CN108768861A - A kind of method and device sending service message - Google Patents

A method and device for sending service messages

Info

Publication number
CN108768861A
Authority
CN
China
Prior art keywords
address
interface
virtual interface
vpn
user equipment
Legal status
Granted
Application number
CN201810698539.7A
Other languages
Chinese (zh)
Other versions
CN108768861B (en)
Inventor
韩超
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201810698539.7A
Publication of CN108768861A
Application granted
Publication of CN108768861B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application provides a method and device for sending service messages, relating to the field of communication technology. The method is applied to a security device and includes: receiving a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment; determining, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table holds the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment; sending the service message through the first virtual interface to the second virtual interface according to the first next hop address; and sending the service message through the second virtual interface to the second user equipment. With this application, mutual access between tenants can be achieved.

Description

A method and device for sending service messages
Technical field
This application relates to the field of communication technology, and in particular to a method and device for sending service messages.
Background technology
In a cloud scenario, the cloud platform can provide an SDN (Software Defined Network) management system. Through the SDN management system, a tenant's security device (for example, a firewall) can be attached to the platform and its traffic steered. Technical staff can deliver control instructions to the security device through the SDN management system, so that the security devices of multiple tenants are managed in a unified way.
Currently, security devices generally use a multi-tenant shared-context mode to divide and isolate tenants: the security device is virtualized, and one security device serves multiple tenants. In the shared-context mode, the downlink interface of the security device is divided into multiple downlink sub-interfaces, and each downlink sub-interface is bound to a tenant's VPN (Virtual Private Network). For example, if the security device serves tenants user01 and user02, the first downlink sub-interface of user01 on the firewall is bound to VPN_user01, and the second downlink sub-interface of user02 on the firewall is bound to VPN_user02.
In practice, tenants need cross-tenant VPC access: it should be possible, through configuration, to let the traffic of different tenants reach each other's private network segments, with the firewall providing security protection. For example, tenant user01 wants to access user02. However, in the SDN management system the security domains and address information of different tenants are not visible to one another: when technical staff configure the routing table for user01, they cannot see the next hop address corresponding to user02. Moreover, the SDN management system does not allow a VPN bound to a downlink sub-interface to be used as the destination VPN. Because a static route across VPNs cannot be configured in the SDN management system, mutual access between tenants cannot be achieved.
Summary of the invention
The embodiments of the present application aim to provide a method and device for sending service messages, so as to achieve mutual access between tenants. The specific technical solution is as follows:
In a first aspect, a method for sending service messages is provided. The method is applied to a security device and includes:
receiving a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
determining, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment;
sending the service message through the first virtual interface to the second virtual interface according to the first next hop address;
sending the service message through the second virtual interface to the second user equipment.
Optionally, before determining the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment according to the pre-stored first route forwarding table corresponding to the first user equipment, the method further includes:
determining, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface on which the service message was received;
determining, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
Optionally, sending the service message through the second virtual interface to the second user equipment includes:
determining, according to a pre-stored correspondence between virtual interfaces and VPNs, a second VPN corresponding to the second virtual interface;
determining, according to the pre-stored correspondence between VPNs and route forwarding tables, a second route forwarding table corresponding to the second VPN, the second route forwarding table including the correspondence between destination address, outgoing interface and next hop address;
determining, according to the second route forwarding table, a second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next hop address;
sending the service message out through the second downlink sub-interface.
Optionally, the method further includes:
receiving a virtual interface configuration command sent by a management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface, and the identifier of the second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
receiving a routing configuration command, corresponding to the first route forwarding table, sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
adding to the first route forwarding table a forwarding entry with the IP address of the second user equipment as destination address, the first virtual interface as outgoing interface and the address of the second virtual interface as next hop address, and setting the security policy between the first user equipment and the second user equipment to the pass state.
In a second aspect, a device for sending service messages is provided. The device is applied to a security device and includes:
a first receiving module, configured to receive a service message sent by a first user equipment, the destination address of the service message being the IP address of a second user equipment;
a first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is a first virtual interface corresponding to the first user equipment, and the first next hop address is the address of a second virtual interface corresponding to the second user equipment;
a first sending module, configured to send the service message through the first virtual interface to the second virtual interface according to the first next hop address;
a second sending module, configured to send the service message through the second virtual interface to the second user equipment.
Optionally, the device further includes:
a second determining module, configured to determine, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface on which the service message was received;
a third determining module, configured to determine, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
Optionally, the second sending module is specifically configured to:
determine, according to a pre-stored correspondence between virtual interfaces and VPNs, a second VPN corresponding to the second virtual interface;
determine, according to the pre-stored correspondence between VPNs and route forwarding tables, a second route forwarding table corresponding to the second VPN, the second route forwarding table including the correspondence between destination address, outgoing interface and next hop address;
determine, according to the second route forwarding table, a second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
send the service message to the second downlink sub-interface according to the second next hop address;
send the service message out through the second downlink sub-interface.
Optionally, the device further includes:
a second receiving module, configured to receive a virtual interface configuration command sent by a management server, the virtual interface configuration command including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface, and the identifier of the second VPN corresponding to the second virtual interface;
a creation module, configured to create the first virtual interface and the second virtual interface;
an establishing module, configured to configure the address of the first virtual interface and the address of the second virtual interface, to establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and to establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the device further includes:
a third receiving module, configured to receive a routing configuration command, corresponding to the first route forwarding table, sent by the management server, the routing configuration command including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
an adding module, configured to add to the first route forwarding table a forwarding entry with the IP address of the second user equipment as destination address, the first virtual interface as outgoing interface and the address of the second virtual interface as next hop address, and to set the security policy between the first user equipment and the second user equipment to the pass state.
In a third aspect, a security device is provided, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements the method steps described in the first aspect.
In a fourth aspect, a machine-readable storage medium is provided, storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps described in the first aspect.
In a fifth aspect, a computer program product including instructions is provided which, when run on a computer, causes the computer to implement the method steps described in the first aspect.
With the method and device for sending service messages provided by the embodiments of the present application, the network device receives a service message sent by a first user equipment whose destination address is the IP address of a second user equipment; it then determines, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment; the network device then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and through the second virtual interface to the second user equipment. This achieves mutual access between tenants inside the same security device.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a system architecture diagram provided by an embodiment of the present application;
Fig. 2 is a flowchart of the method for sending service messages provided by an embodiment of the present application;
Fig. 3 is a flowchart of the method for configuring virtual interfaces and route forwarding tables provided by an embodiment of the present application;
Fig. 4 is an example flowchart of the method for configuring virtual interfaces and route forwarding tables provided by an embodiment of the present application;
Fig. 5 is an example flowchart of the method for sending service messages provided by an embodiment of the present application;
Fig. 6 is a structural schematic diagram of a device for sending service messages provided by an embodiment of the present application;
Fig. 7 is a structural schematic diagram of a device for sending service messages provided by an embodiment of the present application;
Fig. 8 is a structural schematic diagram of a device for sending service messages provided by an embodiment of the present application;
Fig. 9 is a structural schematic diagram of a device for sending service messages provided by an embodiment of the present application;
Fig. 10 is a structural schematic diagram of the network device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the present application without creative effort fall within the protection scope of the present application.
An embodiment of the present invention provides a method for sending service messages. The method can be applied to a network device, which may be a security device such as a firewall, or a routing device. The network device can be used in an SDN-managed scenario. SDN is a new network architecture whose core idea is to separate the control plane and the forwarding plane of the network device and to control network traffic centrally and flexibly through a controller, providing a good platform for the innovation of the core network and its applications. In the embodiment of the present invention, the SDN management system is the control plane of the SDN network; technical staff can issue instructions through an administrator terminal to the management server running the SDN management system in order to configure the network devices in the SDN network (such as security devices or routing devices).
Fig. 1 is a schematic diagram of a network system provided by an embodiment of the present invention. The network system includes a management server running the SDN management system, a management-zone switch, an administrator terminal, a border router, a security device, an access device and the tenants' user equipment. The administrator terminal is connected to the management server of the SDN management system through the management-zone switch, and the management server is connected to the security device through the management-zone switch and the access device. In this way, technical staff can deliver control instructions to the security device through the SDN management system, achieving unified management of the security devices of multiple tenants. The uplink interface of the security device can be connected to the border router, through which the Internet is reached. The downlink interface of the security device can be connected to the access device, which may include core switches and access switches. A tenant's user equipment can be connected to the access device, reaching the security device through the access device and then accessing the network through the security device.
In practice, a security device is usually virtualized into multiple virtual devices (contexts, i.e. virtual firewalls) in order to serve tenants. The network device in the embodiment of the present invention can be an independent network device or a context obtained by virtualization. Taking a context as an example, in the multi-tenant shared-context mode one network device (i.e. one context) can serve multiple tenants. A tenant's user equipment usually communicates with the network device through a VPN; accordingly, the downlink interface of the network device is divided into multiple downlink sub-interfaces, each bound to the VPN of one tenant, so that the device can communicate with different user equipment. For example, referring to Fig. 1, the network device serves user01 and user02. Its downlink interface can be divided into downlink sub-interface 1 and downlink sub-interface 2; downlink sub-interface 1 is bound to VPN_user01 and downlink sub-interface 2 is bound to VPN_user02. user01 and user02 belong to different security domains, for example zone_user01 for user01 and zone_user02 for user02; the IP (Internet Protocol) address of user01 is 2.0.0.0/24 and that of user02 is 3.0.0.0/24. In practice, VPNs are usually divided per tenant: if a tenant has multiple user equipment, they all belong to the same VPN and correspond to the same downlink sub-interface.
In the embodiment of the present invention, the network device can allocate virtual interfaces to tenants. After the network device receives a service message sent by a first user equipment, it determines, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the destination address of the service message (i.e. the IP address of a second user equipment), where the first outgoing interface is a first virtual interface corresponding to the first user equipment and the first next hop address is the address of a second virtual interface corresponding to the second user equipment. The network device can send the service message through the first virtual interface to the second virtual interface according to the first next hop address, and then through the second virtual interface to the second user equipment. In this way, mutual access between tenants can be achieved on the basis of the SDN management system.
As shown in Fig. 2, the processing procedure of the method may include the following steps:
Step 201: receive a service message sent by a first user equipment.
The destination address of the service message is the IP address of a second user equipment; the second user equipment and the first user equipment are user equipment accessing the same security device.
In implementation, when the first user equipment needs to communicate with the second user equipment, it can generate a service message according to a preset message generation policy, with its own IP address as source address and the IP address of the second user equipment as destination address. The first user equipment then sends the service message through its VPN to the access device. A policy route can be pre-stored in the access device, which sends the service message to the first downlink sub-interface of the network device according to that policy route; the network device then receives the service message on the first downlink sub-interface.
Step 202: determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next hop address corresponding to the IP address of the second user equipment.
In implementation, the network device can pre-store a route forwarding table for each user equipment. This table is a VPN route forwarding table, also called a VRF (Virtual Routing and Forwarding) table, and contains the correspondence between destination address, outgoing interface and next hop address. The outgoing interface can be an interface that the network device creates for the user equipment for the purpose of mutual access with other user equipment. In the embodiment of the present invention, for user equipment that needs cross-tenant access, the network device can create a virtual interface; the created virtual interface acts as an interconnect interface inside the context (i.e. the network device), similar to the interconnect interface function in context mode. In this way the outgoing interface and the next-hop interface are both in this context, so the SDN management system can allocate the IP address of the virtual interface and configure the cross-VPN route forwarding table. Since these virtual interfaces are all in this context, the default inter-domain policies are all set to pass. The creation of the outgoing interfaces and the configuration of the route forwarding tables are described in detail later.
After the network device receives the service message sent by the first user equipment, it can parse the message to obtain the destination address it carries (i.e. the IP address of the second user equipment), and then look up, in the route forwarding table corresponding to the first user equipment (i.e. the first route forwarding table), the forwarding entry corresponding to the IP address of the second user equipment, so as to obtain the first outgoing interface and the first next hop address corresponding to that IP address. The first outgoing interface is the first virtual interface corresponding to the first user equipment, and the first next hop address is the address of the second virtual interface corresponding to the second user equipment.
It should be noted that in the embodiment of the present invention each VPN corresponds to one virtual interface, that is, each tenant corresponds to one virtual interface. By configuring the route forwarding table, technical staff can achieve mutual access between a first tenant and multiple other tenants. Table 1 shows an example route forwarding table provided by an embodiment of the present invention.
Table 1
Destination address   Outgoing interface   Next hop address
3.0.0.0/24            virtual-if01         1.1.1.2
4.0.0.0/24            virtual-if01         1.1.1.3
Here virtual-if01 is the first virtual interface corresponding to the first user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 1.1.1.2 is the address of the second virtual interface corresponding to the second user equipment, 4.0.0.0/24 is the IP address of a third user equipment, and 1.1.1.3 is the address of the third virtual interface corresponding to the third user equipment.
Optionally, the network device first needs to determine the first route forwarding table before looking up the first outgoing interface and first next hop address corresponding to the IP address of the second user equipment. The first route forwarding table can be determined as follows: according to the pre-stored correspondence between downlink sub-interfaces and VPNs, determine the first VPN corresponding to the first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface on which the service message was received; then, according to the pre-stored correspondence between VPNs and route forwarding tables, determine the first route forwarding table corresponding to the first VPN.
In implementation, each downlink sub-interface of the network device can be bound to the VPN of one tenant, that is, the network device stores the correspondence between downlink sub-interfaces and VPNs. The route forwarding table corresponding to the tenant's user equipment can also be configured in the network device, together with the correspondence between the tenant's VPN and that route forwarding table. When the network device receives, on the first downlink sub-interface, the service message sent by the first user equipment, it can determine the first VPN corresponding to the first downlink sub-interface from the pre-stored correspondence between downlink sub-interfaces and VPNs, and then determine the first route forwarding table corresponding to the first VPN from the pre-stored correspondence between VPNs and route forwarding tables, so as to look up in the first route forwarding table the first outgoing interface and first next hop address corresponding to the destination address of the service message.
Step 203: send the service message through the first virtual interface to the second virtual interface according to the first next hop address.
In implementation, the network device can use the first virtual interface as the outgoing interface and send the service message to the virtual interface corresponding to the first next hop address (i.e. the address of the second virtual interface corresponding to the second user equipment), that is, to the second virtual interface corresponding to the second user equipment.
Step 204: send the service message through the second virtual interface to the second user equipment.
In implementation, the network device can receive the service message on the second virtual interface. Since the second virtual interface is the virtual interface corresponding to the second user equipment, the network device can send the service message through the second virtual interface to the second user equipment.
Optionally, the specific process by which the network device sends the service message through the second virtual interface to the second user equipment may include the following steps:
Step 1: determine the second VPN corresponding to the second virtual interface according to the pre-stored correspondence between virtual interfaces and VPNs.
In implementation, after the network device creates a virtual interface for the user equipment of a tenant, it can bind the virtual interface to the VPN corresponding to that user equipment, that is, the network device can establish the correspondence between virtual interfaces and VPNs. After the network device receives the service message on the second virtual interface, it can determine the second VPN corresponding to the second virtual interface according to the pre-stored correspondence between virtual interfaces and VPNs.
Step 2: determine the second route forwarding table corresponding to the second VPN according to the pre-stored correspondence between VPNs and route forwarding tables.
In implementation, as described above, the correspondence between VPNs and route forwarding tables can be pre-stored in the network device. After the network device determines the second VPN, it can determine the second route forwarding table corresponding to the second VPN according to that correspondence. Like the first route forwarding table, the second route forwarding table contains the correspondence between destination address, outgoing interface and next hop address. Table 2 shows an example route forwarding table provided by an embodiment of the present invention.
Table two

Destination address    Outgoing interface    Next hop address
3.0.0.0/24             virtual-if02          2.1.1.2
2.0.0.0/24             virtual-if02          1.1.1.1
Here, virtual-if02 is the second virtual interface corresponding to the second user equipment, 3.0.0.0/24 is the IP address of the second user equipment, 2.1.1.2 is the address of the downlink sub-interface corresponding to the second user equipment, 2.0.0.0/24 is the IP address of the first user equipment, and 1.1.1.1 is the address of the first virtual interface corresponding to the first user equipment.
Step 3: determine the second next hop address corresponding to the IP address of the second user equipment according to the second route forwarding table.
In implementation, the network device can look up, in the second route forwarding table, the forwarding table entry corresponding to the IP address of the second user equipment, and so obtain the outgoing interface and the second next hop address corresponding to that IP address. Here the outgoing interface is the second virtual interface corresponding to the second user equipment, and the second next hop address is the address of the second downlink sub-interface corresponding to the second user equipment.
Step 4: send the service message to the second downlink sub-interface according to the second next hop address.
In implementation, the network device can take the second virtual interface as the outgoing interface and send the service message to the interface corresponding to the second next hop address (that is, the address of the second downlink sub-interface corresponding to the second user equipment), namely the second downlink sub-interface.
Step 5: send the service message to the second user equipment through the second downlink sub-interface.
In implementation, after the network device receives the service message through the second downlink sub-interface, it can send the service message to the second user equipment through that downlink sub-interface according to the destination address in the service message (that is, the IP address of the second user equipment).
An embodiment of the present invention further provides an example of mutual access between user equipment. When tenant user01 needs to send a service message to tenant user02, user01 can send the service message to the access device; the destination address of the service message is the address of user02, 3.0.0.0/24, and the source address is the address of user01, 2.0.0.0/24. The access device sends the service message to downlink sub-interface 1 of the network device. After the network device receives the service message through downlink sub-interface 1, it determines that the VPN bound to downlink sub-interface 1 is VPN_user01, queries the first route forwarding table corresponding to VPN_user01 (table one above), determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if01 and the next hop address is 1.1.1.2, and then sends the service message through virtual-if01 to the interface whose address is 1.1.1.2 (that is, virtual-if02). Next, the network device determines that the VPN bound to virtual-if02 is VPN_user02, queries the second route forwarding table corresponding to VPN_user02 (table two above), determines that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if02 and the next hop address is 2.1.1.2, sends the service message with virtual-if02 as the outgoing interface to the interface whose address is 2.1.1.2 (that is, downlink sub-interface 2), and finally sends the service message to user02 through downlink sub-interface 2. The process by which tenant user02 sends a service message to tenant user01 is similar and is not repeated here.
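The forwarding process of steps 201 to 204 and the user01-to-user02 example above, modelled as an added Python example that is not part of the patent: it keeps one route forwarding table per VPN, resolves each next hop to a local interface, and crosses into another tenant's VPN only through a virtual interface pair. The interface names downlink-subif-1/2/3, the address 2.1.1.1 of downlink sub-interface 1, the table-one entry for 2.0.0.0/24 and the tenant VPN_user03 are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str
    next_hop: ipaddress.IPv4Address


class SecurityDevice:
    """Per-tenant forwarding state of the network device (the security device)."""

    def __init__(self):
        self.subif_vpn = {}  # downlink sub-interface -> bound VPN
        self.vif_vpn = {}    # virtual interface -> bound VPN
        self.if_addr = {}    # interface name -> its address
        self.routes = {}     # VPN -> route forwarding table (list of Route)

    def bind_downlink(self, subif, addr, vpn):
        self.subif_vpn[subif] = vpn
        self.if_addr[subif] = ipaddress.ip_address(addr)

    def bind_virtual(self, vif, addr, vpn):
        self.vif_vpn[vif] = vpn
        self.if_addr[vif] = ipaddress.ip_address(addr)

    def add_route(self, vpn, prefix, out_if, next_hop):
        self.routes.setdefault(vpn, []).append(
            Route(ipaddress.ip_network(prefix), out_if, ipaddress.ip_address(next_hop)))

    def lookup(self, vpn, dst):
        """Longest-prefix match restricted to the given VPN's own table."""
        best = None
        for r in self.routes.get(vpn, []):
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def interface_with_address(self, addr):
        return next((name for name, a in self.if_addr.items() if a == addr), None)

    def forward(self, ingress_subif, dst, max_hops=8):
        """Forward a service message received on a downlink sub-interface.

        Returns (egress downlink sub-interface, list of (VPN, outgoing interface,
        next hop) lookups performed), or None when the message is dropped.
        """
        dst = ipaddress.ip_address(dst)
        vpn = self.subif_vpn[ingress_subif]      # downlink sub-interface -> first VPN
        hops = []
        for _ in range(max_hops):
            r = self.lookup(vpn, dst)            # VPN -> route forwarding table -> entry
            if r is None:
                return None                      # no entry in this tenant's table: drop
            hops.append((vpn, r.out_if, str(r.next_hop)))
            nxt = self.interface_with_address(r.next_hop)
            if nxt in self.subif_vpn:            # next hop is a downlink sub-interface:
                return nxt, hops                 # deliver to the destination user equipment
            if nxt not in self.vif_vpn:
                return None                      # next hop is not a local interface: drop
            vpn = self.vif_vpn[nxt]              # entered the peer VPN via its virtual interface
        return None                              # loop guard


def build_example_device():
    """State matching table one and table two of the text (constructed where noted)."""
    dev = SecurityDevice()
    dev.bind_downlink("downlink-subif-1", "2.1.1.1", "VPN_user01")  # 2.1.1.1 is constructed
    dev.bind_downlink("downlink-subif-2", "2.1.1.2", "VPN_user02")
    dev.bind_downlink("downlink-subif-3", "2.1.1.3", "VPN_user03")  # constructed tenant, no mutual access
    dev.bind_virtual("virtual-if01", "1.1.1.1", "VPN_user01")
    dev.bind_virtual("virtual-if02", "1.1.1.2", "VPN_user02")
    # table one (VPN_user01): 3.0.0.0/24 entry from the text, 2.0.0.0/24 entry constructed by analogy
    dev.add_route("VPN_user01", "3.0.0.0/24", "virtual-if01", "1.1.1.2")
    dev.add_route("VPN_user01", "2.0.0.0/24", "virtual-if01", "2.1.1.1")
    # table two (VPN_user02)
    dev.add_route("VPN_user02", "3.0.0.0/24", "virtual-if02", "2.1.1.2")
    dev.add_route("VPN_user02", "2.0.0.0/24", "virtual-if02", "1.1.1.1")
    return dev


if __name__ == "__main__":
    dev = build_example_device()
    print(dev.forward("downlink-subif-1", "3.0.0.1"))  # user01 -> user02
    print(dev.forward("downlink-subif-3", "3.0.0.1"))  # user03 has no route: None
```

A message from a tenant whose VPN holds no route through a virtual interface is dropped at that tenant's own table, which is the isolation the scheme relies on: reachability between tenants exists only where a virtual interface pair and the matching routes have been configured.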
In the embodiment of the present invention, the network device receives the service message sent by the first user equipment, whose destination address is the IP address of the second user equipment; it then determines, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next hop address is the address of the second virtual interface corresponding to the second user equipment; the network device then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and through the second virtual interface to the second user equipment, thereby realizing mutual access between tenants inside the same security device. Moreover, this scheme realizes mutual access between tenants inside one security device by configuring virtual interfaces in the network device: the next hop address is the address of the second virtual interface corresponding to the second user equipment, and the network device sends the service message through the first virtual interface corresponding to the first user equipment to the second virtual interface according to the first next hop address and then through the second virtual interface to the second user equipment, which avoids binding the VPN of a downlink sub-interface as a destination VPN in the SDN security protection system. In addition, since the first virtual interface and the first user equipment belong to the same VPN, and the second virtual interface and the second user equipment belong to the same VPN, it also avoids configuring static routes across VPNs in the SDN security protection system.
Optionally, an embodiment of the present invention further provides a method of configuring virtual interfaces in the network device. As shown in Fig. 3, the specific processing includes the following steps:
Step 301: receive the virtual interface configuration order sent by the management server.
Here, the virtual interface configuration order includes the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface, and the identifier of the second VPN corresponding to the second virtual interface.
In implementation, when the first tenant needs mutual access with the second tenant, technical staff can use the management server of the SDN security protection system to create virtual interfaces for the user equipment of the first tenant and the user equipment of the second tenant. In one possible implementation, technical staff can issue a creation request to the management server through an administrator terminal; the creation request carries the identifier of the first tenant and the identifier of the second tenant. After receiving the creation request, the management server can parse it and obtain the identifier of the first tenant and the identifier of the second tenant. The identifier of a tenant may be the IP address of the tenant's user equipment, or a preset tenant name.
After the management server obtains the identifier of the first tenant, it can generate the identifier of the first virtual interface corresponding to the first tenant, for example virtual-if01. In addition, an Internet address pool, for example 1.1.1.0/24, can be pre-stored in the management server. The management server can select a currently unused address at random from the Internet address pool, use it as the address of the first virtual interface, and set the first virtual interface to be bound to the VPN of the first tenant. The process by which the management server configures the second virtual interface is similar and is not described again here. The management server can then generate the virtual interface configuration order according to preset order generation rules; the virtual interface configuration order includes the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface, and the identifier of the second VPN corresponding to the second virtual interface. The management server can send the virtual interface configuration order to the network device, and the network device then receives it.
In one possible implementation, the virtual interface configuration order may include a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN binding command and a second VPN binding command. The first virtual interface creation command includes the identifier of the first virtual interface and is used to create the first virtual interface; the second virtual interface creation command includes the identifier of the second virtual interface and is used to create the second virtual interface; the first address configuration command includes the identifier and the address of the first virtual interface and is used to configure the address of the first virtual interface; the second address configuration command includes the identifier and the address of the second virtual interface and is used to configure the address of the second virtual interface; the first VPN binding command includes the identifier of the first virtual interface and the identifier of the first VPN and is used to set the VPN corresponding to the first virtual interface to the first VPN; the second VPN binding command includes the identifier of the second virtual interface and the identifier of the second VPN and is used to set the VPN corresponding to the second virtual interface to the second VPN.
Step 302: create the first virtual interface and the second virtual interface.
In implementation, after the network device receives the virtual interface configuration order, it can execute the order to create the first virtual interface and the second virtual interface. For example, after receiving the first virtual interface creation command and the second virtual interface creation command, the network device can execute the first virtual interface creation command to create the first virtual interface, and execute the second virtual interface creation command to create the second virtual interface.
Step 303: configure the address of the first virtual interface and the address of the second virtual interface.
In implementation, the network device can set the address of the first virtual interface to the address of the first virtual interface carried in the virtual interface configuration order (which may be called the first address), and set the address of the second virtual interface to the address of the second virtual interface carried in the order (which may be called the second address). For example, after receiving the first address configuration command and the second address configuration command, the network device can execute the first address configuration command to configure the first address in that command as the address of the first virtual interface, and similarly configure the address of the second virtual interface.
Step 304: establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
In implementation, the network device can also bind the first virtual interface to the first VPN and the second virtual interface to the second VPN. Specifically, the network device can establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN in the virtual interface configuration order, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN. For example, after receiving the first VPN binding command and the second VPN binding command, the network device can execute the first VPN binding command to establish the correspondence between the first virtual interface and the first VPN, and similarly establish the correspondence between the second virtual interface and the second VPN.
For example, suppose the IP address of the user equipment of the first tenant is 2.0.0.1 and the IP address of the user equipment of the second tenant is 3.0.0.1. When tenant user01 needs to access tenant user02, the management server can determine that the virtual interface identifier of tenant user01 is virtual-if01 and the virtual interface identifier of tenant user02 is virtual-if02, and, based on the preset Internet address pool 1.1.1.0/24, allocate the address 1.1.1.1 to virtual-if01 and the address 1.1.1.2 to virtual-if02. At the same time it can set the VPN bound to virtual-if01 to VPN_user01 and the VPN bound to virtual-if02 to VPN_user02.
After the network device receives the virtual interface configuration order, it can create the virtual interfaces virtual-if01 and virtual-if02, configure the address of virtual-if01 as 1.1.1.1 and the address of virtual-if02 as 1.1.1.2, and at the same time establish the correspondence between virtual-if01 and VPN_user01 and the correspondence between virtual-if02 and VPN_user02.
Optionally, an embodiment of the present invention further provides a process for configuring the route forwarding table; accordingly, steps 305 to 306 may follow step 303 above.
Step 305: receive the routing configuration order, corresponding to the first route forwarding table, sent by the management server.
In implementation, technical staff can also issue a routing configuration order to the network device through the management server of the SDN security protection system, so as to realize mutual access between different tenants. The routing configuration order may include the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface; it may also carry the identifier of the first VPN, so that the network device configures the first route forwarding table according to the identifier of the first VPN.
For example, the static route configured for tenant user01 in the SDN security protection system may be: ip route 3.0.0.0 255.255.255.0 1.1.1.2, or ip route 3.0.0.0 255.255.255.0 virtual-if01. With this configuration, interworking with tenant user02 can be achieved.
The static route configured for tenant user02 in the SDN security protection system may be: ip route 2.0.0.0 255.255.255.0 1.1.1.1, or ip route 2.0.0.0 255.255.255.0 virtual-if02. With this configuration, interworking with tenant user01 can be achieved.
Step 306: add to the first route forwarding table a forwarding table entry with the IP address of the second user equipment as destination address, the first virtual interface as outgoing interface and the address of the second virtual interface as next hop address, and set the security policy between the first user equipment and the second user equipment to the permit state.
In implementation, after the network device receives the routing configuration order, it can add an entry to the first route forwarding table according to that order; specifically, the network device adds to the first route forwarding table a forwarding table entry with the IP address of the second user equipment as destination address, the first virtual interface as outgoing interface and the address of the second virtual interface as next hop address. In addition, the network device can set the security policy between the first user equipment and the second user equipment to the permit state, so that the first user equipment and the second user equipment can send service messages to each other, and so that the network device can also perform security inspection on the received service messages.
For example, for tenant user01, the network device can configure the following static route in its corresponding first routing table: destination address 3.0.0.0/24, outgoing interface virtual-if01, next hop address 1.1.1.2; the network device can also permit the security policy whose source address is 2.0.0.1 and destination address is 3.0.0.1, so that a service message with source address 2.0.0.1 and destination address 3.0.0.1 can be sent into the VPN domain of tenant user02. Similarly, for tenant user02, the network device can configure the following static route in its corresponding second routing table: destination address 2.0.0.0/24, outgoing interface virtual-if02, next hop address 1.1.1.1; the network device can also set and execute the security policy permitting source address 3.0.0.1 and destination address 2.0.0.1, so that a service message with source address 3.0.0.1 and destination address 2.0.0.1 can be sent into the VPN domain of tenant user01.
An embodiment of the present invention further provides an example of configuring inter-domain policies; an inter-domain policy is one application form of a security policy. Specifically: set the source security domain to zone_user01, the destination security domain to zone_user02, the source IP address to 2.0.0.1, the destination IP address to 3.0.0.1 and the filtering rule to permit; and set the source security domain to zone_user02, the destination security domain to zone_user01, the source IP address to 3.0.0.1, the destination IP address to 2.0.0.1 and the filtering rule to permit. Based on the inter-domain policies configured above, after the network device receives a service message sent by tenant user01 it can allow the service message to be forwarded to tenant user02; likewise, after it receives a service message sent by tenant user02 it can allow the service message to be forwarded to tenant user01.
An embodiment of the present invention further provides an example of a method of configuring virtual interfaces. As shown in Fig. 4, the specific processing is as follows:
Step 401: receive the virtual interface configuration order sent by the management server.
Here, the virtual interface configuration order includes a first virtual interface creation command, a second virtual interface creation command, a first address configuration command, a second address configuration command, a first VPN binding command and a second VPN binding command. The first virtual interface creation command includes virtual-if01; the second virtual interface creation command includes virtual-if02; the first address configuration command includes virtual-if01 and 1.1.1.1; the second address configuration command includes virtual-if02 and 1.1.1.2; the first VPN binding command includes virtual-if01 and VPN_user01; and the second VPN binding command includes virtual-if02 and VPN_user02.
Step 402: execute the first virtual interface creation command to create the virtual interface virtual-if01.
Step 403: execute the first address configuration command to configure the address of virtual-if01 as 1.1.1.1.
Step 404: execute the first VPN binding command to establish the correspondence between virtual-if01 and VPN_user01.
Step 405: in the first routing table corresponding to tenant user01, configure the mutual-access static route: destination address 3.0.0.0/24, outgoing interface virtual-if01, next hop address 1.1.1.2.
Step 406: set and execute the security policy permitting source address 2.0.0.1 and destination address 3.0.0.1.
Step 402': execute the second virtual interface creation command to create the virtual interface virtual-if02.
Step 403': execute the second address configuration command to configure the address of virtual-if02 as 1.1.1.2.
Step 404': execute the second VPN binding command to establish the correspondence between virtual-if02 and VPN_user02.
Step 405': in the routing table corresponding to tenant user02, configure the mutual-access static route: destination address 2.0.0.0/24, outgoing interface virtual-if02, next hop address 1.1.1.1.
Step 406': set and execute the security policy permitting source address 3.0.0.1 and destination address 2.0.0.1.
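The configuration steps 401 to 406 and 402' to 406' together with the inter-domain policy example above, as an added Python example that is not the patent's code: it applies the creation, address and VPN-binding commands to an in-memory device state, parses the quoted ip route lines into per-VPN static routes, rejects a route whose outgoing virtual interface is bound to a different VPN (the cross-VPN static route the text says the scheme avoids), and evaluates the inter-domain policy with deny as the default. The method names and the in-memory layout are this example's own assumptions.

```python
import ipaddress


class DeviceConfig:
    """Configuration state built by the virtual interface and routing orders."""

    def __init__(self):
        self.virtual_ifs = {}    # name -> {"address": IPv4Address or None, "vpn": str or None}
        self.static_routes = {}  # VPN -> list of (IPv4Network, ("next_hop", addr) | ("interface", name))
        self.policies = []       # (src_zone, dst_zone, src_ip, dst_ip, action); first match wins

    def create_virtual_interface(self, name):        # step 402 / 402'
        self.virtual_ifs.setdefault(name, {"address": None, "vpn": None})

    def configure_address(self, name, addr):         # step 403 / 403'
        self.virtual_ifs[name]["address"] = ipaddress.ip_address(addr)

    def bind_vpn(self, name, vpn):                   # step 404 / 404'
        self.virtual_ifs[name]["vpn"] = vpn

    def add_static_route(self, vpn, line):           # step 405 / 405'
        """Parse 'ip route <net> <mask> <next-hop-ip | out-interface>' into the VPN's table."""
        tok = line.split()
        if len(tok) != 5 or tok[:2] != ["ip", "route"]:
            raise ValueError(f"unsupported command: {line}")
        prefix = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=True)
        target = tok[4]
        if target in self.virtual_ifs:
            # The outgoing virtual interface must belong to the route owner's own VPN:
            # the first virtual interface and the first user equipment share one VPN.
            if self.virtual_ifs[target]["vpn"] != vpn:
                raise ValueError(f"{target} is not bound to {vpn}: cross-VPN static route")
            via = ("interface", target)
        else:
            nh = ipaddress.ip_address(target)
            # A next hop address must be the address of a configured virtual interface.
            if not any(v["address"] == nh for v in self.virtual_ifs.values()):
                raise ValueError(f"next hop {nh} is not a virtual interface address")
            via = ("next_hop", nh)
        self.static_routes.setdefault(vpn, []).append((prefix, via))
        return prefix, via

    def add_interzone_policy(self, src_zone, dst_zone, src_ip, dst_ip, action):  # step 406 / 406'
        self.policies.append((src_zone, dst_zone, ipaddress.ip_address(src_ip),
                              ipaddress.ip_address(dst_ip), action))

    def policy_allows(self, src_zone, dst_zone, src_ip, dst_ip):
        """The first matching inter-domain rule decides; no matching rule means deny."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for sz, dz, s, d, action in self.policies:
            if (sz, dz, s, d) == (src_zone, dst_zone, src_ip, dst_ip):
                return action == "permit"
        return False


def configure_example():
    """Apply the orders of steps 401-406 and 402'-406' with the values given in the text."""
    cfg = DeviceConfig()
    for name, addr, vpn in (("virtual-if01", "1.1.1.1", "VPN_user01"),
                            ("virtual-if02", "1.1.1.2", "VPN_user02")):
        cfg.create_virtual_interface(name)
        cfg.configure_address(name, addr)
        cfg.bind_vpn(name, vpn)
    cfg.add_static_route("VPN_user01", "ip route 3.0.0.0 255.255.255.0 1.1.1.2")
    cfg.add_static_route("VPN_user02", "ip route 2.0.0.0 255.255.255.0 virtual-if02")
    cfg.add_interzone_policy("zone_user01", "zone_user02", "2.0.0.1", "3.0.0.1", "permit")
    cfg.add_interzone_policy("zone_user02", "zone_user01", "3.0.0.1", "2.0.0.1", "permit")
    return cfg


if __name__ == "__main__":
    cfg = configure_example()
    print(cfg.policy_allows("zone_user01", "zone_user02", "2.0.0.1", "3.0.0.1"))  # True
    print(cfg.policy_allows("zone_user01", "zone_user02", "2.0.0.7", "3.0.0.1"))  # False
```

Only the host pair named in the policy is permitted, in the stated direction; any other source in the tenant's network stays denied even though the static route would carry it.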
An embodiment of the present invention further provides an example of a method of sending a service message. As shown in Fig. 5, the specific processing is as follows:
Step 501: receive the service message sent by the first user equipment through downlink sub-interface 1.
Here, the source IP address of the service message is 2.0.0.0/24 and the destination IP address is 3.0.0.0/24.
Step 502: determine that the VPN bound to downlink sub-interface 1 is VPN_user01, and, in the first route forwarding table corresponding to VPN_user01, look up the outgoing interface virtual-if01 and the next hop address 1.1.1.2 corresponding to 3.0.0.0/24.
Step 503: through virtual-if01, send the service message to the interface whose address is 1.1.1.2 (that is, virtual-if02).
Step 504: determine that the VPN bound to virtual-if02 is VPN_user02, and, in the route forwarding table corresponding to VPN_user02, look up that the outgoing interface corresponding to 3.0.0.0/24 is virtual-if02 and the next hop address is 2.1.1.2.
Step 505: with virtual-if02 as the outgoing interface, send the service message to the interface whose address is 2.1.1.2 (that is, downlink sub-interface 2).
Step 506: send the service message out through downlink sub-interface 2.
Based on the same technical idea, as shown in Fig. 6, an embodiment of the present application further provides a device for sending a service message. The device is applied to a security device and includes:
a first receiving module 610, configured to receive the service message sent by the first user equipment, the destination address of the service message being the IP address of the second user equipment;
a first determining module 620, configured to determine, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first route forwarding table includes the correspondence between destination address, outgoing interface and next hop address, the first outgoing interface is the first virtual interface corresponding to the first user equipment, and the first next hop address is the address of the second virtual interface corresponding to the second user equipment;
a first sending module 630, configured to send the service message through the first virtual interface to the second virtual interface according to the first next hop address;
a second sending module 640, configured to send the service message to the second user equipment through the second virtual interface.
Optionally, as shown in Fig. 7, the device further includes:
a second determining module 650, configured to determine the first VPN corresponding to the first downlink sub-interface according to the pre-stored correspondence between downlink sub-interfaces and VPNs, the first downlink sub-interface being the downlink sub-interface that receives the service message;
a third determining module 660, configured to determine the first route forwarding table corresponding to the first VPN according to the pre-stored correspondence between VPNs and route forwarding tables.
Optionally, the second sending module 640 is specifically configured to:
determine the second VPN corresponding to the second virtual interface according to the pre-stored correspondence between virtual interfaces and VPNs;
determine the second route forwarding table corresponding to the second VPN according to the pre-stored correspondence between VPNs and route forwarding tables, the second route forwarding table including the correspondence between destination address, outgoing interface and next hop address;
determine, according to the second route forwarding table, the second next hop address corresponding to the IP address of the second user equipment, the second next hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
send the service message to the second downlink sub-interface according to the second next hop address;
send the service message out through the downlink sub-interface.
Optionally, as shown in Fig. 8, the device further includes:
a second receiving module 670, configured to receive the virtual interface configuration order sent by the management server, the virtual interface configuration order including the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
a creation module 680, configured to create the first virtual interface and the second virtual interface;
an establishing module 690, configured to configure the address of the first virtual interface and the address of the second virtual interface, establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, as shown in Fig. 9, the device further includes:
a third receiving module 6100, configured to receive the routing configuration order, corresponding to the first route forwarding table, sent by the management server, the routing configuration order including the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
an adding module 6110, configured to add to the first route forwarding table a forwarding table entry with the IP address of the second user equipment as destination address, the first virtual interface as outgoing interface and the address of the second virtual interface as next hop address, and to set the security policy between the first user equipment and the second user equipment to the permit state.
In the embodiment of the present invention, the network device receives the service message sent by the first user equipment, whose destination address is the IP address of the second user equipment; it then determines, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next hop address is the address of the second virtual interface corresponding to the second user equipment; the network device then sends the service message through the first virtual interface to the second virtual interface according to the first next hop address, and through the second virtual interface to the second user equipment, thereby realizing mutual access between tenants inside the same security device.
The embodiment of the present application also provides a kind of safety equipments, as shown in Figure 10, including processor 1001, communication interface 1002, memory 1003 and communication bus 1004, wherein processor 1001, communication interface 1002, memory 1003 pass through communication Bus 1004 completes mutual communication,
Memory 1003, for storing computer program;
Processor 1001, when for executing the program stored on memory 1003, so that the safety equipment executes transmission The step of method of service message, this method include:
The service message of the first user equipment transmission is received, the destination address of the service message is second user equipment IP address;
According to corresponding first route forwarding table of pre-stored first user equipment, determine that the second user is set Corresponding first outgoing interface of standby IP address and the first next hop address, first route forwarding table include destination address, go out The correspondence of interface and next hop address, first outgoing interface are that first user equipment corresponding first virtually connects Mouthful, first next hop address is the address of corresponding second virtual interface of the second user equipment;
By first virtual interface, the service message is sent to described according to first next hop address Two virtual interfaces;
By second virtual interface, the service message is sent to the second user equipment.
Optionally, described according to corresponding first route forwarding table of pre-stored first user equipment, determine institute Before corresponding first outgoing interface of IP address and the first next hop address of stating second user equipment, the method further includes:
According to the correspondence of pre-stored downlink sub-interface and VPN, the first downlink sub-interface corresponding first is determined VPN, the first downlink sub-interface are the downlink sub-interface for receiving the service message;
According to the correspondence of the VPN of default storage and route forwarding table, determine the corresponding first via of the first VPN by Forwarding table.
Optionally, sending the service message to the second user equipment through the second virtual interface includes:
According to a pre-stored correspondence between virtual interfaces and VPNs, determine the second VPN corresponding to the second virtual interface;
According to the pre-stored correspondence between VPNs and route forwarding tables, determine the second route forwarding table corresponding to the second VPN, the second route forwarding table containing the correspondence between destination address, outgoing interface and next-hop address;
According to the second route forwarding table, determine the second next-hop address corresponding to the IP address of the second user equipment, the second next-hop address being the address of the second downlink sub-interface corresponding to the second user equipment;
According to the second next-hop address, send the service message to the second downlink sub-interface;
Send the service message out through the second downlink sub-interface.
Optionally, the method further includes:
Receive a virtual interface configuration command sent by a management server. The virtual interface configuration command includes the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface, and the identifier of the second VPN corresponding to the second virtual interface;
Create the first virtual interface and the second virtual interface;
Configure the address of the first virtual interface and the address of the second virtual interface; establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN; and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
Optionally, the method further includes:
Receive a routing configuration command corresponding to the first route forwarding table, sent by the management server. The routing configuration command includes the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
Add to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next-hop address is the address of the second virtual interface, and set the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
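The two-table forwarding pipeline and the two management-server commands described above, as an added Python illustration that is not the applicant's code. Interface names, VPN names and addresses are assumptions, as are the pre-stored downlink routes and the point at which the tenant security policy is checked, neither of which the page specifies.

```python
# Constructed model of one security device carrying two tenants; the VPN, interface
# and address values are assumptions, not taken from the patent.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteEntry:
    dest: str       # destination IP address
    out_iface: str  # outgoing interface
    next_hop: str   # next-hop address


@dataclass
class SecurityDevice:
    subif_to_vpn: Dict[str, str] = field(default_factory=dict)       # downlink sub-interface -> VPN
    vif_to_vpn: Dict[str, str] = field(default_factory=dict)         # virtual interface -> VPN
    addr_to_iface: Dict[str, str] = field(default_factory=dict)      # interface address -> interface
    rft: Dict[str, List[RouteEntry]] = field(default_factory=dict)   # VPN -> route forwarding table
    policy: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (src ip, dst ip) -> state

    def add_downlink(self, subif: str, addr: str, vpn: str, tenant_ip: str) -> None:
        # Pre-stored state the page relies on but does not show being configured:
        # the sub-interface's VPN and a route to the tenant behind it (assumption).
        self.subif_to_vpn[subif] = vpn
        self.addr_to_iface[addr] = subif
        self.rft.setdefault(vpn, []).append(RouteEntry(tenant_ip, subif, addr))

    def apply_vif_config(self, vif1, addr1, vpn1, vif2, addr2, vpn2) -> None:
        # Virtual interface configuration command: create both virtual interfaces,
        # assign their addresses and bind each one to its VPN.
        for vif, addr, vpn in ((vif1, addr1, vpn1), (vif2, addr2, vpn2)):
            self.addr_to_iface[addr] = vif
            self.vif_to_vpn[vif] = vpn
            self.rft.setdefault(vpn, [])

    def apply_route_config(self, vif1, src_ip, dst_ip, vif2_addr) -> None:
        # Routing configuration command: an entry in the first VPN's table whose
        # outgoing interface is vif1 and whose next hop is vif2's address, plus the
        # permit policy between the two tenants (keying the policy on the two IPs,
        # and passing src_ip explicitly, is an assumption of this model).
        vpn1 = self.vif_to_vpn[vif1]
        self.rft[vpn1].append(RouteEntry(dst_ip, vif1, vif2_addr))
        self.policy[(src_ip, dst_ip)] = "permit"

    def _lookup(self, vpn: Optional[str], dst_ip: str) -> Optional[RouteEntry]:
        return next((e for e in self.rft.get(vpn, []) if e.dest == dst_ip), None)

    def forward(self, in_subif: str, src_ip: str, dst_ip: str) -> Optional[List[str]]:
        """Return the interfaces a service message traverses, or None if it is dropped."""
        if self.policy.get((src_ip, dst_ip)) != "permit":
            return None                                 # policy between the tenants not opened
        vpn1 = self.subif_to_vpn.get(in_subif)          # receiving sub-interface -> first VPN
        e1 = self._lookup(vpn1, dst_ip)                 # first route forwarding table
        if e1 is None or e1.out_iface not in self.vif_to_vpn:
            return None
        vif2 = self.addr_to_iface.get(e1.next_hop)      # next hop is the second virtual interface
        if vif2 is None:
            return None
        vpn2 = self.vif_to_vpn[vif2]                    # second virtual interface -> second VPN
        e2 = self._lookup(vpn2, dst_ip)                 # second route forwarding table
        if e2 is None or self.addr_to_iface.get(e2.next_hop) != e2.out_iface:
            return None                                 # next hop must be the downlink sub-interface
        return [in_subif, e1.out_iface, vif2, e2.out_iface]


def build_example_device() -> SecurityDevice:
    """Two tenants on one device; only tenant A -> tenant B is opened (constructed data)."""
    dev = SecurityDevice()
    dev.add_downlink("GE1/0/1.10", "10.1.1.1", "VPN-A", "10.1.1.2")
    dev.add_downlink("GE1/0/1.20", "10.2.2.1", "VPN-B", "10.2.2.2")
    dev.apply_vif_config("vif-A", "192.168.100.1", "VPN-A",
                         "vif-B", "192.168.100.2", "VPN-B")
    dev.apply_route_config("vif-A", "10.1.1.2", "10.2.2.2", "192.168.100.2")
    return dev
```

Calling `build_example_device().forward("GE1/0/1.10", "10.1.1.2", "10.2.2.2")` walks the message across both virtual interfaces, while the reverse direction, for which no entry or policy was configured, is dropped.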
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one thick line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
In another embodiment provided by the invention, a computer-readable storage medium is further provided. A computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor it implements the steps of any of the above methods for sending a service message.
In another embodiment provided by the invention, a computer program product including instructions is further provided; when it runs on a computer, it causes the computer to execute any of the methods for sending a service message in the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center integrating one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state disk (SSD)).
In the embodiments of the present invention, the network device receives a service message sent by a first user equipment whose destination address is the IP address of a second user equipment. According to a pre-stored first route forwarding table corresponding to the first user equipment, it determines the first outgoing interface and the first next-hop address corresponding to the IP address of the second user equipment, where the first outgoing interface is the first virtual interface corresponding to the first user equipment and the first next-hop address is the address of the second virtual interface corresponding to the second user equipment. The network device then sends the service message through the first virtual interface to the second virtual interface according to the first next-hop address, and through the second virtual interface to the second user equipment, thereby realizing mutual access between tenants inside the same security device.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; identical or similar parts between the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the device embodiment is substantially similar to the method embodiment, it is described fairly simply, and for related details reference may be made to the description of the method embodiment.
The foregoing is merely the preferred embodiments of the application and is not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the application are all included within its scope of protection.

Claims (12)

1. A method for sending a service message, characterized in that the method is applied to a network device and comprises:
receiving a service message sent by a first user equipment, the destination address of the service message being the Internet Protocol (IP) address of a second user equipment;
determining, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next-hop address corresponding to the IP address of the second user equipment, the first route forwarding table comprising the correspondence between destination address, outgoing interface and next-hop address, the first outgoing interface being a first virtual interface corresponding to the first user equipment, and the first next-hop address being the address of a second virtual interface corresponding to the second user equipment;
sending the service message to the second virtual interface through the first virtual interface according to the first next-hop address;
sending the service message to the second user equipment through the second virtual interface.
2. The method according to claim 1, characterized in that before determining, according to the pre-stored first route forwarding table corresponding to the first user equipment, the first outgoing interface and the first next-hop address corresponding to the IP address of the second user equipment, the method further comprises:
determining, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
determining, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
3. The method according to claim 1, characterized in that sending the service message to the second user equipment through the second virtual interface comprises:
determining, according to a pre-stored correspondence between virtual interfaces and VPNs, a second VPN corresponding to the second virtual interface;
determining, according to a pre-stored correspondence between VPNs and route forwarding tables, a second route forwarding table corresponding to the second VPN, the second route forwarding table comprising the correspondence between destination address, outgoing interface and next-hop address;
determining, according to the second route forwarding table, a second next-hop address corresponding to the IP address of the second user equipment, the second next-hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
sending the service message to the second downlink sub-interface according to the second next-hop address;
sending the service message out through the second downlink sub-interface.
4. The method according to claim 3, characterized in that the method further comprises:
receiving a virtual interface configuration command sent by a management server, the virtual interface configuration command comprising the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
creating the first virtual interface and the second virtual interface;
configuring the address of the first virtual interface and the address of the second virtual interface, establishing the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establishing the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
5. The method according to claim 4, characterized in that the method further comprises:
receiving a routing configuration command corresponding to the first route forwarding table sent by the management server, the routing configuration command comprising the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
adding to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next-hop address is the address of the second virtual interface, and setting the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
6. A device for sending a service message, characterized in that the device is applied to a security device and comprises:
a first receiving module, configured to receive a service message sent by a first user equipment, the destination address of the service message being the Internet Protocol (IP) address of a second user equipment;
a first determining module, configured to determine, according to a pre-stored first route forwarding table corresponding to the first user equipment, a first outgoing interface and a first next-hop address corresponding to the IP address of the second user equipment, the first route forwarding table comprising the correspondence between destination address, outgoing interface and next-hop address, the first outgoing interface being a first virtual interface corresponding to the first user equipment, and the first next-hop address being the address of a second virtual interface corresponding to the second user equipment;
a first sending module, configured to send the service message to the second virtual interface through the first virtual interface according to the first next-hop address;
a second sending module, configured to send the service message to the second user equipment through the second virtual interface.
7. The device according to claim 6, characterized in that the device further comprises:
a second determining module, configured to determine, according to a pre-stored correspondence between downlink sub-interfaces and VPNs, a first VPN corresponding to a first downlink sub-interface, the first downlink sub-interface being the downlink sub-interface that received the service message;
a third determining module, configured to determine, according to a pre-stored correspondence between VPNs and route forwarding tables, the first route forwarding table corresponding to the first VPN.
8. The device according to claim 6, characterized in that the second sending module is specifically configured to:
determine, according to a pre-stored correspondence between virtual interfaces and VPNs, a second VPN corresponding to the second virtual interface;
determine, according to a pre-stored correspondence between VPNs and route forwarding tables, a second route forwarding table corresponding to the second VPN, the second route forwarding table comprising the correspondence between destination address, outgoing interface and next-hop address;
determine, according to the second route forwarding table, a second next-hop address corresponding to the IP address of the second user equipment, the second next-hop address being the address of a second downlink sub-interface corresponding to the second user equipment;
send the service message to the second downlink sub-interface according to the second next-hop address;
send the service message out through the second downlink sub-interface.
9. The device according to claim 8, characterized in that the device further comprises:
a second receiving module, configured to receive a virtual interface configuration command sent by a management server, the virtual interface configuration command comprising the identifier of the first virtual interface, the address of the first virtual interface, the identifier of the first VPN corresponding to the first virtual interface, the identifier of the second virtual interface, the address of the second virtual interface and the identifier of the second VPN corresponding to the second virtual interface;
a creation module, configured to create the first virtual interface and the second virtual interface;
an establishing module, configured to configure the address of the first virtual interface and the address of the second virtual interface, establish the correspondence between the first virtual interface and the first VPN according to the identifier of the first virtual interface and the identifier of the first VPN, and establish the correspondence between the second virtual interface and the second VPN according to the identifier of the second virtual interface and the identifier of the second VPN.
10. The device according to claim 9, characterized in that the device further comprises:
a third receiving module, configured to receive a routing configuration command corresponding to the first route forwarding table sent by the management server, the routing configuration command comprising the identifier of the first virtual interface, the IP address of the second user equipment and the address of the second virtual interface;
an adding module, configured to add to the first route forwarding table a forwarding entry whose destination address is the IP address of the second user equipment, whose outgoing interface is the first virtual interface and whose next-hop address is the address of the second virtual interface, and to set the security policy between the first user equipment and the second user equipment to the permit (pass-through) state.
11. A security device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another via the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements the method steps of any of claims 1-5.
12. A machine-readable storage medium, characterized in that it stores machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method steps of any of claims 1-5.
CN201810698539.7A 2018-06-29 2018-06-29 Method and device for sending service message Active CN108768861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810698539.7A CN108768861B (en) 2018-06-29 2018-06-29 Method and device for sending service message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810698539.7A CN108768861B (en) 2018-06-29 2018-06-29 Method and device for sending service message

Publications (2)

Publication Number Publication Date
CN108768861A true CN108768861A (en) 2018-11-06
CN108768861B CN108768861B (en) 2021-01-08

Family

ID=63975144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810698539.7A Active CN108768861B (en) 2018-06-29 2018-06-29 Method and device for sending service message

Country Status (1)

Country Link
CN (1) CN108768861B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200559A (en) * 2018-11-19 2020-05-26 中国电信股份有限公司 Routing method and routing device
CN111614536A (en) * 2020-04-20 2020-09-01 视联动力信息技术股份有限公司 Data forwarding method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020037010A1 (en) * 2000-09-28 2002-03-28 Nec Corporation MPLS-VPN service network
CN1852214A (en) * 2005-11-02 2006-10-25 华为技术有限公司 Routing method of virtual special network
CN101599901A (en) * 2009-07-15 2009-12-09 杭州华三通信技术有限公司 The method of remotely accessing MPLS VPN, system and gateway
CN101626338A (en) * 2009-08-03 2010-01-13 杭州华三通信技术有限公司 Method and device for realizing multiple virtual private network (VPN) examples
CN102082738A (en) * 2011-03-10 2011-06-01 迈普通信技术股份有限公司 Method for extending MPLS VPN access through public network and PE equipment
CN102325073A (en) * 2011-07-06 2012-01-18 杭州华三通信技术有限公司 VPLS (Virtual Private Local Area Network Service)-based message processing method and device thereof
CN105049316A (en) * 2015-08-26 2015-11-11 华为技术有限公司 Communication method and communication device
CN107959611A (en) * 2016-10-17 2018-04-24 华为技术有限公司 Packet forwarding method, apparatus and system

Also Published As

Publication number Publication date
CN108768861B (en) 2021-01-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant