CN100508520C - Method for implementing VLAN based L2VPN - Google Patents
Publication number: CN100508520C (application CNB200410037146XA)
Authority: CN (China)
Prior art keywords: message, mac address, mac, layer, vlan
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes: Small-Scale Networks (AREA); Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for implementing a Layer 2 virtual private network based on VLAN. A reserved pool of MAC addresses is used to perform MAC address translation, that is, Layer 2 address translation, so that both the local user and the remote user believe they are communicating with the Layer 2 virtual private network itself. The invention thereby achieves effective Layer 2 isolation between users and makes the Layer 2 virtual private network more secure.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method for implementing a VLAN-based Layer 2 virtual private network.
Background art
Network equipment manufacturers (of LAN switches, for example) currently compete fiercely and, to gain a commercial advantage, select chips that are as cheap as possible while still meeting functional requirements. As a result, today's low-end LAN switches support only the SVL (shared VLAN learning) mode of VLAN switching.
The difference between SVL (shared VLAN learning) and IVL (independent VLAN learning) is whether MAC (media access control) address learning is independent of the VLAN. Under SVL, MAC learning is independent of the VLAN: the device holds a single, unified MAC switching table, MAC learning and switching are both based on this table, and only after the MAC lookup are the ingress port and the egress port compared to decide, according to whether they are in the same VLAN, whether the packet is forwarded or dropped. Under IVL, each VLAN learns and switches MAC addresses independently, an independent MAC switching table is kept for each VLAN, and the result of the MAC lookup directly determines whether the packet is forwarded to the egress port or dropped.
A LAN switch using the SVL VLAN switching mode assumes that a MAC address can be reached through only one port and is unique. Such a LAN switch therefore does not learn MAC addresses by VLAN+MAC; it learns by global MAC instead (there is only one global MAC information table): it first finds the egress port through the MAC lookup and then forwards according to the VLAN. This replaces VLAN+MAC switching while still providing VLAN switching.
As commercial regions open up, growing enterprises keep spreading their branch offices across the cities and regions of the whole country and even the world, which raises the question of how to interconnect the branches effectively. Enterprise managers have kept looking for a communication mode that is both economical and efficient, and finally found the best solution on the Internet: the Layer 2 VPN (virtual private network). A Layer 2 VPN built on technologies such as MPLS (multi-protocol label switching) L2VPN can cross geographic restrictions and thereby interconnect the local area networks of different regions. In practice, the widely used Layer 2 VPNs are all built on the IP telecommunication networks of telecom operators, and such networks, following the principle of being operable and manageable, allocate to each user not a physical port but a "logical port", so as to maximise the utilisation of network resources. This "logical port" is the VLAN. The Layer 2 VPN that we provide to telecom operators is therefore called a VLAN-based Layer 2 VPN, abbreviated hereafter as VB L2VPN.
However, these VPN technologies are not perfect in every respect. If the LAN switch or DSLAM (digital subscriber line access multiplexer) supports only the SVL VLAN switching mode, and users access the LAN switch through different VLANs, the VB L2VPN may be impossible to realise, as the following example shows:
Fig. 1 shows the networking structure of a VLAN-based Layer 2 VPN. In the figure, the LAN switch and the DSLAM (digital subscriber line access multiplexer) connect users by VLAN so as to isolate users from one another; users under the same LAN switch thus access the operator's Layer 2 VPN network through different VLANs and ports. Because a LAN switch in SVL mode cannot completely isolate users physically, that is, the MAC layer is not isolated, consider, as shown in Fig. 1, two users (PC0, PC1) under this LAN switch with different MAC addresses (MAC0, MAC1) accessing the VB L2VPN through different VLANs (VLAN0, VLAN1). When PC0 wants to communicate with PC1, the steps are as follows:
1. PC0 first builds a broadcast ARP (address resolution protocol) message, filling its own MAC address (MAC0) into the source MAC field and the IP address of PC1 into the destination IP field, and sends the message out of the port connected to the L2VPN;
2. Port0 of the LAN switch parses this ARP message, learns MAC address MAC0 of PC0 in VLAN0, and adds an entry to the MAC switching table. Because the destination MAC address of the ARP message is the broadcast address, the message is flooded to all ports of the LAN switch; since only Port10 is in the same VLAN as Port0, the LAN switch sends the message from Port10 through VLAN0 to the VB L2VPN;
3. The VB L2VPN then terminates this VLAN, learns the ARP message by saving its source MAC address in its MAC switching table, and floods the broadcast ARP message to all of its interfaces, including VLAN1 on Port10 of the LAN switch (note that the VB L2VPN treats each VLAN as an independent physical interface);
4. When Port10 receives this ARP message from the VB L2VPN, it learns MAC0 again, now in VLAN1, and floods the message to all interfaces of VLAN1. Because the LAN switch performs source MAC learning, when the same message is received on two ports of the same LAN switch, the later arrival overwrites the port on which the MAC was originally learnt; the recorded physical location of MAC0 has therefore been changed;
5. User PC1 receives the ARP message and, finding that someone is looking for its own MAC address, constructs an ARP reply with the MAC address of PC1 as the source MAC and the MAC address of PC0 as the destination MAC, and sends it out of the interface on which the request was received;
6. The LAN switch receives the ARP reply, learns MAC1 from the source MAC, looks up destination MAC0 in the MAC switching table, finds that it is on Port10, and forwards the message to Port10 in VLAN1;
7. After the VB L2VPN receives the message from Port10 in VLAN1, it first learns the source MAC, then looks up the destination MAC in its MAC switching table to determine the port, and forwards the message to Port10 of the LAN switch in VLAN0;
8. Finally, Port10 of the LAN switch receives this ARP reply, but on parsing it finds that the destination MAC is an address learnt on this very port, so it simply drops the packet. PC0 therefore never obtains the MAC address of PC1 and cannot communicate with PC1, and the VB L2VPN function cannot be realised.
This problem is caused mainly by the MAC learning mode of the LAN switch. The MAC learning mode of an IVL switch differs from that of an SVL switch: under IVL each VLAN learns MAC addresses separately, so when the same message is received on two ports of the same LAN switch there is no conflict as long as their VLANs differ, even if the MAC address is the same.
In summary, in the prior art a LAN switch in SVL mode combined with a VB L2VPN may be unable to provide the Layer 2 VPN function.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiency of the prior art that a LAN switch in SVL mode combined with a VB L2VPN cannot provide the Layer 2 VPN function, by providing a method for implementing a VLAN-based Layer 2 virtual private network that enables a LAN switch in SVL mode and a VB L2VPN together to provide the Layer 2 VPN function.
The technical solution adopted by the present invention to solve the above technical problem is as follows:
In this method for implementing a VLAN-based Layer 2 virtual private network, when users with different VLANs and different MAC addresses access the Layer 2 virtual private network through the same Layer 2 access device supporting the shared VLAN learning switching mode and communicate with each other, the steps are as follows:
The local user under the Layer 2 access device sends a protocol message to look for the remote user; the port of the Layer 2 access device connected to the local user parses this message, learns the MAC address of the local user, adds an entry to the MAC switching table, and sends the message to the Layer 2 virtual private network;
The Layer 2 virtual private network terminates this VLAN, performs the MAC lookup, takes a MAC address from the reserved MAC address pool, replaces the source MAC address of the message with the new MAC address, establishes a mapping between the original source MAC address of the message and the new MAC address, and floods the translated message to all ports of the Layer 2 access device;
The port of the Layer 2 access device connected to the Layer 2 virtual private network learns the new MAC address, and the remote user's subsequent reply messages are addressed to this new MAC address, that is, sent back to the Layer 2 virtual private network. On receiving the reply from the remote user, the Layer 2 virtual private network finds that the destination MAC of the reply is an address inside the MAC pool, looks up the original MAC address, and replaces the destination MAC address of the reply with the original MAC address; at the same time it replaces the source MAC address of the reply with another new MAC address, establishes a mapping between the original source MAC address of the reply and the new MAC address, floods the translated reply to all ports of the Layer 2 access device, and finds the egress port according to the destination MAC of the reply;
The port of the Layer 2 access device connected to the Layer 2 virtual private network learns the new source MAC address of the reply, and all subsequent messages from the local user to the remote user are sent to this new source MAC address. Both the local user and the remote user thus believe that they are communicating with the Layer 2 virtual private network, and in this way the local user and the remote user communicate.
The protocol message is a broadcast address resolution protocol message or a dynamic host configuration protocol message. The new MAC address is allocated by the Layer 2 virtual private network from the reserved MAC address pool, and the correspondence between the MAC address before translation and the MAC address after translation is maintained by the Layer 2 virtual private network.
A single MAC address may also be used as the MAC address pool, with the one-to-one mapping between the pool address and the user's original MAC address realised by means of the user's Layer 3 or Layer 2 information, thereby achieving Layer 2 address translation. The Layer 3 or Layer 2 information is the VLAN ID or the IP address. The Layer 2 access device supporting the shared VLAN learning switching mode is a LAN switch or a digital subscriber line access multiplexer that supports the shared VLAN learning switching mode.
The beneficial effects of the present invention are: by reserving a MAC address pool, the invention performs MAC address translation, and hence Layer 2 address translation, so that, without adding any equipment, the deficiency of the prior art is overcome and a LAN switch in SVL mode combined with a VB L2VPN can provide the Layer 2 VPN function; Layer 2 isolation between users is also achieved more effectively, making the VB L2VPN more secure.
Description of drawings
Fig. 1 is the networking structure diagram of the VLAN-based Layer 2 VPN.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawing and an embodiment:
The invention provides a Layer 2 address translation method which, without adding equipment, enables a LAN switch in SVL mode combined with a VB L2VPN to provide the Layer 2 VPN function.
The detailed steps of the invention are described with reference to the networking diagram of Fig. 1. The LAN switch and the DSLAM (digital subscriber line access multiplexer) connect users by VLAN, thereby isolating users from one another, and users under the same LAN switch access the operator's Layer 2 VPN network through different VLANs and ports. To implement the invention, a MAC address pool is reserved on the VLAN-based Layer 2 VPN (VB L2VPN) to support MAC address translation. The two users PC0 and PC1 of the LAN switch have MAC addresses MAC0 and MAC1 respectively and access the VB L2VPN through different VLANs (VLAN0, VLAN1). When PC0 wants to communicate with PC1, the steps are as follows:
1. PC0 first builds a broadcast ARP (address resolution protocol) message, filling its own MAC address (MAC0) into the source MAC field and the IP address of PC1 into the destination IP field, and sends the message out of the port connected to the L2VPN;
2. Port0 of the LAN switch parses this ARP message, learns MAC address MAC0 of PC0 in VLAN0, and adds an entry to the MAC switching table. Because the destination MAC address of the ARP message is the broadcast address, the message is flooded to all ports of the LAN switch; since only Port10 is in the same VLAN as Port0, the LAN switch sends the message from Port10 through VLAN0 to the VB L2VPN;
3. The VB L2VPN then terminates this VLAN and performs the MAC lookup, which determines that the message is to be forwarded to Port10 of the LAN switch in VLAN1. It takes a MAC address from the reserved MAC address pool, replaces the source MAC address of the message with the new MAC address (MAC2), and establishes a mapping between the original source MAC address of the message and the new MAC address (this process is called source MAC address translation, SMAT); the source MAC address carried inside protocol messages such as ARP and DHCP (dynamic host configuration protocol) is updated to the new MAC address at the same time. The translated message is then flooded to all interfaces, including VLAN1 on Port10 of the LAN switch;
4. Port10 thus learns MAC2 in VLAN1, and the subsequent ARP reply destined for user MAC0 is addressed to MAC2 and is therefore sent back to the VB L2VPN;
5. The VB L2VPN finds that the destination MAC address of the message is an address inside the MAC pool, so it must find the original MAC address: the destination MAC of the message, and the destination MAC address carried inside protocol messages such as ARP, are all replaced with the original MAC address, that is, MAC2 is replaced with MAC0 (this process is called destination MAC address translation, DMAT). At the same time the source MAC address of the message undergoes SMAT in the same way, source MAC1 being replaced with MAC3, and the egress port is then found according to the destination MAC of the message;
6. Thereafter, Port10 of the LAN switch has learnt MAC3 in VLAN0, and subsequent messages from user PC0 to user PC1 are sent to MAC3. Because the SVL switching mode assumes by default that the VLAN through which a user accesses is the VLAN from which it sends, it is sufficient for the switch to learn the port behind each MAC in order to perform MAC switching and VLAN isolation.
After this MAC address translation process, both users believe that they are communicating with the VB L2VPN and cannot see any Layer 2 information of the remote user at all, which solves the prior-art problem that a LAN switch in SVL mode combined with a VB L2VPN cannot provide the Layer 2 VPN function.
The two addresses MAC2 and MAC3 are allocated automatically by the software of the VB L2VPN, which then maintains the correspondence between the MAC addresses before and after translation. The above process is similar to NAT (network address translation), except that NAT translates Layer 3 addresses whereas the present invention translates Layer 2 addresses.
By reserving a MAC address pool, the present invention performs MAC address translation, and hence Layer 2 address translation, so that, without adding equipment, the deficiency of the prior art is overcome and a LAN switch in SVL mode combined with a VB L2VPN can provide the Layer 2 VPN function; Layer 2 isolation between users is also achieved more effectively, making the VB L2VPN more secure.
The Layer 2 address translation method is not limited to translation using a MAC address pool; MAC address translation may also be realised in combination with Layer 3 information. For example, when MAC resources are scarce, a single MAC address can be used as the MAC address pool, and the one-to-one mapping between the pool address and the user's original MAC address can be realised by means of Layer 3 information such as the user's IP address, or by Layer 2 information, thereby achieving Layer 2 address translation; the Layer 3 or Layer 2 information includes the VLAN ID, the IP address and the like.
Those skilled in the art may implement the present invention in various modified forms without departing from its essence and spirit. The above is only a preferred feasible embodiment of the present invention and does not limit its scope of protection; all equivalent structural changes made using the contents of the specification and drawing of the present invention fall within the scope of protection of the present invention.
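The following simulation is an added example written for this page, not code from the patent or its assignee. It models the Fig. 1 topology with constructed MAC addresses, IP addresses and port names: an SVL switch with one shared MAC table, PC0 on VLAN0, PC1 on VLAN1, and a VB L2VPN that terminates both VLANs. With translation off it reproduces the prior-art failure (the ARP reply to MAC0 is dropped on Port10 because MAC0 was re-learnt there); with SMAT/DMAT on, PC0 ends up talking to pool address MAC3 and PC1 only ever sees pool address MAC2.

```python
# Constructed simulation (an added example, not the patent's code) of the Fig. 1 ARP
# exchange through an SVL switch, with and without the SMAT/DMAT MAC pool translation.
from collections import deque
from dataclasses import dataclass

BCAST = "ff:ff:ff:ff:ff:ff"
MAC0, MAC1 = "00:00:00:00:00:a0", "00:00:00:00:00:a1"  # PC0, PC1 (constructed)
POOL = ["00:00:00:00:00:b2", "00:00:00:00:00:b3"]      # reserved pool: MAC2, MAC3

@dataclass
class Frame:
    src: str            # Ethernet source MAC
    dst: str            # Ethernet destination MAC
    vlan: int           # VLAN tag seen by the access switch
    kind: str           # "arp-req", "arp-rep" or "data"
    arp_mac: str = ""   # sender MAC carried inside the ARP payload
    target_ip: str = ""

class Host:
    def __init__(self, mac, ip, switch, port):
        self.mac, self.ip, self.sw, self.port = mac, ip, switch, port
        self.arp_cache, self.received = {}, []

    def receive(self, frame):
        if frame.kind == "arp-req" and frame.target_ip == self.ip:
            # reply to the sender MAC inside the ARP payload, as a real host does
            self.sw.receive(self.port, Frame(self.mac, frame.arp_mac, frame.vlan, "arp-rep", self.mac))
        elif frame.kind == "arp-rep":
            self.arp_cache["peer"] = frame.arp_mac
        elif frame.kind == "data":
            self.received.append(frame)

class SvlSwitch:
    """Shared VLAN learning: a single MAC table (mac -> port) for every VLAN."""
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans        # port -> set of VLAN ids it carries
        self.table, self.attached = {}, {}  # attached: port -> Host or VbL2vpn

    def receive(self, in_port, frame):
        self.table[frame.src] = in_port     # source learning overwrites the old port
        out = self.table.get(frame.dst)
        if frame.dst == BCAST or out is None:  # unknown or broadcast: flood the VLAN
            targets = [p for p, v in self.port_vlans.items()
                       if frame.vlan in v and p != in_port]
        elif out == in_port or frame.vlan not in self.port_vlans[out]:
            return                          # destination learnt on the ingress port: drop
        else:
            targets = [out]
        for p in targets:
            self.attached[p].receive(frame)

class VbL2vpn:
    """Terminates each VLAN as its own interface; optionally applies SMAT/DMAT."""
    def __init__(self, switch, port, vlans, translate):
        self.sw, self.port, self.vlans, self.translate = switch, port, vlans, translate
        self.table = {}                     # mac -> VLAN interface it was learnt on
        self.pool, self.to_new, self.to_orig = deque(POOL), {}, {}

    def receive(self, frame):
        self.table[frame.src] = frame.vlan
        dst = self.to_orig.get(frame.dst, frame.dst)   # DMAT: pool MAC -> real MAC
        if dst == BCAST or dst not in self.table:
            out_vlans = [v for v in self.vlans if v != frame.vlan]
        else:
            out_vlans = [self.table[dst]]
        src = frame.src
        if self.translate:                             # SMAT: real MAC -> pool MAC
            if src not in self.to_new:
                new = self.pool.popleft()
                self.to_new[src], self.to_orig[new] = new, src
            src = self.to_new[src]
        arp_mac = src if frame.kind.startswith("arp") else ""  # ARP payload rewritten too
        for v in out_vlans:
            self.sw.receive(self.port, Frame(src, dst, v, frame.kind, arp_mac, frame.target_ip))

def run(translate):
    """PC0 (VLAN0) ARPs for PC1 (VLAN1) and, if resolved, sends one data frame;
    returns (MAC that PC0 resolved, source MACs PC1 saw, switch MAC table)."""
    sw = SvlSwitch({"Port0": {0}, "Port1": {1}, "Port10": {0, 1}})
    pc0, pc1 = Host(MAC0, "10.0.0.1", sw, "Port0"), Host(MAC1, "10.0.0.2", sw, "Port1")
    sw.attached = {"Port0": pc0, "Port1": pc1, "Port10": VbL2vpn(sw, "Port10", (0, 1), translate)}
    sw.receive("Port0", Frame(MAC0, BCAST, 0, "arp-req", MAC0, pc1.ip))
    if "peer" in pc0.arp_cache:
        sw.receive("Port0", Frame(MAC0, pc0.arp_cache["peer"], 0, "data"))
    return pc0.arp_cache.get("peer"), [f.src for f in pc1.received], dict(sw.table)
```

`run(False)` returns no resolved peer and a switch table in which MAC0 has moved to Port10, while `run(True)` returns MAC3 as PC0's peer and MAC2 as the only source PC1 sees.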
Claims (5)
1. A method for implementing a VLAN-based Layer 2 virtual private network, characterised in that, when users with different VLANs and different MAC addresses access the Layer 2 virtual private network through the same Layer 2 access device supporting the shared VLAN learning switching mode and communicate with each other, the steps are as follows:
A. the local user under the Layer 2 access device sends a protocol message to look for the remote user, and the Layer 2 access device sends this message to the Layer 2 virtual private network;
B. the Layer 2 virtual private network takes a MAC address from the reserved MAC address pool, replaces the source MAC address of the message with the new MAC address, establishes a correspondence between the original source MAC address of the message and the new MAC address, and sends the translated message on;
C. after receiving this message, the remote user sends a reply message to the Layer 2 virtual private network via the new MAC address; the Layer 2 virtual private network finds the original MAC address according to said correspondence, replaces the destination MAC address of the reply message with the original MAC address, replaces the source MAC address of the reply message with another new MAC address, establishes a correspondence between the original source MAC address of the reply message and the new MAC address, and sends the translated reply message to the local user;
D. the local user uses said other new source MAC address of the reply message to send messages to the remote user, thereby realising communication between the local user and the remote user.
2. The method for implementing a VLAN-based Layer 2 virtual private network according to claim 1, characterised in that said protocol message is a broadcast address resolution protocol message or a dynamic host configuration protocol message.
3. The method for implementing a VLAN-based Layer 2 virtual private network according to claim 1 or 2, characterised in that said MAC address pool contains only one MAC address, and the one-to-one mapping between the pool address and the user's original MAC address is realised by means of the user's Layer 3 or Layer 2 information, thereby achieving Layer 2 address translation.
4. The method for implementing a VLAN-based Layer 2 virtual private network according to claim 3, characterised in that said Layer 3 or Layer 2 information is the VLAN ID or the IP address.
5. The method for implementing a VLAN-based Layer 2 virtual private network according to claim 1 or 2, characterised in that said Layer 2 access device supporting the shared VLAN learning switching mode is a LAN switch or a digital subscriber line access multiplexer that supports the shared VLAN learning switching mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CNB200410037146XA CN100508520C (en) | 2004-06-03 | 2004-06-03 | Method for implementing VLAN based L2VPN
Publications (2)
Publication Number | Publication Date
---|---
CN1705307A CN1705307A (en) | 2005-12-07
CN100508520C true CN100508520C (en) | 2009-07-01
Family ID: 35577791
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN1946041B (en) * | 2006-06-20 | 2010-08-18 | 杭州华三通信技术有限公司 | VLAN polymerizing method, converging exchanger and system based on ARP detector intercept
CN101106507B (en) * | 2006-07-14 | 2010-09-08 | 华为技术有限公司 | A method for realizing hierarchical VLAN
CN101309284B (en) * | 2007-05-14 | 2012-09-05 | 华为技术有限公司 | Remote access communication method, apparatus and system
CN101378324B (en) * | 2007-08-31 | 2011-05-11 | 华为技术有限公司 | Method, apparatus and system for processing, replacing combined business and invoking concrete business
CN103139037B (en) | 2011-11-30 | 2016-05-18 | 国际商业机器公司 | For realizing the method and apparatus of VLAN flexibly
CN103379187B (en) * | 2012-04-28 | 2016-12-14 | 南京中兴新软件有限责任公司 | A kind of data processing method and Gateway Network Element
CN103023827B (en) * | 2012-11-23 | 2017-04-19 | 杭州华三通信技术有限公司 | Data forwarding method for virtualized data centre and realization equipment of data forwarding method
US9350607B2 (en) | 2013-09-25 | 2016-05-24 | International Business Machines Corporation | Scalable network configuration with consistent updates in software defined networks
US9112794B2 (en) | 2013-11-05 | 2015-08-18 | International Business Machines Corporation | Dynamic multipath forwarding in software defined data center networks
CN104734953B (en) * | 2015-03-24 | 2019-07-23 | 福建星网锐捷网络有限公司 | The method, apparatus and interchanger of two layers of message isolation are realized based on VLAN
CN106294187B (en) * | 2015-05-15 | 2019-11-08 | 比亚迪股份有限公司 | The control method and device of position accessing operation function
CN111367844B (en) * | 2019-03-13 | 2020-12-15 | 苏州库瀚信息科技有限公司 | System, method and apparatus for a storage controller having multiple heterogeneous network interface ports
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090701; Termination date: 20160603