CN106059994B - Data transmission method and network equipment - Google Patents

Data transmission method and network equipment

Publication number: CN106059994B (application CN201610286483.5A; earlier publication CN106059994A)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 李娟�, 牛承光
Assignee (original and current): Huawei Technologies Co Ltd
Related application: PCT/CN2017/081552, published as WO2017186069A1
Legal status: Active (granted)
Prior art keywords: home, message, packet, forwarding, mac address

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L63/00, H04L63/08)
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling (under H04L12/00 Data switching networks, H04L12/28, H04L12/46)
    • H04L45/16 Multipoint routing (under H04L45/00 Routing or path finding of packets in data switching networks)
    • H04L45/66 Layer 2 routing, e.g. in Ethernet based MAN's (under H04L45/00)

Abstract

Embodiments of the invention disclose a data transmission method and a network device. The method is applied to a virtual customer premises equipment (vCPE) that supports a two-layer (Layer 2) data forwarding function, and comprises the following steps: receiving a first message from a first home terminal, where the first message comprises a first home identifier; if the first message is the initial message of the first home matching the first home identifier, sending a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server; receiving home authentication success information returned by the RADIUS server; and if a second message from the first home terminal is received, sending the second message to a value-added service platform (VSP) server. The embodiments can improve network security.

Description

Data transmission method and network equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data transmission method and a network device.
Background
Currently, virtual Customer Premises Equipment (vCPE) mainly supports a three-layer (Layer 3) data forwarding function, while the two-layer (Layer 2) data forwarding function depends on hardware equipment. Based on the vCPE architecture, an operator can add a terminal in a home (such as a smart phone) and a Value-added Service Platform (VSP) to the same Virtual Private Network (VPN) to implement two-layer interworking between the terminal and the VSP, so that the terminal in the home can directly play cloud music and video through the Digital Living Network Alliance (DLNA) protocol. However, in the existing vCPE architecture, with this manner of interworking between the terminal and the VSP, a terminal in a home can access the network directly and different homes can communicate with each other, which makes network attacks easy and poses a security risk.
Disclosure of Invention
The embodiment of the invention provides a data transmission method and network equipment, which can improve the security of a network.
The first aspect of the embodiments of the present invention discloses a data transmission method, which is applied to a virtual customer premises equipment (vCPE), wherein the vCPE supports a two-layer data forwarding function, and the method includes:
receiving a first message from a first home terminal, where the first message includes a first home identifier, where the first home identifier may be QinQ information, and the QinQ information is used to represent information (such as physical location information) of a first home;
if the first message is the initial message of the first home matching the first home identifier, sending a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server;
receiving home authentication success information returned by the RADIUS server;
and if a second message from the first home terminal is received, sending the second message to a value added service platform (VSP) server.
It can be seen that after receiving the first message sent by the first home terminal, the vCPE can identify the first home through the first home identifier; if the first message is the initial message of the first home, the vCPE must request authentication for the first home, and if the first home is authenticated successfully, the vCPE may send messages to the VSP server, so that the first home terminal can access the network. This improves the security of the network.
In a possible implementation manner, after the BRAS receives the home authentication success information returned by the RADIUS, the method further includes:
creating a multicast forwarding table entry, where the multicast forwarding table entry comprises an association between a multicast matching entry and at least two interfaces, the multicast matching entry comprises the first home identifier and first Virtual Private Network (VPN) information to which the first home belongs, the at least two interfaces comprise an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding table entry is used for forwarding multicast messages based on the first home.
In a possible implementation manner, if receiving a second message from the first home terminal, sending the second message to a VSP server includes:
receiving a second message from the first home terminal, wherein the second message comprises a first destination MAC address, the first home identifier and the first VPN information;
if the first destination MAC address is a multicast MAC address, determining that the message forwarding mode of the second message is multicast message forwarding based on the first home;
obtaining the interface to the VSP server associated with the first home identification and the first VPN information from the multicast forwarding entry;
and sending the second message to a value added service platform (VSP) server through the interface to the VSP server.
Therefore, in this embodiment, after the vCPE creates the multicast forwarding table entry, multicast packets can be replicated precisely at home granularity, so that multicast packets are never forwarded across homes. This solves the problem that packets cannot be forwarded normally when MAC addresses overlap between homes, reduces network attacks between different homes, and saves network bandwidth.
In one possible embodiment, the method further comprises:
receiving a first response message returned by the VSP server for the second message, where the first response message comprises a second destination MAC address, the first home identifier and the first VPN information;
if the second destination MAC address is a multicast MAC address, determining that the message forwarding mode of the first response message is multicast message forwarding based on the first home;
acquiring the interface to the first home terminal associated with the first home identifier and the first VPN information from the multicast forwarding table entry;
and sending the first response message to the first home terminal through the interface to the first home terminal.
In this embodiment, the vCPE may identify the first home through the first home identifier, and for the first response packet returned by the VSP server, the vCPE may forward the multicast packet by using the previously created multicast forwarding entry.
In a possible implementation manner, after receiving the home authentication success information returned by the RADIUS, the method further includes:
creating a first unicast forwarding table entry of the first home terminal, where the first unicast forwarding table entry includes an association between a first unicast matching entry and an interface to the first home terminal, the first unicast matching entry includes the first home identifier, first Virtual Private Network (VPN) information to which the first home belongs, and a MAC address of the first home terminal, and the first unicast forwarding table entry is used for forwarding unicast messages based on the first home terminal.
In one possible embodiment, the method further comprises:
receiving a second response message returned by the VSP server aiming at the second message, wherein the second response message comprises a third destination MAC address, the first home identifier and the first VPN information;
if the third destination MAC address is the MAC address of the first home terminal, determining that the message forwarding mode of the second response message is unicast message forwarding based on the first home terminal;
acquiring the interface to the first home terminal associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information from the first unicast forwarding table entry;
and sending the second response message to the first home terminal through the interface to the first home terminal.
In this embodiment, the vCPE may identify the first home through the first home identifier, and after the vCPE creates the first unicast forwarding entry of the first home terminal, the vCPE may forward the unicast packet by using the first unicast forwarding entry for the second response packet returned by the VSP server.
In a possible implementation manner, if a second message is received from the first home terminal, sending the second message to the VSP server includes:
receiving a second message from the first home terminal, wherein the second message comprises a fourth destination MAC address, the first home identifier and first Virtual Private Network (VPN) information;
if the fourth destination MAC address is the MAC address of a value added service platform (VSP) server, determining that the message forwarding mode of the second message is unicast message forwarding based on the VSP server;
obtaining, from a pre-learned server unicast forwarding table entry, the interface to the VSP server associated with the MAC address of the VSP server, the first home identifier and the first VPN information;
sending the second packet to the VSP server via the interface to the VSP server.
In this embodiment, the vCPE may identify the first home through the first home identifier, and may forward the unicast packet by using a server unicast forwarding table entry learned in advance for the second packet sent by the first home terminal.
In one possible embodiment, the method further comprises:
receiving a third message from a second home terminal, where the third message comprises a second home identifier, second Virtual Private Network (VPN) information of a second home matched with the second home identifier, and a MAC (media access control) address of the second home terminal. If the second home is the same as the first home, the second VPN information is the same as the first VPN information; if the second home is not the same as the first home, the second VPN information may be the same as the first VPN information (for example, the second home and the first home are two different homes located under the same VPN), or the second VPN information and the first VPN information may differ (for example, the second home and the first home are located under two different VPNs).
judging whether the second home identifier is consistent with the first home identifier;
if so, determining that the second home is the same as the first home;
creating a second unicast forwarding table entry of the second home terminal, where the second unicast forwarding table entry includes an association between a second unicast matching entry and an interface to the second home terminal, the second unicast matching entry includes the second home identifier, the second VPN information, and a MAC address of the second home terminal, and the second unicast forwarding table entry is used for forwarding unicast packets based on the second home terminal.
In this embodiment, if the second home identifier is consistent with the first home identifier, it indicates that the first home is consistent with the second home, that is, the first home terminal and the second home terminal are terminals in the same home, and the first home is authenticated before, so that after receiving the third packet sent by the second home terminal, the vCPE may directly create the second unicast forwarding entry of the second home terminal without authenticating the second home to which the second home terminal belongs.
A second aspect of the present invention discloses a network device, where the network device includes functional units configured to perform part or all of the steps of any of the methods in the first aspect. The network device may be a physical Broadband Remote Access Server (BRAS) integrated with the virtual customer premises equipment (vCPE); alternatively, the network device may be a physical server with a general hardware structure on which a virtual BRAS (vBRAS) and the vCPE are integrated. The network device performs the function of the vCPE and can improve the security of the network when performing part or all of the steps of any of the methods of the first aspect.
A third aspect of the embodiments of the present invention discloses a network device, where the network device includes: a processor, a receiver, a transmitter, and a memory, the memory configured to store instructions, the processor configured to execute the instructions, the processor executing the instructions to perform some or all of the steps of any of the methods of the first aspect of the embodiments of the present invention. Wherein, the network device can improve the security of the network when executing part or all of the steps of any one of the methods of the first aspect.
A fourth aspect of the embodiments of the present invention discloses a computer storage medium, which stores a program, where the program specifically includes instructions for executing some or all of the steps of any of the methods of the first aspect of the embodiments of the present invention.
Therefore, in the embodiments of the present invention, after receiving the first message sent by the first home terminal, the vCPE can identify the first home through the first home identifier; if the first message is the initial message of the first home, the vCPE must request authentication for the first home, and if the first home is authenticated successfully, the vCPE may send messages to the VSP server, so that the first home terminal can access the network. This improves the security of the network.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a network architecture of a data transmission system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a data transmission method disclosed in the embodiment of the present invention;
fig. 2.1 is a message structure diagram of a QinQ frame encapsulation format disclosed in the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention;
fig. 5 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention;
fig. 6 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and "third," etc. in the description and claims of the present invention and the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The embodiment of the invention discloses a data transmission method and network equipment, which can improve the security of a network. The following are detailed below.
In order to better understand a data transmission method disclosed in the embodiment of the present invention, a network architecture suitable for the embodiment of the present invention is described below. Referring to fig. 1, fig. 1 is a schematic diagram of a network architecture of a data transmission system according to an embodiment of the present invention. As shown in fig. 1, the data transmission system may include: a home terminal, a virtual customer premises Equipment (vCPE), and a Value-added service platform (VSP) server. In the Network architecture shown in fig. 1, the home terminal and the VSP server may be added to the same Virtual Private Network (VPN) based on the home granularity, and the home terminal and the VSP may be regarded as members of a home.
The home terminal may include a two-layer CPE and a user terminal, where the two-layer CPE is a CPE device having a physical hardware structure, the two-layer CPE has a two-layer bridging function, and does not have three-layer and/or more than three-layer functions (such as routing, firewall, NAT, and other functions); the user terminal may include, but is not limited to, various electronic devices such as a smart phone, a notebook computer, a Personal Computer (PC), a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and an intelligent wearable Device (e.g., a smart watch and a smart band).
The vCPE, in turn, is application software that supports both the two-layer data forwarding function and three-layer and/or higher-layer functions. The vCPE may be integrated on a physical Broadband Remote Access Server (BRAS), or may be integrated with a virtual BRAS (vBRAS) and deployed on a physical server with a general hardware structure. In the network architecture shown in fig. 1, the vCPE may implement the user management and data forwarding functions of a conventional CPE. In this case, the vCPE identifies all user terminals attached to the same two-layer CPE as terminals in the same home, and network access is granted on the basis of per-home authentication and charging. In general, the vCPE identifies the home by a home identifier carried in the messages sent by the home terminal, where the home identifier may be identity information of the home, such as QinQ information indicating the physical location of the home, so that the vCPE can treat home terminals carrying the same home identifier as belonging to the same home.
The BRAS is a new type of access gateway for broadband network applications. It is located at the edge layer of the backbone network, completes data access to Internet Protocol (IP) and Asynchronous Transfer Mode (ATM) networks for user bandwidth, and connects access-layer devices such as a Digital Subscriber Line Access Multiplexer (DSLAM) with the backbone network. It mainly has two functions. The first is a network bearer function: terminating Point-to-Point Protocol over Ethernet (PPPoE) connections and aggregating user traffic. The second is control and implementation: authentication, accounting and management of user access, in cooperation with an authentication system, an accounting system, a customer management system and a service policy control system. A BRAS may include a number of interfaces, such as a binding (Trunk) interface and a GE (Gigabit Ethernet) interface, where one interface can bind multiple VLANs.
The VSP server may comprise an operator's diagnosis server and a service server that provides value-added services. The diagnosis server is mainly used to detect the condition of the terminal through operations such as Address Resolution Protocol (ARP) requests, PING and port scanning, so that most network faults of the terminal can be located directly; the service server can provide various cloud resources, such as music and video.
In the network architecture shown in fig. 1, the vCPE may receive a first message sent by a first home terminal; if the first message is the initial message of a first home that matches a first home identifier, the vCPE may send a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server, and the vCPE may then receive a home authentication success message returned by the RADIUS server; and if a second message is received from the first home terminal, the vCPE can send the second message to the VSP server. It can be seen that the network architecture shown in fig. 1 implements a virtual switch function based on vCPE home subscribers and two-layer interworking between a home terminal and a VSP server; at the same time, when the initial message of the first home is received, the vCPE sends messages to the VSP server only after the first home has been authenticated successfully, so that the first home terminal can access the network, thereby improving the security of the network.
In addition, based on the vCPE architecture, once the home terminal and the VSP server interwork at two layers, the home terminal can directly play cloud music and video without installing app software, so that operators can deploy value-added services more easily; the deployment cost of new services is reduced and value-added service deployment becomes simpler. Furthermore, the operator can use the diagnosis function provided by the diagnosis server to detect the terminal condition through operations such as ARP, PING and port scanning, thereby directly locating most network faults of the home terminal and reducing network maintenance cost.
It should be noted that although only one home terminal and one VSP server are shown in fig. 1, the present invention is not limited thereto, and more home terminals and VSP servers than shown in the drawings may be included. In addition, fig. 1 may also include other devices, such as the Remote Authentication Dial-In User Service (RADIUS) server.
Referring to fig. 2, fig. 2 is a schematic flow chart of a data transmission method according to an embodiment of the present invention. The data transmission method is described from the perspectives of the first home terminal, the vCPE, the RADIUS server and the VSP server, and can be based on the network architecture described in fig. 1. As shown in fig. 2, the data transmission method may include the following steps.
201. The first home terminal sends a first message to the vCPE.
In the embodiment of the present invention, the first home terminal may be a two-layer CPE, the two-layer CPE is a CPE device having a physical hardware structure, the two-layer CPE has a two-layer bridging function, and does not have three-layer and/or more than three-layer functions (such as functions of routing, firewall, NAT, and the like); alternatively, the first home terminal may also be a user terminal, and the user terminal may include but is not limited to various electronic devices such as a smart phone, a notebook Computer, a Personal Computer (PC), a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and an intelligent wearable Device (e.g., a smart watch and a smart band).
The first message may include, but is not limited to, an Internet Protocol (IP) message, an Address Resolution Protocol (ARP) message, and a Neighbor Discovery (ND) message. The first message includes a first home identifier, where the first home identifier is used to uniquely represent identity information of a first home, such as: a first home ID, and QinQ information of the first home, the QinQ information indicating physical location information of the first home. In addition, optionally, the first packet may further include VPN information and a destination MAC address. Generally, the home identifier and the VPN information carried in the message sent by the home terminal in the same home are the same. Such as: the first home terminal and the VSP server are located in the same home, the home identifier carried by the message sent by the first home terminal is the same as the home identifier carried by the message sent by the VSP server, and the VPN information carried by the message sent by the first home terminal is also the same as the VPN information carried by the message sent by the VSP server.
The QinQ information is usually the two layers of Virtual Local Area Network (VLAN) information in a message; QinQ adds a second 802.1Q VLAN tag header on top of the conventional 802.1Q VLAN tag header.
Please also refer to fig. 2.1, which is a message structure diagram of the QinQ frame encapsulation format according to an embodiment of the present invention. As shown in fig. 2.1, the message includes a Destination Address (DA), a Source Address (SA), two layers of 802.1Q Tag, a Length/Type field, DATA, and a Frame Check Sequence (FCS). The two layers of 802.1Q Tag carried in the message are the QinQ information. QinQ frame encapsulation converts a single-tagged 802.1Q data frame into a double-tagged 802.1Q data frame. Usually, the QinQ information is written into the message when the two-layer CPE accesses the two-layer carrier network; it carries information representing the physical location of the home, and the vCPE can determine whether messages belong to the same home according to whether they carry the same QinQ information. For example, all messages with outer VLAN 1 and inner VLAN 2 may be considered messages of the same home.
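The following parser, added here as an illustration and not part of the patent or of any Huawei code, shows how the frame format of fig. 2.1 is read in practice: the destination and source addresses, then up to two 802.1Q tags, then the payload EtherType. It derives the home identifier as the (outer VLAN, inner VLAN) pair, which is exactly what a vCPE would key its per-home tables on, and it also flags group (multicast) destination MAC addresses, the test the forwarding branches of the method rely on. The `build_frame` helper and the VLAN/MAC values in the test are constructed sample data; the use of the 802.1ad TPID 0x88A8 for the outer tag is an assumption, since the patent does not say which TPID the carrier network uses.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherTypes that introduce an 802.1Q tag: 0x8100 (customer tag, C-TAG) and
# 0x88A8 (IEEE 802.1ad service tag, S-TAG, commonly used as the outer QinQ tag).
VLAN_TPIDS = {0x8100, 0x88A8}


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    outer_vlan: Optional[int]   # carrier-side VLAN ID, None unless double-tagged
    inner_vlan: Optional[int]   # customer-side VLAN ID, None if untagged
    ethertype: int              # EtherType of the payload after all tags
    payload: bytes              # everything after the tags; the FCS is not validated here

    def home_identifier(self) -> Optional[Tuple[int, int]]:
        """QinQ information in the sense of the patent: (outer VLAN, inner VLAN).
        Only a double-tagged frame carries a home identifier."""
        if self.outer_vlan is None or self.inner_vlan is None:
            return None
        return (self.outer_vlan, self.inner_vlan)

    def is_multicast_destination(self) -> bool:
        """The I/G bit (least significant bit of the first octet) marks group addresses."""
        return int(self.dst_mac.split(":")[0], 16) & 0x01 == 1


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse an Ethernet II frame carrying zero, one or two 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset, vlan_ids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: EtherType or tag missing")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS or len(vlan_ids) == 2:
            break                                   # reached the payload EtherType
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vlan_ids.append(tci & 0x0FFF)               # low 12 bits = VLAN ID; PCP/DEI dropped
    if len(vlan_ids) == 2:
        outer, inner = vlan_ids[0], vlan_ids[1]
    else:
        outer, inner = None, (vlan_ids[0] if vlan_ids else None)
    return ParsedFrame(dst, src, outer, inner, ethertype, bytes(frame[offset:]))


def build_frame(dst_mac: str, src_mac: str, vlan_ids: List[int],
                ethertype: int, payload: bytes) -> bytes:
    """Constructed test frame: one 802.1Q tag per VLAN ID in vlan_ids (outer first),
    using an 802.1ad S-TAG for the outer tag of a double-tagged frame (assumption)."""
    out = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for i, vid in enumerate(vlan_ids):
        tpid = 0x88A8 if (i == 0 and len(vlan_ids) == 2) else 0x8100
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload
```

A single-tagged or untagged frame yields no home identifier, which is the case a vCPE must treat as "not attributable to any home" rather than defaulting it into some home's VPN; a frame with more than two tags is parsed up to the second tag and the rest is left in the payload.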
202. If the first message is the initial message of the first home matching the first home identifier, the vCPE sends a home authentication request to the RADIUS server.
In the embodiment of the present invention, after receiving a first message sent by a first home terminal, a vCPE may identify, according to a first home identifier carried by the first message, whether a first home matched with the first home identifier creates a multicast forwarding entry (i.e., a two-layer forwarding entry), and if not, the vCPE may determine that the first message is a first message of the first home. At this time, the vCPE needs to send a home authentication request to RADIUS. The home authentication request may carry a home identifier (e.g., QinQ information) and interface information, where the interface information may be Trunk interface information, GE interface information, and the like.
203. The RADIUS server returns home authentication success information to the vCPE.
In the embodiment of the present invention, the RADIUS may pre-store the home identifier (such as QinQ information) and interface information of each home authorized by the operator.
After the RADIUS server receives the home authentication request sent by the vCPE, it can judge, according to the home identifier and the interface information carried in the request, whether the home identifier is consistent with a home identifier pre-authorized by the operator and whether the interface information is consistent with the interface information pre-authorized by the operator; if they are consistent, home authentication is determined to be successful, and the RADIUS server returns home authentication success information to the vCPE.
It can be seen that after receiving the first message sent by the first home terminal, the vCPE can identify the first home through the first home identifier; if the first message is the initial message of the first home, the vCPE must request authentication for the first home, and if the first home is authenticated successfully, the vCPE may send messages to the VSP server, so that the first home terminal can access the network. This improves the security of the network.
204. The vCPE creates a multicast forwarding entry.
In this embodiment of the present invention, after receiving the home authentication success information returned by the RADIUS, the vCPE may create a multicast forwarding entry, where the multicast forwarding entry includes an association relationship between a multicast matching entry and at least two interfaces on the vCPE, the multicast matching entry includes a first home identifier and first virtual private network VPN information to which the first home belongs, the at least two interfaces include an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding entry is used for forwarding a multicast packet based on the first home. Typically, there is only one interface to the first home terminal, while there may be more interfaces to the VSP server.
If the vCPE is integrated on a physical BRAS, the at least two interfaces may be physical interfaces on the physical BRAS; if the vCPE and the vBRAS are deployed together on a physical server with a general-purpose hardware structure, the at least two interfaces may be virtual interfaces on the vBRAS, and these virtual interfaces are mapped to physical interfaces on the physical server.
Referring to table 1, table 1 is a multicast forwarding table entry according to an embodiment of the present invention. The multicast forwarding table entry is a Layer 2 forwarding table entry for the home. As shown in table 1, the multicast matching entry includes VPN information and QinQ information, where the VPN information identifies the virtual private network VPN in which the home is located and the QinQ information identifies the home. Generally, there is only one interface to the home terminal, while the number of interfaces to the VSP servers equals the number of VSP servers. Table 1 thus represents the association between the multicast matching entry and at least two interfaces on the vCPE, and it is used for home-based multicast packet forwarding.
TABLE 1
Typically, before table 1 is created, a home deployment entry may be configured, and table 1 may be maintained according to the home deployment entry. Please refer to table 2, which is a home deployment entry disclosed in the embodiment of the present invention. There are multiple homes under one VPN, and the QinQ information of each home is different, for example: the QinQ information of home 1 is 1:1 (i.e., the outer VLAN is 1 and the inner VLAN is 1), the QinQ information of home 2 is 1:2, and the QinQ information of different VSP servers (e.g., the VSP1 server and the VSP2 server) for the same home (e.g., home 1) is generally the same as the QinQ information of that home.
TABLE 2
After the vCPE creates the multicast forwarding table entry, the vCPE can forward packets at home granularity within the same VPN. For example, a packet sent by the home terminal to the VSP server may be forwarded as home-based multicast, and a response packet returned by the VSP server to the home terminal may also be forwarded as home-based multicast.
Here, multicast includes both multicast and broadcast. If transmission is carried out in broadcast mode, the vCPE forwards the packet to all users in the VPN. Once a broadcast is sent, every device in the VPN (e.g., home terminals, VSP servers) receives the broadcast packet regardless of whether it needs it. A broadcast packet is a packet/frame sent to all devices in the VPN; its destination MAC address is set to all ones, i.e., the MAC address ff-ff-ff-ff-ff-ff.
If transmission is carried out in multicast mode, when some users in the VPN need a specific packet, the vCPE sends the packet only once; a multicast distribution tree is established for the multicast data packets by means of a multicast routing protocol, and the transmitted packet is copied and distributed at the nodes closest to the terminals. The destination address of the packet is usually a group of hosts, and a host receives the packets sent to the group only after joining the multicast group. In a multicast packet, the 8th bit of the destination MAC address (the least significant bit of the first octet, i.e., the I/G bit) is 1.
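As an added illustration that is not part of the patent text, the following Python parses a QinQ-encapsulated frame of the form described for fig. 2.1 (DA, SA, two 802.1Q tags, Length/Type, DATA, FCS) and classifies the destination MAC address as unicast, multicast or broadcast from the I/G bit described above. The frame builder, the TPID values 0x88A8/0x8100, the CRC-32 FCS check and the sample addresses are assumptions of the example, not details given in the patent.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # C-Tag TPID (inner 802.1Q tag)
TPID_8021AD = 0x88A8  # S-Tag TPID (outer tag); assumption: the carrier uses 802.1ad outer tags
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def is_multicast_mac(raw: bytes) -> bool:
    # I/G bit: the least-significant bit of the first octet, which the
    # description counts as the "8th bit" of the destination MAC address.
    return bool(raw[0] & 0x01)


def build_qinq_frame(da: str, sa: str, outer_vid: int, inner_vid, ethertype: int,
                     payload: bytes) -> bytes:
    """Construct DA | SA | S-Tag | [C-Tag] | Length/Type | DATA | FCS (constructed test input)."""
    body = mac_bytes(da) + mac_bytes(sa) + struct.pack("!HH", TPID_8021AD, outer_vid & 0x0FFF)
    if inner_vid is not None:
        body += struct.pack("!HH", TPID_8021Q, inner_vid & 0x0FFF)
    body += struct.pack("!H", ethertype) + payload
    # The Ethernet FCS is CRC-32 (same conventions as zlib.crc32), transmitted LSB first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_qinq_frame(frame: bytes) -> dict:
    """Split the frame into its fields; VLAN IDs are None where the tag is absent."""
    if len(frame) < 18:  # DA + SA + Length/Type + FCS
        raise ValueError("frame too short for an Ethernet header and FCS")
    fcs_ok = struct.unpack("<I", frame[-4:])[0] == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    da, sa = frame[0:6], frame[6:12]
    offset, vids = 12, []
    # Walk at most two tags; each tag is TPID (2 bytes) + TCI (2 bytes).
    while len(vids) < 2 and offset + 4 <= len(frame) - 4:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP and DEI are the top 4
        offset += 4
    if offset + 2 > len(frame) - 4:
        raise ValueError("frame truncated after VLAN tags")
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if da == BROADCAST_MAC:
        da_kind = "broadcast"  # the all-ones address, a special case of multicast
    elif is_multicast_mac(da):
        da_kind = "multicast"
    else:
        da_kind = "unicast"
    return {
        "da": mac_str(da), "sa": mac_str(sa),
        "outer_vlan": vids[0] if len(vids) >= 1 else None,
        "inner_vlan": vids[1] if len(vids) == 2 else None,
        "ethertype": ethertype, "payload": frame[offset + 2:-4],
        "da_kind": da_kind, "fcs_ok": fcs_ok,
    }


def home_id(parsed: dict):
    """QinQ information written 'outer:inner' as in table 2 (e.g. '1:2'); None if not double-tagged."""
    if parsed["outer_vlan"] is None or parsed["inner_vlan"] is None:
        return None
    return f"{parsed['outer_vlan']}:{parsed['inner_vlan']}"
```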
205. The vCPE creates a first unicast forwarding table entry for the first home terminal.
In this embodiment of the present invention, the vCPE may create a first unicast forwarding table entry for the first home terminal, where the first unicast forwarding table entry includes an association relationship between a first unicast matching entry and the interface to the first home terminal, the first unicast matching entry includes the first home identifier, the first VPN information to which the first home belongs, and the MAC address of the first home terminal, and the first unicast forwarding table entry is used for forwarding unicast packets based on the first home terminal.
Please refer to table 3, where table 3 is a unicast forwarding table entry disclosed in the embodiment of the present invention. Wherein, the unicast forwarding table entry is a two-layer forwarding table entry for the home terminal. As shown in table 3, the unicast matching entry includes VPN information, QinQ information, and a MAC address of the home terminal, where the VPN information is used to identify a virtual private network VPN in which a home to which the home terminal belongs is located, and the QinQ information is used to identify a home, and generally, only one interface to the home terminal is provided. This table 3 may represent the association between the unicast matching entry and the interface to the first home terminal.
TABLE 3
It should be noted that the execution order of step 204 and step 205 is not limited: they may be executed simultaneously, step 204 may be executed before step 205, or step 205 may be executed before step 204.
206. The first home terminal sends a second packet to the vCPE.
In this embodiment of the present invention, after the first home authentication is successful, the second message sent by the first home terminal to the vCPE may be a service message, for example: voice messages, video messages, picture messages, and the like. The second packet may include the first destination MAC address, the first home identifier, and the first VPN information.
207. If the first destination MAC address is a multicast MAC address, the vCPE determines that the packet forwarding mode of the second packet is multicast packet forwarding based on the first home.
In the embodiment of the invention, the destination MAC addresses carried in the message mainly have two types, wherein the first type is a unicast MAC address, and the second type is a multicast MAC address. If the destination MAC address carried in the message is an address of a certain device (i.e., a unicast MAC address), it indicates that the message needs to be unicast-forwarded, and if the destination MAC address carried in the message is a multicast MAC address, it indicates that the message needs to be multicast-forwarded.
In the embodiment of the present invention, after receiving the second packet sent by the first home terminal, the vCPE may determine the packet forwarding mode of the second packet according to the first destination MAC address carried by the second packet. For example, if the first destination MAC address is a unicast MAC address, the packet forwarding mode of the second packet is unicast packet forwarding; if the first destination MAC address is a multicast MAC address, the packet forwarding mode of the second packet is multicast packet forwarding based on the first home. Unicast packet forwarding may be unicast forwarding based on a home terminal or unicast forwarding based on a VSP server, and multicast packet forwarding is generally multicast forwarding based on a home.
208. The vCPE obtains an interface to the VSP server associated with the first home identification and the first VPN information from the multicast forwarding entry.
Specifically, the vCPE may query, from the multicast forwarding table entry (e.g., table 1), a plurality of interfaces associated with the first home identifier and the first VPN information, and remove an ingress interface corresponding to the second packet from the plurality of interfaces (i.e., an interface of the home terminal through which the second packet is received), so that the vCPE may obtain an interface to the VSP server.
For example, assume that the plurality of interfaces queried by the vCPE are interface 1 to interface 10, where interface 1 is the interface to the home terminal and interfaces 2 to 10 are interfaces to the VSP servers, and that the vCPE receives the second packet from interface 1. Here interface 1 is the ingress interface corresponding to the second packet, so the vCPE removes interface 1 from interfaces 1 to 10 and obtains the interfaces to the VSP servers, that is, interfaces 2 to 10.
209. The vCPE sends a second message to the VSP server via an interface to the VSP server.
In the embodiment of the invention, the home terminal and the VSP server are deployed in the same VPN. After the vCPE acquires the interfaces to the VSP server associated with the first home identifier and the first VPN information, the vCPE may copy the second packet onto the interfaces to the VSP server. For example, assuming that there are n interfaces to the VSP server, the vCPE needs to copy the second packet (n-2) times, and each interface to the VSP server then obtains one copy of the second packet. Further, the vCPE may prevent forwarding errors through a "pruning optimization algorithm", that is, it prunes based on the home identifier (e.g., QinQ information) carried by the second packet so as to avoid forwarding the second packet to other homes. The pruning optimization algorithm decides by a simple judgment and avoids unnecessary traversal.
The vCPE may send the second message to the VSP server via each interface to the VSP server, so that the second message sent by the first home terminal to the vCPE may be forwarded to the VSP server, and the first home terminal may access the network.
Therefore, after the vCPE creates the multicast forwarding table entry, multicast packets can be copied accurately at home granularity to implement multicast packet forwarding. Cross-home multicast forwarding does not occur, so the problem that packets cannot be forwarded normally because MAC addresses overlap between homes is solved; at the same time, network attacks between different homes are reduced and network bandwidth is saved.
210. The VSP server sends a second response packet, returned for the second packet, to the vCPE.
The second response packet includes a third destination MAC address, the first home identifier, and the first VPN information.
211. If the third destination MAC address is the MAC address of the first home terminal, the vCPE determines that the packet forwarding mode of the second response packet is unicast packet forwarding based on the first home terminal.
212. The vCPE acquires the interface to the first home terminal, which is associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information, from the first unicast forwarding table entry.
213. The vCPE sends the second response packet to the first home terminal through the interface to the first home terminal.
As an optional implementation manner, in the embodiment of the present invention, the following steps may be used instead of 206 to 209:
11) The first home terminal sends a second packet to the vCPE, where the second packet includes a fourth destination MAC address, the first home identifier, and the first VPN information.
12) If the fourth destination MAC address is the MAC address of the VSP server, the vCPE determines that the packet forwarding mode of the second packet is unicast packet forwarding based on the VSP server.
13) The vCPE acquires the interface to the VSP server, which is associated with the MAC address of the VSP server, the first home identifier, and the first VPN information, from the pre-learned server unicast forwarding table entry.
14) The vCPE sends the second packet to the VSP server through the interface to the VSP server.
In this optional embodiment, the vCPE may learn, in advance, a server interface corresponding to the MAC address of the VSP server based on the ARP protocol, and establish a server unicast forwarding entry.
Please refer to table 4, which is a server unicast forwarding table entry disclosed in the embodiment of the present invention. The server unicast forwarding table entry is a Layer 2 forwarding table entry for the VSP server. As shown in table 4, the unicast matching entry includes VPN information identifying the virtual private network VPN in which the home to which the VSP server belongs is located, QinQ information identifying the home, and the MAC address of the VSP server. Table 4 represents the association between the unicast matching entry and the interface to the VSP server.
TABLE 4
After receiving the second packet sent by the first home terminal, if the fourth destination MAC address is the MAC address of the VSP server, the vCPE may determine that the packet forwarding manner of the second packet is unicast packet forwarding based on the VSP server, and further, the vCPE may query a server unicast forwarding table entry (e.g., table 4) to obtain an interface to the VSP server associated with the MAC address of the VSP server, the first home identifier, and the first VPN information, and send the second packet to the VSP server via the interface to the VSP server, so that the first home terminal may access the network.
As another alternative implementation, in the embodiment of the present invention, steps 210 to 213 may be replaced with the following steps:
21) The VSP server sends a first response packet, returned for the second packet, to the vCPE, where the first response packet includes a second destination MAC address, the first home identifier, and the first VPN information.
22) If the second destination MAC address is a multicast MAC address, the vCPE determines that the packet forwarding mode of the second response packet is multicast packet forwarding based on the first home.
23) The vCPE acquires the interface to the first home terminal, which is associated with the first home identifier and the first VPN information, from the multicast forwarding table entry.
24) The vCPE sends the first response packet to the first home terminal via the interface to the first home terminal.
In this optional embodiment, the vCPE receives a first response packet returned by the VSP server for the second packet, and if the second destination MAC address is the multicast MAC address, the vCPE may determine that the packet forwarding manner of the second response packet is multicast packet forwarding based on the first home. The vCPE may query the multiple interfaces associated with the first home identifier and the first VPN information from the multicast forwarding table entry (e.g., table 1), and remove an incoming interface corresponding to the first response packet from the multiple interfaces (i.e., an interface of the VSP server through which the first response packet is received), so that the vCPE may obtain the interface to the first home terminal and send the first response packet to the first home terminal via the interface to the first home terminal.
As another optional implementation manner, in the embodiment of the present invention, the data transmission method may further include the following steps:
31) The second home terminal sends a third packet to the vCPE, where the third packet includes a second home identifier, second VPN information to which the second home matching the second home identifier belongs, and the MAC address of the second home terminal.
32) The vCPE judges whether the second home identifier is consistent with the first home identifier; if so, step 33) is executed, and if not, the process ends.
33) The vCPE determines that the second home is consistent with the first home.
34) The vCPE creates a second unicast forwarding table entry for the second home terminal, where the second unicast forwarding table entry includes an association relationship between a second unicast matching entry and the interface to the second home terminal, the second unicast matching entry includes the second home identifier, the second VPN information, and the MAC address of the second home terminal, and the second unicast forwarding table entry is used for forwarding unicast packets based on the second home terminal.
In this optional embodiment, after receiving the third packet sent by the second home terminal, the vCPE may determine whether the second home identifier is consistent with the first home identifier, and if so, the vCPE may determine that the second home is consistent with the first home, that is, it may indicate that the first home terminal and the second home terminal are terminals in the same home, and the first home to which the first home terminal belongs has been authenticated before, so that after receiving the third packet sent by the second home terminal, the vCPE does not need to authenticate the second home to which the second home terminal belongs, and may create a second unicast forwarding entry for the second home terminal, where a specific form of the second unicast forwarding entry is similar to table 3, and is not described here. When it is determined that the second home is identical to the first home, the second VPN information is identical to the first VPN information.
Optionally, if the vCPE determines that the second home identifier is inconsistent with the first home identifier, the vCPE may determine that the second home is not the first home, that is, the first home terminal and the second home terminal are terminals in two different homes. At this time, the vCPE needs to send a home authentication request for the second home to the RADIUS, and after the second home is authenticated successfully, the second home terminal may communicate with the VSP server and thereby access the network. When it is determined that the second home is different from the first home, the second VPN information may be the same as the first VPN information, for example: the second home and the first home are two different homes under the same VPN; or the second VPN information and the first VPN information may be different, for example: the second home and the first home are two homes located under two different VPNs.
Optionally, after step 33), the vCPE may receive a third response packet returned by the VSP server for the third packet, further, the vCPE may determine a packet forwarding manner of the third response packet according to a destination MAC address carried by the third response packet, and if the packet forwarding manner of the third response packet is unicast packet forwarding based on the second home terminal, the vCPE may obtain an interface to the second home terminal associated with the MAC address of the second home terminal, the second home identifier, and the second VPN information from the second unicast forwarding table entry, and send the third response packet to the second home terminal through the interface to the second home terminal.
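The following Python model is added here as an example and is not part of the patent's disclosure. It walks through steps 201 to 213 and the optional steps 11) to 34) above: the first packet of a home triggers a stand-in RADIUS check of (home identifier, interface), the table 1 multicast entry is built from a table 2 style deployment map, the forwarding mode is chosen from the destination MAC address, multicast copies are pruned to the home's own interfaces, and unicast entries are keyed by (VPN, home identifier, MAC) so that overlapping MAC addresses in different homes do not collide. Dropping the traffic of an unauthenticated home and of an unknown unicast destination, and the interface and address names, are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    src_mac: str
    home_id: str    # QinQ information written "outer:inner" as in table 2
    vpn: str        # VPN information
    ingress: str    # vCPE interface on which the packet arrived


def is_multicast_mac(mac: str) -> bool:
    # I/G bit: least-significant bit of the first octet; broadcast ff:... is a special case.
    return bool(int(mac.split(":")[0], 16) & 0x01)


class VCPE:
    def __init__(self, radius_store: Set[Tuple[str, str]],
                 home_deployment: Dict[Tuple[str, str], List[str]]) -> None:
        # Stand-in for the RADIUS record of step 203: pre-authorized (home id, interface) pairs.
        self.radius_store = radius_store
        # Stand-in for table 2: (VPN, home id) -> interfaces towards the VSP servers.
        self.home_deployment = home_deployment
        # Table 1: (VPN, home id) -> every interface of that home (terminal side and VSP side).
        self.mcast_table: Dict[Tuple[str, str], Set[str]] = {}
        # Tables 3/4: (VPN, home id, MAC) -> one interface. The MAC is scoped by home,
        # so the same MAC in two homes yields two distinct entries.
        self.ucast_table: Dict[Tuple[str, str, str], str] = {}

    def authenticate_home(self, home_id: str, interface: str) -> bool:
        # Steps 202/203: RADIUS compares home identifier and interface information
        # with the operator's pre-authorized record.
        return (home_id, interface) in self.radius_store

    def receive(self, pkt: Packet) -> List[str]:
        """Return the egress interfaces the packet is sent out of (empty list = dropped)."""
        key = (pkt.vpn, pkt.home_id)
        if key not in self.mcast_table:
            # Steps 201/202: no Layer 2 entry yet, so this is the home's first packet.
            if not self.authenticate_home(pkt.home_id, pkt.ingress):
                return []  # assumption: traffic of an unauthenticated home is dropped
            # Step 204: interface to the home terminal plus the interfaces to the VSP servers.
            self.mcast_table[key] = {pkt.ingress, *self.home_deployment.get(key, [])}
        # Step 205 (home terminal) / pre-learning of table 4 (VSP server): learn the sender.
        self.ucast_table[(pkt.vpn, pkt.home_id, pkt.src_mac)] = pkt.ingress
        # Step 207: the destination MAC address decides the forwarding mode.
        if is_multicast_mac(pkt.dst_mac):
            # Steps 208/209 (and 23/24 in reverse): replicate onto every interface of this
            # home except the ingress one; pruning keeps copies inside the home's interfaces.
            return sorted(self.mcast_table[key] - {pkt.ingress})
        # Steps 211/212 and 12)/13): home-scoped unicast lookup.
        egress = self.ucast_table.get((pkt.vpn, pkt.home_id, pkt.dst_mac))
        return [egress] if egress is not None else []  # assumption: unknown unicast is dropped
```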
In the method flow described in fig. 2, after receiving a first message sent by a first home terminal, if the first message is a first message of a first home, the vCPE needs to request authentication for the first home, and if the first home authentication passes, the vCPE can send a message to the VSP server, so that the first home terminal can access the network, thereby improving the security of the network.
Based on the network architecture shown in fig. 1, the embodiment of the invention discloses a network device. Referring to fig. 3, fig. 3 is a schematic structural diagram of a network device disclosed in an embodiment of the present invention, where the network device 300 performs the function of a virtual customer premises equipment vCPE and may be used to perform all or part of the steps in the data transmission method disclosed in fig. 2; for details, refer to fig. 2, which are not repeated here. As shown in fig. 3, the network device 300 may include:
a receiving unit 301, configured to receive a first message from a first home terminal, where the first message includes a first home identifier;
a first sending unit 302, configured to send a home authentication request to a remote user dial-up authentication server RADIUS if the first packet is a first packet of a first home that matches the first home identifier;
the receiving unit 301 is further configured to receive the successful home authentication information returned by the RADIUS;
a second sending unit 303, configured to send the second packet to a VSP server if the second packet from the first home terminal is received.
Optionally, the network device 300 shown in fig. 3 may further include:
a first creating unit 304, configured to create, after the receiving unit 301 receives the home authentication success information returned by the RADIUS, a multicast forwarding entry, where the multicast forwarding entry includes an association relationship between a multicast matching entry and at least two interfaces, the multicast matching entry includes the first home identifier and first virtual private network VPN information to which the first home belongs, the at least two interfaces include an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding entry is used for forwarding a multicast packet based on the first home.
The second transmitting unit 303 may include:
a first receiving subunit 3031, configured to receive a second packet from the first home terminal, where the second packet includes a first destination MAC address, the first home identifier, and the first VPN information;
a first determining subunit 3032, configured to determine, if the first destination MAC address is a multicast MAC address, that a packet forwarding manner of the second packet is multicast packet forwarding based on the first home;
a first obtaining subunit 3033, configured to obtain, from the multicast forwarding table entry, the interface to the VSP server associated with the first home identifier and the first VPN information;
a first sending subunit 3034, configured to send the second packet to a value added service platform VSP server through the interface to the VSP server.
Optionally, the receiving unit 301 is further configured to receive a first response packet returned by the VSP server for the second packet, where the first response packet includes a second destination MAC address, the first home identifier, and the first VPN information;
the network device 300 shown in fig. 3 may further include:
a first determining unit 305, configured to determine, if the second destination MAC address is a multicast MAC address, that a packet forwarding manner of the second response packet is multicast packet forwarding based on the first home;
a first obtaining unit 306, configured to obtain the interface to the first home terminal associated with the first home identifier and the first VPN information from the multicast forwarding table entry;
the first sending unit 302 is further configured to send the first response packet to the first home terminal via the interface to the first home terminal.
In the network device 300 depicted in fig. 3, after receiving the first packet sent by the first home terminal, if the first packet is the first packet of the first home, the vCPE needs to request authentication for the first home, and if the first home authentication passes, the vCPE can send a packet to the VSP server, so that the first home terminal can access the network, thereby improving the security of the network.
Based on the network architecture shown in fig. 1, the embodiment of the invention discloses a network device. Referring to fig. 4, fig. 4 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention, where the network device 400 performs a function of a virtual customer premises equipment vCPE, and may be used to perform all or part of the steps in the data transmission method disclosed in fig. 2, and the detailed description refers to fig. 2, and is not repeated here. As shown in fig. 4, the network device 400 may include:
a receiving unit 401, configured to receive a first message from a first home terminal, where the first message includes a first home identifier;
a first sending unit 402, configured to send a home authentication request to a remote user dial-up authentication server RADIUS if the first packet is a first packet of a first home that matches the first home identifier;
the receiving unit 401 is further configured to receive the successful home authentication information returned by the RADIUS;
a second sending unit 403, configured to send the second packet to a VSP server if the second packet from the first home terminal is received.
Optionally, the network device 400 shown in fig. 4 may further include:
a second creating unit 404, configured to create a first unicast forwarding entry of the first home terminal after the receiving unit receives the home authentication success information returned by the RADIUS, where the first unicast forwarding entry includes an association relationship between a first unicast matching entry and an interface to the first home terminal, the first unicast matching entry includes the first home identifier, first virtual private network VPN information to which the first home belongs, and a MAC address of the first home terminal, and the first unicast forwarding entry is used for forwarding a unicast packet based on the first home terminal.
Optionally, the receiving unit 401 is further configured to receive a second response packet returned by the VSP server for the second packet, where the second response packet includes a third destination MAC address, the first home identifier, and the first VPN information;
the network device 400 shown in fig. 4 may further include:
a second determining unit 405, configured to determine, if the third destination MAC address is the MAC address of the first home terminal, that a packet forwarding manner of the second response packet is unicast packet forwarding based on the first home terminal;
a second obtaining unit 406, configured to obtain the interface to the first home terminal, which is associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information, from the first unicast forwarding entry;
the first sending unit 402 is further configured to send the second response packet to the first home terminal via the interface to the first home terminal.
In the network device 400 depicted in fig. 4, after receiving the first packet sent by the first home terminal, if the first packet is the first packet of the first home, the vCPE needs to request authentication for the first home, and if the first home authentication passes, the vCPE can send a packet to the VSP server, so that the first home terminal can access the network, thereby improving the security of the network.
Based on the network architecture shown in fig. 1, the embodiment of the invention discloses a network device. Referring to fig. 5, fig. 5 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention, where the network device 500 performs a function of a virtual customer premises equipment vCPE, and may be used to perform all or part of the steps in the data transmission method disclosed in fig. 2, and the detailed description refers to fig. 2, and is not repeated here. As shown in fig. 5, the network device 500 may include:
a receiving unit 501, configured to receive a first message from a first home terminal, where the first message includes a first home identifier;
a first sending unit 502, configured to send a home authentication request to a remote user dial-up authentication server RADIUS if the first packet is a first packet of a first home that matches the first home identifier;
the receiving unit 501 is further configured to receive the successful home authentication information returned by the RADIUS;
a second sending unit 503, configured to send the second packet to the VSP server if the second packet from the first home terminal is received.
Optionally, the second sending unit 503 shown in fig. 5 may include:
a second receiving sub-unit 5031, configured to receive a second packet from the first home terminal, where the second packet includes a fourth destination MAC address, the first home identifier, and first virtual private network VPN information;
a second determining sub-unit 5032, configured to determine, if the fourth destination MAC address is a MAC address of a VSP server, that a packet forwarding manner of the second packet is unicast packet forwarding based on the VSP server;
a second obtaining sub-unit 5033, configured to obtain, from a pre-learned server unicast forwarding entry, an interface to the VSP server associated with the MAC address of the VSP server, the first home identifier, and the first VPN information;
a second sending sub-unit 5034 configured to send the second packet to the VSP server via the interface to the VSP server.
Optionally, the receiving unit 501 is further configured to receive a third packet from a second home terminal, where the third packet includes a second home identifier, second virtual private network VPN information to which a second home matched with the second home identifier belongs, and a MAC address of the second home terminal;
the network device 500 shown in fig. 5 may further include:
a determining unit 504, configured to determine whether the second home identifier is consistent with the first home identifier;
a third determining unit 505, configured to determine that the second home is consistent with the first home when the determining unit 504 determines that the second home identifier is consistent with the first home identifier;
a third creating unit 506, configured to create a second unicast forwarding entry of the second home terminal, where the second unicast forwarding entry includes an association relationship between a second unicast matching entry and an interface to the second home terminal, the second unicast matching entry includes the second home identifier, the second VPN information, and the MAC address of the second home terminal, and the second unicast forwarding entry is used for forwarding a unicast packet based on the second home terminal.
In the network device 500 depicted in fig. 5, after receiving the first packet sent by the first home terminal, if the first packet is the first packet of the first home, the vCPE needs to request authentication for the first home, and if the first home authentication passes, the vCPE can send a packet to the VSP server, so that the first home terminal can access the network, thereby improving the security of the network.
Based on the network architecture shown in fig. 1, the embodiment of the invention discloses a network device. Fig. 6 is a schematic structural diagram of another network device disclosed in the embodiment of the present invention, where the network device 600 performs the function of a virtual customer premises equipment (vCPE) and may be used to perform all or part of the steps in the data transmission method disclosed in fig. 2; for the details, refer to fig. 2, which are not repeated here. As shown in fig. 6, the network device 600 may include at least one processor 601, for example a Central Processing Unit (CPU), at least one receiver 602, at least one transmitter 603, and a memory 604, where the processor 601, the receiver 602, the transmitter 603, and the memory 604 are each connected to a communication bus. The memory 604 may be a high-speed RAM memory or a non-volatile memory. Those skilled in the art will appreciate that the configuration of the network device 600 shown in fig. 6 is not intended to limit the present invention: the network device may use a bus architecture or a star architecture, include more or fewer components than those shown in fig. 6, combine certain components, or arrange the components differently.
The processor 601 is the control center of the network device 600 and may be a Central Processing Unit (CPU). The processor 601 connects the various parts of the entire network device 600 through various interfaces and lines, runs or executes the software programs and/or modules stored in the memory 604, and calls the program code stored in the memory 604 to perform the following operations:
receiving, by the receiver 602, a first packet from a first home terminal, where the first packet includes a first home identifier;
if the first packet is the first packet of the first home matching the first home identifier, sending a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server through the transmitter 603;
receiving, by the receiver 602, the home authentication success information returned by the RADIUS server; and
if a second packet from the first home terminal is received, sending the second packet to a value added service platform (VSP) server through the transmitter 603.
Optionally, after the home authentication success information returned by the RADIUS server is received through the receiver 602, the processor 601 may further call the program code stored in the memory 604 to perform the following operation:
creating a multicast forwarding entry, where the multicast forwarding entry includes an association relationship between a multicast matching entry and at least two interfaces, the multicast matching entry includes the first home identifier and first virtual private network (VPN) information to which the first home belongs, the at least two interfaces include an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding entry is used for forwarding a multicast packet based on the first home.
Optionally, if a second packet from the first home terminal is received, sending the second packet to the VSP server through the transmitter 603 includes:
receiving, by the receiver 602, the second packet from the first home terminal, where the second packet includes a first destination MAC address, the first home identifier, and the first VPN information;
if the first destination MAC address is a multicast MAC address, determining that the packet forwarding manner of the second packet is multicast packet forwarding based on the first home;
obtaining, from the multicast forwarding entry, the interface to the VSP server associated with the first home identifier and the first VPN information; and
sending, by the transmitter 603, the second packet to the value added service platform (VSP) server via the interface to the VSP server.
Optionally, the processor 601 may also call the program code stored in the memory 604 to perform the following operations:
receiving, by the receiver 602, a first response packet returned by the VSP server for the second packet, where the first response packet includes a second destination MAC address, the first home identifier, and the first VPN information;
if the second destination MAC address is a multicast MAC address, determining that the packet forwarding manner of the first response packet is multicast packet forwarding based on the first home;
obtaining, from the multicast forwarding entry, the interface to the first home terminal associated with the first home identifier and the first VPN information; and
sending, by the transmitter 603, the first response packet to the first home terminal via the interface to the first home terminal.
Optionally, after the home authentication success information returned by the RADIUS server is received through the receiver 602, the processor 601 may further call the program code stored in the memory 604 to perform the following operation:
creating a first unicast forwarding entry of the first home terminal, where the first unicast forwarding entry includes an association relationship between a first unicast matching entry and an interface to the first home terminal, the first unicast matching entry includes the first home identifier, first virtual private network (VPN) information to which the first home belongs, and a MAC address of the first home terminal, and the first unicast forwarding entry is used for forwarding a unicast packet based on the first home terminal.
Optionally, the processor 601 may also call the program code stored in the memory 604 to perform the following operations:
receiving, by the receiver 602, a second response packet returned by the VSP server for the second packet, where the second response packet includes a third destination MAC address, the first home identifier, and the first VPN information;
if the third destination MAC address is the MAC address of the first home terminal, determining that the packet forwarding manner of the second response packet is unicast packet forwarding based on the first home terminal;
obtaining, from the first unicast forwarding entry, the interface to the first home terminal associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information; and
sending, by the transmitter 603, the second response packet to the first home terminal via the interface to the first home terminal.
Optionally, if a second packet from the first home terminal is received, sending the second packet to the VSP server through the transmitter 603 includes:
receiving, by the receiver 602, the second packet from the first home terminal, where the second packet includes a fourth destination MAC address, the first home identifier, and first virtual private network (VPN) information;
if the fourth destination MAC address is the MAC address of a value added service platform (VSP) server, determining that the packet forwarding manner of the second packet is unicast packet forwarding based on the VSP server;
obtaining, from a pre-learned server unicast forwarding entry, the interface to the VSP server associated with the MAC address of the VSP server, the first home identifier, and the first VPN information; and
sending, by the transmitter 603, the second packet to the VSP server via the interface to the VSP server.
Optionally, the processor 601 may also call the program code stored in the memory 604 to perform the following operations:
receiving, by the receiver 602, a third packet from a second home terminal, where the third packet includes a second home identifier, second virtual private network (VPN) information to which a second home matching the second home identifier belongs, and a MAC address of the second home terminal;
determining whether the second home identifier is consistent with the first home identifier;
if so, determining that the second home is the same home as the first home; and
creating a second unicast forwarding entry of the second home terminal, where the second unicast forwarding entry includes an association relationship between a second unicast matching entry and an interface to the second home terminal, the second unicast matching entry includes the second home identifier, the second VPN information, and the MAC address of the second home terminal, and the second unicast forwarding entry is used for forwarding a unicast packet based on the second home terminal.
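A runnable model of the forwarding decisions listed above, added here as an example and not code from the patent or from Huawei: authentication is triggered by the first packet of a home, the multicast and unicast entries exist only after the (simulated) RADIUS acceptance, and later packets are steered by destination MAC through those entries. The RADIUS server is stood in for by a set of accepted home identifiers; all identifiers, MAC addresses and interface names are constructed, and keeping every learned terminal interface in the multicast entry generalises the text's two-interface case.

```python
"""Toy model of the vCPE forwarding logic described in this patent.

Added example, not code from the patent or from Huawei. Home identifiers,
VPN labels, MAC addresses and interface names are constructed sample values,
and the RADIUS exchange is stood in for by a set of accepted home identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    home_id: str   # home identifier carried in every packet
    vpn: str       # VPN information of the home the identifier matches


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (least-significant bit of the first octet) marks a group MAC."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class VCPE:
    """Layer 2 vCPE holding the three tables the text names."""

    def __init__(self, radius_accepts, vsp_mac, vsp_iface):
        self.radius_accepts = set(radius_accepts)  # stand-in for the RADIUS server
        self.vsp_mac = vsp_mac
        self.vsp_iface = vsp_iface
        self.authenticated = set()   # homes whose authentication succeeded
        self.multicast = {}          # (home_id, vpn) -> set of interfaces
        self.unicast = {}            # (home_id, vpn, terminal MAC) -> interface
        self.server_unicast = {}     # (home_id, vpn, VSP MAC) -> interface to VSP

    def prelearn_server(self, home_id, vpn):
        """Pre-learned server unicast forwarding entry for one home."""
        self.server_unicast[(home_id, vpn, self.vsp_mac)] = self.vsp_iface

    def from_home(self, pkt, in_iface):
        """Packet arriving on a home-side interface; returns the decision taken."""
        key = (pkt.home_id, pkt.vpn)
        if pkt.home_id not in self.authenticated:
            # First packet of this home: authenticate before anything is forwarded.
            if pkt.home_id not in self.radius_accepts:
                return ("drop", "home authentication failed")
            self.authenticated.add(pkt.home_id)
            # On success: multicast entry (home side + VSP side) and a unicast
            # entry for the terminal that sent the first packet.
            self.multicast[key] = {in_iface, self.vsp_iface}
            self.unicast[(pkt.home_id, pkt.vpn, pkt.src_mac)] = in_iface
            return ("authenticated", pkt.home_id)
        if key not in self.multicast:
            # Same home identifier but different VPN information: not the
            # authenticated home, so nothing is learned or forwarded.
            return ("drop", "VPN information does not match the authenticated home")
        # Same home identifier as an authenticated home: learn this terminal's MAC
        # without a second RADIUS exchange (the "second home terminal" case).
        self.unicast.setdefault((pkt.home_id, pkt.vpn, pkt.src_mac), in_iface)
        self.multicast[key].add(in_iface)
        if is_multicast_mac(pkt.dst_mac):
            # Multicast from the home goes out the VSP interface of the entry.
            return ("forward", [self.vsp_iface])
        out = self.server_unicast.get((pkt.home_id, pkt.vpn, pkt.dst_mac))
        if out is None:
            return ("drop", "no server unicast entry for destination MAC")
        return ("forward", [out])

    def from_vsp(self, pkt):
        """Response packet arriving from the VSP server."""
        key = (pkt.home_id, pkt.vpn)
        if pkt.home_id not in self.authenticated or key not in self.multicast:
            return ("drop", "home not authenticated")
        if is_multicast_mac(pkt.dst_mac):
            # Multicast response goes to every home-side interface of the entry.
            return ("forward", sorted(self.multicast[key] - {self.vsp_iface}))
        out = self.unicast.get((pkt.home_id, pkt.vpn, pkt.dst_mac))
        if out is None:
            return ("drop", "unknown home terminal MAC")
        return ("forward", [out])
```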
It should be noted that, for simplicity of description, the method embodiments above are described as a series of acts or combinations of acts, but those skilled in the art should understand that the present application is not limited by the order of the acts described, since some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments, and that the acts and elements referred to are not necessarily required by this application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts that are not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the scope of the appended claims is not limited thereby.

Claims (20)

1. A data transmission method, applied to a virtual customer premises equipment (vCPE) that supports a Layer 2 data forwarding function, the method comprising:
receiving a first packet from a first home terminal, wherein the first packet comprises a first home identifier;
if the first packet is the first packet of the first home matching the first home identifier, sending a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server;
receiving the home authentication success information returned by the RADIUS server; and
after receiving the home authentication success information returned by the RADIUS server, if a second packet is received from the first home terminal, sending the second packet to a value added service platform (VSP) server.
2. The method according to claim 1, wherein after receiving the home authentication success information returned by the RADIUS server, the method further comprises:
creating a multicast forwarding entry, wherein the multicast forwarding entry comprises an association relationship between a multicast matching entry and at least two interfaces, the multicast matching entry comprises the first home identifier and first virtual private network (VPN) information to which the first home belongs, the at least two interfaces comprise an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding entry is used for forwarding a multicast packet based on the first home.
3. The method according to claim 2, wherein sending the second packet to the VSP server if the second packet is received from the first home terminal comprises:
receiving the second packet from the first home terminal, wherein the second packet comprises a first destination MAC address, the first home identifier, and the first VPN information;
if the first destination MAC address is a multicast MAC address, determining that the packet forwarding manner of the second packet is multicast packet forwarding based on the first home;
obtaining, from the multicast forwarding entry, the interface to the VSP server associated with the first home identifier and the first VPN information; and
sending the second packet to the value added service platform (VSP) server through the interface to the VSP server.
4. The method of claim 2, further comprising:
receiving a first response packet returned by the VSP server for the second packet, wherein the first response packet comprises a second destination MAC address, the first home identifier, and the first VPN information;
if the second destination MAC address is a multicast MAC address, determining that the packet forwarding manner of the first response packet is multicast packet forwarding based on the first home;
obtaining, from the multicast forwarding entry, the interface to the first home terminal associated with the first home identifier and the first VPN information; and
sending the first response packet to the first home terminal through the interface to the first home terminal.
5. The method of claim 3, further comprising:
receiving a first response packet returned by the VSP server for the second packet, wherein the first response packet comprises a second destination MAC address, the first home identifier, and the first VPN information;
if the second destination MAC address is a multicast MAC address, determining that the packet forwarding manner of the first response packet is multicast packet forwarding based on the first home;
obtaining, from the multicast forwarding entry, the interface to the first home terminal associated with the first home identifier and the first VPN information; and
sending the first response packet to the first home terminal through the interface to the first home terminal.
6. The method according to claim 1, wherein after receiving the home authentication success information returned by the RADIUS server, the method further comprises:
creating a first unicast forwarding entry of the first home terminal, wherein the first unicast forwarding entry comprises an association relationship between a first unicast matching entry and an interface to the first home terminal, the first unicast matching entry comprises the first home identifier, first virtual private network (VPN) information to which the first home belongs, and a MAC address of the first home terminal, and the first unicast forwarding entry is used for forwarding a unicast packet based on the first home terminal.
7. The method of claim 6, further comprising:
receiving a second response packet returned by the VSP server for the second packet, wherein the second response packet comprises a third destination MAC address, the first home identifier, and the first VPN information;
if the third destination MAC address is the MAC address of the first home terminal, determining that the packet forwarding manner of the second response packet is unicast packet forwarding based on the first home terminal;
obtaining, from the first unicast forwarding entry, the interface to the first home terminal associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information; and
sending the second response packet to the first home terminal through the interface to the first home terminal.
8. The method according to claim 1, wherein sending the second packet to the VSP server if the second packet is received from the first home terminal comprises:
receiving the second packet from the first home terminal, wherein the second packet comprises a fourth destination MAC address, the first home identifier, and first virtual private network (VPN) information;
if the fourth destination MAC address is the MAC address of a value added service platform (VSP) server, determining that the packet forwarding manner of the second packet is unicast packet forwarding based on the VSP server;
obtaining, from a pre-learned server unicast forwarding entry, an interface to the VSP server associated with the MAC address of the VSP server, the first home identifier, and the first VPN information; and
sending the second packet to the VSP server through the interface to the VSP server.
9. The method according to any one of claims 1 to 8, further comprising:
receiving a third packet from a second home terminal, wherein the third packet comprises a second home identifier, second virtual private network (VPN) information to which a second home matching the second home identifier belongs, and a media access control (MAC) address of the second home terminal;
determining whether the second home identifier is consistent with the first home identifier;
if so, determining that the second home is the same home as the first home; and
creating a second unicast forwarding entry of the second home terminal, wherein the second unicast forwarding entry comprises an association relationship between a second unicast matching entry and an interface to the second home terminal, the second unicast matching entry comprises the second home identifier, the second VPN information, and the MAC address of the second home terminal, and the second unicast forwarding entry is used for forwarding a unicast packet based on the second home terminal.
10. A network device, wherein the network device is a virtual customer premises equipment (vCPE) that supports a Layer 2 data forwarding function, the network device comprising:
a receiving unit, configured to receive a first packet from a first home terminal, wherein the first packet comprises a first home identifier;
a first sending unit, configured to send a home authentication request to a Remote Authentication Dial-In User Service (RADIUS) server if the first packet is the first packet of a first home matching the first home identifier;
the receiving unit being further configured to receive the home authentication success information returned by the RADIUS server; and
a second sending unit, configured to send a second packet to a value added service platform (VSP) server if the second packet is received from the first home terminal after the receiving unit receives the home authentication success information returned by the RADIUS server.
11. The device of claim 10, wherein the network device further comprises:
a first creating unit, configured to create a multicast forwarding entry after the receiving unit receives the home authentication success information returned by the RADIUS server, wherein the multicast forwarding entry comprises an association relationship between a multicast matching entry and at least two interfaces, the multicast matching entry comprises the first home identifier and first virtual private network (VPN) information to which the first home belongs, the at least two interfaces comprise an interface to the first home terminal and an interface to the VSP server, and the multicast forwarding entry is used for forwarding a multicast packet based on the first home.
12. The device of claim 11, wherein the second sending unit comprises:
a first receiving subunit, configured to receive the second packet from the first home terminal, wherein the second packet comprises a first destination MAC address, the first home identifier, and the first VPN information;
a first determining subunit, configured to determine, if the first destination MAC address is a multicast MAC address, that the packet forwarding manner of the second packet is multicast packet forwarding based on the first home;
a first obtaining subunit, configured to obtain, from the multicast forwarding entry, the interface to the VSP server associated with the first home identifier and the first VPN information; and
a first sending subunit, configured to send the second packet to the value added service platform (VSP) server through the interface to the VSP server.
13. The device according to claim 11, wherein the receiving unit is further configured to receive a first response packet returned by the VSP server for the second packet, the first response packet comprising a second destination MAC address, the first home identifier, and the first VPN information;
the network device further comprises:
a first determining unit, configured to determine that the packet forwarding manner of the first response packet is multicast packet forwarding based on the first home if the second destination MAC address is a multicast MAC address; and
a first obtaining unit, configured to obtain, from the multicast forwarding entry, the interface to the first home terminal associated with the first home identifier and the first VPN information; and
the first sending unit is further configured to send the first response packet to the first home terminal through the interface to the first home terminal.
14. The device according to claim 12, wherein the receiving unit is further configured to receive a first response packet returned by the VSP server for the second packet, the first response packet comprising a second destination MAC address, the first home identifier, and the first VPN information;
the network device further comprises:
a first determining unit, configured to determine that the packet forwarding manner of the first response packet is multicast packet forwarding based on the first home if the second destination MAC address is a multicast MAC address; and
a first obtaining unit, configured to obtain, from the multicast forwarding entry, the interface to the first home terminal associated with the first home identifier and the first VPN information; and
the first sending unit is further configured to send the first response packet to the first home terminal through the interface to the first home terminal.
15. The device of claim 10, wherein the network device further comprises:
a second creating unit, configured to create a first unicast forwarding entry of the first home terminal after the receiving unit receives the home authentication success information returned by the RADIUS server, wherein the first unicast forwarding entry comprises an association relationship between a first unicast matching entry and an interface to the first home terminal, the first unicast matching entry comprises the first home identifier, first virtual private network (VPN) information to which the first home belongs, and a MAC address of the first home terminal, and the first unicast forwarding entry is used for forwarding a unicast packet based on the first home terminal.
16. The device according to claim 15, wherein the receiving unit is further configured to receive a second response packet returned by the VSP server for the second packet, the second response packet comprising a third destination MAC address, the first home identifier, and the first VPN information;
the network device further comprises:
a second determining unit, configured to determine that the packet forwarding manner of the second response packet is unicast packet forwarding based on the first home terminal if the third destination MAC address is the MAC address of the first home terminal; and
a second obtaining unit, configured to obtain, from the first unicast forwarding entry, the interface to the first home terminal associated with the MAC address of the first home terminal, the first home identifier, and the first VPN information; and
the first sending unit is further configured to send the second response packet to the first home terminal through the interface to the first home terminal.
17. The device of claim 10, wherein the second sending unit comprises:
a second receiving subunit, configured to receive the second packet from the first home terminal, wherein the second packet comprises a fourth destination MAC address, the first home identifier, and first virtual private network (VPN) information;
a second determining subunit, configured to determine, if the fourth destination MAC address is a MAC address of a VSP server, that the packet forwarding manner of the second packet is unicast packet forwarding based on the VSP server;
a second obtaining subunit, configured to obtain, from a pre-learned server unicast forwarding entry, an interface to the VSP server associated with the MAC address of the VSP server, the first home identifier, and the first VPN information; and
a second sending subunit, configured to send the second packet to the VSP server through the interface to the VSP server.
18. The device according to any one of claims 10 to 17, wherein the receiving unit is further configured to receive a third packet from a second home terminal, the third packet comprising a second home identifier, second virtual private network (VPN) information to which a second home matching the second home identifier belongs, and a MAC address of the second home terminal;
the network device further comprises:
a determining unit, configured to determine whether the second home identifier is consistent with the first home identifier;
a third determining unit, configured to determine that the second home is the same home as the first home when the determining unit determines that the second home identifier is consistent with the first home identifier; and
a third creating unit, configured to create a second unicast forwarding entry of the second home terminal, wherein the second unicast forwarding entry comprises an association relationship between a second unicast matching entry and an interface to the second home terminal, the second unicast matching entry comprises the second home identifier, the second VPN information, and the MAC address of the second home terminal, and the second unicast forwarding entry is used for forwarding a unicast packet based on the second home terminal.
19. A computer-readable storage medium storing a computer program which, when executed by a processor, performs the method of any one of claims 1 to 9.
20. A network device, comprising a processor and a memory;
wherein the processor is configured to call program code stored in the memory to perform the method of any one of claims 1 to 9.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610286483.5A CN106059994B (en) 2016-04-29 2016-04-29 Data transmission method and network equipment
PCT/CN2017/081552 WO2017186069A1 (en) 2016-04-29 2017-04-22 Data transmission method and network device
Publications (2)

Publication Number Publication Date
CN106059994A CN106059994A (en) 2016-10-26
CN106059994B true CN106059994B (en) 2020-02-14
Also Published As

Publication number Publication date
CN106059994A (en) 2016-10-26
WO2017186069A1 (en) 2017-11-02

Similar Documents

Publication Publication Date Title
CN106059994B (en) Data transmission method and network equipment
US8875233B2 (en) Isolation VLAN for layer two access networks
US9112725B2 (en) Dynamic VLAN IP network entry
US8953601B2 (en) Internet protocol version six (IPv6) addressing and packet filtering in broadband networks
CN101326763B (en) System and method for authentication of SP Ethernet aggregation networks
US20180205575A1 (en) Broadband access
CN101179603B (en) Method and device for controlling user network access in IPv6 network
CN112039920B (en) Communication method, communication device, electronic device and storage medium
WO2009094928A1 (en) A method and equipment for transmitting a message based on the layer-2 tunnel protocol
US7593397B2 (en) Method for securing communication in a local area network switch
CN102710485B (en) Transparent proxy method and proxy server
US10404648B2 (en) Addressing for customer premises LAN expansion
CN111756565B (en) Managing satellite devices within a branched network
CN103220276B (en) A kind of method of network insertion, gateway and system
WO2011147342A1 (en) Method, equipment and system for exchanging routing information
EP4096294A1 (en) Route advertising method, network elements, system, and device
CN102098278B (en) Subscriber access method and system as well as access server and device
CN108702324B (en) Device for client LAN expansion
CN107547467B (en) Circuit authentication processing method, system and controller
US9025606B2 (en) Method and network node for use in link level communication in a data communications network
EP2073506B1 (en) Method for resolving a logical user address in an aggregation network
WO2008119289A1 (en) Method and device for sending mac
Khan The media layers of the OSI (Open Systems Interconnection) Reference model: A tutorial
CN115987719A (en) Edge cloud gateway system
Sequeira CompTIA Network+ N10-006 Quick Reference

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant