CN107547351A - Address distribution method and device - Google Patents
- Publication number: CN107547351A (application CN201710686367.7A)
- Authority: CN (China)
- Prior art keywords: user, address, DHCP message, equipment, controller
- Legal status: Granted
Abstract
This disclosure relates to an address allocation method and device. The method includes: a controller receives, through a VXLAN tunnel, a first DHCP message sent by a gateway device, the first DHCP message carrying the identity information of a user; the controller queries, according to the identity information, whether a first IP address corresponding to the user is stored locally; if the query result is yes, the controller replies to the gateway device through the VXLAN tunnel with a second DHCP message that contains the first IP address, and the second DHCP message instructs the gateway device to allocate the first IP address to the user. A user who remotely accesses a specific area network through the gateway device and a user who accesses from a device inside that network can thereby be allocated the same IP address, which helps ensure normal communication inside and outside the specific area network.
Description
Technical field
This disclosure relates to the field of communication technology, and in particular to an address allocation method and device.
Background
VXLAN (Virtual eXtensible Local Area Network) is a Layer 2 VPN (Virtual Private Network) technology that runs over an IP network and uses a "MAC in UDP" encapsulation format. VXLAN can provide Layer 2 interconnection for dispersed physical sites over an existing service-provider or enterprise IP (Internet Protocol) network, and can provide service isolation for different tenants.
VXLAN is mainly used in data center networks. VXLAN has the following features:
A. Supports a large number of tenants: using a 24-bit identifier, it can support at most 2^24 (16777216) VXLANs, which greatly increases the number of supported tenants and solves the problem of insufficient VLAN resources in traditional Layer 2 networks.
B. Easy to maintain: building a large Layer 2 network on top of an IP network makes network design and maintenance easier, and existing IP network technologies can be fully utilized, such as load balancing over equal-cost routes. Only the edge devices of the IP core network need to perform VXLAN processing; intermediate network devices only need to forward packets according to the IP header, which reduces the difficulty and cost of network deployment.
VXLAN technology uses the existing Layer 3 physical network as the Underlay (bottom) network and builds a virtual Layer 2 network, the Overlay (top) network, on top of it. The Overlay network uses encapsulation to carry tenants' Layer 2 frames over the Layer 3 forwarding paths provided by the Underlay network, so that tenant Layer 2 traffic is transported between different sites across a Layer 3 network. For a tenant, the Underlay network is transparent, and the different sites of the same tenant operate as if they were in one LAN.
Fig. 1 is a schematic diagram of the structure of a typical VXLAN network model. As shown in Fig. 1, a VXLAN consists of the following parts:
VM (Virtual Machine): multiple virtual machines can be created on one server, and different virtual machines may belong to different VXLANs. Virtual machines belonging to the same VXLAN are in the same logical Layer 2 network and can communicate with each other at Layer 2. Virtual machines belonging to different VXLANs are isolated at Layer 2. A VXLAN is identified by a VXLAN ID, also called a VNI (VXLAN Network Identifier), which is 24 bits long.
VTEP (VXLAN Tunnel End Point): the edge device of a VXLAN. All VXLAN-related processing is performed on the VTEP, such as identifying the VXLAN an Ethernet frame belongs to, Layer 2 forwarding of frames based on the VXLAN, and encapsulating/decapsulating packets. A VTEP can be an independent physical device or the server hosting the virtual machines.
VXLAN tunnel: a point-to-point logical tunnel between two VTEPs. A VTEP adds a VXLAN header, a UDP (User Datagram Protocol) header and an IP header to a frame, then sends the encapsulated packet through the VXLAN tunnel to the remote VTEP, which decapsulates it.
Core device: a device in the IP core network. Core devices do not take part in VXLAN processing; they only perform Layer 3 forwarding of encapsulated packets according to the packets' destination IP address.
VSI (Virtual Switch Instance): a virtual switch instance on a VTEP that provides Layer 2 switching service for one VXLAN. A VSI can be regarded as a virtual switch on the VTEP that performs Layer 2 forwarding within the VXLAN. A VSI has all the functions of a traditional Ethernet switch, including source MAC learning, MAC address aging and flooding. VSIs and VXLANs correspond one to one.
For users dynamically accessing VXLAN services, the most common scheme at present is to obtain the user's IP address from a DHCP (Dynamic Host Configuration Protocol) server. As shown in Fig. 2, for a campus, user A is authenticated by portsec (port security) authentication when coming online inside the campus, and is authenticated by SSLVPN (Security Socket Layer VPN) when accessing from outside the campus. In both cases the IP address is obtained from the DHCP server.
Fig. 2 is a diagram of an existing VXLAN implementation. As shown in Fig. 2, user A accesses dynamically through VXLAN inside the campus and through a VPN outside the campus. At present, the DHCP server can allocate IP addresses from different subnets to the two access modes in order to ensure that services inside and outside the campus interoperate.
Summary of the invention
In view of this, the present disclosure proposes an address allocation method and device.
According to one aspect of the disclosure, an address allocation method is provided, including:
a controller receives, through a Virtual eXtensible LAN (VXLAN) tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
the controller queries, according to the identity information, whether a first IP address corresponding to the user is stored locally;
if the query result is yes, the controller replies to the gateway device through the VXLAN tunnel with a second DHCP message, the second DHCP message contains the first IP address, and the second DHCP message instructs the gateway device to allocate the first IP address to the user.
According to another aspect of the disclosure, an address allocation method is provided, including:
a gateway device sends a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
the gateway device receives, through the VXLAN tunnel, a second DHCP message replied by the controller, the second DHCP message containing the IP address corresponding to the user;
the gateway device allocates the IP address corresponding to the user to the user.
According to another aspect of the disclosure, an address allocation device is provided, including:
a first receiving module, for receiving, through a Virtual eXtensible LAN (VXLAN) tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
a query module, for querying, according to the identity information, whether a first IP address corresponding to the user is stored locally;
a first sending module, for replying to the gateway device through the VXLAN tunnel with a second DHCP message when the query result is yes, the second DHCP message containing the first IP address and instructing the gateway device to allocate the first IP address to the user.
According to another aspect of the disclosure, an address allocation device is provided, including:
a third sending module, for sending a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
a second receiving module, for receiving, through the VXLAN tunnel, a second DHCP message replied by the controller, the second DHCP message containing the IP address corresponding to the user;
a first allocation module, for allocating the IP address corresponding to the user to the user.
With the address allocation method and device of the disclosure, a user who remotely accesses a specific area network through the gateway device and a user who accesses from a device inside the specific area network can be allocated the same IP address, which helps ensure normal communication inside and outside the specific area network. Further, it is advantageous for binding the user to the IP address, so that the user's access rights migrate together with the IP address. In addition, there is no need to reallocate the user's IP address and security domain according to the user's access location.
Other features and aspects of the disclosure will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are included in and form part of the specification, illustrate exemplary embodiments, features and aspects of the disclosure together with the specification, and serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of the structure of a typical VXLAN network model.
Fig. 2 is a diagram of an existing VXLAN implementation.
Fig. 3 shows a flow chart of an address allocation method according to an embodiment of the disclosure.
Fig. 4 shows another flow chart of the address allocation method according to an embodiment of the disclosure.
Fig. 5 shows a flow chart of an address allocation method according to another embodiment of the disclosure.
Fig. 6 shows another flow chart of the address allocation method according to another embodiment of the disclosure.
Fig. 7 shows a schematic diagram of an application scenario of the address allocation method according to an embodiment of the disclosure.
Fig. 8 shows a flow chart of an address allocation method according to another embodiment of the disclosure.
Fig. 9 shows a schematic structural diagram of an address allocation device according to an embodiment of the disclosure.
Fig. 10 shows another schematic structural diagram of the address allocation device according to an embodiment of the disclosure.
Fig. 11 shows a schematic structural diagram of an address allocation device according to another embodiment of the disclosure.
Fig. 12 shows another schematic structural diagram of the address allocation device according to another embodiment of the disclosure.
Embodiment
Various exemplary embodiments, features and aspects of the disclosure are described in detail below with reference to the accompanying drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless specifically noted.
The word "exemplary" here means "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are given in the embodiments below in order to better explain the disclosure. Those skilled in the art will appreciate that the disclosure can equally be implemented without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, in order to highlight the gist of the disclosure.
In the implementation of Fig. 2, for EVPN (Ethernet VPN) networking, if the IP address a user obtains when accessing the specific area network (e.g. a campus) from outside and the IP address the user obtains when accessing from inside are different addresses in the same subnet, then, because the SPINE device can only advertise subnet routes, the external-network route conflicts with the internal host route, and communication may fail (e.g. the user cannot communicate between inside and outside the campus). For example, when user A accesses from the VPN GW, the DHCP server allocates IP address 10.1.1.10 to user A. When user A logs in from a LEAF device inside the campus, the DHCP server allocates IP address 10.1.1.11 to the user. The two addresses are different IP addresses in the same subnet. The SPINE device can only select the internal /32 host route 10.1.1.11 for forwarding and will not select the /24 external-network route 10.1.1.10, so user A cannot communicate normally between inside and outside the campus.
In the embodiments of the disclosure, the DHCP server can allocate IP addresses per user, so that the same user logs in with one IP address whether inside or outside the campus, which ensures the user's normal communication inside and outside the campus.
Fig. 3 shows a flow chart of an address allocation method according to an embodiment of the disclosure. As shown in Fig. 3, the method can be applied to a controller and can include:
Step 301: the controller receives, through a VXLAN tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
Step 302: the controller queries, according to the identity information, whether a first IP address corresponding to the user is stored locally;
Step 303: if the query result is yes, the controller replies to the gateway device through the VXLAN tunnel with a second DHCP message, the second DHCP message contains the first IP address, and the second DHCP message instructs the gateway device to allocate the first IP address to the user.
In the embodiments of the disclosure, the gateway device can be a gateway device with VPN functions, such as the VPN GW in Fig. 2.
In one possible implementation, as shown in Fig. 4, in step 400, when the user accesses through a device inside the specific area network, the DHCP server is requested to allocate an unused IP address to the user; the controller takes the IP address allocated to the user accessing through the device inside the specific area network as the first IP address and records a first correspondence between the user and the first IP address.
In addition, in step 401, a VXLAN tunnel can be established between the controller and the gateway device. The VXLAN tunnel between the controller and the gateway device enables direct communication between them. The VXLAN tunnel can also serve as a dedicated tunnel for triggering a local IP address lookup: after the controller receives a DHCP message from this VXLAN tunnel, it can first perform a local lookup to find whether an IP address corresponding to the user exists locally on the controller.
Also, a special VXLAN network identifier can be configured on the SPINE device and the VPN GW. In one possible implementation, the first DHCP message also contains a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier instructs the controller to allocate to the user the locally stored first IP address corresponding to the user. After the controller receives the first DHCP message from the VXLAN tunnel and obtains the special VXLAN network identifier from it, it can first perform the local lookup.
In one possible implementation, as shown in Fig. 4, in step 402, if the query result of step 302 is no, the controller requests the DHCP server to allocate an unused second IP address to the user, and replies to the gateway device through the VXLAN tunnel with a third DHCP message, the third DHCP message containing the second IP address and instructing the gateway device to allocate the second IP address to the user.
In one possible implementation, the controller records a second correspondence between the user and the second IP address, so that when the user accesses through a device inside the specific area network, the controller can allocate the second IP address to the user according to the second correspondence.
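The controller-side decision logic of steps 301-303 and 400-402 (local lookup keyed on the user's identity, reply with the recorded first IP address, otherwise allocate a second IP address and record it) modelled as an added Python example. This is not code from the patent; the DhcpMessage dataclass, the AddressPool stand-in for the DHCP server, the user names and the addresses other than 100.1.1.2 are constructed here for illustration, and the assumption that a user who logged in inside before keeps that first address on a later internal login is mine.

```python
"""Controller-side allocation logic of the Fig. 3 / Fig. 4 flow (steps 301-303 and
400-402) as an added, illustrative model; this is not code from the patent.
The DhcpMessage dataclass, the AddressPool stand-in for the DHCP server and the
sample addresses are constructed here for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VPN_ACCESS_VNI = 65535  # special VNI marking a VPN-access DHCP message (from the page)


@dataclass
class DhcpMessage:
    """Minimal stand-in for a DHCP message carried over the controller-gateway tunnel."""
    user_id: str                 # identity information (account / login name)
    vni: int                     # VNI of the VXLAN encapsulation the message arrived in
    ip: Optional[str] = None     # offered IP address (set only in the reply)
    kind: str = "request"        # "request" for the first message, "offer" for replies


class AddressPool:
    """Stand-in for the DHCP server: hands out unused addresses in order."""

    def __init__(self, addresses):
        self._free = list(addresses)
        self.in_use: Set[str] = set()

    def allocate(self) -> str:
        if not self._free:
            raise RuntimeError("address pool exhausted")
        ip = self._free.pop(0)
        self.in_use.add(ip)
        return ip


@dataclass
class Controller:
    pool: AddressPool
    # step 400: user -> first IP address, recorded when the user came online inside
    first_binding: Dict[str, str] = field(default_factory=dict)
    # step 402: user -> second IP address, recorded when first allocated via VPN
    second_binding: Dict[str, str] = field(default_factory=dict)

    def _lookup(self, user_id: str) -> Optional[str]:
        """Local query (step 302): any address already bound to this identity."""
        return self.first_binding.get(user_id) or self.second_binding.get(user_id)

    def on_internal_login(self, user_id: str) -> str:
        """User comes online from a device inside the specific area network (LEAF).
        Reuses a recorded binding (second-correspondence rule; reuse of the first
        binding is an assumption); otherwise asks the DHCP server and records the
        first correspondence (step 400)."""
        ip = self._lookup(user_id)
        if ip is None:
            ip = self.pool.allocate()
            self.first_binding[user_id] = ip
        return ip

    def on_tunnel_dhcp(self, msg: DhcpMessage) -> DhcpMessage:
        """Steps 301-303 and 402: first DHCP message arrives over the VXLAN tunnel.
        The special VNI triggers the local lookup first; the reply carries the
        recorded first IP address, or a freshly allocated second IP address."""
        if msg.vni != VPN_ACCESS_VNI:
            raise ValueError("not a VPN-access DHCP message; no local lookup")
        ip = self._lookup(msg.user_id)
        if ip is None:                              # query result "no"
            ip = self.pool.allocate()               # ask the DHCP server
            self.second_binding[msg.user_id] = ip   # record second correspondence
        return DhcpMessage(msg.user_id, VPN_ACCESS_VNI, ip, "offer")


if __name__ == "__main__":
    # constructed sample: 100.1.1.2 is the page's example address, the rest are made up
    director = Controller(AddressPool(["100.1.1.2", "100.1.1.3", "100.1.1.4"]))
    print("user A inside :", director.on_internal_login("userA"))                       # 100.1.1.2
    print("user A via VPN:", director.on_tunnel_dhcp(DhcpMessage("userA", 65535)).ip)  # 100.1.1.2
    print("user B via VPN:", director.on_tunnel_dhcp(DhcpMessage("userB", 65535)).ip)  # 100.1.1.3
    print("user B inside :", director.on_internal_login("userB"))                       # 100.1.1.3
```

The point the model makes visible is that the binding is keyed on identity, not on the access path: whichever side the user appears from first, the other side reuses the same address, and a message without the special VNI never reaches the local lookup.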
As shown in Fig. 7, the devices in the specific area network can include root devices (SPINE devices) and leaf devices (LEAF devices). A SPINE device may also be called a backbone device, root node, etc. A LEAF device may also be called an access device, dynamic access point, leaf node, etc. In addition, the DHCP server can be an independent device or can be integrated in the controller.
For example, when user A first comes online from a device inside the campus, such as a LEAF device, the user accesses the controller (Director) through the SPINE device connected to the LEAF device. The Director can authenticate user A and, through the DHCP protocol, allocate an unused IP address to the authenticated user A, and record a first correspondence between user A and the first IP address allocated to the user, for example between the user's account information, login name, etc. and the first IP address. A dedicated VXLAN tunnel can also be established between the Director and the VPN GW. For example, a VXLAN network identifier indicating that the user is performing VPN access service, such as VNI 65535, is configured on the SPINE device and the VPN GW.
If user A subsequently accesses the campus remotely through the gateway device, for example logs in and comes online from the VPN GW, then after authenticating the user the VPN GW can terminate the received VPN message. Then the VPN GW re-encapsulates a DHCP VXLAN-encapsulated message (an example of the first DHCP message) over the dedicated VXLAN tunnel described above, the message containing VNI 65535. After receiving the message carrying VNI 65535, the Director looks up whether a first correspondence for user A is stored locally. If so, it obtains the first IP address corresponding to user A from the first correspondence of user A.
If the Director locally has the first IP address corresponding to user A, the Director sends the VPN GW a DHCP offer message (an example of the second DHCP message) carrying VNI 65535 and the first IP address corresponding to user A. If the Director does not locally have a first IP address corresponding to user A, the Director requests the DHCP server to allocate an unused IP address (the second IP address) to user A, and then sends the VPN GW a DHCP offer message carrying VNI 65535 and the second IP address. After receiving the DHCP offer message, the VPN GW allocates the second IP address in it to user A.
In addition, the Director can also locally store a second correspondence between user A and the second IP address. Subsequently, if user A logs in and comes online from a LEAF device inside the campus, the controller can first look up locally whether a second correspondence for user A is stored. If so, the controller allocates the second IP address corresponding to user A to user A through a DHCP offer message. If not, the controller requests the DHCP server to allocate an unused IP address to user A again.
After the VPN GW has allocated the IP address to the user, the VPN GW can advertise the host address corresponding to the IP address (also called a host route) to the SPINE device through a routing protocol. After the SPINE device receives the host address, it can distribute the host address to each LEAF device through EVPN. A LEAF device receiving the host address can directly generate a forwarding entry corresponding to the host address, with the forwarding entry pointing to the SPINE device. The VPN GW can set the migration extended community attribute of the host address to 0 to represent the highest-priority community attribute. After the SPINE device receives the host address with the highest-priority community attribute, it distributes the host address to each LEAF device through EVPN.
If a LEAF device receiving the host address already has a forwarding entry for a local IP address in the same subnet as the host address, and that forwarding entry does not point to the SPINE device, the user route can be synchronized on the LEAF device. Specifically, the LEAF device can compare the values of the migration extended community attribute of the local IP address and of the received host address, and issue to the forwarding plane the forwarding entry of the address whose migration extended community attribute value is smaller. If the two values of the migration extended community attribute are equal, the forwarding entry of the address that reached the LEAF device later takes effect preferentially.
In this embodiment, setting the migration extended community attribute in the host address is only one example; the forwarding entry can also be generated in other ways. For example, if a LEAF device receiving the host address already has a forwarding entry for a local IP address in the same subnet as the host address, the existing forwarding entry can be deleted and a corresponding forwarding entry regenerated using the received host address.
With the address allocation method of this embodiment, a user who remotely accesses a specific area network through the gateway device and a user who accesses from a device inside the specific area network can be allocated the same IP address, which helps ensure normal communication inside and outside the specific area network. Further, it is advantageous for binding the user to the IP address, so that the user's access rights migrate together with the IP address. There is no need to reallocate the user's IP address and security domain according to the user's access location.
Fig. 5 shows a flow chart of an address allocation method according to another embodiment of the disclosure. As shown in Fig. 5, the method can be applied to a gateway device and can include:
Step 501: the gateway device sends a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific area network through the gateway device, the first DHCP message carries the identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
Step 502: the gateway device receives, through the VXLAN tunnel, a second DHCP message replied by the controller, the second DHCP message containing the IP address corresponding to the user;
Step 503: the gateway device allocates the IP address corresponding to the user to the user.
In one possible implementation, the IP address corresponding to the user includes a first IP address or a second IP address; the first IP address is the IP address allocated to the user by the controller according to a locally stored first correspondence when the user remotely accesses the specific area network through the gateway device; the second IP address is an unused IP address that the controller requests the DHCP server to allocate to the user when the user remotely accesses the specific area network through the gateway device.
In one possible implementation, the first DHCP message also contains a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier instructs the controller to allocate to the user the locally stored first IP address corresponding to the user.
As shown in Fig. 6, in step 601, the gateway device advertises the IP address allocated to the user to a first device in the specific area network, and the first device advertises the IP address allocated to the user to each second device, so that a forwarding entry corresponding to the IP address allocated to the user is generated on the second devices.
For example, as shown in Fig. 7, the gateway device advertises the IP address allocated to user A to the first device, such as the SPINE device, through a routing protocol; the SPINE device advertises the IP address allocated to user A to each LEAF device through EVPN, so that a forwarding entry corresponding to the IP address allocated to user A is generated on the LEAF devices. The gateway device can set the migration extended community attribute in the IP address allocated to user A to the highest priority, for example to 0.
If a LEAF device receiving the host address has a forwarding entry for a local IP address identical to the IP address allocated to user A, and that forwarding entry does not point to the SPINE device, the values of the migration extended community attribute of the local IP address and of the IP address allocated to the user are compared, and the forwarding entry of the address whose migration extended community attribute value is smaller is issued to the forwarding plane. If the two values of the migration extended community attribute are equal, the forwarding entry of the address that reached the LEAF device later takes effect preferentially.
In addition, as shown in Fig. 6, in step 602, when the gateway device detects that the user has gone offline from the VPN, it instructs the first device to issue to each second device a BGP (Border Gateway Protocol) route message cancelling the EVPN-synchronized route. As shown in Fig. 7, after the VPN GW notifies the SPINE device that user A is offline, the SPINE device can issue a BGP route message to all EVPN remote neighbors (such as each LEAF device connected to the SPINE device) to cancel the EVPN-synchronized route.
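The LEAF-side handling described for the Fig. 3 embodiment (entry pointing to SPINE generated from the EVPN host route, smaller migration extended community value wins, later entry wins on a tie) and for steps 601-602 of Fig. 6 (install on EVPN synchronization, remove on withdrawal), as an added Python example that is not the patent's own code. The ForwardingEntry structure, the next-hop names and the sample attribute values are constructed for illustration; the page only states the comparison for a local entry meeting a received SPINE route, and applying the same rule in the opposite order is my generalization.

```python
"""LEAF forwarding-entry selection and withdrawal for EVPN-synchronized host routes.
Added example, not the patent's own code; ForwardingEntry, the next-hop names and
the sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

SPINE_NEXT_HOP = "SPINE"   # entry generated from an EVPN route points to the SPINE device
HIGHEST_PRIORITY = 0       # migration extended community value the VPN GW sets (page)


@dataclass(frozen=True)
class ForwardingEntry:
    ip: str              # host address, e.g. "100.1.1.2/32"
    next_hop: str        # "SPINE" or a local attachment point on this LEAF
    migration_attr: int  # migration extended community attribute value


class LeafForwardingTable:
    def __init__(self) -> None:
        self.entries: Dict[str, ForwardingEntry] = {}

    def _offer(self, new: ForwardingEntry) -> ForwardingEntry:
        """Decide which entry for the address is issued to the forwarding plane."""
        old = self.entries.get(new.ip)
        if old is None or old.next_hop == new.next_hop:
            self.entries[new.ip] = new        # no conflicting entry: (re)install
        elif new.migration_attr <= old.migration_attr:
            self.entries[new.ip] = new        # smaller value wins; on a tie the later entry
        # otherwise the existing entry keeps the forwarding plane
        return self.entries[new.ip]

    def install_local(self, ip: str, attachment: str, migration_attr: int) -> ForwardingEntry:
        """Entry for a user attached locally to this LEAF (does not point to SPINE)."""
        return self._offer(ForwardingEntry(ip, attachment, migration_attr))

    def on_evpn_host_route(self, ip: str, migration_attr: int) -> ForwardingEntry:
        """Step 601: host route synchronized from the SPINE device via EVPN."""
        return self._offer(ForwardingEntry(ip, SPINE_NEXT_HOP, migration_attr))

    def on_evpn_withdraw(self, ip: str) -> Optional[ForwardingEntry]:
        """Step 602: BGP route message cancelling the EVPN-synchronized route after
        the VPN user goes offline; only an entry pointing to SPINE is removed."""
        cur = self.entries.get(ip)
        if cur is not None and cur.next_hop == SPINE_NEXT_HOP:
            return self.entries.pop(ip)
        return None


if __name__ == "__main__":
    leaf = LeafForwardingTable()
    leaf.install_local("100.1.1.2/32", "port1", 5)           # constructed local entry
    print(leaf.on_evpn_host_route("100.1.1.2/32", HIGHEST_PRIORITY).next_hop)  # SPINE
    print(leaf.on_evpn_withdraw("100.1.1.2/32") is not None)                   # True
```

The withdrawal only removes an entry that points to SPINE, so a LEAF that kept its own local entry after the comparison is not left without a forwarding entry when the VPN user goes offline.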
Fig. 7 shows a schematic diagram of an application scenario of an address allocation method according to an embodiment of the disclosure. As shown in Fig. 7, the disclosure adds a new interaction mechanism: the access-user authentication and termination operations are performed on the SSLVPN access gateway device (i.e. the VPN GW), while the DHCP address acquisition is performed at the local gateway. By establishing a dedicated VXLAN tunnel between the SSLVPN gateway and the Director (controller), the address can be requested from the DHCP server directly. If user A has previously logged in and come online inside the campus, the Director (controller) already holds user A's login information. It then responds to the SSLVPN access user with the IP address that was logged in inside the campus, and at the same time VXLAN-encapsulates the IP address, placing a special mark in the header of the DHCP VXLAN-encapsulated message (for example, setting the VNI to 65535). When the VPN GW receives the IP address in the specially marked DHCP VXLAN-encapsulated message, it advertises the host route for the IP address to the campus internal network through the EVPN protocol, ensuring normal communication inside and outside the campus.
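The special mark in the VXLAN header of the DHCP message exchanged over the Director-VPN GW tunnel (VNI 65535), shown as an added Python example that builds and checks the header; this is not the patent's code. The layout is the standard 8-byte VXLAN header (a flags byte with the I bit set, three reserved bytes, a 24-bit VNI and a reserved byte); the inner DHCP payload bytes used below are constructed placeholders, and the outer UDP/IP headers are left to the network stack.

```python
"""Building and checking the VXLAN header that marks the DHCP message exchanged
over the controller-gateway tunnel (VNI 65535). Added example, not the patent's
own code; the inner payload bytes are constructed placeholders."""
import struct
from typing import Tuple

VXLAN_FLAG_I = 0x08            # "VNI valid" flag bit in the first header byte
VPN_ACCESS_VNI = 65535         # special VNI from the page marking VPN access service
_HDR = struct.Struct("!B3xI")  # flags, 3 reserved bytes, 32 bits = VNI << 8 | reserved


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header carrying `vni` (must fit in 24 bits)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return _HDR.pack(VXLAN_FLAG_I, vni << 8)


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """VXLAN-encapsulate an inner frame (outer UDP/IP headers left to the stack)."""
    return build_vxlan_header(vni) + inner_frame


def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); reject truncated headers and headers without the I flag."""
    if len(packet) < _HDR.size:
        raise ValueError("packet shorter than a VXLAN header")
    flags, vni_field = _HDR.unpack(packet[:_HDR.size])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without valid-VNI flag")
    return vni_field >> 8, packet[_HDR.size:]


def is_vpn_access_message(packet: bytes) -> bool:
    """The controller's check before its local lookup: does the encapsulation
    carry the special VPN-access VNI?"""
    try:
        vni, _ = decapsulate(packet)
    except ValueError:
        return False
    return vni == VPN_ACCESS_VNI


if __name__ == "__main__":
    dhcp_payload = b"\x01\x01\x06\x00" + b"\x00" * 8        # constructed DHCP-like bytes
    marked = encapsulate(dhcp_payload, VPN_ACCESS_VNI)
    print(marked[:8].hex())                                  # 0800000000ffff00
    print(is_vpn_access_message(marked))                     # True
    print(is_vpn_access_message(encapsulate(dhcp_payload, 100)))  # False
```

Because the VNI field is 24 bits wide, 65535 (0x00FFFF) fits with room to spare; the check is on the tunnel header, so a DHCP message arriving in an ordinary tenant VNI is not treated as a VPN-access request.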
Fig. 8 shows the flow chart of the address distribution method according to another embodiment of the disclosure.As shown in figure 8, with reference to Fig. 7,
The address distribution method can include:
After step 801, user A reach the standard grade inside garden, accessed by VXLAN dynamic access point (such as LEAF equipment)
Director, IP address, such as 100.1.1.2/32 are obtained from Dynamic Host Configuration Protocol server (can be integrated in Director).Simultaneously
Director can record user A and the corresponding relation of the IP address for user A distribution.
VXLAN tunnels are established between step 802, Director and access SPINE equipment (root device) and VPN GW.Should
VXLAN tunnels are the passages for being authenticated to the user for accessing VPN and address is distributed.Can on SPINE and VPN GW
To carry out VNI 65535 setting, the business represented by the VNI 65535 can refer in particular to user and carry out VPN access service.
Step 803, when user A by SSLVPN access VPN GW when, the user A is recognized above with VPN in GW
Card.Such as whether certification user A account and password are correct, if certification passes through the message for the VPN that can terminate.Then, weight
Newly encapsulate the message in above-mentioned VXLAN tunnels, with to Director application inside IP address (i.e. DHCP VXLAN encapsulated messages).
After Director is receiving the DHCP VXLAN encapsulated messages with VNI 65535 from VPN GW, garden can be inquired about
Area inside local user and the corresponding relation for distributing IP address., can be straight if inquiring the corresponding relation of the user A
Meet the user A that the IP address in the corresponding relation is distributed to VPN accesses.If inquiring about the corresponding relation less than the user A,
A new IP address is distributed for user A.And it is possible to preserve the IP address and user A pair in Director local synchronizations
It should be related to, when logging in (VXLAN) (by LEAF equipment) inside garden so as to subsequent user A with can using identical IP
Location.
Step 804: When the Director allocates IP address 100.1.1.2/32 to user A, it can send it to the VPN GW device through the original VXLAN tunnel corresponding to VNI 65535. After the VPN GW device receives the VXLAN-encapsulated DHCP offer message with VNI 65535 sent by the Director, it allocates IP address 100.1.1.2/32 to user A as the IP address for VPN access.
Step 805: After the VPN GW has allocated IP address 100.1.1.2/32 to user A (the address may be called a host address, host route, etc.), it advertises the address 100.1.1.2/32 to the SPINE device through a routing protocol. This address is also the IP address that the Director allocated to the VPN access user, so when the SPINE device receives the address it advertises it (a /32 host route) directly through EVPN. At the same time, because the address is a route advertised for the external network, the mobility (migration) extended community attribute of the address can be set to 0 in EVPN, which is the highest-priority attribute value. The VPN GW may set the mobility extended community attribute of the address to 0 first and then advertise it to the SPINE device.
Step 806: After all LEAF access points inside the campus (which may be called LEAF devices, leaf devices, etc.) receive the EVPN route synchronizing IP address 100.1.1.2/32, each locally generates a forwarding table entry corresponding to that IP address. If a forwarding table entry for IP address 100.1.1.2/32 already exists locally (it may be called the local forwarding table entry) and the local entry has not yet been advertised to the SPINE device, the values of the mobility extended community attribute of the two entries (the IP address allocated to user A and the local IP address) are compared, and the entry with the smaller value is installed in the forwarding plane. If the mobility extended community attribute values are identical, the address that arrived at the LEAF access point later takes effect.
Step 807: If the VPN access user goes offline, BGP route messages are sent, for example from the SPINE device to all EVPN remote neighbours, to withdraw the EVPN synchronized route.
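The procedure of steps 801 to 807 can be replayed in a few dozen lines. The following model is an added illustration and not code from the patent or from any vendor's controller: the `Director` keeps the user/IP correspondence and answers a DHCP request with the bound address regardless of whether the user arrived through a LEAF or through the VPN GW (steps 801, 803 and 804), and the `Leaf` applies the step 806 tie-break between a local forwarding entry and an EVPN-synchronized route and the step 807 withdrawal. Class and method names, the address pool, the campus VNI 10010 and the mobility attribute values are assumptions; the page only specifies the behaviour when the local entry has not yet been advertised to the SPINE, so installing the synchronized route in the other case is likewise an assumption.

```python
"""Model of the Director binding logic (steps 803-804) and the LEAF
forwarding-entry choice (steps 806-807) from the embodiment above.
Illustration only, not code from the patent; names, the pool contents
and the attribute values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

VPN_ACCESS_VNI = 65535  # VNI the embodiment reserves for the VPN access service


@dataclass
class DhcpRequest:
    vni: int        # VNI of the VXLAN tunnel the request arrived on
    user_id: str    # identity information carried in the first DHCP message
    via_vpn: bool   # True when relayed by the VPN GW, False when via a LEAF


@dataclass
class DhcpOffer:
    user_id: str
    ip: str
    reused: bool    # True when an existing user/IP binding was returned


class Director:
    """Controller holding the user <-> IP binding table and a DHCP pool."""

    def __init__(self, pool: List[str]):
        self._free = list(pool)             # unused /32 host addresses (constructed)
        self.bindings: Dict[str, str] = {}  # user_id -> IP, the "correspondence"

    def handle_dhcp(self, req: DhcpRequest) -> DhcpOffer:
        # Steps 802/803: a request relayed by the VPN GW must carry VNI 65535.
        if req.via_vpn and req.vni != VPN_ACCESS_VNI:
            raise ValueError("VPN access DHCP must arrive with VNI %d" % VPN_ACCESS_VNI)
        ip = self.bindings.get(req.user_id)
        if ip is not None:
            # Binding exists: same IP whichever path the user came in on.
            return DhcpOffer(req.user_id, ip, reused=True)
        if not self._free:
            raise RuntimeError("DHCP pool exhausted")
        ip = self._free.pop(0)
        self.bindings[req.user_id] = ip     # record the user/IP correspondence
        return DhcpOffer(req.user_id, ip, reused=False)


@dataclass
class FwdEntry:
    ip: str
    mobility: int               # EVPN mobility extended community value
    advertised_to_spine: bool
    arrival: int                # arrival order on this LEAF


class Leaf:
    """LEAF access point applying the step 806 tie-break rules."""

    def __init__(self):
        self.table: Dict[str, FwdEntry] = {}
        self._clock = 0

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def learn_local(self, ip: str, mobility: int, advertised_to_spine: bool = False) -> None:
        self.table[ip] = FwdEntry(ip, mobility, advertised_to_spine, self._tick())

    def receive_evpn(self, ip: str, mobility: int) -> FwdEntry:
        new = FwdEntry(ip, mobility, True, self._tick())
        local = self.table.get(ip)
        if local is None or local.advertised_to_spine:
            # No competing local entry. The page covers only the not-yet-advertised
            # case; installing the synchronized route here is an assumption.
            self.table[ip] = new
        elif new.mobility < local.mobility:
            self.table[ip] = new           # smaller attribute value wins
        elif new.mobility == local.mobility:
            self.table[ip] = new           # equal values: later arrival takes effect
        # otherwise the existing local entry keeps the forwarding plane
        return self.table[ip]

    def withdraw(self, ip: str) -> bool:
        """Step 807: the EVPN route is withdrawn when the VPN user goes offline."""
        return self.table.pop(ip, None) is not None


def run_scenario():
    """Replays steps 801 and 803-806 for user A with a constructed pool."""
    director = Director(["100.1.1.2", "100.1.1.3"])
    campus = director.handle_dhcp(DhcpRequest(vni=10010, user_id="userA", via_vpn=False))
    vpn = director.handle_dhcp(DhcpRequest(vni=VPN_ACCESS_VNI, user_id="userA", via_vpn=True))
    leaf = Leaf()
    leaf.learn_local(campus.ip, mobility=5)           # campus entry not yet advertised
    chosen = leaf.receive_evpn(vpn.ip, mobility=0)    # VPN GW route carries attribute 0
    return campus, vpn, chosen
```

`run_scenario()` returns the campus offer, the VPN offer (same address, `reused=True`) and the entry the LEAF installs, which is the EVPN route because its mobility value 0 is smaller than the local entry's. The VNI check in `handle_dhcp` is the point a defender cares about: the binding table is only consulted for a VPN request when it arrives on the tunnel reserved for VPN access, so a request on any other VNI cannot claim an existing user's address.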
In the address allocation method of this embodiment, a function is added whereby a VPN user dynamically accessing a VXLAN network obtains an IP address through DHCP, and the Director gains the function of binding a user to the allocated IP address. This makes it possible for the same user to be allocated the same IP address when subsequently accessing the VXLAN network in a different way. In a VXLAN/EVPN dynamic access network, a user can therefore be allocated the same IP address inside and outside the campus, which helps bind the user to the IP address so that the user's access rights follow the IP address as it migrates. There is no need to reallocate the user's IP address and security domain according to where the user accesses from. Further, in the address allocation method of this embodiment, the SPINE device advertises the IP address allocated to the VPN access user to the LEAF devices through EVPN, adding to EVPN the function of inserting host routes for VPN access users. In addition, the LEAF device updates the forwarding table entry for a local IP address identical to the received IP address, adding the function of EVPN synchronizing the forwarding table entry of the VPN access user with that of the same user on the intranet. This helps ensure normal communication between the intranet and the extranet of the VXLAN network.
Fig. 9 shows a schematic structural diagram of an address allocation device according to an embodiment of the disclosure. As shown in Fig. 9, the address allocation device may include:
a first receiving module 11, configured to receive, through a virtual extensible LAN (VXLAN) tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
a query module 13, configured to query, according to the identity information, whether a first IP address corresponding to the user is saved locally;
a first sending module 15, configured to, when the query result is yes, reply a second DHCP message to the gateway device through the VXLAN tunnel, where the second DHCP message includes the first IP address and is used to instruct the gateway device to allocate the first IP address to the user.
In one possible implementation, as shown in Fig. 10, the device may further include:
a second sending module 21, configured to, when the query result is no, request the DHCP server to allocate an unused second IP address to the user, reply a third DHCP message to the gateway device through the VXLAN tunnel, where the third DHCP message includes the second IP address and is used to instruct the gateway device to allocate the second IP address to the user, and record a second correspondence between the user and the second IP address, so that when the user accesses through a device inside the specific region network the second IP address can be allocated to the user according to the second correspondence.
In one possible implementation, as shown in Fig. 10, the device may further include:
a request module 22, configured to, when the user accesses through a device inside the specific region network, request the DHCP server to allocate an unused IP address to the user;
a recording module 23, configured to take the IP address allocated to the user accessing through the device inside the specific region network as the first IP address, and to record a first correspondence between the user and the first IP address.
In one possible implementation, the first DHCP message further includes a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
Fig. 11 shows a schematic structural diagram of an address allocation device according to another embodiment of the disclosure. As shown in Fig. 11, the address allocation device may include:
a third sending module 31, configured to send a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device;
a second receiving module 33, configured to receive, through the VXLAN tunnel, a second DHCP message replied by the controller, where the second DHCP message includes an IP address corresponding to the user;
a first allocation module 35, configured to allocate the IP address corresponding to the user to the user.
In one possible implementation, the IP address corresponding to the user includes a first IP address or a second IP address; the first IP address is the IP address that the controller allocates to the user according to a locally saved first correspondence when the user remotely accesses the specific region network through the gateway device; the second IP address is the unused IP address that the controller requests the DHCP server to allocate to the user when the user remotely accesses the specific region network through the gateway device.
In one possible implementation, the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
In one possible implementation, as shown in Fig. 12, the device may further include:
a third receiving module 41, configured to receive a second DHCP message from the controller through the VXLAN tunnel, where the second DHCP message includes the unused IP address that the controller requests the DHCP server to allocate to the user in the case where the user accesses through a device inside the specific region network;
a second allocation module 43, configured to allocate the second IP address to the user.
In one possible implementation, as shown in Fig. 12, the device may further include:
an advertising module 45, configured to advertise the IP address allocated to the user to a first device in the specific region network, and to have the first device advertise the IP address allocated to the user to each second device, so that a forwarding table entry corresponding to the IP address allocated to the user is generated in each second device.
In one possible implementation, as shown in Fig. 12, the device may further include:
a withdrawal module 49, configured to, when it is detected that the user has gone offline from the VPN, instruct the first device to send to each second device a BGP route message withdrawing the EVPN synchronized route.
For the devices in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the related method and is not elaborated here.
With the address allocation device of the embodiments of the disclosure, a user remotely accessing a specific region network through the gateway device and accessing through a device inside the specific region network can be allocated the same IP address, which helps ensure normal communication inside and outside the specific region network. Further, it helps bind the user to the IP address so that the user's access rights migrate with the IP address. There is no need to reallocate the user's IP address and security domain according to where the user accesses from.
The embodiments of the present disclosure have been described above. The above description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the illustrated embodiments. The terms used herein were chosen to best explain the principles of each embodiment, its practical application or its technical improvement over technologies in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
Claims (18)
- 1. An address allocation method, characterized by comprising: a controller receiving, through a virtual extensible LAN (VXLAN) tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device; the controller querying, according to the identity information, whether a first IP address corresponding to the user is saved locally; and, when the query result is yes, the controller replying a second DHCP message to the gateway device through the VXLAN tunnel, where the second DHCP message includes the first IP address and is used to instruct the gateway device to allocate the first IP address to the user.
- 2. The method according to claim 1, characterized by further comprising: when the query result is no, the controller requesting a DHCP server to allocate an unused second IP address to the user, and replying a third DHCP message to the gateway device through the VXLAN tunnel, where the third DHCP message includes the second IP address and is used to instruct the gateway device to allocate the second IP address to the user; and recording a second correspondence between the user and the second IP address, so that when the user accesses through a device inside the specific region network the controller can allocate the second IP address to the user according to the second correspondence.
- 3. The method according to claim 1, characterized by further comprising: when the user accesses through a device inside the specific region network, requesting a DHCP server to allocate an unused IP address to the user; and the controller taking the IP address allocated to the user accessing through the device inside the specific region network as the first IP address, and recording a first correspondence between the user and the first IP address.
- 4. The method according to any one of claims 1 to 3, characterized in that the first DHCP message further includes a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
- 5. An address allocation method, characterized by comprising: a gateway device sending a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device; the gateway device receiving, through the VXLAN tunnel, a second DHCP message replied by the controller, where the second DHCP message includes an IP address corresponding to the user; and the gateway device allocating the IP address corresponding to the user to the user.
- 6. The method according to claim 5, characterized in that the IP address corresponding to the user includes a first IP address or a second IP address; the first IP address is the IP address that the controller allocates to the user according to a locally saved first correspondence when the user remotely accesses the specific region network through the gateway device; the second IP address is the unused IP address that the controller requests a DHCP server to allocate to the user when the user remotely accesses the specific region network through the gateway device.
- 7. The method according to claim 5 or 6, characterized in that the first DHCP message further includes a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
- 8. The method according to any one of claims 5 to 7, characterized by further comprising: the gateway device advertising the IP address allocated to the user to a first device in the specific region network, and the first device advertising the IP address allocated to the user to each second device, so that a forwarding table entry corresponding to the IP address allocated to the user is generated in each second device.
- 9. The method according to any one of claims 5 to 8, characterized by further comprising: when the gateway device detects that the user has gone offline from the VPN, instructing the first device to send to each second device a BGP route message withdrawing the EVPN synchronized route.
- 10. An address allocation device, characterized by comprising: a first receiving module, configured to receive, through a virtual extensible LAN (VXLAN) tunnel, a first DHCP message sent by a gateway device, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device; a query module, configured to query, according to the identity information, whether a first IP address corresponding to the user is saved locally; and a first sending module, configured to, when the query result is yes, reply a second DHCP message to the gateway device through the VXLAN tunnel, where the second DHCP message includes the first IP address and is used to instruct the gateway device to allocate the first IP address to the user.
- 11. The device according to claim 10, characterized by further comprising: a second sending module, configured to, when the query result is no, request a DHCP server to allocate an unused second IP address to the user, reply a third DHCP message to the gateway device through the VXLAN tunnel, where the third DHCP message includes the second IP address and is used to instruct the gateway device to allocate the second IP address to the user, and record a second correspondence between the user and the second IP address, so that when the user accesses through a device inside the specific region network the second IP address can be allocated to the user according to the second correspondence.
- 12. The device according to claim 10, characterized by further comprising: a request module, configured to, when the user accesses through a device inside the specific region network, request a DHCP server to allocate an unused IP address to the user; and a recording module, configured to take the IP address allocated to the user accessing through the device inside the specific region network as the first IP address, and to record a first correspondence between the user and the first IP address.
- 13. The device according to any one of claims 10 to 12, characterized in that the first DHCP message further includes a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
- 14. An address allocation device, characterized by comprising: a third sending module, configured to send a first DHCP message to a controller through a VXLAN tunnel, where the first DHCP message is sent by the gateway device when a user remotely accesses a specific region network through the gateway device, the first DHCP message carries identity information of the user, and the VXLAN tunnel is a tunnel between the controller and the gateway device; a second receiving module, configured to receive, through the VXLAN tunnel, a second DHCP message replied by the controller, where the second DHCP message includes an IP address corresponding to the user; and a first allocation module, configured to allocate the IP address corresponding to the user to the user.
- 15. The device according to claim 14, characterized in that the IP address corresponding to the user includes a first IP address or a second IP address; the first IP address is the IP address that the controller allocates to the user according to a locally saved first correspondence when the user remotely accesses the specific region network through the gateway device; the second IP address is the unused IP address that the controller requests a DHCP server to allocate to the user when the user remotely accesses the specific region network through the gateway device.
- 16. The device according to claim 14 or 15, characterized in that the first DHCP message further includes a VXLAN network identifier indicating that the user is performing VPN access service; the VXLAN network identifier is used to instruct the controller to allocate to the user the locally saved first IP address corresponding to the user.
- 17. The device according to any one of claims 14 to 16, characterized by further comprising: an advertising module, configured to advertise the IP address allocated to the user to a first device in the specific region network, and to have the first device advertise the IP address allocated to the user to each second device, so that a forwarding table entry corresponding to the IP address allocated to the user is generated in each second device.
- 18. The device according to any one of claims 14 to 17, characterized by further comprising: a withdrawal module, configured to, when it is detected that the user has gone offline from the VPN, instruct the first device to send to each second device a BGP route message withdrawing the EVPN synchronized route.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710686367.7A CN107547351B (en) | 2017-08-11 | 2017-08-11 | Address allocation method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107547351A true CN107547351A (en) | 2018-01-05 |
CN107547351B CN107547351B (en) | 2020-07-07 |
Family
ID=60970259
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710686367.7A Active CN107547351B (en) | 2017-08-11 | 2017-08-11 | Address allocation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107547351B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109921944A (en) * | 2019-03-21 | 2019-06-21 | 青岛铁木真软件技术有限公司 | Network boundary control method and device for industry internet |
CN110601881A (en) * | 2019-09-04 | 2019-12-20 | 厦门网宿有限公司 | Two-layer private network system, configuration method and equipment |
CN113595847A (en) * | 2021-07-21 | 2021-11-02 | 上海淇玥信息技术有限公司 | Remote access method, system, device and medium |
CN113765904A (en) * | 2021-08-26 | 2021-12-07 | 新华三大数据技术有限公司 | Authentication method and device |
CN113885307A (en) * | 2021-10-12 | 2022-01-04 | 广东安朴电力技术有限公司 | SVG parallel machine redundancy control method, SVG control method and SVG control system |
WO2023280186A1 (en) * | 2021-07-07 | 2023-01-12 | 中兴通讯股份有限公司 | Cross-device link aggregation message processing method and system, switch, and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105592062A (en) * | 2015-10-28 | 2016-05-18 | 杭州华三通信技术有限公司 | Method and device for remaining IP address unchanged |
CN105763671A (en) * | 2016-04-27 | 2016-07-13 | 杭州华三通信技术有限公司 | IP address distribution method and apparatus |
CN106059888A (en) * | 2016-07-29 | 2016-10-26 | 浪潮(北京)电子信息产业有限公司 | IP (Internet Protocol) address assignment method and device based on open network operating system |
CN106302861A (en) * | 2016-09-27 | 2017-01-04 | 杭州华三通信技术有限公司 | A kind of address distribution method and device |
US20170195225A1 (en) * | 2015-05-08 | 2017-07-06 | Cisco Technology, Inc. | Dynamic host configuration protocol relay in a multipod fabric |
CN107094110A (en) * | 2017-04-19 | 2017-08-25 | 新华三技术有限公司 | A kind of DHCP message retransmission method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107547351B (en) | 2020-07-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||