CN102932342A - Method and network equipment for isolating multi-user virtual local area network - Google Patents

Publication number: CN102932342A
Authority: CN (China)
Application number: CN2012104169838A
Priority: CN201210416983.8A
Other languages: Chinese (zh)
Other versions: CN102932342B (en)
Inventors: 阴元斌, 纪晓峰
Original and current assignee: Huawei Technologies Co Ltd
Legal status: Granted, active
Prior art keywords: vlan, network equipment, numerical value, user, sign
Classification: Small-Scale Networks (AREA)

Abstract

The invention discloses a method and a network device for isolating multiple users with virtual local area networks (VLANs). The method comprises the following steps: a first network device receives data sent by a user; the first network device determines the number of VLANs according to a configured VLAN identifier range value (VLAN MASK); the first network device encapsulates the data with an Ethernet header to obtain an Ethernet frame, the Ethernet header carrying the VLAN MASK value and the number of VLANs; the first network device configures a VLAN identifier for the user according to the number of VLANs; and the first network device sends the Ethernet frame, which carries the VLAN identifier corresponding to the user, to a second network device. With this method the VLAN range can be defined flexibly according to actual requirements, so as to meet the need to isolate multiple users.

Description

Method and network device for isolating multi-user virtual local area networks
Technical Field
Embodiments of the invention relate to the field of communication technologies, and in particular to a method and a network device for isolating multi-user virtual local area networks.
Background
The arrival of the cloud computing era has changed the traditional way IT works, and has also changed the way existing enterprises build their IT networks. In the cloud computing era there will be many large public clouds. These very large clouds can offer rental services to many small and medium-sized enterprises or individual users. A small or medium-sized enterprise can rent the network resources of a public cloud to complete its own IT build-out, which greatly reduces the IT cost of the enterprise network, and this model will be the main way small and medium-sized enterprises adopt IT in the future. To support this business model, one problem is that services must be provided to many users in the same network, and each user must be isolated to guarantee the security of user data.
The existing multi-user isolation scheme is implemented in a layer-2 network with virtual local area networks (Virtual Local Area Network, hereinafter VLAN): different users are isolated by giving each user a different VLAN. The VLAN range is at most 4094, so a data center network can serve at most 4094 users and cannot meet the needs of a very large number of users.
Summary of the Invention
Embodiments of the invention provide a method and a network device for isolating multi-user virtual local area networks, which isolate a very large number of users by defining the VLAN range flexibly.
In a first aspect, a method for isolating multi-user virtual local area networks comprises:
a first network device receives data sent by a user;
the first network device determines the number of virtual local area networks (VLANs) according to a configured VLAN identifier range value (VLAN MASK);
the first network device encapsulates the data with an Ethernet header to obtain an Ethernet frame, the Ethernet header carrying the VLAN MASK value and the number of VLANs;
the first network device configures a VLAN identifier for the user according to the number of VLANs;
the first network device sends the Ethernet frame to a second network device, the Ethernet frame carrying the VLAN identifier corresponding to the user.
With reference to the first aspect, the first network device determining the number of VLANs according to the configured VLAN MASK value comprises:
the first network device determines the number of outer VLANs according to the VLAN MASK value; or
the first network device determines the number of outer VLANs and the number of inner VLANs according to the VLAN MASK value.
With reference to the first aspect, the VLAN MASK value is 5 bits, with a value range of 0-31.
With reference to the first aspect, the Ethernet header comprises a type identifier and at least one tag identifier, the type identifier indicating the type of the Ethernet header.
If one tag identifier is included, the tag identifier comprises: priority information, the VLAN MASK value information, the outer VLAN quantity information and the inner VLAN quantity information. Alternatively, if two tag identifiers are included, one tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and the VLAN MASK value information; and the other tag identifier comprises: the outer VLAN quantity information and the inner VLAN quantity information.
In a second aspect, a method for isolating multi-user virtual local area networks comprises:
a second network device receives an Ethernet frame sent by a first network device, the Ethernet frame carrying the VLAN identifier corresponding to a user;
the second network device parses the Ethernet frame, obtains the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet frame, and performs matching against the VLAN identifier configured on an interface of the second network device.
With reference to the second aspect, the VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier.
With reference to the second aspect, the VLAN MASK value is 5 bits, with a value range of 0-31.
With reference to the second aspect, the Ethernet header comprises a type identifier and at least one tag identifier, the type identifier indicating the type of the Ethernet header.
If one tag identifier is included, the tag identifier comprises: priority information, the VLAN MASK value information, the outer VLAN quantity information and the inner VLAN quantity information. Alternatively, if two tag identifiers are included, one tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and the VLAN MASK value information; and the other tag identifier comprises: the outer VLAN quantity information and the inner VLAN quantity information.
In a third aspect, a network device comprises:
a receiving module, configured for the first network device to receive data sent by a user;
a determining module, configured for the first network device to determine the number of VLANs according to the configured VLAN MASK value;
a processing module, configured for the first network device to encapsulate the data with an Ethernet header to obtain an Ethernet frame, the Ethernet header carrying the VLAN MASK value and the number of VLANs;
a configuration module, configured for the first network device to configure a VLAN identifier for the user according to the number of VLANs;
a sending module, configured for the first network device to send the Ethernet frame to a second network device, the Ethernet frame carrying the VLAN identifier corresponding to the user.
With reference to the third aspect, the determining module is specifically configured for the first network device to determine the number of outer VLANs according to the VLAN MASK value; or
the determining module is specifically configured for the first network device to determine the number of outer VLANs and the number of inner VLANs according to the VLAN MASK value.
With reference to the third aspect, the VLAN MASK value is 5 bits, with a value range of 0-31.
With reference to the third aspect, the Ethernet header comprises a type identifier and at least one tag identifier, the type identifier indicating the type of the Ethernet header.
If one tag identifier is included, the tag identifier comprises: priority information, the VLAN MASK value information, the outer VLAN quantity information and the inner VLAN quantity information. Alternatively, if two tag identifiers are included, one tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and the VLAN MASK value information; and the other tag identifier comprises: the outer VLAN quantity information and the inner VLAN quantity information.
In a fourth aspect, a network device comprises:
a receiving module, configured for a second network device to receive an Ethernet frame sent by a first network device, the Ethernet frame carrying the VLAN identifier corresponding to a user;
a processing module, configured for the second network device to parse the Ethernet frame, obtain the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet frame, and perform matching against the VLAN identifier configured on an interface of the second network device.
With reference to the fourth aspect, the VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier.
With reference to the fourth aspect, the VLAN MASK value is 5 bits, with a value range of 0-31.
With reference to the fourth aspect, the Ethernet header comprises a type identifier and at least one tag identifier, the type identifier indicating the type of the Ethernet header.
If one tag identifier is included, the tag identifier comprises: priority information, the VLAN MASK value information, the outer VLAN quantity information and the inner VLAN quantity information. Alternatively, if two tag identifiers are included, one tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and the VLAN MASK value information; and the other tag identifier comprises: the outer VLAN quantity information and the inner VLAN quantity information.
In the method and network device for isolating multi-user virtual local area networks of the embodiments of the invention, the number of VLANs is determined from a VLAN identifier range value (VLAN MASK) that is set in advance according to actual needs. The first network device encapsulates the data with an Ethernet header that carries the VLAN MASK value and the number of VLANs to obtain an Ethernet frame, configures a VLAN identifier for the user according to the number of VLANs, and then sends the Ethernet frame carrying the VLAN identifier corresponding to the user to the second network device. Frames of different users therefore carry different VLAN identifiers inside the data center, so the frames of different users travelling from the first network device to the second network device are isolated from each other. The VLAN range can thus be defined flexibly according to actual needs to isolate a very large number of users.
Description of the Drawings
To explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of Embodiment 1 of the method for isolating multi-user virtual local area networks according to the invention;
Fig. 2 is a flowchart of Embodiment 2 of the method for isolating multi-user virtual local area networks according to the invention;
Fig. 3 is a flowchart of Embodiment 3 of the method for isolating multi-user virtual local area networks according to the invention;
Fig. 4 is a schematic structural diagram of Embodiment 1 of the Ethernet header according to the invention;
Fig. 5 is a schematic structural diagram of Embodiment 2 of the Ethernet header according to the invention;
Fig. 6 is a schematic diagram of Embodiment 1, in which the data center uses layer-2 networking, of the method for isolating multi-user virtual local area networks according to the invention;
Fig. 7 is a schematic structural diagram of Embodiment 1 of the network device according to the invention;
Fig. 8 is a schematic structural diagram of Embodiment 2 of the network device according to the invention.
Detailed Description
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The method and network device for isolating multi-user virtual local area networks of the embodiments of the invention are mainly used in scenarios where the number of users exceeds 4094.
Fig. 1 is a flowchart of Embodiment 1 of the method for isolating multi-user virtual local area networks according to the invention. As shown in Fig. 1, the method of this embodiment can comprise:
S101: The first network device receives data sent by a user.
In S101, the first network device is a server.
S102: The first network device determines the number of VLANs according to the configured VLAN identifier range value (VLAN MASK).
In S102, the VLAN MASK value is set according to the number of VLANs actually required for users, and is configured in advance by the network administrator according to actual needs. For example, the VLAN MASK value can be set to 5 bits, with a value range of 0-31.
The first network device can determine the number of VLANs according to the configured VLAN MASK value. In one optional implementation, the first network device determines the number of outer VLANs according to the VLAN MASK value. In another optional implementation, the first network device determines both the number of outer VLANs and the number of inner VLANs according to the VLAN MASK value. The method is as follows: if the VLAN MASK value is X, the number of outer VLANs is 2 to the power of X, and the number of inner VLANs is 2 to the power of (32-X). The VLAN MASK value thus determines the range of the outer VLAN. For example, if the VLAN MASK value is configured as 20, the outer VLAN is 20 bits and the inner VLAN is 12 bits; the maximum range of the outer VLAN is 2 to the power of 20, and the maximum range of the inner VLAN is 2 to the power of 12. If the VLAN MASK value is configured as 0, everything is outer VLAN and there is no inner VLAN. Note that the outer VLAN can be used to isolate different users, the inner VLAN can be used for isolation within a user, and both can be set according to actual needs.
S103: The first network device encapsulates the data with an Ethernet header to obtain an Ethernet frame; the Ethernet header carries the VLAN MASK value and the number of VLANs.
In S103, the Ethernet header can comprise a type identifier and at least one tag identifier; the type identifier indicates the type of the Ethernet header. In one optional implementation, the Ethernet header comprises one tag identifier, which comprises: priority information, VLAN MASK value information, outer VLAN quantity information and inner VLAN quantity information. In another optional implementation, the Ethernet header comprises two tag identifiers. The first tag identifier can comprise: a canonical format indicator (Canonical Format Indicator, CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and VLAN MASK value information. The second tag identifier can comprise: outer VLAN quantity information and inner VLAN quantity information. Because the second tag identifier is 4 bytes, if the VLAN MASK value is configured as 0, all of it is outer VLAN and the maximum range of the outer VLAN is 2 to the power of 24, which can meet the need to isolate more users.
S104: The first network device configures a VLAN identifier for the user according to the number of VLANs.
In S104, the first network device configuring a VLAN identifier for the user according to the number of VLANs includes: the first network device configures the VLAN identifier for the user according to the number of outer VLANs and/or the number of inner VLANs. For example, if the VLAN MASK value is configured as 20, the outer VLAN is 20 bits and the inner VLAN is 12 bits. The maximum range of the outer VLAN is 2 to the power of 20, which can reach a million users; for example, user 1 is configured as outer VLAN 100000 and user 2 as outer VLAN 100001. The maximum range of the inner VLAN is 2 to the power of 12, a range of 0-4096; 0 is generally not used, so a quantity of 4096 can be reached. For example, according to the enterprise's internal needs, internal user 1 is configured as inner VLAN 4093 and internal user 2 as VLAN 4094.
S105: The first network device sends the Ethernet frame to the second network device; the Ethernet frame carries the VLAN identifier corresponding to the user.
The second network device can be a switch or a router. The first network device sends the Ethernet frame carrying the VLAN identifier corresponding to the user to the second network device, so that frames of different users carry different VLAN identifiers inside the data center.
In the method for isolating multi-user virtual local area networks of this embodiment, the number of VLANs is determined from a VLAN identifier range value (VLAN MASK) that is set in advance according to actual needs. The first network device encapsulates the data with an Ethernet header that carries the VLAN MASK value and the number of VLANs to obtain an Ethernet frame, configures a VLAN identifier for the user according to the number of VLANs, and then sends the Ethernet frame carrying the VLAN identifier corresponding to the user to the second network device. Frames of different users therefore carry different VLAN identifiers inside the data center, so the frames of different users travelling from the first network device to the second network device are isolated from each other. The VLAN range can thus be defined flexibly according to actual needs to isolate a very large number of users.
Fig. 2 is a flowchart of Embodiment 2 of the method for isolating multi-user virtual local area networks according to the invention. As shown in Fig. 2, the method of this embodiment can comprise:
S201: The second network device receives the Ethernet frame sent by the first network device; the Ethernet frame carries the VLAN identifier corresponding to the user.
In this embodiment, the second network device can be a switch or a router, and the first network device is a server. The second network device receives the Ethernet frame, sent by the first network device, that carries the VLAN identifier corresponding to the user. Frames of different users therefore carry different VLAN identifiers inside the data center, so the frames of different users travelling from the first network device to the second network device are isolated from each other.
S202: The second network device parses the Ethernet frame, obtains the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet frame, and performs matching against the VLAN identifier configured on the interface of the second network device.
In S202, the VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier. The VLAN MASK value is set according to the number of VLANs actually required for users, and is configured in advance by the network administrator according to actual needs. For example, the VLAN MASK value can be set to 5 bits, with a value range of 0-31. The Ethernet header comprises a type identifier and at least one tag identifier; the type identifier indicates the type of the Ethernet header. In one optional implementation, the Ethernet header comprises one tag identifier, which comprises: priority information, VLAN MASK value information, outer VLAN quantity information and inner VLAN quantity information. In another optional implementation, the Ethernet header comprises two tag identifiers: one tag identifier comprises a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and VLAN MASK value information, and the other tag identifier comprises outer VLAN quantity information and inner VLAN quantity information.
The second network device parses the Ethernet frame sent by the first network device, obtains the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet frame, and performs matching against the VLAN identifier configured on the interface of the second network device. If they match, the frame is processed further; if they do not match, the frame is discarded.
In the method for isolating multi-user virtual local area networks of this embodiment, the second network device parses the Ethernet frame sent by the first network device, obtains the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet frame, and performs matching against the VLAN identifier configured on the interface of the second network device. If they match, the frame is processed further; if they do not match, the frame is discarded. Users are thereby isolated inside the data center.
Several specific embodiments are used below to describe in detail the technical solutions of the method embodiments shown in Fig. 1 and Fig. 2.
Fig. 3 is a flowchart of Embodiment 3 of the method for isolating multi-user virtual local area networks according to the invention. As shown in Fig. 3, the method of this embodiment can comprise:
S301: The first network device receives data sent by a user.
In this embodiment, the first network device is a server, and the second network device can be a switch or a router.
S302: The first network device determines the number of VLANs according to the configured VLAN identifier range value (VLAN MASK).
In S302, the VLAN MASK value is set according to the number of VLANs actually required for users, and is configured in advance by the network administrator according to actual needs. For example, the VLAN MASK value can be set to 5 bits, with a value range of 0-31. Fig. 4 is a schematic structural diagram of Embodiment 1 of the Ethernet header according to the invention. As shown in Fig. 4, the Ethernet header comprises:
ETYPE: the type identifier, 2 bytes. It can be user-defined, for example 0x8500, and indicates that the tag identifier (TAG) that follows is 4 bytes.
TAG: the tag identifier, 4 bytes, defined as follows:
Priority: priority information, value range 0-7; the larger the value, the higher the priority.
VLAN MASK: value information, 5 bits, value range 0-31; the values 0 and 25-31 have the same meaning as the value 24. This value gives the number of bits of the outer VLAN that follows. For example, if the VLAN MASK value is set to 18, the outer VLAN that follows is 18 bits and the inner VLAN is 6 bits; if the VLAN MASK value is set to 24, the following 24 bits are all outer VLAN.
Outer VLAN: the value is determined according to the VLAN MASK value.
Inner VLAN: the value is determined according to the VLAN MASK value.
As another option, Fig. 5 is a schematic structural diagram of Embodiment 2 of the Ethernet header according to the invention. As shown in Fig. 5, the Ethernet header comprises:
ETYPE: the type identifier, a new ETYPE that can be defined as needed, for example 0x8500; it indicates that two 4-byte tag identifiers (TAGs) follow.
The first TAG:
CFI: canonical format indicator (Canonical Format Indicator, CFI), 1 bit; in Ethernet the CFI value is 0.
Outer VLAN priority: the priority of the outer VLAN frame, 3 bits, value range 0-7; the larger the value, the higher the priority.
Inner VLAN priority: the priority of the inner VLAN frame, 3 bits, value range 0-7; the larger the value, the higher the priority.
Reserved bits: 6 bits, for later use.
VLAN MASK: value information, 5 bits, value range 0-31. This value gives the number of outer-VLAN bits in the 4-byte TAG that follows. For example, if the VLAN MASK value is set to 18, the outer VLAN that follows is 20 bits and the inner VLAN is 12 bits. If it is 0, all 32 bits are outer VLAN.
The second TAG, 4 bytes:
Outer VLAN: the value is determined according to the VLAN MASK value.
Inner VLAN: the value is determined according to the VLAN MASK value. The second 4-byte TAG is used for the outer VLAN and the inner VLAN, so the range can be larger.
The first network device determining the number of VLANs according to the configured VLAN MASK value comprises: the first network device determines the number of outer VLANs according to the VLAN MASK value; or the first network device determines the number of outer VLANs and the number of inner VLANs according to the VLAN MASK value. The VLAN MASK value thus determines the range of the outer VLAN. For example, if the VLAN MASK value is configured as 20, the outer VLAN is 20 bits and the inner VLAN is 12 bits; the maximum range of the outer VLAN is 2 to the power of 20, and the maximum range of the inner VLAN is 2 to the power of 12. If the VLAN MASK value is configured as 0, everything is outer VLAN and there is no inner VLAN. The inner VLAN can be used for isolation within a user and can be set according to actual needs.
S303, first network equipment encapsulate data Ethernet header and obtain Ethernet message, carry VLAN MASK numerical value and VLAN quantity in the Ethernet header.
S304, first network equipment dispose the VLAN sign according to VLAN quantity for the user.
In S304, first network equipment comprises that for the user disposes the VLAN sign first network equipment disposes the VLAN sign according to outside VLAN quantity or inner VLAN quantity for the user according to VLAN quantity.Value such as VLAN MASK numerical value is configured to 20, so outer virtual LAN VLAN is 20bits just, the internal layer virtual LAN VLAN is 12bits just, the maximum magnitude of outer virtual LAN VLAN is 2 20 powers, can reach 1,000,000 number of users, be configured to outside VLAN 100000 such as user 1, user 2 is configured to outer 100001, the maximum magnitude of internal layer virtual LAN VLAN is 2 12 powers, can reach 4096 quantity, be configured to inner VLAN 4093 such as internal layer VLAN internal user 1, internal user 2 is configured to VLAN4094.
S305, first network equipment send to second network equipment with Ethernet message, carry VLAN sign corresponding to user in the Ethernet message.
Second network equipment can be switch or router, and the Ethernet message that first network equipment will carry VLAN sign corresponding to user sends to second network equipment, and the message of different user just has different VLAN signs in data center like this.
S306, second network equipment receive the Ethernet message that first network equipment sends, and carry virtual LAN VLAN sign corresponding to user in the Ethernet message.
In the present embodiment, second network equipment can be switch or router, second network equipment receives the Ethernet message that carries VLAN sign corresponding to user that first network equipment sends, the message of different user just has different VLAN signs in data center like this, therefore just different user is isolated to the message of second network equipment from first network equipment.
S307, second network device parses Ethernet message are obtained VLAN MASK numerical value and the VLAN sign of carrying in the Ethernet header in the Ethernet message, mate with the VLAN sign that disposes on the second network equipment interface.
Second network equipment is resolved the Ethernet message that first network equipment sends, obtain VLAN MASK numerical value and the VLAN sign of carrying in the Ethernet header in the Ethernet message, mate with the VLAN sign that disposes on the second network equipment interface, if coupling then is for further processing, abandon if can not mate then.
The process of realizing user isolation is described in detail below with a specific embodiment. Fig. 6 is a schematic diagram of embodiment one of the method for isolating multi-user virtual local area networks according to the present invention, in which the operator's data center network uses layer-2 networking. As shown in Fig. 6, there are two users, user 1 and user 2; TOR1, TOR2, TOR3, TOR4, TOR5 and TOR6 are switches, AGG1 and AGG2 are two switches, and Core1 and Core2 are two routers. The process of realizing user isolation is as follows:
On TOR1, TOR2, TOR3, TOR4, TOR5 and TOR6, the flexible VLAN (Flexible-VLAN) function can be enabled; that is, the VLAN MASK value can be configured flexibly to expand the VLAN quantity. In this embodiment the VLAN MASK is configured as 20, which can support 2 to the power of 20 minus 1 users; the specific value can be defined by the customer. After each TOR receives the data sent by a user, it can configure a VLAN identifier for the user. For example, on TOR1, TOR5 and TOR6, a flexible (Flexible) outer VLAN identifier can be configured for each user according to the VLAN MASK value: VLAN identifier VLAN10000 for user 1 and VLAN identifier VLAN10001 for user 2. On TOR2, a Flexible outer VLAN identifier can be configured for each user according to the VLAN MASK value, for example VLAN identifier VLAN10000 for user 1. On TOR3 and TOR4, a Flexible outer VLAN identifier can be configured for each user according to the VLAN MASK value, for example VLAN identifier VLAN10001 for user 2.
Each of TOR1, TOR2, TOR3, TOR4, TOR5 and TOR6 may be provided with a VLAN module and a forwarding module. The VLAN module obtains the Flexible-VLAN enable flag preset on the switch and the configured VLAN MASK value. The VLAN module can calculate the outer VLAN quantity and the inner VLAN quantity from the VLAN MASK value, and delivers the Flexible-VLAN enable flag and the VLAN MASK value to the forwarding module.
The forwarding module can read the Flexible-VLAN enable flag and the VLAN MASK value delivered by the VLAN module. In one implementation scenario, when an interface receives a message with the Ethernet header, it can parse the message according to the format defined in Fig. 4 or Fig. 5, obtain the outer VLAN and inner VLAN according to the VLAN MASK value, and match them against the outer VLAN quantity and inner VLAN quantity configured on the interface. If they match, the next forwarding operation is carried out; if they cannot be matched, the message is discarded. In another implementation scenario, when an interface needs to send a message with the Ethernet header, it can encapsulate the Ethernet header onto the message according to the VLAN MASK value range and the format defined in Fig. 4 or Fig. 5, and then forward the encapsulated message.
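The receive-side check described for the forwarding module, as an added example that is not code from the patent: it splits a VLAN field by the VLAN MASK value, looks up the outer VLAN on the interface, and drops anything that does not match. It assumes one 32-bit field with the outer VLAN in the high bits (consistent with the 20-bit/12-bit split given for S304; the real layout is defined in Fig. 4 and Fig. 5, which are not reproduced here), and the mask comparison, the handling of VLAN MASK 0 and all names are assumptions of this example.

```python
import struct
from typing import Dict, NamedTuple, Optional

# Assumption: outer and inner VLAN share one 32-bit field, as in the page's
# example of VLAN MASK 20 giving a 20-bit outer and a 12-bit inner VLAN.
FIELD_BITS = 32


class VlanId(NamedTuple):
    outer: int
    inner: int


def _inner_bits(vlan_mask: int) -> int:
    """Width of the inner VLAN for a given VLAN MASK value."""
    # VLAN MASK is a 5-bit value (0-31). The page describes 0 as a separate
    # "all outer VLAN" case with its own range, so this example rejects it.
    if not 1 <= vlan_mask <= 31:
        raise ValueError(f"unsupported VLAN MASK value: {vlan_mask}")
    return FIELD_BITS - vlan_mask


def pack_vlan_field(vlan_mask: int, outer: int, inner: int = 0) -> bytes:
    """Sender side: place outer and inner VLAN into the 32-bit field."""
    inner_bits = _inner_bits(vlan_mask)
    if not 0 <= outer < (1 << vlan_mask):
        raise ValueError("outer VLAN does not fit in VLAN MASK bits")
    if not 0 <= inner < (1 << inner_bits):
        raise ValueError("inner VLAN does not fit in the remaining bits")
    return struct.pack("!I", (outer << inner_bits) | inner)


def split_vlan_field(vlan_mask: int, raw: bytes) -> VlanId:
    """Receiver side: recover outer and inner VLAN using the VLAN MASK value."""
    inner_bits = _inner_bits(vlan_mask)
    if len(raw) != 4:
        raise ValueError("VLAN field must be exactly 4 bytes")
    (value,) = struct.unpack("!I", raw)
    return VlanId(value >> inner_bits, value & ((1 << inner_bits) - 1))


class Interface:
    """A sub-interface set: configured VLAN MASK plus outer VLAN -> VRF."""

    def __init__(self, name: str, vlan_mask: int, bindings: Dict[int, str]):
        self.name = name
        self.vlan_mask = vlan_mask
        self.bindings = dict(bindings)


def receive(iface: Interface, frame_mask: int, raw_field: bytes) -> Optional[str]:
    """Return the VRF to forward into, or None when the message is dropped."""
    # Assumption: a frame whose carried VLAN MASK differs from the interface's
    # is dropped, because the same 32 bits would decode to a different user.
    if frame_mask != iface.vlan_mask:
        return None
    try:
        vlan = split_vlan_field(frame_mask, raw_field)
    except ValueError:
        return None  # malformed field: drop instead of guessing
    return iface.bindings.get(vlan.outer)  # unknown outer VLAN -> None (drop)


# Constructed sample mirroring the embodiment: VLAN MASK 20,
# VLAN10000 bound to VRF1 (user 1), VLAN10001 bound to VRF2 (user 2).
CORE1_TO_AGG1 = Interface("Core1-AGG1", 20, {10000: "VRF1", 10001: "VRF2"})


def demo() -> dict:
    user1 = pack_vlan_field(20, 10000, 4093)
    user2 = pack_vlan_field(20, 10001)
    stray = pack_vlan_field(20, 10002)
    return {
        "user1": receive(CORE1_TO_AGG1, 20, user1),
        "user2": receive(CORE1_TO_AGG1, 20, user2),
        "unconfigured": receive(CORE1_TO_AGG1, 20, stray),
        "wrong_mask": receive(CORE1_TO_AGG1, 16, user1),
        "same_bits_mask16": split_vlan_field(16, user1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last entry shows why the mask travels with the identifier: the bytes that mean outer VLAN 10000 under VLAN MASK 20 decode to a different outer VLAN under VLAN MASK 16.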
On AGG1 and AGG2, the Flexible-VLAN function can be enabled; that is, the VLAN MASK value can be configured flexibly to expand the VLAN quantity. In this embodiment the VLAN MASK is configured as 20. On AGG1 and AGG2, according to the VLAN MASK value, VLAN identifier VLAN10000 can be configured for user 1 and VLAN identifier VLAN10001 for user 2.
The Flexible-VLAN function is enabled on Core1 and Core2, and two virtual routing and forwarding instances (VRF for short) are configured: VRF1 represents user 1 and VRF2 represents user 2. On the Core1 interface connected to AGG1, two sub-interfaces are created: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and VRF1 is bound; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and VRF2 is bound. Likewise, two sub-interfaces are created on the Core2 interface connected to AGG2: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and VRF1 is bound; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and VRF2 is bound.
After the above configuration is complete, the messages of user 1 and user 2 that enter the data center from the Multiprotocol Label Switching Virtual Private Network (hereinafter MPLS/VPN) are tagged with VLAN10000 and VLAN10001 respectively. The messages of user 1 and user 2 are thus isolated within the data center network, realizing the multi-user function. With the above definition of the embodiment of the present invention, the VLAN range can be very large.
On the basis of Fig. 6, when the operator's data center network uses layer-3 networking, the process of realizing user isolation is as follows:
On TOR1, TOR2, TOR3, TOR4, TOR5 and TOR6, the Flexible-VLAN function can be enabled; that is, the VLAN MASK value can be configured flexibly to expand the VLAN quantity. In this embodiment the VLAN MASK is configured as 20, which can support 2 to the power of 20 minus 1 users; the specific value can be defined by the customer. After each TOR receives the data sent by a user, it can configure a VLAN identifier for the user. For example, two VRFs are configured on TOR1, and two sub-interfaces are created on the interface connecting TOR1 and AGG1: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2. VRF1 is configured on TOR2, and one sub-interface is created on the interface connecting TOR1 and AGG2; on this sub-interface, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1. VRF2 is configured on TOR3 and TOR4, and one sub-interface is created on the interface connecting TOR3 and AGG1 and on the interface connecting TOR4 and AGG2; on this sub-interface, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2. Two VRFs are configured on TOR5 and TOR6, and two sub-interfaces are created on the interface connecting TOR5 and AGG1 and on the interface connecting TOR6 and AGG2: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2.
Then the Flexible-VLAN function is enabled on AGG1 and AGG2; that is, the VLAN MASK value can be configured flexibly to expand the VLAN quantity. In this embodiment the VLAN MASK is configured as 20, and two VRFs are configured on AGG1 and AGG2. On the AGG1 interfaces connected to TOR1 and TOR5, sub-interface 1 and sub-interface 2 are created: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1, representing user 1; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2, representing user 2. On the AGG1 interface connected to TOR3, one sub-interface is created, on which VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2, representing user 2. On the AGG2 interfaces connected to TOR5 and TOR6, sub-interface 1 and sub-interface 2 are created: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1, representing user 1; on sub-interface 2, VLAN identifier VLAN10001 is configured and bound to VRF2, representing user 2. On the AGG2 interface connected to TOR2, one sub-interface is created, on which VLAN identifier VLAN10000 is configured according to the VLAN MASK value and bound to VRF1, representing user 1. On the AGG2 interfaces connected to TOR3 and TOR4, one sub-interface is created, on which VLAN identifier VLAN10001 is configured according to the VLAN MASK value and bound to VRF2, representing user 2.
Finally, the Flexible-VLAN function is enabled on AGG1 and AGG2 and the VLAN MASK is configured as 20. Two VRFs are configured on Core1 and Core2: VRF1 represents user 1 and VRF2 represents user 2. On the Core1 interface connected to AGG1, sub-interface 1 and sub-interface 2 are created: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and VRF1 is bound; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and VRF2 is bound. Likewise, two sub-interfaces are created on the Core2 interface connected to AGG2: on sub-interface 1, VLAN identifier VLAN10000 is configured according to the VLAN MASK value and VRF1 is bound; on sub-interface 2, VLAN identifier VLAN10001 is configured according to the VLAN MASK value and VRF2 is bound.
After the above configuration is complete, the messages of user 1 and user 2 that enter the data center from the MPLS/VPN network enter two different VRF instances and are tagged with VLAN10000 and VLAN10001 respectively. The messages of user 1 and user 2 are thus isolated within the data center network, realizing the multi-user function.
In the method for isolating multi-user virtual local area networks of this embodiment, the Flexible-VLAN function is enabled on each TOR, AGG and Core, and each item is configured according to the number of users actually required, so that the messages of different users entering the data center from the MPLS/VPN network are tagged with different preset tag identifiers. The messages of different users are thus isolated within the data center network, realizing the multi-user function. With the definition given by the embodiment of the present invention, the VLAN range can be very large and can meet the needs of a massive number of users.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware controlled by program instructions. The program can be stored in a computer-readable storage medium. When executed, the program performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Fig. 7 is a schematic structural diagram of network device embodiment one of the present invention. As shown in Fig. 7, the network device of this embodiment may comprise: a receiver module 11, a determination module 12, a processing module 13, a configuration module 14 and a sending module 15.
The receiver module 11 is used by the first network device to receive the data sent by a user.
The determination module 12 is used by the first network device to determine the quantity of VLANs according to the set VLAN MASK value. The VLAN MASK value is set according to the quantity of VLANs actually required by users and is configured in advance by the network administrator according to actual needs. For example, the VLAN MASK value can be set as 5 bits, with a value range of 0-31. The determination module 12 is specifically used by the first network device to determine the quantity of outer VLANs according to the VLAN MASK value; or, the determination module 12 is specifically used by the first network device to determine the quantity of outer VLANs and the inner VLAN quantity according to the VLAN MASK value.
The processing module 13 is used by the first network device to encapsulate the data with an Ethernet header to obtain an Ethernet message; the Ethernet header carries the VLAN MASK value and the VLAN quantity. The Ethernet header may comprise a type identifier and at least one tag identifier, where the type identifier indicates the type of the Ethernet header. In one optional implementation, the Ethernet header comprises one tag identifier, which comprises: priority information, VLAN MASK value information, outer VLAN quantity information and inner VLAN quantity information. In another optional implementation, the Ethernet header comprises two tag identifiers: one tag identifier may comprise a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and VLAN MASK value information; the other tag identifier may comprise outer VLAN quantity information and inner VLAN quantity information. In this case, because the other tag identifier is 4 bytes, if the VLAN MASK value is configured as 0, it indicates that all of it is outer VLAN, and the maximum range of the outer VLAN is 2 to the power of 24, which can meet the isolation needs of more users.
The configuration module 14 is used by the first network device to configure a VLAN identifier for the user according to the VLAN quantity.
The sending module 15 is used by the first network device to send the Ethernet message to the second network device; the Ethernet message carries the VLAN identifier corresponding to the user.
The network device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle is similar and is not repeated here.
In the network device of this embodiment, the determination module determines the quantity of VLANs from the VLAN MASK value of the VLAN identifier range, which is set in advance according to actual needs. The processing module encapsulates the data with an Ethernet header carrying the VLAN MASK value and the VLAN quantity to obtain an Ethernet message. The configuration module then configures a VLAN identifier for the user according to the VLAN quantity, and the sending module sends the Ethernet message carrying the VLAN identifier corresponding to the user to the second network device. The messages of different users carry different VLAN identifiers in the data center, so the messages of different users sent from the first network device to the second network device are isolated. The VLAN range can thus be defined flexibly according to actual needs to isolate a massive number of users.
Fig. 8 is a schematic structural diagram of network device embodiment two of the present invention. As shown in Fig. 8, the network device of this embodiment comprises a receiver module 16 and a processing module 17. The receiver module 16 is used by the second network device to receive the Ethernet message sent by the first network device; the Ethernet message carries the VLAN identifier corresponding to the user, and the VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier.
The processing module 17 is used by the second network device to parse the Ethernet message, obtain the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet message, and match them against the VLAN identifier configured on the interface of the second network device. The VLAN MASK value is set according to the quantity of VLANs actually required by users and is configured in advance by the network administrator according to actual needs. For example, the VLAN MASK value can be set as 5 bits, with a value range of 0-31. The Ethernet header may comprise a type identifier and at least one tag identifier, where the type identifier indicates the type of the Ethernet header. In one optional implementation, the Ethernet header comprises one tag identifier, which comprises: priority information, VLAN MASK value information, outer VLAN quantity information and inner VLAN quantity information. In another optional implementation, the Ethernet header comprises two tag identifiers: one tag identifier may comprise a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and VLAN MASK value information; the other tag identifier may comprise outer VLAN quantity information and inner VLAN quantity information.
The network device of this embodiment can be used to carry out the technical solution of the method embodiment shown in Fig. 2; its implementation principle is similar and is not repeated here.
In the network device of this embodiment, the receiver module receives the Ethernet message sent by the first network device, and the processing module parses the received Ethernet message, obtains the VLAN MASK value and the VLAN identifier carried in the Ethernet header of the Ethernet message, and matches them against the VLAN identifier configured on the interface of the second network device. If they match, the message is processed further; if they cannot be matched, the message is dropped. The VLAN range can thus be defined flexibly according to actual needs to isolate a massive number of users.
In the cloud computing era there will be many large public clouds. These very large clouds can provide rental services to many small and medium-sized enterprises and individual users. A small or medium-sized enterprise can rent the network resources of a public cloud to complete its own IT build-out, without buying network equipment, recruiting network staff or performing maintenance itself, which greatly reduces the cost of enterprise IT adoption; this model will be the main way in which small and medium-sized enterprises adopt IT in the future. To support this business model, a very large cloud (data center) needs to have this capability, but current network technology cannot support and realize it. One of the main problems is that services must be provided to many tenants in the same network, and each tenant must be isolated to guarantee the security of tenant data. The number of future tenants can be massive, on the order of 100,000, which poses a great challenge to current technology, and there is currently no good technology that solves this problem. All of the above embodiments of this application can be applied to scenarios in which multiple large-scale public clouds are rented to multiple users.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A method for isolating multi-user virtual local area networks, characterized by comprising:
a first network device receiving data sent by a user;
said first network device determining the quantity of said virtual local area networks (VLANs) according to the set VLAN MASK value of the VLAN identifier range;
said first network device encapsulating said data with an Ethernet header to obtain an Ethernet message, said Ethernet header carrying said VLAN MASK value and said VLAN quantity;
said first network device configuring a VLAN identifier for said user according to said VLAN quantity;
said first network device sending said Ethernet message to a second network device, said Ethernet message carrying the VLAN identifier corresponding to said user.
2. The method according to claim 1, characterized in that said first network device determining the quantity of said VLANs according to the set VLAN MASK value comprises:
said first network device determining the quantity of outer VLANs according to said VLAN MASK value; or,
said first network device determining the quantity of outer VLANs and the inner VLAN quantity according to said VLAN MASK value.
3. The method according to claim 1 or 2, characterized in that said VLAN MASK value is 5 bits, with a value range of 0-31.
4. The method according to claim 2 or 3, characterized in that said Ethernet header comprises a type identifier and at least one tag identifier, said type identifier indicating the type of said Ethernet header;
if one said tag identifier is included, said tag identifier comprises: priority information, said VLAN MASK value information, said outer VLAN quantity information and said inner VLAN quantity information; or, if two said tag identifiers are included, one said tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and said VLAN MASK value information, and the other said tag identifier comprises: said outer VLAN quantity information and said inner VLAN quantity information.
5. A method for isolating multi-user virtual local area networks, characterized by comprising:
a second network device receiving an Ethernet message sent by a first network device, said Ethernet message carrying the VLAN identifier corresponding to a user;
said second network device parsing said Ethernet message, obtaining the VLAN MASK value and the VLAN identifier carried in the Ethernet header of said Ethernet message, and matching them against the VLAN identifier configured on the interface of said second network device.
6. The method according to claim 5, characterized in that said VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier.
7. The method according to claim 5 or 7, characterized in that said VLAN MASK value is 5 bits, with a value range of 0-31.
8. The method according to claim 6 or 7, characterized in that said Ethernet header comprises a type identifier and at least one tag identifier, said type identifier indicating the type of said Ethernet header;
if one said tag identifier is included, said tag identifier comprises: priority information, said VLAN MASK value information, said outer VLAN quantity information and said inner VLAN quantity information; or, if two said tag identifiers are included, one said tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and said VLAN MASK value information, and the other said tag identifier comprises: said outer VLAN quantity information and said inner VLAN quantity information.
9. A network device, characterized by comprising:
a receiver module, used by a first network device to receive data sent by a user;
a determination module, used by said first network device to determine the quantity of said VLANs according to the set VLAN MASK value;
a processing module, used by said first network device to encapsulate said data with an Ethernet header to obtain an Ethernet message, said Ethernet header carrying said VLAN MASK value and said VLAN quantity;
a configuration module, used by said first network device to configure a VLAN identifier for said user according to said VLAN quantity;
a sending module, used by said first network device to send said Ethernet message to a second network device, said Ethernet message carrying the VLAN identifier corresponding to said user.
10. The network device according to claim 9, characterized in that the determination module is specifically used by said first network device to determine the quantity of outer VLANs according to said VLAN MASK value; or,
the determination module is specifically used by said first network device to determine the quantity of outer VLANs and the inner VLAN quantity according to said VLAN MASK value.
11. The network device according to claim 9 or 10, characterized in that said VLAN MASK value is 5 bits, with a value range of 0-31.
12. The network device according to claim 10 or 11, characterized in that said Ethernet header comprises a type identifier and at least one tag identifier, said type identifier indicating the type of said Ethernet header;
if one said tag identifier is included, said tag identifier comprises: priority information, said VLAN MASK value information, said outer VLAN quantity information and said inner VLAN quantity information; or, if two said tag identifiers are included, one said tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and said VLAN MASK value information, and the other said tag identifier comprises: said outer VLAN quantity information and said inner VLAN quantity information.
13. A network device, characterized by comprising:
a receiver module, used by a second network device to receive an Ethernet message sent by a first network device, said Ethernet message carrying the VLAN identifier corresponding to a user;
a processing module, used by said second network device to parse said Ethernet message, obtain the VLAN MASK value and the VLAN identifier carried in the Ethernet header of said Ethernet message, and match them against the VLAN identifier configured on the interface of said second network device.
14. The network device according to claim 13, characterized in that said VLAN identifier comprises an outer VLAN identifier, or comprises an outer VLAN identifier and an inner VLAN identifier.
15. The network device according to claim 13 or 14, characterized in that said VLAN MASK value is 5 bits, with a value range of 0-31.
16. The network device according to claim 14 or 15, characterized in that said Ethernet header comprises a type identifier and at least one tag identifier, said type identifier indicating the type of said Ethernet header;
if one said tag identifier is included, said tag identifier comprises: priority information, said VLAN MASK value information, said outer VLAN quantity information and said inner VLAN quantity information; or, if two said tag identifiers are included, one said tag identifier comprises: a canonical format indicator (CFI), an outer VLAN priority, an inner VLAN priority, reserved bits and said VLAN MASK value information, and the other said tag identifier comprises: said outer VLAN quantity information and said inner VLAN quantity information.
CN201210416983.8A 2012-10-26 2012-10-26 Realize method and the network equipment of isolation multi-user virtual local area network (LAN) Active CN102932342B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210416983.8A CN102932342B (en) 2012-10-26 2012-10-26 Realize method and the network equipment of isolation multi-user virtual local area network (LAN)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210416983.8A CN102932342B (en) 2012-10-26 2012-10-26 Realize method and the network equipment of isolation multi-user virtual local area network (LAN)

Publications (2)

Publication Number Publication Date
CN102932342A true CN102932342A (en) 2013-02-13
CN102932342B CN102932342B (en) 2015-08-26

Family

ID=47647044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210416983.8A Active CN102932342B (en) 2012-10-26 2012-10-26 Realize method and the network equipment of isolation multi-user virtual local area network (LAN)

Country Status (1)

Country Link
CN (1) CN102932342B (en)


Also Published As

Publication number Publication date
CN102932342B (en) 2015-08-26

Similar Documents

Publication Publication Date Title
CN102932342B (en) Method and network equipment for isolating multi-user virtual local area network
CN105634986B (en) A kind of interchanger implementation method and system
CN105284080B (en) The virtual network management method and data center systems of data center
CN102857416B (en) A kind of realize the method for virtual network, controller and virtual network
EP2569908B1 (en) A method to pass virtual local area network information in virtual station interface discovery and configuration protocol
CN105553849B (en) A kind of traditional IP and SPTN network intercommunication method and system
CN102255903B (en) Safety isolation method for virtual network and physical network of cloud computing
US20110085560A1 (en) System and Method for Implementing a Virtual Switch
CN103369027A (en) Location-aware virtual service provisioning in a hybrid cloud environment
CN102263646B (en) Multicasting within a distributed control plane of a switch
CN107370642A (en) One kind is based on cloud platform multi-tenant network smoothness monitoring system and method
CN102801599A (en) Communication method and system
CN103067245A (en) Flow table spatial isolation device and method for network virtualization
CN106941437A (en) A kind of information transferring method and device
CN107566237A (en) A kind of data message processing method and device
CN106685903A (en) Data transmission method based on SDN, SDN controller and SDN system
CN108616487A (en) Based on the sound mixing method and device regarding networking
WO2012092817A1 (en) Method and system for message transmission
CN107005479A (en) The method, apparatus and system of data forwarding in software defined network SDN
CN103580979B (en) The virtual bridged website in method for building up and system, edge and bridge of logical channel
CN105284083A (en) OpenFlow device and IP network device communication method, device and system
CN103905285A (en) Method for dividing users with the same MAC address into multiple different VLANs
CN109743265A (en) A kind of method and apparatus obtaining certificate information
CN101304337A (en) Method and apparatus for generating access topology of service VPN
CN105516116A (en) System for controlling OpenFlow exchanger based on ForCES control element and protocol conversion method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant