CN108768861A - A kind of method and device sending service message - Google Patents
Publication number: CN108768861A
Application number: CN201810698539.7A
Authority: CN (China)
Legal status (as listed by Google Patents; not a legal conclusion): Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Abstract
This application provides a method and device for sending a service message, and relates to the field of communication technology. The method is applied to a security device and includes: receiving a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment; according to a pre-stored first route forwarding table corresponding to the first user equipment, determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes correspondences between destination addresses, outgoing interfaces and next hop addresses, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment; sending the service message through the first virtual interface to the second virtual interface according to the first next hop address; and sending the service message through the second virtual interface to the second user equipment. Using this application, the function of mutual access between tenants can be realized.
Description
Technical field
This application relates to the field of communication technology, and in particular to a method and device for sending a service message.
Background technology
Under a cloud scenario, SDN (Software Defined Network) can provide an SDN management system on the cloud platform. Through the SDN management system, the security devices of tenants (such as firewall devices) can be connected to the platform and traffic can be steered to them. Technical staff can deliver control instructions to the security devices through the SDN management system, so as to realize unified management of the security devices of multiple tenants.
At present, security devices generally use a multi-tenant shared-context mode to divide and isolate tenants; that is, the security device is virtualized, and one security device serves multiple tenants. In the shared-context mode, the downstream interface of the security device is divided into multiple downlink sub-interfaces, and each downlink sub-interface is bound to a tenant's VPN (Virtual Private Network). For example, if the security device provides service for tenants user01 and user02, the first downlink sub-interface of user01 on the firewall is bound to VPN_user01, and the second downlink sub-interface of user02 on the firewall is bound to VPN_user02.
In practice, tenants have a need for mutual access across tenant VPCs: it should be possible to configure the traffic of different tenants so that their private-network segments can access each other, with the firewall providing security protection. For example, tenant user01 wants to access user02. However, in the SDN management system the security domains and address information of the different tenants are mutually invisible; for example, when technical staff configure the routing table corresponding to user01 in the SDN management system, they cannot see the next hop address corresponding to user02. Moreover, the SDN management system does not allow the VPN bound to a downlink sub-interface to be used as a destination VPN. Because a static route across VPNs cannot be configured in the SDN management system, the function of mutual access between tenants cannot be realized.
Invention content
The purpose of the embodiments of the present application is to provide a method and device for sending a service message, so as to realize the function of mutual access between tenants. The specific technical solution is as follows:
In a first aspect, a method for sending a service message is provided. The method is applied to a security device and includes:
receiving a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
according to a pre-stored first route forwarding table corresponding to the first user equipment, determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes correspondences between destination addresses, outgoing interfaces and next hop addresses, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment;
sending the service message through the first virtual interface to the second virtual interface according to the first next hop address;
sending the service message through the second virtual interface to the second user equipment.
Optionally, before determining the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment according to the pre-stored first route forwarding table corresponding to the first user equipment, the method further includes:
according to pre-stored correspondences between downlink sub-interfaces and VPNs, determining a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
according to pre-stored correspondences between VPNs and route forwarding tables, determining the first route forwarding table corresponding to the first VPN.
Optionally, sending the service message through the second virtual interface to the second user equipment includes:
according to pre-stored correspondences between virtual interfaces and VPNs, determining a second VPN corresponding to the second virtual interface;
according to pre-stored correspondences between VPNs and route forwarding tables, determining a second route forwarding table corresponding to the second VPN, the second route forwarding table including correspondences between destination addresses, outgoing interfaces and next hop addresses;
according to the second route forwarding table, determining a second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
according to the second next hop address, sending the service message to the second downlink sub-interface;
sending the service message out through the second downlink sub-interface.
Optionally, the method further includes:
receiving a virtual interface configuration order sent by a management server, the virtual interface configuration order including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
receiving a routing configuration order for the first route forwarding table sent by the management server, the routing configuration order including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
adding to the first route forwarding table a forwarding-table entry with the IP address of the second user equipment as the destination address, the first virtual interface as the outgoing interface and the address of the second virtual interface as the next hop address, and setting the security policy between the first user equipment and the second user equipment to the permit state.
In a second aspect, a device for sending a service message is provided. The device is applied to a security device and includes:
a first receiving module, configured to receive a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
a first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes correspondences between destination addresses, outgoing interfaces and next hop addresses, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment;
a first sending module, configured to send the service message through the first virtual interface to the second virtual interface according to the first next hop address;
a second sending module, configured to send the service message through the second virtual interface to the second user equipment.
Optionally, the device further includes:
a second determining module, configured to determine, according to pre-stored correspondences between downlink sub-interfaces and VPNs, a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
a third determining module, configured to determine, according to pre-stored correspondences between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
Optionally, the second sending module is specifically configured to:
determine, according to pre-stored correspondences between virtual interfaces and VPNs, a second VPN corresponding to the second virtual interface;
determine, according to pre-stored correspondences between VPNs and route forwarding tables, a second route forwarding table corresponding to the second VPN, the second route forwarding table including correspondences between destination addresses, outgoing interfaces and next hop addresses;
determine, according to the second route forwarding table, a second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
send the service message to the second downlink sub-interface according to the second next hop address;
send the service message out through the second downlink sub-interface.
Optionally, the device further includes:
a second receiving module, configured to receive a virtual interface configuration order sent by a management server, the virtual interface configuration order including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
a creation module, configured to create the first virtual interface and the second virtual interface;
an establishing module, configured to configure the address of the first virtual interface and the address of the second virtual interface, establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the device further includes:
a third receiving module, configured to receive a routing configuration order for the first route forwarding table sent by the management server, the routing configuration order including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
an adding module, configured to add to the first route forwarding table a forwarding-table entry with the IP address of the second user equipment as the destination address, the first virtual interface as the outgoing interface and the address of the second virtual interface as the next hop address, and to set the security policy between the first user equipment and the second user equipment to the permit state.
In a third aspect, a security device is provided, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements the method steps described in the first aspect.
In a fourth aspect, a machine-readable storage medium is provided, storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps described in the first aspect.
In a fifth aspect, a computer program product including instructions is provided which, when run on a computer, causes the computer to implement the method steps described in the first aspect.
In the method and device for sending a service message provided by the embodiments of the present application, the network device receives a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment. It then determines, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment. The network device then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and then sends the service message through the second virtual interface to the second user equipment, thereby realizing the mutual access function between tenants inside the same security device.
Description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 is system framework figure provided by the embodiments of the present application;
Fig. 2 is the method flow diagram provided by the embodiments of the present application for sending service message;
Fig. 3 is the method flow diagram of configuration virtual interface and route forwarding table provided by the embodiments of the present application;
Fig. 4 is the method example flow diagram of configuration virtual interface and route forwarding table provided by the embodiments of the present application;
Fig. 5 is the method example flow diagram provided by the embodiments of the present application for sending service message;
Fig. 6 is a kind of structural schematic diagram of device sending service message provided by the embodiments of the present application;
Fig. 7 is a kind of structural schematic diagram of device sending service message provided by the embodiments of the present application;
Fig. 8 is a kind of structural schematic diagram of device sending service message provided by the embodiments of the present application;
Fig. 9 is a kind of structural schematic diagram of device sending service message provided by the embodiments of the present application;
Fig. 10 is a structural schematic diagram of a network device provided by the embodiments of the present application.
Specific implementation mode
The technical solutions in the embodiments of the present application are described clearly and completely below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are only a part of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort shall fall within the protection scope of the present application.
An embodiment of the present invention provides a method for sending a service message. The method can be applied to a network device, which may be a security device such as a firewall device, or a routing device. The network device can be applied in an SDN-managed scenario. SDN is a new network architecture whose core concept is to separate the control plane and the forwarding plane of network devices and to control network traffic centrally and flexibly through a controller, which provides a good platform for innovation in the core network and applications. In the embodiment of the present invention, the SDN management system is the control plane of the SDN network, and technical staff can send instructions through an administrator terminal to a management server running the SDN management system, so as to configure the network devices in the SDN network (such as security devices or routing devices).
Fig. 1 is a schematic diagram of a network system provided by an embodiment of the present invention. The network system includes a management server running the SDN management system, a management-zone switch and an administrator terminal, a border router, a security device, an access device and the user equipment of tenants. The administrator terminal is connected to the management server of the SDN management system through the management-zone switch, and the management server is connected to the security device through the management-zone switch and the access device. In this way, technical staff can deliver control instructions to the security device through the SDN management system, so as to realize unified management of the security devices of multiple tenants. The upstream interface of the security device can be connected to the border router, and the Internet is accessed through the border router. The downstream interface of the security device can be connected to the access device, which may include core switches and access switches. The user equipment of a tenant can be connected to the access device, so that it reaches the security device through the access device and then performs network access through the security device.
In practice, a security device is usually virtualized into multiple virtual devices (i.e. contexts, in Chinese: virtual firewalls) in order to provide service for tenants. The network device in the embodiment of the present invention can be an independent network device or a context obtained by virtualization. Taking a context as an example, in the multi-tenant shared-context mode one network device (i.e. one context) can provide service for multiple tenants. The user equipment of a tenant and the network device usually communicate by establishing a VPN; based on this, the downstream interface of the network device is divided into multiple downlink sub-interfaces, and each downlink sub-interface is bound to the VPN of one tenant, so as to communicate with different user equipment. For example, referring to Fig. 1, the network device provides service for user01 and user02. The downstream interface of the network device can be divided into downlink sub-interface 1 and downlink sub-interface 2; the VPN bound to downlink sub-interface 1 is VPN_user01, and the VPN bound to downlink sub-interface 2 is VPN_user02. User01 and user02 belong to different security domains: for example, the security domain of user01 is zone_user01 and the security domain of user02 is zone_user02; the IP (Internet Protocol) address of user01 is 2.0.0.0/24 and the IP address of user02 is 3.0.0.0/24. In practice, a VPN is typically divided per tenant: if a tenant has multiple user equipments, those user equipments belong to the same VPN and correspond to the same downlink sub-interface.
In the embodiment of the present invention, the network device can allocate virtual interfaces for tenants. After the network device receives a service message sent by a first user equipment, it determines, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the destination address of the service message (i.e. the IP address of a second user equipment), where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment. The network device can send the service message through the first virtual interface to the second virtual interface according to the first next hop address, and then send the service message through the second virtual interface to the second user equipment. In this way, the mutual access function between tenants can be realized on the basis of the SDN management system.
As shown in Fig. 2, the processing procedure of this method may include the following steps:
Step 201: receive a service message sent by a first user equipment.
The destination address of the service message is the IP address of a second user equipment; the second user equipment and the first user equipment are user equipments that access the same security device.
In implementation, when the first user equipment needs to communicate with the second user equipment, the first user equipment can generate a service message according to a preset message generation strategy, with the IP address of the first user equipment as the source address and the IP address of the second user equipment as the destination address. The first user equipment then sends the service message to the access device through its corresponding VPN. A policy-based route can be pre-stored in the access device, and according to that policy-based route the access device sends the service message to the first downlink sub-interface of the network device; the network device thus receives the service message through the first downlink sub-interface.
Step 202: according to a pre-stored first route forwarding table corresponding to the first user equipment, determine a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment.
In implementation, a route forwarding table corresponding to each user equipment can be pre-stored in the network device. This route forwarding table is a VPN route forwarding table, also called a VRF (Virtual Routing Forwarding) table, and includes correspondences between destination addresses, outgoing interfaces and next hop addresses. The outgoing interface can be an interface that the network device creates for the user equipment in order to realize mutual access with other user equipment. In the embodiment of the present invention, for a user equipment that needs cross-tenant access, the network device can create a virtual interface for that user equipment. The created virtual interface realizes a function similar to an interconnecting interface in the context (i.e. network device) mode, that is, an interconnecting interface inside the context. In this way the outgoing interface and the next-hop interface are both in this context, and the SDN management system can allocate the IP addresses of the virtual interfaces and configure the route forwarding tables for cross-VPN mutual access. Because these virtual interfaces are all in the same context, the default inter-domain policy between them is permit-all. The creation process of the outgoing interface and the configuration process of the route forwarding table will be described in detail later.
After the network device receives the service message sent by the first user equipment, it can parse the service message to obtain the destination address carried in it (i.e. the IP address of the second user equipment), and then look up the forwarding-table entry corresponding to the IP address of the second user equipment in the route forwarding table corresponding to the first user equipment (i.e. the first route forwarding table), so as to obtain the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment. The first outgoing interface is the first virtual interface corresponding to the first user equipment, and the first next hop address is the address of the second virtual interface corresponding to the second user equipment.
It should be noted that in the embodiment of the present invention each VPN corresponds to one virtual interface, that is, each tenant corresponds to one virtual interface. By configuring the route forwarding table, technical staff can realize mutual access between a first tenant and multiple other tenants. Table 1 shows an example of a route forwarding table provided by an embodiment of the present invention.
Table 1

| Destination address | Outgoing interface | Next hop address |
| --- | --- | --- |
| 3.0.0.0/24 | virtual-if01 | 1.1.1.2 |
| 4.0.0.0/24 | virtual-if01 | 1.1.1.3 |
Here, virtual-if01 is the first virtual interface corresponding to the first user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 1.1.1.2 is the address of the second virtual interface corresponding to the second user equipment, 4.0.0.0/24 is the IP address of a third user equipment, and 1.1.1.3 is the address of a third virtual interface corresponding to the third user equipment.
Optionally, the network device first needs to determine the first route forwarding table and then look up the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment. The process of determining the first route forwarding table can be as follows: according to pre-stored correspondences between downlink sub-interfaces and VPNs, determine the first VPN corresponding to the first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message; then, according to pre-stored correspondences between VPNs and route forwarding tables, determine the first route forwarding table corresponding to the first VPN.
In implementation, each downlink sub-interface of the network device can be bound to the VPN of one tenant, that is, the network device stores correspondences between downlink sub-interfaces and VPNs. The route forwarding table corresponding to the user equipment of the tenant can also be configured in the network device, and a correspondence between the tenant's VPN and that route forwarding table is established. When the network device receives the service message sent by the first user equipment through the first downlink sub-interface, it can determine the first VPN corresponding to the first downlink sub-interface according to the pre-stored correspondences between downlink sub-interfaces and VPNs, and then determine the first route forwarding table corresponding to the first VPN according to the pre-stored correspondences between VPNs and route forwarding tables, so as to look up in the first route forwarding table the first outgoing interface and the first next hop address corresponding to the destination address of the service message.
Step 203: send the service message through the first virtual interface to the second virtual interface according to the first next hop address.
In implementation, the network device can use the first virtual interface as the outgoing interface and send the service message to the virtual interface corresponding to the first next hop address (i.e. the address of the second virtual interface corresponding to the second user equipment), that is, to the second virtual interface corresponding to the second user equipment.
Step 204: send the service message through the second virtual interface to the second user equipment.
In implementation, the network device can receive the service message through the second virtual interface. Since the second virtual interface is the virtual interface corresponding to the second user equipment, the network device can send the service message to the second user equipment through the second virtual interface.
Optionally, the specific process by which the network device sends the service message to the second user equipment through the second virtual interface may include the following steps:
Step 1: according to pre-stored correspondences between virtual interfaces and VPNs, determine the second VPN corresponding to the second virtual interface.
In implementation, after the network device creates a virtual interface for the user equipment of a certain tenant, it can bind the virtual interface to the VPN corresponding to that user equipment; that is, the network device can establish a correspondence between the virtual interface and the VPN. After the network device receives the service message through the second virtual interface, it can determine the second VPN corresponding to the second virtual interface according to the pre-stored correspondences between virtual interfaces and VPNs.
Step 2, according to the pre-stored correspondence between VPNs and route forwarding tables, the second route forwarding table corresponding to the second VPN is determined.
In implementation, as described above, the correspondence between VPNs and route forwarding tables may be pre-stored in the network device. After the network device determines the second VPN, it can determine the second route forwarding table corresponding to the second VPN from that correspondence. Like the first route forwarding table, the second route forwarding table contains the correspondence between destination address, outgoing interface and next hop address. Table two is an example of a route forwarding table provided by an embodiment of the present invention.
Table two

| Destination address | Outgoing interface | Next hop address |
|---|---|---|
| 3.0.0.0/24 | virtual-if02 | 2.1.1.2 |
| 2.0.0.0/24 | virtual-if02 | 1.1.1.1 |
Here virtual-if02 is the second virtual interface corresponding to the second user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 2.1.1.2 is the address of the downlink sub-interface corresponding to the second user equipment, 2.0.0.0/24 is the IP address of the first user equipment, and 1.1.1.1 is the address of the first virtual interface corresponding to the first user equipment.
Step 3, according to the second route forwarding table, the second next hop address corresponding to the IP address of the second user equipment is determined.
In implementation, the network device can look up the forwarding-table entry corresponding to the IP address of the second user equipment in the second route forwarding table, obtaining the outgoing interface and the second next hop address for that IP address. The outgoing interface is the second virtual interface corresponding to the second user equipment, and the second next hop address is the address of the second downlink sub-interface corresponding to the second user equipment.
Step 4, according to the second next hop address, the service message is sent to the second downlink sub-interface.
In implementation, the network device can use the second virtual interface as the outgoing interface and send the service message to the interface corresponding to the second next hop address, that is, to the second downlink sub-interface corresponding to the second user equipment.
Step 5, through the second downlink sub-interface, the service message is sent to the second user equipment.
In implementation, after the network device receives the service message through the second downlink sub-interface, it can send the service message out of the second downlink sub-interface to the second user equipment according to the destination address in the service message, that is, the IP address of the second user equipment.
An embodiment of the present invention also provides an example of mutual access between user equipment. When tenant user01 needs to send a service message to tenant user02, user01 sends the service message to the access device; the destination address of the service message is the address of user02, namely 3.0.0.0/24, and the source address is the address of user01, namely 2.0.0.0/24. The access device sends the service message to downlink sub-interface 1 of the network device. After the network device receives the service message through downlink sub-interface 1, it determines that the VPN bound to downlink sub-interface 1 is VPN_user01, queries the first route forwarding table corresponding to VPN_user01 (table one above), and determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if01 with next hop address 1.1.1.2. It then sends the service message through virtual-if01 to the interface whose address is 1.1.1.2, namely virtual-if02. Next, the network device determines that the VPN bound to virtual-if02 is VPN_user02, queries the second route forwarding table corresponding to VPN_user02 (table two above), and determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if02 with next hop address 2.1.1.2. Using virtual-if02 as the outgoing interface, it sends the service message to the interface whose address is 2.1.1.2, namely downlink sub-interface 2, which in turn sends the service message to user02. The process by which tenant user02 sends a service message to tenant user01 is similar and is not repeated here.
In the embodiment of the present invention, the network device receives the service message sent by the first user equipment, whose destination address is the IP address of the second user equipment. According to the pre-stored first route forwarding table corresponding to the first user equipment, it determines the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next hop address is the address of the second virtual interface corresponding to the second user equipment. It then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and through the second virtual interface to the second user equipment, thereby realizing mutual access between tenants inside the same security device. Moreover, because this scheme realizes mutual access between tenants inside the same security device by configuring virtual interfaces in the network device, with the next hop address being the address of the second virtual interface corresponding to the second user equipment, and with the network device sending the service message through the first virtual interface corresponding to the first user equipment to the second virtual interface according to the first next hop address and then through the second virtual interface to the second user equipment, it avoids using the VPN bound to the downlink sub-interface as the destination VPN in the SDN hosting system. In addition, since the first virtual interface belongs to the same VPN as the first user equipment and the second virtual interface belongs to the same VPN as the second user equipment, it also avoids configuring static routes that cross VPNs in the SDN hosting system.
Optionally, an embodiment of the present invention also provides a method for configuring virtual interfaces in the network device. As shown in Fig. 3, the specific processing includes the following steps:
Step 301, a virtual interface configuration command sent by the management server is received.
The virtual interface configuration command includes the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface.
In implementation, when the first tenant needs mutual access with the second tenant, a technician can create virtual interfaces for the user equipment of the first tenant and the user equipment of the second tenant through the management server of the SDN hosting system. In one possible implementation, the technician issues a creation request to the management server through an administrator terminal; the creation request carries the identifier of the first tenant and the identifier of the second tenant. After receiving the creation request, the management server parses it to obtain the identifier of the first tenant and the identifier of the second tenant. A tenant identifier may be the IP address of the tenant's user equipment or a preset tenant name.
After obtaining the identifier of the first tenant, the management server can generate the identifier of the first virtual interface corresponding to the first tenant, for example virtual-if01. In addition, an interconnection address pool, for example 1.1.1.0/24, may be pre-stored in the management server. The management server can randomly select an address that is not currently in use from the interconnection address pool and use it as the address of the first virtual interface, and can set the first virtual interface to be bound to the VPN of the first tenant. The process by which the management server configures the second virtual interface is similar and is not described again here. The management server can then generate the virtual interface configuration command according to preset command generation rules; the command includes the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface. The management server sends the virtual interface configuration command to the network device, which receives it.
In one possible implementation, the virtual interface configuration command may comprise a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN bind command and a second VPN bind command. The first virtual interface creation command includes the identifier of the first virtual interface and is used to create the first virtual interface; the second virtual interface creation command includes the identifier of the second virtual interface and is used to create the second virtual interface; the first address configuration command includes the identifier and the address of the first virtual interface and is used to configure the address of the first virtual interface; the second address configuration command includes the identifier and the address of the second virtual interface and is used to configure the address of the second virtual interface; the first VPN bind command includes the identifier of the first virtual interface and the identifier of the first VPN and is used to configure the VPN corresponding to the first virtual interface as the first VPN; the second VPN bind command includes the identifier of the second virtual interface and the identifier of the second VPN and is used to configure the VPN corresponding to the second virtual interface as the second VPN.
Step 302, the first virtual interface and the second virtual interface are created.
In implementation, after the network device receives the virtual interface configuration command, it can execute the command to create the first virtual interface and the second virtual interface. For example, after receiving the first virtual interface creation command and the second virtual interface creation command, the network device can execute the first virtual interface creation command to create the first virtual interface, and execute the second virtual interface creation command to create the second virtual interface.
Step 303, the address of the first virtual interface and the address of the second virtual interface are configured.
In implementation, the network device can configure the address of the first virtual interface to be the address of the first virtual interface carried in the virtual interface configuration command (which may be called the first address), and configure the address of the second virtual interface to be the address of the second virtual interface carried in the command (which may be called the second address). For example, after receiving the first address configuration command and the second address configuration command, the network device can execute the first address configuration command to configure the first address it carries as the address of the first virtual interface; similarly, the network device can configure the address of the second virtual interface.
Step 304, according to the identifier of the first virtual interface and the identifier of the first VPN, the correspondence between the first virtual interface and the first VPN is established; and according to the identifier of the second virtual interface and the identifier of the second VPN, the correspondence between the second virtual interface and the second VPN is established.
In implementation, the network device can also bind the first virtual interface to the first VPN and bind the second virtual interface to the second VPN. Specifically, the network device can establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN in the virtual interface configuration command, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN. For example, after receiving the first VPN bind command and the second VPN bind command, the network device can execute the first VPN bind command to establish the correspondence between the first virtual interface and the first VPN; similarly, the network device can establish the correspondence between the second virtual interface and the second VPN.
For example, suppose the IP address of the user equipment of the first tenant is 2.0.0.1 and the IP address of the user equipment of the second tenant is 3.0.0.1. When tenant user01 needs to access tenant user02, the management server can determine that the virtual interface identifier of tenant user01 is virtual-if01 and that of tenant user02 is virtual-if02, and, based on the preset interconnection address pool 1.1.1.0/24, allocate address 1.1.1.1 to virtual-if01 and address 1.1.1.2 to virtual-if02. At the same time, it can set the VPN bound to virtual-if01 to VPN_user01 and the VPN bound to virtual-if02 to VPN_user02.
After the network device receives the virtual interface configuration command, it can create virtual interfaces virtual-if01 and virtual-if02, configure the address of virtual-if01 as 1.1.1.1 and the address of virtual-if02 as 1.1.1.2, and at the same time establish the correspondence between virtual-if01 and VPN_user01 and the correspondence between virtual-if02 and VPN_user02.
Optionally, an embodiment of the present invention also provides a process for configuring the route forwarding table; correspondingly, steps 305 to 306 may follow step 303 above.
Step 305, a routing configuration command corresponding to the first route forwarding table, sent by the management server, is received.
In implementation, the technician can also issue a routing configuration command to the network device through the management server of the SDN hosting system, to realize mutual access between different tenants. The routing configuration command may include the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface; it may also carry the identifier of the first VPN, so that the network device configures the first route forwarding table according to the identifier of the first VPN.
For example, the static route configured on tenant user01 may be: ip route 3.0.0.0 255.255.255.0 1.1.1.2, or ip route 3.0.0.0 255.255.255.0 virtual-if01. With this configuration, interworking with tenant user02 is achieved.
The static route configured on tenant user02 may be: ip route 2.0.0.0 255.255.255.0 1.1.1.1, or ip route 2.0.0.0 255.255.255.0 virtual-if02. With this configuration, interworking with tenant user01 is achieved.
Step 306, a forwarding-table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface is added to the first route forwarding table, and the security policy between the first user equipment and the second user equipment is set to the permit (pass-through) state.
In implementation, after receiving the routing configuration command, the network device can add an entry to the first route forwarding table according to the command; specifically, it adds to the first route forwarding table a forwarding-table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface. In addition, the network device can set the security policy between the first user equipment and the second user equipment to the permit state, so that the first user equipment and the second user equipment can send service messages to each other; the network device can also perform security inspection on the received service messages.
For example, for tenant user01, the network device can configure the following static route in its corresponding first routing table: destination address 3.0.0.0/24, outgoing interface virtual-if01, next hop address 1.1.1.2. The network device can also permit a security policy whose source address is 2.0.0.1 and destination address is 3.0.0.1, so that service messages with source address 2.0.0.1 and destination address 3.0.0.1 can be sent into the VPN domain of tenant user02. Similarly, for tenant user02, the network device can configure the following static route in its corresponding second routing table: destination address 2.0.0.0/24, outgoing interface virtual-if02, next hop address 1.1.1.1. The network device can also set and execute a security policy permitting source address 3.0.0.1 and destination address 2.0.0.1, so that service messages with source address 3.0.0.1 and destination address 2.0.0.1 can be sent into the VPN domain of tenant user01.
An embodiment of the present invention also provides an example of configuring inter-domain policies, which are one application form of security policies. Specifically: set the source security domain to zone_user01, the destination security domain to zone_user02, the source IP address to 2.0.0.1, the destination IP address to 3.0.0.1 and the filtering rule to permit; and set the source security domain to zone_user02, the destination security domain to zone_user01, the source IP address to 3.0.0.1, the destination IP address to 2.0.0.1 and the filtering rule to permit. Based on the inter-domain policies configured above, after the network device receives a service message sent by tenant user01 it may allow the service message to be forwarded to tenant user02, and likewise, after receiving a service message sent by tenant user02, it may allow the service message to be forwarded to tenant user01.
An embodiment of the present invention also provides an example of a method for configuring virtual interfaces. As shown in Fig. 4, the specific processing is as follows:
Step 401, a virtual interface configuration command sent by the management server is received.
The virtual interface configuration command includes a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN bind command and a second VPN bind command. The first virtual interface creation command includes virtual-if01; the second virtual interface creation command includes virtual-if02; the first address configuration command includes virtual-if01 and 1.1.1.1; the second address configuration command includes virtual-if02 and 1.1.1.2; the first VPN bind command includes virtual-if01 and VPN_user01; and the second VPN bind command includes virtual-if02 and VPN_user02.
Step 402, the first virtual interface creation command is executed to create virtual interface virtual-if01.
Step 403, the first address configuration command is executed to configure the address of virtual-if01 as 1.1.1.1.
Step 404, the first VPN bind command is executed to establish the correspondence between virtual-if01 and VPN_user01.
Step 405, in the first routing table corresponding to tenant user01, the mutual-access static route is configured: destination address 3.0.0.0/24, outgoing interface virtual-if01, next hop address 1.1.1.2.
Step 406, a security policy permitting source address 2.0.0.1 and destination address 3.0.0.1 is set and executed.
Step 402', the second virtual interface creation command is executed to create virtual interface virtual-if02.
Step 403', the second address configuration command is executed to configure the address of virtual-if02 as 1.1.1.2.
Step 404', the second VPN bind command is executed to establish the correspondence between virtual-if02 and VPN_user02.
Step 405', in the first routing table corresponding to tenant user02, the mutual-access static route is configured: destination address 2.0.0.0/24, outgoing interface virtual-if02, next hop address 1.1.1.1.
Step 406', a security policy permitting source address 3.0.0.1 and destination address 2.0.0.1 is set and executed.
An embodiment of the present invention also provides an example of a method for sending a service message. As shown in Fig. 5, the specific processing is as follows:
Step 501, the service message sent by the first user equipment is received through downlink sub-interface 1.
The source IP address of the service message is 2.0.0.0/24 and the destination IP address is 3.0.0.0/24.
Step 502, it is determined that the VPN bound to downlink sub-interface 1 is VPN_user01, and in the first route forwarding table corresponding to VPN_user01 the outgoing interface virtual-if01 and next hop address 1.1.1.2 corresponding to 3.0.0.0/24 are looked up.
Step 503, through virtual-if01, the service message is sent to the interface whose address is 1.1.1.2, namely virtual-if02.
Step 504, it is determined that the VPN bound to virtual-if02 is VPN_user02, and in the first route forwarding table corresponding to VPN_user02 the outgoing interface virtual-if02 and next hop address 2.1.1.2 corresponding to 3.0.0.0/24 are looked up.
Step 505, through outgoing interface virtual-if02, the service message is sent to the interface whose address is 2.1.1.2, namely downlink sub-interface 2.
Step 506, the service message is sent out through downlink sub-interface 2.
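The Fig. 4 configuration (steps 401 to 406') and the Fig. 5 forwarding walk (steps 501 to 506), together with the inter-domain policy example, simulated as an added example that is not the patent's own code: one route forwarding table per VPN, each next hop resolved to the interface that owns that address, a hop from virtual-if01 into VPN_user02 via virtual-if02, and a default-deny zone policy so that only the explicitly permitted 2.0.0.1 to 3.0.0.1 flow reaches downlink sub-interface 2. Assumed, because the page does not state them: the address 2.1.1.1 of downlink sub-interface 1, the local 2.0.0.0/24 entry of table one, and that the policy is evaluated at the moment the message crosses from one tenant's VPN into the other's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: str       # destination address (prefix)
    out_if: str     # outgoing interface
    next_hop: str   # next hop address


@dataclass(frozen=True)
class InterDomainPolicy:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    rule: str  # "permit" or "deny"


class SecurityDevice:
    """Per-VPN route forwarding tables plus virtual interfaces joining two tenants' VPNs."""

    def __init__(self) -> None:
        self.if_kind: Dict[str, str] = {}            # interface -> "downlink" or "virtual"
        self.if_addr: Dict[str, str] = {}            # interface -> configured address
        self.if_vpn: Dict[str, str] = {}             # interface -> bound VPN
        self.vpn_table: Dict[str, List[Route]] = {}  # VPN -> route forwarding table
        self.vpn_zone: Dict[str, str] = {}           # VPN -> security zone
        self.policies: List[InterDomainPolicy] = []

    def add_interface(self, name: str, kind: str, addr: str, vpn: str) -> None:
        """Create the interface, configure its address and bind it to a VPN."""
        self.if_kind[name], self.if_addr[name], self.if_vpn[name] = kind, addr, vpn

    def add_route(self, vpn: str, dest: str, out_if: str, next_hop: str) -> None:
        self.vpn_table.setdefault(vpn, []).append(Route(dest, out_if, next_hop))

    def _iface_with_addr(self, addr: str) -> Optional[str]:
        """The page resolves a next hop as 'the interface whose address is X'."""
        return next((n for n, a in self.if_addr.items() if a == addr), None)

    def _lookup(self, vpn: str, dst: str) -> Optional[Route]:
        """Longest-prefix match in the VPN's own route forwarding table."""
        hits = [r for r in self.vpn_table.get(vpn, []) if ip_address(dst) in ip_network(r.dest)]
        return max(hits, key=lambda r: ip_network(r.dest).prefixlen, default=None)

    def _permitted(self, src_vpn: str, dst_vpn: str, src: str, dst: str) -> bool:
        """Default deny: a flow crosses tenants only if an explicit permit matches it."""
        key = (self.vpn_zone.get(src_vpn), self.vpn_zone.get(dst_vpn), src, dst)
        for p in self.policies:
            if (p.src_zone, p.dst_zone, p.src_ip, p.dst_ip) == key:
                return p.rule == "permit"
        return False

    def forward(self, in_if: str, src: str, dst: str) -> Tuple[str, List[str]]:
        """Carry a service message from its ingress downlink sub-interface to egress.
        Returns (verdict, trace): 'deliver:<downlink sub-interface>' or 'drop:<reason>'."""
        trace: List[str] = []
        cur_if = in_if
        for _ in range(4):                             # bound the chain of VPN hops
            vpn = self.if_vpn[cur_if]                  # interface -> bound VPN
            route = self._lookup(vpn, dst)             # VPN -> its forwarding table
            if route is None:
                return "drop:no-route", trace
            nh_if = self._iface_with_addr(route.next_hop)
            if nh_if is None:
                return "drop:unresolved-next-hop", trace
            trace.append(f"{vpn}: {route.dest} via {route.out_if} -> {nh_if}")
            nh_vpn = self.if_vpn[nh_if]
            if nh_vpn != vpn and not self._permitted(vpn, nh_vpn, src, dst):
                return "drop:policy-deny", trace       # crossing tenants without a permit
            if self.if_kind[nh_if] == "downlink":      # reached the tenant's access side
                return f"deliver:{nh_if}", trace
            cur_if = nh_if                             # a virtual interface: look up again
        return "drop:hop-limit", trace


def build_device() -> SecurityDevice:
    """Configure the device as in the page's Fig. 4 example (steps 401 to 406')."""
    dev = SecurityDevice()
    # 2.1.1.2 (downlink sub-interface 2) is on the page; 2.1.1.1 for sub-interface 1 is constructed.
    dev.add_interface("downlink-subif1", "downlink", "2.1.1.1", "VPN_user01")
    dev.add_interface("downlink-subif2", "downlink", "2.1.1.2", "VPN_user02")
    # Virtual interfaces from the 1.1.1.0/24 interconnection pool, bound to each tenant's VPN.
    dev.add_interface("virtual-if01", "virtual", "1.1.1.1", "VPN_user01")
    dev.add_interface("virtual-if02", "virtual", "1.1.1.2", "VPN_user02")
    dev.vpn_zone.update({"VPN_user01": "zone_user01", "VPN_user02": "zone_user02"})
    # Table one (VPN_user01): the page's cross-tenant route plus a constructed local route.
    dev.add_route("VPN_user01", "3.0.0.0/24", "virtual-if01", "1.1.1.2")
    dev.add_route("VPN_user01", "2.0.0.0/24", "virtual-if01", "2.1.1.1")
    # Table two (VPN_user02), as given on the page.
    dev.add_route("VPN_user02", "3.0.0.0/24", "virtual-if02", "2.1.1.2")
    dev.add_route("VPN_user02", "2.0.0.0/24", "virtual-if02", "1.1.1.1")
    # Inter-domain policies: one explicit permit per direction and nothing broader.
    dev.policies.append(InterDomainPolicy("zone_user01", "zone_user02", "2.0.0.1", "3.0.0.1", "permit"))
    dev.policies.append(InterDomainPolicy("zone_user02", "zone_user01", "3.0.0.1", "2.0.0.1", "permit"))
    return dev
```

Calling `build_device().forward("downlink-subif1", "2.0.0.1", "3.0.0.1")` reproduces steps 502 to 506 in the returned trace, while a source such as 2.0.0.5 that has no matching permit is dropped at the VPN crossing.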
Based on the same technical idea, as shown in Fig. 6, an embodiment of the present application also provides a device for sending a service message. The device is applied to a security device and includes:
a first receiving module 610, configured to receive a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
a first determining module 620, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table contains the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is the first virtual interface corresponding to the first user equipment, and the first next hop address is the address of the second virtual interface corresponding to the second user equipment;
a first sending module 630, configured to send the service message through the first virtual interface to the second virtual interface according to the first next hop address;
a second sending module 640, configured to send the service message to the second user equipment through the second virtual interface.
Optionally, as shown in Fig. 7, the device further includes:
a second determining module 650, configured to determine, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, the first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that receives the service message;
a third determining module 660, configured to determine, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
Optionally, the second sending module 640 is specifically configured to:
determine, according to a pre-stored correspondence between virtual interfaces and VPNs, the second VPN corresponding to the second virtual interface;
determine, according to a pre-stored correspondence between VPNs and route forwarding tables, the second route forwarding table corresponding to the second VPN, the second route forwarding table containing the correspondence between destination address, outgoing interface and next hop address;
determine, according to the second route forwarding table, the second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
send the service message to the second downlink sub-interface according to the second next hop address;
send the service message out through the second downlink sub-interface.
Optionally, as shown in Fig. 8, the device further includes:
a second receiving module 670, configured to receive a virtual interface configuration command sent by the management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
a creation module 680, configured to create the first virtual interface and the second virtual interface;
an establishing module 690, configured to configure the address of the first virtual interface and the address of the second virtual interface, to establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and to establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, as shown in Fig. 9, the device further includes:
a third receiving module 6100, configured to receive a routing configuration command corresponding to the first route forwarding table, sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
an adding module 6110, configured to add to the first route forwarding table a forwarding-table entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and to set the security policy between the first user equipment and the second user equipment to the permit state.
In the embodiment of the present invention, the network device receives the service message sent by the first user equipment, whose destination address is the IP address of the second user equipment. According to the pre-stored first route forwarding table corresponding to the first user equipment, it determines the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next hop address is the address of the second virtual interface corresponding to the second user equipment. It then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and through the second virtual interface to the second user equipment, thereby realizing mutual access between tenants inside the same security device.
An embodiment of the present application also provides a security device, as shown in Fig. 10, including a processor 1001, a communication interface 1002, a memory 1003 and a communication bus 1004, where the processor 1001, the communication interface 1002 and the memory 1003 communicate with one another through the communication bus 1004;
the memory 1003 is configured to store a computer program;
the processor 1001 is configured to execute the program stored in the memory 1003, so that the security device performs the steps of the method for sending a service message, the method including:
receiving a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
determining, according to a pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table contains the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is the first virtual interface corresponding to the first user equipment, and the first next hop address is the address of the second virtual interface corresponding to the second user equipment;
sending the service message through the first virtual interface to the second virtual interface according to the first next hop address;
sending the service message to the second user equipment through the second virtual interface.
Optionally, before determining, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, the method further includes:
determining, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, the first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that receives the service message;
determining, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
Optionally, sending the service message to the second user equipment through the second virtual interface includes:
determining, according to a pre-stored correspondence between virtual interfaces and VPNs, the second VPN corresponding to the second virtual interface;
determining, according to a pre-stored correspondence between VPNs and route forwarding tables, the second route forwarding table corresponding to the second VPN, the second route forwarding table containing the correspondence between destination address, outgoing interface and next hop address;
determining, according to the second route forwarding table, the second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
sending the service message out through the second downlink sub-interface.
Optionally, the method further includes:
receiving a virtual interface configuration command sent by the management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
Receiving a routing configuration command for the first route forwarding table sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
Adding to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
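As an added illustration (not the patent's own code), the following Python simulates the forwarding method described above on one security device hosting two tenants: the sub-interface to VPN lookup, the two route forwarding table lookups, the hop between the two virtual interfaces, and the inter-tenant security policy that the routing configuration command sets to permit. All interface names, addresses and VPN identifiers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteEntry:
    dest: ipaddress.IPv4Network   # destination prefix (host route for a user equipment)
    out_iface: str                # outgoing interface
    next_hop: str                 # next hop address


@dataclass
class SecurityDevice:
    """One security device hosting several tenants, each tenant in its own VPN."""
    subif_vpn: dict = field(default_factory=dict)  # downlink sub-interface -> VPN
    vif_vpn: dict = field(default_factory=dict)    # virtual interface -> VPN
    vif_addr: dict = field(default_factory=dict)   # virtual interface -> its address
    tables: dict = field(default_factory=dict)     # VPN -> route forwarding table
    policy: set = field(default_factory=set)       # (src VPN, dst VPN) pairs in permit state

    def configure_virtual_interfaces(self, cmd):
        """Virtual interface configuration command from the management server."""
        for vif in (cmd["first"], cmd["second"]):
            self.vif_addr[vif["id"]] = vif["addr"]   # create interface and assign address
            self.vif_vpn[vif["id"]] = vif["vpn"]     # bind interface to its VPN

    def configure_route(self, cmd):
        """Routing configuration command: add the inter-tenant entry to the first
        route forwarding table and set the policy between the two tenants to permit."""
        src_vpn = self.vif_vpn[cmd["vif_id"]]
        peer_vif = self._vif_by_addr(cmd["next_hop"])
        if peer_vif is None:
            raise ValueError("next hop is not a virtual interface of this device")
        self.tables.setdefault(src_vpn, []).append(
            RouteEntry(ipaddress.ip_network(cmd["dest"]), cmd["vif_id"], cmd["next_hop"]))
        self.policy.add((src_vpn, self.vif_vpn[peer_vif]))

    def _vif_by_addr(self, addr):
        """Reverse lookup: address -> virtual interface name, None if no match."""
        return next((v for v, a in self.vif_addr.items() if a == addr), None)

    def _lookup(self, vpn, dst_ip):
        """Longest-prefix match in the route forwarding table of one VPN."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [e for e in self.tables.get(vpn, []) if ip in e.dest]
        return max(matches, key=lambda e: e.dest.prefixlen, default=None)

    def forward(self, ingress_subif, dst_ip):
        """Return the list of interfaces the message traverses, or None if dropped."""
        vpn1 = self.subif_vpn[ingress_subif]         # receiving sub-interface -> first VPN
        e1 = self._lookup(vpn1, dst_ip)              # first route forwarding table
        if e1 is None:
            return None                              # no route in the tenant's own VPN
        vif2 = self._vif_by_addr(e1.next_hop)        # first next hop = second virtual interface
        if vif2 is None:
            return None                              # not an inter-tenant route
        vpn2 = self.vif_vpn[vif2]
        if (vpn1, vpn2) not in self.policy:
            return None                              # security policy not in permit state
        e2 = self._lookup(vpn2, dst_ip)              # second route forwarding table
        if e2 is None:
            return None
        return [ingress_subif, e1.out_iface, vif2, e2.out_iface]


def build_device():
    """Constructed sample configuration: tenant 1 on sub-interface ge0/0.10 (vpn1),
    tenant 2 on ge0/0.20 (vpn2); all names and addresses are made up."""
    dev = SecurityDevice()
    dev.subif_vpn = {"ge0/0.10": "vpn1", "ge0/0.20": "vpn2"}
    # tenant 2's directly attached subnet, reached through its own downlink sub-interface
    dev.tables["vpn2"] = [RouteEntry(ipaddress.ip_network("10.2.0.0/24"), "ge0/0.20", "10.2.0.1")]
    dev.configure_virtual_interfaces({
        "first": {"id": "vif-a", "addr": "192.168.100.1", "vpn": "vpn1"},
        "second": {"id": "vif-b", "addr": "192.168.100.2", "vpn": "vpn2"}})
    # route from tenant 1 to the second user equipment 10.2.0.5 via the virtual interface pair
    dev.configure_route({"vif_id": "vif-a", "dest": "10.2.0.5/32", "next_hop": "192.168.100.2"})
    return dev
```

`build_device().forward("ge0/0.10", "10.2.0.5")` yields `['ge0/0.10', 'vif-a', 'vif-b', 'ge0/0.20']`, while traffic in the reverse direction is dropped because no route was configured for it, so tenant access is granted one direction at a time.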
The communication bus of the above electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one thick line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one magnetic disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the invention, a computer-readable storage medium is additionally provided. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of any of the above methods for sending a service message.
In another embodiment provided by the invention, a computer program product including instructions is additionally provided which, when run on a computer, causes the computer to execute any of the methods for sending a service message in the above embodiments.
The above embodiments may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are generated wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, a solid state disk (SSD)), etc.
In the embodiment of the present invention, the network device receives the service message sent by the first user equipment, the destination address of the service message being the IP address of the second user equipment. It then determines, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next hop address is the address of the second virtual interface corresponding to the second user equipment. The network device then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and in turn sends the service message through the second virtual interface to the second user equipment, thereby realizing the mutual-access function between tenants inside the same security device.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements intrinsic to that process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
Each embodiment in this specification is described in a related manner; identical or similar parts between the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the device embodiments are substantially similar to the method embodiments, their description is relatively simple, and related parts refer to the explanation in the method embodiments.
The foregoing is merely the preferred embodiments of the application and is not intended to limit the protection scope of the application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the application shall be included in the protection scope of the application.
Claims (12)
1. A method for sending a service message, characterized in that the method is applied to a network device and the method includes:
Receiving a service message sent by a first user equipment, the destination address of the service message being the Internet Protocol (IP) address of a second user equipment;
According to a pre-stored first route forwarding table corresponding to the first user equipment, determining a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, the first route forwarding table including the correspondence among destination address, outgoing interface and next hop address, the first outgoing interface being a first virtual interface corresponding to the first user equipment, and the first next hop address being the address of a second virtual interface corresponding to the second user equipment;
Through the first virtual interface, sending the service message to the second virtual interface according to the first next hop address;
Through the second virtual interface, sending the service message to the second user equipment.
2. The method according to claim 1, characterized in that, before the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment are determined according to the pre-stored first route forwarding table corresponding to the first user equipment, the method further includes:
According to a pre-stored correspondence between downlink sub-interfaces and VPNs, determining the first VPN corresponding to the first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
According to a pre-stored correspondence between VPNs and route forwarding tables, determining the first route forwarding table corresponding to the first VPN.
3. The method according to claim 1, characterized in that sending the service message to the second user equipment through the second virtual interface includes:
According to a pre-stored correspondence between virtual interfaces and VPNs, determining the second VPN corresponding to the second virtual interface;
According to the pre-stored correspondence between VPNs and route forwarding tables, determining the second route forwarding table corresponding to the second VPN, the second route forwarding table including the correspondence among destination address, outgoing interface and next hop address;
According to the second route forwarding table, determining the second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
According to the second next hop address, sending the service message to the second downlink sub-interface;
Sending the service message out through the second downlink sub-interface.
4. The method according to claim 3, characterized in that the method further includes:
Receiving a virtual interface configuration command sent by a management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
Creating the first virtual interface and the second virtual interface;
Configuring the address of the first virtual interface and the address of the second virtual interface, establishing the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
5. The method according to claim 4, characterized in that the method further includes:
Receiving a routing configuration command for the first route forwarding table sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
Adding to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
6. A device for sending a service message, characterized in that the device is applied to a security device and the device includes:
A first receiving module, configured to receive a service message sent by a first user equipment, the destination address of the service message being the Internet Protocol (IP) address of a second user equipment;
A first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, the first route forwarding table including the correspondence among destination address, outgoing interface and next hop address, the first outgoing interface being a first virtual interface corresponding to the first user equipment, and the first next hop address being the address of a second virtual interface corresponding to the second user equipment;
A first sending module, configured to send, through the first virtual interface, the service message to the second virtual interface according to the first next hop address;
A second sending module, configured to send, through the second virtual interface, the service message to the second user equipment.
7. The device according to claim 6, characterized in that the device further includes:
A second determining module, configured to determine, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, the first VPN corresponding to the first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
A third determining module, configured to determine, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
8. The device according to claim 6, characterized in that the second sending module is specifically configured to:
According to a pre-stored correspondence between virtual interfaces and VPNs, determine the second VPN corresponding to the second virtual interface;
According to the pre-stored correspondence between VPNs and route forwarding tables, determine the second route forwarding table corresponding to the second VPN, the second route forwarding table including the correspondence among destination address, outgoing interface and next hop address;
According to the second route forwarding table, determine the second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
According to the second next hop address, send the service message to the second downlink sub-interface;
Send the service message out through the second downlink sub-interface.
9. The device according to claim 8, characterized in that the device further includes:
A second receiving module, configured to receive a virtual interface configuration command sent by a management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
A creation module, configured to create the first virtual interface and the second virtual interface;
An establishing module, configured to configure the address of the first virtual interface and the address of the second virtual interface, establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
10. The device according to claim 9, characterized in that the device further includes:
A third receiving module, configured to receive a routing configuration command for the first route forwarding table sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
An adding module, configured to add to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next hop address is the address of the second virtual interface, and to set the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
11. A security device, characterized in that it includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
The memory is configured to store a computer program;
The processor is configured to implement the method steps of any of claims 1-5 when executing the program stored in the memory.
12. A machine-readable storage medium, characterized in that it stores machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of any of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810698539.7A CN108768861B (en) | 2018-06-29 | 2018-06-29 | Method and device for sending service message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108768861A true CN108768861A (en) | 2018-11-06 |
CN108768861B CN108768861B (en) | 2021-01-08 |
Family
ID=63975144
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810698539.7A Active CN108768861B (en) | 2018-06-29 | 2018-06-29 | Method and device for sending service message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108768861B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111200559A (en) * | 2018-11-19 | 2020-05-26 | 中国电信股份有限公司 | Routing method and routing device |
CN111614536A (en) * | 2020-04-20 | 2020-09-01 | 视联动力信息技术股份有限公司 | Data forwarding method and device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020037010A1 (en) * | 2000-09-28 | 2002-03-28 | Nec Corporation | MPLS-VPN service network |
CN1852214A (en) * | 2005-11-02 | 2006-10-25 | 华为技术有限公司 | Routing method of virtual special network |
CN101599901A (en) * | 2009-07-15 | 2009-12-09 | 杭州华三通信技术有限公司 | The method of remotely accessing MPLS VPN, system and gateway |
CN101626338A (en) * | 2009-08-03 | 2010-01-13 | 杭州华三通信技术有限公司 | Method and device for realizing multiple virtual private network (VPN) examples |
CN102082738A (en) * | 2011-03-10 | 2011-06-01 | 迈普通信技术股份有限公司 | Method for extending MPLS VPN access through public network and PE equipment |
CN102325073A (en) * | 2011-07-06 | 2012-01-18 | 杭州华三通信技术有限公司 | VPLS (Virtual Private Local Area Network Service)-based message processing method and device thereof |
CN105049316A (en) * | 2015-08-26 | 2015-11-11 | 华为技术有限公司 | Communication method and communication device |
CN107959611A (en) * | 2016-10-17 | 2018-04-24 | 华为技术有限公司 | A kind of method to E-Packet, apparatus and system |
- 2018-06-29 CN CN201810698539.7A patent/CN108768861B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN108768861B (en) | 2021-01-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||