongs and is connected to the other of the two LANs. In response to a TCP protocol response to the other of the two LANs instead of one of the two LANs.

  According to the present invention, in a network in which VPNs and VLANs are multiplexed on a WAN, packet-to-data assembly and data-to-packet decomposition are performed at both ends of the WAN without assigning IP addresses in the VPN or VLAN. Can be made possible.

An example of VPN intervening WAN is shown. An example of a data transfer method using TCP / IP communication proposed in Patent Document 1 will be described. An example of the data transfer method using the apparatus which performs encryption is shown. 1 shows an example of a communication system according to a first embodiment. 2 illustrates exemplary configurations of a transmission-side apparatus and a reception-side apparatus according to Embodiment 1. An example of the communication system which concerns on Embodiment 2 is shown. 4 illustrates an example configuration of a transmission-side device and a reception-side device according to a second embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited to embodiment shown below. These embodiments are merely examples, and the present invention can be implemented in various modifications and improvements based on the knowledge of those skilled in the art. In the present specification and drawings, the same reference numerals denote the same components.

(Embodiment 1)
FIG. 4 shows an example of a communication system according to the present embodiment. The communication system according to the present embodiment includes a plurality of VLANs in which WAN lines are connected between two LANs. For example, the communication system according to the present embodiment includes three VLANs 10, 20 and 30.

  User network # 11 and user network # 12 are connected by VLAN10. The IP address from the user network # 11 to the user network # 12 is managed by the VLAN 10 user. The VLAN user who manages the user network # 21 and the user network # 22 and the VLAN 30 which connects the user network # 31 and the user network # 32 also manage IP addresses by VLAN users.

  In the VLAN 10, a WAN line is connected between the user network # 11 and the user network # 12. In the VLAN 20, a WAN line is connected between the user network # 21 and the user network # 22. In the VLAN 30, a WAN line is connected between the user network # 31 and the user network # 32.

  The communication system according to this embodiment includes a transmission-side device W1 that functions as a transmission-side network connection device and a reception-side device W2 that functions as a reception-side network connection device. A transmission side device W1 common to each VLAN is connected between the user networks # 11, # 21 and # 31 and the WAN line. A common receiving side device W2 is connected to each of the VLANs 10, 20, and 30 between the user networks # 12, # 22, and # 32 and the WAN line. The transmission side device W1 and the reception side device W2 are connected to the respective VLANs 10, 20, and 30 by a common WAN transfer VLAN 100. Note that a WAN transfer VLAN may be provided individually in each of the VLANs 10, 20, and 30 (for example, like the VLANs 110, 120, and 130).

  In the present embodiment, a WAN transfer VLAN 100 that is not used by a user is provided, and the WAN transfer VLAN 100 is used during data transfer between the transmission side device W1 and the reception side device W2. As described above, the WAN line between the transmission side device W1 and the reception side device W2 uses the out-band WAN transfer VLAN 100 different from the VLANs 10, 20, and 30 used by the user, and is used by the user. There is no need to assign an IP address to the network.

  An example of packet transfer is shown below. Although the packet is arbitrary, the invention according to the present embodiment is a packet that is transmitted and received based on a protocol that needs to transmit a response signal such as ACK, such as a TCP packet that is transmitted and received based on TCP. High effect is obtained.

The TCP packet output from the user NW # 11 to the VLAN 10 is terminated at the transmission side device W1. The TCP packet terminated at the transmission side device W1 is transferred to the reception side device W2 through the WAN transfer VLAN 100 network by TCP acceleration processing.
The packet transferred to the receiving apparatus W2 is returned to the original TCP packet format, and transferred to the VLAN 10 toward the user NW # 12. The TCP packet from the user NW # 21 to the user NW # 22 and the TCP packet from the user NW # 31 to the user NW # 32 are similarly transferred.

FIG. 5 shows a configuration example of the transmission side device W1 and the reception side device W2.
The transmission-side device W1 includes ports PL11, PL21, and PL31 that function as LAN-side reception ports, ports PW12, PW22, PW32, and PS100 that function as WAN-side transmission ports, and a transmission-side control circuit 11. The ports PL11 and PW12 are included in the VLAN 10, the ports PL21 and PW22 are included in the VLAN 20, and the ports PL31 and PW32 are included in the VLAN 30.

  The reception side device W2 includes ports PW11, PW21, PW31, and PR100 that function as WAN side reception ports, ports PL12, PL22, and PL32 that function as LAN side transmission ports, and a reception side control circuit 21. The ports PW11 and PL12 are included in the VLAN 10, the ports PW21 and PL22 are included in the VLAN 20, and the ports PW31 and PL32 are included in the VLAN 30.

  Here, the transmission side control circuit 11 is an information processing circuit such as a CPU (Central Processing Unit). The ports PL11 to PL31, PW12 to 32, and PS100 in the transmission side device W1 may be realized by causing a computer to function as these ports. In this case, each configuration is realized by the CPU in the transmission-side apparatus W1 executing a computer program stored in a storage unit (not shown). The same applies to the receiving side device W2.

  The WAN transfer VLAN 100 is a VLAN that is not used by any user. The TCP end IP address of the WAN transfer VLAN 100 is set in each of the transmission side device W1 and the reception side device W2 in the WAN transfer VLAN 100. For example, the IP address of PS100 is set to 192.168.1.2, and the IP address of PR100 is set to 192.168.1.3.

  The transmission side device W1 and the reception side device W2 include a VLAN termination table that defines the correspondence between the IP address of each port and the VLAN. In the VLAN termination table, both a case where the VLANs 10 to 30 are used as they are and a case where the WAN transfer VLAN 100 is used are defined. Each user of the VLAN can select which one to use.

  When a packet is transmitted from the user NW # 11 to the user NW # 12 using the WAN transfer VLAN 100, the transmission side control circuit 11 performs protocol termination of the packet received by the port PL11 according to the VLAN termination table. The term “end” refers to, for example, arranging data divided into packets in order and assembling them, or disassembling data into packets. Then, the transmission side control circuit 11 outputs the packet received by the port PL11 to the WAN side transmission port PS100 according to the VLAN termination table. Thereby, the packet from the user NW # 11 is transmitted toward the port PR100. For example, the source IP address of the TCP packet of VLAN 10 is set to 192.168.1.2, the destination IP address is set to 192.168.1.3, and the packet is transmitted together with the session information. When the terminating protocol is TCP, the transmission-side control circuit 11 performs a protocol response to the user NW # 11 terminal in place of the user NW # 12 terminal.

  When the PR 100 receives the packet, the reception-side control circuit 21 transmits the packet from the port PL12 to the user NW # 12. At this time, the reception-side control circuit 21 performs processing according to TCP with the user NW # 12 instead of the user NW # 11 while referring to the VLAN termination table.

  When a packet is transmitted from the user NW # 11 to the user NW # 12 using the VLAN 10 as it is, the transmission side control circuit 11 outputs the packet received by the port PL11 to the port PW12. Thereby, the packet is transmitted toward the port PW11. In this case, the transmission side control circuit 11 does not terminate the packet received by the port PL11.

  When the port PW11 receives the packet, the reception-side control circuit 21 transmits the packet from the port PL12 to the user NW # 12. At this time, the reception-side control circuit 21 does not perform processing according to TCP with the user NW # 12, instead of the user NW # 11.

  It is preferable that each user of the VLAN can select which of the VLANs 10 to 30 or the WAN transfer VLAN 100 is used for each transmission data. In this case, based on the description of the packet received by the port PL11, PL21 or PL31, the transmission-side control circuit 11 determines which of the WAN-side transmission ports of the VLAN 10, 20 or 30 to which the LAN-side reception port belongs and the WAN transfer VLAN 100 belongs. Decide whether to output. The packet description is, for example, a packet header.

  The VLAN termination tables in the transmission side device W1 and the reception side device W2 are synchronized. For example, when there is a connection request from the user NW # 11 to the user NW # 12, the sessions established by the user NW # 11 and the user NW # 12 in the VLAN termination table of the transmission side device W1 and the reception side device W2 Register.

(Embodiment 2)
FIG. 6 shows an example of a communication system according to the present embodiment. FIG. 7 shows a configuration example of the transmission side device W1 and the reception side device W2. In the communication system according to the present embodiment, the link connecting the transmission side device W1 and the reception side device W2 has a redundant configuration. In the present embodiment, the transmission-side apparatus W1 transfers the TCP packet terminated at the transmission-side apparatus W1 to the reception-side apparatus W2 for a valid link between the transmission-side apparatus W1 and the reception-side apparatus W2.

  When a packet is transmitted from the user NW # 11 to the user NW # 12 using the VLAN 10 as it is, the transmission side control circuit 11 transmits the packet from the terminal of the user NW # 11 input to the port PL11 according to the VLAN termination table. The TCP communication is terminated and output to the port PW12A or PW12B. Whether to output to port PW12A or PW12B depends on the link aggregation setting.

  When a packet is transmitted from the user NW # 11 to the user NW # 12 using the WAN transfer VLAN 100, it is as described in the first embodiment. The WAN transfer VLAN 100 is used for a valid link (port PS100A or PS100B) between the transmission side device W1 and the reception side device W2.

  When the port PW11A, PW11B, PR100A, or PR100B receives the packet, the reception-side control circuit 21 returns the packet to the original TCP packet format according to the VLAN termination table, and transmits the packet from the port PL12 to the user NW # 12. At this time, the reception-side control circuit 21 performs processing according to TCP with the user NW # 12 instead of the user NW # 11 while referring to the VLAN termination table.

  The case where the packet is transmitted / received based on a protocol that needs to transmit a response signal such as ACK has been described above, but the present invention is not limited to this, and an arbitrary VPN or VLAN multiplexed on the WAN. Can be applied to any network.

  The present invention can be applied to the information communication industry.

11: Transmission side control circuit 21: Reception side control circuit 30: User networks W1, W2, W1A, W1B, W2A, W2B: Transmission side device W2: Reception side devices 10, 10A, 10B, 20, 20A, 20B, 30, 30A, 30B, 100, 100A, 100B: VLAN
R1, R2: Routers PL11, PL21, PL31, PW12, PW22, PW32, PS100, PW11, PW21, PW31, PL12, PL22, PL32, PR100: Port

Claims (5)

A communication system having a plurality of VLANs (Virtual Local Area Networks) in which WAN (Wide Area Network) lines are connected between two LANs (Local Area Networks),
A transmission side inter-network connection device common to the plurality of VLANs is connected between one of the two LANs and the WAN line,
A receiving-side network connecting device common to the plurality of VLANs is connected between the WAN line and the other of the two LANs,
The transmitting-side network connecting device and the receiving-side network connecting device are connected to the plurality of VLANs by a common or individual WAN transfer VLAN,
The WAN-side transmission port to which the WAN transfer VLAN is connected of the transmission-side network connection device and the reception-side network connection device is extracted from the terminated TCP packet independent of the plurality of VLANs. TCP termination IP address for transferring the received data to the WAN side is assigned,
The transmission-side network connection device is:
A VLAN termination table in the transmission side inter-network connection device that defines the correspondence between the TCP termination IP address and the plurality of VLANs;
In accordance with the VLAN termination table in the transmission side inter-network connection device, a TCP packet received from a LAN side reception port that constitutes one of the VLANs and is connected to one of the two LANs. Terminates and outputs the data after termination to the WAN transmission port connected to the WAN transfer VLAN, and responds to one of the two LANs on the TCP protocol instead of the other of the two LANs A transmission-side control circuit that performs
The receiving-side network connection device is:
A VLAN termination table in the receiving-side network connecting device synchronized with the VLAN termination table in the transmitting-side network connecting device;
In accordance with the VLAN termination table in the receiving-side network connecting device, the data received by the WAN-side receiving port connected to the WAN transfer VLAN is returned to the format of the TCP packet of the VLAN to which the LAN-side receiving port belongs, A TCP protocol for the other of the two LANs instead of one of the two LANs, which constitutes a VLAN to which the LAN side reception port belongs and outputs to the LAN side transmission port connected to the other of the two LANs A receiving side control circuit for performing the above response,
Communications system. Whether the transmission side inter-network connection device internal VLAN termination table is output to the WAN side transmission port belonging to any of the plurality of VLANs based on the description of the packet received at the LAN side reception port, or the WAN transfer To determine whether to output to the WAN side transmission port belonging to the VLAN for use,
The communication system according to claim 1. The WAN transfer VLAN is not used by any of the plurality of VLANs.
The communication system according to claim 1 or 2. In the transmission-side inter-network connection device internal VLAN termination table, the correspondence relationship between the IP address of each WAN-side transmission port and the VLAN when the plurality of VLANs are used as they are and when the WAN transfer VLAN is used is defined. And
When using the WAN transfer VLAN,
The transmission side control circuit includes:
When outputting a packet received by the LAN side reception port to the WAN side transmission port, a TCP termination IP address of the WAN side transmission port connected to the WAN transfer VLAN is set as a source IP address, and the WAN transfer is performed. A protocol response to one of the two LANs is performed instead of the other of the two LANs, with the TCP termination IP address of the WAN side reception port connected to the VLAN for the destination as the destination IP address,
The receiving side control circuit is:
4. When outputting a packet received by the WAN reception port to the LAN transmission port, a protocol response is made to the other of the two LANs instead of one of the two LANs. 5. A communication system according to claim 1. A plurality of VLANs each having a WAN line connected between two LANs, a transmission-side network connecting device common to the plurality of VLANs being connected between one of the two LANs and the WAN line; A receiving-side network connecting device common to the plurality of VLANs is connected between the WAN line and the other of the two LANs, and the transmitting-side network connecting device and the receiving-side network connecting device are connected to the plurality of VLANs. A communication method in a communication system connected to a VLAN by a VLAN for common or individual WAN transfer,
The WAN-side transmission port to which the WAN transfer VLAN of the transmitting-side network connecting device and the receiving-side network connecting device is connected is extracted from the terminated TCP packet independent of the plurality of VLANs. TCP termination IP address is assigned to transfer the received data to the WAN side ,
The VLAN on one of the plurality of VLANs according to the VLAN termination table in the transmission-side network connecting device that defines the correspondence between the TCP termination IP address and the WAN transfer VLAN. And terminates the received TCP packet of the LAN side reception port connected to one of the two LANs, and sends the terminated data to the WAN side transmission port connected to the WAN transfer VLAN. And outputting a TCP protocol response to one of the two LANs on behalf of the other of the two LANs,
The receiving side network connecting device is connected to the WAN forwarding VLAN according to the receiving side network connecting device VLAN termination table synchronized with the transmitting side network connecting device VLAN termination table. Data received by the port is returned to the TCP packet format of the VLAN to which the LAN side reception port belongs, and constitutes the VLAN to which the LAN side reception port belongs and is connected to the other of the two LANs. In response to a TCP protocol response to the other of the two LANs on behalf of one of the two LANs.
Communication method.

Images