CN109474507B - Message forwarding method and device - Google Patents


Info

Publication number
CN109474507B
Authority
CN
China
Prior art keywords
vxlan
message
address
tunnel
default
Prior art date
Legal status
Active
Application number
CN201811426641.8A
Other languages
Chinese (zh)
Other versions
CN109474507A (en)
Inventor
程剑锋
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201811426641.8A
Publication of CN109474507A
Priority to PCT/CN2019/121267 (WO2020108531A1)
Application granted
Publication of CN109474507B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L12/00: Data switching networks
                    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
                        • H04L12/46: Interconnection of networks
                            • H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
                            • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
                • H04L45/00: Routing or path finding of packets in data switching networks
                    • H04L45/74: Address processing for routing
                • H04L47/00: Traffic control in data switching networks
                    • H04L47/10: Flow control; Congestion control
                        • H04L47/32: Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/02: Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227: Filtering policies
                            • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The invention provides a message forwarding method and device. The method comprises: when a VXLAN packet is received and is determined to match a default VXLAN tunnel, decapsulating and forwarding the VXLAN packet; and when a non-VXLAN packet is received and it is determined that no egress port exists for the non-VXLAN packet, discarding the non-VXLAN packet. Embodiments of the invention achieve unidirectional transmission between a high-security-level VTEP device and a low-security-level VTEP device, ensuring data security.

Description

Message forwarding method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for forwarding a packet.
Background
The openness of network systems makes network security increasingly important. Protection technologies such as Media Access Control (MAC) authentication and network firewalls are the usual means of ensuring network security, but they only meet general security requirements and are hard to apply to the protection of sensitive networks such as classified information systems.
To keep such a network secure, data from a low-security-level device or network must be able to flow to a high-security-level device or network, while data from the high-security-level device or network must not be able to flow to the low-security-level device or network; that is, data must be forwarded unidirectionally so that no leakage occurs.
Disclosure of Invention
The invention provides a message forwarding method and a message forwarding device, aiming to solve the problem that unidirectional data forwarding between a high-security-level device or network and a low-security-level device or network cannot be realized.
According to a first aspect of the embodiments of the present invention, a packet forwarding method is provided, applied to any VTEP device in a VXLAN network. On the high-security-level VTEP device in the VXLAN network, a default VXLAN tunnel is created corresponding to a first-type VXLAN tunnel, where the first-type VXLAN tunnel is a VXLAN tunnel from a low-security-level VTEP device to the high-security-level VTEP device; the source IP address of the default VXLAN tunnel is the IP address of the high-security-level VTEP device, and it has no destination IP address. The method includes:
when a VXLAN packet is received and the VXLAN packet is determined to match the default VXLAN tunnel, decapsulating and forwarding the VXLAN packet;
and when a non-VXLAN packet is received and it is determined that no egress port exists for the non-VXLAN packet, discarding the non-VXLAN packet.
According to a second aspect of the embodiments of the present invention, a packet forwarding apparatus is provided, applied to any VTEP device in a VXLAN network, where a default VXLAN tunnel is created on the high-security-level VTEP device in the VXLAN network corresponding to a first-type VXLAN tunnel, the first-type VXLAN tunnel being a VXLAN tunnel from a low-security-level VTEP device to the high-security-level VTEP device, the source IP address of the default VXLAN tunnel being the IP address of the high-security-level VTEP device, and the default VXLAN tunnel having no destination IP address. The apparatus includes:
a receiving unit, configured to receive packets;
a determining unit, configured to determine, when the receiving unit receives a VXLAN packet, whether the VXLAN packet matches the default VXLAN tunnel;
a decapsulation unit, configured to decapsulate the VXLAN packet when the VXLAN packet matches the default VXLAN tunnel;
a forwarding unit, configured to forward the decapsulated VXLAN packet;
the forwarding unit being further configured to discard a non-VXLAN packet when the receiving unit receives the non-VXLAN packet and the determining unit determines that no egress port exists for it.
With the technical scheme disclosed by the invention, when a VXLAN tunnel is established between a high-security-level VTEP device and a low-security-level VTEP device, the low-security-level VTEP device creates the VXLAN tunnel normally, while the high-security-level VTEP device creates a default VXLAN tunnel corresponding to that VXLAN tunnel.
Drawings
Fig. 1 is a schematic flowchart of a message forwarding method according to an embodiment of the present invention;
Fig. 2 and Fig. 3 are schematic diagrams of a specific application scenario provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a message forwarding apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another message forwarding apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, which shows a schematic flow diagram of the message forwarding method provided in an embodiment of the present invention, the method may be applied to any VTEP (VXLAN Tunnel Endpoint) device in a VXLAN network (hereinafter the target VTEP device). As shown in Fig. 1, the method may include the following steps:
Step 101: when a VXLAN packet is received and is determined to match a default VXLAN tunnel, decapsulate and forward the VXLAN packet.
In the embodiment of the present invention, to ensure that data of a low-security-level device or network in the VXLAN network can flow to a high-security-level device or network, when a VXLAN tunnel is established between a low-security-level VTEP device (a VTEP device connected to the low-security-level device or network) and a high-security-level VTEP device (a VTEP device connected to the high-security-level device or network), the low-security-level VTEP device creates the VXLAN tunnel normally, while the high-security-level VTEP device creates a default VXLAN tunnel corresponding to that VXLAN tunnel.
The source IP address of the default VXLAN tunnel is the IP address of the high-security-level VTEP device, and it has no destination IP address. The default VXLAN tunnel therefore matches any VXLAN packet whose outer destination IP address (the destination IP address in the VXLAN encapsulation header) is the high-security-level VTEP device's own address, whatever the outer source IP address, so that the high-security-level VTEP device can receive and process the VXLAN packets that the low-security-level VTEP device sends to it through the VXLAN tunnel.
Accordingly, when the target VTEP device receives a VXLAN packet, it may first determine whether the outer destination IP address of the VXLAN packet is its own IP address (i.e., the IP address of the target VTEP device).
If so, the target VTEP device may further perform VXLAN tunnel matching on the outer source and destination IP addresses of the VXLAN packet (the source and destination IP addresses in the VXLAN encapsulation header) to determine whether a VXLAN tunnel matching both addresses exists.
If no such tunnel exists, the VXLAN packet is determined to match the default VXLAN tunnel, and the target VTEP device may then strip the VXLAN encapsulation from the packet and forward it.
For the specific implementation of VXLAN decapsulation and forwarding on the target VTEP device, reference may be made to existing related schemes; it is not repeated here.
It should be noted that, in the embodiment of the present invention, when the target VTEP device determines that the outer destination IP address of the received VXLAN packet is not its own IP address, it may look up the underlay Layer 3 forwarding entry for the VXLAN packet and forward it accordingly; and when the target VTEP device matches an existing VXLAN tunnel on the outer source and destination IP addresses of the VXLAN packet, it may decapsulate and forward the VXLAN packet. The specific implementation of this forwarding may refer to existing related schemes and is not described in detail here.
Step 102: when a non-VXLAN packet is received and it is determined that no egress port exists for the non-VXLAN packet, discard the non-VXLAN packet.
In the embodiment of the present invention, when the target VTEP device receives a non-VXLAN packet, it may query the forwarding table to determine the egress port of the non-VXLAN packet.
For example, the target VTEP device may use the VLAN (Virtual Local Area Network) information carried in the received non-VXLAN packet together with the packet's ingress port information to determine the corresponding AC (access circuit; referred to here as the target AC), and then search the forwarding table of the VSI (Virtual Switch Instance) associated with the target AC to determine the egress port of the non-VXLAN packet.
In the embodiment of the present invention, to ensure that data of a high-security-level device or network cannot flow to a low-security-level device or network, the high-security-level VTEP device must be unable to forward traffic through the default VXLAN tunnel.
In one embodiment of the present invention, the egress direction of the default VXLAN tunnel is a non-existent physical port;
accordingly, determining that no egress port exists for the non-VXLAN packet may include:
when the egress port of the non-VXLAN packet is determined to be the default VXLAN tunnel, determining that no egress port exists for the non-VXLAN packet.
In this embodiment, to ensure that data of a high-security-level device or network cannot flow to a low-security-level device or network, the egress direction of the default VXLAN tunnel may be configured as a physical port that does not exist on the high-security-level VTEP device (i.e., a port other than any physical port of that device).
Accordingly, when the target VTEP device receives a non-VXLAN packet and, by querying the forwarding table, determines that its egress port is the default VXLAN tunnel, the target VTEP device determines that no egress port exists for the packet and may discard it, thereby preventing data of the high-security-level device or network from flowing to the low-security-level device or network.
In another embodiment of the present invention, since the default VXLAN tunnel cannot forward traffic, any MAC address that the target VTEP device learns from packets received from the low-security-level VTEP device would have an egress port pointing to the default VXLAN tunnel, and packets destined for such an address would ultimately be discarded anyway. To save hardware resources, the default VXLAN tunnel may therefore be configured not to learn MAC addresses.
Correspondingly, the message forwarding method may further include:
when a VXLAN packet is received and is determined to match the default VXLAN tunnel, refusing to learn MAC addresses from the VXLAN packet.
In this embodiment, to ensure that data of a high-security-level device or network cannot flow to a low-security-level device or network, the default VXLAN tunnel may be configured not to learn MAC addresses. Then, when the target VTEP device receives traffic sent by the high-security-level device or network toward the low-security-level device or network, it finds no matching forwarding entry, i.e., no matching egress port, and so discards the traffic, preventing data of the high-security-level device or network from flowing to the low-security-level device or network.
It should be noted that, in the embodiment of the present invention, setting the egress direction of the default VXLAN tunnel to a non-existent physical port and configuring the default VXLAN tunnel not to learn MAC addresses may also be applied together. This avoids traffic being directed to the default VXLAN tunnel for forwarding as a result of misconfiguration and, while saving hardware resources, better ensures that data of a high-security-level device or network cannot flow to a low-security-level device or network; the specific implementation is not repeated here.
It can be seen that, in the flow shown in Fig. 1, when a VXLAN tunnel is established between a high-security-level VTEP device and a low-security-level VTEP device, the low-security-level VTEP device creates the VXLAN tunnel normally and the high-security-level VTEP device creates a default VXLAN tunnel corresponding to it. Because the default VXLAN tunnel has no destination IP address and the high-security-level VTEP device cannot forward traffic outward through it, the high-security-level VTEP device can match and process VXLAN packets sent by the low-security-level VTEP device via the default VXLAN tunnel, but cannot send packets to the low-security-level VTEP device through the VXLAN tunnel. Unidirectional transmission between the high-security-level VTEP device and the low-security-level VTEP device is thus achieved (the low-security-level VTEP device can send traffic to the high-security-level VTEP device, while the high-security-level VTEP device cannot send traffic to the low-security-level VTEP device), and data security is ensured.
In order to enable those skilled in the art to better understand the technical solution provided by the embodiment of the present invention, the technical solution provided by the embodiment of the present invention is described below with reference to a specific application scenario.
Referring to Fig. 2, which shows the architecture of a specific application scenario provided by an embodiment of the present invention: Server110 and Server120 are low-security-level servers (Server110 and Server120 are of the same security level), Server130 and Server140 are high-security-level servers (Server130 and Server140 are of the same security level), and Server110 to Server140 access a Layer 3 core network through VTEP210 to VTEP240 respectively; that is, VTEP210 and VTEP220 are low-security-level VTEP devices, and VTEP230 and VTEP240 are high-security-level VTEP devices.
In this embodiment, a VXLAN tunnel is created between VTEP230 and VTEP240: VXLAN Tunnel34 is created on VTEP230 (source IP address: the device's own IP address; destination IP address: the IP address of VTEP240), and VXLAN Tunnel43 is created on VTEP240 (source IP address: the device's own IP address; destination IP address: the IP address of VTEP230). The source IP address of Tunnel34 is the destination IP address of Tunnel43, and the destination IP address of Tunnel34 is the source IP address of Tunnel43.
Creating a VXLAN tunnel between VTEP210 and VTEP220 is similar to creating the VXLAN tunnel between VTEP230 and VTEP240 and is not repeated here.
A VXLAN tunnel is created between VTEP210 and VTEP240: VXLAN Tunnel14 is created on VTEP210 (source IP address: the device's own IP address; destination IP address: the IP address of VTEP240), and a default VXLAN Tunnel0 is created on VTEP240 (source IP address: the device's own IP address; no destination IP address).
Creating VXLAN tunnels between VTEP210 and VTEP230, between VTEP220 and VTEP230, and between VTEP220 and VTEP240 is similar to creating the VXLAN tunnel between VTEP210 and VTEP240 and is not repeated here.
In this embodiment, traffic exchange between VTEP210 and VTEP240 is taken as the example.
Referring to Fig. 3, a VSI bound to VXLAN_ID1 is created on VTEP240, and VTEP240 binds this VSI to AC4 between Server140 and VTEP240; a VSI bound to VXLAN_ID1 is created on VTEP210, and VTEP210 binds this VSI to AC1 between Server110 and VTEP210 and also binds Tunnel14 to the VSI.
Traffic from Server110 enters VTEP210 through AC1. VTEP210 determines the corresponding AC (AC1) from the VLAN information and ingress port information of the received traffic, searches the forwarding table of the VSI associated with AC1, and determines that the egress port of the traffic is Tunnel14; VTEP210 therefore VXLAN-encapsulates the traffic (carrying VXLAN_ID1) and forwards the encapsulated traffic through Tunnel14. In the VXLAN encapsulation header of the encapsulated traffic, the source IP address is the IP address of VTEP210 and the destination IP address is the IP address of VTEP240.
When VTEP240 receives the VXLAN-encapsulated traffic (which originated from AC1), it obtains the destination IP address from the VXLAN encapsulation header and finds that it is the device's own IP address, but finds no local VXLAN tunnel matching the source and destination IP addresses in the VXLAN encapsulation header (i.e., no VXLAN tunnel whose source IP address is the destination IP address in the VXLAN encapsulation header and whose destination IP address is the source IP address in the VXLAN encapsulation header). VTEP240 therefore determines that the VXLAN-encapsulated traffic matches the default VXLAN tunnel, decapsulates it, determines the corresponding VSI from the carried VXLAN_ID (VXLAN_ID1), looks up the forwarding table in that VSI, and sends the traffic out of the AC (AC4) to Server140.
It can be seen that traffic from a low-security-level network or device is forwarded normally to a high-security-level network or device.
When traffic from Server140 enters VTEP240 through AC4, VTEP240 determines the corresponding AC (AC4) from the VLAN information and ingress port information of the received traffic and searches the forwarding table of the VSI associated with AC4.
Example one
The egress direction of the default VXLAN tunnel is a non-existent physical port (assuming the default VXLAN tunnel learns MAC addresses normally).
VTEP240 searches the forwarding table of the VSI associated with AC4 and finds that the egress port is the default VXLAN tunnel. Since the egress of the default VXLAN tunnel is a physical port that does not exist on VTEP240, VTEP240 discards the traffic.
Example two
The default VXLAN tunnel is configured not to learn MAC addresses.
VTEP240 searches the forwarding table of the VSI associated with AC4 and finds no matching entry, i.e., no egress port exists for the traffic, so VTEP240 discards the traffic.
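To make the two forwarding decisions concrete, here is an added simulation (not code from the patent or from H3C) of VTEP240 in the Fig. 2/3 scenario: it parses a constructed VXLAN packet, applies the tunnel-matching rule of step 101 (an explicit tunnel whose source and destination are the swapped outer addresses wins; otherwise the default tunnel matches any source), and applies the egress rule of step 102 for both example one (the default tunnel's egress is a non-existent port) and example two (the default tunnel does not learn MAC addresses). The IP addresses, MAC addresses and port names are constructed, and a non-VXLAN frame with no forwarding entry is dropped rather than flooded, as the text describes.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VXLAN_UDP_PORT = 4789

def eth(dst_mac: str, src_mac: str) -> bytes:   # minimal inner Ethernet frame (constructed)
    return bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"

def macs(frame: bytes) -> Tuple[str, str]:       # (dst MAC, src MAC) of an Ethernet frame
    return tuple(":".join(f"{x:02x}" for x in frame[i:i + 6]) for i in (0, 6))

def build_vxlan(src_ip: str, dst_ip: str, vni: int, inner: bytes) -> bytes:
    """Outer IPv4 + UDP/4789 + 8-byte VXLAN header (I flag, 24-bit VNI) around an inner frame."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36 + len(inner), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 16 + len(inner), 0)
    return ip + udp + struct.pack("!II", 0x08 << 24, vni << 8) + inner

def parse_vxlan(pkt: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """(outer src IP, outer dst IP, VNI, inner frame), or None if this is not a VXLAN packet."""
    if len(pkt) < 36 or pkt[0] >> 4 != 4 or pkt[9] != 17:     # UDP over IPv4, IHL=20 assumed
        return None
    ihl = (pkt[0] & 0x0F) * 4
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags, vni_field = struct.unpack("!II", pkt[ihl + 8:ihl + 16])
    if dport != VXLAN_UDP_PORT or not (flags >> 24) & 0x08:    # must be VXLAN with a valid VNI
        return None
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), vni_field >> 8, pkt[ihl + 16:]

@dataclass
class Tunnel:
    name: str
    src_ip: str
    dst_ip: Optional[str] = None   # None: the patent's default VXLAN tunnel, which has no destination IP
    egress_exists: bool = True     # False: egress direction is a physical port that does not exist
    learn_mac: bool = True         # False: tunnel is configured not to learn MAC addresses

@dataclass
class Vtep:
    ip: str
    tunnels: List[Tunnel]
    acs: Dict[Tuple[str, int], Tuple[str, int]]                    # (ingress port, VLAN) -> (AC, VXLAN ID)
    fdb: Dict[Tuple[int, str], str] = field(default_factory=dict)  # VSI table: (VXLAN ID, MAC) -> AC/tunnel

    def match_tunnel(self, outer_src: str, outer_dst: str) -> Optional[Tunnel]:
        # Explicit tunnel with swapped outer addresses wins; else the default tunnel matches any source.
        explicit = [t for t in self.tunnels if t.src_ip == outer_dst and t.dst_ip == outer_src]
        default = [t for t in self.tunnels if t.src_ip == outer_dst and t.dst_ip is None]
        return (explicit or default or [None])[0]

    def forward(self, vni: int, dst_mac: str) -> str:
        egress = self.fdb.get((vni, dst_mac))
        if egress is None:
            return "DROP"                              # no egress port at all (example two)
        tunnel = next((t for t in self.tunnels if t.name == egress), None)
        if tunnel is None:
            return f"DELIVER {egress}"                 # egress is a local AC
        if not tunnel.egress_exists:
            return "DROP"                              # default tunnel's port does not exist (example one)
        return f"ENCAP {tunnel.name} -> {tunnel.dst_ip}"

    def receive(self, port: str, vlan: int, packet: bytes) -> str:
        hdr = parse_vxlan(packet)
        if hdr is None:                                # step 102: non-VXLAN packet arriving on an AC
            if (port, vlan) not in self.acs:
                return "DROP"
            ac, vni = self.acs[(port, vlan)]
            dst_mac, src_mac = macs(packet)
            self.fdb[(vni, src_mac)] = ac              # ordinary MAC learning on the access side
            return self.forward(vni, dst_mac)
        outer_src, outer_dst, vni, inner = hdr         # step 101: VXLAN packet
        if outer_dst != self.ip:
            return "UNDERLAY"                          # not addressed to us: underlay L3 forwarding
        tunnel = self.match_tunnel(outer_src, outer_dst)
        if tunnel is None:
            return "DROP"                              # assumption: unknown source VTEP is discarded
        dst_mac, src_mac = macs(inner)
        if tunnel.learn_mac:
            self.fdb[(vni, src_mac)] = tunnel.name
        return self.forward(vni, dst_mac)

def scenario(default_learns_mac: bool) -> Dict[str, Optional[str]]:
    # VTEP240 (10.0.0.4, constructed) with explicit Tunnel43 to VTEP230 (10.0.0.3) and default Tunnel0.
    vtep240 = Vtep(ip="10.0.0.4",
                   tunnels=[Tunnel("Tunnel43", "10.0.0.4", "10.0.0.3"),
                            Tunnel("Tunnel0", "10.0.0.4", None, egress_exists=False, learn_mac=default_learns_mac)],
                   acs={("ge1", 10): ("AC4", 1)})    # AC4 = port ge1 / VLAN 10, bound to VXLAN_ID1
    m110, m130, m140 = "00:00:00:00:01:10", "00:00:00:00:01:30", "00:00:00:00:01:40"
    r: Dict[str, Optional[str]] = {}
    r["before_any_learning"] = vtep240.receive("ge1", 10, eth(m110, m140))
    # Server110 -> Server140, encapsulated by VTEP210 (10.0.0.1) on Tunnel14: only Tunnel0 can match it.
    r["low_to_high"] = vtep240.receive("core", 0, build_vxlan("10.0.0.1", "10.0.0.4", 1, eth(m140, m110)))
    r["fdb_server110"] = vtep240.fdb.get((1, m110))
    # Server140 -> Server110: example one finds Tunnel0 (non-existent port), example two finds nothing.
    r["high_to_low"] = vtep240.receive("ge1", 10, eth(m110, m140))
    r["peer_in"] = vtep240.receive("core", 0, build_vxlan("10.0.0.3", "10.0.0.4", 1, eth(m140, m130)))
    r["peer_out"] = vtep240.receive("ge1", 10, eth(m130, m140))
    return r
```

Running `scenario(True)` and `scenario(False)` shows that the low-to-high packet is delivered to AC4 in both configurations, that the high-to-low reply is dropped in both, and that the same-level peer VTEP230 still reaches VTEP240 through Tunnel43 in both directions.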
It should be noted that, in the embodiment of the present invention, for specific implementation of an interaction process between VTEP devices at the same density level (for example, VTEP210 and VTEP220 or VTEP230 and VTEP240), reference may be made to relevant descriptions in an existing relevant scheme, and details of the embodiment of the present invention are not described herein.
As can be seen from the above description, in the technical solution provided in the embodiment of the present invention, when a VXLAN tunnel is established between a high-security-level VTEP device and a low-security-level VTEP device by configuring a default VXLAN tunnel, the low-security-level VTEP device creates the VXLAN tunnel normally and the high-security-level VTEP device creates a default VXLAN tunnel corresponding to it. Since the default VXLAN tunnel has no destination IP address, the high-security-level VTEP device cannot forward traffic out through it; it can match and process VXLAN packets sent by the low-security-level VTEP device via the default VXLAN tunnel, but cannot send packets to the low-security-level VTEP device through the VXLAN tunnel. Unidirectional transmission between the high-security-level VTEP device and the low-security-level VTEP device is thus realized, and data security is ensured.
Referring to fig. 4, a schematic structural diagram of a message forwarding apparatus according to an embodiment of the present invention is provided, where the apparatus may be applied to a target VTEP device in the foregoing method embodiment, and as shown in fig. 4, the message forwarding apparatus may include:
a receiving unit 410, configured to receive a message;
a determining unit 420, configured to determine whether the VXLAN message matches a default VXLAN tunnel when the receiving unit 410 receives the VXLAN message;
a decapsulating unit 430, configured to decapsulate the VXLAN packet when the VXLAN packet matches the default VXLAN tunnel;
a forwarding unit 440, configured to forward the decapsulated VXLAN packet;
the forwarding unit 440 is further configured to discard the non-VXLAN message when the receiving unit 410 receives the non-VXLAN message and the determining unit 420 determines that an egress port of the non-VXLAN message does not exist.
In an alternative embodiment, the determining unit 420 is specifically configured to determine that the VXLAN packet matches the default VXLAN tunnel when the destination IP address in the VXLAN encapsulation header of the VXLAN packet is the IP address of the device but no VXLAN tunnel matching the source IP address and the destination IP address in the VXLAN encapsulation header exists.
In an optional embodiment, the determining unit 420 is further configured to determine, when the receiving unit 410 receives the non-VXLAN packet, a corresponding target AC according to VLAN information and ingress port information of the non-VXLAN packet;
the determining unit 420 is further configured to search a forwarding table in the target VSI associated with the target AC to determine an egress port of the non-VXLAN message.
In an alternative embodiment, the egress direction of the default VXLAN tunnel is a non-existent physical port;
the determining unit 420 is specifically configured to determine that an egress port of the non-VXLAN message does not exist when it is determined that the egress port of the non-VXLAN message is the default VXLAN tunnel.
Referring to fig. 5, which is a schematic structural diagram of another message forwarding apparatus provided in the embodiment of the present invention, as shown in fig. 5, on the basis of the message forwarding apparatus shown in fig. 4, the message forwarding apparatus shown in fig. 5 may further include:
the learning unit 450 is configured to refuse to perform MAC address learning according to the VXLAN message when the receiving unit 410 receives the VXLAN message and the determining unit 420 determines that the VXLAN message matches the default VXLAN tunnel.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the invention. One of ordinary skill in the art can understand and implement it without inventive effort.
As can be seen from the foregoing embodiments, when a VXLAN tunnel is established between a high-security-level VTEP device and a low-security-level VTEP device by configuring a default VXLAN tunnel, the low-security-level VTEP device creates the VXLAN tunnel normally, while the high-security-level VTEP device creates the default VXLAN tunnel corresponding to that VXLAN tunnel.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (8)

1. A message forwarding method, applied to any virtual extensible local area network (VXLAN) tunnel endpoint (VTEP) device in a VXLAN network, characterized in that a default VXLAN tunnel is created on the high-security-level VTEP device in the VXLAN network corresponding to a first-type VXLAN tunnel from a low-security-level VTEP device to the high-security-level VTEP device, the source IP address of the default VXLAN tunnel is the IP address of the high-security-level VTEP device, and no destination IP address exists; the method comprises the following steps:
when a VXLAN packet is received and the VXLAN packet is determined to match the default VXLAN tunnel, decapsulating and forwarding the VXLAN packet;
when a non-VXLAN packet is received and no egress port exists for the non-VXLAN packet, discarding the non-VXLAN packet; wherein determining that the VXLAN packet matches the default VXLAN tunnel comprises:
when the destination IP address in the VXLAN encapsulation header of the VXLAN packet is the IP address of the device and no VXLAN tunnel matching the source IP address and the destination IP address in the VXLAN encapsulation header exists, determining that the VXLAN packet matches the default VXLAN tunnel.
2. The method of claim 1, wherein when a non-VXLAN packet is received, the method further comprises:
determining a corresponding target access circuit (AC) according to the virtual local area network (VLAN) information and ingress port information of the non-VXLAN packet;
and searching a forwarding table in a target virtual switch instance (VSI) associated with the target AC to determine the egress port of the non-VXLAN packet.
3. The method of claim 1, wherein the egress direction of the default VXLAN tunnel is a non-existent physical port;
and determining that no egress port exists for the non-VXLAN packet comprises:
when the egress port of the non-VXLAN packet is determined to be the default VXLAN tunnel, determining that no egress port exists for the non-VXLAN packet.
4. The method of claim 1, further comprising:
when a VXLAN packet is received and the VXLAN packet is determined to match the default VXLAN tunnel, refusing to perform Media Access Control (MAC) address learning according to the VXLAN packet.
5. A message forwarding device is applied to any virtual extensible local area network tunnel endpoint VTEP equipment in a virtual extensible local area network VXLAN networking, and is characterized in that a default VXLAN tunnel is created on a VTEP equipment at a high density level in the VXLAN networking corresponding to a first type VXLAN tunnel from a VTEP equipment at a low density level to a VXLAN tunnel from the VTEP equipment at the high density level, a source IP address of the default VXLAN tunnel is an IP address of the VTEP equipment at the high density level, and a destination IP address does not exist, the device comprises:
a receiving unit, configured to receive a packet;
the determining unit is used for determining whether the VXLAN message is matched with a default VXLAN tunnel or not when the receiving unit receives the VXLAN message;
the decapsulation unit is used for decapsulating the VXLAN message when the VXLAN message is matched with the default VXLAN tunnel;
the forwarding unit is used for forwarding the decapsulated VXLAN message;
the forwarding unit is further configured to discard the non-VXLAN packet when the receiving unit receives the non-VXLAN packet and the determining unit determines that the egress port of the non-VXLAN packet does not exist; the determining unit is specifically configured to determine that the VXLAN packet matches the default VXLAN tunnel when a destination IP address in a VXLAN encapsulation header of the VXLAN packet is the IP address of the device, but there is no VXLAN tunnel matching a source IP address and a destination IP address in the VXLAN encapsulation header.
6. The apparatus of claim 5,
the determining unit is further configured to determine, when the receiving unit receives a non-VXLAN message, a corresponding target access circuit AC according to the virtual local area network VLAN information and the port information of the non-VXLAN message;
the determining unit is further configured to search a forwarding table in a target virtual switch instance VSI associated with the target AC, so as to determine an egress port of the non-VXLAN packet.
7. The apparatus of claim 5, wherein the egress direction of the default VXLAN tunnel is a non-existent physical port;
the determining unit is specifically configured to determine that the egress port of the non-VXLAN packet does not exist when determining that the egress port of the non-VXLAN packet is the default VXLAN tunnel.
8. The apparatus of claim 5, further comprising:
and the learning unit is used for refusing to carry out Media Access Control (MAC) address learning according to the VXLAN message when the receiving unit receives the VXLAN message and the determining unit determines that the VXLAN message is matched with the default VXLAN tunnel.
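To make the claimed behaviour concrete, here is an added Python simulation (not code from the patent or from H3C) of the high-security-level VTEP's decision logic: matching the default tunnel, suppressing MAC learning on it, and dropping any non-VXLAN packet whose egress resolves to the default tunnel. The VTEP IPs, VNI, port names, MAC addresses and the static forwarding entries are constructed for illustration.

```python
# Added example, not code from the patent: a simulation of the claimed one-way
# forwarding on the high-security-level VTEP. All names/IPs/MACs are constructed.
from dataclasses import dataclass, field

DEFAULT_TUNNEL = "default-vxlan-tunnel"  # egress with no physical port behind it


@dataclass
class Vtep:
    ip: str                  # this VTEP's IP, the default tunnel's source IP
    tunnels: set             # explicitly configured (local_ip, remote_ip) tunnels
    vni_to_vsi: dict         # VNI -> VSI name
    ac_map: dict             # (ingress port, VLAN) -> VSI of the matched AC
    fdb: dict                # VSI name -> {MAC: egress}
    learned: list = field(default_factory=list)

    def matches_default_tunnel(self, outer_src, outer_dst):
        # Claim 1: destination is this device and no configured tunnel matches
        # the (source, destination) pair of the VXLAN encapsulation header.
        return outer_dst == self.ip and (outer_dst, outer_src) not in self.tunnels

    def handle_vxlan(self, outer_src, outer_dst, vni, inner_src_mac, inner_dst_mac):
        if outer_dst != self.ip:
            return ("drop", "not addressed to this VTEP")
        vsi = self.vni_to_vsi[vni]
        if not self.matches_default_tunnel(outer_src, outer_dst):
            # Explicit tunnel: learn the inner source MAC behind that tunnel.
            # Claim 4: no learning happens for packets on the default tunnel.
            self.fdb.setdefault(vsi, {})[inner_src_mac] = ("tunnel", outer_src)
            self.learned.append(inner_src_mac)
        # Decapsulate and forward the inner frame within the VSI.
        egress = self.fdb.get(vsi, {}).get(inner_dst_mac)
        return ("forward", egress) if egress else ("flood", vsi)

    def handle_non_vxlan(self, in_port, vlan, dst_mac):
        # Claim 2: target AC from VLAN + ingress port, then its VSI's table.
        vsi = self.ac_map.get((in_port, vlan))
        if vsi is None:
            return ("drop", "no matching AC")
        egress = self.fdb.get(vsi, {}).get(dst_mac)
        # Claim 3: an egress of the default tunnel means "no egress port".
        if egress == DEFAULT_TUNNEL:
            return ("drop", "egress port does not exist")
        return ("forward", egress) if egress else ("flood", vsi)


def build_demo_vtep():
    # Constructed high-security VTEP 10.0.0.2 with one peer tunnel to 10.0.0.3.
    return Vtep(ip="10.0.0.2", tunnels={("10.0.0.2", "10.0.0.3")},
                vni_to_vsi={100: "vsi100"}, ac_map={("ge0/1", 10): "vsi100"},
                fdb={"vsi100": {"aa:aa:aa:aa:aa:01": "ge0/1",
                                "bb:bb:bb:bb:bb:01": DEFAULT_TUNNEL}})
```

A packet from the unconfigured low-side VTEP 10.0.0.1 is delivered through the default tunnel without populating the forwarding table, so a later frame addressed back to that side has no egress and is dropped.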
CN201811426641.8A 2018-11-27 2018-11-27 Message forwarding method and device Active CN109474507B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811426641.8A CN109474507B (en) 2018-11-27 2018-11-27 Message forwarding method and device
PCT/CN2019/121267 WO2020108531A1 (en) 2018-11-27 2019-11-27 Packet forwarding

Publications (2)

Publication Number Publication Date
CN109474507A CN109474507A (en) 2019-03-15
CN109474507B true CN109474507B (en) 2020-12-04

Family

ID=65674266

Country Status (2)

Country Link
CN (1) CN109474507B (en)
WO (1) WO2020108531A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113286011B (en) * 2021-04-27 2023-08-22 锐捷网络股份有限公司 IP address allocation method and device based on VXLAN
CN113794635B (en) * 2021-08-05 2023-04-07 新华三信息安全技术有限公司 Message forwarding method and device
CN113992582B (en) * 2021-09-17 2023-03-28 新华三信息安全技术有限公司 Message forwarding method and device
CN113872847B (en) * 2021-11-18 2023-05-30 浪潮思科网络科技有限公司 Message forwarding method, device and medium based on VXLAN network
CN114374641B (en) * 2021-12-23 2023-06-16 锐捷网络股份有限公司 Three-layer message forwarding method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106067864A (en) * 2016-06-02 2016-11-02 杭州华三通信技术有限公司 A kind of message processing method and device
CN106130865A (en) * 2016-07-07 2016-11-16 杭州华三通信技术有限公司 The communication means of a kind of terminal room and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127680A (en) * 2007-07-20 2008-02-20 胡德勇 Unidirectional physical separation network brake for USB optical fiber
US9451056B2 (en) * 2012-06-29 2016-09-20 Avaya Inc. Method for mapping packets to network virtualization instances
CN103491072B (en) * 2013-09-06 2017-03-15 中国航天系统科学与工程研究院 A kind of border access control method based on double unidirection insulation network brakes
WO2015085523A1 (en) * 2013-12-11 2015-06-18 华为技术有限公司 Communication method, device and system for virtual extensible local area network

Also Published As

Publication number Publication date
CN109474507A (en) 2019-03-15
WO2020108531A1 (en) 2020-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant