CN101022394A - Method and convergence switch for implementing virtual local area network aggregation - Google Patents

Publication number: CN101022394A
Authority: CN (China)
Legal status: Granted
Application number: CNA2007100920935A
Other languages: Chinese (zh)
Other versions: CN101022394B (en)
Inventors: 刘建锋, 宋建永, 李爱国
Current assignee: Hewlett Packard Enterprise Development LP
Original assignee: Hangzhou Huawei 3Com Technology Co Ltd

Abstract

A method for implementing virtual local area network (VLAN) aggregation comprises: storing, in a convergence switch, the correspondence between a plurality of user-side VLANs and one network-side VLAN, together with a configured binding table formed from the user information carried in packets; in the uplink direction, sending uplink packets to the gateway device according to the configured VLAN aggregation mapping table; and in the downlink direction, sending downlink packets to the user host according to the binding relationship and the configured VLAN aggregation mapping table.

Description

Method and convergence switch for implementing virtual local area network aggregation
Technical field
The present invention relates to the field of computer network communication technology, and in particular to a method for implementing virtual local area network (VLAN) aggregation and to the convergence switch that applies it.
Background technology
VLAN technology is now widely deployed. A VLAN is a logical, end-to-end network built on top of a switched LAN by network management software; it can span different network segments and different physical networks. A VLAN forms a logical subnet, that is, a logical broadcast domain. It can cover multiple network devices and lets users at different geographic locations join the same logical subnet, so that network bandwidth is fully used and network performance improves considerably. In addition, a VLAN switch acts as a barrier: only frames from members of the VLAN may pass, so VLAN technology also increases network security.
Refer to Fig. 1, a schematic diagram of a Layer 3 networking system using VLAN technology. As shown, four client hosts (PC#1, PC#2, PC#3, PC#4) are connected to four VLANs (VLAN#100, VLAN#200, VLAN#300, VLAN#400) respectively, and each VLAN passes transparently through a Layer 2 switch and the convergence switch to be terminated on the Layer 3 gateway. When many user VLANs are connected, a large number of VLANs must be terminated on the Layer 3 gateway. Each VLAN occupies one routing interface on the gateway, which puts considerable processing pressure on the gateway device and at the same time wastes VLAN resources in the aggregation network and leads to VLAN conflicts.
In view of this waste of VLAN resources in the aggregation network, several methods of VLAN mapping (aggregation) have been proposed. VLAN mapping uses aggregation to map multiple user-side VLANs onto a single network-side VLAN.
Refer to Fig. 2, a schematic diagram of a Layer 3 networking system using VLAN aggregation technology. The core idea of the prior-art aggregation technique is to set up a correspondence between multiple user-side VLANs and one network-side VLAN. This correspondence is realised by configuring, in the convergence switch, the relationship between MAC addresses in an access control list (ACL) and VLAN identifiers. Here, a user-side VLAN is a VLAN on the access side, i.e. the VLAN the user connects to directly; a network-side VLAN is a VLAN on the network side, i.e. between the convergence switch and the gateway device.
Specifically, packets travelling uplink from the user-side VLANs (VLAN#100, VLAN#200, VLAN#300 and/or VLAN#400) to the convergence switch are all converged, after the packet-filtering mapping performed by the ACL, onto one uplink VLAN (VLAN#1000) and sent to the gateway device; that is, the VLAN identifier carried in the packet is rewritten to the same network-side VLAN identifier. For downlink packets from the network-side VLAN, the ACL packet-filtering mapping uses the configured correspondence and the destination medium access control (MAC) address carried in the downlink packet to rewrite the VLAN identifier in the packet to the corresponding user-side VLAN identifier, and the downlink packet is sent to the corresponding client host over its user-side VLAN.
It can be seen from the above that packets between the convergence switch and the gateway device are carried over the same aggregated network-side VLAN, which effectively reduces VLAN resource consumption in the aggregation network and the number of VLAN routing interfaces on the Layer 3 gateway device, and also somewhat increases network security.
However, many factors affect network security; the more common ones include MAC address forgery, theft and address spoofing. Because the above scheme depends on the legitimacy of the MAC addresses it uses, the reliability of the VLAN mapping (aggregation) method is directly affected, and the aggregation scheme still has security weaknesses. How to improve the security of VLAN aggregation technology is therefore a pressing problem in the industry.
Summary of the invention
In view of the shortcomings of the above technology, the object of the present invention is to propose a method and a convergence switch for implementing VLAN aggregation, which combine ACLs with DHCP snooping to realise many-to-one VLAN mapping, i.e. VLAN mapping (or aggregation) in a Layer 2 switching network, so as to reduce the number of interfaces consumed on the upstream router (Layer 3 routing device) while significantly improving network security.
The object of the invention is achieved by the following technical solution:
A method for implementing VLAN aggregation comprises:
Step S1: configuring a VLAN aggregation mapping table recording the correspondence between a plurality of user-side VLANs and one network-side VLAN, and establishing a binding table formed from the user information carried in packets;
Step S2: judging, according to the user-information binding table, whether the user information carried in a received packet is legal; if legal, executing step S3, otherwise dropping the packet;
Step S3: modifying the VLAN identifier carried in the packet according to the VLAN aggregation mapping table, and forwarding the packet into the corresponding target VLAN.
In the above method, the packet is a DHCP protocol packet, and the entry information of the binding table is the VLAN identifier, MAC address, port address and/or IP address.
In the above method, the entries in the binding table are generated by manual static configuration and/or from user information obtained dynamically from packets, based on the DHCP snooping exchange, when uplink and downlink packets are received.
Configuring the VLAN aggregation mapping table in the above method specifically comprises: creating entries in the ACL, and setting in each ACL entry a match rule and a match action that record the correspondence between a plurality of user-side VLANs and one network-side VLAN.
In the above method, in the uplink direction the match rule of the ACL entry is the source MAC address and VLAN identifier carried in the packet, or the source MAC address, port address and VLAN identifier carried in the packet; the match action of the ACL entry is to replace the user-side VLAN identifier carried in the uplink DHCP packet with the identifier of the network-side VLAN. In the downlink direction the match rule of the ACL entry is the IP address, source MAC address and VLAN identifier carried in the packet, or the IP address, destination MAC address, port address and VLAN identifier carried in the packet; the match action of the ACL entry is to replace the network-side VLAN identifier carried in the downlink DHCP packet with the user-side VLAN identifier.
In the above method, the specific flow of step S2 in the uplink direction comprises:
Step S2-1: receiving the packet and configuring an uplink ACL entry according to the contents of the binding table entry;
Step S2-2: according to the VLAN identifier carried in the uplink DHCP protocol packet, looking up the VLAN aggregation mapping table information configured in the corresponding ACL entry; if the VLAN identifier carried in the packet equals a user-side VLAN that corresponds to the network-side VLAN, executing step S2-3, otherwise executing step S2-4;
Step S2-3: replacing the VLAN identifier in the uplink DHCP protocol packet with the corresponding network-side VLAN identifier, and sending the packet to the gateway device over the network-side VLAN;
Step S2-4: sending the uplink DHCP protocol packet in its original VLAN.
In the above method, the specific flow of step S2 in the downlink direction comprises:
Step S2-1': receiving the packet and configuring a downlink ACL entry according to the contents of the binding table entry;
Step S2-2': according to the VLAN identifier carried in the downlink DHCP protocol packet, looking up the VLAN aggregation mapping table information configured in the corresponding downlink ACL entry; if the VLAN identifier carried in the packet equals the network-side VLAN, executing step S2-3', otherwise executing step S2-5';
Step S2-3': finding, from the information recorded in the binding table entry, the user-side VLAN corresponding to the destination MAC address carried in the packet;
Step S2-4': modifying the VLAN identifier carried in the downlink DHCP protocol packet to the user-side VLAN identifier of the VLAN where the user host is located, and sending the packet to the user host over that user-side VLAN;
Step S2-5': sending the downlink DHCP protocol packet in its original VLAN.
The present invention also provides a convergence switch, which stores the configured correspondence between different user-side VLANs and one network-side VLAN and establishes a binding table formed from the user information carried in packets. The convergence switch receives uplink and downlink packets, judges the legitimacy of the user information carried in a received packet according to the user-information binding table, modifies the VLAN identifier carried in a legal packet according to the VLAN aggregation mapping table, and forwards the packet into the corresponding target VLAN.
The convergence switch further comprises a user interface module, a DHCP snooping module, an ACL entry management module, an uplink transceiving processing module and a downlink transceiving processing module.
The user interface module configures the correspondence between the user-side VLANs and the network-side VLAN in the VLAN aggregation mapping table and sends it to the ACL entry management module. The DHCP snooping module dynamically establishes and maintains the binding table by listening to the DHCP exchange between the user hosts and the gateway, and sends the established binding table to the ACL entry management module. The ACL entry management module dynamically configures the ACL entries according to the received VLAN aggregation mapping table and binding table. The uplink transceiving processing module receives uplink DHCP packets and sends them to the gateway device according to the match rules and match actions of the ACL entries configured from the VLAN aggregation mapping table. The downlink transceiving processing module receives DHCP packets and sends downlink DHCP protocol packets to the user host according to the match rules and match actions of the ACL entries configured from the binding table and the VLAN aggregation mapping table.
In the convergence switch, the ACL entries are divided into uplink ACL entries and downlink ACL entries, where:
the match rule of an uplink ACL entry is source MAC address and VLAN identifier, or source MAC address, port address and VLAN identifier; the match action of an uplink ACL entry is to replace the user-side VLAN identifier carried in the uplink DHCP packet with the identifier of the network-side VLAN;
the match rule of a downlink ACL entry is IP address, source MAC address and VLAN identifier, or IP address, destination MAC address, port address and VLAN identifier; the match action of a downlink ACL entry is to replace the network-side VLAN identifier carried in the downlink DHCP packet with the user-side VLAN identifier.
The DHCP snooping module in the convergence switch listens to the DHCP exchange between each user host and the gateway, generates binding-entry add and delete messages, and sends these messages to the ACL entry management module.
It can be seen from the above that the invention combines an ACL module with a DHCP snooping module to realise a many-to-one VLAN mapping technique. The DHCP snooping module establishes a binding table containing MAC address, IP address, port number and VLAN ID, and all or part of the information in the binding table is set in the ACL rules to realise stricter binding, so that while implementing VLAN mapping (or aggregation) in a Layer 2 networking mode, the security of the VLAN aggregation technique is improved.
Description of drawings
Fig. 1 is a schematic diagram of a Layer 3 networking system using VLAN technology;
Fig. 2 is a schematic diagram of a Layer 3 networking system using VLAN aggregation technology;
Fig. 3 is a schematic diagram of a Layer 3 networking system that implements VLAN aggregation by combining ACLs with DHCP snooping;
Fig. 4 is a schematic diagram of the basic structure of the convergence switch of the embodiment of the invention;
Fig. 5 is a flow chart of the VLAN aggregation method of the embodiment of the invention;
Fig. 6 is a flow chart of the specific implementation of step S2 (uplink direction) of the embodiment of the invention;
Fig. 7 is a flow chart of the specific implementation of step S2 (downlink direction) of the embodiment of the invention.
Embodiment
The VLAN aggregation method and convergence switch of the present invention are described in detail below with reference to the accompanying drawings.
First, refer to Fig. 3, a schematic diagram of a Layer 3 networking system that implements VLAN aggregation by combining ACLs with DHCP snooping. As shown, eight user hosts (PC#11, PC#12, PC#21, PC#22, PC#31, PC#32, PC#41 and PC#42) are connected to four different user-side VLANs (VLAN#1, VLAN#2, VLAN#3 and VLAN#4), and the four user-side VLANs are aggregated onto the same network-side VLAN (VLAN#5) for packet transmission.
Specifically, the VLAN identifiers used can be classified in the convergence switch as user-side VLAN identifiers (for example VLAN1, VLAN2, VLAN3, VLAN4) and a network-side VLAN identifier (for example VLAN5). After the mapping processing of the convergence switch, the VLAN identifier carried in an uplink packet from a user-side VLAN is rewritten to the same network-side VLAN identifier; after a downlink packet from the network-side VLAN is processed by the convergence switch, the VLAN identifier it carries is rewritten to that of the corresponding user-side VLAN.
The difference from Fig. 2 is that a Dynamic Host Configuration Protocol (DHCP) server is also connected to the Layer 2 switch. DHCP is an IP standard used to simplify the IP configuration management of user hosts. With DHCP, a DHCP server can set network parameters such as the IP address, mask, gateway and domain name system (DNS) server for the DHCP-enabled user hosts on the network, simplifying user network configuration. Once DHCP snooping is enabled on the convergence switch, it can listen to DHCP packets and extract and record IP address and MAC address information from the DHCP Request or DHCP ACK packets it receives. From the DHCP information obtained, the convergence switch generates a local DHCP snooping binding table; packets that satisfy a binding relationship in this table are forwarded normally by the convergence switch, while packets that do not are blocked by the switch.
Refer to Fig. 4, a schematic diagram of the basic structure of the convergence switch of the embodiment. The convergence switch shown is located at the aggregation layer and may be a Layer 2 switch with a VLAN aggregation function. In the embodiment, the function of the convergence switch is: to store the configured correspondence between different user-side VLANs and one network-side VLAN, to establish a binding table formed from the user information carried in packets, to judge the legitimacy of the user information carried in a received packet according to the user-information binding table, to modify the VLAN identifier carried in a legal packet according to the VLAN aggregation mapping table, and to forward the packet into the corresponding target VLAN. Specifically, the convergence switch receives uplink and downlink DHCP packets and generates binding table entries from the information carried in those packets. In the uplink direction it judges, according to the user-information binding table, whether the user information carried in a received uplink packet is legal; if legal, it modifies the user-side VLAN identifier carried in the uplink packet according to the VLAN aggregation mapping table and sends the uplink DHCP packet to the gateway device over the corresponding network-side VLAN; if illegal, it drops the packet. In the downlink direction it judges whether the user information carried in a received downlink packet is legal; if legal, it modifies the network-side VLAN identifier carried in the downlink packet according to the VLAN aggregation mapping table and sends the downlink DHCP packet to the user host over the corresponding user-side VLAN.
As shown in Fig. 4, the convergence switch specifically comprises a user interface module, a DHCP snooping module, an ACL entry management module, an uplink transceiving processing module and a downlink transceiving processing module.
The user interface module serves as the user management interface. Through this module the correspondence between the user-side VLANs and the network-side VLAN in a VLAN mapping group is configured, generating the VLAN aggregation mapping table. Preferably, the aggregation mapping table is sent to the ACL entry management module so that the ACL can be statically configured on the convergence switch and the relevant packets can then undergo VLAN conversion.
The DHCP snooping module listens to the DHCP exchange between the user hosts and the gateway, dynamically establishes and maintains the binding table, and generates DHCP snooping binding-entry add and delete messages. The binding table generally contains the following entry fields: the IP address of the user host, the MAC address of the user host, the port the user host is attached to, and the VLAN the user host belongs to.
Preferably, the DHCP snooping module comprises a binding table management module which listens to the DHCP exchange between each user host and the gateway, generates binding-entry add and delete messages, and sends them to the ACL entry management module. That is, the DHCP snooping module can further send the DHCP snooping binding-entry add and delete messages and the DHCP snooping binding table to the ACL entry management module. In a convergence switch that uses a dedicated chip (ASIC) for packet forwarding, one complete request/response exchange produces one binding entry: after a user host (for example PC#11) completes a full exchange, the DHCP snooping module obtains a complete binding entry for that host (PC#11). This binding entry is what allows the real data packets sent by the user to be processed, so if the binding entry is checked and found legal, the entry information of the generated binding table must be delivered to the hardware chip (ASIC), i.e. a DHCP snooping binding table add message is sent to the ACL entry management module. Likewise, when the DHCP snooping module decides that a binding entry must be deleted, it sends a DHCP snooping binding table delete message to the ACL entry management module.
The ACL entry management module dynamically configures the ACL entries according to the received VLAN aggregation mapping table and binding table. That is, the hardware chip processes packets according to the following principle: it judges whether the IP address, MAC address and VLAN information carried in the packet, and the port the packet arrived on, are identical to some ACL entry; if so, the VLAN identifier carried in the packet is modified and the packet is forwarded into the corresponding target VLAN; if not, the packet is dropped. For an uplink packet, what is checked is the user-side VLAN and the modified destination VLAN is the network-side VLAN; for a downlink packet, what is checked is the network-side VLAN and the modified destination VLAN is the user-side VLAN.
The ACL entries are divided into uplink ACL entries and downlink ACL entries. The match rule of an uplink ACL entry is source MAC address and VLAN identifier; alternatively, the source MAC address, port address and VLAN identifier supplied by the DHCP snooping module can all be set in the ACL rule to realise stricter binding. The match action of an uplink ACL entry is to replace the user-side VLAN identifier carried in the uplink DHCP packet with the identifier of the network-side VLAN. The match rule of a downlink ACL entry is IP address, destination MAC address and VLAN identifier; alternatively, the source MAC address, port address and VLAN identifier supplied by the DHCP snooping module can all be set in the ACL rule to realise stricter binding. The match action of a downlink ACL entry is to replace the network-side VLAN identifier (for example VLAN#5) carried in the downlink DHCP packet with the user-side VLAN identifier (for example VLAN#1).
The uplink transceiving processing module receives uplink DHCP packets and sends them to the gateway device according to the match rules and match actions of the ACL entries configured from the VLAN aggregation mapping table. The downlink transceiving processing module receives DHCP packets and sends downlink DHCP protocol packets to the user host according to the match rules and match actions of the ACL entries configured from the binding table and the VLAN aggregation mapping table.
From the above description it can be seen that, in the embodiment, the DHCP snooping module and the ACL entry management module in the convergence switch can also manage user hosts dynamically: when a user host joins or leaves a user-side VLAN, the cooperation of the DHCP snooping module and the ACL entry management module updates the relevant ACL entries dynamically, thereby ensuring that packets are transmitted correctly over the aggregated network-side VLAN.
The VLAN aggregation method of the embodiment is described in detail below with reference to Fig. 3 and Figs. 5 to 7.
Refer to Fig. 5, a flow chart of the VLAN aggregation method of the embodiment. The method in this embodiment comprises the following steps:
Step S1: configuring a VLAN aggregation mapping table recording the correspondence between a plurality of user-side VLANs and one network-side VLAN, and establishing a binding table formed from the user information carried in packets;
Step S2: judging, according to the user-information binding table, whether the user information carried in a received packet is legal; if legal, executing step S3, otherwise dropping the packet;
Step S3: modifying the VLAN identifier carried in the packet according to the VLAN aggregation mapping table, and forwarding the packet into the corresponding target VLAN.
It should be noted that the step of configuring the VLAN aggregation mapping table recording the correspondence between a plurality of user-side VLANs and one network-side VLAN can be performed interactively. The invention also provides two optional schemes for generating the binding table that records user information such as IP address, MAC address, port (PORT) and VLAN. One scheme is to statically configure the user's IP, MAC, PORT, VLAN and similar information; this suits user terminals that access the network with statically configured IP addresses. The other, preferred scheme obtains the user's IP, MAC, PORT, VLAN and similar information from the DHCP snooping exchange. Of course, the two schemes can also be mixed: for example, in the same network, dynamic DHCP detection is used for some users and manual configuration for others.
Once the VLAN aggregation mapping table recording the correspondence between a plurality of user-side VLANs and one network-side VLAN has been configured and the binding table formed from the user information carried in packets has been established, the ACL entries can be created; that is, the match rule and match action recording the correspondence between a plurality of user-side VLANs and one network-side VLAN are set in the ACL entry.
For convenience, in this embodiment the match rule of an uplink ACL entry is source MAC address and VLAN identifier, and its match action is to replace the user-side VLAN identifier carried in the uplink DHCP packet with the network-side VLAN identifier; the match rule of a downlink ACL entry is IP address, destination MAC address and VLAN identifier, and its match action is to replace the network-side VLAN identifier carried in the downlink DHCP packet with the user-side VLAN identifier.
Specifically, refer to Fig. 6, a flow chart of the specific implementation of step S2 (uplink direction) of the embodiment. Step S2 shown in the figure further comprises the following steps:
Step S2-1: receiving the packet and configuring an uplink ACL entry according to the contents of the binding table entry; that is, the ACL entry rule is: "packet source MAC equals MAC1" and "VLAN identifier carried in the packet equals VLAN1";
Step S2-2: according to the VLAN identifier carried in the uplink DHCP protocol packet, looking up the VLAN aggregation mapping table information configured in the corresponding ACL entry; if the VLAN identifier carried in the packet equals a user-side VLAN that corresponds to the network-side VLAN, executing step S2-3, otherwise executing step S2-4;
Step S2-3: replacing the VLAN identifier in the uplink DHCP protocol packet with the corresponding network-side VLAN identifier, i.e. the match action is: modify the VLAN identifier of the uplink DHCP packet to VLAN5; and sending the packet to the gateway device over the network-side VLAN;
Step S2-4: sending the uplink DHCP protocol packet in its original VLAN.
See Fig. 7, which is a detailed flowchart of step S2 (downlink direction) of the embodiment of the invention. Step S2 in the figure further comprises the following steps:
Step S2-1': receive the binding relationship table entry and configure the entry of the downlink access control list (ACL) according to its content;
Step S2-2': according to the VLAN ID carried in the downlink DHCP protocol message, look up the VLAN aggregation mapping table information configured in the corresponding downlink ACL entry, i.e. the entry rule is: "the destination MAC of the message equals MAC1" and "the VLAN ID carried by the message equals VLAN 5"; if the VLAN ID carried by the message equals the network-side VLAN, go to step S2-3', otherwise go to step S2-5';
Step S2-3': according to the information recorded in the binding relationship table entry, find the user-side VLAN corresponding to the destination MAC address carried in the message;
Step S2-4': based on the above lookup result, change the VLAN ID carried in the downlink DHCP protocol message to the ID of the user-side VLAN in which the user host resides, and send the message to the user host via that user-side VLAN;
Step S2-5': send the downlink DHCP protocol message within its original VLAN.
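The uplink procedure (S2-1 to S2-4) and the downlink procedure (S2-1' to S2-5') above, together with the matching rules the claims below state for the two ACL entries, as one added Python example; this is not the patent's own code. MAC1, VLAN1 and VLAN5 follow the text; the function names, the frame fields, the other addresses and the binding table contents are constructed assumptions. The example also carries the legality check from claim 1 (a message whose user information is not in the binding table is dropped), which the step list above does not spell out.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """Binding relationship table entry: IP, MAC, PORT, VLAN (constructed values below)."""
    ip: str
    mac: str
    port: int
    vlan: int


@dataclass(frozen=True)
class DhcpFrame:
    """Only the header fields the ACL rules on this page match on (simplified, constructed)."""
    src_mac: str
    dst_mac: str
    dst_ip: str
    vlan: int


@dataclass(frozen=True)
class AggregationMap:
    """VLAN aggregation mapping table: several user-side VLANs -> one network-side VLAN."""
    network_vlan: int
    user_vlans: FrozenSet[int]


Bindings = Dict[Tuple[str, int], Binding]   # binding relationship table keyed by (MAC, VLAN)


def uplink(frame: DhcpFrame, table: Bindings, agg: AggregationMap) -> Tuple[str, Optional[DhcpFrame]]:
    """Uplink ACL entry: rule = source MAC + VLAN ID; action = rewrite to the network-side VLAN."""
    # Claim 1, step S2: user information absent from the binding table is illegal -> drop
    if (frame.src_mac, frame.vlan) not in table:
        return "drop", None
    # Steps S2-2 / S2-3: an aggregated user-side VLAN is rewritten (VLAN1 -> VLAN5) and sent to the gateway
    if frame.vlan in agg.user_vlans:
        return "to_gateway", replace(frame, vlan=agg.network_vlan)
    # Step S2-4: any other VLAN is forwarded unchanged
    return "forward_original", frame


def downlink(frame: DhcpFrame, table: Bindings,
             agg: AggregationMap) -> Tuple[str, Optional[DhcpFrame], Optional[int]]:
    """Downlink ACL entry: rule = IP + destination MAC + VLAN ID; action = restore the user-side VLAN.

    Returns (action, rewritten frame, egress port towards the user host).
    """
    # Step S2-2': not the network-side VLAN -> step S2-5', forward in the original VLAN
    if frame.vlan != agg.network_vlan:
        return "forward_original", frame, None
    # Step S2-3': the binding table says which user-side VLAN the destination MAC lives in.
    # Matching the IP as well means a frame addressed to MAC1 with another user's IP is dropped.
    matches: List[Binding] = [b for b in table.values()
                              if b.mac == frame.dst_mac and b.ip == frame.dst_ip
                              and b.vlan in agg.user_vlans]
    if not matches:
        return "drop", None, None
    user = matches[0]
    # Step S2-4': rewrite VLAN5 back to the user-side VLAN and send out of the user's port
    return "to_host", replace(frame, vlan=user.vlan), user.port


def demo_table() -> Bindings:
    """Constructed binding table: MAC1 in VLAN1 (as on the page) plus two more users."""
    entries = [
        Binding("10.1.1.20", "00:11:22:33:44:55", 3, 1),   # "MAC1" bound in "VLAN1"
        Binding("10.1.2.9", "aa:bb:cc:dd:ee:ff", 7, 2),
        Binding("10.1.9.4", "de:ad:be:ef:00:01", 9, 9),    # VLAN 9 is not aggregated
    ]
    return {(b.mac, b.vlan): b for b in entries}


# Network-side VLAN5 as on the page; the set of user-side VLANs is a constructed assumption
DEMO_AGG = AggregationMap(network_vlan=5, user_vlans=frozenset({1, 2, 3}))
GATEWAY_MAC = "02:00:00:00:00:05"   # constructed gateway address
```

The two functions return the forwarding decision instead of acting on it, so the same logic can be driven from the table built by DHCP snooping or from static entries, and the drop cases (unknown source in uplink, MAC/IP mismatch in downlink) are where the "stricter binding" the summary claims actually comes from.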
In summary, the present invention combines ACL with DHCP snooping to realize many-to-one VLAN mapping. DHCP Snooping builds a binding relationship table containing MAC address, IP address, port number and VLAN ID, and all or part of the information in that table is set into the rules of the access control list (ACL), achieving stricter binding. While realizing VLAN mapping (or aggregation) under a Layer 2 networking mode, this raises the level of security of VLAN aggregation technology.
It should be stated that the foregoing summary and embodiments are intended to demonstrate the practical application of the technical scheme provided by the present invention and should not be construed as limiting its scope of protection. Those skilled in the art may make various modifications, equivalent replacements or improvements within the spirit and principle of the invention. The scope of protection of the invention is defined by the appended claims.

Claims (11)

1. A method for realizing virtual LAN aggregation, characterized in that the method comprises:
Step S1: configure a VLAN aggregation mapping table of the correspondence between several user-side VLANs and one network-side VLAN, and build a binding relationship table composed of the user information carried in messages;
Step S2: according to the user information binding relationship table, judge whether the user information carried in the received message is legal; if legal, execute step S3; if illegal, drop the message;
Step S3: modify the VLAN ID carried by the message according to the VLAN aggregation mapping table, then forward it into the corresponding target VLAN.
2. The method for realizing virtual LAN aggregation according to claim 1, characterized in that the message is a DHCP protocol message, and the entry information of the binding relationship table is VLAN ID, MAC address, port address and/or IP address.
3. The method for realizing virtual LAN aggregation according to claim 2, characterized in that the entries in the binding relationship table are generated by manual static configuration and/or by dynamically obtaining user information from messages based on the DHCP Snooping interaction process when uplink and downlink messages are received.
4. The method for realizing virtual LAN aggregation according to any of claims 1-3, characterized in that the step of configuring the VLAN aggregation mapping table comprises: creating an entry in the access control list (ACL), and setting a matching rule and a matching action in the ACL entry to record the correspondence between several user-side VLANs and one network-side VLAN.
5. The method for realizing virtual LAN aggregation according to claim 4, characterized in that:
In the uplink direction, the matching rule of the access control list (ACL) entry is: the source MAC address and VLAN ID carried in the message, or alternatively: the source MAC address, port address and VLAN ID carried in the message; the matching action of the ACL entry is: replace the user-side VLAN ID carried by the uplink DHCP message with the network-side VLAN ID; and
In the downlink direction, the matching rule of the access control list (ACL) entry is: the IP address, source MAC address and VLAN ID carried in the message, or alternatively: the IP address, destination MAC address, port address and VLAN ID carried in the message; the matching action of the ACL entry is: replace the network-side VLAN ID carried by the downlink DHCP message with the user-side VLAN ID.
6. The method for realizing virtual LAN aggregation according to claim 5, characterized in that the detailed flow of the uplink direction of step S2 comprises:
Step S2-1: receive the binding relationship table entry and configure the entry of the uplink access control list (ACL) according to its content;
Step S2-2: according to the VLAN ID carried in the uplink DHCP protocol message, look up the VLAN aggregation mapping table information configured in the corresponding ACL entry; if the VLAN ID carried by the message equals a user-side VLAN corresponding to the network-side VLAN, go to step S2-3, otherwise go to step S2-4;
Step S2-3: replace the VLAN ID in the uplink DHCP protocol message with the corresponding network-side VLAN ID, and send the message to the gateway device via the network-side VLAN;
Step S2-4: send the uplink DHCP protocol message within its original VLAN.
7. The method for realizing virtual LAN aggregation according to claim 5, characterized in that the detailed flow of the downlink direction of step S2 comprises:
Step S2-1': receive the binding relationship table entry and configure the entry of the downlink access control list (ACL) according to its content;
Step S2-2': according to the VLAN ID carried in the downlink DHCP protocol message, look up the VLAN aggregation mapping table information configured in the corresponding downlink ACL entry; if the VLAN ID carried by the message equals the network-side VLAN, go to step S2-3', otherwise go to step S2-5';
Step S2-3': according to the information recorded in the binding relationship table entry, find the user-side VLAN corresponding to the destination MAC address carried in the message;
Step S2-4': change the VLAN ID carried in the downlink DHCP protocol message to the ID of the user-side VLAN in which the user host resides, and send the message to the user host via that user-side VLAN;
Step S2-5': send the downlink DHCP protocol message within its original VLAN.
8. A convergence switch, used to store the configuration of the correspondence between different user-side VLANs and one network-side VLAN and to build a binding relationship table composed of the user information carried in messages, characterized in that the convergence switch receives uplink and downlink messages, judges the legitimacy of the user information carried in a received message according to the user information binding relationship table, modifies the VLAN ID carried by a legal message according to the VLAN aggregation mapping table, and forwards the message into the corresponding target VLAN.
9. The convergence switch according to claim 8, characterized in that the convergence switch specifically comprises: a user interface module, a DHCP snooping module, an ACL entry management module, an uplink transceiving processing module and a downlink transceiving processing module; wherein,
the user interface module is used to configure the correspondence between the user-side VLANs and the network-side VLAN in the VLAN aggregation mapping table, and sends it to the ACL entry management module;
the DHCP snooping module dynamically builds and maintains the binding relationship table by listening to the DHCP interaction between user hosts and the gateway, and sends the built binding relationship table to the ACL entry management module;
the ACL entry management module dynamically configures the entries of the access control list (ACL) according to the received VLAN aggregation mapping table and binding relationship table;
the uplink transceiving processing module is used to receive uplink DHCP messages and send them to the gateway device according to the matching rule and matching action of the ACL entry configured from the VLAN aggregation mapping table;
the downlink transceiving processing module is used to receive uplink DHCP messages and send downlink DHCP protocol messages to the user host according to the matching rule and matching action of the ACL entry configured from the binding relationship table and the VLAN aggregation mapping table.
10. The convergence switch according to claim 9, characterized in that the entries of the access control list (ACL) are divided into uplink ACL entries and downlink ACL entries; wherein,
the matching rule of the uplink ACL entry is the source MAC address and VLAN ID, or alternatively: the source MAC address, port address and VLAN ID; the matching action of the uplink ACL entry is to replace the user-side VLAN ID carried by the uplink DHCP message with the network-side VLAN ID;
the matching rule of the downlink ACL entry is the IP address, destination MAC address and VLAN ID, or alternatively: the IP address, destination MAC address, port address and VLAN ID; the matching action of the downlink ACL entry is to replace the network-side VLAN ID carried by the downlink DHCP message with the user-side VLAN ID.
11. The convergence switch according to any of claims 9-10, characterized in that the DHCP snooping module further comprises a binding relationship table management module, used to generate binding entry add and delete messages by snooping the DHCP interaction between each user host and the gateway, and to send the binding entry add and delete messages to the ACL entry management module.
CN200710092093A 2007-04-06 2007-04-06 Method for realizing virtual local network aggregating and converging exchanger Active CN101022394B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710092093A CN101022394B (en) 2007-04-06 2007-04-06 Method for realizing virtual local network aggregating and converging exchanger

Publications (2)

Publication Number Publication Date
CN101022394A true CN101022394A (en) 2007-08-22
CN101022394B CN101022394B (en) 2010-05-26

Family

ID=38710050

Country Status (1)

Country Link
CN (1) CN101022394B (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009065349A1 (en) * 2007-11-15 2009-05-28 Huawei Technologies Co., Ltd. Layer 2 control proxy method, device and system
WO2010012143A1 (en) * 2008-07-26 2010-02-04 中兴通讯股份有限公司 Method and system of virtual local area network data forwarding
CN101409685B (en) * 2008-12-01 2010-10-27 杭州华三通信技术有限公司 Forwarding method based on virtual LAN mapping and access equipment
CN101141304B (en) * 2007-09-18 2010-11-24 杭州华三通信技术有限公司 Management method and equipment of ACL regulation
CN101599885B (en) * 2009-07-03 2011-07-27 杭州华三通信技术有限公司 Method for allocating independent VLAN (virtual local area network) for each user and each service as well as system thereof
CN101227407B (en) * 2008-01-25 2011-08-10 华为技术有限公司 Method and apparatus for sending message based on two layer tunnel protocol
CN102271069A (en) * 2011-09-08 2011-12-07 北京网康科技有限公司 Method, device and system for detecting multi-dimensional information of users
CN102333099A (en) * 2011-10-27 2012-01-25 杭州华三通信技术有限公司 Security control method and equipment
CN102387225A (en) * 2011-11-14 2012-03-21 中兴通讯股份有限公司 Method for data flow transmission and device employing same
CN102104528B (en) * 2009-12-21 2012-10-10 中国移动通信集团山西有限公司 Network system applied in rural area and service message transmission method
CN102971992A (en) * 2010-06-29 2013-03-13 华为技术有限公司 Layer two over multiple sites
CN101668238B (en) * 2009-10-20 2013-04-17 上海市共进通信技术有限公司 Method, device and optical network unit for realizing N:1 concourse and 1:N conversion of VLAN in EPON
CN103109503A (en) * 2010-08-06 2013-05-15 阿尔卡特朗讯公司 Egress processing of ingress vlan acls
CN103607432A (en) * 2013-10-30 2014-02-26 中兴通讯股份有限公司 Network establishment method and system, and network control center
CN103795581A (en) * 2012-10-29 2014-05-14 杭州华三通信技术有限公司 Address processing method and address processing device
CN104052717A (en) * 2013-03-13 2014-09-17 中兴通讯股份有限公司 Message sending method and apparatus
CN104104571A (en) * 2013-04-10 2014-10-15 中兴通讯股份有限公司 Method and apparatus for realizing virtual local area network (VLAN) domain mapping and access control
CN104506437A (en) * 2014-12-29 2015-04-08 杭州华三通信技术有限公司 Item setup method and device
CN104506368A (en) * 2014-12-30 2015-04-08 浪潮(北京)电子信息产业有限公司 Method and equipment for managing switchboard equipment in unified manner
CN105187312A (en) * 2015-08-12 2015-12-23 北京锐安科技有限公司 Method, device and router for carrying out network communication on batch terminal equipment
CN105553812A (en) * 2016-01-21 2016-05-04 盛科网络(苏州)有限公司 Many-for-one VLAN (Virtual Local Area Network) mapping chip realization method based on hardware study
WO2017186181A1 (en) * 2016-04-29 2017-11-02 新华三技术有限公司 Network access control
US9912495B2 (en) 2010-05-28 2018-03-06 Futurewei Technologies, Inc. Virtual layer 2 and mechanism to make it scalable
CN108234272A (en) * 2011-10-04 2018-06-29 瞻博网络公司 For the method and apparatus of the wire/wireless enterprise network architecture of fusion
CN112953824A (en) * 2021-01-28 2021-06-11 新华三信息安全技术有限公司 Link aggregation configuration method and device
CN114978809A (en) * 2022-06-23 2022-08-30 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561026B (en) * 2013-11-04 2017-03-15 神州数码网络(北京)有限公司 The update method of hardware access control list, updating device and switch

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141304B (en) * 2007-09-18 2010-11-24 杭州华三通信技术有限公司 Management method and equipment of ACL regulation
WO2009065349A1 (en) * 2007-11-15 2009-05-28 Huawei Technologies Co., Ltd. Layer 2 control proxy method, device and system
CN101227407B (en) * 2008-01-25 2011-08-10 华为技术有限公司 Method and apparatus for sending message based on two layer tunnel protocol
US8509243B2 (en) 2008-01-25 2013-08-13 Huawei Technologies Co., Ltd. Method and device for sending a packet based on tunneling protocol used in layer 2
CN101325531B (en) * 2008-07-26 2012-05-23 中兴通讯股份有限公司 Forwarding method and system for virtual LAN
WO2010012143A1 (en) * 2008-07-26 2010-02-04 中兴通讯股份有限公司 Method and system of virtual local area network data forwarding
CN101409685B (en) * 2008-12-01 2010-10-27 杭州华三通信技术有限公司 Forwarding method based on virtual LAN mapping and access equipment
CN101599885B (en) * 2009-07-03 2011-07-27 杭州华三通信技术有限公司 Method for allocating independent VLAN (virtual local area network) for each user and each service as well as system thereof
CN101668238B (en) * 2009-10-20 2013-04-17 上海市共进通信技术有限公司 Method, device and optical network unit for realizing N:1 concourse and 1:N conversion of VLAN in EPON
CN102104528B (en) * 2009-12-21 2012-10-10 中国移动通信集团山西有限公司 Network system applied in rural area and service message transmission method
US9912495B2 (en) 2010-05-28 2018-03-06 Futurewei Technologies, Inc. Virtual layer 2 and mechanism to make it scalable
US10367730B2 (en) 2010-06-29 2019-07-30 Futurewei Technologies, Inc. Layer two over multiple sites
CN102971992A (en) * 2010-06-29 2013-03-13 华为技术有限公司 Layer two over multiple sites
CN102971992B (en) * 2010-06-29 2016-03-09 华为技术有限公司 Virtual special local area network equipment, networking component and data frame forwarding method
US10389629B2 (en) 2010-06-29 2019-08-20 Futurewei Technologies, Inc. Asymmetric network address encapsulation
CN103109503A (en) * 2010-08-06 2013-05-15 阿尔卡特朗讯公司 Egress processing of ingress vlan acls
CN103109503B (en) * 2010-08-06 2016-03-16 阿尔卡特朗讯公司 The outlet process of ingress VLAN VCL
CN102271069A (en) * 2011-09-08 2011-12-07 北京网康科技有限公司 Method, device and system for detecting multi-dimensional information of users
CN108234272A (en) * 2011-10-04 2018-06-29 瞻博网络公司 For the method and apparatus of the wire/wireless enterprise network architecture of fusion
CN108234272B (en) * 2011-10-04 2021-02-05 瞻博网络公司 Method and apparatus for converged wired/wireless enterprise network architecture
CN102333099A (en) * 2011-10-27 2012-01-25 杭州华三通信技术有限公司 Security control method and equipment
CN102333099B (en) * 2011-10-27 2014-09-10 杭州华三通信技术有限公司 Security control method and equipment
CN102387225A (en) * 2011-11-14 2012-03-21 中兴通讯股份有限公司 Method for data flow transmission and device employing same
CN102387225B (en) * 2011-11-14 2018-01-09 中兴通讯股份有限公司 Data flow sending method and device
CN103795581A (en) * 2012-10-29 2014-05-14 杭州华三通信技术有限公司 Address processing method and address processing device
CN103795581B (en) * 2012-10-29 2018-05-11 新华三技术有限公司 Address processing method and equipment
CN104052717A (en) * 2013-03-13 2014-09-17 中兴通讯股份有限公司 Message sending method and apparatus
CN104104571A (en) * 2013-04-10 2014-10-15 中兴通讯股份有限公司 Method and apparatus for realizing virtual local area network (VLAN) domain mapping and access control
WO2014166267A1 (en) * 2013-04-10 2014-10-16 中兴通讯股份有限公司 Method and apparatus for implementing virtual local area network (vlan) domain mapping and access control
CN104104571B (en) * 2013-04-10 2018-12-07 中兴通讯股份有限公司 The method and apparatus for realizing virtual LAN domain mapping and access control
CN103607432A (en) * 2013-10-30 2014-02-26 中兴通讯股份有限公司 Network establishment method and system, and network control center
CN104506437A (en) * 2014-12-29 2015-04-08 杭州华三通信技术有限公司 Item setup method and device
CN104506437B (en) * 2014-12-29 2018-08-24 新华三技术有限公司 A kind of item establishing method and device
CN104506368B (en) * 2014-12-30 2018-04-13 浪潮(北京)电子信息产业有限公司 A kind of method and apparatus for being managed collectively switch device
CN104506368A (en) * 2014-12-30 2015-04-08 浪潮(北京)电子信息产业有限公司 Method and equipment for managing switchboard equipment in unified manner
CN105187312A (en) * 2015-08-12 2015-12-23 北京锐安科技有限公司 Method, device and router for carrying out network communication on batch terminal equipment
CN105187312B (en) * 2015-08-12 2018-05-01 北京锐安科技有限公司 Batch terminal carries out network communication method, device and router
CN105553812A (en) * 2016-01-21 2016-05-04 盛科网络(苏州)有限公司 Many-for-one VLAN (Virtual Local Area Network) mapping chip realization method based on hardware study
US11025631B2 (en) 2016-04-29 2021-06-01 New H3C Technologies Co., Ltd. Network access control
WO2017186181A1 (en) * 2016-04-29 2017-11-02 新华三技术有限公司 Network access control
CN112953824B (en) * 2021-01-28 2022-03-29 新华三信息安全技术有限公司 Link aggregation configuration method and device
CN112953824A (en) * 2021-01-28 2021-06-11 新华三信息安全技术有限公司 Link aggregation configuration method and device
CN114978809B (en) * 2022-06-23 2024-01-12 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method
CN114978809A (en) * 2022-06-23 2022-08-30 惠州华阳通用电子有限公司 Vehicle-mounted Ethernet VLAN node configuration method

Similar Documents

Publication Publication Date Title
CN101022394B (en) Method for realizing virtual local network aggregating and converging exchanger
CN101047618B (en) Method and system for acquiring network route information
CN102263774B (en) Method and device for processing source role information
CN101616014B (en) Method for realizing cross-virtual private local area network multicast
CN100450080C (en) Method and apparatus for astringing two layer MAC address
CN101326763A (en) System and method for authentication of SP Ethernet aggregation networks
CN103248720A (en) Method and device for inquiring physical address
CN102377669B (en) Method for sending message and switch
CN101043430B (en) Method for converting network address between equipments
CN101631129B (en) Method and device for transmitting multicast data
CN104811371A (en) Brand-new instant messaging system
CN112333713B (en) 5G ad hoc network system, ad hoc network method, computer device and storage medium
CN110493366A (en) The method and device of network management is added in a kind of access point
CN102916897A (en) Method and equipment for realizing VRRP load sharing
CN105635335B (en) Social resources cut-in method, apparatus and system
CN104168338A (en) Network address conversion device and network address conversion method
CN101141396B (en) Packet processing method and network appliance
CN101197779B (en) Method, device and system for improving address analysis protocol proxy package efficiency
CN100499549C (en) Apparatus and base station equipment for transmitting IP message in WiMAX network
CN1997036A (en) Access multiplexer
CN112367263A (en) Multicast data message forwarding method and equipment
CN102136988A (en) Multicast data message transferring method and device
WO2008141516A1 (en) Message transmitting method, transmitting device and transmitting system
CN110719343B (en) Service acceleration processing method and system, and entrance and exit network equipment
Fuxiang et al. A security architecture for intranet based on security area division

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20230821

Address after: Texas, USA

Patentee after: HEWLETT PACKARD ENTERPRISE DEVELOPMENT L.P.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right