CN113596059B - Method and system for realizing real-time three-layer network isolation in identification network - Google Patents

Publication number: CN113596059B
Application number: CN202110954805.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN113596059A (en)
Inventors: 张云峰, 文国莉, 陈菲菲, 郝亘, 关涛, 臧肖, 付磊, 王嘉熙, 严晓云, 冯旭, 李承延, 陆洲, 王洪超
Current assignee: China Academy of Electronic and Information Technology of CETC
Original assignee: China Academy of Electronic and Information Technology of CETC
Legal status: Active
Prior art keywords: network, identification, packet, router, grouping
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing

Abstract

The invention discloses a method and a system for realizing real-time three-layer (layer-3) network isolation in an identification network. An edge identification router is added to the existing identification network architecture, and the identification network is centrally controlled through the edge identification router; that is, the edge identification router implements policy-based isolation of network communication, thereby realizing three-layer isolation in the identification network and effectively solving the problem that the network cannot be managed well on the basis of multiple identifiers.

Description

Method and system for realizing real-time three-layer network isolation in identification network
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for realizing real-time three-layer network isolation in an identification network.
Background
With the development of science and technology, the number of internet users and the scale of applications keep growing, and the traditional internet increasingly exposes serious problems such as poor security, mobility, scalability and quality of service, so that it cannot meet the requirements of current or future networks. Against this background, identification networks have emerged. An identification network is a novel network architecture that uses network communication technologies such as identifier definition and division, identifier resolution and mapping, and an identifier protocol stack to solve problems of the existing internet architecture such as the multiple-identifier problem and poor mobility. However, the existing identification network is not yet perfect; for example, it cannot effectively realize network isolation. How to achieve wider application of identification networks is a problem that currently needs to be solved.
Disclosure of the Invention
The invention provides a method and a system for realizing real-time three-layer network isolation in an identification network, which are used for solving the problem that the identification network in the prior art cannot realize network isolation well.
In a first aspect, the present invention provides a method for implementing real-time three-layer network isolation in an identification network, where an edge identification router is provided in the identification network, the method includes:
when receiving a routing request sent by a user terminal, the edge identification router judges whether the routing request is an intra-group or an inter-group routing request; if it is an intra-group routing request, the request is routed directly within the group, and if it is an inter-group routing request, it is routed between groups according to the routing request;
user terminals in the same group are identified by a user terminal group identifier NG, and each virtual network number VNID corresponds to one or more groups; the virtual network number VNID is set in the routing request, and the edge identification router performs routing between virtual networks based on the virtual network number VNID.
Optionally, the user terminals in a group are identified by a user terminal group identifier NG;
the routing request carries the user terminal group identifier NG, and the edge identification router judges whether to route within a group or between groups based on the user terminal group identifier NG.
Optionally, the method further comprises: and pre-grouping the user terminals according to preset grouping conditions.
Optionally, the user terminal is pre-grouped according to a preset grouping condition by a preset pre-grouping device.
Optionally, a group lookup table is configured by the network controller;
each edge identification router queries the grouping of a user terminal based on the group lookup table on the network controller, or the network controller distributes the group lookup table to each edge identification router so that the edge identification router queries the grouping of the user terminal based on that table.
Optionally, the information between the edge identification routers is synchronized by the network controller.
Optionally, each IP address in the identification network includes an access identifier and a network identifier, and the access identifier and the network identifier are associated through an identifier mapping table.
In a second aspect, the present invention provides a system for implementing any one of the above methods, where the system includes a user terminal and edge identification routers, and each of the edge identification routers uniquely corresponds to a packet of the user terminal;
the user terminal is used for sending a routing request;
and the edge identification router is used for judging whether the routing request is routed in a group or an inter-group when receiving the routing request sent by the user terminal, directly routing the routing request in the group if the routing request is in the group, and routing the inter-group according to the routing request if the routing request is the inter-group routing request.
Optionally, the system further comprises a network controller and a pre-grouping device, each of which uniquely corresponds to the same grouping of user terminals;
the pre-grouping device is used for pre-grouping the user terminals according to preset grouping conditions to obtain a user grouping;
the network controller is configured to configure a group lookup table, so that each edge identification router queries the grouping of a user terminal by querying the group lookup table stored on the network controller itself, or to issue the group lookup table to each edge identification router so that the edge identification router queries the grouping of the user terminal based on that table.
The invention has the following beneficial effects:
the invention adds an edge identification router to the existing identification network architecture and centrally controls the identification network through the edge identification router; that is, the edge identification router implements policy-based isolation of network communication, thereby realizing three-layer isolation in the identification network and effectively solving the prior-art problem that the network cannot be managed well on the basis of multiple identifiers.
The foregoing is only an overview of the technical solution of the present invention; it is given so that the invention may be more clearly understood and implemented in accordance with its teachings, and so that the above and other objects, features and advantages of the present invention become more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a schematic diagram of a system architecture for implementing real-time three-layer network isolation in an identification network according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a raw data frame format according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a packet format processed by a pre-packet device according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a packet format processed by another pre-packet device according to an embodiment of the present invention;
fig. 5 is a schematic flow chart of partitioning a virtual network according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a processing flow of an edge router on an upstream packet according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a processing flow of an edge router on an upstream packet according to an embodiment of the present invention.
Detailed Description
Aiming at the problem that the network cannot be managed well in the prior art, the embodiment of the invention realizes policy-based isolation of network communication by arranging an identification network that is centrally controlled through an edge identification router, thereby realizing three-layer isolation in the identification network. The present invention will be described in further detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
A first embodiment of the present invention provides a method for implementing real-time three-layer network isolation in an identification network, where an edge identification router is provided in the identification network, referring to fig. 1, the method includes:
s101, receiving a routing request sent by a user terminal;
in a specific implementation, the edge identification router of the embodiment of the invention receives the routing request of the user terminal as forwarded by the user router; since the forwarding process is readily known to those skilled in the art, for brevity the embodiment of the invention simply describes the edge identification router as directly receiving the routing request sent by the user terminal;
it should be noted that the routing request in the embodiment of the invention includes various signalling and data packets, which are not described in detail here since they belong to the prior art.
S102, judging whether the routing request is routed in a group or between groups through an edge identification router, if the routing request is routed in the group, directly routing the routing request in the group, and if the routing request is the routing request between groups, routing the routing request between the groups according to the routing request;
in specific implementation, the embodiment of the invention judges, through the edge identification router, whether the inter-group cross-network communication corresponding to the routing request is allowed; if so, the request is routed, and if not, the method ends.
With this arrangement, routing between groups can be effectively controlled, so that an administrator can manage routes better.
In addition, since the invention processes data packets only on the edge router side, the embodiment of the invention does not need to change the internal forwarding routers, and can control communication or isolation between virtual networks in real time.
In the embodiment of the invention, each edge identification router uniquely corresponds to one grouping of user terminals. User terminals in the same group are identified by a user terminal group identifier NG; each virtual network number VNID corresponds to one or more groups; the virtual network number VNID is set in the routing request, and the edge identification router performs routing between virtual networks based on the virtual network number VNID. As a result, any communication is possible within the same user terminal group, while communication between different groups is controlled, so that the network is managed better.
In general, the method according to the embodiment of the present invention involves three kinds of identifiers: an access identifier, a user group identifier and a network identifier. The access identifier distinguishes each user terminal, the user group identifier distinguishes the group to which the user terminal belongs, and the network identifier is used for routing.
Further, the method of the embodiment of the invention also comprises pre-grouping the user terminals according to preset grouping conditions, specifically through a preset pre-grouping device FRONT, where FRONTID is the pre-grouping device number and FRONT PORT is the pre-grouping device port number.
That is, the embodiment of the invention carries out the pre-grouping on the user terminal through the pre-grouping equipment, and the operator can better manage the user terminal through setting different groupings according to the needs.
Of course, in implementation, those skilled in the art may also perform inter-group adjustment on already grouped user terminals through the pre-grouping device, and so on.
In specific implementation, the method of the embodiment of the invention further comprises: configuring, by a network controller, a group lookup table; each edge identification router then queries the grouping of a user terminal based on the group lookup table on the network controller, or the network controller issues the group lookup table to each edge identification router so that the edge identification router queries the grouping of the user terminal based on that table. The network controller also synchronizes information between the edge identification routers, thereby realizing effective management of the identification network as a whole; here RID is an identification router number and RID PORT is an identification router port number.
It should be noted that, in the embodiment of the present invention, each IP address in the identification network includes an access identifier AID and a network identifier, and the access identifier and the network identifier are associated through an identifier mapping table.
The method according to the embodiment of the present invention will be explained and illustrated in detail with reference to fig. 2 to 7:
Fig. 2 shows a network protocol format according to an embodiment of the present invention, and fig. 3 shows the packet format produced by the pre-grouping device. For an upstream packet, the pre-grouping device queries the user grouping table according to the user access identifier or other policies, inserts a source group number and a destination group number between the MAC header and the network header, as shown in figs. 2 and 3, and then hands the packet to the identification router, that is, the above-mentioned edge identification router (hereinafter simply called the identification router), which processes the packet in the routing request according to the packet header and the virtual network table.
The system of the embodiment of the invention comprises a pre-grouping device, an identification router and a network controller (also simply called the controller);
the pre-grouping device is responsible for attaching grouping labels, namely user terminal group identifiers NG, to the data packets of user terminals according to grouping rules. The network controller is responsible for issuing the grouping rules to the pre-grouping device, where the grouping rules are configured locally on each port of the pre-grouping device; the pre-grouping device also provides a local configuration interface through which the grouping rules can be configured locally. The specific grouping process of the pre-grouping device is shown in fig. 6.
The edge identification router is responsible for determining the virtual subnet number of a data packet, judging whether communication between the users is allowed, and judging whether virtual subnet separation applies. The network controller is responsible for issuing the virtual subnet division policy to the router, and the identification router is also able to configure the policy locally; the grouping process of the edge identification router is shown in fig. 7.
The controller is responsible for issuing grouping policies, issuing isolation policies, and synchronizing the configuration data of each network element.
As shown in fig. 5, the network system of the embodiment of the present invention uses the user space grouping table to divide the user space into the groupings of the network space according to the grouping policy. The user space packet table includes a sub-packet table and a full packet table. The sub-packet table is located in the front-end packet device and the full packet table is located in the network controller. Grouping policies include partitioning according to access identities, partitioning according to head-end ports, etc.
The sub-user space packet table is shown in Table 1 and has the following structure:
table 1 sub-user space packet table structure example
Table 2 is a full user space packet table according to an embodiment of the present invention, with the following structure:
table 2 all user space packet table structure example
It should be noted that, all the table structures in the embodiments of the present invention are only one schematic, and in the specific implementation, a person skilled in the art may set the corresponding table according to actual needs, which is not limited in particular, so as to finally implement the policy-based isolated network communication function of the edge identification router.
The grouping is configured at the control center, that is, an entry is added to the full user space packet table, for example an entry mapping port IF1 of device F2. Then all packets arriving on front-end port 3 from device F2 will be labelled 5.
b) Virtual network table
The virtual network tables are divided into sub virtual network tables and full virtual network tables. The sub virtual network table is located on the router and specifies only that router's virtual network division policy; the full virtual network table is located on the controller and defines the virtual network division policy of the whole network.
Table 3 shows a sub-virtual network table according to an embodiment of the present invention, and the specific table structure is as follows:
table 3 sub-virtual network table label structure example
Table 4 is a full virtual network table according to an embodiment of the present invention, and the specific table structure is as follows:
table 4 full virtual network table structure example
The virtual network isolation table controls the communication policy between virtual networks; by modifying the isolation table in real time, connectivity between virtual networks can be switched on and off in real time and the topological relation between virtual networks can be established. The virtual network isolation table is located on both the routers and the controller, and the controller maintains the consistency of the virtual network isolation table on each network device. The virtual network isolation table is shown in Table 5:
table 5 virtual network isolation table example
In the communication status field, STATUS=0 indicates that communication is not allowed and STATUS=1 indicates that communication is allowed.
In specific implementation, the forwarding flow processing of the embodiment of the present invention includes the following contents:
1) Network layer isolation
The access identifiers of terminal A and terminal B are A and B respectively, and both are assigned to the same virtual network N1. For a data packet sent by terminal A, the identifier mapping table is queried with A to obtain the virtual network N1 of A and with B to obtain the virtual network N1 of B, so the data packet of terminal A is forwarded to terminal B. Assuming that terminal C is in virtual network C, when A sends a packet to C, the router finds that A and C are not in the same virtual network and directly discards the packet.
2) Policy-based quarantine scheme
The access identifiers of terminal A and terminal B are A and B respectively; A is located in subnet NA and B in subnet NB. At the router, subnet NA is found from the user space group number of A, and subnet NB from the user space group number of B. The access router finds that NA is not equal to NB; it looks up the virtual network isolation table, finds the entry (NA, NB, 1), which specifies that host communication between NA and NB is allowed, and so the packet is kept and forwarded.
3) Partitioning virtual networks
Partitioning virtual networks requires modifying critical data structures, including the virtual network isolation table, the virtual network table and the user space partition table.
Add full virtual network table entries on the controller, and the system automatically issues the entries to the router identified by (router number, port number); by adding user space partition table entries, the system automatically issues entries to the pre-grouping device. Then add a virtual network isolation table entry: an entry in the isolation table with status 1 indicates that communication is allowed, while status zero or no entry indicates that communication is not allowed.
The user information in the embodiment of the present invention is shown in Table 6, from which the correspondence between user, router, user grouping and virtual network number VNID can be clearly seen:
table 6 user grouping example table
User name   Access identifier   Grouping device   Router   User grouping   Virtual network number
User 1      0x1100001           F1:IF1            R1:IF1   0x00002         0x10003
User 4      0x1100004           F2:IF1            R2:IF1   0x00002         0x10003
User 2      0x1200002           F1:IF2            R1:IF1   0x00003         0x10004
User 5      0x1200005           F2:IF2            R2:IF1   0x00003         0x10004
User 3      0x1300003           F1:IF3            R1:IF1   0x00004         0x10005
User 6      0x1300006           F2:IF3            R2:IF1   0x00004         0x10005
The method according to the invention will be explained and illustrated in detail below by means of a few specific examples:
Example 1 Partitioning virtual networks according to the access identifier
As shown in Table 7, the steps for dividing user 1 and user 4 into the same virtual network according to the access identifier are as follows:
1. At the network controller, add the following entries to the full user space packet table (Table 7):
table 7 all user space grouping table example
FRONTID   PORT   RID   PORT   AID         NG
F1        IF1    R1    IF1    0x1100001   0x00002
F2        IF1    R2    IF1    0x1100004   0x00002
The network controller sends the entries to F1 and F2 respectively via the routers; the pre-grouping device F1 holds the entry (F1, IF1, 0x1100001, 0x00002) and the pre-grouping device F2 holds the entry (F2, IF1, 0x1100004, 0x00002).
2. At the network controller, add the following entries to the full virtual network table (Table 8):
table 8 full virtual network table instance
RID   PORT   NG        VNID
R1    IF1    0x00002   0x10003
R2    IF1    0x00002   0x10003
The network controller sends the entries to identification router 1 and identification router 2 respectively: (R1, IF1, 0x00002, 0x10003) to R1 and (R2, IF1, 0x00002, 0x10003) to R2.
3. Information synchronization
In addition to basic information synchronization during configuration, data synchronization may also be performed during communication.
Example 2 Host communication within a virtual network
User 1 communicates with user 4 as follows:
1. User 1 sends a data packet to pre-grouping device 1, which finds an entry in its sub-user space packet table (Table 9) according to the AID:
table 9 sub-user space grouping table instance
FRONTID   PORT   AID         NG
F1        IF1    0x1100001   0x00002
Not finding an entry for the destination AID, the pre-grouping device F1 requests the grouping policy of user 4 from the network controller; after this succeeds, the sub-user space packet table is as shown in Table 10:
table 10 sub-user space packet table instance
FRONTID   PORT   AID         NG
F1        IF1    0x1100001   0x00002
F2        IF1    0x1100004   0x00002
After that, the pre-grouping device F1 adds the fields (0x00002, 0x00002) to the header and hands the packet to router R1.
2. After receiving the data packet, router R1 reads the source NG and destination NG and looks them up in the sub virtual network table, shown in Table 11:
table 11 virtual network table instance
NG        VNID
0x00002   0x00003
The source VNID and destination VNID are both found to be 0x00003, so communication is allowed.
3. Router R1 hands the data packet to the identifier mapping module for processing, and the identifier mapping network routes the data packet to user 4;
4. When the pre-grouping device requests grouping information from the network controller, the controller infers that the two parties are about to communicate and actively pushes the information of user 1 to pre-grouping device 2, which is connected to user 4.
Example 3 The network isolation configuration process includes:
1. User 2 and user 5 are configured in the same manner, giving the data structures shown in Tables 12 and 13:
table 12 all user space grouping table instance
FRONTID   PORT   RID   PORT   AID         NG
F1        IF1    R1    IF1    0x1100001   0x00002
F2        IF1    R2    IF1    0x1100004   0x00002
F1        IF2    R1    IF1    0x1100002   0x00003
F2        IF2    R2    IF1    0x1100005   0x00003
Table 13 full virtual network table instance
RID   PORT   NG        VNID
R1    IF1    0x00002   0x10003
R2    IF1    0x00002   0x10003
R1    IF1    0x00003   0x10004
R2    IF1    0x00003   0x10004
2. Configuring the network isolation table
On the network controller, the virtual network isolation table is configured as shown in Table 14:
table 14 virtual network isolation table instance
VNID      VNID      STATUS
0x10003   0x10004   1
After the configuration is finished, the network controller broadcasts the latest network isolation table to all routers, and each router updates its table in real time.
Example 4 Communication between virtual subnets
User 1 communicates with user 5.
1. The pre-grouping device adds the header (0x00002, 0x00003), as shown in fig. 4;
2. The router looks up the corresponding virtual network numbers in the virtual network table according to 0x00002 and 0x00003, obtaining 0x10003 and 0x10004.
3. Since 0x10003 is not equal to 0x10004, the router queries the virtual network isolation table and finds the entry (0x10003, 0x10004, 1), indicating that communication is allowed. The router hands the packet to the identifier mapping module for subsequent processing.
4. If the network isolation table contains the entry (0x10003, 0x10004, 0), or contains no entry (0x10003, 0x10004, 1/0) at all, the router discards the packet.
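The tagging and forwarding decisions walked through in Examples 2 to 4, modelled as an added Python example (not code from the patent): the pre-grouping device inserts the (source NG, destination NG) pair after the MAC header, and the edge identification router maps both NG values to VNIDs and consults the isolation table. Table contents are transcribed from Tables 6, 12, 13 and 14; the 32-bit NG field width, the directional (source, destination) reading of the isolation table, the status-0 row and the sample frame are assumptions constructed for the example.

```python
import struct

# Constructed tables, transcribed from the worked tables above.
# Sub-user space packet table held by pre-grouping device F1 (Table 10): AID -> NG.
# It starts with only user 1 and user 4; other destinations are fetched from the controller.
F1_SUB_PACKET_TABLE = {0x1100001: 0x00002, 0x1100004: 0x00002}

# Full user space packet table on the network controller (Table 12, plus user 3 from Table 6).
CONTROLLER_PACKET_TABLE = {
    0x1100001: 0x00002, 0x1100004: 0x00002,  # users 1 and 4, NG 0x00002
    0x1100002: 0x00003, 0x1100005: 0x00003,  # users 2 and 5, NG 0x00003
    0x1300003: 0x00004,                      # user 3, NG 0x00004 (Table 6)
}

# Sub virtual network table on router R1 (Table 13 rows for R1, plus user 3's VNID from Table 6):
# (port, NG) -> VNID.
R1_SUB_VNET_TABLE = {
    ("IF1", 0x00002): 0x10003,
    ("IF1", 0x00003): 0x10004,
    ("IF1", 0x00004): 0x10005,
}

# Virtual network isolation table (Table 14): (VNID, VNID) -> STATUS.
# The (0x10004, 0x10005) row with STATUS 0 is constructed to exercise the explicit-deny case.
ISOLATION_TABLE = {(0x10003, 0x10004): 1, (0x10004, 0x10005): 0}

MAC_HDR_LEN = 14                 # assumption: standard Ethernet header length
NG_PAIR = struct.Struct("!II")   # assumption: NG fields carried as two 32-bit values


def tag_packet(frame, src_aid, dst_aid, sub_table, controller_table):
    """Pre-grouping device: insert (source NG, destination NG) between the MAC header
    and the network header (fig. 3). An unknown destination is looked up on the
    controller and cached in the local sub-table (Example 2, step 1)."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError("frame shorter than MAC header")
    src_ng = sub_table.get(src_aid)
    if src_ng is None:
        raise ValueError("source AID %#x has no local grouping entry" % src_aid)
    dst_ng = sub_table.get(dst_aid)
    if dst_ng is None:
        dst_ng = controller_table.get(dst_aid)
        if dst_ng is None:
            raise ValueError("destination AID %#x unknown to the controller" % dst_aid)
        sub_table[dst_aid] = dst_ng
    return frame[:MAC_HDR_LEN] + NG_PAIR.pack(src_ng, dst_ng) + frame[MAC_HDR_LEN:]


def route_decision(frame, port, vnet_table, isolation_table):
    """Edge identification router: map both NG values to VNIDs, forward intra-VNID
    traffic, and consult the isolation table for inter-VNID traffic. Returns
    (action, reason). Isolation entries are read as directional (src, dst) pairs,
    and a missing entry or STATUS 0 both mean drop (Example 4, step 4)."""
    if len(frame) < MAC_HDR_LEN + NG_PAIR.size:
        return "drop", "no grouping header"
    src_ng, dst_ng = NG_PAIR.unpack_from(frame, MAC_HDR_LEN)
    src_vnid = vnet_table.get((port, src_ng))
    dst_vnid = vnet_table.get((port, dst_ng))
    if src_vnid is None or dst_vnid is None:
        return "drop", "NG not mapped to a virtual network"
    if src_vnid == dst_vnid:
        return "forward", "intra-virtual-network"
    status = isolation_table.get((src_vnid, dst_vnid))
    if status == 1:
        return "forward", "inter-virtual-network, allowed by isolation table"
    return "drop", "inter-virtual-network, no allowing isolation entry"


def send(src_aid, dst_aid):
    """Run one packet from F1:IF1 through R1:IF1; returns the router's (action, reason)."""
    sub_table = dict(F1_SUB_PACKET_TABLE)
    raw = b"\xff" * MAC_HDR_LEN + b"\x45" + b"\x00" * 19  # constructed frame, not a real packet
    tagged = tag_packet(raw, src_aid, dst_aid, sub_table, CONTROLLER_PACKET_TABLE)
    return route_decision(tagged, "IF1", R1_SUB_VNET_TABLE, ISOLATION_TABLE)


if __name__ == "__main__":
    for dst in (0x1100004, 0x1100005, 0x1300003):
        print("user 1 -> %#x: %s (%s)" % ((dst,) + send(0x1100001, dst)))
```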
The embodiment of the invention also provides a system for realizing any one of the methods for realizing real-time three-layer network isolation in the identification network, as shown in figure 1, wherein the system comprises user terminals and edge identification routers, and each edge identification router uniquely corresponds to a group of the user terminals;
the user terminal is used for sending a routing request;
and the edge identification router is used for judging whether the routing request is routed in a group or an inter-group when receiving the routing request sent by the user terminal, directly routing the routing request in the group if the routing request is in the group, and routing the inter-group according to the routing request if the routing request is the inter-group routing request.
In specific implementation, the system according to the embodiment of the invention further includes a network controller and a pre-grouping device, each of which uniquely corresponds to the same grouping of user terminals;
the pre-grouping device is used for pre-grouping the user terminals according to preset grouping conditions to obtain a user grouping;
the network controller is configured to configure a group lookup table, so that each edge identification router queries the grouping of a user terminal by querying the group lookup table stored on the network controller itself, or to issue the group lookup table to each edge identification router so that the edge identification router queries the grouping of the user terminal based on that table.
Other details of the system embodiment can be understood by reference to the method embodiments of the present invention and are not discussed in detail here.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, and accordingly the scope of the invention is not limited to the embodiments described above.

Claims (9)

1. A method for implementing real-time three-layer network isolation in an identification network, wherein an edge identification router is provided in the identification network, the method comprising:
when receiving a routing request sent by a user terminal, the edge identification router judges whether the routing request is intra-group routing or inter-group routing; if it is intra-group routing, the routing request is routed directly within the group, and if it is inter-group routing, inter-group routing is performed according to the routing request;
wherein each edge identification router uniquely corresponds to one group of user terminals;
user terminals in the same group are identified by a user terminal group identification NG, and each virtual network number VNID corresponds to one or more groups;
the virtual network number VNID is set in the routing request, and the edge identification router performs routing between virtual networks based on the virtual network number VNID.
2. The method of claim 1, wherein if the routing request is an inter-group routing request, the method further comprises:
judging, by the edge identification router, whether the inter-group cross-network communication corresponding to the routing request is allowed; if allowed, the edge identification router performs inter-group routing according to the routing request, otherwise the process ends.
3. The method according to claim 1, wherein the method further comprises:
pre-grouping the user terminals according to preset grouping conditions.
4. The method of claim 3, characterized in that the user terminals are pre-grouped according to preset grouping conditions by a preset pre-grouping device.
5. The method of claim 3, characterized in that:
a group lookup table is configured by a network controller;
each edge identification router performs group queries for user terminals based on the group lookup table on the network controller, or the network controller distributes the group lookup table to each edge identification router so that the edge identification router performs group queries for user terminals based on the group lookup table.
6. The method of claim 5, characterized in that information is synchronized between the edge identification routers by the network controller.
7. The method according to any one of claims 1 to 6, characterized in that each IP address in the identification network comprises an access identification and a network identification, and the access identification and the network identification are associated through an identification mapping table.
8. A system for implementing the method for implementing real-time three-layer network isolation in an identification network according to any one of claims 1 to 7, characterized in that the system comprises user terminals and edge identification routers, each edge identification router uniquely corresponding to one group of user terminals;
the user terminal is used for sending a routing request;
the edge identification router is used for judging, when receiving the routing request sent by the user terminal, whether the routing request is intra-group or inter-group routing, routing the request directly within the group if it is intra-group, and performing inter-group routing according to the routing request if it is an inter-group routing request.
9. The system of claim 8, wherein the system further comprises a network controller and a pre-grouping device, each of which also uniquely corresponds to the same group of user terminals;
the pre-grouping device is used for pre-grouping the user terminals according to preset grouping conditions to obtain user groups;
the network controller is configured to maintain a group lookup table, so that each edge identification router performs group queries for user terminals by querying the group lookup table held by the network controller itself, or distributes the group lookup table to each edge identification router so that the edge identification router performs group queries for user terminals based on that table.
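As an added illustration of the method of claims 1 to 7 and the system of claims 8 and 9, the following Python simulation models the edge identification router's decision: it looks up the group identification NG of both terminals (either at the network controller or in a distributed copy of the group lookup table), checks that both groups belong to the VNID carried in the request, routes directly for intra-group requests, and consults the inter-group cross-network policy otherwise; it also shows pre-grouping by a preset condition, the access-to-network identification mapping, and controller-driven synchronization. This is example code written for this page, not code from the patent or its assignee; every terminal, group, VNID, device name and policy value is a constructed assumption.

```python
# Added example (not code from the patent): a small simulation of the edge
# identification router decision in claims 1-7.  Every device, terminal, group
# and VNID name below is a constructed assumption, not a value from the page.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RoutingRequest:
    src: str   # source user terminal (its access identification)
    dst: str   # destination user terminal (its access identification)
    vnid: int  # virtual network number VNID carried in the request


def pre_group(terminals: Dict[str, Dict[str, str]], attr: str) -> Dict[str, str]:
    """Pre-grouping device (claims 3-4): give each terminal a group identification
    NG by a preset condition, here equality of attribute `attr`.
    Returns the group lookup table: terminal -> NG."""
    return {t: f"NG-{props[attr]}" for t, props in terminals.items()}


class NetworkController:
    """Holds the group lookup table, the VNID -> groups relation, the
    inter-group cross-network policy and the identification mapping table."""

    def __init__(self, group_table: Dict[str, str], vnid_groups: Dict[int, Set[str]],
                 allowed_pairs: List[Tuple[str, str]], id_mapping: Dict[str, str]):
        self.group_table = group_table
        self.vnid_groups = vnid_groups
        # unordered pairs of groups allowed to communicate across groups (claim 2)
        self.allowed_pairs: Set[FrozenSet[str]] = {frozenset(p) for p in allowed_pairs}
        self.id_mapping = id_mapping  # access identification -> network identification (claim 7)
        self.routers: List["EdgeIdentificationRouter"] = []

    def lookup_group(self, terminal: str) -> Optional[str]:
        return self.group_table.get(terminal)

    def inter_group_allowed(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.allowed_pairs

    def network_identification(self, access_id: str) -> Optional[str]:
        return self.id_mapping.get(access_id)

    def synchronize(self) -> None:
        """Claim 6: push the current lookup table to routers holding a distributed copy."""
        for r in self.routers:
            if r.local_table is not None:
                r.local_table = dict(self.group_table)


class EdgeIdentificationRouter:
    def __init__(self, name: str, group_ng: str, controller: NetworkController,
                 local_copy: bool = False):
        self.name = name
        self.group_ng = group_ng            # the one group this router serves
        self.controller = controller
        # Claim 5: query the controller's table, or keep a copy it distributed
        self.local_table = dict(controller.group_table) if local_copy else None
        controller.routers.append(self)

    def _group_of(self, terminal: str) -> Optional[str]:
        if self.local_table is not None:
            return self.local_table.get(terminal)
        return self.controller.lookup_group(terminal)

    def route(self, req: RoutingRequest) -> Tuple[str, str]:
        """Decide 'intra-group', 'inter-group' or 'drop' for a routing request."""
        src_ng, dst_ng = self._group_of(req.src), self._group_of(req.dst)
        if src_ng is None or dst_ng is None:
            return "drop", "terminal not in group lookup table"
        if src_ng != self.group_ng:
            return "drop", f"{req.src} is not served by {self.name}"
        # both groups must belong to the virtual network named by the VNID
        members = self.controller.vnid_groups.get(req.vnid, set())
        if src_ng not in members or dst_ng not in members:
            return "drop", f"group outside VNID {req.vnid}"
        dst_net = self.controller.network_identification(req.dst)
        if src_ng == dst_ng:                      # intra-group: route directly
            return "intra-group", f"direct to {dst_net}"
        if self.controller.inter_group_allowed(src_ng, dst_ng):
            return "inter-group", f"via {dst_net}"
        return "drop", f"inter-group {src_ng}->{dst_ng} not allowed"


def build_demo() -> Tuple[NetworkController, EdgeIdentificationRouter, EdgeIdentificationRouter]:
    # constructed sample: terminals grouped by department attribute
    terminals = {"t1": {"dept": "A"}, "t2": {"dept": "A"},
                 "t3": {"dept": "B"}, "t4": {"dept": "C"}}
    ctl = NetworkController(
        group_table=pre_group(terminals, "dept"),    # t1,t2->NG-A t3->NG-B t4->NG-C
        vnid_groups={100: {"NG-A", "NG-B", "NG-C"}, 200: {"NG-C"}},
        allowed_pairs=[("NG-A", "NG-B")],           # A<->B allowed, A<->C not
        id_mapping={"t1": "net-1", "t2": "net-1", "t3": "net-2", "t4": "net-3"},
    )
    ra = EdgeIdentificationRouter("R-A", "NG-A", ctl)                   # queries controller
    rb = EdgeIdentificationRouter("R-B", "NG-B", ctl, local_copy=True)  # distributed copy
    return ctl, ra, rb


if __name__ == "__main__":
    ctl, ra, rb = build_demo()
    for req in (RoutingRequest("t1", "t2", 100), RoutingRequest("t1", "t3", 100),
                RoutingRequest("t1", "t4", 100), RoutingRequest("t1", "t4", 200)):
        print(req, "->", ra.route(req))
```

The two routers differ only in where they resolve group membership: `R-A` asks the controller on every request, while `R-B` holds a distributed copy that goes stale until `synchronize()` runs, which is the situation claim 6 addresses. Isolation is enforced at the VNID check (a terminal outside the requested virtual network is dropped before any policy lookup) and at the inter-group policy, so a request across groups only succeeds when that pair of groups is explicitly permitted.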
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110954805.XA CN113596059B (en) 2021-08-19 2021-08-19 Method and system for realizing real-time three-layer network isolation in identification network

Publications (2)

Publication Number Publication Date
CN113596059A CN113596059A (en) 2021-11-02
CN113596059B true CN113596059B (en) 2023-06-20

Family ID: 78238426

Country Status (1)

Country Link
CN (1) CN113596059B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025589A (en) * 2009-09-18 2011-04-20 ZTE Corporation Method and system for realizing virtual private network
CN107171857A (en) * 2017-06-21 2017-09-15 Hangzhou DPtech Technologies Co., Ltd. Network virtualization method and apparatus based on user group

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001026303A1 (en) * 1999-09-30 2001-04-12 Fujitsu Limited Route control method and device for environment where hierarchical network and nonhierarchical network are mixedly present
EP1387527A1 (en) * 2002-07-30 2004-02-04 Agilent Technologies Inc. Identifying network routers and paths
CN102098228B (en) * 2011-03-04 2012-09-05 Tsinghua University Integrated management system for mobility of identification network and method thereof
CN102571591B (en) * 2012-01-18 2014-09-17 National University of Defense Technology Method, edge router and system for realizing marked network communication
CN103561009B (en) * 2013-10-25 2016-06-08 Beijing Jiaotong University Integrated identification network transmission method based on connection identifier
CN103595710B (en) * 2013-10-25 2016-11-23 Beijing Jiaotong University Integrated identification network connection identifier generation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QoS guarantee mechanism based on label forwarding in the integrated identification network; Li Wei et al.; Computer Technology and Development; 2010-11-10 (No. 11); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant