CN116032513A - Method, device, system and storage medium for processing message - Google Patents

Publication number: CN116032513A
Authority: CN (China)
Prior art keywords: network device, network, packet, message, vpn
Legal status: Pending
Application number: CN202210028914.3A
Other languages: Chinese (zh)
Inventors: 张亚伟, 郝建武, 彭书萍, 闫刚
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to EP22202445.7A (EP4175257A1)
Priority to US17/972,686 (US20230131282A1)
Publication of CN116032513A
Classification: Data Exchanges In Wide-Area Networks

Abstract

The application discloses a method, a device, a system and a storage medium for processing a message, belonging to the field of communication. The method comprises the following steps: a first network device receives a first message sent by a second network device, wherein the first message comprises a first packet identifier, the first packet identifier corresponds to a VPN on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected with the second network device. The first network device obtains a second packet identifier based on a destination address of the first message, wherein the second packet identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected with the third network device. The first network device processes the first message based on the first packet identifier and the second packet identifier. The method and the device can meet the requirement that some network devices interwork while other network devices are isolated.

Description

Method, device, system and storage medium for processing message
The present application claims priority from Chinese patent application No. 202111250543.5, entitled "method for network interworking and quarantine policy based on APN 6", filed on October 26, 2021, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, a system, and a storage medium for processing a packet.
Background
A current virtual private network (VPN) may include multiple branches, each branch being an access point through which devices access the VPN. For example, a VPN may include a first customer premises equipment (CPE), a second CPE, and a third CPE, each CPE representing a branch and each CPE being accessed by at least one customer edge device (CE).
At present, all CPEs belonging to a VPN can communicate with one another. In practice, however, some CPEs may need to interwork while others need to be isolated. For example, in a VPN, the first CPE may not be allowed to communicate with the second CPE, or the first CPE may be allowed to communicate with the third CPE. The requirement of interworking between some CPEs and isolation between others cannot be met at present.
Disclosure of Invention
The application provides a method, a device, a system and a storage medium for processing a message, so as to meet the requirement that some network devices interwork while other network devices are isolated. The technical scheme is as follows:
In a first aspect, the present application provides a method for processing a message, in which a first network device receives a first message sent by a second network device, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device. The first network device obtains a second packet identifier based on a destination address of the first message, where the second packet identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected to the third network device. The first network device processes the first message based on the first packet identifier and the second packet identifier.
In the method, each CPE carries in its messages the packet identifier corresponding to that CPE. For example, the first message includes the first packet identifier, which corresponds to the VPN on the second network device. The interworking policy between CPEs can then be determined on the network-side PE based on the packet identifiers: the first network device obtains the second packet identifier, which corresponds to the VPN on the third network device, based on the destination address of the first message. The first network device then processes the first message based on the first packet identifier and the second packet identifier, for example by sending the first message to the third network device or by discarding the first message, thereby connecting the second network device and the third network device or isolating them from each other. In this way, the requirement that some network devices interwork while others are isolated is met.
In one possible implementation, the first network device obtains a first processing policy based on the first packet identifier and the second packet identifier, and processes the first message based on the first processing policy. In the method, the interworking policy is configured on the network-side PE, and different processing policies are specified for different branches. Specifically, the first processing policy defines how the first message is processed; for example, the second network device and the third network device are connected, or isolated, through the first processing policy.
In another possible implementation, the first network device obtains the first processing policy based on the first packet identifier, the second packet identifier, and a first correspondence. The interworking policy may be configured based on packet identifiers. Because the first correspondence includes the first packet identifier, the second packet identifier, and the first processing policy, the first processing policy can be accurately obtained through the first correspondence, and whether to connect or isolate the second network device and the third network device can be accurately determined through the first processing policy.
In another possible implementation, when the first processing policy indicates that the transmission direction from the second network device to the third network device is connected, the first network device sends the first message to the third network device, so that connectivity in the transmission direction from the second network device to the third network device is implemented through the first processing policy.
In another possible implementation, when the first processing policy indicates that the transmission direction from the second network device to the third network device is isolated, the first network device discards the first message, so that the transmission direction from the second network device to the third network device is isolated through the first processing policy.
In another possible implementation, the first processing policy further indicates that the transmission direction from the third network device to the second network device is connected, or that this transmission direction is isolated. The interworking policy is a bidirectional policy, so the first processing policy can indicate whether each of the two transmission directions between the third network device and the second network device is isolated or connected, which improves flexibility.
In another possible implementation, the first network device obtains routing information for sending the first message based on the destination address of the first message, where the routing information includes an address of the third network device. The first network device obtains the second packet identifier based on the address of the third network device, the network identifier of the VPN, and a second correspondence. The second correspondence includes the address of the third network device, the network identifier of the VPN, and the second packet identifier. Because the first network device already holds the routing information for sending the first message, and that routing information includes the address of the third network device, the routing information in the first network device can be reused to obtain the second packet identifier, which reduces implementation complexity.
In another possible implementation, the first packet identifier is included in an Internet Protocol version 6 (IPv6) extension header of the first message.
In another possible implementation, the first packet identifier is included in an application-aware network (APN) identifier of the IPv6 extension header. Thus, the first packet identifier can reuse the APN model, which simplifies network deployment.
In another possible implementation, the first network device receives a second message sent by the second network device, where the second message includes a third packet identifier, the third packet identifier corresponds to the VPN on the second network device, a second source device corresponding to the second message belongs to the VPN, and the second source device is connected to the second network device. The first network device obtains a fourth packet identifier based on a destination address of the second message, where the fourth packet identifier corresponds to the VPN on a fourth network device, a second destination device corresponding to the destination address of the second message belongs to the VPN, and the second destination device is connected to the fourth network device. The first network device processes the second message based on the third packet identifier and the fourth packet identifier. Processing the first message includes sending the first message to the third network device, and processing the second message includes discarding the second message. That is, the transmission direction from the second network device to the third network device is connected while the transmission direction from the second network device to the fourth network device is isolated, which meets the requirement that some network devices interwork while others are isolated.
In another possible implementation, the first network device includes a network-side edge device (PE). A network-side PE corresponds to a region, for example, one province corresponds to one network-side PE, or one city corresponds to one network-side PE, so that network devices within one region are connected or isolated centrally.
In another possible implementation, the second network device includes a customer premises equipment (CPE) connected to the first source device, and the third network device includes a CPE connected to the first destination device.
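The first-aspect processing on the network-side PE (route lookup, second correspondence, first correspondence, then forward or discard) can be sketched as follows. This is an added example, not code from the patent; the table layouts, the way one table entry covers both transmission directions, the choice to discard when any lookup fails, and all addresses and identifiers are assumptions constructed for illustration.

```python
# Added example: PE-side processing of a message per the first aspect.
# Table layouts, addresses and identifiers are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


@dataclass(frozen=True)
class Message:
    vpn_id: int              # network identifier of the VPN
    group_id: Optional[int]  # first packet identifier carried by the message
    dst: str                 # destination address of the message


@dataclass(frozen=True)
class Policy:
    a_to_b: bool  # True: direction a -> b is connected, False: isolated
    b_to_a: bool  # same for the reverse direction (bidirectional policy)


class ProviderEdge:
    def __init__(self, routes, second_corr, first_corr):
        # routes: {vpn_id: [(prefix, egress CPE address)]}, longest prefix first
        self.routes = {
            vpn: sorted(((ip_network(p), cpe) for p, cpe in entries),
                        key=lambda e: e[0].prefixlen, reverse=True)
            for vpn, entries in routes.items()
        }
        self.second_corr = second_corr  # {(CPE address, vpn_id): packet identifier}
        self.first_corr = first_corr    # {(id_a, id_b): Policy}

    def egress_cpe(self, vpn_id, dst):
        """Routing information: address of the CPE that serves dst in this VPN."""
        addr = ip_address(dst)
        for prefix, cpe in self.routes.get(vpn_id, []):
            if addr.version == prefix.version and addr in prefix:
                return cpe
        return None

    def process(self, msg):
        """Return (Action, detail); detail is the next hop or the drop reason."""
        if msg.group_id is None:
            return Action.DROP, "no packet identifier in message"
        cpe = self.egress_cpe(msg.vpn_id, msg.dst)
        if cpe is None:
            return Action.DROP, "no route in VPN"
        # Second correspondence: (CPE address, VPN) -> second packet identifier.
        second = self.second_corr.get((cpe, msg.vpn_id))
        if second is None:
            return Action.DROP, "no packet identifier for egress CPE"
        # First correspondence: (first id, second id) -> processing policy.
        policy = self.first_corr.get((msg.group_id, second))
        if policy is not None:
            connected = policy.a_to_b
        else:
            # Assumption: one entry also describes the reverse direction.
            policy = self.first_corr.get((second, msg.group_id))
            connected = policy.b_to_a if policy is not None else False
        if connected:
            return Action.FORWARD, cpe
        return Action.DROP, "isolated by policy"


# Constructed sample: VPN 100 with three CPEs (identifiers 2, 3 and 4).
CPE2, CPE3, CPE4 = "2001:db8:ffff::2", "2001:db8:ffff::3", "2001:db8:ffff::4"
PE = ProviderEdge(
    routes={100: [("2001:db8:2::/48", CPE2),
                  ("2001:db8:3::/48", CPE3),
                  ("2001:db8:4::/48", CPE4)]},
    second_corr={(CPE2, 100): 2, (CPE3, 100): 3, (CPE4, 100): 4},
    first_corr={(2, 3): Policy(a_to_b=True, b_to_a=False),
                (2, 4): Policy(a_to_b=False, b_to_a=False)},
)


def demo():
    """Process three constructed messages and return the decisions."""
    return [
        PE.process(Message(100, 2, "2001:db8:3::10")),  # CPE2 -> CPE3
        PE.process(Message(100, 2, "2001:db8:4::10")),  # CPE2 -> CPE4
        PE.process(Message(100, 3, "2001:db8:2::10")),  # CPE3 -> CPE2
    ]


if __name__ == "__main__":
    for action, detail in demo():
        print(action.value, detail)
```

Messages without an identifier, without a route, or without a matching table entry are discarded here, so a missing configuration entry results in isolation rather than connectivity.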
In a second aspect, the application provides a method for processing a message, in which a second network device obtains a first message, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device. The second network device sends the first message to a first network device.
In the method, each CPE carries in its messages the packet identifier corresponding to that CPE. For example, the first message includes the first packet identifier, which corresponds to the VPN on the second network device. The interworking policy between CPEs can then be determined on the network-side PE based on the packet identifiers: after the second network device sends the first message, the first network device that receives the first message processes it based on the first packet identifier, for example by sending the first message to a third network device or by discarding the first message, thereby connecting the second network device and the third network device or isolating them from each other. The third network device is the network device to which the first destination device corresponding to the first message is connected. In this way, the requirement that some network devices interwork while others are isolated is met.
In one possible implementation, the second network device obtains the first packet identifier based on the network identifier of the VPN and a first correspondence. Because the first correspondence includes the network identifier of the VPN and the first packet identifier, the first packet identifier can be accurately obtained through the first correspondence.
In another possible implementation, the second network device includes a first interface bound to the VPN, the first interface being connected to the first source device. The second network device receives, through the first interface, a third message sent by the first source device. The second network device obtains the first message based on the third message, where the first message includes the identifier of the VPN. The VPN can be determined through the first interface, and the first packet identifier is obtained based on the VPN.
In another possible implementation, the second network device includes a customer premises equipment (CPE).
In another possible implementation, the first network device includes a network-side edge device (PE). A network-side PE corresponds to a region, for example, one province corresponds to one network-side PE, or one city corresponds to one network-side PE, so that network devices within one region are connected or isolated centrally.
In a third aspect, the present application provides an apparatus for processing a message, where the apparatus includes a transceiver unit and a processing unit.
The transceiver unit is configured to receive a first message sent by a second network device, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device.
The processing unit is configured to obtain a second packet identifier based on a destination address of the first message, where the second packet identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected to the third network device.
The processing unit is further configured to process the first message based on the first packet identifier and the second packet identifier.
In the apparatus, each CPE carries in its messages the packet identifier corresponding to that CPE. For example, the first message includes the first packet identifier, which corresponds to the VPN on the second network device. The interworking policy between CPEs can then be determined on the network-side PE based on the packet identifiers: the processing unit obtains the second packet identifier, which corresponds to the VPN on the third network device, based on the destination address of the first message. The processing unit then processes the first message based on the first packet identifier and the second packet identifier, for example by sending the first message to the third network device or by discarding the first message, thereby connecting the second network device and the third network device or isolating them from each other. In this way, the requirement that some network devices interwork while others are isolated is met.
In one possible implementation, the processing unit is configured to obtain a first processing policy based on the first packet identifier and the second packet identifier, and is further configured to process the first message based on the first processing policy. The interworking policy is configured on the apparatus, and different processing policies are specified for different branches. Specifically, the first processing policy defines how the first message is processed; for example, the second network device and the third network device are connected, or isolated, through the first processing policy.
In another possible implementation, the processing unit is configured to obtain the first processing policy based on the first packet identifier, the second packet identifier, and a first correspondence. The interworking policy may be configured based on packet identifiers. Because the first correspondence includes the first packet identifier, the second packet identifier, and the first processing policy, the first processing policy can be accurately obtained through the first correspondence, and whether to connect or isolate the second network device and the third network device can be accurately determined through the first processing policy.
In another possible implementation, when the first processing policy indicates that the transmission direction from the second network device to the third network device is connected, the transceiver unit is further configured to send the first message to the third network device, so that connectivity in the transmission direction from the second network device to the third network device is implemented through the first processing policy.
In another possible implementation, when the first processing policy indicates that the transmission direction from the second network device to the third network device is isolated, the processing unit is configured to discard the first message, so that the transmission direction from the second network device to the third network device is isolated through the first processing policy.
In another possible implementation, the first processing policy further indicates that the transmission direction from the third network device to the second network device is connected, or that this transmission direction is isolated. The interworking policy is a bidirectional policy, so the first processing policy can indicate whether each of the two transmission directions between the third network device and the second network device is isolated or connected, which improves flexibility.
In another possible implementation, the processing unit is configured to obtain, based on the destination address of the first message, routing information for sending the first message, where the routing information includes an address of the third network device. The processing unit is further configured to obtain the second packet identifier based on the address of the third network device, the network identifier of the VPN, and a second correspondence. The second correspondence includes the address of the third network device, the network identifier of the VPN, and the second packet identifier. Because the apparatus already holds the routing information for sending the first message, and that routing information includes the address of the third network device, the routing information in the apparatus can be reused to obtain the second packet identifier, which reduces implementation complexity.
In another possible implementation, the first packet identifier is included in an Internet Protocol version 6 (IPv6) extension header of the first message.
In another possible implementation, the first packet identifier is included in an application-aware network (APN) identifier of the IPv6 extension header. Thus, the first packet identifier can reuse the APN model, which simplifies network deployment.
In another possible implementation, the transceiver unit is further configured to receive a second message sent by the second network device, where the second message includes a third packet identifier, the third packet identifier corresponds to the VPN on the second network device, a second source device corresponding to the second message belongs to the VPN, and the second source device is connected to the second network device.
The processing unit is further configured to obtain a fourth packet identifier based on a destination address of the second message, where the fourth packet identifier corresponds to the VPN on a fourth network device, a second destination device corresponding to the destination address of the second message belongs to the VPN, and the second destination device is connected to the fourth network device.
The processing unit is further configured to process the second message based on the third packet identifier and the fourth packet identifier.
Processing the first message includes sending the first message to the third network device, and processing the second message includes discarding the second message. That is, the transmission direction from the second network device to the third network device is connected while the transmission direction from the second network device to the fourth network device is isolated, which meets the requirement that some network devices interwork while others are isolated.
In another possible implementation, the apparatus includes a network-side edge device (PE). A network-side PE corresponds to a region, for example, one province corresponds to one network-side PE, or one city corresponds to one network-side PE, so that network devices within one region are connected or isolated centrally.
In another possible implementation, the second network device includes a customer premises equipment (CPE) connected to the first source device, and the third network device includes a CPE connected to the first destination device.
In a fourth aspect, the present application provides an apparatus for processing a message, where the apparatus includes a processing unit and a transceiver unit.
The processing unit is configured to obtain a first message, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the apparatus, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the apparatus.
The transceiver unit is configured to send the first message to a first network device.
In the apparatus, each CPE carries in its messages the packet identifier corresponding to that CPE. For example, the first message includes the first packet identifier, which corresponds to the VPN on the apparatus. The interworking policy between CPEs can then be determined on the network-side PE based on the packet identifiers: after the transceiver unit sends the first message, the first network device that receives the first message processes it based on the first packet identifier, for example by sending the first message to a third network device or by discarding the first message, thereby connecting the apparatus and the third network device or isolating them from each other. The third network device is the network device to which the first destination device corresponding to the first message is connected. In this way, the requirement that some network devices interwork while others are isolated is met.
In one possible implementation, the processing unit is configured to obtain the first packet identifier based on the network identifier of the VPN and a first correspondence. Because the first correspondence includes the network identifier of the VPN and the first packet identifier, the first packet identifier can be accurately obtained through the first correspondence.
In another possible implementation, the apparatus includes a first interface bound to the VPN, the first interface being connected to the first source device. The transceiver unit is further configured to receive, through the first interface, a third message sent by the first source device.
The processing unit is further configured to obtain the first message based on the third message, where the first message includes the identifier of the VPN.
The VPN can be determined through the first interface, and the first packet identifier is obtained based on the VPN.
In another possible implementation, the apparatus includes a customer premises equipment (CPE).
In another possible implementation, the first network device includes a network-side edge device (PE). A network-side PE corresponds to a region, for example, one province corresponds to one network-side PE, or one city corresponds to one network-side PE, so that network devices within one region are connected or isolated centrally.
In a fifth aspect, the present application provides an apparatus for processing a message, where the apparatus includes a processor and a memory. The processor and the memory may be connected through an internal connection. The memory is configured to store a program, and the processor is configured to execute the program in the memory to cause the apparatus to perform the method of the first aspect or any possible implementation of the first aspect.
In a sixth aspect, the present application provides an apparatus for processing a message, where the apparatus includes a processor and a memory. The processor and the memory may be connected through an internal connection. The memory is configured to store a program, and the processor is configured to execute the program in the memory to cause the apparatus to perform the method of the second aspect or any possible implementation of the second aspect.
In a seventh aspect, the present application provides a network device comprising a main control board and an interface board. The main control board includes a first processor and a first memory. The interface board includes a second processor, a second memory and an interface card. The main control board is coupled with the interface board.
The first memory may be used to store program code, and the first processor is used to invoke the program code in the first memory to perform the following operations: receiving a first message sent by a second network device, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device.
The second memory may be used to store program code, and the second processor may be used to invoke the program code in the second memory, triggering the interface card to perform the following operations: obtaining a second packet identifier based on a destination address of the first message, where the second packet identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected to the third network device; and processing the first message based on the first packet identifier and the second packet identifier.
In one possible implementation, an inter-process communication (IPC) channel is established between the main control board and the interface board, and the main control board and the interface board communicate via the IPC channel.
In an eighth aspect, the present application provides a network device comprising a main control board and an interface board. The main control board includes a first processor and a first memory. The interface board includes a second processor, a second memory and an interface card. The main control board is coupled with the interface board.
The first memory may be used to store program code, and the first processor is used to invoke the program code in the first memory to perform the following operations: obtaining a first message, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the network device.
The second memory may be used to store program code, and the second processor may be used to invoke the program code in the second memory, triggering the interface card to perform the following operations: sending the first message to a first network device.
In one possible implementation, an inter-process communication (IPC) channel is established between the main control board and the interface board, and the main control board and the interface board communicate via the IPC channel.
In a ninth aspect, the present application provides a system for processing a message, the system comprising the apparatus provided in the third aspect and the apparatus provided in the fourth aspect, or the system comprising the apparatus provided in the fifth aspect and the apparatus provided in the sixth aspect, or the system comprising the network device provided in the seventh aspect and the network device provided in the eighth aspect.
In a tenth aspect, the present application provides a computer program product comprising a computer program stored in a computer-readable storage medium and loaded by a processor to implement the method of the first aspect, the second aspect, any possible implementation of the first aspect or any possible implementation of the second aspect.
In an eleventh aspect, the present application provides a computer-readable storage medium storing a computer program to be loaded by a processor to execute the method of the first aspect, the second aspect, any possible implementation of the first aspect or any possible implementation of the second aspect.
In a twelfth aspect, the present application provides a chip comprising a memory for storing computer instructions and a processor for calling and executing the computer instructions from the memory to perform the method of the first aspect, the second aspect, any possible implementation of the first aspect or any possible implementation of the second aspect.
Drawings
FIG. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
FIG. 2 is a schematic view of a scenario provided in an embodiment of the present application;
FIG. 3 is a flowchart of a method for processing a message according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a first packet according to an embodiment of the present application;
FIG. 5 is a schematic diagram of another first packet provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of an application aware network (APN) header provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of an APN identification (APN-ID) provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a device for processing a message according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another apparatus for processing a message according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of another apparatus for processing a message according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of another apparatus for processing a message according to an embodiment of the present application;
FIG. 12 is a schematic view of a device structure according to an embodiment of the present application;
FIG. 13 is a schematic view of another apparatus according to an embodiment of the present disclosure;
FIG. 14 is a schematic diagram of a system structure for processing a message according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
A VPN is a private network established over a public network; it can carry encrypted communications and is widely used in enterprise networks. For example, the department networks of different departments of an enterprise communicate over a public network via a VPN, such that the department networks of the different departments form an interconnected private enterprise network. For another example, the networks of different branches of one enterprise communicate over a public network via a VPN, such that the networks of the different branches form an interconnected private enterprise network.
In some embodiments, the VPN includes an Ethernet virtual private network (EVPN) or the like; the EVPN may in turn include a hierarchical VPN (HoVPN) or the like.
A VPN may include multiple branches, and interworking or isolation between the different branches may be required. For example, the department networks of different departments of the enterprise are different branches of the VPN, and the department networks of different departments in the enterprise may need to interwork or may need to be isolated. For example, a research and development department in an enterprise may involve privacy, requiring isolation of the department network of the research and development department such that it cannot send data to the department networks of other departments. The department network of the research and development department may or may not be able to receive data transmitted by the department networks of the other departments. Because the other departments of the enterprise do not involve privacy, their department networks may be allowed to communicate with one another. For another example, the networks of the different companies may be different branches, and the networks of the different branches may need to interwork or may need to be isolated.
Each branch of the VPN includes a network device, which is the access point through which the terminal devices within the branch access the network. The network device is connected to a communication network, which is a public network, such that the terminal devices in the different branches communicate via the VPN. For example, referring to fig. 1, the present application provides a network architecture 100 of a VPN, which includes a first network device 101, a second network device 102, a third network device 103, a fourth network device 104, and the like. The second network device 102, the third network device 103, and the fourth network device 104 each communicate with the first network device 101. The second network device 102, the third network device 103 and the fourth network device 104 are all located at the edge of the communication network, and the first network device 101 is capable of forwarding data between the second network device 102, the third network device 103 and the fourth network device 104.
The second network device 102, the third network device 103 and the fourth network device 104 belong to a first branch, a second branch and a third branch of the VPN, respectively. The terminal devices in the first branch access the second network device 102, the terminal devices in the second branch access the third network device 103, and the terminal devices in the third branch access the fourth network device 104.
In some embodiments, any of the second network device 102, the third network device 103, and the fourth network device 104 communicates with the first network device 101 through a slice private network, a cellular mobile communication network, an IP radio access network (IP RAN), or a metropolitan area network. The cellular mobile communication network includes a 5G network, a 4G network, a 3G network, or the like.
In some embodiments, referring to fig. 1, the first network device 101 includes a network-side edge device (PE) or the like located in a cloud backbone network, which may also be referred to as a network PE; for example, the first network device 101 is a network PE. The second network device 102, the third network device 103 and/or the fourth network device 104 are CPEs or the like located at the edge of the communication network.
In some embodiments, the cloud backbone network may include, in addition to network PEs, one or more routing devices P, one or more cloud PEs, and other network devices, with which the network PEs communicate.
For example, referring to fig. 1, second network device 102, third network device 103, and fourth network device 104 are three different CPEs (CPE 1, CPE2, and CPE3, respectively). The second network device 102 communicates with the first network device 101 through a slice private network, the third network device 103 communicates with the first network device 101 through a 5G network, and the fourth network device 104 communicates with the first network device 101 through a metropolitan area network. The terminal device accessing the second network device 102, the terminal device accessing the third network device 103, or the terminal device accessing the fourth network device 104 includes a CE.
In some embodiments, the second network device 102 includes at least one interface, and a terminal device accessing the second network device 102 is connected to an interface on the second network device 102. The interface on the second network device 102 is bound to a VPN. Different interfaces on the second network device 102 may be bound to different VPNs, or may be bound to the same VPN.
In some embodiments, the second network device 102 stores an interface binding correspondence, which saves the correspondence between the interface identifier of an interface and the network identifier of a VPN. Each record in the interface binding correspondence includes the interface identifier of an interface on the second network device 102 and the network identifier of the VPN bound to that interface. The record indicates that the interface is bound to the VPN.
For example, the second network device 102 includes an interface binding correspondence as shown in table 1, where a first record in the interface binding correspondence includes an interface identifier 1 of the first interface and a network identifier 1 of VPN1, and the first record is used to indicate that the first interface on the second network device 102 is bound to VPN 1. The second record in the interface binding correspondence includes an interface identifier 2 of the second interface and a network identifier 2 of VPN2, where the second record is used to indicate that the second interface on the second network device 102 is bound to VPN 2.
Table 1

| Sequence number | Interface identifier | Network identifier |
| --- | --- | --- |
| 1 | Interface identifier 1 of the first interface | Network identifier 1 of VPN1 |
| 2 | Interface identifier 2 of the second interface | Network identifier 2 of VPN2 |
For the same VPN, the VPN may be bound to interfaces on different network devices. For example, taking VPN1 as an example, VPN1 binds with a first interface on second network device 102, if VPN1 is also deployed on third network device 103 and fourth network device 104, then there is also an interface on third network device 103 binding with VPN1, and there is also an interface on fourth network device 104 binding with VPN 1.
Likewise, the third network device 103 and the fourth network device 104 also include an interface binding correspondence. The meaning of the interface binding correspondence included on the third network device 103 and the fourth network device 104 is not described in detail here.
The different branches belonging to the VPN may all need to be isolated, may all need to interwork, or some branches may need to be isolated while others need to interwork. Several scenarios may therefore exist between these branches, as follows.
Scenario 1: all branches belonging to the VPN interwork, and none is isolated.
For example, referring to fig. 2 (a), the first, second and third branches interwork and do not require isolation. That is, the second network device 102 in the first branch, the third network device 103 in the second branch and the fourth network device 104 in the third branch interwork pairwise: the second network device 102 and the third network device 103 communicate with each other, the third network device 103 and the fourth network device 104 communicate with each other, and the second network device 102 and the fourth network device 104 communicate with each other.
Scenario 2: all branches belonging to the VPN are isolated from one another and do not interwork.
For example, referring to fig. 2 (b), the first branch, the second branch, and the third branch are isolated from each other, i.e., the second network device 102 in the first branch, the third network device 103 in the second branch, and the fourth network device 104 in the third branch are isolated from each other. That is, the second network device 102 is isolated from the third network device 103, the third network device 103 is isolated from the fourth network device 104, and the second network device 102 is isolated from the fourth network device 104.
Scenario 3: all branches belonging to a VPN are divided into two parts, namely branches of a first part and branches of a second part. The branches of the first part interwork with each other, and each branch of the second part is isolated from each branch of the first part. That is, some of the branches are isolated while others interwork.
For example, referring to fig. 2 (c), the second network device 102 in the first branch and the third network device 103 in the second branch interwork. While the fourth network device 104 in the third branch is isolated from the second network device 102 in the first branch and the third network device 103 in the second branch, respectively. That is, the first branch and the second branch are branches of the first portion, and the third branch is a branch of the second portion. The second network device 102 and the third network device 103 are in interworking, the third network device 103 and the fourth network device 104 are isolated, and the second network device 102 and the fourth network device 104 are isolated.
Scenario 4: among the branches belonging to a VPN, some branches cross-interwork and some branches are isolated.
For example, referring to fig. 2 (d), the second network device 102 in the first branch and the third network device 103 in the second branch interwork, and the third network device 103 in the second branch and the fourth network device 104 in the third branch interwork. While the second network device 102 in the first branch is isolated from the fourth network device 104 in the third branch. That is, the second network device 102 and the third network device 103 communicate with each other, the third network device 103 and the fourth network device 104 communicate with each other, and the second network device 102 and the fourth network device 104 are isolated from each other.
All branches belonging to a VPN may need to be isolated from one another, may all need to interwork, or may need partial isolation together with partial interworking. Partial branch isolation with partial branch interworking means that some network devices are isolated while other network devices interwork; the existing problem is that this cannot be realized. The following approaches may be employed to address this problem.
Access control lists (ACLs) may be employed to isolate some network devices while other network devices interwork. Referring to fig. 2 (c) above, the second network device 102 interworks with the third network device 103, and the second network device 102 is isolated from the fourth network device 104. A first ACL is configured on the second network device 102, each record in the first ACL including a first address, a second address, and a policy. Assume that the first ACL includes a first record and a second record. The first address in the first record is the address of CE1 accessing the second network device 102, the second address in the first record is the address of CE2 accessing the third network device 103, and the first policy in the first record is interworking. The first address in the second record is the address of CE1 accessing the second network device 102, the second address in the second record is the address of CE3 accessing the fourth network device 104, and the second policy in the second record is isolation.
Thus, if CE1 sends a first message to CE2, the second network device 102 receives the first message, and uses the source address of the first message (the address of CE1) as the first address and the destination address of the first message (the address of CE2) as the second address. The second network device 102 obtains the first policy in the first record from the first ACL based on the first address and the second address. Because the first policy is interworking, the second network device 102 sends the first message to the third network device 103, and the third network device 103 forwards the first message to CE2. If CE1 sends a second message to CE3, the second network device 102 receives the second message, and uses the source address of the second message (the address of CE1) as the first address and the destination address of the second message (the address of CE3) as the second address. The second network device 102 obtains the second policy in the second record from the first ACL based on the first address and the second address. Because the second policy is isolation, the second network device 102 discards the second message.
Likewise, the third network device 103 includes a second ACL, each record of which includes a first address, a second address, and a policy. Assuming that the second ACL includes a third record, the first address in the third record is the address of CE2 accessing the third network device 103, the second address in the third record is the address of CE1 accessing the second network device 102, and the third policy in the third record is interworking. The fourth network device 104 includes a third ACL, each record of which includes a first address, a second address, and a policy. Assuming that the third ACL includes a fourth record, the first address in the fourth record is the address of CE3 accessing the fourth network device 104, the second address in the fourth record is the address of CE1 accessing the second network device 102, and the fourth policy in the fourth record is isolation. In this way, CE1 accessing the second network device 102 interworks with CE2 accessing the third network device 103, and CE1 accessing the second network device 102 is isolated from CE3 accessing the fourth network device 104.
If a new network device is added, content needs to be added to the ACLs of the existing network devices so that the new network device interworks with or is isolated from the existing network devices. For example, suppose a fifth network device is added that interworks with the second network device 102 and is isolated from the third network device 103 and the fourth network device 104. A fifth record is then configured in the first ACL of the second network device 102: its first address is the address of CE1 accessing the second network device 102, its second address is the address of CE4 accessing the fifth network device, and its fifth policy is interworking. Similarly, a sixth record must be configured in the second ACL of the third network device 103, and a seventh record in the third ACL of the fourth network device 104. Therefore, whenever a new network device is added, configuration is needed on each existing network device; many devices have to be configured, and the configuration efficiency is low.
Route target (RT) planning can also be used to isolate some network devices while other network devices interwork. For two network devices that need to interwork, routing information corresponding to the two network devices is configured on the first network device; the routing information is used for forwarding data between the network devices and is an end-to-end route. For two network devices that need to be isolated, routing information corresponding to the two network devices is not configured on the first network device.
For example, referring to fig. 2 (c) above, the second network device 102 communicates with the third network device 103, and the second network device 102 is isolated from the fourth network device 104. The routing information corresponding to the second network device 102 and the third network device 103 is configured in the first network device 101, and the routing information corresponding to the second network device 102 and the fourth network device 104 is not configured in the first network device 101. Thus, if the first network device 101 receives a message sent by the second network device 102 to the third network device 103, the first network device 101 obtains routing information corresponding to the second network device 102 and the third network device 103, and forwards the message to the third network device 103 based on the routing information, so as to realize the connection between the second network device 102 and the third network device 103. If the first network device 101 receives a message sent by the second network device 102 to the fourth network device 104, the first network device 101 cannot obtain the routing information corresponding to the second network device 102 and the fourth network device 104, and discards the message, so as to isolate the second network device 102 from the fourth network device 104.
The routing information configured on the first network device 101 in the RT planning mode is end-to-end routing information. When the VPN is a HoVPN, end-to-end routing information cannot be configured on the first network device 101 because the HoVPN is a hierarchical VPN model, so RT planning cannot be used to isolate some network devices while other network devices interwork.
A default routing mode can also be adopted, but the default routing mode can only configure interworking among the network devices. The first network device obtains default routing information corresponding to a network device and the other network devices, and sends messages to the other network devices through the default routing information. The default routing mode can realize interworking among all network devices, but cannot isolate some network devices while other network devices interwork.
To meet this requirement, a packet identifier may be configured on the network device of each branch. The packet identifier on the network device of a branch corresponds to a VPN on that network device. The device group identified by the packet identifier comprises the network device and at least one terminal device accessing the network device, and the at least one terminal device belongs to the VPN. The requirement is met by means of the packet identifier; the detailed implementation is described in the following embodiments.
In some embodiments, the packet identifier on the network device corresponding to the VPN is configured by network management. For any two network devices belonging to the VPN, the two packet identifiers on the two network devices corresponding to the VPN may be the same or different.
For example, taking VPN1 as described above, the second network device 102 includes packet identifier 1 corresponding to VPN1, the third network device 103 includes packet identifier 2 corresponding to VPN1, and the fourth network device 104 includes packet identifier 3 corresponding to VPN1. In the case where packet identifier 1 and packet identifier 2 are the same, this indicates that the transmission direction from the second network device 102 to the third network device 103 is connected or isolated, and/or that the transmission direction from the third network device 103 to the second network device 102 is connected or isolated. Alternatively, in the case where packet identifier 1 and packet identifier 2 are different, this indicates that the transmission direction from the second network device 102 to the third network device 103 is connected or isolated, and/or that the transmission direction from the third network device 103 to the second network device 102 is connected or isolated. The relationship between packet identifier 1 and packet identifier 3, and between packet identifier 2 and packet identifier 3, has the same meaning and is not described again.
In some embodiments, the second network device 102 includes a first packet network correspondence for storing a correspondence between a network identity of the VPN and a packet identity. Alternatively, the second network device 102 includes a second packet network correspondence, where the second packet network correspondence is used to store a correspondence between a network identifier of the VPN, a packet identifier, and an address.
Each record in the first packet network correspondence includes a network identification of a VPN and a packet identification corresponding to the VPN on the second network device 102. Optionally, the packet identity is used to identify a device group comprising the second network device 102 and a terminal device accessing the second network device 102 and belonging to the VPN.
For example, the second network device 102 includes a first packet network correspondence as shown in table 2, and the first record in the first packet network correspondence includes the network identifier 1 of VPN1 and the packet identifier 1 corresponding to VPN1 on the second network device 102. The second record in the first packet network correspondence includes network identification 2 of VPN2 and packet identification 4 corresponding to VPN2 on the second network device 102.
Table 2

| Sequence number | Network identifier | Packet identifier |
| --- | --- | --- |
| 1 | Network identifier 1 of VPN1 | Packet identifier 1 |
| 2 | Network identifier 2 of VPN2 | Packet identifier 4 |
Each record in the second packet network correspondence includes a network identifier of a VPN, the packet identifier corresponding to the VPN on the second network device 102, and an address. The address may comprise an address of a terminal device accessing the second network device 102 and/or an address of a terminal device within another branch belonging to the VPN. The other branches are branches other than the branch in which the second network device 102 is located, i.e. branches other than the first branch. Optionally, the address includes a source address and/or a destination address of a message sent by the second network device 102.
In some embodiments, where the address comprises an address of a terminal device in another branch belonging to the VPN, then for the one or more records in the second packet network correspondence that include the same packet identifier, the packet identifier is used to identify a first device group and a second device group. The first device group includes the second network device 102 and devices that access the second network device 102 and belong to the VPN. The second device group includes the devices corresponding to the addresses in each of those records; the devices in the second device group belong to the VPN and are devices in the other branches. Whether the devices in the first device group interwork with or are isolated from the devices in the second device group is controlled through the packet identifier.
For example, the second network device 102 includes a second packet network correspondence as shown in table 3. The first record in the second packet network correspondence includes the network identifier 1 of VPN1, the packet identifier 1 corresponding to VPN1 on the second network device 102, and the address IP-CE2, where the address IP-CE2 is the address of CE2 in the second branch. Packet identifier 1 in the first record is used to identify the first device group and the second device group. The first device group comprises the second network device 102 and devices that access the second network device 102 and belong to VPN1, i.e. the first device group comprises the second network device 102 and CE1, which accesses the second network device 102 and belongs to VPN1. That is, the devices in the first device group belong to VPN1 and are devices within the first branch.
The second device group comprises the third network device 103 and devices that access the third network device 103 and belong to VPN1, i.e. the second device group comprises the third network device 103 and CE2, which accesses the third network device 103 and belongs to VPN1. That is, the devices in the second device group belong to VPN1 and are devices within the second branch. Whether the second network device 102 and CE1 in the first device group interwork with or are isolated from the third network device 103 and CE2 in the second device group is controlled by packet identifier 1.
The second record in the second packet network correspondence as shown in table 3 includes the network identification 2 of VPN2, the packet identification 4 corresponding to VPN2 on the second network device 102, and the address IP-CE3, address IP-CE3 being the address of CE3 in the third branch.
Table 3

| Sequence number | Network identifier | Packet identifier | Address |
| --- | --- | --- | --- |
| 1 | Network identifier 1 of VPN1 | Packet identifier 1 | IP-CE2 |
| 2 | Network identifier 2 of VPN2 | Packet identifier 4 | IP-CE3 |
Likewise, the third network device 103 and the fourth network device 104 also include a first packet network correspondence or a second packet network correspondence. The meaning of the first packet network correspondence or the second packet network correspondence included on the third network device 103 and the fourth network device 104 is not described in detail here.
In some embodiments, the first network device 101 includes a third packet network correspondence for storing a correspondence between a network identifier, an address, and a packet identifier. Each record in the third packet network correspondence includes a network identification of a VPN, an address of a network device, and a packet identification corresponding to the VPN on the network device. Optionally, the network device is an edge network device of a communication network, such as a CPE or the like.
For example, referring to fig. 1, still taking VPN1 as an example, the first record in the third packet network correspondence shown in table 4 below includes network identification 1 of VPN1, address IP-CPE1 of second network device 102, and packet identification 1 corresponding to VPN1 on second network device 102. The second record in the third packet network correspondence comprises network identification 1 of VPN1, address IP-CPE2 of the third network device 103 and packet identification 2 corresponding to VPN1 on the third network device 103. The third record in the third packet network correspondence includes network identification 1 of VPN1, address IP-CPE3 of fourth network device 104, and packet identification 3 corresponding to VPN1 on fourth network device 104.
Table 4

| Sequence number | Network identifier | Address | Packet identifier |
| --- | --- | --- | --- |
| 1 | Network identifier 1 of VPN1 | IP-CPE1 | Packet identifier 1 |
| 2 | Network identifier 1 of VPN1 | IP-CPE2 | Packet identifier 2 |
| 3 | Network identifier 1 of VPN1 | IP-CPE3 | Packet identifier 3 |
| … | … | … | … |
In some embodiments, the first network device 101 further comprises a packet policy correspondence for storing a correspondence between a first packet identifier, a second packet identifier and a processing policy. Each record in the packet policy correspondence includes a first packet identifier, a second packet identifier, and a processing policy, where the first packet identifier and the second packet identifier are packet identifiers on two network devices that correspond to the same VPN.
For example, the first network device 101 includes a packet policy correspondence as shown in table 5 below, where the first record in the packet policy correspondence includes packet identifier 1, packet identifier 2, and processing policy 1. Packet identifier 1 corresponds to VPN1 on the second network device 102 and packet identifier 2 corresponds to VPN1 on the third network device 103. Processing policy 1 indicates whether the transmission direction from the second network device 102 to the third network device 103 is connected or isolated. Optionally, processing policy 1 also indicates whether the transmission direction from the third network device 103 to the second network device 102 is connected or isolated.
The second record in the packet policy correspondence includes packet identifier 1, packet identifier 3 and processing policy 2. Packet identifier 3 corresponds to VPN1 on the fourth network device 104, and processing policy 2 indicates whether the transmission direction from the second network device 102 to the fourth network device 104 is connected or isolated. Optionally, processing policy 2 also indicates whether the transmission direction from the fourth network device 104 to the second network device 102 is connected or isolated.
The third record in the packet policy correspondence includes packet identifier 2, packet identifier 3 and processing policy 3. Processing policy 3 indicates whether the transmission direction from the third network device 103 to the fourth network device 104 is connected or isolated. Optionally, processing policy 3 also indicates whether the transmission direction from the fourth network device 104 to the third network device 103 is connected or isolated.
Table 5

| Sequence number | First packet identification | Second packet identification | Processing policy |
| --- | --- | --- | --- |
| 1 | Packet identification 1 | Packet identification 2 | Processing policy 1 |
| 2 | Packet identification 1 | Packet identification 3 | Processing policy 2 |
| 3 | Packet identification 2 | Packet identification 3 | Processing policy 3 |
| …… | …… | …… | …… |
The processing policy can indicate, separately for each of the two transmission directions between two network devices, whether that direction is isolated or connected, which improves flexibility.
In some embodiments, the first network device 101 further comprises a routing table comprising at least one piece of routing information, each piece of routing information comprising a destination address and an address of a next-hop device. The next-hop device is a network device located at the edge of the communication network, e.g. the next-hop device is a CPE or the like. The device corresponding to the destination address accesses the next-hop device, and the routing information is used to instruct the first network device 101 to send a message whose destination address is the destination address in the routing information to the next-hop device, so that the next-hop device forwards the message to the destination device corresponding to the destination address. For example, assume that the routing information includes IP-CE2 and IP-CPE2, IP-CE2 being the destination address and IP-CPE2 being the address of the next-hop device. The routing information is used to instruct the first network device 101 to send a message that needs to be sent to CE2 to the third network device 103 corresponding to IP-CPE2, and the third network device 103 receives the message and forwards it to CE2.
Referring to fig. 3, an embodiment of the present application provides a method 300 for processing a packet, where the method 300 is applied to the network architecture 100 shown in fig. 1, and includes:
Step 301: The second network device acquires a first message, where the first message includes a first packet identifier, the first packet identifier corresponds to the VPN on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device.
The first source device is a terminal device connected to the second network device. For example, the first source device is a CE connected to the second network device. The second network device includes a first interface, the first source device is connected to the first interface of the second network device, and the first interface is bound to the VPN.
In step 301, the first message is obtained through the following operations 3011-3013.
3011: the second network device receives a third message sent by the first source device through the first interface.
For example, referring to fig. 4 or fig. 5, assuming that the first source device is CE1, the second network device (CPE1) receives a third packet of CE1, where the source address in the first packet is address IP-CE1 of CE1 and the destination address is address IP-CE2 of CE2.
3012: the second network device determines a VPN bound to the first interface.
The second network device includes an interface binding correspondence. In 3012, the second network device obtains an interface identifier of the first interface, and obtains a network identifier of the VPN bound to the first interface from the interface binding correspondence based on the interface identifier of the first interface.
For example, the second network device includes an interface binding correspondence as shown in table 1. The second network device obtains the interface identifier 1 of the first interface, and obtains the network identifier 1 of the VPN1 bound to the first interface from the interface binding correspondence shown in table 1 based on the interface identifier 1 of the first interface.
3013: the second network device obtains a first message based on the VPN and the second message bound with the first interface.
The second network device includes a packet network correspondence, where the packet network correspondence includes the first packet network correspondence or the second packet network correspondence. In 3013, the second network device obtains a first packet identifier based on the network identifier of the VPN and the packet network correspondence. Based on the first packet identifier and the second packet, acquiring a first packet, wherein the first packet comprises an IPv6 extension header and a payload, the IPv6 extension header of the first packet comprises the first packet identifier, and the payload of the first packet comprises the second packet or a part of the second packet.
In some embodiments, the IPv6 extension header includes a destination options header (internet protocol version 6 destination options header, DOH), or the like.
In some embodiments, the packet network correspondence is a first packet network correspondence, where the first packet network correspondence is used to store a correspondence between a network identifier of the VPN and a packet identifier. The second network device obtains a corresponding packet identifier from the first packet network correspondence as a first packet identifier based on the network identifier of the VPN.
For example, the second network device includes a first packet network correspondence as shown in table 2. The second network device obtains, based on the network identifier 1 of the VPN, the corresponding packet identifier 1 from the first packet network correspondence as shown in table 2 as a first packet identifier.
In some embodiments, the packet network correspondence is a second packet network correspondence, where the second packet network correspondence is used to store a network identifier of the VPN, a correspondence between the packet identifier and an address. The second network device obtains a first address, wherein the first address comprises a source address and/or a destination address of the second message, and based on the network identifier of the VPN and the first address, a corresponding packet identifier is obtained from the corresponding relation of the second packet network as a first packet identifier.
In some embodiments, the first address includes a destination address of the second message, and for a first packet identification obtained from the second packet network correspondence based on the network identification of the VPN and the first address, the first packet identification is used to identify the first device group and the second device group. The first device group includes a second network device and a terminal device that accesses the second network device and belongs to the VPN. The second device group includes a third network device, and a terminal device that accesses the third network device and belongs to the VPN, where the third network device is a network device to which the first destination device corresponding to the destination address accesses.
For example, the second network device includes a second packet network correspondence as shown in table 3. The second network device obtains the destination address IP-CE2 of the second packet as the first address, and obtains the corresponding packet identifier 1 from the second packet network correspondence as shown in table 3 as the first packet identifier based on the network identifier 1 of the VPN1 and the first address IP-CE2.
Referring to fig. 4 or fig. 5, after acquiring the first packet identifier, the second network device (CPE1) takes the second packet or a part of the content of the second packet as the payload and encapsulates an IPv6 extension header, which includes the first packet identifier, on the payload to obtain the first packet.
The IPv6 extension header is located between the IPv6 header of the first message and the payload of the first message. Referring to fig. 4 or 5, the IPv6 extension header includes a DOH and a segment routing header (segment routing header, SRH); the DOH includes an application-aware network identification (APN-ID), and the APN-ID includes the first packet identification (i.e., packet identification 1). In some embodiments, the first packet identification may also be included in a field of the DOH other than the APN-ID, e.g. in an optional type field of the DOH, or in a field of the IPv6 extension header other than the DOH, e.g. in a TLV field in the IPv6 extension header.
In some embodiments, referring to fig. 6, the DOH includes an APN header comprising the following fields: application-aware network identification type (APN-ID-Type), flags (Flags), application-aware network parameter type (APN-Para-Type) and APN-ID. Optionally, the APN header further includes the following fields: intent (Intent) and/or application-aware network parameters (APN-Para). Optionally, the APN-ID may be 32 bits or 128 bits in length, etc.
In some embodiments, referring to fig. 7, the APN-ID includes the following fields: application group identity (APP-Group-ID), user group identity (User-Group-ID) and reserved (Reserved). The User-Group-ID comprises the first packet identity; optionally, the first packet identity is an APN group identity or a user group identity, etc.
In some embodiments, referring to fig. 4, the DOH is located before the SRH, i.e., the DOH is located between the IPv6 header and the SRH. Alternatively, referring to fig. 5, the DOH is located after the SRH, i.e., the DOH is located between the SRH and the payload.
Wherein the SRH comprises a segment list comprising segment identities of at least one network device, the segment list being used to indicate a segment path.
For example, referring to fig. 4 or fig. 5, the second network device (CPE1) obtains a first message, where the DOH in the first message is located after the SRH, and the segment list of the SRH includes the segment identifier of the access node (ACC) 1, the segment identifier of the aggregation node (AGC) 1, the segment identifier of the metro core node (MC), and the segment identifier of the first network device (network PE).
Optionally, the first message further includes a network identifier of the VPN.
Step 302: the second network device sends a first message to the first network device.
There may be at least one other network device between the second network device and the first network device, the other network device forwarding the first message to the first network device after receiving the first message.
For example, referring to fig. 4 or 5, there are network devices such as ACC1, AGC1, and MC between the second network device (CPE1) and the first network device (network PE). The segment list of the SRH of the first message includes the segment identifier of ACC1, the segment identifier of AGC1, the segment identifier of MC, and the segment identifier of the first network device (network PE). After the second network device (CPE1) sends the first message, ACC1 receives the first message, acquires the segment identifier of AGC1 from the segment list of the SRH of the first message, and sends the first message to AGC1. AGC1 receives the first message, acquires the segment identifier of MC from the segment list of the SRH of the first message, and sends the first message to MC. MC receives the first message, acquires the segment identifier of the first network device (network PE) from the segment list of the SRH of the first message, and sends the first message to the first network device. The first network device receives the first message.
The last-hop network device of the path indicated by the segment list is the first network device. Referring to fig. 4, when the DOH is located before the SRH in the first message, any network device on the path that receives the first message may parse the DOH located before the SRH. In this embodiment of the present application, when a network device that is not the last-hop network device of the path receives the first message, it parses the DOH located before the SRH; if the content of the DOH is not related to the network device itself, the network device does not process the content of the DOH, continues to parse the SRH, obtains the segment identifier of the next-hop network device from the segment list in the SRH, and sends the first message to the next-hop network device based on the segment identifier. The last-hop network device of the path, namely the first network device, receives the first message, parses the DOH located before the SRH to obtain the first packet identifier, and then uses the first packet identifier to process the first message according to the subsequent flow.
Referring to fig. 5, when the DOH is located after the SRH in the first message, the network devices on the path other than the first network device receive the first message but do not parse the DOH located after the SRH. Only the first network device, after receiving the first message, parses the DOH located after the SRH to obtain the first packet identifier, and then uses the first packet identifier to process the first message according to the subsequent flow. In addition, because the other network devices do not parse the DOH, the delay with which they forward the first message is reduced, and the computing resources they consume are reduced.
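The difference between the fig. 4 and fig. 5 layouts can be reproduced by walking the extension-header chain the way a node on the segment path does. The following is an added example, not part of the patent text. The option type `0x1E`, the APN header field widths (8/8/16 bits followed by a 32-bit APN-ID split 8/16/8 into APP-Group-ID, User-Group-ID and Reserved), the addresses and the empty payload are all assumptions, since the page specifies none of them.

```python
import ipaddress
import struct
from typing import Optional

NH_DOH, NH_ROUTING, NH_NONE = 60, 43, 59  # IPv6 Next Header values
SRH_ROUTING_TYPE = 4
APN_OPT_TYPE = 0x1E                       # placeholder option type (assumption)


def apn_option(app_group: int, user_group: int) -> bytes:
    """APN header as one DOH option; field widths are assumptions."""
    apn_id = (app_group << 24) | (user_group << 8)  # low 8 bits: Reserved
    data = struct.pack("!BBHI", 1, 0, 0, apn_id)    # ID-Type, Flags, Para-Type, APN-ID
    return bytes([APN_OPT_TYPE, len(data)]) + data


def doh(next_header: int, option: bytes) -> bytes:
    """Destination options header, padded to a multiple of 8 octets."""
    body = option
    pad = -(2 + len(body)) % 8
    if pad == 1:
        body += b"\x00"                               # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + bytes(pad - 2)  # PadN
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def srh(next_header: int, segments, segments_left: int) -> bytes:
    """Segment routing header with 16-byte segment identifiers."""
    seg_bytes = b"".join(segments)
    fixed = struct.pack("!BBBBBBH", next_header, len(seg_bytes) // 8,
                        SRH_ROUTING_TYPE, segments_left, len(segments) - 1, 0, 0)
    return fixed + seg_bytes


def build(doh_first: bool, segments_left: int, user_group: int) -> bytes:
    """Constructed first message: IPv6 header + DOH/SRH in either order, no payload."""
    segs = [ipaddress.ip_address(f"2001:db8:0:{i}::1").packed for i in range(4)]
    opt = apn_option(0, user_group)
    if doh_first:   # fig. 4: DOH between the IPv6 header and the SRH
        first, chain = NH_DOH, doh(NH_ROUTING, opt) + srh(NH_NONE, segs, segments_left)
    else:           # fig. 5: DOH between the SRH and the payload
        first, chain = NH_ROUTING, srh(NH_DOH, segs, segments_left) + doh(NH_NONE, opt)
    src = ipaddress.ip_address("2001:db8::1").packed
    dst = ipaddress.ip_address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(chain), first, 64) + src + dst + chain


def parse_options(opts: bytes) -> Optional[int]:
    """Walk the TLV options of a DOH and return the User-Group-ID, if present."""
    i = 0
    while i < len(opts):
        if opts[i] == 0:                  # Pad1 has no length byte
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("option overruns header")
        otype, olen = opts[i], opts[i + 1]
        if otype == APN_OPT_TYPE and olen == 8:
            apn_id = struct.unpack("!I", opts[i + 6:i + 10])[0]
            return (apn_id >> 8) & 0xFFFF
        i += 2 + olen
    return None


def visible_user_group(packet: bytes) -> Optional[int]:
    """Return the identifier a node addressed by this packet gets to parse.

    Headers are examined in order; at an SRH with Segments Left > 0 the node
    forwards to the next segment and never looks at what follows the SRH.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = packet[6], 40, None
    while nh in (NH_DOH, NH_ROUTING):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        length = (packet[off + 1] + 1) * 8
        if off + length > len(packet):
            raise ValueError("extension header overruns packet")
        if nh == NH_DOH:
            gid = parse_options(packet[off + 2:off + length])
            if gid is not None:
                found = gid
        elif packet[off + 2] == SRH_ROUTING_TYPE and packet[off + 3] > 0:
            return found                  # intermediate node: stop at the SRH
        nh, off = packet[off], off + length
    return found
```

With Segments Left greater than zero the fig. 4 layout exposes the identifier to the transit node, while the fig. 5 layout returns `None` until the packet reaches the last segment.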
Step 303: the first network device receives a first message, wherein the first message comprises a destination address, the first destination device corresponding to the destination address belongs to the VPN, and the first destination device is connected with the third network device.
The destination address of the first message is the same as the destination address of the second message.
Step 304: The first network device obtains a second packet identifier based on the destination address of the first message, and the second packet identifier corresponds to the VPN on the third network device.
The second packet identifier is used for identifying a device group, and the device group comprises a third network device and a terminal device which accesses the third network device and belongs to the VPN.
In step 304, the first network device obtains the second packet identification through the following operations 3041-3042.
3041: the first network device obtains routing information for sending the first message based on the destination address of the first message, where the routing information includes an address of the third network device.
The first network device includes a routing table including at least one routing information, each routing information including a destination address and an address of a next hop device from the first network device to the destination address.
In 3041, the first network device obtains, based on the destination address of the first packet, routing information including the destination address, where the routing information is used to instruct the first network device to send the first packet, and the routing information further includes an address of a next-hop device that arrives at the destination address from the first network device, where the address of the next-hop device is used as an address of the third network device.
For example, there is a piece of routing information including IP-CE2 and IP-CPE2 in the routing table of the first network device. The first network device obtains the routing information including the destination address IP-CE2 based on the destination address IP-CE2 of the first message, the address of the next-hop device included in the routing information is IP-CPE2, and the address IP-CPE2 of the next-hop device is used as the address of the third network device.
3042: the first network device obtains a second packet identifier based on the address of the third network device and the network identifier of the VPN.
The first network device includes a third packet network correspondence. In 3042, the first network device obtains a network identifier of the VPN from the first packet, obtains a corresponding packet identifier from a third packet network correspondence based on an address of the third network device and the network identifier of the VPN, and uses the obtained packet identifier as a second packet identifier.
For example, the first packet includes the network identifier 1 of VPN1, and the first network device includes the third packet network correspondence as shown in table 4. The first network device obtains the network identifier 1 of the VPN1 from the first packet, obtains the corresponding packet identifier 2 from the third packet network correspondence as shown in table 4 based on the network identifier 1 and the address IP-CPE2 of the third network device, and uses the packet identifier 2 as the second packet identifier.
The third packet network correspondence has a record including the address of the third network device, the network identifier of the VPN, and the second packet identifier, and the first network device already holds the routing information for sending the first message, which includes the destination address of the first message and the address of the third network device. The routing information in the first network device can therefore be reused to obtain the second packet identifier, which reduces implementation complexity.
Step 305: the first network device processes the first message based on the first packet identity and the second packet identity.
In step 305, the first network device processes the first packet in two ways:
In the first mode, the first network device compares the first packet identifier with the second packet identifier. If the first packet identifier is the same as the second packet identifier, the first network device determines that the second network device is connected with the third network device, and sends the first message to the third network device. If the first packet identifier and the second packet identifier are different, the first network device determines that the second network device is isolated from the third network device, and discards the first message.
Alternatively, the first network device compares the first packet identifier with the second packet identifier. If the first packet identifier is the same as the second packet identifier, the first network device determines that the second network device is isolated from the third network device, and discards the first message. If the first packet identifier is different from the second packet identifier, the first network device determines that the second network device is connected with the third network device, and sends the first message to the third network device.
In the first mode, the second network device includes a second packet network correspondence. If the first packet identifier is obtained from the second packet network correspondence based on the network identifier of the VPN and the destination address of the second packet, the first packet identifier is used to identify the first device group and the second device group, and the second device group identified by the first packet identifier is the same as the device group identified by the second packet identifier. Thus, the network administrator controls whether the first device group and the second device group are connected or isolated by configuring whether the first packet identifier and the second packet identifier corresponding to the second device group are the same.
In the first mode, the third network device receives the first message, obtains the second message based on the first message, and sends the second message to the first destination device corresponding to the destination address in the second message.
In the first mode, for the packet identifiers corresponding to the same VPN on the network devices: if the packet identifiers corresponding to the VPN on the network devices are the same, the network devices interwork within the VPN; if the packet identifiers corresponding to the VPN on the network devices are different, the network devices are isolated within the VPN.
Thus, for scenario 1, the packet identifiers of the VPN on the network devices are set to be the same, so that the network devices are interconnected. For example, referring to fig. 2 (a), the corresponding packet identifications on the second network device 102, the third network device 103, and the fourth network device 104 are the same for the same VPN. Taking the example of the second network device 102 sending a message to the third network device 103, the message includes a packet identifier corresponding to the VPN on the second network device 102. The first network device 101 receives the packet and obtains the packet identifier of the VPN on the third network device 103, and since the packet identifier corresponding to the VPN on the second network device 102 is the same as the packet identifier corresponding to the VPN on the third network device 103, the first network device 101 sends the packet to the third network device 103, so that the second network device 102 and the third network device 103 are in interworking.
For the above scenario 2, the packet identifiers of the VPN on the network devices are set to be different, so that the network devices are fully isolated, and the branches are not communicated with each other. For example, referring to fig. 2 (b), the corresponding packet identifications on the second network device 102, the third network device 103, and the fourth network device 104 are all different for the same VPN. Taking the example of the second network device 102 sending a message to the third network device 103, the message includes a packet identifier corresponding to the VPN on the second network device 102. The first network device 101 receives the packet and obtains the packet identifier of the VPN on the third network device 103, and since the packet identifier corresponding to the VPN on the second network device 102 is different from the packet identifier corresponding to the VPN on the third network device 103, the first network device 101 discards the packet, so that the second network device 102 and the third network device 103 are isolated.
For scenario 3 above, the packet identifiers corresponding to the VPN on the network devices of the branches of the first portion are set to be the same. The packet identifier corresponding to the VPN on the network device of each branch of the second portion is set to be different from the packet identifiers corresponding to the VPN on the network devices of the branches of the first portion. Thus, some network devices interwork and some are isolated, that is, some branches interwork and some branches are isolated.
For example, referring to fig. 2 (c), the packet identifications corresponding to the VPN on the second network device 102 and the third network device 103 are the same, but the packet identification corresponding to the VPN on the fourth network device 104 is different from the packet identifications corresponding to the VPN on the second network device 102 and the third network device 103. Taking the example of the second network device 102 sending a message to the third network device 103, the message includes the packet identifier corresponding to the VPN on the second network device 102. The first network device 101 receives the packet and obtains the packet identifier of the VPN on the third network device 103, and since the packet identifier corresponding to the VPN on the second network device 102 is the same as the packet identifier corresponding to the VPN on the third network device 103, the first network device 101 sends the packet to the third network device 103, so that the second network device 102 and the third network device 103 interwork. Taking the example of the second network device 102 sending a message to the fourth network device 104, the message includes the packet identifier corresponding to the VPN on the second network device 102. The first network device 101 receives the packet and obtains the packet identifier of the VPN on the fourth network device 104, and since the packet identifier corresponding to the VPN on the second network device 102 is different from the packet identifier corresponding to the VPN on the fourth network device 104, the first network device 101 discards the packet, so that the second network device 102 and the fourth network device 104 are isolated.
In the first mode, when two packet identifiers are the same, it means that two network devices are in communication, and when two packet identifiers are different, it means that two network devices are isolated. Of course, it is also possible to indicate that two network devices are in communication when two packet identifications are different, and to indicate that two network devices are isolated when two packet identifications are the same.
For example, the first mode may be: the first network device compares the first packet identifier with the second packet identifier, and if the first packet identifier is the same as the second packet identifier, the first network device determines that the second network device is isolated from the third network device, and discards the first message. If the first packet identifier is different from the second packet identifier, the first network device determines that the second network device is connected with the third network device, and sends the first message to the third network device.
In a second manner, the second network device includes a first packet network correspondence, where the first packet network correspondence is used to store a correspondence between a network identifier of the VPN and a packet identifier. The first network device obtains a first processing policy based on the first packet identifier and the second packet identifier, and processes the first message based on the first processing policy.
In the second mode, the first network device processes the first packet through the following operations 3051-3052:
3051: the first network device obtains a first processing policy based on the first packet identification and the second packet identification.
The first network device includes a packet policy correspondence. In 3051, the first network device obtains, based on the first packet identifier and the second packet identifier, a corresponding processing policy from the packet policy correspondence as the first processing policy.
For example, the first network device includes a packet policy correspondence as shown in table 5. The first network device acquires the first packet identifier from the first message as packet identifier 1, and acquires the second packet identifier as packet identifier 2. The first network device obtains the corresponding processing policy 1 from the packet policy correspondence shown in table 5 based on packet identifier 1 and packet identifier 2, and takes processing policy 1 as the first processing policy.
3052: the first network device processes the first message based on the first processing policy.
In some embodiments, when the first processing policy indicates that the transmission direction from the second network device to the third network device is connected, the first network device sends the first message to the third network device. In this way, the first processing policy connects the transmission direction from the second network device to the third network device.
In some embodiments, when the first processing policy indicates that the transmission direction from the second network device to the third network device is isolated, the first network device discards the first message. In this way, the first processing policy isolates the transmission direction from the second network device to the third network device.
The first processing policy is accurately obtained through the packet policy correspondence, and whether the second network device and the third network device are connected or isolated can be accurately determined through the first processing policy.
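Steps 303-305 can be put together as the lookup chain the first network device runs: route lookup (3041), Table 4 lookup (3042), then either the identifier comparison of the first mode or the Table 5 lookup of the second mode (3051-3052). The sketch below is an added example, not code from the patent. The addresses are constructed documentation-range values standing in for IP-CE*/IP-CPE*, Table 5 is keyed per direction, and dropping when a route, a Table 4 record or a Table 5 record is missing is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


@dataclass(frozen=True)
class FirstMessage:
    vpn_id: int          # network identifier of the VPN carried in the message
    first_group_id: int  # first packet identifier, written by the ingress CPE
    dst: str             # destination address (same as in the second message)


# Constructed addresses for CPE1 (second), CPE2 (third), CPE3 (fourth network device).
CPE1, CPE2, CPE3 = "2001:db8:ffff::1", "2001:db8:ffff::2", "2001:db8:ffff::3"

# Routing table of the first network device: destination prefix -> next-hop CPE.
ROUTES = {
    ipaddress.ip_network("2001:db8:2::/64"): CPE2,
    ipaddress.ip_network("2001:db8:3::/64"): CPE3,
}

# Third packet network correspondence (Table 4): (VPN id, CPE address) -> identifier.
TABLE4 = {(1, CPE1): 1, (1, CPE2): 2, (1, CPE3): 3}

# Packet policy correspondence (Table 5), one entry per transmission direction.
# Scenario 3: CPE1 and CPE2 interwork, CPE1 and CPE3 are isolated.
TABLE5 = {
    (1, 2): Action.FORWARD, (2, 1): Action.FORWARD,
    (1, 3): Action.DROP, (3, 1): Action.DROP,
}


def next_hop(dst: str) -> Optional[str]:
    """Operation 3041: longest-prefix match on the destination address."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in ROUTES if addr in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def second_group_id(msg: FirstMessage, table4=TABLE4) -> Optional[int]:
    """Operation 3042: reuse the route's next hop as the key into Table 4."""
    hop = next_hop(msg.dst)
    if hop is None:
        return None
    return table4.get((msg.vpn_id, hop))


def process_mode1(msg: FirstMessage, table4, same_means_connected=True) -> Action:
    """First mode: compare identifiers; the convention may be inverted."""
    second = second_group_id(msg, table4)
    if second is None:
        return Action.DROP  # assumption: no route or no Table 4 record -> drop
    same = msg.first_group_id == second
    return Action.FORWARD if same == same_means_connected else Action.DROP


def process_mode2(msg: FirstMessage, table4=TABLE4, table5=TABLE5) -> Action:
    """Second mode: look up the policy for (ingress id, egress id)."""
    second = second_group_id(msg, table4)
    if second is None:
        return Action.DROP  # assumption: fail closed on unknown egress
    # Assumption: a direction with no Table 5 record is treated as isolated.
    return table5.get((msg.first_group_id, second), Action.DROP)
```

Keying Table 5 on the ordered pair lets one direction be connected while the reverse direction is isolated, which is the flexibility the processing policy is described as providing.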
In the second mode, for two packet identifiers corresponding to the same VPN on two network devices, one or both transmission directions between the two network devices can be connected or isolated through the processing policy corresponding to the two packet identifiers. The following description takes as an example that VPN1 corresponds to packet identifier 1 on the second network device 102, to packet identifier 2 on the third network device 103, and to packet identifier 3 on the fourth network device 104.
For scenario 1 described above, referring to fig. 2 (a), the processing policy 1 corresponding to the packet identifier 1 and the packet identifier 2 is used to instruct the second network device 102 to communicate with the transmission direction of the third network device 103 and/or the third network device 103 to communicate with the transmission direction of the second network device 102. The processing policy 2 corresponding to the packet identifier 1 and the packet identifier 3 is used to instruct the second network device 102 to communicate with the transmission direction of the fourth network device 104 and/or the fourth network device 104 to communicate with the transmission direction of the second network device 102. The processing policy 3 corresponding to the packet identifier 2 and the packet identifier 3 is used to instruct the third network device 103 to communicate with the transmission direction of the fourth network device 104 and/or the fourth network device 104 to communicate with the transmission direction of the third network device 103. Taking the example of the second network device 102 sending a message to the third network device 103, the message comprises the packet identity 1. The first network device 101 receives the packet, acquires the packet identifier 2 of the VPN1 on the third network device 103, and acquires the processing policy 1 corresponding to the packet identifier 1 and the packet identifier 2. Since the processing policy 1 indicates that the second network device 102 communicates with the transmission direction of the third network device 103, the first network device 101 sends the packet to the third network device 103, so as to implement the communication of the second network device 102 with the transmission direction of the third network device 103.
For scenario 2 described above, referring to fig. 2 (b), processing policy 1, which corresponds to packet identifier 1 and packet identifier 2, indicates that the transmission direction from the second network device 102 to the third network device 103 is isolated and/or that the transmission direction from the third network device 103 to the second network device 102 is isolated. Processing policy 2, which corresponds to packet identifier 1 and packet identifier 3, indicates that the transmission direction from the second network device 102 to the fourth network device 104 is isolated and/or that the transmission direction from the fourth network device 104 to the second network device 102 is isolated. Processing policy 3, which corresponds to packet identifier 2 and packet identifier 3, indicates that the transmission direction from the third network device 103 to the fourth network device 104 is isolated and/or that the transmission direction from the fourth network device 104 to the third network device 103 is isolated. Take as an example the second network device 102 sending a message to the third network device 103, where the message includes packet identifier 1. The first network device 101 receives the message, obtains packet identifier 2 of VPN1 on the third network device 103, and obtains processing policy 1 corresponding to packet identifier 1 and packet identifier 2. Because processing policy 1 indicates that the transmission direction from the second network device 102 to the third network device 103 is isolated, the first network device 101 discards the message, thereby isolating the transmission direction from the second network device 102 to the third network device 103.
For scenario 3 above, for the network devices in the branches of the first part, that is, the second network device 102 and the third network device 103, VPN1 corresponds to packet identifier 1 on the second network device 102 and to packet identifier 2 on the third network device 103, and processing policy 1, which corresponds to packet identifier 1 and packet identifier 2, indicates that the transmission direction from the second network device 102 to the third network device 103 is connected and/or that the transmission direction from the third network device 103 to the second network device 102 is connected. For the network device in the branches of the second part, that is, the fourth network device 104, VPN1 corresponds to packet identifier 3 on the fourth network device 104, and processing policy 2, which corresponds to packet identifier 1 and packet identifier 3, indicates that the transmission direction from the second network device 102 to the fourth network device 104 is isolated and/or that the transmission direction from the fourth network device 104 to the second network device 102 is isolated.
Take as an example the second network device 102 sending a message to the third network device 103, where the message includes packet identifier 1, which corresponds to VPN1 on the second network device 102. The first network device 101 receives the message, obtains packet identifier 2 of VPN1 on the third network device 103, and obtains processing policy 1 corresponding to packet identifier 1 and packet identifier 2. Because processing policy 1 indicates that the transmission direction from the second network device 102 to the third network device 103 is connected, the first network device 101 sends the message to the third network device 103, thereby connecting the transmission direction from the second network device 102 to the third network device 103. Take as another example the second network device 102 sending a message to the fourth network device 104, where the message includes packet identifier 1, which corresponds to VPN1 on the second network device 102. The first network device 101 receives the message, obtains packet identifier 3 of VPN1 on the fourth network device 104, and obtains processing policy 2 corresponding to packet identifier 1 and packet identifier 3. Because processing policy 2 indicates that the transmission direction from the second network device 102 to the fourth network device 104 is isolated, the first network device 101 discards the message, thereby isolating the transmission direction from the second network device 102 to the fourth network device 104.
For scenario 4 above, for the second network device 102 and the third network device 103, VPN1 corresponds to packet identifier 1 on the second network device 102 and to packet identifier 2 on the third network device 103, and processing policy 1, which corresponds to packet identifier 1 and packet identifier 2, indicates that the transmission direction from the second network device 102 to the third network device 103 is connected and/or that the transmission direction from the third network device 103 to the second network device 102 is connected. For the second network device 102 and the fourth network device 104, VPN1 corresponds to packet identifier 3 on the fourth network device 104, and processing policy 2, which corresponds to packet identifier 1 and packet identifier 3, indicates that the transmission direction from the second network device 102 to the fourth network device 104 is isolated and/or that the transmission direction from the fourth network device 104 to the second network device 102 is isolated. For the third network device 103 and the fourth network device 104, VPN1 corresponds to packet identifier 2 on the third network device 103 and to packet identifier 3 on the fourth network device 104, and processing policy 3, which corresponds to packet identifier 2 and packet identifier 3, indicates that the transmission direction from the third network device 103 to the fourth network device 104 is connected and/or that the transmission direction from the fourth network device 104 to the third network device 103 is connected.
Take as an example the second network device 102 sending a message to the third network device 103, where the message includes packet identifier 1, which corresponds to VPN1 on the second network device 102. The first network device 101 receives the message, obtains packet identifier 2 of VPN1 on the third network device 103, and obtains processing policy 1 corresponding to packet identifier 1 and packet identifier 2. Because processing policy 1 indicates that the transmission direction from the second network device 102 to the third network device 103 is connected, the first network device 101 sends the message to the third network device 103, thereby connecting the transmission direction from the second network device 102 to the third network device 103. Take as another example the second network device 102 sending a message to the fourth network device 104, where the message includes packet identifier 1, which corresponds to VPN1 on the second network device 102. The first network device 101 receives the message, obtains packet identifier 3 of VPN1 on the fourth network device 104, and obtains processing policy 2 corresponding to packet identifier 1 and packet identifier 3. Because processing policy 2 indicates that the transmission direction from the second network device 102 to the fourth network device 104 is isolated, the first network device 101 discards the message, thereby isolating the transmission direction from the second network device 102 to the fourth network device 104. Take as a further example the third network device 103 sending a message to the fourth network device 104, where the message includes packet identifier 2, which corresponds to VPN1 on the third network device 103. The first network device 101 receives the message, obtains packet identifier 3 of VPN1 on the fourth network device 104, and obtains processing policy 3 corresponding to packet identifier 2 and packet identifier 3. Because processing policy 3 indicates that the transmission direction from the third network device 103 to the fourth network device 104 is connected, the first network device 101 sends the message to the fourth network device 104, thereby connecting the transmission direction from the third network device 103 to the fourth network device 104.
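The lookup chain that the first network device 101 walks in scenario 4 (route to the egress device, egress device and VPN to packet identifier, identifier pair to processing policy) is sketched below as an added example; it is not code from the application. The addresses and prefixes are constructed, each policy is configured in both directions (which the "and/or" wording permits), and discarding a message when any lookup misses is an assumption of this sketch.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Action(Enum):
    FORWARD = "forward"  # transmission direction is connected
    DROP = "drop"        # transmission direction is isolated


@dataclass(frozen=True)
class Message:
    vpn_id: str      # network identifier of the VPN carried with the message
    packet_id: int   # packet identifier written by the sending network device
    dst: str         # destination address


class FirstNetworkDevice:
    def __init__(self, routes, second_corr, first_corr):
        # routes: {vpn_id: {prefix: address of the egress network device}}
        self.routes = {vpn: [(ip_network(p), dev) for p, dev in table.items()]
                       for vpn, table in routes.items()}
        self.second_corr = second_corr  # (egress address, vpn_id) -> packet identifier
        self.first_corr = first_corr    # (source id, destination id) -> Action

    def egress_device(self, vpn_id, dst):
        """Longest-prefix match inside the VPN; None when no route exists."""
        addr = ip_address(dst)
        hits = [(net.prefixlen, dev) for net, dev in self.routes.get(vpn_id, [])
                if addr in net]
        return max(hits, key=lambda h: h[0])[1] if hits else None

    def process(self, msg):
        """Return (action, egress device address, reason) for one message."""
        egress = self.egress_device(msg.vpn_id, msg.dst)
        if egress is None:
            return Action.DROP, None, "no route in VPN"            # assumption: fail closed
        dst_id = self.second_corr.get((egress, msg.vpn_id))
        if dst_id is None:
            return Action.DROP, egress, "no packet identifier"     # assumption: fail closed
        action = self.first_corr.get((msg.packet_id, dst_id))
        if action is None:
            return Action.DROP, egress, "no processing policy"     # assumption: fail closed
        return action, egress, f"policy for ({msg.packet_id}, {dst_id})"


def both_directions(id_a, id_b, action):
    """One processing policy applied to both transmission directions."""
    return {(id_a, id_b): action, (id_b, id_a): action}


# Constructed addresses for network devices 102, 103 and 104.
DEV102, DEV103, DEV104 = "2001:db8:ffff::102", "2001:db8:ffff::103", "2001:db8:ffff::104"


def build_scenario_4():
    routes = {"VPN1": {"2001:db8:102::/48": DEV102,
                       "2001:db8:103::/48": DEV103,
                       "2001:db8:104::/48": DEV104}}
    second_corr = {(DEV102, "VPN1"): 1, (DEV103, "VPN1"): 2, (DEV104, "VPN1"): 3}
    first_corr = {}
    first_corr.update(both_directions(1, 2, Action.FORWARD))  # processing policy 1
    first_corr.update(both_directions(1, 3, Action.DROP))     # processing policy 2
    first_corr.update(both_directions(2, 3, Action.FORWARD))  # processing policy 3
    return FirstNetworkDevice(routes, second_corr, first_corr)


if __name__ == "__main__":
    pe = build_scenario_4()
    for m in (Message("VPN1", 1, "2001:db8:103::10"),   # 102 -> 103
              Message("VPN1", 1, "2001:db8:104::10"),   # 102 -> 104
              Message("VPN1", 2, "2001:db8:104::10")):  # 103 -> 104
        action, egress, reason = pe.process(m)
        print(m.packet_id, "->", m.dst, action.value, egress, reason)
```

Because the decision is keyed on the identifier carried in the message, the table is only as trustworthy as the device that writes the identifier; the fail-closed branches keep an unknown identifier from being forwarded by default.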
Repeating the process of steps 301-305 connects or isolates the network devices of some of the branches. For example, the second network device sends a second message to the first network device, where the second message includes a third packet identifier, the third packet identifier corresponds to the VPN on the second network device, a second source device corresponding to the second message belongs to the VPN, and the second source device is connected to the second network device. The first network device receives the second message and obtains a fourth packet identifier based on the destination address of the second message, where the fourth packet identifier corresponds to the VPN on the fourth network device, a second destination device corresponding to the destination address of the second message belongs to the VPN, and the second destination device is connected to the fourth network device. The first network device processes the second message based on the third packet identifier and the fourth packet identifier. Assume that processing the first message includes sending the first message to the third network device, and processing the second message includes discarding the second message. In this way, the transmission direction from the second network device to the third network device is connected, and the transmission direction from the second network device to the fourth network device is isolated.
It should be noted that, when a new branch is added: if the new branch is to be connected to an existing branch, a packet identifier is configured on the network device in the new branch such that either the packet identifier is the same as the packet identifier on the network device in the existing branch, or the processing policy that the two packet identifiers jointly correspond to indicates connection. If the new branch is to be isolated from an existing branch, a packet identifier is configured on the network device in the new branch such that either the packet identifier is different from the packet identifier on the network device in the existing branch, or the processing policy that the two packet identifiers jointly correspond to indicates isolation. When a new branch is added, only the network device in the new branch needs to be configured; the network devices in the existing branches and the first network device do not need to be configured, which reduces the number of network devices to be configured and improves configuration efficiency.
In this embodiment of the present application, the first message sent by the second network device includes a first packet identifier, where the first packet identifier corresponds to a VPN on the second network device, and a source device corresponding to the first message belongs to the VPN. After the first network device receives the first message, it obtains a second packet identifier based on the destination address of the first message, where the second packet identifier corresponds to the VPN on the third network device. The first network device determines, based on the first packet identifier and the second packet identifier, whether the transmission direction from the second network device to the third network device is connected or isolated. If the transmission direction from the second network device to the third network device is connected, the first network device sends the first message to the third network device; if that transmission direction is isolated, the first network device discards the first message. In this way, the packet identifiers meet the requirement that some branches intercommunicate while other branches are isolated.
Referring to fig. 8, an embodiment of the present application provides an apparatus 800 for processing a message, where the apparatus 800 may be deployed on the first network device 101 in the network architecture 100 shown in fig. 1, the first network device 101 in the scenario shown in fig. 2, or the first network device in the method 300 shown in fig. 3. The apparatus 800 includes a transceiver unit 801 and a processing unit 802.
The transceiver unit 801 is configured to receive a first message sent by a second network device, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the second network device.
The processing unit 802 is configured to obtain a second packet identifier based on a destination address of the first message, where the second packet identifier corresponds to the VPN on the third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected to the third network device.
The processing unit 802 is further configured to process the first message based on the first packet identifier and the second packet identifier.
Optionally, for the detailed implementation of the transceiver unit 801 receiving the first message, see the related content in step 303 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 802 obtaining the second packet identifier, see the related content in step 304 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 802 processing the first message, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the processing unit 802 is configured to obtain a first processing policy based on the first packet identifier and the second packet identifier.
The processing unit 802 is further configured to process the first message based on the first processing policy.
Optionally, for the detailed implementation of the processing unit 802 obtaining the first processing policy and processing the first message based on the first processing policy, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the processing unit 802 is configured to obtain the first processing policy based on the first packet identifier, the second packet identifier, and the first correspondence.
Optionally, for the detailed implementation of the processing unit 802 obtaining the first processing policy, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, when the first processing policy indicates that the transmission direction from the second network device to the third network device is connected, the transceiver unit 801 is further configured to send the first message to the third network device.
Optionally, for the detailed implementation of the transceiver unit 801 sending the first message, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, when the first processing policy indicates that the transmission direction from the second network device to the third network device is isolated, the processing unit 802 is configured to discard the first message.
Optionally, the first processing policy further indicates that the transmission direction from the third network device to the second network device is connected, or the first processing policy further indicates that the transmission direction from the third network device to the second network device is isolated.
Optionally, the processing unit 802 is configured to obtain, based on the destination address of the first message, routing information for sending the first message, where the routing information includes an address of the third network device.
The processing unit 802 is further configured to obtain the second packet identifier based on the address of the third network device, the network identifier of the VPN, and the second correspondence.
Optionally, for the detailed implementation of the processing unit 802 obtaining the routing information, see the related content in step 304 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 802 obtaining the second packet identifier based on the address of the third network device, the network identifier of the VPN, and the second correspondence, see the related content in step 304 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the first packet identifier is included in an Internet Protocol version 6 (IPv6) extension header of the first message.
Optionally, the first packet identifier is included in an application-aware networking (APN) identifier of the IPv6 extension header.
Optionally, the transceiver unit 801 is further configured to receive a second message sent by the second network device, where the second message includes a third packet identifier, the third packet identifier corresponds to the VPN on the second network device, a second source device corresponding to the second message belongs to the VPN, and the second source device is connected to the second network device.
The processing unit 802 is further configured to obtain a fourth packet identifier based on a destination address of the second message, where the fourth packet identifier corresponds to the VPN on the fourth network device, a second destination device corresponding to the destination address of the second message belongs to the VPN, and the second destination device is connected to the fourth network device.
The processing unit 802 is further configured to process the second message based on the third packet identifier and the fourth packet identifier.
Processing the first message includes sending the first message to the third network device, and processing the second message includes discarding the second message.
Optionally, the apparatus 800 includes a network-side edge device (PE).
Optionally, the second network device includes a customer premises equipment (CPE) connected to the first source device, and the third network device includes a CPE connected to the first destination device.
Optionally, for the detailed implementation of the transceiver unit 801 receiving the second message, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 802 obtaining the fourth packet identifier, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 802 processing the second message, see the related content in step 305 of the method 300 shown in fig. 3, which is not described in detail here.
In this embodiment of the present application, the first message includes a first packet identifier that corresponds to the VPN on the second network device, and the processing unit obtains, based on the destination address of the first message, a second packet identifier that corresponds to the VPN on the third network device. The processing unit processes the first message based on the first packet identifier and the second packet identifier, for example by sending the first message to the third network device or by discarding the first message, thereby connecting the second network device and the third network device or isolating them. In this way, the requirements for intercommunication of some network devices and isolation of part of the network are met.
Referring to fig. 9, an embodiment of the present application provides an apparatus 900 for processing a message, where the apparatus 900 may be deployed on the second network device 102 in the network architecture 100 shown in fig. 1, the second network device 102 in the scenario shown in fig. 2, or the second network device in the method 300 shown in fig. 3. The apparatus 900 includes a processing unit 901 and a transceiver unit 902.
The processing unit 901 is configured to obtain a first message, where the first message includes a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the apparatus, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected to the apparatus.
The transceiver unit 902 is configured to send the first message to a first network device.
Optionally, for the detailed implementation of the processing unit 901 obtaining the first message, see the related content in step 301 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the transceiver unit 902 sending the first message, see the related content in step 302 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the processing unit 901 is configured to obtain the first packet identifier based on the network identifier of the VPN and the first correspondence.
Optionally, for the detailed implementation of the processing unit 901 obtaining the first packet identifier, see the related content in step 301 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the apparatus 900 includes a first interface bound to the VPN, and the first interface is connected to the first source device.
The transceiver unit 902 is further configured to receive, through the first interface, a third message sent by the first source device.
The processing unit 901 is further configured to obtain the first message based on the third message, where the first message includes an identifier of the VPN.
Optionally, for the detailed implementation of the transceiver unit 902 receiving the third message, see the related content in operation 3011 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, for the detailed implementation of the processing unit 901 obtaining the first message based on the third message, see the related content in operations 3012-3013 of the method 300 shown in fig. 3, which is not described in detail here.
Optionally, the apparatus 900 includes a customer premises equipment (CPE).
Optionally, the first network device includes a network-side edge device (PE).
In this embodiment of the present application, the first message includes a first packet identifier that corresponds to the VPN on the apparatus, so that after the transceiver unit sends the first message, the first network device that receives the first message processes it based on the first packet identifier. For example, based on the first packet identifier, the first network device sends the first message to the third network device or discards the first message, thereby connecting the apparatus and the third network device or isolating them. In this way, the requirements for intercommunication of some network devices and isolation of part of the network are met.
Referring to fig. 10, an embodiment of the present application provides a schematic diagram of an apparatus 1000 for processing a message. The apparatus 1000 may be the first network device provided in any of the foregoing embodiments, for example, the apparatus 1000 may be the first network device 101 in the network architecture 100 shown in fig. 1, the first network device 101 in the scenario shown in fig. 2, or the first network device in the method 300 shown in fig. 3. The device 1000 comprises at least one processor 1001, an internal connection 1002, a memory 1003 and at least one transceiver 1004.
The apparatus 1000 is a hardware-structured apparatus that can be used to implement the functional modules in the apparatus 800 illustrated in fig. 8. For example, those skilled in the art will appreciate that the functions corresponding to the processing unit 802 and the transceiving unit 801 in the apparatus 800 shown in fig. 8 may be implemented by the at least one processor 1001 invoking code in the memory 1003.
The apparatus 1000 may also be used to implement the functionality of the first network device in any of the embodiments described above.
The processor 1001 may be a general purpose central processing unit (central processing unit, CPU), network processor (network processor, NP), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
The internal connection 1002 may include a pathway to transfer information between the components. The internal connection 1002 may be a board or bus, etc.
The at least one transceiver 1004 is configured to communicate with other devices or communication networks.
The memory 1003 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other compact disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be stand-alone and coupled to the processor via a bus. The memory may also be integrated with the processor.
The memory 1003 is used for storing application code for executing the solution of the present application, and execution is controlled by the processor 1001. The processor 1001 is configured to execute the application code stored in the memory 1003 and to cooperate with the at least one transceiver 1004 so that the apparatus 1000 performs the functions of the method.
In a particular implementation, the processor 1001 may include one or more CPUs, such as CPU0 and CPU1 in fig. 10, as one embodiment.
In a specific implementation, the apparatus 1000 may include a plurality of processors, such as the processor 1001 and the processor 1007 in fig. 10, as an embodiment. Each of these processors may be a single-core (single-CPU) processor or may be a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Referring to fig. 11, an embodiment of the present application provides a schematic diagram of an apparatus 1100 for processing a message. The apparatus 1100 may be the second network device provided in any of the foregoing embodiments, for example, the apparatus 1100 may be the second network device 102 in the network architecture 100 shown in fig. 1, the second network device 102 in the scenario shown in fig. 2, or the second network device in the method 300 shown in fig. 3. The device 1100 comprises at least one processor 1101, an internal connection 1102, a memory 1103 and at least one transceiver 1104.
The apparatus 1100 is a hardware-structured apparatus that can be used to implement the functional modules in the apparatus 900 described in fig. 9. For example, it will be appreciated by those skilled in the art that the functions of the processing unit 901 and the transceiving unit 902 in the apparatus 900 shown in fig. 9 may be implemented by the at least one processor 1101 invoking code in the memory 1103.
The apparatus 1100 may also be used to implement the functionality of the second network device in any of the embodiments described above.
The processor 1101 may be a general purpose central processing unit (central processing unit, CPU), network processor (network processor, NP), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
The internal connection 1102 may include a pathway to transfer information between the components. The internal connection 1102 may be a board or bus, etc.
The at least one transceiver 1104 is configured to communicate with other devices or communication networks.
The memory 1103 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other compact disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be stand-alone and coupled to the processor via a bus. The memory may also be integrated with the processor.
The memory 1103 is used for storing application code for executing the solution of the present application, and execution is controlled by the processor 1101. The processor 1101 is configured to execute the application code stored in the memory 1103 and to cooperate with the at least one transceiver 1104 so that the apparatus 1100 performs the functions of the method.
In a particular implementation, the processor 1101 may include one or more CPUs, such as CPU0 and CPU1 of FIG. 11, as an embodiment.
In a specific implementation, the apparatus 1100 may include multiple processors, such as the processor 1101 and the processor 1107 in fig. 11, as an embodiment. Each of these processors may be a single-core (single-CPU) processor or may be a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Referring to fig. 12, fig. 12 shows a schematic structural diagram of an apparatus 1200 according to an exemplary embodiment of the present application, and optionally, the apparatus 1200 is a first network device according to any of the foregoing embodiments. For example, the device 1200 may be the first network device 101 in the network architecture 100 shown in fig. 1, the first network device 101 in the scenario shown in fig. 2, the first network device in the method 300 shown in fig. 3, the apparatus 800 shown in fig. 8, or the apparatus 1000 shown in fig. 10. In other words, the first network device in the method 300 shown in fig. 3 described above may be implemented by the device 1200.
The device 1200 is, for example, a network device such as a switch or a router. As shown in fig. 12, the device 1200 includes: a main control board 1201 and an interface board 1202.
The main control board 1201 is also called a main processing unit (main processing unit, MPU) or a routing processing card (route processor card), and the main control board 1201 is used for controlling and managing various components in the device 1200, including routing computation, device management, device maintenance, and protocol processing functions. The main control board 1201 includes: a central processing unit 12011 and a memory 12012.
The interface board 1202 is also referred to as a line processing unit (LPU), line card, or service board. The interface board 1202 is used to provide various service interfaces and to implement forwarding of data packets. The service interfaces include, but are not limited to, Ethernet interfaces, such as Flexible Ethernet service interfaces (Flexible Ethernet Clients, FlexE Clients), POS (Packet over SONET/SDH) interfaces, etc. The interface board 1202 includes: a central processor 12021, a network processor 12022, a forwarding table entry memory 12023, and a physical interface card (PIC) 12024.
The central processor 12021 on the interface board 1202 is used for control management of the interface board 1202 and communication with the central processor 12011 on the main control board 1201.
The network processor 12022 is configured to implement forwarding processing of the packet. The network processor 12022 may be in the form of a forwarding chip. The forwarding chip may be a network processor (network processor, NP). In some embodiments, the forwarding chip may be implemented by an application-specific integrated circuit (ASIC) or a field programmable gate array (field programmable gate array, FPGA). Specifically, the network processor 12022 is configured to forward the received message based on the forwarding table stored in the forwarding table entry memory 12023, and if the destination address of the message is the address of the device 1200, upload the message to a CPU (e.g. the central processing unit 12021) for processing; if the destination address of the message is not the address of the device 1200, the next hop and the outbound interface corresponding to the destination address are found from the forwarding table according to the destination address, and the message is forwarded to the outbound interface corresponding to the destination address. The processing of the uplink message may include: processing a message input interface and searching a forwarding table; the processing of the downlink message may include: forwarding table lookup, etc. In some embodiments, the central processor may also perform the function of a forwarding chip, such as implementing software forwarding based on a general purpose CPU, so that no forwarding chip is needed in the interface board.
The physical interface card 12023 implements the interconnection function of the physical layer: original traffic enters the interface board 1202 through it, and processed messages are sent out from it. The physical interface card 12023, also referred to as a daughter card, may be mounted on the interface board 1202 and is responsible for converting optical and electrical signals into messages, performing a validity check on the messages, and forwarding them to the network processor 12022 for processing. In some embodiments, the central processor may also perform the functions of the network processor 12022, such as implementing software forwarding based on a general purpose CPU, so that the network processor 12022 is not required in the physical interface card 12023.
Optionally, the device 1200 comprises a plurality of interface boards, e.g. the device 1200 further comprises an interface board 1203, the interface board 1203 comprising: a central processor 12031, a network processor 12032, a forwarding table entry memory 12033, and a physical interface card 12034. The function and implementation of the components in the interface board 1203 are the same as or similar to those of the interface board 1202, and will not be repeated here.
Optionally, the device 1200 also includes a switch board 1204. The switch board 1204 may also be referred to as a switch fabric unit (SFU). Where the device 1200 has multiple interface boards, the switch board 1204 is used to complete the exchange of data between the interface boards. For example, the interface board 1202 and the interface board 1203 may communicate via the switch board 1204.
The main control board 1201 is coupled to the interface board 1202. For example, the main control board 1201, the interface board 1202, the interface board 1203 and the switch board 1204 are connected to the system backplane through a system bus to realize intercommunication. In one possible implementation, an inter-process communication (IPC) channel is established between the main control board 1201 and the interface board 1202, and the main control board 1201 and the interface board 1202 communicate through the IPC channel.
Logically, the device 1200 includes a control plane and a forwarding plane. The control plane includes the main control board 1201 and the central processor; the forwarding plane includes the components that perform forwarding, such as the forwarding table entry memory 12023, the physical interface card 12024, and the network processor 12022. The control plane performs functions such as the functions of a router, generating the forwarding table, processing signaling and protocol messages, and configuring and maintaining the state of the device. The control plane issues the generated forwarding table to the forwarding plane, where the network processor 12022 performs table lookup and forwarding on the messages received by the physical interface card 12024 based on the forwarding table issued by the control plane. The forwarding table issued by the control plane may be stored in the forwarding table entry memory 12023. In some embodiments, the control plane and the forwarding plane may be completely separate and not on the same device.
It should be noted that there may be one or more main control boards 1201; when there are several, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the device 1200, the more interface boards are provided. There may also be one or more physical interface cards on an interface board. There may be no switch board 1204, or one or more; when there are several, they may jointly implement load sharing and redundancy backup. In a centralized forwarding architecture, the device 1200 may not need a switch board, and the interface board takes on the processing of the service data of the entire system. In a distributed forwarding architecture, the device 1200 may have at least one switch board 1204, through which data is exchanged between multiple interface boards, providing high-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of the device 1200 in the distributed architecture are greater than those of a device in the centralized architecture. Alternatively, the device 1200 may take the form of a single board: there is no switch board, and the functions of the interface board and the main control board are integrated on that board, where the central processor on the interface board and the central processor on the main control board may be combined into one central processor that performs the functions of both. A device in this form has low data exchange and processing capabilities (for example, network devices such as a low-end switch or router). Which architecture is used depends on the specific networking deployment scenario and is not limited in any way herein.
Referring to fig. 13, fig. 13 shows a schematic structural diagram of an apparatus 1300 according to an exemplary embodiment of the present application, and optionally, the apparatus 1300 is a second network device according to any of the foregoing embodiments. For example, the device 1300 may be the second network device 102 in the network architecture 100 shown in fig. 1, the second network device 102 in the scenario shown in fig. 2, the second network device in the method 300 shown in fig. 3, the apparatus 900 shown in fig. 9, or the apparatus 1100 shown in fig. 11. In other words, the second network device in the method 300 shown in fig. 3 described above may be implemented by the device 1300.
The device 1300 is, for example, a network device such as a switch or a router. As shown in fig. 13, the device 1300 includes: a main control board 1301 and an interface board 1302.
The main control board 1301 is also called a main processing unit (main processing unit, MPU) or a routing processing card (route processor card), and the main control board 1301 is used for controlling and managing various components in the apparatus 1300, including routing computation, apparatus management, apparatus maintenance, and protocol processing functions. The main control board 1301 includes: a central processor 13011 and a memory 13012.
The interface board 1302 is also referred to as a line processing unit (LPU), line card, or service board. The interface board 1302 is used to provide various service interfaces and to implement forwarding of data packets. The service interfaces include, but are not limited to, Ethernet interfaces, such as Flexible Ethernet service interfaces (Flexible Ethernet Clients, FlexE Clients), POS (Packet over SONET/SDH) interfaces, etc. The interface board 1302 includes: a central processor 13021, a network processor 13022, a forwarding table entry memory 13023, and a physical interface card (PIC) 13024.
The central processor 13021 on the interface board 1302 is used for controlling and managing the interface board 1302 and communicating with the central processor 13011 on the main control board 1301.
The network processor 13022 is configured to implement forwarding processing of the packet. The network processor 13022 may be in the form of a forwarding chip. The forwarding chip may be a network processor (network processor, NP). In some embodiments, the forwarding chip may be implemented by an application-specific integrated circuit (ASIC) or a field programmable gate array (field programmable gate array, FPGA). Specifically, the network processor 13022 is configured to forward the received message based on the forwarding table stored in the forwarding table entry memory 13023, and if the destination address of the message is the address of the device 1300, upload the message to the CPU (e.g. the central processor 13021) for processing; if the destination address of the message is not the address of the device 1300, the next hop and the outbound interface corresponding to the destination address are found from the forwarding table according to the destination address, and the message is forwarded to the outbound interface corresponding to the destination address. The processing of the uplink message may include: processing a message input interface and searching a forwarding table; the processing of the downlink message may include: forwarding table lookup, etc. In some embodiments, the central processor may also perform the function of a forwarding chip, such as implementing software forwarding based on a general purpose CPU, so that no forwarding chip is needed in the interface board.
The physical interface card 13023 implements the interconnection function of the physical layer: original traffic enters the interface board 1302 through it, and processed messages are sent out from it. The physical interface card 13023, also referred to as a daughter card, may be mounted on the interface board 1302 and is responsible for converting optical and electrical signals into messages, performing a validity check on the messages, and forwarding them to the network processor 13022 for processing. In some embodiments, the central processor may also perform the functions of the network processor 13022, such as implementing software forwarding based on a general purpose CPU, so that the network processor 13022 is not required in the physical interface card 13023.
Optionally, the device 1300 includes a plurality of interface boards, for example, the device 1300 further includes an interface board 1303, and the interface board 1303 includes: central processor 13031, network processor 13032, forwarding table entry memory 13033, and physical interface card 13034. The function and implementation of the components in the interface board 1303 are the same as or similar to those of the interface board 1302, and will not be described again here.
Optionally, the device 1300 further includes a switch board 1304. The switch board 1304 may also be referred to as a switch fabric unit (SFU). Where the device 1300 has multiple interface boards, the switch board 1304 is used to complete the exchange of data between the interface boards. For example, the interface board 1302 and the interface board 1303 may communicate through the switch board 1304.
The main control board 1301 is coupled to the interface board 1302. For example, the main control board 1301, the interface board 1302, the interface board 1303 and the switch board 1304 are connected to the system backplane through a system bus to realize intercommunication. In one possible implementation, an inter-process communication (IPC) channel is established between the main control board 1301 and the interface board 1302, and the main control board 1301 and the interface board 1302 communicate through the IPC channel.
Logically, the device 1300 includes a control plane and a forwarding plane. The control plane includes the main control board 1301 and the central processor; the forwarding plane includes the components that perform forwarding, such as the forwarding table entry memory 13023, the physical interface card 13024, and the network processor 13022. The control plane performs functions such as the functions of a router, generating the forwarding table, processing signaling and protocol messages, and configuring and maintaining the state of the device. The control plane issues the generated forwarding table to the forwarding plane, where the network processor 13022 performs table lookup and forwarding on the messages received by the physical interface card 13024 based on the forwarding table issued by the control plane. The forwarding table issued by the control plane may be stored in the forwarding table entry memory 13023. In some embodiments, the control plane and the forwarding plane may be completely separate and not on the same device.
It should be noted that there may be one or more main control boards 1301; when there are several, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the device 1300, the more interface boards are provided. There may also be one or more physical interface cards on an interface board. There may be no switch board 1304, or one or more; when there are several, they may jointly implement load sharing and redundancy backup. In a centralized forwarding architecture, the device 1300 may not need a switch board, and the interface board takes on the processing of the service data of the entire system. In a distributed forwarding architecture, the device 1300 may have at least one switch board 1304, through which data is exchanged between multiple interface boards, providing high-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of the device 1300 in the distributed architecture are greater than those of a device in the centralized architecture. Alternatively, the device 1300 may take the form of a single board: there is no switch board, and the functions of the interface board and the main control board are integrated on that board, where the central processor on the interface board and the central processor on the main control board may be combined into one central processor that performs the functions of both. A device in this form has low data exchange and processing capabilities (for example, network devices such as a low-end switch or router). Which architecture is used depends on the specific networking deployment scenario and is not limited in any way herein.
Referring to fig. 14, an embodiment of the present application provides a system 1400 for processing a message, where the system 1400 includes an apparatus 800 as shown in fig. 8 and an apparatus 900 as shown in fig. 9, or where the system 1400 includes an apparatus 1000 as shown in fig. 10 and an apparatus 1100 as shown in fig. 11, or where the system 1400 includes a device 1000 as shown in fig. 10 and a device 1300 as shown in fig. 13.
The apparatus 800 as described in fig. 8, or the apparatus 1000 as described in fig. 10, or the device 1000 as described in fig. 10 is a first network device 1401. The apparatus 900 as described in fig. 9, or the apparatus 1100 as described in fig. 11, or the device 1300 as described in fig. 13 is the second network device 1402.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments is merely illustrative of the principles of the present application, and not in limitation thereof, and any modifications, equivalents, improvements and/or the like may be made without departing from the spirit and scope of the present application.

Claims (22)

1. A method for processing a message, the method comprising:
a first network device receives a first message sent by a second network device, wherein the first message comprises a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected with the second network device;
the first network device obtains a second packet identifier based on a destination address of the first message, the second packet identifier corresponds to the VPN on a third network device, a first destination device corresponding to the destination address of the first message belongs to the VPN, and the first destination device is connected with the third network device;
the first network device processes the first message based on the first packet identifier and the second packet identifier.
2. The method of claim 1, wherein the first network device processing the first message based on the first packet identifier and the second packet identifier comprises:
the first network device obtains a first processing policy based on the first packet identifier and the second packet identifier;
the first network device processes the first message based on the first processing policy.
3. The method of claim 2, wherein the first network device obtains a first processing policy based on the first packet identifier and the second packet identifier, comprising:
the first network device obtains a first processing policy based on the first packet identifier, the second packet identifier and a first corresponding relation, wherein the first corresponding relation comprises the first packet identifier, the second packet identifier and the first processing policy.
4. A method according to claim 2 or 3, wherein the first network device processing the first message based on the first processing policy comprises:
when the first processing policy is used for indicating that the transmission direction from the second network device to the third network device is connected, the first network device sends the first message to the third network device; or
when the first processing policy is used for indicating that the transmission direction from the second network device to the third network device is isolated, the first network device discards the first message.
5. The method of claim 4, wherein the first processing policy is further used for indicating that the transmission direction from the third network device to the second network device is connected, or wherein the first processing policy is further used for indicating that the transmission direction from the third network device to the second network device is isolated.
6. The method according to any of claims 1-5, wherein the first network device obtaining a second packet identity based on a destination address of the first message comprises:
the first network device obtains routing information for sending the first message based on the destination address of the first message, wherein the routing information comprises the address of the third network device;
the first network device obtains the second packet identifier based on the address of the third network device, the network identifier of the VPN, and a second corresponding relationship, where the second corresponding relationship includes the address of the third network device, the network identifier of the VPN, and the second packet identifier.
7. The method of any of claims 1-6, wherein the first packet identifier is included in an Internet Protocol version 6 (IPv6) extension header of the first message.
8. The method of claim 7, wherein the first packet identifier is included in an application-aware networking (APN) identifier of the IPv6 extension header.
9. The method of any one of claims 1-8, wherein the method further comprises:
the first network device receives a second message sent by the second network device, wherein the second message comprises a third packet identifier, the third packet identifier corresponds to the VPN on the second network device, a second source device corresponding to the second message belongs to the VPN, and the second source device is connected with the second network device;
the first network device obtains a fourth packet identifier based on the destination address of the second message, the fourth packet identifier corresponds to the VPN on a fourth network device, a second destination device corresponding to the destination address of the second message belongs to the VPN, and the second destination device is connected with the fourth network device;
the first network device processes the second message based on the third packet identifier and the fourth packet identifier;
wherein processing the first message includes sending the first message to the third network device, and processing the second message includes discarding the second message.
10. The method according to any of claims 1-9, wherein the first network device comprises a network-side edge device (PE).
11. The method according to any of claims 1-10, wherein the second network device comprises a customer premises equipment (CPE) connected to the first source device and the third network device comprises a CPE connected to the first destination device.
12. A method for processing a message, the method comprising:
a second network device obtains a first message, wherein the first message comprises a first packet identifier, the first packet identifier corresponds to a virtual private network (VPN) on the second network device, a first source device corresponding to the first message belongs to the VPN, and the first source device is connected with the second network device;
the second network device sends the first message to a first network device.
13. The method of claim 12, wherein the method further comprises:
the second network device obtains a first packet identifier based on the network identifier of the VPN and a first corresponding relation, wherein the first corresponding relation comprises the network identifier of the VPN and the first packet identifier.
14. The method of claim 13, wherein the first correspondence further comprises a first address, the first address comprising one or more of: the source address of the first message or the destination address of the first message;
the second network device obtains a first packet identifier based on the network identifier of the VPN and a first correspondence, including:
the second network device obtains the first packet identifier based on the network identifier of the VPN, the first address and the first correspondence.
15. The method of any of claims 12-14, wherein the second network device includes a first interface bound to the VPN, the first interface being connected to the first source device, the method further comprising:
the second network device receives a third message sent by the first source device through the first interface;
the second network device obtaining a first message includes:
the second network device obtains the first message based on the third message, wherein the first message comprises the identifier of the VPN.
16. The method according to any of claims 12-15, wherein the second network device comprises a customer premises equipment (CPE).
17. The method according to any of claims 12-16, wherein the first network device comprises a network-side edge device (PE).
18. An apparatus for processing a message, the apparatus comprising:
a processor and a memory for storing a program, the processor for executing the program in the memory, causing the apparatus to perform the method of any one of claims 1-11.
19. An apparatus for processing message information, the apparatus comprising:
a processor and a memory for storing a program, the processor for executing the program in the memory, causing the apparatus to perform the method of any one of claims 12-17.
20. A system for processing messages, the system comprising: a first network device for performing the method of any of claims 1-11 and a second network device for performing the method of any of claims 12-17.
21. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a computer, implements the method according to any of claims 1-17.
22. A computer program product, characterized in that the computer program product comprises a computer program stored in a computer readable storage medium and that the computer program is loaded by a processor to implement the method of any of claims 1-17.
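The lookup chain of claims 1 to 6, with the two outcomes of claim 9, can be modelled as follows. This is an added example, not code from the patent: the class and function names, addresses, VPN identifiers, packet identifier values and table contents are all constructed, and dropping a packet that carries no identifier or matches no policy entry is an assumption, since the claims do not state a default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONNECT, ISOLATE = "connect", "isolate"


@dataclass(frozen=True)
class Packet:
    vpn_id: int               # network identifier of the VPN
    dst: str                  # destination address of the message
    group_id: Optional[int]   # first packet identifier, stamped by the ingress CPE


class ProviderEdge:
    """Model of the first network device (PE). Hypothetical class, constructed tables."""

    def __init__(self, routes, egress_groups, policies, default=ISOLATE):
        # routes: (vpn_id, prefix) -> address of the egress CPE (routing information, claim 6)
        self.routes = [(vpn, ipaddress.ip_network(prefix), cpe)
                       for (vpn, prefix), cpe in routes.items()]
        # second corresponding relation: (egress CPE address, vpn_id) -> second packet identifier
        self.egress_groups = egress_groups
        # first corresponding relation: (first id, second id) -> policy for that direction
        self.policies = policies
        # Assumption: fail closed when no policy entry exists for the pair.
        self.default = default

    def egress_cpe(self, vpn_id, dst):
        """Longest-prefix match inside one VPN; returns the third device's address."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, cpe) for vpn, net, cpe in self.routes
                if vpn == vpn_id and net.version == addr.version and addr in net]
        return max(hits)[1] if hits else None

    def process(self, pkt):
        """Return (action, egress CPE or None, reason) for one message."""
        if pkt.group_id is None:
            # Assumption: a message without the identifier is not trusted.
            return ("drop", None, "no first packet identifier")
        cpe = self.egress_cpe(pkt.vpn_id, pkt.dst)
        if cpe is None:
            return ("drop", None, "no route in VPN")
        dst_group = self.egress_groups.get((cpe, pkt.vpn_id))
        if dst_group is None:
            return ("drop", cpe, "egress CPE has no packet identifier")
        policy = self.policies.get((pkt.group_id, dst_group), self.default)
        direction = f"{pkt.group_id}->{dst_group}"
        if policy == CONNECT:
            return ("forward", cpe, f"{direction} connect")
        return ("drop", cpe, f"{direction} isolate")


# Constructed sample tables: three CPEs in VPN 100, one stray route in VPN 200.
CPE_A, CPE_B, CPE_C = "2001:db8::a", "2001:db8::b", "2001:db8::c"
PE = ProviderEdge(
    routes={
        (100, "10.1.0.0/16"): CPE_A,
        (100, "10.2.0.0/16"): CPE_B,
        (100, "10.3.0.0/16"): CPE_C,
        (100, "10.3.9.0/24"): CPE_B,   # more specific route wins over CPE_C
        (200, "10.3.0.0/16"): CPE_B,
    },
    egress_groups={(CPE_A, 100): 1, (CPE_B, 100): 2, (CPE_C, 100): 3},
    policies={
        (1, 2): CONNECT, (2, 1): CONNECT,   # A and B interwork in both directions
        (1, 3): ISOLATE, (3, 1): CONNECT,   # A may not reach C, but C may reach A
    },
)

if __name__ == "__main__":
    samples = [
        Packet(100, "10.2.0.9", 1),     # claim 9: first message, forwarded
        Packet(100, "10.3.0.9", 1),     # claim 9: second message, discarded
        Packet(100, "10.1.0.9", 3),     # reverse direction has its own policy
        Packet(100, "10.3.9.5", 1),     # identifier follows the route, not the address block
        Packet(100, "10.2.0.9", None),  # identifier missing
        Packet(200, "10.3.0.9", 1),     # egress CPE has no identifier in this VPN
    ]
    for pkt in samples:
        print(pkt, "=>", PE.process(pkt))
```

Because the second packet identifier is derived from the route's egress device rather than from the destination prefix, a route change moves a destination into another group; anyone auditing such a deployment should review the routing table and the identifier table together.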
CN202210028914.3A 2021-10-26 2022-01-11 Method, device, system and storage medium for processing message Pending CN116032513A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP22202445.7A EP4175257A1 (en) 2021-10-26 2022-10-19 Packet processing method, apparatus, and system, and storage medium
US17/972,686 US20230131282A1 (en) 2021-10-26 2022-10-25 Packet processing method, apparatus, and system, and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2021112505435 2021-10-26
CN202111250543 2021-10-26

Publications (1)

Publication Number Publication Date
CN116032513A true CN116032513A (en) 2023-04-28

Family

ID=86074842

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210028914.3A Pending CN116032513A (en) 2021-10-26 2022-01-11 Method, device, system and storage medium for processing message

Country Status (1)

Country Link
CN (1) CN116032513A (en)

Legal Events

Date Code Title Description
PB01 Publication