CN102480485B - System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) - Google Patents
System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) Download PDFInfo
- Publication number
- CN102480485B CN102480485B CN201010574627.XA CN201010574627A CN102480485B CN 102480485 B CN102480485 B CN 102480485B CN 201010574627 A CN201010574627 A CN 201010574627A CN 102480485 B CN102480485 B CN 102480485B
- Authority
- CN
- China
- Prior art keywords
- vlan
- port
- flow
- check
- auxiliary
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a system for realizing cross-device isolation of ports in a same VLAN (virtual local area network), and the system can enable flow rate to succeed in ingress VLAN-Check in an auxiliary VLAN and fail in egress VLAN-Check by enabling each Switch to respectively set the PVIDs (port VLAN identifiers), the VLAN allowed to pass and a flow rate passing way of various ports, comprising an uplink port, a cascade port and an isolation port, of each Switch, setting to enable learning MAC (media access control) addresses in the auxiliary VLAN and a main VLAN to perform mutual reproduction and setting the isolation ports of the auxiliary VLAN and the main VLAN so as to enable the flow rate-related Switches to select the combination of the settings against the different flow rates, and isolate the flow rate among all Hosts in the auxiliary VLAN. The invention simultaneously discloses a method and a switching device for realizing cross-device isolation of ports in a same VLAN. Two-layer cross-Switch device isolation of the ports in the same VLAN can be realized under the situation of using a small number of VLAN resources by applying the system, the method and the switching device for realizing the cross-device isolation of the ports in the same VLAN.
Description
Technical field
The present invention relates to isolation technology field, particularly a kind of system, method and switching equipment of realizing same VLAN inner port striding equipment isolation.
Background technology
Growing along with network, also more and more higher to the requirement of network security, therefore, in actual network design, for strengthen flow safe, as the safety of information or network avoid the impact etc. of irrelevant flow, need to carry out two layers of isolation to certain port.Referring to Fig. 1, switch (Switch) A and SwitchB belong to the VRRP backup group that virtual ip address is 202.38.160.111/24 (the Switch is here the three-tier switch with routing function), on Switch A, Switch B, create respectively VLAN20 and VLAN40, configuration Ethernet1/0/1 is uplink port, Ethernet1/0/2~Ethernet1/0/5 is downlink port, and port Ethernet 1/0/2 and port Ethernet 1/0/3 belong to VLAN20, port Ethernet 1/0/4 and port Ethernet 1/0/5 belong to VLAN40; In the time that Switch A normally works, message when user accesses Internet forwards by Switch A, and in the time that the up link of Switch A breaks down, message when user accesses Internet forwards by Switch B.Now require: two layers of isolation between the user in VLAN20, comprise on Switch A that the user in VLAN20 is with isolating between the user in VLAN20 on Switch B; Between user in VLAN40, can meet double layer intercommunication.
At present, can be by the downlink port Ethernet1/0/2 in VLAN20 on Switch A being configured to dedicated vlan edge (PVE) port, uplink port Ethernet1/0/1 on Switch A is configured to Uplink port, and then according in PVE scheme " message that PVE port is received only unconditionally forwards to the Uplink port instructing, and does not forward to other non-Uplink; The message that Uplink port enters can forward all other ports according to normal forwarding process " thought, realize two layers of isolation between downlink port in the upper VLAN20 of SwitchA; Similarly, also need to carry out to configure like same Switch category-A at Switch B.
As can be seen from the above analysis, although adopt the setting of PVE scheme can realize two layers of isolation of port, but the PVE port only configuring on same switch could be realized mutual two layer message isolation; And in same VLAN, between the PVE port between different switches, can not realize isolation.
For this reason, can retain the configuration that uses above-mentioned port isolation group, but by the VLAN20 on Switch B change the VLAN different from VLAN20 on Switch A into, as VLAN200, on the basis arranging in PVE scheme, need the port that carries out two layers of isolation to add different VLAN by before different switches, utilize the isolation characteristic of VLAN to reach the object of isolating between the PVE port of different switches.Although can realize like this isolation of two layer message between the PVE port configuring on different switches, but, need to take more VLAN resource, and the symmetrical Switch A disposing and the configuration of Switch B can not be unified.
Summary of the invention
In view of this, the invention provides a kind of system that realizes same VLAN inner port striding equipment isolation, can, in the situation that using a small amount of VLAN resource, realize two layers of isolation of same VLAN inner port switch-spanning equipment.
The present invention also provides a kind of method and switching equipment of realizing same VLAN inner port striding equipment isolation, can, in the situation that using a small amount of VLAN resource, realize two layers of isolation of same VLAN inner port switch-spanning equipment.
In order to achieve the above object, the technical scheme that the present invention proposes is:
A kind of system that realizes same VLAN inner port striding equipment isolation, this system comprises: server S erver, router Router, the plural switch Switch and the client Host that are connected by cascade port Trunk Port, wherein, some Switch are connected with the downlink port of the Router in same primary vlan by the uplink port of self, each Switch is connected with the multiple Host in same auxiliary vlan by self different isolated port respectively
The downlink port of Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow; The MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object; Each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure,,
For different flows, Switch selects the combination of above-mentioned setting, makes to isolate between all Host of flow in auxiliary vlan.
The downlink port of described Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and comprise by the form setting of flow:
The PVID that Router arranges the downlink port of self is primary vlan, allow primary vlan by and be untagged;
The PVID that the Switch being connected with Router arranges the uplink port of self is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Each Switch arrange Trunk Port allow primary vlan and auxiliary vlan by and be tagged;
The PVID that each Switch arranges isolated port is auxiliary vlan, allow primary vlan and auxiliary vlan by and be untagged.
Described each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN and check that egress VLAN-Check unsuccessfully comprises:
Isolated port is added entering in vlan port list ingressVLAN-Port List of auxiliary vlan by described each Switch, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure
Or, described each Switch by isolated port enable check that into VLAN ingress VLAN-CheckEnable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egressVLAN-Check failure in auxiliary vlan.
Described for different flows, Switch selects the combination of above-mentioned setting, makes to isolate and comprise between all Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egressVLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and the Trunk Port of the Switch being connected with Router: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other Switch, Trunk Port ingress VLAN-Check success on other Switch, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: for Router to the descending known unicast flow in the Host of the Switch being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives Host with untagged form; For Router to the descending known unicast flow in the Host of the Switch not being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives the Switch not being connected with Router with primary vlan tagged, on the Switch not being connected with Router, in primary vlan, ingress VLAN-Check success, matches after the MAC address entries of Host, egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, up known unicast flow for the Host in the Switch being connected with Router to Router, on the Switch being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged, up known unicast flow for the Host in the Switch not being connected with Router to Router, on the Switch not being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives the Switch being connected with Router with auxiliary vlan tagged, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged,
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives another Switch, on another Switch, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
Realize a method for same VLAN inner port striding equipment isolation, be applied in the system that realizes same VLAN inner port striding equipment isolation, the method comprises:
The downlink port of Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, cascade port Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow; The MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object; Each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingressVLAN-Check success, go out VLAN inspection egress VLAN-Check failure,,
For different flows, Switch selects the combination of above-mentioned setting, makes to isolate between the Host of flow in auxiliary vlan.
The downlink port of described Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and comprise by the form setting of flow:
The PVID that Router arranges the downlink port of self is primary vlan, allow primary vlan by and be untagged;
The PVID that the Switch being connected with Router arranges the uplink port of self is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Each Switch arrange Trunk Port allow primary vlan and auxiliary vlan by and be tagged;
The PVID that each Switch arranges isolated port is auxiliary vlan, allow primary vlan and auxiliary vlan by and be untagged.
Described each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN and check that egress VLAN-Check unsuccessfully comprises:
Isolated port is added entering in vlan port list ingressVLAN-Port List of auxiliary vlan by described each Switch, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure
Or, described each Switch by isolated port enable check that into VLAN ingress VLAN-CheckEnable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egressVLAN-Check failure in auxiliary vlan.
Described for different flows, Switch selects the combination of above-mentioned setting, makes to isolate and comprise between all Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egressVLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and the Trunk Port of the Switch being connected with Router: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other Switch, Trunk Port ingress VLAN-Check success on other Switch, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: for Router to the descending known unicast flow in the Host of the Switch being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives Host with untagged form; For Router to the descending known unicast flow in the Host of the Switch not being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives the Switch not being connected with Router with primary vlan tagged, on the Switch not being connected with Router, in primary vlan, ingress VLAN-Check success, matches after the MAC address entries of Host, egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, up known unicast flow for the Host in the Switch being connected with Router to Router, on the Switch being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged, up known unicast flow for the Host in the Switch not being connected with Router to Router, on the Switch not being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives the Switch being connected with Router with auxiliary vlan tagged, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged,
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives another Switch, on another Switch, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
A switching equipment of realizing same VLAN inner port striding equipment isolation, this switching equipment comprises: port arranges module, MAC replication module, filtering module and forwarding module, wherein,
Described port arranges module, for the PVID to uplink port, cascade port Trunk Port and isolated port, allow the VLAN that passes through and arrange by the form of flow;
Described MAC replication module, copies mutually for the MAC Address that auxiliary vlan and primary vlan learning are set, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object;
Described filtering module, for isolated port is set, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure;
Described forwarding module, for the flow for different, selects described port that the combination arranging in module, MAC replication module and filtering module is set, and makes to isolate between the Host of flow in auxiliary vlan.
Described the PVID to uplink port, Trunk Port and isolated port in module is set, allows the VLAN that passes through and comprise by the form setting of flow:
The PVID that uplink port is set is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Arrange Trunk Port allow primary vlan and auxiliary vlan by and be all tagged;
The PVID that isolated port is set is auxiliary vlan, allow primary vlan and auxiliary vlan by and be all untagged.
In described filtering module, isolated port is set, ingressVLAN-Check success, the egress VLAN-Check of flow in auxiliary vlan is unsuccessfully comprised:
Isolated port is added to entering in vlan port list ingress VLAN-Port List of auxiliary vlan, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make its failure of egressVLAN-Check at auxiliary vlan
Or, by isolated port enable check that into VLAN ingress VLAN-Check Enable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-CheckEnable switch open, making its egress VLAN-Check failure in auxiliary vlan.
In described forwarding module, for different flows, select described port that the combination arranging in module, MAC replication module and filtering module is set, make to isolate and comprise between the Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in auxiliary vlan, propagate always, the ingress VLAN-Check of each port and egressVLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and Trunk Port: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egressVLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egressVLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other switching equipment, Trunk Port ingress VLAN-Check success on other switching equipment, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egressVLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, flow arrives Host with untagged form; Or, in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egressVLAN-Check success, flow arrives other switching equipment with primary vlan tagged, on other switching equipment, in primary vlan, ingress VLAN-Check success, match the MAC address entries on other switching equipment, egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, in auxiliary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, and flow arrives Router with untagged; Or, on other switching equipment, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries on other switching equipment, egress VLAN-Check success, after flow arrives with auxiliary vlan tagged, in auxiliary vlan, ingress VLAN-Check success, match after MAC address entries, egress VLAN-Check success, flow arrives Router with untagged;
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives other switching equipment, on other switching equipment, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
In sum, the system that realizes same VLAN inner port striding equipment isolation of the present invention, by respectively each port of self (being comprised to uplink port by each switch, Trunk Port and isolated port) PVID, the VLAN that permission is passed through, and arrange by the form of flow, and the MAC Address that auxiliary vlan and primary vlan learning are set copies mutually, and the isolated port that self is set makes the ingress VLAN-Check success of flow in auxiliary vlan, egressVLAN-Check failure, thereby for different flows, switch can be selected the combination of above-mentioned each setting, make to isolate between all Host of flow in auxiliary vlan.Therefore, the present invention program can, in the situation that using minimum VLAN resource (only having used two kinds of VLAN of auxiliary vlan and primary vlan), realize two layers of isolation between port switch-spanning equipment.
Brief description of the drawings
Fig. 1 is the networking schematic diagram of existing network;
Fig. 2 is the structural representation of the same VLAN inner port of the present invention striding equipment shielding system embodiment;
Fig. 3 is that the present invention realizes the workflow diagram of same VLAN inner port across partition method embodiment;
Fig. 4 is the structural representation of switching equipment of the present invention.
Embodiment
In order to solve problems of the prior art, the invention provides a kind of system that realizes same VLAN inner port striding equipment isolation, by respectively each port of self (being comprised to uplink port by each switch, Trunk Port and isolated port) PVID, the VLAN that permission is passed through, and arrange by the form of flow, and the MAC Address that auxiliary vlan and primary vlan learning are set copies mutually, and the isolated port that self is set makes the ingressVLAN-Check success of flow in auxiliary vlan, egress VLAN-Check failure, thereby for different flows, switch can be selected the combination of above-mentioned each setting, make to isolate between all Host of flow in auxiliary vlan.
Based on above-mentioned introduction, the specific implementation of scheme of the present invention comprises:
The downlink port of Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow; The MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object; Each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure,,
For different flows, Switch selects the combination of above-mentioned setting, makes to isolate between all Host of flow in auxiliary vlan.
For making the object, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with the accompanying drawings and the specific embodiments.
The structural representation of same VLAN inner port striding equipment shielding system shown in Figure 2, as shown in Figure 2, this system comprises: server (Server), router (Router)-A, (the present embodiment illustrates as an example of two Switch example multiple Switch such as Switch A and Switch B connected by cascade port (Trunk Port), the Switch here only has function of exchange, do not there is routing function, routing function is completed by Router, the situation that multiple Switch exist roughly the same, repeat no more), and client (Host) 1, multiple clients such as Host2.Wherein, Switch A (is that Switch A is connected with Router-A rs Port2 by Port1 by the uplink port of self with being connected in the Router-A rs downlink port of same primary vlan (being VLAN2 here), here also can connect with Router-B for Switch B or other any one Switch, the present embodiment is only connected to example explanation with Switch A with Router-A), Switch A (is the downlink port of Switch A by the isolated port of self respectively, because the present embodiment is two layers of isolation that realize between downlink port, therefore downlink port is called to isolated port) Port11, Port12 and Port13 and the Host1 in same auxiliary vlan (being VLAN20 here), Host2 is connected with Host3, Switch B is respectively by the isolated port Port21 of self, Port22 and Port23 and the Host4 in same auxiliary vlan (being VLAN20 here), Host5 is connected with Host6.
In the present embodiment, require can in VLAN20, realize two layers of isolation between Host1~Host6, but can in VLAN2, carry out flow intercommunication by Port1 and Router-A, and can by Router-A, gateway and Server carry out three layer intercommunications by default, for this reason, need to arrange as follows in advance:
1, the PVID of port Port2 is set is VLAN2 to Router-A, allows VLAN2 to pass through, and is untagged; The PVID that Switch A arranges port Port1 is VLAN2, allows VLAN2 and VLAN20 to pass through, and is all untagged; Switch A and Switch B arrange respectively Trunk Port and allow VLAN2 and VLAN20 to pass through, and are all tagged; The PVID that port Port11~Port13, Port21~Port23 are set is respectively VLAN20, allows VLAN2 and VLAN20 to pass through, and is all untagged.
2, Switch A and Switch B arrange respectively the MAC Address of VLAN2 learning, copy portion in VLAN20, and the MAC Address of VLAN20 learning copies a in VLAN2; And the MAC Address (being the MAC Address of Host1~Host6) of learning for isolated port in VLAN20 (being port Port11~Port13 and Port21~Port23), amendment object coupling is moved for object abandons or destination interface is revised as to dead end mouth, so that the two laminar flow amounts of mating Host1~Host6 in VLAN20 are abandoned.
3, Switch A and Switch B arrange respectively Port11~Port13 and Port21~Port23 in VLAN20 enter VLAN check (ingress VLAN-Check) by, go out VLAN and check (egressVLAN-Check) failure, to make Port11~Port13 and Port21~Port23 in VLAN20 not have outflow, reach the object of Port11~Port13 and Port21~Port23 two layers of isolation in VLAN20.
It should be noted that, in the present embodiment, can realize Port11~Port13 and the ingress VLAN-Check of Port21~Port23 in VLAN20 by the function of, egress VLAN-Check failure with VLAN strobe utility 1 and 2 two kinds of strobe utilities of VLAN strobe utility.In the time using VLAN strobe utility 1, Port11~Port13 and Port21~Port23 need to be added to entering in vlan port list (ingress VLAN-Port List) of VLAN20, its ingress VLAN-Check in VLAN20 is passed through, and Port11~Port13 and Port21~Port23 are deleted from going out vlan port list (egress VLAN-Port List) of VLAN20, make its egress VLAN-Check failure in VLAN20; In the time using VLAN strobe utility 2, need to by Port11~Port13 and Port21~Port23 enable into VLAN check (ingress VLAN-Check Enable) switch close, its ingress VLAN-Check in VLAN20 is passed through, by Port11~Port13 with Port21~Port23 deletes from the VLAN-Port List of VLAN20 and the VLAN that enables out of Port11~Port13 and Port21~Port23 is checked to (egress VLAN-Check Enable) switch open, make its egressVLAN-Check in VLAN20 failure.
After completing above-mentioned setting, for different flows, different Switch selects the combination (can be a few kinds of combinations that arrange) of above-mentioned setting, makes between all Host of flow in auxiliary vlan to isolate, and below different flows is carried out to concrete analysis:
1, in VLAN2, send the flow of untagged for downlink broadcast, descending unknown unicast and descending flux of multicast: Router-A, in VLAN2, propagate always, each port (Port11, Port12, ..., Port23, Trunk Port) ingress VLAN-Check and egress VLAN-Check all pass through, flow arrives one or more in Host1~Host6 with untagged form.
2, for up broadcast, up unknown unicast and uplink multicast flow (sending flow as example explanation taking Host1): Host1 sends the flow of untagged, arrive the isolated port Port11 of Switch-A, on the Port11 of Switch-A, (isolated port Port11 is in the ingressVLAN-Port of VLAN20 List in ingress VLAN-Check success, or isolated port Port11 ingress VLAN-Check switch cuts out), and be flagged as VLAN20, and then be broadcast to respectively the Port1 of Switch-A, the Port12 of Switch-A and Port13, and the Trunk Port of Switch-A and Switch-B, its concrete flow direction is respectively:
In the time that flow is broadcast to the Port1 of Switch-A: because Port1 allows VLAN20, and be untagged, so sent to Router-A rs Port2 with the form of untagged, be flagged as VLAN2;
In the time that flow is broadcast to the Port12 of Switch-A and Port13: because of Port12 and Port13 in VLAN20 egress VLAN-Check failure (port Port12 and Port13 be not in the egress of VLAN20 VLAN-Port List, or port Port12 and Port13 enable egress VLAN-Check switch, but not in the VLAN-Port of VLAN20 List), therefore flow is dropped;
In the time that flow is broadcast to the Trunk Port of Switch-A and Switch-B: egress VLAN-Check success, and the tagged message transmissions with VLAN20 arrives Switch-B, Trunk Portingress VLAN-Check success on Switch-B, be marked as after VLAN20, continue to be broadcast to the Port21 in VLAN20, in Port22 and Port23, similarly, because of Port21, Port22 and Port23 be egress VLAN-Check failure in VLAN20, and therefore flow is dropped.
3,, for descending known unicast flow: the MAC Address of supposing Server, Host1 and Host4 is respectively MAC-R, MAC-1 and MAC-4, because the MAC Address of VLAN2 and VLAN20 learning copies mutually, on Switch-A, have following MAC address entries:
MAC-R+VLAN2+Port1;
MAC-R+VLAN20+Port1 (copying the MAC-R of VLAN2 learning);
MAC-1+VLAN20+CMD-DROP/NULL-PORT (MAC Address that in VLAN20, isolated port is learnt, the coupling action of amendment object abandons or destination interface is revised as to dead end mouth for object);
MAC-1+VLAN2+Port11 (copying the MAC-1 of VLAN20 learning);
MAC-4+VLAN20+TrunkPort;
MAC-4+VLAN2+TrunkPort (copying the MAC-4 of VLAN20 learning).
Similarly, on Switch-B, have following MAC address entries:
MAC-R+VLAN2+TrunkPort;
MAC-R+VLAN20+TrunkPort (copying the MAC-R of VLAN2 learning);
MAC-1+VLAN20+TrunkPort;
MAC-1+VLAN2+TrunkPort (copying the MAC-1 of VLAN20 learning);
MAC-4+VLAN20+CMD-DROP/NULL-PORT (MAC Address that in VLAN20, isolated port is learnt, the coupling action of amendment object abandons or destination interface is revised as to dead end mouth for object);
MAC-4+VLAN2+Port21 (copying the MAC-4 of VLAN20 learning).
Descending known unicast flow for Router-A to Host1: on Switch-A, in VLAN2, because port Port1 is in the ingress of VLAN2 VLAN-Port List, or, port Port1 enables ingress VLAN-Check, and port Port1 is in the VLAN-Port of VLAN2 List, and ingress VLAN-Check is successful; Match after the MAC-1+VLAN2+Port11 on Switch-A, determining port is Port11, goes out VLAN and remains after VLAN2; Because port Port11 is in the egress of VLAN2 VLAN-Port List, or port Port11 has enabled egress VLAN-Check, and port Port11 is in the VLAN-Port of VLAN2 List, egress VLAN-Check success, arrives Host1 with untagged flow;
Descending known unicast flow for Router-A to Host4: on Switch-A, in VLAN2, because port Port1 is in the ingress of VLAN2 VLAN-Port List, or, port Port1 enables ingressVLAN-Check, and port Port1 is in the VLAN-Port of VLAN2 List, and ingress VLAN-Check is successful; Match after the MAC-4+VLAN2+TrunkPort on Switch-A, determining port is TrunkPort, goes out VLAN and keeps after VLAN2; Because port TrunkPort is in the egress of VLAN2 VLAN-PortList, or, TrunkPort has enabled egress VLAN-Check, and TrunkPort is in the VLAN-Port of VLAN2 List, egress VLAN-Check success, flow arrives Switch-B with the form of VLAN2 tagged; On Switch-B, in VLAN2, because TrunkPort is in the ingressVLAN-Port of VLAN2 List, or, TrunkPort enables ingress VLAN-Check, and TrunkPort is in the VLAN-Port of VLAN2 List, ingress VLAN-Check success; Match after the MAC-4+VLAN2+Port21 on Switch-B, determining port is Port21, goes out VLAN and keeps after VLAN2; Because Port21 is in the egress of VLAN2 VLAN-Port List, or Port21 enables egressVLAN-Check, and Port21 is in the VLAN-Port of VLAN2 List, egressVLAN-Check success, and flow arrives Host4 with the form of untagged.
4, for up known unicast flow: the same with descending known unicast flow, the MAC Address of supposing Router-A, Host1 and Host4 is respectively MAC-R, MAC-1 and MAC-4, on Switch-A and Switch-B, also have MAC address entries as above, repeat no more here.
Arrive the up known unicast flow of Router-A rs for Host1: on Switch-A, in VLAN20, because Port11 is in the ingress of VLAN20 VLAN-Port List, or, Port11 does not enable ingress VLAN-Check, and Port11 is not in the VLAN-Port of VLAN20 List, and ingressVLAN-Check is successful; Match after the MAC-R+VLAN20+Port1 on Switch-A, determining port is Port1, goes out VLAN and keeps VLAN20; Due to Port1 in the egressVLAN-Port of VLAN20 List or, Port1 has enabled egress VLAN-Check, and Port1 is in the VLAN-Port of VLAN20 List, and egress VLAN-Check success, in the form arrival Router-A rs Port2 of flow with untagged;
Arrive the up known unicast flow of Router-A rs for Host4: on Switch-B, in VLAN20, because Port21 is in the ingress of VLAN20 VLAN-Port List, or, Port21 does not enable ingressVLAN-Check, and Port21 is not in the VLAN-Port of VLAN20 List, and ingressVLAN-Check is successful; Match the MAC-R+VLAN20+TrunkPort on Switch-B, determining port is TrunkPort, goes out VLAN and keeps VLAN20; Because TrunkPort is in the egressVLAN-Port of VLAN20 List, or, TrunkPort has enabled egress VLAN-Check, and TrunkPort is in the VLAN-Port of VLAN20 List, egress VLAN-Check success, flow arrives Switch-A with the form of VLAN20 tagged; On Switch-A, in VLAN20, because TrunkPort is in the ingress of VLAN20 VLAN-Port List, or, TrunkPort enables ingress VLAN-Check, and TrunkPort is in the VLAN-Port of VLAN20 List, ingress VLAN-Check success; Match the MAC-R+VLAN20+Port1 on Switch-A, determining port is Port1, goes out VLAN and keeps VLAN20; Because Port1 is in the egress of VLAN20 VLAN-Port List, or Port1 has enabled egressVLAN-Check, and Port1 is in the VLAN-Port of VLAN20 List, egress VLAN-Check success, flow arrives in Router-A rs Port2 with the form of untagged.
5, for the known unicast flow between Host1~Host6: in VLAN20, mate after the Host MAC address entries in corresponding VLAN20, there are two kinds of situations: if outbound port is isolated port, due to egress VLAN-Check failure, (port is not in the egress of VLAN20 VLAN-Port List, or port enable egress VLAN-Check switch but port not in the VLAN-Port of VLAN20 List), or (and) the object MAC address entries of coupling is that object abandons or destination interface is dead end mouth, thereby be dropped, if outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band VLAN20 arrives another Switch, on another Switch, due to egress VLAN-Check failure, (port is not in the egress of VLAN20 VLAN-Port List, or port enables egress VLAN-Check switch, but port is not in the VLAN-Port of VLAN20 List), or (and) coupling object MAC address entries be that object abandons or destination interface is dead end mouth, thereby be dropped, thus, can reach the object of two laminar flow amount isolation between Host1~Host6.
So far, obtain the present invention and realized the system that same VLAN inner port striding equipment is isolated.
Based on said system, Fig. 3 is the workflow diagram that the present invention realizes same VLAN inner port striding equipment partition method embodiment.As shown in Figure 3, this flow process comprises:
The downlink port of step 301:Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow.
In this step, arrange specifically and can comprise:
The PVID that Router arranges the downlink port of self is primary vlan, allow primary vlan by and be untagged;
The PVID that the Switch being connected with Router arranges the uplink port of self is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Each Switch arrange Trunk Port allow primary vlan and auxiliary vlan by and be tagged;
The PVID that each Switch arranges isolated port is auxiliary vlan, allow primary vlan and auxiliary vlan by and be untagged.
Step 302: the MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object.
Step 303: the isolated port that each Switch arranges self makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure.
It should be noted that, in this step, can realize the enter VLAN of flow in auxiliary vlan with VLAN strobe utility 1 and 2 two kinds of strobe utilities of VLAN strobe utility checks ingressVLAN-Check success, goes out VLAN inspection egress VLAN-Check failure.In the time using VLAN strobe utility 1, isolated port is added entering in vlan port list ingress VLAN-Port List of auxiliary vlan by described each Switch, its ingressVLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egressVLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure; In the time using VLAN strobe utility 2, described each Switch closes the VLAN inspection ingress VLAN-Check Enable switch that enters of isolated port, its ingressVLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egress VLAN-Check failure in auxiliary vlan.
Step 304: for different flows, Switch selects the combination of above-mentioned setting, makes to isolate between all Host of flow in auxiliary vlan.
In this step, have different processing procedures for different flows, below respectively introduce:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egressVLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and the Trunk Port of the Switch being connected with Router: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other Switch, Trunk Port ingress VLAN-Check success on other Switch, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in two layers, and flow is dropped;
For descending known unicast flow: for Router to the descending known unicast flow in the Host of the Switch being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives Host with untagged form; For Router to the descending known unicast flow in the Host of the Switch not being connected with Router, on the Switch being connected with Router, in primary vlan, ingressVLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives the Switch not being connected with Router with primary vlan tagged, on the Switch not being connected with Router, in primary vlan, ingress VLAN-Check success, matches after the MAC address entries of Host, egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, up known unicast flow for the Host in the Switch being connected with Router to Router, on the Switch being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged, up known unicast flow for the Host in the Switch not being connected with Router to Router, on the Switch not being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives the Switch being connected with Router with auxiliary vlan tagged, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged,
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives another Switch, on another Switch, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
So far, completed the whole workflow that realizes same VLAN inner port striding equipment partition method embodiment of the present invention.
Based on said system and method, Fig. 4 has provided the present invention and has realized the switching equipment in same VLAN inner port striding equipment shielding system, and as shown in Figure 4, this switching equipment comprises: port arranges module 41, MAC replication module 42, filtering module 43 and forwarding module 44, wherein
Described port arranges module 41, for the PVID to uplink port, Trunk Port and isolated port, allow the VLAN that passes through and arrange by the form of flow.
Described PVID to uplink port, Trunk Port and isolated port, allow the VLAN passing through and comprise by the form setting of flow:
The PVID that uplink port is set is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Arrange Trunk Port allow primary vlan and auxiliary vlan by and be all tagged;
The PVID that isolated port is set is auxiliary vlan, allow primary vlan and auxiliary vlan by and be all untagged.
Described MAC replication module 42, copies mutually for the MAC Address that auxiliary vlan and primary vlan learning are set, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object.
Described filtering module 43, for isolated port is set, makes the enter VLAN of flow in auxiliary vlan check that the ingress VLAN-Check VLAN that goes out successful, in auxiliary vlan checks egressVLAN-Check failure.
The described isolated port that arranges unsuccessfully comprises the ingress VLAN-Check success of flow in auxiliary vlan, the egress VLAN-Check in auxiliary vlan:
Isolated port is added to entering in vlan port list ingress VLAN-Port List of auxiliary vlan, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make its failure of egressVLAN-Check at auxiliary vlan
Or, by isolated port enable check that into VLAN ingress VLAN-Check Enable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egressVLAN-Check Enable switch open, making its egress VLAN-Check failure in auxiliary vlan.
Described forwarding module 44, for the flow for different, selects described port that the combination arranging in module 41, MAC replication module 42 and filtering module 43 is set, and makes to isolate between the Host of flow in auxiliary vlan.
Described for different flows, select described port that the combination arranging in module, MAC replication module and filtering module is set, make to isolate and comprise between the Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egressVLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and Trunk Port: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egressVLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egressVLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other switching equipment, Trunk Port ingress VLAN-Check success on other switching equipment, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egressVLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, flow arrives Host with untagged form; Or, in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egressVLAN-Check success, flow arrives other switching equipment with primary vlan tagged, on other switching equipment, in primary vlan, ingress VLAN-Check success, match the MAC address entries on other switching equipment, ingress/egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, in auxiliary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, and flow arrives Router with untagged; Or, on other switching equipment, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries on other switching equipment, egress VLAN-Check success, after flow arrives with auxiliary vlan tagged, in auxiliary vlan, ingress VLAN-Check success, match after MAC address entries, egress VLAN-Check success, flow arrives Router with untagged;
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives other switching equipment, on other switching equipment, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
So far, obtained the switching equipment that the embodiment of the present invention adopts.
In a word, the system that realizes same VLAN inner port striding equipment isolation of the present invention, by respectively each port of self (being comprised to uplink port by each switch, Trunk Port and isolated port) PVID, the VLAN that permission is passed through, and arrange by the form of flow, and the MAC Address that auxiliary vlan and primary vlan learning are set copies mutually, and the isolated port that self is set makes the ingress VLAN-Check success of flow in auxiliary vlan, egressVLAN-Check failure, thereby for different flows, switch can be selected the combination of above-mentioned each setting, make to isolate between all Host of flow in auxiliary vlan.Therefore, the present invention program can, in the situation that using minimum VLAN resource (only having used two kinds of VLAN of auxiliary vlan and primary vlan), realize two layers of isolation between port switch-spanning equipment.
The foregoing is only preferred embodiment of the present invention, in order to limit the present invention, within the spirit and principles in the present invention not all, any amendment of making, be equal to replacement, improvement etc., within all should being included in the scope of protection of the invention.
Claims (12)
1. realize the system of same VLAN inner port striding equipment isolation for one kind, this system comprises: server S erver, router Router, the plural switch Switch and the client Host that are connected by cascade port Trunk Port, wherein, some Switch are connected with the downlink port of the Router in same primary vlan by the uplink port of self, each Switch is connected with the multiple Host in same auxiliary vlan by self different isolated port respectively, it is characterized in that
The downlink port of Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow; The MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object; Each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure,,
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, Switch, according to above-mentioned setting, makes to isolate between all Host of flow in auxiliary vlan.
2. system according to claim 1, it is characterized in that, the downlink port of described Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and comprise by the form setting of flow:
The PVID that Router arranges the downlink port of self is primary vlan, allow primary vlan by and be untagged;
The PVID that the Switch being connected with Router arranges the uplink port of self is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Each Switch arrange Trunk Port allow primary vlan and auxiliary vlan by and be tagged;
The PVID that each Switch arranges isolated port is auxiliary vlan, allow primary vlan and auxiliary vlan by and be untagged.
3. system according to claim 1, it is characterized in that, described each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN and check that egress VLAN-Check unsuccessfully comprises:
Isolated port is added entering in vlan port list ingress VLAN-Port List of auxiliary vlan by described each Switch, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure
Or, described each Switch by isolated port enable check that into VLAN ingress VLAN-Check Enable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egress VLAN-Check failure in auxiliary vlan.
4. system according to claim 1, it is characterized in that, the described untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, Switch, according to above-mentioned setting, makes to isolate and comprise between all Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egress VLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and the Trunk Port of the Switch being connected with Router: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other Switch, Trunk Port ingress VLAN-Check success on other Switch, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: for Router to the descending known unicast flow in the Host of the Switch being connected with Router, on the Switch being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives Host with untagged form, for Router to the descending known unicast flow in the Host of the Switch not being connected with Router, on the Switch being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives the Switch not being connected with Router with primary vlan tagged, on the Switch not being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egressVLAN-Check success, flow arrives Host with untagged,
For up known unicast flow, up known unicast flow for the Host in the Switch being connected with Router to Router, on the Switch being connected with Router, in auxiliary vlan, ingressVLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged, up known unicast flow for the Host in the Switch not being connected with Router to Router, on the Switch not being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives the Switch being connected with Router with auxiliary vlan tagged, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged,
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives another Switch, on another Switch, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
5. realize a method for same VLAN inner port striding equipment isolation, be applied in the system that realizes same VLAN inner port striding equipment isolation as claimed in claim 1, it is characterized in that, the method comprises:
The downlink port of Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, cascade port Trunk Port and isolated port PVID, allow the VLAN passing through and arrange by the form of flow; The MAC Address that each Switch arranges auxiliary vlan and primary vlan learning copies mutually, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object; Each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure,,
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, Switch, according to above-mentioned setting, makes to isolate between the Host of flow in auxiliary vlan.
6. method according to claim 5, it is characterized in that, the downlink port of described Router to self, allow the VLAN passing through and arrange by the form of flow, each Switch respectively the uplink port to self, Trunk Port and isolated port PVID, allow the VLAN passing through and comprise by the form setting of flow:
The PVID that Router arranges the downlink port of self is primary vlan, allow primary vlan by and be untagged;
The PVID that the Switch being connected with Router arranges the uplink port of self is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Each Switch arrange Trunk Port allow primary vlan and auxiliary vlan by and be tagged;
The PVID that each Switch arranges isolated port is auxiliary vlan, allow primary vlan and auxiliary vlan by and be untagged.
7. method according to claim 5, it is characterized in that, described each Switch arranges the isolated port of self, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN and check that egress VLAN-Check unsuccessfully comprises:
Isolated port is added entering in vlan port list ingress VLAN-Port List of auxiliary vlan by described each Switch, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure
Or, described each Switch by isolated port enable check that into VLAN ingress VLAN-Check Enable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egress VLAN-Check failure in auxiliary vlan.
8. method according to claim 5, it is characterized in that, the described untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, Switch, according to above-mentioned setting, makes to isolate and comprise between all Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egress VLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and the Trunk Port of the Switch being connected with Router: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other Switch, Trunk Port ingress VLAN-Check success on other Switch, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: for Router to the descending known unicast flow in the Host of the Switch being connected with Router, on the Switch being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives Host with untagged form, for Router to the descending known unicast flow in the Host of the Switch not being connected with Router, on the Switch being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egress VLAN-Check success, flow arrives the Switch not being connected with Router with primary vlan tagged, on the Switch not being connected with Router, in primary vlan, ingress VLAN-Check success, match after the MAC address entries of Host, egressVLAN-Check success, flow arrives Host with untagged,
For up known unicast flow, up known unicast flow for the Host in the Switch being connected with Router to Router, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged, up known unicast flow for the Host in the Switch not being connected with Router to Router, on the Switch not being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives the Switch being connected with Router with auxiliary vlan tagged, on the Switch being connected with Router, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries of Router, egress VLAN-Check success, flow arrives Router with untagged,
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives another Switch, on another Switch, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
9. a switching equipment of realizing same VLAN inner port striding equipment isolation, is characterized in that, this switching equipment comprises: port arranges module, MAC replication module, filtering module and forwarding module, wherein,
Described port arranges module, for the PVID to uplink port, cascade port Trunk Port and isolated port, allow the VLAN that passes through and arrange by the form of flow;
Described MAC replication module, copies mutually for the MAC Address that auxiliary vlan and primary vlan learning are set, and the action of the MAC Address that isolated port is learnt amendment object coupling abandons or destination interface is revised as to dead end mouth for object;
Described filtering module, for isolated port is set, makes the enter VLAN of flow in auxiliary vlan check ingress VLAN-Check success, go out VLAN inspection egress VLAN-Check failure;
Described forwarding module, for the primary vlan of untagged downlink broadcast, descending unknown unicast and descending flux of multicast send at to(for) Router, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, according to described port, the setting in module, MAC replication module and filtering module is set, make to isolate between the Host of flow in auxiliary vlan.
10. switching equipment according to claim 9, is characterized in that, described the PVID to uplink port, Trunk Port and isolated port in module is set, allows the VLAN that passes through and comprise by the form setting of flow:
The PVID that uplink port is set is primary vlan, allow primary vlan and auxiliary vlan by and be all untagged;
Arrange Trunk Port allow primary vlan and auxiliary vlan by and be all tagged;
The PVID that isolated port is set is auxiliary vlan, allow primary vlan and auxiliary vlan by and be all untagged.
11. switching equipment according to claim 9, is characterized in that, in described filtering module, isolated port are set, and ingress VLAN-Check success, the egress VLAN-Check of flow in auxiliary vlan unsuccessfully comprised:
Isolated port is added to entering in vlan port list ingress VLAN-Port List of auxiliary vlan, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port is deleted from going out vlan port list egress VLAN-Port List of auxiliary vlan, make it in the egress of auxiliary vlan VLAN-Check failure
Or, by isolated port enable check that into VLAN ingress VLAN-Check Enable switch cuts out, its ingress VLAN-Check in auxiliary vlan is passed through, isolated port deleted from the VLAN-Port List of auxiliary vlan and the VLAN that enables out of isolated port is checked to egress VLAN-Check Enable switch open, making its egress VLAN-Check failure in auxiliary vlan.
12. switching equipment according to claim 9, it is characterized in that, the untagged downlink broadcast sending in primary vlan for Router in described forwarding module, descending unknown unicast and descending flux of multicast, or the Host up broadcast of untagged, up unknown unicast and the uplink multicast flow that send, or descending known unicast flow, or up known unicast flow, or known unicast flow between Host, according to described port, the setting in module, MAC replication module and filtering module is set, makes to isolate and comprise between the Host of flow in auxiliary vlan:
The untagged downlink broadcast sending in primary vlan for Router, descending unknown unicast and descending flux of multicast, in primary vlan, propagate always, the ingress VLAN-Check of each port and egress VLAN-Check be success, and flow arrives Host with untagged form;
The up broadcast of untagged of sending for Host, up unknown unicast and uplink multicast flow, ingress VLAN-Check success in isolated port, be flagged as auxiliary vlan, and then be broadcast to respectively uplink port, isolated port and Trunk Port: in the time that flow is broadcast to uplink port: uplink port allows auxiliary vlan, and be untagged, flow is sent to Router by the form with untagged, is flagged as primary vlan; In the time that flow is broadcast to isolated port: isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped; In the time that flow is broadcast to Trunk Port: egress VLAN-Check passes through, and the tagged traffic transport with auxiliary vlan arrives other switching equipment, Trunk Port ingress VLAN-Check success on other switching equipment, be marked as after auxiliary vlan, continue to be broadcast in the isolated port in auxiliary vlan, isolated port is egress VLAN-Check failure in auxiliary vlan, and flow is dropped;
For descending known unicast flow: in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, flow arrives Host with untagged form; Or, in primary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, flow arrives other switching equipment with primary vlan tagged, on other switching equipment, in primary vlan, ingress VLAN-Check success, match the MAC address entries on other switching equipment, egressVLAN-Check success, flow arrives Host with untagged;
For up known unicast flow, in auxiliary vlan, ingress VLAN-Check success, matches after MAC address entries, egress VLAN-Check success, and flow arrives Router with untagged; Or, on other switching equipment, in auxiliary vlan, ingress VLAN-Check success, match after the MAC address entries on other switching equipment, egress VLAN-Check success, after flow arrives with auxiliary vlan tagged, in auxiliary vlan, ingress VLAN-Check success, match after MAC address entries, egress VLAN-Check success, flow arrives Router with untagged;
For the known unicast flow between Host, in auxiliary vlan, mate after the Host MAC address entries in corresponding auxiliary vlan, if outbound port is isolated port, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped; If outbound port is Trunk Port, egress VLAN-Check success, the tag of flow band auxiliary vlan arrives other switching equipment, on other switching equipment, the object MAC address entries of egress VLAN-Check failure or coupling is that object abandons or destination interface is dead end mouth, and flow is dropped.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010574627.XA CN102480485B (en) | 2010-11-30 | 2010-11-30 | System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010574627.XA CN102480485B (en) | 2010-11-30 | 2010-11-30 | System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102480485A CN102480485A (en) | 2012-05-30 |
| CN102480485B true CN102480485B (en) | 2014-09-24 |
Family
ID=46092967
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010574627.XA Active CN102480485B (en) | 2010-11-30 | 2010-11-30 | System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102480485B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103281205B (en) * | 2013-05-23 | 2016-02-03 | 浙江宇视科技有限公司 | A kind of method of configured port isolation information and the network equipment |
| ES2627949T3 (en) | 2013-12-06 | 2017-08-01 | Huawei Technologies Co., Ltd. | Method, device and system to implement packet routing in a network |
| CN103780630B (en) * | 2014-02-18 | 2018-07-10 | 迈普通信技术股份有限公司 | Virtual LAN port separation method and system |
| CN107493234B (en) * | 2016-06-12 | 2021-01-29 | 阿里巴巴集团控股有限公司 | Message processing method and device based on virtual network bridge |
| CN106559268B (en) * | 2016-11-28 | 2019-12-13 | 浙江宇视科技有限公司 | Dynamic port isolation method and device for IP monitoring system |
| CN106789921A (en) * | 2016-11-28 | 2017-05-31 | 成都广达新网科技股份有限公司 | A kind of exchange method and interchanger for supporting that member port is isolated in VLAN |
| CN110912839B (en) * | 2019-12-24 | 2021-11-26 | 北京东土军悦科技有限公司 | Main and standby switch detection method, system, terminal and storage medium |
| CN113438334B (en) * | 2021-06-08 | 2023-02-28 | 新华三技术有限公司 | Port PVID configuration method, device and system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1507215A (en) * | 2002-12-11 | 2004-06-23 | 华为技术有限公司 | Two-layer message isolating method |
| CN1777150A (en) * | 2005-12-05 | 2006-05-24 | 杭州华为三康技术有限公司 | Method for realizing user-isolated virtual LAN and its network device |
| EP1755278A1 (en) * | 2004-09-10 | 2007-02-21 | Huawei Technologies Co., Ltd. | A method for raising access capacity of wide-band access equipment user |
| CN101119276A (en) * | 2007-08-22 | 2008-02-06 | 杭州华三通信技术有限公司 | Method and apparatus for implementing VLAN downlink user isolation |
| CN101478496A (en) * | 2009-01-21 | 2009-07-08 | 杭州华三通信技术有限公司 | Data packet forwarding method and switching device |
| CN101702679A (en) * | 2009-11-26 | 2010-05-05 | 福建星网锐捷网络有限公司 | Message processing method and exchange apparatus based on virtual local area network |
-
2010
- 2010-11-30 CN CN201010574627.XA patent/CN102480485B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1507215A (en) * | 2002-12-11 | 2004-06-23 | 华为技术有限公司 | Two-layer message isolating method |
| EP1755278A1 (en) * | 2004-09-10 | 2007-02-21 | Huawei Technologies Co., Ltd. | A method for raising access capacity of wide-band access equipment user |
| CN1777150A (en) * | 2005-12-05 | 2006-05-24 | 杭州华为三康技术有限公司 | Method for realizing user-isolated virtual LAN and its network device |
| CN101119276A (en) * | 2007-08-22 | 2008-02-06 | 杭州华三通信技术有限公司 | Method and apparatus for implementing VLAN downlink user isolation |
| CN101478496A (en) * | 2009-01-21 | 2009-07-08 | 杭州华三通信技术有限公司 | Data packet forwarding method and switching device |
| CN101702679A (en) * | 2009-11-26 | 2010-05-05 | 福建星网锐捷网络有限公司 | Message processing method and exchange apparatus based on virtual local area network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102480485A (en) | 2012-05-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102480485B (en) | System, method and switching device for realizing cross-device isolation of ports in same VLAN (virtual local area network) | |
| US10320671B2 (en) | Extension of logical networks across layer 3 virtual private networks | |
| US10135635B2 (en) | Encoding control plane information in transport protocol source port field and applications thereof in network virtualization | |
| EP3058687B1 (en) | Configurable service proxy mapping | |
| CN108259333B (en) | BUM flow control method, related device and system | |
| CN103763207B (en) | Band control connection establishment method and apparatus in software defined network | |
| WO2023103461A1 (en) | Cross-board message multicast replication and forwarding method and system based on clos architecture | |
| EP3200399B1 (en) | Automated mirroring and remote switch port analyzer (rspan)/encapsulated remote switch port analyzer (erspan) functions using fabric attach (fa) signaling | |
| CN103944828A (en) | Method and equipment for transmitting protocol messages | |
| CN102420762B (en) | Message forwarding method, message forwarding system, network equipment and firewall wire card | |
| EP3200398B1 (en) | Automated mirroring and remote switch port analyzer (rspan)/encapsulated remote switch port analyzer (erspan) functions using fabric attach (fa) signaling | |
| US20140177475A1 (en) | Method and Device for Managing MAC Address Entry in Trill Network | |
| CN102821099B (en) | Message forwarding method, equipment and system | |
| EP2897328B1 (en) | Method, system and apparatus for establishing communication link | |
| CN104579981B (en) | A kind of multicast data packet forwarding method and apparatus | |
| US20120163381A1 (en) | Multiple Label Based Processing of Frames | |
| CN104702498A (en) | Method and device for reducing the number of optical connections through coordination protection | |
| US9602352B2 (en) | Network element of a software-defined network | |
| WO2021042674A1 (en) | Method for configuring port state and network device | |
| CN102244583A (en) | Method and network equipment for forwarding multicast streaming | |
| CN112367263A (en) | Multicast data message forwarding method and equipment | |
| CN110519335B (en) | Data link removing method and system based on video network | |
| CN107770028B (en) | Method for realizing point-to-multipoint virtual local area network service in China telecommunication scene | |
| CN105281953A (en) | Network fault handling method and provider edge routers (PEs) | |
| US8804708B1 (en) | Methods and apparatus for implementing access control at a network switch |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |
|
| CP03 | Change of name, title or address |