CN101572675B - Method for finding operating VRRP network equipment in directly connected network segment and device thereof - Google Patents

Publication number: CN101572675B
Authority: CN (China)
Application number: CN2009101481525A
Other languages: Chinese (zh)
Other versions: CN101572675A
Inventor: 袁亚屏
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Expired - Fee Related
Prior art keywords: vrrp, message, router, access switch, group

Abstract

The invention discloses a method for discovering VRRP network devices operating in a directly connected network segment, applicable to a system comprising an access switch and at least one VRRP group. The method comprises the following steps: the access switch receives and listens for the VRRP notification messages sent by the routers of each VRRP group, and determines the members of each VRRP router group and the ports they are connected to according to the port on which the notification message was received and the VRRP ID carried in the notification message, so that the access switch forwards messages between members of the same VRRP router group only through those ports. The method avoids broadcasting a group's VRRP messages to other routers, or to PCs (hosts) connected to the switch that do not participate in VRRP, thereby reducing wasted bandwidth.

Description

Method and device for discovering network devices running VRRP in a directly connected subnet
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for discovering network devices running VRRP in a directly connected subnet.
Background technology
In the prior art, a host uses the gateway it is connected to as the next hop of its default route. Fig. 1 shows how hosts communicate with the network through a gateway: all hosts in the same network segment (Host A, Host B and Host C) are each configured with the same default route whose next hop is the Gateway. When a host sends a packet to another network segment, it first sends the packet to the gateway via the default route, and the gateway then forwards it to the external network, so that the host can communicate with the external network. The default route makes configuring user hosts convenient, since a user simply sends packets to the gateway, but it places very high demands on the stability of that gateway: when the gateway fails, every host in the segment that uses it as its default route loses connectivity to the external network.
To solve this problem, the prior art proposes using VRRP (Virtual Router Redundancy Protocol) for communication between hosts and the external network. As shown in Fig. 2, VRRP adds a set of network devices capable of acting as a gateway (routers Router A, Router B and Router C) to a VRRP backup group; to the hosts this backup group appears as a single virtual router. VRRP's election mechanism decides which router in the backup group takes on the forwarding task, and the hosts in the LAN only need to configure the virtual router as their default gateway and send packets to it whenever they need to send traffic.
VRRP improves reliability while simplifying host configuration. In a LAN with multicast or broadcast capability (such as Ethernet), VRRP can still provide a highly reliable default link when a router fails, effectively avoiding network interruption after a single link failure, without modifying configuration information such as dynamic routing protocols or route discovery protocols.
Normal operation of a VRRP backup group depends on VRRP advertisement messages. The destination MAC (Media Access Control) address of a VRRP advertisement is a specific multicast address, which a layer-2 access switch broadcasts to the other routers. This broadcast mechanism, however, means that not only the network devices participating in VRRP (such as routers) receive the advertisement, but also every device connected to the switch that does not participate in VRRP, such as PCs (hosts). During normal operation of a VRRP backup group the volume of VRRP messages can be considerable, so this may waste a certain amount of bandwidth.
At the same time, on layer-2 Ethernet (at the access switch level), attacks on such a system by spoofing the gateway MAC address are fairly common. Fig. 3 shows a typical LAN: Router-1 and Router-2 run VRRP as one VRRP backup group, connected to ports port-1 and port-2 of the access switch respectively, and share the virtual IP address 10.1.1.3 and the virtual MAC address 0000-5e00-0101 to provide gateway service to users; the IP address of the access switch is 10.1.1.4. This VRRP backup group is the gateway device of the PCs, and any user who wants normal Internet access must set the PC's gateway to 10.1.1.3.
Still referring to Fig. 3, when the network topology is normal only one of the two routers in the VRRP backup group provides forwarding service, as the master device, while the other acts as the backup (slave) device. For example, Router-1 is the VRRP master and Router-2 is the VRRP backup, and Router-1 provides gateway service. The access switch should then learn the virtual MAC (virtual-MAC) on port port-1: when the switch looks up the Internet-bound packets sent by the PCs against this virtual-MAC, they are sent out of port-1 to Router-1 and forwarded by Router-1 to the Internet.
A system configured with VRRP nonetheless has some weaknesses. If a host acts as an attacker, for instance by using common packet-generation software on the PC or modifying the MAC address of its network card, it can make a port other than port-1, say port-3, learn the MAC address that belongs on port-1, namely 0000-5e00-0101. From then on, when the switch looks up the Internet-bound packets of all legitimate users against the virtual-MAC, they are sent out of the attacker's port-3 and never reach the Internet.
To prevent unauthorized spoofed MAC learning by an attacker, the prior art proposes enabling functions such as MAC authentication or 802.1x authentication on the access switch. Configuring MAC authentication requires obtaining the MAC addresses of all users and recording and configuring them one by one on the access switch; configuring 802.1x authentication requires installing an 802.1x client on every user's PC, and still requires obtaining every user's MAC address and binding it to the authentication user name. Configuring MAC authentication or 802.1x authentication is therefore relatively complicated to implement.
To prevent unauthorized spoofed MAC learning, the prior art also proposes configuring the gateway MAC statically on the access switch, that is, binding the MAC address to one port so that it cannot be modified dynamically; an attacker then cannot move that MAC address to another port by changing the MAC address presented on another port. Static configuration of the gateway MAC, however, only applies to a single uplink, that is, the case of a single port, where binding the MAC to that port still allows normal forwarding. In the dual-uplink or multi-uplink network environments in which VRRP is now widely used, several ports are involved, and because most switch chips and software implementations do not allow one MAC to be bound to several ports, static configuration of the gateway MAC cannot be realized.
Summary of the invention
The present invention provides a method and device for discovering network devices running VRRP in a directly connected subnet, which forwards VRRP messages purposefully and thereby reduces wasted bandwidth.
The present invention provides a method for discovering network devices running VRRP in a directly connected subnet, applied in a system comprising an access switch and at least one VRRP group, the method comprising the following steps:
the access switch receives and listens for the VRRP notification messages sent by the routers of each VRRP group, the notification messages carrying the VRRP router ID;
the access switch determines the members of each VRRP group and the ports they are connected to according to the port on which the notification message was received and the VRRP ID in the notification message;
the access switch ensures that the virtual MAC of a specific VRRP group is bound only to the ports connected to routers belonging to that VRRP group;
the access switch forwards messages between members of the same VRRP group through those ports;
wherein the access switch stores a table entry of the IDs of the routers belonging to the same VRRP group, and determining the members of each VRRP group and their ports according to the receiving port and the VRRP ID in the notification message specifically comprises:
the access switch determines which routers belong to the same VRRP group according to the VRRP ID received in the notification message and the table entry, and records the port on which the notification message of each router of that VRRP group was received.
Wherein the VRRP notification message is a VRA message, and before the access switch receives and listens for the VRRP notification messages sent by the routers of each VRRP group, the method further comprises:
the access switch broadcasts a VRS message to all VRRP routers to query the VRRP routers directly connected to it;
the VRRP router confirms that the VRS message is valid according to its checksum and destination IP address, and when at least one VRRP group on the port that received the VRS message is in master or backup state, the VRRP router sends a VRA message to the access switch.
Wherein, for IPv6, the VRRP router further needs to confirm that the VRS message is valid by checking that its source address is a link-local address.
Wherein the VRRP notification message is a VRA message, and determining the members of each VRRP group and their ports according to the receiving port and the VRRP ID in the notification message specifically comprises:
the access switch confirms that the VRA message is valid according to its checksum and destination IP address;
the access switch parses the VRRP Entry contents of the VRA message and maintains a port list for each VRRP group.
Wherein the VRRP notification message is a VRT message, and determining the members of each VRRP group and their ports according to the receiving port and the VRRP ID in the notification message specifically comprises:
the access switch confirms that the VRT message is valid according to its checksum and destination IP address;
the access switch parses the VRID contents of the VRT message and clears the state of the corresponding VRRP backup group on the port that received the VRT message.
The present invention provides an access switch, applied in a system comprising the access switch and at least one VRRP router, comprising:
a receiving module, for receiving and listening for the VRRP notification messages sent by the routers of each VRRP group, the notification messages carrying the VRRP router ID;
a processing module, connected to the receiving module, which stores a table entry of the IDs of the routers belonging to the same VRRP group and is used to determine which routers belong to the same VRRP group according to the VRRP ID received in the notification message and that table entry, to record the port on which each such router's notification message was received, and to forward messages between members of the same VRRP group through those ports;
a binding module, connected to the processing module, for ensuring that the virtual MAC of a specific VRRP group is bound only to the ports connected to routers belonging to that VRRP group.
Wherein the access switch further comprises:
a query module, for broadcasting a VRS message to all VRRP routers to query the VRRP routers directly connected to the access switch.
Wherein the VRRP notification message comprises a VRA message or a VRT message, and the access switch further comprises:
a checking module, connected to the receiving module and the processing module, which confirms that the VRA or VRT message is valid according to its checksum and destination IP address;
the processing module is specifically used to parse the VRRP Entry contents of the VRA message and maintain an interface list for each VRRP backup group, or to parse the VRID contents of the VRT message and clear the state of the corresponding VRRP backup group on the interface that received the VRT message.
The present invention provides a VRRP router, applied in a system comprising an access switch and at least one VRRP group, comprising:
a trigger module, for detecting the state of the local VRRP configuration or receiving a request message sent by the access switch;
a sending module, connected to the trigger module, for sending a VRRP notification message to the access switch when the trigger condition is met, informing the access switch of changes to the VRRP configuration, the notification message carrying the VRRP router ID.
Compared with the prior art, the present invention has the following advantages:
In the present invention the access switch receives and listens for the VRRP notification messages sent by the routers of each VRRP group, determines the members of each VRRP group and the ports they are connected to according to the receiving port and the VRRP ID in the message, and accordingly forwards messages between members of the same VRRP group only through those ports. This avoids broadcasting a group's VRRP messages to other routers, or to PCs (hosts) and other devices connected to the switch that do not participate in VRRP, thereby reducing wasted bandwidth.
Description of drawings
Fig. 1 is a schematic diagram of the prior art in which a host communicates through a default route whose next hop is the gateway;
Fig. 2 is a schematic diagram of the prior art in which a set of network devices is added to a backup group to form a virtual router;
Fig. 3 is a schematic diagram of a LAN in the prior art;
Fig. 4 is a flow chart of a method for discovering network devices running VRRP in a directly connected subnet according to the present invention;
Fig. 5 shows the structure of the VRS message in the present invention;
Fig. 6 shows the structure of the VRA message in the present invention;
Fig. 7 shows the structure of the VRRP Entry in the present invention;
Fig. 8 shows the structure of the VRT message in the present invention;
Fig. 9 is a schematic diagram of a network in the present invention in which the access switch cannot send VRS messages;
Fig. 10 is a structure diagram of an access switch in the present invention;
Fig. 11 is a structure diagram of a VRRP router in the present invention.
Embodiment
The core idea of the present invention is as follows: a network device running VRRP (for example a VRRP router) periodically sends VRA (VRRP Router Advertisement) messages to announce its own existence and changes to its VRRP configuration, or uses VRT (VRRP Router Terminate) messages to announce that the routers in some or all VRRP groups are no longer active. By receiving and listening for these VRA or VRT messages, the access switch determines the members of each VRRP group and the ports they are connected to according to the port on which the VRA or VRT was received and the VRRP ID it carries. When forwarding VRRP advertisements the switch then forwards them only between members of the same VRRP group, through the ports that connect the VRRP routers, so that unrelated devices do not receive VRRP messages.
In addition, since in the above scheme the access switch only passively listens for VRA messages and has no ability to probe actively, when the access switch reboots, an interface goes UP or DOWN, or the function defined by the present invention is (re-)enabled, the switch cannot promptly learn which VRRP routers are directly connected to it (it may have to wait up to one VRA advertisement period). The access switch can therefore query its directly connected VRRP routers by sending a VRS (VRRP Router Solicitation) message, to which the VRRP routers reply with VRA messages.
The present invention provides a method for discovering network devices running VRRP in a directly connected subnet, applied in a system comprising an access switch and at least one VRRP group; as shown in Fig. 4, the method comprises the following steps:
Step 401: the access switch receives and listens for the VRRP notification messages sent by the routers of the VRRP group. A VRRP group comprises a master VRRP router and at least one backup VRRP router; each VRRP router can send a VRRP notification message to the access switch, and the notification message carries the VRRP router ID.
Step 402: the access switch determines the members of each VRRP group and the ports they are connected to according to the port on which the notification message was received and the VRRP ID in the message, and forwards messages between members of the same VRRP group through those ports. Determining the members and ports specifically comprises: the access switch stores a table entry of the IDs of the routers belonging to the same VRRP group; according to the VRRP ID received in the notification message and that table entry, the access switch determines which routers belong to the same VRRP group and records the port on which each such router's notification message was received.
For example, a VRRP group comprises VRRP router A, which is the master, and VRRP router B, which is the backup. The access switch receives the notification message from VRRP router A on port 1 and the notification message from VRRP router B on port 2; the messages carry the IDs of router A and router B respectively, and by comparing the two IDs the access switch finds that they belong to the same VRRP group. It can therefore forward messages from VRRP router A arriving on port 1 to port 2, and messages from VRRP router B arriving on port 2 to port 1.
The VRRP message forwarding rule of the access switch is: when the access switch receives a VRRP advertisement, it first checks whether the corresponding VRRP group exists on the port on which the message was received; if not, it discards the message; if so, it forwards the message to the other ports on which that VRRP group exists.
In addition, once the access switch has obtained the distribution information of the VRRP routers, it can restrict the virtual-MAC of a specific VRRP group so that it can only be learned on interfaces connected to routers belonging to that VRRP group, which effectively prevents MAC address spoofing of the gateway. Specifically, the access switch ensures that the virtual MAC of a specific VRRP group can only be bound to ports connected to routers belonging to that VRRP group.
The MAC address learning rule of the access switch is: when the access switch is about to learn a virtual MAC corresponding to a VRRP group it knows, it must first determine whether that VRRP group exists on the port on which the MAC is about to be learned; if not, the MAC address is not learned; if so, MAC address learning proceeds normally.
Based on the above principles, the implementation of the method of the present invention for discovering network devices running VRRP in a directly connected subnet, in the scenario where the access switch is capable of sending VRS messages, is as follows:
1. The access switch periodically sends VRS messages, requesting the routers running VRRP to reply with the configuration of their VRRP backup groups and their interface connection status. The conditions under which a VRS message is sent include: an interface of the access switch is initialized or reinitialized, where initialization means the interface is shut down by unplugging its cable, or the interface is restarted by an operational command issued from the management platform of the access switch; or the function defined in the present invention is enabled on the interface.
The specific format of the VRS message is shown in Fig. 5: the source MAC of the VRS message is the MAC address of the interface sending it; the source IP address is the IP address of the sending interface, and for IPv6 (Internet Protocol version 6) a link-local address must be used (this limits the scope of the message so that it is only valid on the local link); the destination IP address is the all-VRRP-routers address (224.0.0.18 or FF02::12); the TTL / hop limit is 1; the IPv4 protocol type or IPv6 next header is 112 (0x70).
In Fig. 5 the VRS message comprises several fields: the Version field is 2 for IPv4 (Internet Protocol version 4) and 3 for IPv6.
Type is 2, indicating that this message is a VRS message.
Auth Type indicates the authentication type: 0 means no authentication, 1 means plaintext authentication and 2 means AH authentication. For IPv6 VRRP this field is 4 bits long and the following Reserved field is 12 bits long.
The Authentication Data field is valid only when Auth Type is 1, that is, when plaintext authentication is used, and carries the authentication string.
2. When a router running VRRP receives a VRS message, it first checks its validity: it verifies the checksum of the VRS message, ensuring the checksum is correct; it checks the destination IP address, ensuring it is correct; for IPv6 it also checks the source address, ensuring it is a link-local address. A VRS message that fails any of these checks is dropped.
3. If the VRS message passes the validity check, and at least one VRRP group on the interface that received the VRS message is in master or backup state, the master VRRP router among them responds with a VRA message. The conditions under which a VRA message is sent include: periodic sending, that is, the router sends VRA messages to the access switch at regular intervals; an interface is initialized or reinitialized; the configuration of a VRRP group on the interface changes; the state of a VRRP group on the interface changes (specifically, a transition between active and inactive); or the function defined here is enabled on the interface.
The structure of the VRA message is shown in Fig. 6: the source MAC of the VRA message is the MAC address of the interface sending it; the source IP address is the IP address of the sending interface, which for IPv6 must be a link-local address; the destination IP address is the all-VRRP-routers address (224.0.0.18 or FF02::12); the TTL / hop limit is 1; the IPv4 protocol type / IPv6 next header is 112 (0x70).
In Fig. 6 the VRA message comprises several fields: the Version field is 2 for IPv4 and 3 for IPv6.
Type is 3, indicating that this message is a VRA message.
The Count VRRP Entries field gives the number of VRRP Entries carried in this VRA message.
Auth Type indicates the authentication type: 0 means no authentication, 1 means plaintext authentication and 2 means AH authentication. For IPv6 VRRP this field is 4 bits long.
The Adver Int field gives the interval at which VRA messages are sent periodically; for IPv6 VRRP this field is 12 bits long. The interval varies with the particular circumstances.
The Authentication field is valid only when plaintext authentication is used, and carries the authentication string.
The VRRP Entry field carries the specific information of a VRRP group; the format of a VRRP Entry is shown in Fig. 7:
The VRRP Entry field itself comprises several sub-fields: Virtual Rtr ID is the ID of the VRRP backup group; Priority is the configured priority of the backup group; Adver Int is the sending interval of VRRP Advertisement messages, which varies with the particular circumstances; Count IP Addrs is the number of virtual IP addresses of this backup group; Virtual MAC is the virtual MAC corresponding to this backup group; IP Address is a virtual IP address of this backup group.
When the VRRP configuration on the interface of a VRRP router that connects to the access switch changes, the VRRP router must immediately send a VRA message on that interface to announce the changed configuration to the access switch.
Note that there is a special case: if some or all of the VRRP backup groups on the interface are deleted or moved to the Initialize state, the change must be announced by a VRT message and cannot be announced by a VRA message.
4. When the access switch receives a VRA message it must also check it, ensuring that the checksum is correct, that the destination IP address is correct and, for IPv6, that the source IP address is a link-local address. If the VRA message fails these checks, the access switch discards it.
5. After the VRA message passes the above checks, the access switch parses the VRRP Entry contents of the VRA message and, according to those contents, maintains an interface list and an interface timer for each VRRP backup group.
If, after an interface of the access switch receives a VRA message from a connected router of a VRRP group, no further VRA message for that VRRP group is received on that interface within the neighbour dead interval (3.5 times the VRA Adver Int), the access switch considers that the VRRP group no longer exists on that interface.
In the present invention a VRRP router can announce that some or all VRRP groups are no longer active by means of a VRT message. The format of the VRT message is shown in Fig. 8: the source MAC of the VRT message is the MAC address of the interface sending it; the source IP address is the IP address of the sending interface, which for IPv6 must be a link-local address; the destination IP address is the all-VRRP-routers address (224.0.0.18 or FF02::12); the TTL / hop limit is 1; the IPv4 protocol type / IPv6 next header is 112 (0x70).
In Fig. 8 the VRT message comprises several fields: the Version field is 2 for IPv4 and 3 for IPv6.
Type is 4, indicating that this message is a VRT message.
The Count Virtual Rtr field gives the number of VRIDs carried in this VRT message.
Auth Type indicates the authentication type: 0 means no authentication, 1 means plaintext authentication and 2 means AH authentication. For IPv6 VRRP this field is 4 bits long and the following Checksum field is 12 bits long.
The VRID1~n fields give the IDs of the routers in the VRRP backup groups that are no longer active.
The Authentication Data field is valid only when Auth Type is 1, that is, when plaintext authentication is used, and carries the authentication string.
The flow in which a VRRP router sends a VRT message to the access switch is quite similar to the VRS message flow between the access switch and the VRRP router. After the access switch receives a VRT message it must likewise check it, ensuring that the checksum is correct, that the destination IP address is correct and, for IPv6, that the source IP address is a link-local address. If the VRT message fails these checks, the access switch discards it.
After the VRT message passes the checks, the access switch parses the VRID contents of the VRT message and clears the state of the corresponding VRRP backup groups on the interface that received the VRT message.
Following the principle of Fig. 4, in the scenario where the access switch has no capability to send VRS messages, the concrete implementation of the method of the present invention for discovering network devices running VRRP in a directly connected subnet is as follows:
1. The VRRP router sends VRA messages. The definition of the VRA message (the fields it contains and their contents), its sending conditions, and so on are essentially the same as for the VRRP router sending VRA messages in the scenario where the access switch can send VRS messages, and are not repeated here.
2. The access switch checks the VRA message. The manner and principle of the check are essentially the same as in the scenario where the access switch can send VRS messages, and are not repeated here.
3. The access switch parses the VRRP Entry contents of the VRA message and, according to those contents, maintains an interface list and an interface timer for each VRRP backup group. If, after an interface of the access switch receives a VRA message from a connected router of a VRRP group, no further VRA message for that VRRP group is received on that interface within the neighbour dead interval (3.5 times the VRA Adver Int), the access switch considers that the VRRP group no longer exists on that interface.
Following the principle of the method of Fig. 4, the method is further described using the scenario where the access switch cannot send VRS messages as an example; the network is shown in Fig. 9. RT1 to RT4 are routers that support VRRP, LSW1 is an access switch, and PC1 is a user host. The network contains two VRRP backup groups, VRRP backup group 1 and VRRP backup group 2. VRRP backup group 1 comprises RT1 and RT2, which are connected to interfaces Port1 and Port2 of LSW1 respectively and receive or send VRA messages through them. The information of VRRP backup group 1 maintained on LSW1 is shown in Table 1:
Table 1:
VRID: 1
Interface: Port1, Port2
Virtual MAC address: 0000-5E00-0101
Assume RT1 is the master. RT1 sends a VRA message to LSW1, and LSW1 forwards this VRA message from RT1 through Port2 to RT2 in VRRP backup group 1; from this VRA message RT2 learns that RT1 is the master of VRRP backup group 1. Because the VRA message is broadcast only within VRRP backup group 1, other routers such as RT3 and RT4, which do not belong to VRRP backup group 1, do not receive it, which reduces the number of VRRP messages forwarded.
VRRP backup group 2 comprises RT3 and RT4, which are connected to interfaces Port3 and Port4 of LSW1 respectively and send VRA messages through them. The information of VRRP backup group 2 maintained on LSW1 is shown in Table 2:
Table 2:
VRID: 2
Interface: Port3, Port4
Virtual MAC address: 0000-5E00-0102
Assume RT3 is the master. RT3 sends a VRA message to LSW1, LSW1 forwards it through Port4 to RT4 in VRRP backup group 2, and from it RT4 learns that RT3 is the master of VRRP backup group 2.
If RT2, which is in VRRP backup group 1, needs to join VRRP backup group 2, RT2 first obtains the configuration of VRRP backup group 2 from a remote server (which may also be a network management device used to configure the backup-group information of the routers). RT2 then sends a VRA message to the access switch carrying two VRRP Entries, one for VRRP backup group 1 and one for backup group 2. LSW1 modifies the former Table 2 according to these two VRRP Entries, and the modified Table 2 becomes:
Table 3:
VRID: 2
Interface: Port2, Port3, Port4
Virtual MAC address: 0000-5E00-0102
When RT3 sends a VRA message to LSW1, LSW1 forwards it to RT2 and RT4 in VRRP backup group 2.
Likewise, when RT4 needs to modify its own configuration in VRRP backup group 2 (for example, its configured priority), RT4 sends a VRA message to LSW1 announcing that its VRRP configuration has changed, with the new value carried in the VRRP Entry, and LSW1 updates the entry of VRRP backup group 2 according to the modified VRRP Entry.
When RT4 needs to leave VRRP backup group 2, RT4 deletes its own configuration for VRRP backup group 2 or transitions the state of its backup group to the Initialize state, and sends a VRT message to LSW1 informing it that RT4 is leaving VRRP backup group 2. The entry of VRRP backup group 2 becomes as shown in Table 4:
Table 4:
VRID: 2
Interface: Port2, Port3
Virtual MAC address: 0000-5E00-0102
If PC1 is an attacker that constructs a VRA message with source MAC address 0000-5E00-0101 and sends it to LSW1, LSW1 checks the router interface information of VRRP backup group 1 and VRRP backup group 2 and finds that the interfaces in the interface list of VRRP backup group 1, which corresponds to MAC address 0000-5E00-0101, are Port1 and Port2 (Table 1) and do not include Port5; therefore LSW1 does not learn this MAC address on interface Port5.
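The access-switch table maintenance walked through above (Tables 1 to 4, the dead-interval timer of step 3, and the binding check that rejects PC1's forged VRA), as an added Python simulation that is not part of the patent; the class and function names, the 1 s Adver Int and the constructed messages are assumptions.

```python
from dataclasses import dataclass, field

DEAD_MULTIPLIER = 3.5          # neighbour dead interval = 3.5 x VRA Adver Int
VMAC_PREFIX = "0000-5E00-01"   # IPv4 VRRP virtual MAC: 00-00-5E-00-01-{VRID}


@dataclass
class BackupGroup:
    vrid: int
    vmac: str
    ports: dict = field(default_factory=dict)   # interface -> timer expiry


class VrrpGroupTable:
    def __init__(self):
        self.groups = {}

    def on_vra(self, port, entries, adver_int, now):
        # Each VRRP Entry in a VRA refreshes that group's timer on the port.
        for vrid in entries:
            g = self.groups.setdefault(
                vrid, BackupGroup(vrid, f"{VMAC_PREFIX}{vrid:02X}"))
            g.ports[port] = now + DEAD_MULTIPLIER * adver_int

    def on_vrt(self, port, vrid):
        # A VRT message clears the sender's interface from the named group.
        g = self.groups.get(vrid)
        if g is not None:
            g.ports.pop(port, None)

    def expire(self, now):
        # Interfaces whose timer passed the dead interval leave the group.
        for g in self.groups.values():
            for port in [p for p, t in g.ports.items() if t <= now]:
                del g.ports[port]

    def members(self, vrid):
        return sorted(self.groups[vrid].ports) if vrid in self.groups else []

    def forward_ports(self, in_port, vrid):
        # Relay a group's VRA only to the other members of that group.
        return [p for p in self.members(vrid) if p != in_port]

    def may_learn_vmac(self, src_mac, port):
        # Binding check: a virtual MAC is learned only on a port of its group.
        for g in self.groups.values():
            if g.vmac.lower() == src_mac.lower():
                return port in g.ports
        return False


def run_fig9_scenario():
    """Replays the Fig. 9 walk-through with constructed messages (Adver Int 1 s)."""
    t = VrrpGroupTable()
    r = {}
    t.on_vra("Port1", [1], 1.0, now=0.0)      # RT1, VRRP backup group 1
    t.on_vra("Port2", [1], 1.0, now=0.0)      # RT2
    t.on_vra("Port3", [2], 1.0, now=0.0)      # RT3, VRRP backup group 2
    t.on_vra("Port4", [2], 1.0, now=0.0)      # RT4
    r["table1"] = t.members(1)
    r["table2"] = t.members(2)
    r["rt1_vra_relay"] = t.forward_ports("Port1", 1)   # Port2 only, not RT3/RT4
    t.on_vra("Port2", [1, 2], 1.0, now=1.0)   # RT2 joins group 2: two Entries
    r["table3"] = t.members(2)
    t.on_vrt("Port4", 2)                      # RT4 leaves group 2
    r["table4"] = t.members(2)
    r["spoof_on_port5"] = t.may_learn_vmac("0000-5E00-0101", "Port5")  # PC1 forgery
    r["rt1_on_port1"] = t.may_learn_vmac("0000-5E00-0101", "Port1")
    t.on_vra("Port1", [1], 1.0, now=2.0)      # only RT1 keeps advertising
    t.expire(now=4.5)                         # RT2's timer (1.0 + 3.5) runs out
    r["group1_after_dead_interval"] = t.members(1)
    return r
```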
In the scenario where the access switch has the ability to send VRS messages, the only addition compared with the scenario above is the step in which the access switch actively sends VRS messages. Taking the network of Fig. 9 as an example again: when, for some reason, the VRRP backup group entries of the present invention on LSW1 are disabled and then enabled again, LSW1 immediately sends a VRS message to the routers through all interfaces; after receiving it, every VRRP router constructs a VRA message according to its local VRRP configuration and responds; and LSW1 configures the corresponding VRRP backup group entries according to the VRA messages it receives. The rest of the implementation is essentially the same as described for the scenario above and is not repeated here.
The invention provides an access switch, applied in a system comprising the access switch and at least one VRRP router, as shown in Fig. 10, comprising:
A receiver module 1010, used to receive and intercept the VRRP notification message sent by the router of each VRRP group, the notification message carrying the ID of the VRRP router. The VRRP notification message may be a VRA message or a VRT message from the VRRP router: a VRA message declares the existence of the router and changes of its VRRP configuration, and a VRT message announces that the router in some or all VRRP groups is no longer active.
A processing module 1020, connected to the receiver module 1010, used to determine the members of each VRRP group and the connected ports according to the port that received the notification message and the VRRP ID in the notification message, and to forward messages between members belonging to the same VRRP group through those ports.
A binding module 1030, connected to the processing module 1020, used to ensure that the virtual MAC of a specific VRRP group can be bound only to the ports that connect the routers belonging to that VRRP group.
An enquiry module 1040, used to broadcast a VRS message to all VRRP routers to query the VRRP routers directly connected to the access switch. The enquiry module 1040 queries the VRRP routers directly connected to the access switch by consulting the VRRP backup group list maintained by the access switch.
An inspection module 1050, connected to the receiver module 1010 and the processing module 1020, which confirms that the VRA or VRT message is legitimate according to its checksum and destination IP address. After the access switch receives a VRA message, it must also verify it; verification ensures that the checksum is correct and the destination IP address is correct.
The processing module 1020 is specifically used to parse the VRRP Entry content in the VRA message and maintain an interface list for each VRRP backup group; or to parse the VRID in the VRT message and clear the state of the VRRP backup group corresponding to the interface that received the VRT message. For different VRRP backup groups, a maintenance module 1060 maintains one interface list per VRRP backup group.
The invention also provides a VRRP router, applied in a system comprising an access switch and at least one VRRP group, as shown in Fig. 11, comprising:
A trigger module 1110, used to detect the state of the local VRRP configuration or to receive a request message sent by the access switch; the request message sent by the access switch is a VRS message.
A sending module 1120, connected to the trigger module 1110, used to send a VRRP notification message to the access switch when the trigger condition is met, notifying the access switch of a change in the VRRP configuration, the notification message carrying the ID of the VRRP router. The VRRP notification message may be a VRA message or a VRT message from the VRRP router: a VRA message declares the existence of the router and changes of its VRRP configuration, and a VRT message announces that the router in some or all VRRP groups is no longer active.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention can be embodied as a software product stored in a non-volatile storage medium (such as a CD-ROM, USB flash disk or portable hard drive) containing instructions that cause a computer device (such as a personal computer, server or network device) to carry out the method described in each embodiment of the present invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be distributed in the device as described in the embodiment, or can be modified accordingly and placed in one or more devices different from that of the embodiment. The modules of the above embodiment can be merged into one module or further split into multiple sub-modules.
The sequence numbers of the above embodiments of the invention are for description only and do not indicate the merit of the embodiments.
The above discloses only several specific embodiments of the present invention, but the present invention is not limited to them; any variation that those skilled in the art can conceive should fall within the protection scope of the present invention.

Claims (8)

1. A method for discovering operating Virtual Router Redundancy Protocol (VRRP) network equipment in a directly connected subnet, applied in a system comprising an access switch and at least one VRRP group, characterized in that the method comprises the following steps:
the access switch receives and intercepts the VRRP notification message sent by the router of each VRRP group, the notification message carrying the ID of the VRRP router;
the access switch determines the members of each VRRP group and the connected ports according to the port that received the notification message and the VRRP ID in the notification message;
the access switch controls the virtual MAC of a specific VRRP group to be bound to the ports that connect the routers belonging to that VRRP group;
the access switch forwards messages between members belonging to the same VRRP group through those ports;
wherein the access switch stores an entry of the IDs of the routers belonging to the same VRRP group, and determining the members of each VRRP group and the connected ports according to the port that received the notification message and the VRRP ID in the notification message specifically comprises:
the access switch determines the routers belonging to the same VRRP group according to the VRRP ID received in the notification message and the entry, and records the ports on which the notification messages of the routers of that VRRP group were received.
2. the method for claim 1; It is characterized in that; Said VRRP notice message is a Virtual Router Redundancy Protocol advertising of route VRA message, and said access switch receives and intercept the VRRP notice message of the router transmission of each VRRP group, also comprises before:
Said access switch is inquired about and the direct-connected VRRP router of said access switch to all VRRP router broadcast Virtual Router Redundancy Protocol route requests VRS message;
Said VRRP router according to verification with and the said VRS message of purpose IP Address Confirmation legal, and receive have at least on the port of VRS message a VRRP group be in main with or during Status of Backups, said VRRP router sends VRA message to said access switch.
3. method as claimed in claim 2 is characterized in that, for IPv6, said VRRP router need be that link local address confirms that VRS message is legal according to source address also.
4. the method for claim 1; It is characterized in that; Said VRRP notice message is a VRA message, and said access switch is confirmed the member of each VRRP group and the port of connection according to port that receives said notice message and the VRRP ID in the said notice message, specifically comprises:
Said access switch according to verification with and the said VRA message of purpose IP Address Confirmation legal;
Said access switch is resolved the content of VRRP Entry in the said VRA message, is each VRRP group maintenance port tabulation.
5. the method for claim 1; It is characterized in that; Said VRRP notice message is Virtual Router Redundancy Protocol route termination VRT message; Said access switch is confirmed the member of each VRRP group and the port of connection according to port that receives said notice message and the VRRP ID in the said notice message, specifically comprises:
Said access switch according to verification with and the said VRT message of purpose IP Address Confirmation legal;
Said access switch is resolved the content of VRID in the VRT message, and the state of the corresponding VRRP backup group of the port of receiving said VRT message is removed.
6. An access switch, applied in a system comprising the access switch and at least one VRRP router, characterized in that it comprises:
a receiver module, used to receive and intercept the VRRP notification message sent by the router of each VRRP group, the notification message carrying the ID of the VRRP router;
a processing module, connected to the receiver module, which stores an entry of the IDs of the routers belonging to the same VRRP group and is used to determine the routers belonging to the same VRRP group according to the VRRP ID received in the notification message and the entry, to record the ports on which the notification messages of the routers of that VRRP group were received, and to forward messages between members belonging to the same VRRP group through those ports;
a binding module, connected to the processing module, used to control the virtual MAC of a specific VRRP group to be bound to the ports that connect the routers belonging to that VRRP group.
7. The access switch of claim 6, characterized in that it further comprises:
an enquiry module, used to broadcast a VRS message to all VRRP routers to query the VRRP routers directly connected to the access switch.
8. The access switch of claim 6, characterized in that the VRRP notification message comprises a VRA message or a VRT message, and the access switch further comprises:
an inspection module, connected to the receiver module and the processing module, which confirms that the VRA message or VRT message is legitimate according to its checksum and destination IP address;
the processing module is specifically used to parse the VRRP Entry content in the VRA message and maintain an interface list for each VRRP backup group, or to parse the VRID in the VRT message and clear the state of the VRRP backup group corresponding to the interface that received the VRT message.
Application CN2009101481525A, priority date and filing date 2009-06-23: Method for finding operating VRRP network equipment in directly connected network segment and device thereof; granted as CN101572675B; legal status Expired - Fee Related.

Publications (2)

CN101572675A, published 2009-11-04
CN101572675B (granted), published 2012-01-04
Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Grant of patent or utility model
CP03: Change of name, title or address. Patentee before: Huasan Communication Technology Co., Ltd. (310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base). Patentee after: Xinhua three Technology Co., Ltd. (310052 Binjiang District Changhe Road, Zhejiang, China, No. 466).
CF01: Termination of patent right due to non-payment of annual fee. Granted publication date: 2012-01-04. Termination date: 2020-06-23.