CN109412927A - Multi-VPN data transmission method, apparatus and network device - Google Patents


Info

Publication number
CN109412927A
Authority
CN
China
Prior art keywords
gre
data message
tunnel
vpn
address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811472515.6A
Other languages
Chinese (zh)
Other versions
CN109412927B (en)
Inventor
王守唐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201811472515.6A
Publication of CN109412927A
Application granted
Publication of CN109412927B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a multi-VPN (Virtual Private Network) data transmission method, apparatus and network device. The invention distinguishes GRE tunnels by the tunnel's source IP address, destination IP address and tunnel identifier, and establishes a one-to-one correspondence between VPNs and GRE tunnels. When a data message from a VPN is transmitted, the GRE encapsulation carries the tunnel identifier of the tunnel. The receiving device identifies the GRE tunnel from the source IP address, destination IP address and tunnel identifier of the GRE tunnel encapsulated in the data message and, according to the unique correspondence between GRE tunnels and VPNs, forwards the data message to the VPN corresponding to that GRE tunnel. In addition, because each GRE tunnel corresponds to exactly one VPN, a private IP address in the same network segment as the corresponding VPN can be configured on the GRE tunnel interface, which enables dynamic route learning within each VPN.

Description

Multi-VPN data transmission method, apparatus and network device
Technical field
The present invention relates to the field of network communication technology, and in particular to a multi-VPN data transmission method, apparatus and network device.
Background
The GRE (Generic Routing Encapsulation) protocol encapsulates data messages of certain network layer protocols so that the encapsulated data messages can be transmitted over another network layer protocol. The network layer protocols of the data message before and after encapsulation may be the same or different.
The path along which an encapsulated data message travels through the network is called a GRE tunnel. A GRE tunnel is a virtual point-to-point connection; the devices at the two ends of the tunnel encapsulate and decapsulate data messages respectively.
The number of GRE tunnels that can be established between devices depends on the number of public IP addresses available to the devices. Because public IP addresses are scarce, a device usually has only one public IP address, so only one GRE tunnel can be established between two devices.
If the data of multiple VPNs (Virtual Private Networks) is all transmitted through this one GRE tunnel, the VPN name has to be carried in the GRE header. The receiving end determines the VPN to which the current data belongs by identifying the VPN name.
In this transmission mode the GRE tunnel does not belong to any one VPN, so dynamic route learning for multiple VPNs over the GRE tunnel cannot be supported.
Summary of the invention
To solve the problem that existing multi-VPN data transmission modes cannot support multi-VPN dynamic route learning over GRE tunnels, the present invention proposes a multi-VPN data transmission method, apparatus and network device that transmit multi-VPN data while also supporting dynamic route learning for multiple VPNs over GRE tunnels.
To achieve the above object, the present invention provides the following technical solutions:
In a first aspect, the present invention provides a multi-VPN data transmission method applied to a first network device. The first network device and a second network device are each configured with GRE tunnel interfaces in one-to-one correspondence with multiple VPNs; the GRE tunnel interfaces corresponding to the same VPN have the same tunnel identifier, and the GRE tunnel interfaces corresponding to different VPNs have different tunnel identifiers. The method includes:
If a first data message from a target VPN is received and the outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, encapsulating a GRE header for the first data message to generate a second data message, the GRE header including the tunnel identifier of the first GRE tunnel interface;
Encapsulating, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface, generating a third data message and sending it to the second network device, so that the second network device, after receiving the third data message, determines a second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
Optionally, the method further includes:
If a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, obtaining the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of a third GRE tunnel interface;
Determining a fourth GRE tunnel interface based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
Decapsulating the fourth data message to obtain a fifth data message;
Forwarding the fifth data message to the VPN corresponding to the fourth GRE tunnel interface, according to the preconfigured correspondence between GRE tunnel interfaces and VPNs.
Optionally, the tunnel identifier is carried in the Key field of the GRE header.
Optionally, the tunnel identifier is carried in an extension field of the GRE header.
In a second aspect, the present invention provides a multi-VPN data transmission apparatus applied to a first network device. The first network device and a second network device are each configured with GRE tunnel interfaces in one-to-one correspondence with multiple VPNs; the GRE tunnel interfaces corresponding to the same VPN have the same tunnel identifier, and the GRE tunnel interfaces corresponding to different VPNs have different tunnel identifiers. The apparatus includes:
An encapsulation unit, configured to, if a first data message from a target VPN is received and the outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, encapsulate a GRE header for the first data message to generate a second data message, the GRE header including the tunnel identifier of the first GRE tunnel interface; and to encapsulate, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface, generating a third data message;
A first sending unit, configured to send the third data message to the second network device, so that the second network device, after receiving the third data message, determines a second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
Optionally, the apparatus further includes:
A receiving unit, configured to, if a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, obtain the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of a third GRE tunnel interface;
A determination unit, configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
A decapsulation unit, configured to decapsulate the fourth data message to obtain a fifth data message;
A second sending unit, configured to forward the fifth data message to the VPN corresponding to the fourth GRE tunnel interface, according to the preconfigured correspondence between GRE tunnel interfaces and VPNs.
Optionally, the tunnel identifier is carried in the Key field of the GRE header.
Optionally, the tunnel identifier is carried in an extension field of the GRE header.
In a third aspect, the present invention provides a network device. The device includes a processor and a machine-readable storage medium; the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the multi-VPN data transmission method described above.
In a fourth aspect, the present invention provides a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, implement the multi-VPN data transmission method described above.
As can be seen from the above description, the present invention distinguishes GRE tunnels by the tunnel's source IP address, destination IP address and tunnel identifier, so multiple GRE tunnels can still be established when public IP addresses are limited (for example, when a device has only one public IP address). The invention also establishes a one-to-one correspondence between VPNs and GRE tunnels. When sending a data message from a VPN, the sending end performs GRE encapsulation on the data message and carries the tunnel identifier of the tunnel in the GRE encapsulation. The receiving end identifies the GRE tunnel from the source IP address, destination IP address and tunnel identifier of the GRE tunnel in the GRE encapsulation and, according to the unique correspondence between GRE tunnels and VPNs, forwards the decapsulated data message to the VPN corresponding to that GRE tunnel. In addition, because each GRE tunnel corresponds to exactly one VPN, a private IP address in the same network segment as the corresponding VPN can be configured on the GRE tunnel interface, which enables dynamic route learning within each VPN.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a multi-VPN data transmission method shown in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application scenario shown in an embodiment of the present invention;
Fig. 3 is the processing flow of the first network device acting as the receiving end, shown in an embodiment of the present invention;
Fig. 4A is a structural schematic diagram of a multi-VPN data transmission apparatus shown in an embodiment of the present invention;
Fig. 4B is a structural schematic diagram of another multi-VPN data transmission apparatus shown in an embodiment of the present invention;
Fig. 5 is a hardware structure diagram of a network device shown in an embodiment of the present invention.
Detailed description
Example embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. When the following description refers to the drawings, the same numbers in different drawings indicate the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention. On the contrary, they are merely examples of apparatuses and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present invention to describe various pieces of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be referred to as second information and, similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein can be interpreted as "when", "at the time of" or "in response to determining".
An embodiment of the present invention provides a multi-VPN data transmission method. In this method the network device distinguishes GRE tunnels by the tunnel's source IP address, destination IP address and tunnel identifier, so multiple GRE tunnels can still be established when the network device's public IP addresses are limited, and a unique correspondence between GRE tunnels and VPNs is established. When the network device transmits a data message through a GRE tunnel, it encapsulates the source IP address, destination IP address and tunnel identifier of the GRE tunnel for the data message, so that the receiving device identifies the GRE tunnel from the encapsulated source IP address, destination IP address and tunnel identifier and, according to the unique correspondence between GRE tunnels and VPNs, forwards the decapsulated data message to the VPN corresponding to that GRE tunnel.
To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the drawings and specific embodiments:
Refer to Fig. 1, which is a flow chart of the multi-VPN data transmission method provided by an embodiment of the present invention. The flow is applied to a first network device. The first network device and a second network device are each configured with GRE tunnel interfaces in one-to-one correspondence with multiple VPNs; the GRE tunnel interfaces corresponding to the same VPN have the same tunnel identifier, and the GRE tunnel interfaces corresponding to different VPNs have different tunnel identifiers.
Here, "first network device" and "second network device" are names used only for ease of description and are not intended as limitations.
Fig. 2 is a schematic diagram of an application scenario shown in an embodiment of the present invention. Gateway 231 and gateway 232 are the first network device and the second network device respectively; site 211 and site 212 each include VPN221 and VPN222, and the data messages of the VPNs (VPN221 and VPN222) are transmitted between the two sites through GRE tunnels.
Two GRE tunnel interfaces are configured on gateway 231, denoted Tunnel221 and Tunnel222. The source IP address of Tunnel221 is 1.1.1.1, its destination IP address is 2.2.2.2 and its tunnel identifier is 221; the source IP address of Tunnel222 is 1.1.1.1, its destination IP address is 2.2.2.2 and its tunnel identifier is 222. The correspondence between Tunnel221 and VPN221 and the correspondence between Tunnel222 and VPN222 are also configured.
Two GRE tunnel interfaces are configured on gateway 232, denoted Tunnel221 and Tunnel222. The source IP address of Tunnel221 is 2.2.2.2, its destination IP address is 1.1.1.1 and its tunnel identifier is 221; the source IP address of Tunnel222 is 2.2.2.2, its destination IP address is 1.1.1.1 and its tunnel identifier is 222. The correspondence between Tunnel221 and VPN221 and the correspondence between Tunnel222 and VPN222 are also configured.
This can be understood as two independent GRE tunnels (Tunnel221 and Tunnel222) being configured between gateway 231 and gateway 232. Note that IP address 1.1.1.1 is the public IP address of gateway 231 and IP address 2.2.2.2 is the public IP address of gateway 232. Because public IP addresses are scarce, a network device is usually configured with few public IP addresses, for example only one.
As shown in Fig. 1, the flow can include the following steps:
Step 101: if a first data message from the target VPN is received and the outgoing interface for forwarding the first data message is determined to be the first GRE tunnel interface, the first network device encapsulates a GRE header for the first data message, generating a second data message.
The GRE header includes the tunnel identifier of the first GRE tunnel interface.
Here, "target VPN", "first data message", "first GRE tunnel interface" and "second data message" are names used only for ease of description and are not intended as limitations.
In a specific implementation, an internal network interface of the first network device can be bound to the target VPN; a data message received through that internal network interface then belongs to the target VPN bound to the interface (the first data message). The first network device matches the received first data message against the routing table entries in the target VPN. If the outgoing interface of the matched routing table entry is a GRE tunnel interface (the first GRE tunnel interface), it encapsulates a GRE header for the first data message. The GRE header includes the tunnel identifier of the first GRE tunnel interface.
For example, if the outgoing interface of the routing table entry matched by the first data message is Tunnel221, the GRE header encapsulated for the first data message includes the tunnel identifier 221 of Tunnel221.
In the embodiments of the present invention, the message obtained after the GRE header is encapsulated for the first data message is called the second data message.
Step 102: the first network device encapsulates, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface, generating a third data message that it sends to the second network device.
That is, a new IP header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface is encapsulated outside the GRE header. The tunnel source IP address of the first GRE tunnel interface is the public IP address of the first network device, and the tunnel destination IP address of the first GRE tunnel interface is the public IP address of the second network device. The encapsulated data message is called the third data message and can be forwarded by routing in the public network.
Here, "third data message" is a name used only for ease of description and is not intended as a limitation.
When the second network device receives the third data message, it determines the second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message.
Here, "second GRE tunnel interface" is a name used only for ease of description and is not intended as a limitation.
The second GRE tunnel interface is the GRE tunnel interface corresponding to the target VPN that is preconfigured on the second network device. The tunnel source IP address of the second GRE tunnel interface is the same as the tunnel destination IP address of the first GRE tunnel interface, the tunnel destination IP address of the second GRE tunnel interface is the same as the tunnel source IP address of the first GRE tunnel interface, and the tunnel identifier of the second GRE tunnel interface is the same as the tunnel identifier of the first GRE tunnel interface.
The second network device decapsulates the third data message (removing the source IP address and destination IP address of the first GRE tunnel interface and the GRE header) to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
This completes the flow shown in Fig. 1.
As can be seen from the flow shown in Fig. 1, in the embodiments of the present invention the network device distinguishes GRE tunnels by the tunnel's source IP address, destination IP address and tunnel identifier, so multiple GRE tunnels can still be established when the network device's public IP addresses are limited, and a unique correspondence between GRE tunnels and VPNs is established.
When the network device transmits a data message through a GRE tunnel, it encapsulates the source IP address, destination IP address and tunnel identifier of the GRE tunnel for the data message, so that the receiving device identifies the GRE tunnel from the encapsulated source IP address, destination IP address and tunnel identifier and, according to the unique correspondence between GRE tunnels and VPNs, forwards the decapsulated data message to the VPN corresponding to that GRE tunnel. This realizes data transmission for multiple VPNs.
In addition, because each GRE tunnel corresponds to exactly one VPN, a private IP address in the same network segment as the host IP addresses in the corresponding VPN can be configured on the GRE tunnel interface, which enables dynamic route learning within the VPN.
As shown in Fig. 2, on gateway 231 the private IP address of Tunnel221 is configured as a private IP address in the same network segment as the host IP addresses in VPN221 (e.g., 10.0.0.1), and the private IP address of Tunnel222 is configured as a private IP address in the same network segment as the host IP addresses in VPN222 (e.g., 20.0.0.1). Likewise, on gateway 232 the private IP address of Tunnel221 is configured as a private IP address in the same network segment as the host IP addresses in VPN221 (e.g., 10.0.0.2), and the private IP address of Tunnel222 is configured as a private IP address in the same network segment as the host IP addresses in VPN222 (e.g., 20.0.0.2). In this way, dynamic route learning across the GRE tunnels can be achieved within VPN221 and VPN222.
Refer to Fig. 3, which is the processing flow of the first network device acting as the receiving end, shown in an embodiment of the present invention.
As shown in Fig. 3, the flow can include the following steps:
Step 301: if a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, the first network device obtains the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface.
Here, "fourth data message" and "third GRE tunnel interface" are names used only for ease of description and are not intended as limitations.
The tunnel source IP address of the fourth data message is the public IP address of the second network device, and the tunnel destination IP address of the fourth data message is the public IP address of the first network device.
The first network device determines from the tunnel destination IP address of the fourth data message that the message is to be processed by this device. It then determines from the protocol number of the IP packet whether the fourth data message is a GRE message.
If the fourth data message is a GRE message (a message transmitted through a GRE tunnel), the device extracts the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface.
Step 302: based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface, the first network device determines the fourth GRE tunnel interface.
Because step 301 has already determined that the fourth data message is a GRE message, it follows that the tunnel source IP address and destination IP address of the fourth data message are the tunnel source IP address and destination IP address of the third GRE tunnel interface encapsulated by the second network device.
From the obtained tunnel source IP address, destination IP address and tunnel identifier of the third GRE tunnel interface, the first network device can determine the fourth GRE tunnel interface.
Here, "fourth GRE tunnel interface" is a name used only for ease of description and is not intended as a limitation.
The tunnel source IP address of the fourth GRE tunnel interface is the same as the tunnel destination IP address of the third GRE tunnel interface, the tunnel destination IP address of the fourth GRE tunnel interface is the same as the tunnel source IP address of the third GRE tunnel interface, and the tunnel identifier of the fourth GRE tunnel interface is the same as the tunnel identifier of the third GRE tunnel interface.
For example, if the tunnel source IP address that gateway 231 obtains from the fourth data message is 2.2.2.2, the destination IP address is 1.1.1.1 and the tunnel identifier is 221, then by matching against the locally configured GRE tunnel interfaces it can determine that the GRE tunnel interface receiving the data message is Tunnel221.
Step 303: the first network device decapsulates the fourth data message to obtain a fifth data message.
Here, "fifth data message" is a name used only for ease of description and is not intended as a limitation.
This step removes the GRE tunnel encapsulation and restores the data message that can be forwarded in the VPN.
Step 304: according to the preconfigured correspondence between GRE tunnel interfaces and VPNs, the first network device forwards the fifth data message to the VPN corresponding to the fourth GRE tunnel interface.
Because the correspondence between GRE tunnel interfaces and VPNs has been preconfigured on the first network device, it can determine from that correspondence the VPN to which the fifth data message belongs, and then forward the message by querying the routing table in that VPN.
For example, the correspondence between Tunnel221 and VPN221 has been preconfigured, so gateway 231 can determine that a data message received through Tunnel221 belongs to VPN221, and then forward it based on the routing table in VPN221.
This completes the flow shown in Fig. 3.
The flow shown in Fig. 3 implements the processing of received VPN data messages.
Optionally, as one embodiment, the tunnel identifier of the GRE tunnel interface is carried in the Key field of the GRE header.
The Key field is commonly used to check the legitimacy of a message. When configuring a GRE tunnel interface, the network device can configure the Key value of that GRE tunnel interface. When the sending end encapsulates a GRE header for a data message, it carries the Key value preconfigured on the local GRE tunnel interface in the Key field of the GRE header. The receiving end compares the Key value in the received GRE header with the Key value preconfigured on the local GRE tunnel interface; if they are the same, it continues to process the message; otherwise, it discards the message.
The embodiments of the present invention can directly use the preset Key value of the GRE tunnel interface as the tunnel identifier of the GRE tunnel interface. When the first network device encapsulates a GRE header for the first data message, it adds the Key value (the tunnel identifier of the tunnel interface) to the Key field of the GRE header.
After the second network device receives the encapsulated third data message (the first data message after encapsulation of the GRE header and of the tunnel source IP address and destination IP address of the GRE tunnel interface), it compares the Key value carried in the message with the Key value of the locally preconfigured GRE tunnel interface (for the same GRE tunnel, the Key values of the GRE tunnel interfaces configured on the second network device and the first network device are the same); if they are the same, it processes the received message. This completes the legitimacy check of the message. At the same time, GRE tunnels can be distinguished based on the Key value (the tunnel identifier of the tunnel interface).
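The encapsulation of steps 101 and 102 and the receive-side lookup of steps 301 to 304, for the Key-field variant just described, can be sketched as follows. This is an added example, not code from the patent: the function names, the table layout and the inner payload are hypothetical, the addresses and Key values are those of the Fig. 2 scenario, and the outer header is assumed to be IPv4 with the GRE Key extension (K bit) of RFC 2890.

```python
import socket
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
GRE_FLAG_CSUM = 0x8000    # C bit: checksum + reserved words present
GRE_FLAG_KEY = 0x2000     # K bit: Key field present (RFC 2890)
GRE_FLAG_SEQ = 0x1000     # S bit: sequence number present
ETHERTYPE_IPV4 = 0x0800

# Constructed tunnel tables with the values of the Fig. 2 scenario:
# (local tunnel source, tunnel destination, Key) -> (interface, VPN)
GATEWAY_231 = {
    ("1.1.1.1", "2.2.2.2", 221): ("Tunnel221", "VPN221"),
    ("1.1.1.1", "2.2.2.2", 222): ("Tunnel222", "VPN222"),
}
GATEWAY_232 = {
    ("2.2.2.2", "1.1.1.1", 221): ("Tunnel221", "VPN221"),
    ("2.2.2.2", "1.1.1.1", 222): ("Tunnel222", "VPN222"),
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, key: int) -> bytes:
    """Steps 101-102: GRE header carrying the Key, then the outer IP header."""
    gre = struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, key)
    fields = [0x45, 0, 20 + len(gre) + len(inner), 0, 0, 64, GRE_PROTO, 0,
              socket.inet_aton(tunnel_src), socket.inet_aton(tunnel_dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + gre + inner


def receive(packet: bytes, tunnels: dict):
    """Steps 301-304: return (interface, VPN, inner message), or None to drop."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != GRE_PROTO or len(packet) < ihl + 4:
        return None                       # not a well-formed GRE-in-IPv4 packet
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    (flags,) = struct.unpack("!H", packet[ihl:ihl + 2])
    offset = ihl + 4
    if flags & GRE_FLAG_CSUM:
        offset += 4                       # skip checksum and reserved words
    if not flags & GRE_FLAG_KEY or len(packet) < offset + 4:
        return None                       # no Key: tunnel cannot be identified
    (key,) = struct.unpack("!I", packet[offset:offset + 4])
    offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    # The local interface's source is the packet's destination and vice versa.
    match = tunnels.get((dst, src, key))
    if match is None:
        return None                       # unknown (src, dst, Key) triple: drop
    iface, vpn = match
    return iface, vpn, packet[offset:]


def demo():
    packet1 = b"constructed inner message from VPN221"   # placeholder payload
    on_wire = encapsulate(packet1, "1.1.1.1", "2.2.2.2", 221)
    return receive(on_wire, GATEWAY_232)


if __name__ == "__main__":
    print(demo())
```

The Key comparison here is an equality test on a 32-bit field that travels in cleartext, so it separates tunnels and filters misdirected traffic but does not authenticate the sender.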
Optionally, as one embodiment, the Tunnel Identifier of gre tunnel interface is carried in GRE extended fields. That is, being not take up GRE existing fields, the tunnel of gre tunnel interface is carried by new field (for example, newly-increased VNID field) Mark, to distinguish different gre tunnelings.Key field is still used to verify message validity in GRE.
The method provided by the embodiment of the present invention is described below through a specific embodiment:
The networking shown in Fig. 2 is again used as the example. The networking includes two VPNs (VPN221 and VPN222), where:
Gateway 231 is configured with two GRE tunnel interfaces, Tunnel221 and Tunnel222.
For Tunnel221, the source IP address is 1.1.1.1, the destination IP address is 2.2.2.2, the Key value is 221 (this specific embodiment uses the Key value as the tunnel identifier of the GRE tunnel interface), and the private network IP address is 10.0.0.1; the correspondence between Tunnel221 and VPN221 is configured. For Tunnel222, the source IP address is 1.1.1.1, the destination IP address is 2.2.2.2, the Key value is 222, and the private network IP address is 20.0.0.1; the correspondence between Tunnel222 and VPN222 is configured.
Gateway 232 is configured with two GRE tunnel interfaces, Tunnel221 and Tunnel222.
For Tunnel221, the source IP address is 2.2.2.2, the destination IP address is 1.1.1.1, the Key value is 221, and the private network IP address is 10.0.0.2; the correspondence between Tunnel221 and VPN221 is configured. For Tunnel222, the source IP address is 2.2.2.2, the destination IP address is 1.1.1.1, the Key value is 222, and the private network IP address is 20.0.0.2; the correspondence between Tunnel222 and VPN222 is configured.
If gateway 231 receives a data message from VPN221 (denoted Packet1), it looks up the routing table in VPN221. If the outgoing interface of the matched routing table entry is Tunnel221, it encapsulates a GRE header for Packet1, with the Key field in the GRE header set to 221. Outside the GRE header it encapsulates the source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Tunnel221; the encapsulated message is denoted Packet12.
Packet12 is forwarded in the public network based on routing. When gateway 232 receives Packet12, because the destination IP address of Packet12 (2.2.2.2) is the same as the public network IP address of gateway 232, gateway 232 determines that it should process Packet12. Gateway 232 determines from the protocol number in the outer IP header of Packet12 that Packet12 is a GRE message, i.e., a message transmitted through a GRE tunnel.
Gateway 232 obtains the tunnel source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Packet12 and the value of the Key field in the GRE header (221), and matches them against the locally configured GRE tunnel interfaces; it thereby learns that the GRE tunnel interface that received Packet12 is Tunnel221. Then, according to the locally configured correspondence between GRE tunnel interfaces and VPNs (Tunnel221 corresponds to VPN221), it determines that Packet12 belongs to VPN221.
Gateway 232 decapsulates Packet12, i.e., removes the tunnel source IP address (1.1.1.1), the destination IP address (2.2.2.2) and the GRE header, restoring Packet1. It then queries the routing table in the local VPN221 and forwards Packet1.
Similarly, when gateway 231 receives a data message from VPN222 (denoted Packet2), it looks up the routing table entries in VPN222, and the outgoing interface of the matched entry is Tunnel222. It encapsulates a GRE header for Packet2, with the Key field in the GRE header set to 222. Outside the GRE header it encapsulates the source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Tunnel222; the encapsulated message is denoted Packet22.
Packet22 is forwarded in the public network based on routing. When gateway 232 receives Packet22, it determines from the destination IP address of Packet22 (2.2.2.2) that it should process Packet22 itself. Gateway 232 determines from the protocol number in the outer IP header of Packet22 that Packet22 is a GRE message.
Gateway 232 obtains the tunnel source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Packet22 and the value of the Key field in the GRE header (222), and matches them against the locally configured GRE tunnels; it thereby learns that the GRE tunnel interface that received Packet22 is Tunnel222. Then, according to the locally configured correspondence between GRE tunnel interfaces and VPNs (Tunnel222 corresponds to VPN222), it determines that Packet22 belongs to VPN222.
Gateway 232 decapsulates Packet22, i.e., removes the tunnel source IP address (1.1.1.1), the destination IP address (2.2.2.2) and the GRE header, restoring Packet2. It then queries the routing table in the local VPN222 and forwards Packet2.
In the embodiment of the present invention, because each VPN has its own dedicated GRE tunnel, and each GRE tunnel interface is configured with a private network IP address in the same network segment as the corresponding VPN, dynamic route learning can be achieved within each VPN.
For example, gateway 231 configures the private network IP of the Tunnel221 corresponding to VPN221 as 10.0.0.1, and gateway 232 configures the private network IP of the Tunnel221 corresponding to VPN221 as 10.0.0.2; therefore, dynamic route learning across the GRE tunnel can be achieved in VPN221. Similarly, gateway 231 configures the private network IP of the Tunnel222 corresponding to VPN222 as 20.0.0.1, and gateway 232 configures the private network IP of the Tunnel222 corresponding to VPN222 as 20.0.0.2; therefore, dynamic route learning across the GRE tunnel can also be achieved in VPN222.
This completes the description of the present embodiment.
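The receive-side lookup walked through above for Packet12 and Packet22, as an added Python example (not code from the patent): it builds the outer IPv4 and GRE headers with the Key field and demultiplexes on (tunnel source, tunnel destination, Key), discarding anything that matches no configured tunnel. The names `Tunnel`, `encapsulate` and `classify`, the inner payload bytes and the IPv4 inner protocol type are assumptions made for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

GRE_PROTO = 47        # IPv4 protocol number for GRE
FLAG_C = 0x8000       # checksum present
FLAG_K = 0x2000       # Key present
FLAG_S = 0x1000       # sequence number present
INNER_IPV4 = 0x0800   # GRE protocol type (assumption: inner message is IPv4)


class Tunnel(NamedTuple):  # hypothetical model of one GRE tunnel interface
    name: str
    source: str
    destination: str
    key: int
    vpn: str


# Gateway 232's configuration as listed in the embodiment.
GATEWAY_232 = [
    Tunnel("Tunnel221", "2.2.2.2", "1.1.1.1", 221, "VPN221"),
    Tunnel("Tunnel222", "2.2.2.2", "1.1.1.1", 222, "VPN222"),
]


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (0 when the header verifies)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner: bytes, src: str, dst: str, key: int) -> bytes:
    """Sender side: GRE header carrying the Key, then the outer IPv4 header."""
    gre = struct.pack("!HHI", FLAG_K, INNER_IPV4, key)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner),
                        0, 0, 64, GRE_PROTO, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    outer = outer[:10] + struct.pack("!H", ip_checksum(outer)) + outer[12:]
    return outer + gre + inner


def classify(packet: bytes, tunnels) -> Optional[tuple]:
    """Receiver side: return (tunnel, vpn, inner message), or None to discard."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != GRE_PROTO:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, _proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x4007:          # deprecated routing bit or non-zero version
        return None
    off = ihl + 4 + (4 if flags & FLAG_C else 0)
    if not flags & FLAG_K or len(packet) < off + 4:
        return None             # without a Key the tunnel cannot be identified
    (key,) = struct.unpack("!I", packet[off:off + 4])
    off += 4 + (4 if flags & FLAG_S else 0)
    if len(packet) < off:
        return None
    for t in tunnels:
        # The sender's tunnel source is the local tunnel destination, and vice versa.
        if (t.destination, t.source, t.key) == (src, dst, key):
            return t.name, t.vpn, packet[off:]
    return None                 # no configured tunnel matches: discard


if __name__ == "__main__":
    packet12 = encapsulate(b"Packet1", "1.1.1.1", "2.2.2.2", 221)  # constructed sample
    print(classify(packet12, GATEWAY_232))
```

Both tunnels share the same outer address pair, so the Key is the only field that separates VPN221 traffic from VPN222 traffic on the receiving gateway.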
The method provided by the embodiment of the present invention has been described above; the apparatus provided by the embodiment of the present invention is described below:
Referring to Fig. 4A, which is a structural schematic diagram of the apparatus provided by the embodiment of the present invention. The multi-VPN data transmission apparatus includes an encapsulation unit 401 and a first transmission unit 402, where:
Encapsulation unit 401 is configured to, if a first data message from a target VPN is received and the outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, encapsulate a GRE header for the first data message to generate a second data message, the GRE header including the tunnel identifier of the first GRE tunnel interface; and to encapsulate, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface to generate a third data message;
First transmission unit 402 is configured to send the third data message to a second network device, so that the second network device, after receiving the third data message, determines a second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
This completes the description of the apparatus shown in Fig. 4A.
In the embodiment of the present invention, the network device can distinguish GRE tunnels based on the source IP address, destination IP address and tunnel identifier of a GRE tunnel. Therefore, even when the public network IP addresses of the network device are limited, multiple GRE tunnels can still be established, and a unique correspondence between each GRE tunnel and a VPN can be established.
When the network device transmits a data message through a GRE tunnel, it encapsulates the source IP address, destination IP address and tunnel identifier of the GRE tunnel for the data message, so that the receiving device identifies the GRE tunnel from the encapsulated source IP address, destination IP address and tunnel identifier and, according to the unique correspondence between GRE tunnel and VPN, forwards the decapsulated data message to the VPN corresponding to the GRE tunnel. Data transmission for multiple VPNs is thereby achieved.
Further, because of the unique correspondence between GRE tunnel and VPN, a GRE tunnel interface can be configured with a private network IP in the same network segment as the host IPs in the corresponding VPN, thereby achieving dynamic route learning within each VPN.
As one embodiment, on the basis of the apparatus of Fig. 4A, the apparatus further includes a receiving unit 403, a determination unit 404, a decapsulation unit 405 and a second transmission unit 406, as shown in Fig. 4B, where:
Receiving unit 403 is configured to, if a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, obtain the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of a third GRE tunnel interface;
Determination unit 404 is configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
Decapsulation unit 405 is configured to decapsulate the fourth data message to obtain a fifth data message;
Second transmission unit 406 is configured to forward the fifth data message to the VPN corresponding to the fourth GRE tunnel interface, according to the pre-configured correspondence between GRE tunnel interfaces and VPNs.
This completes the description of the apparatus shown in Fig. 4B.
The apparatus shown in Fig. 4B implements the processing of received VPN data messages.
As one embodiment, the tunnel identifier is carried in the Key field of the GRE header.
As one embodiment, the tunnel identifier is carried in an extension field of the GRE header.
The network device provided by the embodiment of the present invention is described below:
Referring to Fig. 5, which is a hardware structural diagram of a network device provided by the embodiment of the present invention. The device may include a processor 501 and a machine-readable storage medium 502 storing machine-executable instructions. The processor 501 and the machine-readable storage medium 502 can communicate via a system bus 503. By reading and executing the machine-executable instructions in the machine-readable storage medium 502 that correspond to the multi-VPN data transmission logic, the processor 501 can perform the multi-VPN data transmission method described above.
The machine-readable storage medium 502 mentioned here can be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium 502 may include at least one of the following kinds of storage media: volatile memory, non-volatile memory, or other types of storage media. The volatile memory can be RAM (Random Access Memory), and the non-volatile memory can be flash memory, a storage drive (such as a hard disk drive), a solid-state drive, or a storage disc (such as a CD or DVD).
The embodiment of the present invention also provides a machine-readable storage medium including machine-executable instructions, such as the machine-readable storage medium 502 in Fig. 5; the machine-executable instructions can be executed by the processor 501 in the network device to implement the multi-VPN data transmission method described above.
This completes the description of the device shown in Fig. 5.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the embodiments of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A multi-virtual-private-network (VPN) data transmission method, applied to a first network device, characterized in that the first network device and a second network device are each configured with generic routing encapsulation (GRE) tunnel interfaces in one-to-one correspondence with multiple VPNs, the tunnel identifiers of the GRE tunnel interfaces corresponding to the same VPN are identical, and the tunnel identifiers of the GRE tunnel interfaces corresponding to different VPNs are different, the method comprising:
if a first data message from a target VPN is received and the outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, encapsulating a GRE header for the first data message to generate a second data message, the GRE header including the tunnel identifier of the first GRE tunnel interface;
encapsulating, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface, generating a third data message and sending it to the second network device, so that the second network device, after receiving the third data message, determines a second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
2. The method according to claim 1, characterized in that the method further comprises:
if a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, obtaining the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of a third GRE tunnel interface;
determining a fourth GRE tunnel interface based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
decapsulating the fourth data message to obtain a fifth data message;
forwarding the fifth data message to the VPN corresponding to the fourth GRE tunnel interface, according to the pre-configured correspondence between GRE tunnel interfaces and VPNs.
3. The method according to claim 1, characterized in that the tunnel identifier is carried in the Key field of the GRE header.
4. The method according to claim 1, characterized in that the tunnel identifier is carried in an extension field of the GRE header.
5. A multi-virtual-private-network (VPN) data transmission apparatus, applied to a first network device, characterized in that the first network device and a second network device are each configured with generic routing encapsulation (GRE) tunnel interfaces in one-to-one correspondence with multiple VPNs, the tunnel identifiers of the GRE tunnel interfaces corresponding to the same VPN are identical, and the tunnel identifiers of the GRE tunnel interfaces corresponding to different VPNs are different, the apparatus comprising:
an encapsulation unit, configured to, if a first data message from a target VPN is received and the outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, encapsulate a GRE header for the first data message to generate a second data message, the GRE header including the tunnel identifier of the first GRE tunnel interface; and to encapsulate, for the second data message, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface to generate a third data message;
a first transmission unit, configured to send the third data message to the second network device, so that the second network device, after receiving the third data message, determines a second GRE tunnel interface based on the tunnel source IP address, destination IP address and tunnel identifier of the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to the target VPN corresponding to the second GRE tunnel interface.
6. The apparatus according to claim 5, characterized in that the apparatus further comprises:
a receiving unit, configured to, if a fourth data message forwarded by the second network device is received and the fourth data message is determined to be a GRE message, obtain the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of a third GRE tunnel interface;
a determination unit, configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
a decapsulation unit, configured to decapsulate the fourth data message to obtain a fifth data message;
a second transmission unit, configured to forward the fifth data message to the VPN corresponding to the fourth GRE tunnel interface, according to the pre-configured correspondence between GRE tunnel interfaces and VPNs.
7. The apparatus according to claim 5, characterized in that the tunnel identifier is carried in the Key field of the GRE header.
8. The apparatus according to claim 5, characterized in that the tunnel identifier is carried in an extension field of the GRE header.
9. A network device, characterized in that the device comprises a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the method steps of any one of claims 1-4.
10. A machine-readable storage medium, characterized in that machine-executable instructions are stored in the machine-readable storage medium, and the machine-executable instructions, when executed by a processor, implement the method steps of any one of claims 1-4.
CN201811472515.6A 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment Active CN109412927B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811472515.6A CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811472515.6A CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Publications (2)

Publication Number Publication Date
CN109412927A true CN109412927A (en) 2019-03-01
CN109412927B CN109412927B (en) 2021-07-23

Family

ID=65457162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811472515.6A Active CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Country Status (1)

Country Link
CN (1) CN109412927B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111447132A (en) * 2020-03-16 2020-07-24 广州华多网络科技有限公司 Data transmission method, device, system and computer storage medium
CN111884903A (en) * 2020-07-15 2020-11-03 迈普通信技术股份有限公司 Service isolation method and device, SDN network system and routing equipment
CN112804129A (en) * 2019-11-13 2021-05-14 中兴通讯股份有限公司 Message transmission method and system, VPN (virtual private network) equipment at sending end and GRE (generic routing encapsulation) splicing equipment
WO2021139288A1 (en) * 2020-01-08 2021-07-15 华为技术有限公司 Packet transmission method and apparatus and storage medium
CN113259497A (en) * 2020-02-07 2021-08-13 华为技术有限公司 Method, device, storage medium and system for transmitting message

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1412988A (en) * 2002-05-22 2003-04-23 华为技术有限公司 Packaging retransmission method of message in network communication
CN1468007A (en) * 2002-07-10 2004-01-14 华为技术有限公司 Virtual switch for supplying virtual LAN service and method
CN1553661A (en) * 2003-05-28 2004-12-08 华为技术有限公司 Method for point to point transparent transmission
US20100118882A1 (en) * 2008-11-10 2010-05-13 H3C Technologies Co., Ltd. Method, Apparatus, and System For Packet Transmission
CN102130826A (en) * 2010-11-25 2011-07-20 华为技术有限公司 Message transmitting method and device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804129A (en) * 2019-11-13 2021-05-14 中兴通讯股份有限公司 Message transmission method and system, VPN (virtual private network) equipment at sending end and GRE (generic routing encapsulation) splicing equipment
WO2021093641A1 (en) * 2019-11-13 2021-05-20 中兴通讯股份有限公司 Message transmission method and system, vpn device at sending end and gre splicing device
CN112804129B (en) * 2019-11-13 2023-11-03 中兴通讯股份有限公司 Message transmission method and system, transmitting end VPN equipment and GRE splicing equipment
WO2021139288A1 (en) * 2020-01-08 2021-07-15 华为技术有限公司 Packet transmission method and apparatus and storage medium
US12063155B2 (en) 2020-01-08 2024-08-13 Huawei Technologies Co., Ltd. Packet sending method and apparatus, and storage medium
CN113259497A (en) * 2020-02-07 2021-08-13 华为技术有限公司 Method, device, storage medium and system for transmitting message
CN111447132A (en) * 2020-03-16 2020-07-24 广州华多网络科技有限公司 Data transmission method, device, system and computer storage medium
CN111447132B (en) * 2020-03-16 2021-12-21 广州方硅信息技术有限公司 Data transmission method, device, system and computer storage medium
CN111884903A (en) * 2020-07-15 2020-11-03 迈普通信技术股份有限公司 Service isolation method and device, SDN network system and routing equipment

Also Published As

Publication number Publication date
CN109412927B (en) 2021-07-23

Similar Documents

Publication Publication Date Title
CN109412927A (en) A kind of more VPN data transmission methods, device and the network equipment
CN106878138B (en) A kind of message transmitting method and device
JP7023989B2 (en) Generating transfer entries
CN105827495B (en) The message forwarding method and equipment of VXLAN gateway
US20230090829A1 (en) Virtualized network functions through address space aggregation
CN105591868B (en) A kind of cut-in method and device of Virtual Private Network VPN
JP6633775B2 (en) Packet transmission
CN104202398B (en) The method of remote control, apparatus and system
CN104038422B (en) Message forwarding method and gateway
CN102792651B (en) At the device of MAC layer application service path Route Selection
CN101155130A (en) Method for learning MAC address and system and equipment for conveying VPLS client data
CN107682370A (en) For creating the method and system of the agreement header for embedded second layer packet
CN107645433B (en) Message forwarding method and device
CN107659484B (en) Method, device and system for accessing VXLAN network from VLAN network
CN106209638A (en) From VLAN to the message forwarding method of virtual expansible LAN and equipment
CN107580079A (en) A kind of message transmitting method and device
CN103685032B (en) Message forwarding method and network address translation services device
CN108199968A (en) Route processing method and device
CN109412949A (en) A kind of data message transmission method and device
CN104780090B (en) Method, apparatus, the PE equipment of VPN multicast transmissions
CN109246016B (en) Cross-VXLAN message processing method and device
CN108259295A (en) MAC Address synchronous method and device
CN105610717B (en) A kind of route issuing method and device across SDN network
CN110391984B (en) Message forwarding method and device
CN108632126A (en) A kind of message forwarding channel method for building up, device and message forwarding method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant