JP2002335274A - Packet relaying apparatus and relaying method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a packet relaying apparatus easily capable of setting/ revising the relaying policy and reducing the consumed amount of a memory used by the apparatus. SOLUTION: The packet relaying apparatus 100 is structured to comprise a network relaying means 52 for selecting one or more networks allowed to relay an received packet based on the transmission source network identifier corresponding to the received packet, a domain relaying function 53 for selecting one or more routing domains corresponding to one or more networks, a routing information management function 54 for collating the transmission destination address of the packet with each routing domain information of one or more routing domains the next hop router address for transmitting the packet to the next packet relaying apparatus, and a packet relaying function 51 for transmitting the packet to the transmission destination address.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet relay device and a packet relay method for providing a communication service.
In particular, virtual private networks (Virtual Private Networks)
The present invention relates to a packet relay apparatus and a packet relay method for relaying a packet between networks and between route domains. Hereinafter, the route domain may be referred to as a domain.

[0002]

2. Description of the Related Art In recent years, with the spread of the Internet, users (for example, companies and universities) have been using ATM (Async).
(Hronous Transfer Mode) and FR
Virtual dedicated line (Vi)
rtual Path / Virtual Channel
Without using 1), it is now possible to communicate between the dispersed bases via the Internet. In this communication, V
A PN may be constructed. Hereinafter, the VPN may be referred to as a virtual closed network.

[0003] Some users have been independently assigning and operating IP addresses only within the user's network. When a private IP address is used in such a user's network, a packet having the private IP address cannot be directly transmitted to the Internet having a global IP address.

[0004] This is because a private IP address and a global IP address are used redundantly on the Internet, and there is a possibility that communication via the Internet cannot be performed normally.

[0005] Therefore, when communication is performed between the bases of such a user's private network via the Internet, the connection from the private network within the user to the Internet requires, for example,
The packet is encapsulated (tunneled) with an IP packet having a global IP address, transferred to the Internet, and the packet encapsulated by the Internet connection router at the receiving site is received and decapsulated at the same time. A mechanism such as routing to the destination host is required.

[0006] In this case, the user needs a private IP.
It is necessary to provide a device that tunnels an IP packet having an address using a global IP address (encapsulation on the transmission side and decapsulation on the reception side). That is, introduction of a new device occurs.

[0007] In addition, since a process for encapsulation and decapsulation is newly required, there is a possibility that the performance is reduced.
In the following description, the relay device may be described as a router.

[0008] Further, when a user connects each site to the Internet, setting of route control, logical interface, and the like at the router of each site becomes more complicated as the number of combinations of settings between the sites increases. . In this case, there is a problem in that introduction and maintenance of network devices and training of network administrators are costly.

Therefore, when a user introduces a VPN for communicating between each site via the Internet, the VPN
By outsourcing (outsourcing) the introduction and maintenance of the network to the provider (including the carrier in the present invention), the user can receive the VPN service with almost no modification to the existing network.

In this VPN service, the function of starting and terminating a tunnel is realized by a router of a provider. When a user has a plurality of bases, the provider router has a route control function for determining which destination user base network the IP packet received from the source user base should be encapsulated and transmitted. I have.

This function is provided by the provider's router by outsourcing. Thus, depending on the provider, V
When the PN service is performed, the edge router of the provider transfers the IP packet by a route control function unique to the user network, separately from the route control function of the Internet network. Note that such a VPN service is, for example, an IPv4 configured only with a global IP address.
And IPv6 networks.

Therefore, the VPN provided by the provider
The setting of the service is very complicated because it is necessary to independently manage the route control function for each base network of each user. That is, the burden of the setting work for the provider is increased.

[0013] Sometimes a user constructs a VPN,
Here, the description will be given on the assumption that the provider constructs a VPN and provides a VPN service to the user. This VPN may be established via the Internet. When classified from the viewpoint of the entity that manages the network (for example, the owner of the network), a network in which the administration entity of a plurality of sites is the same is referred to as an “intranet”.
, For example, indicates a network in which the management entity is operated by the same company.

A network in which the management entities at a plurality of sites are not the same is referred to as an “extranet”.
, For example, indicates a network operated by different independent companies. The classification can also be made from the viewpoint of what route domain each of the intranet and the extranet is composed of. That is, a case where one network is configured with a single route domain is called a single domain, and a case where one network is configured with a plurality of route domains is called a multi-domain. FIG. 1 shows an example of a network configuration based on a combination of a single domain / multi-domain and an intranet / extranet. Note that the same reference numerals throughout the drawings indicate the same or equivalent.

However, in general, it is rare that a plurality of route domains exist in a network managed by a single management entity in an intranet. Therefore, in this specification, a single domain intranet will be referred to as an intranet hereinafter. Shall be shown.

Also, in an extranet, it is considered that each network managed by a plurality of management entities often has a different relay rule (policy). Is an extranet.

Next, FIG. 2 and FIG. 3 explain how the router accommodating the single-domain and multi-domain VPNs shown in FIG. 1 constitutes a relay table. -First Prior Art FIG. 2 is a diagram illustrating an example of the configuration of a relay table of a router that accommodates a single domain intranet VPN connected via a provider.

In the figure, the packet receiving unit 113 refers to the domain identification table 109 to identify the source route domain of the input packet. If the packet is a routing packet, the packet is sent to the intranet domain route information processing unit 101.

For example, a path domain # 1 not shown
In the case where the packet is a routing packet from No. 1, the intranet domain route information management unit 102 (left side in the figure)
Then, the routing packet is received and written in the intranet domain relay table 104 (left side in the figure) corresponding to VPN # 11 provided corresponding to each VPN. That is, a packet from the route domain # 11 can be relayed only to the route domain # 11.

On the other hand, a path domain # 12 not shown
Intranet domain route information management unit 10 corresponding to
2 (right side in the figure) writes to the intranet domain relay table 104 (left and right side in the figure) of VPN # 11 and VPN # 12. That is, route domain #
12 can be relayed to both the route domain # 11 and the route domain # 12. As described above, the process of determining whether or not the connectivity between the route domains # 11 and # 12 has been performed in cooperation with the intranet domain route information management unit 102 and the corresponding intranet domain relay table 104.

The packet relay unit 111 is a packet receiving unit 1
When a packet is received from the router 13, the IP address of the next hop router to which the packet should be transferred is obtained by sequentially searching the intranet domain relay table 104 corresponding to each VPN based on the destination IP address.

The packet having the IP address of the transmission destination is transmitted to the packet transmission unit 112 together with the output interface information of the packet transmission unit 112. The packet transmitting unit 112 selects the specified output interface and transmits the packet. If the destination IP address does not exist in the intranet domain relay table 104 corresponding to each VPN, the packet is discarded.

Each intranet domain relay table 1
04 is configured to include a destination IP address, IP address mask information, output interface information, a next hop router IP address, and the like.

The routing domain information held by the intranet domain routing information processing unit 101 is periodically included in a routing packet and transmitted to the packet transmitting unit 112, and the packet transmitting unit 112 distributes the routing packet to an adjacent router. I do. -Second Prior Art FIG. 3 is a diagram for explaining an example of the configuration of a relay table of a router accommodating an extranet VPN having a multi-domain configuration. The essential difference between FIG. 2 and FIG. 3 is that the intranet is changed to be compatible with the extranet, and the extranet and the domain definition unit 1
Extranet relay policy 1 for associating with 05A
07A is newly provided. Focusing on this difference,
explain.

In the figure, the extranet domain route information management unit 102A of the extranet domain route information processing unit 101A usually has the same number as the number of route domains managed by the router. The extranet domain route information management unit 102A corresponding to the source route domain receives the routing packet, and writes the routing information to the extranet domain relay table 104A corresponding to the source route domain of the packet.

The packet relay unit 111 is a packet receiving unit 1
When a packet is received from the packet 13, a search is made for the extranet domain relay policy 107 A corresponding to the route domain information of the transmission source of the packet, and a list of route domains that can relay the packet is searched. Then, the domain definition unit 105A is called using the obtained list of the route domains and the transmission destination IP address as parameters.

The domain definition unit 105A sequentially extracts path domains from the list of path domains given as parameters, searches the extranet domain relay table 104A corresponding to the extracted path domain using the destination IP address, and Find the IP address of the next hop router to which the packet should be forwarded.

Then, the packet having the IP address of the transmission destination is transmitted to the packet transmission section 112 together with the output interface information of the packet transmission section 112. The packet transmitting unit 112 selects the specified output interface and transmits the packet.

As described above, in the packet relay processing, if it is desired to define a relay policy from an intranet VPN or an extranet VPN as a certain source to another extranet composed of multi-domains as a destination or to the same intranet as follows: There are issues.

[0030]

In the configuration shown in the first prior art, the route information corresponding to the destination VPN is written in each VPN relay table for each source route domain. Therefore, for the same destination VPN, multiple source V
If the PN attempts to define connectivity, multiple source Vs
The route information of the same destination VPN is copied to the relay table for the PN, and a large amount of memory is consumed as a whole.

In the configuration shown in the second prior art, it is necessary to individually define a relay policy for all combinations of a domain constituting a source VPN and a plurality of domains of a destination VPN. Setting / changing the policy is complicated.

As described above, a first object of the present invention is to facilitate setting / change of a relay policy, and a second object of the present invention is to reduce the amount of memory used in a relay device. It is intended to solve at least one of the first and second problems.

[0033]

The present invention has the following arrangement to solve the above-mentioned problems.

The packet relay apparatus according to the present invention provides identification information of a source virtual closed network corresponding to a received packet (for example,
Identification information of one or more destination virtual closed networks based on the source virtual closed network identifier (eg, destination virtual closed network identifier)
First means for selecting one or more of the route domains corresponding to the identification information of the one or more destination virtual closed networks .
Second for selecting identification information (eg, route domain identifier)
Third means for comparing a destination address of the packet with path information relating to the identification information of one or more path domains, and selecting an output interface for sending the packet to a next packet relay device. And fourth means for transmitting the packet from the output interface.

In addition, the first means may include identification information (for example, a source temporary closed network) of a transmission source virtual closed network related to a received packet.
Identification information (eg, destination virtual closed network identification) of one or more destination virtual closed networks according to respective priorities assigned to one or more destination virtual closed networks corresponding to virtual closed network identifiers
Child ).

According to the packet relay method of the present invention , identification information of a source virtual closed network (for example,
Identification information of one or more destination virtual closed networks based on the source virtual closed network identifier (eg, destination virtual closed network identifier)
A second step of selecting identification information (eg, a path domain identifier) of one or more path domains corresponding to the identification information of the one or more destination virtual closed networks; and A third step of comparing the destination address of the packet with routing information related to the identification information of one or more of the routing domains, and selecting an output interface for sending the packet to the next packet relay device; A fourth step of transmitting the packet from

The packet relay device of the present invention is a packet relay device that relays a received packet to a next relay device according to a policy, and includes one or more source virtual closed networks and one or more destination virtual closed networks. First means for managing the relationship of
Identification information of one or more destination virtual identification closed networks capable of relaying the received packet based on the source virtual closed network associated with the received packet by cooperating with the first means (for example,
Second means for selecting a destination virtual closed network identifier, for example , and identification information of the source virtual closed network based on a command from the terminal (eg,
For example, a source virtual private network identifier is transmitted to the second means, and identification information of one or more destination virtual private networks corresponding to the identification information of the source virtual private network (e.g.,
Third means for receiving a destination virtual closed network identifier) and displaying the correspondence between the source virtual closed network and one or more destination virtual closed networks on a terminal. The data is transmitted to any one of the relay devices of one or more destination virtual closed networks selected by the means.

The packet relay device of the present invention is a packet relay device for relaying a received packet to a next relay device according to a policy, and includes at least one source virtual closed network and one or more destination virtual closed network. First means for managing the relationship of
By cooperating with the first means, the identification information of the source virtual closed network relating to the received packet (for example, the source virtual closed network
Identification information for one or more destination virtual identification private network capable of relaying the received packet based on the frequency network identifier) (for example, destination tentative
Second means and, routing domain policy table based on a command having the identification information of one or more destination virtual identification private network as operand from the terminal (e.g., the destination virtual private network identifier) that selects a virtual private network identifier) Identification information of one or more destination route domains corresponding to each of the one or more destination virtual closed networks set in (e.g., a route domain identifier)
Means for requesting a list of the destination virtual closed network, and identification information of one or more destination virtual closed networks corresponding to each identification information of the destination virtual closed network (for example, destination virtual closed network).
And fourth means for extracting identification information (for example, a route domain identifier) of the destination route domain from the route domain policy table based on the request received from the third means for extracting the identifier). Identification information of each extracted destination virtual closed network (eg, route domain identifier)
And a list of one or more destination route domains corresponding to the identification information of each destination virtual closed network is displayed on the terminal.

[0039]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The principle of operation of the present invention and preferred embodiments will be described below with reference to the drawings. In addition,
Hereinafter, the source VPN identifier is called a virtual closed network identifier,
The destination VPN identifier may be referred to as a destination virtual private network identification, and the destination VPN identifier may be referred to as a destination virtual private network identifier. Also, the source VPN identifier may be called a source VPN, the destination VPN identifier may be called a destination VPN, and the route domain may be called a domain.

FIG. 4 is a diagram for explaining the operation principle of the relay device 100 according to the present invention.

In the figure, a packet relay means 51 sends an input routing packet to a route information management means 54, and transmits an input packet to the inter-domain relay means 53, the inter-network relay means 52 and the route information management means 54. The packet to be relayed is transmitted to a desired transfer destination based on the information obtained by the cooperation of (1). The routing information may be manually set in the route information management unit 54 without depending on the routing information included in the routing packet. In addition, the inter-network relay means 52 includes a virtual closed network (VP) accommodating one or more route domains.
N).

The inter-network relay means 52 is called from the packet relay means 51 and receives header information and attribute information of the packet as parameters. Next, based on the source virtual private network identifier (source VPN identifier) corresponding to the packet, a virtual private network identifier (destination VPN identifier) that can be relayed is searched for.

Then, the inter-domain relay means 53 is called. At this time, header information, attribute information, and a relayable virtual private network identifier (transmission destination VPN identifier) of the packet are passed as parameters. Inter-domain relay means 53
Means for specifying each route domain in which a relayable virtual private network is accommodated, and based on the destination IP address, a desired transfer destination IP address and output interface information or the like, or information indicating that relay is not possible, Obtained from 54. Finally, the packet relay means 5
Notify 1. The packet relay unit 51 sends the packet to a desired transfer destination based on the information, or
Discard. <Embodiment 1> FIG. 5 is a diagram illustrating an example of a first embodiment of the present invention.

The receiving interface 13 receives a packet from a connected network (for example, LAN, WAN or the Internet) and sends it to the packet receiving unit 10.
To send to.

The source VPN identification table 9 is a table for identifying a source domain and a source VPN of a packet received via the reception interface 13 (an example of a table format will be described later).

The packet receiving unit 10 receives the IP received from the network via the receiving interface 13.
The destination IP address set in the header of the packet is analyzed, and it is determined whether the packet is to be relayed or received by the own station (own router).

The packet receiving unit 10 searches the source VPN identification table 9 using the identifier (for example, port number) of the receiving interface 13 that has received this packet as a key, and finds out which route domain and which Identify if received from VPN. If a source IP address field is added to the source VPN identification table 9, a similar result can be obtained even if the source IP address of the IP packet header is used as the search key.

The packet receiving unit 10 sends a routing packet (for example, BGP-4 [b
order gateway protocol v
4) When the packet is received, the packet is transmitted to the route information processing unit 1. If the received packet is a packet to be relayed to another relay device, the packet is sent to the packet relay unit 11. It should be noted that other data packets addressed to the own station are known to those skilled in the art and will not be described.

The route information processing unit 1 has a plurality of intra-domain relay tables 4, and usually exists in correspondence with the number of route domains managed by the router. The route information processing unit 1 receives route information (routing information) via the packet receiving unit 10.
Received, and the route domain to which the route information belongs (determined from the source VPN identification table 9)
Is updated in the intra-domain relay table 4 (an example of the table format will be described later) corresponding to.

For example, the packet receiving unit 10 refers to the transmission source VPN identification table 9 from the reception interface 13 of the received packet and specifies the transmission source route domain. Then, the specified route domain information and the received route information are sent to the route information processing unit 1.

In the route information processing unit 1, the packet receiving unit 1
One corresponding intra-domain route information management unit 2 is selected based on the route domain specified by 0. The selected intra-domain path information management unit 2 updates the intra-domain relay table 4 corresponding to the path domain information based on the path information. The route information set in the relay device 100 is transmitted to another relay device (such as a router) via the packet transmission unit 12.
Distributed to

Each intra-domain relay table 4 is a table that exists in correspondence with a path domain and manages path information necessary for relaying (routing) a packet in the path domain. Each intra-domain relay table 4 may be constructed manually. When each intra-domain relay table 4 is manually constructed, the intra-domain route information management unit 1 can be omitted.

The packet relay unit 11 includes an inter-VPN relay policy enforcement unit 6, a VPN definition unit 5, and each of the following: in order to obtain information necessary for relaying a packet received from the packet receiving unit 10 to another relay device. Cooperates with the intra-domain relay table 4 to generate header information of an output packet,
The output interface of the transmission interface 14 is determined, and the output packet is sent to the packet transmission unit 12.

More specifically, the packet relay unit 11 uses the source route domain, the source VPN identifier (source virtual private network identifier) and the destination IP address of the packet to be relayed as a calling parameter to implement an inter-VPN relay policy. Call the part 6.

The inter-VPN relay policy enforcement unit 6 determines whether the source V
PN identifier (source virtual private network identifier) and destination VPN
Manages the connection relationship (correspondence relationship) with the identifier,
The inter-VPN relay policy table 8 is searched using the VPN identifier and the destination IP address, and a list of VPN identifiers capable of relaying this packet and IP address information attached to each VPN identifier are obtained.

Although not shown, for example, the VPN identifier of the transmission source of the packet is VPN # 1, and this VP
VP as a relayable VPN identifier corresponding to N # 1
Assuming that N # 1, VPN # 2, and VPN # 4 are defined in the inter-VPN relay policy table 8, the inter-VPN relay policy execution unit 6 acquires the VPN # 2, the VPN # 1, and the VPN # 4.

At this time, it is assumed that VPN # 2 has the highest priority and VPN # 4 has the lowest priority. Also, VPN #
10.100.1 as IP address information accompanying 1
If it is defined as 23.0 / 24, this IP address information can also be obtained. This IP address information may be one or more. Also, a logical product (AND) is added to the IP address information,
Logical expressions such as logical sum (OR), logical negation (NOT), parentheses, and / or the like, and / or instructions related to connection (for example, permission [Permit], non-permission [Deny]), etc., may be included. .

That is, a VPN identifier capable of relaying the packet is obtained, and IP address information can be specified as a condition attached to the VPN identifier. This is, for example,
Even if a packet can be relayed to VPN # 2, the packet cannot be relayed unless the IP address information specified as the incidental condition matches the specified condition. For example, if the destination IP address of the packet is 10.10.50.5
If it is 0, it can be relayed as VPN # 2,
According to the IP address information designated as “10.10.50.0/24 Deny”, the packet cannot be relayed.

Next, the inter-VPN relay policy enforcer 6 (FIG. 5) transmits the destination I received from the packet relay 11.
P address, the source route domain, and one or more destination Vs obtained from the inter-VPN relay policy table 8
The VPN definition unit 5 (FIG. 5) is called using the PN identifier and the IP address information attached to each destination VPN identifier as parameters.

The VPN definition unit 5 manages the connection relationship (correspondence relationship) between the destination VPN identifier and the route domain identifier, and also controls the inter-domain relay policy corresponding to each destination VPN identifier passed as a parameter. With reference to Table 7, each intra-domain relay table 4 is assigned a priority. Then, the intra-domain relay table 4 is searched according to the priority using the destination IP address passed as a parameter. At this time, the IP address information attached to each destination VPN identifier is also evaluated. In the search result, information on the IP address and output interface of the next hop router detected first, or information indicating that relaying is not possible (the relevant information could not be obtained as a result of the search) is obtained. In addition, filtering information and NAT (Netwo
(rk Address Translation) information can also be obtained.

The information is transferred to the packet transmitting unit 12 via the inter-VPN relay policy executing unit 6 and the packet relay unit 11. At this time, the packet relay unit 11
When receiving the information that the packet cannot be relayed, the packet is discarded.

When the packet transmitting unit 12 receives the IP address of the next hop router to which the packet is to be transmitted and the information of the output interface, it uses the received information from the packet relay unit 11 to replace the header information of the packet (the destination IP address). Address, etc.), and sends out related transmission interface information (output interface, etc.) to the transmission interface 14.

When a packet including path information is received from the path information processing section 1, the packet is transmitted to the designated transmission interface 14. Since this technique is known, its details are omitted.

The transmission interface 14 transmits the packet received from the packet transmission unit 12 according to the output interface based on the transmission interface information.
Then, it is transmitted to the network connected to the relay device.

As described above, the source VPN identifier set in the inter-VPN relay policy table 8 and the destination VP
It is possible to easily process whether or not to relay a packet based on a policy regarding the connection availability with the N identifier and the policy regarding the connection availability between the destination VPN identifier and the route domain set in the inter-domain relay policy table 7.

Further, since the inter-domain relay policy table 7 and the inter-VPN relay policy table 8 are configured in a hierarchical structure, it is possible to easily set / change the policy. <Embodiment 2> FIG. 6 is a diagram for explaining an example of a second embodiment of the present invention.

The essential difference between the first embodiment (FIG. 5) and the second embodiment (FIG. 6) lies in the provision of a path filter 3 in the path information processing section 1. The route filter 3 is a filter for limiting (filtering) the route information set in the intra-domain relay table 4 by the intra-domain route information management unit 2.

For example, in the example shown in FIG. 6, the route filter 3 is provided for only one route domain, but the route information processing unit 1 corresponds to a plurality or all of the intra-domain route information management units 2. It may be provided.

The route filter 3 sets the route information in the corresponding intra-domain relay table 4 from the intra-domain route information management unit 2. At this time, if the route filter 3 is interposed, the route filter 3 specifies the route information. Only the route information of the specified condition is passed.

When 192.169.30.0/24 is specified as an IP address in the route filter 3, for example, 24 bits from the first bit (IP
IP address (192.169.30. *) [*
Indicates an arbitrary value from 0 to 255]). By explicitly prohibiting the setting of the route information related to the above) or by permitting the setting of only the IP address, only the route information permitted by this route filter can be set in the domain. It can be set in the route information management unit 2.

In this way, the IP addresses are grouped into one or more groups using the upper n bits (the first 24 bits in the above example) for one path domain by the path filter 3, and the logical sum of the groups is obtained. By performing the above processing, it becomes possible to set a policy by grouping IP addresses more finely in setting a policy in the same domain. <Embodiment 3> The third embodiment is one of modified examples of the second embodiment, and FIG. 7 is a diagram for explaining an example of the third embodiment of the present invention.

The essential difference between the third embodiment (FIG. 7) and the second embodiment (FIG. 6) is that a plurality of intra-domain relay tables 4A divided by the route filter 3A correspond to the route information. In that it can be set.

That is, when one route domain having a certain IP address group is divided into two or more and operated, the route filter 3A is provided in the corresponding intra-domain route information management unit 2 of the route information processing unit 1. With a small amount of work, a plurality of intra-domain relay tables 4 corresponding to the divided route domains can be efficiently constructed.

For example, when one route domain is divided into two route domains and a new operation is performed, it is assumed that there are two IP address groups corresponding to each divided route domain. The IP address of the first group, not shown, is 192.168.10.0.0 / 24,
The group shall be 192.168.2.0.0 / 24.

In such a case, the route information of the first group is stored in the intra-domain relay table 4A by the route filter 3A.
And the route information of the second group can be set in the corresponding intra-domain relay table 4B.

As described above, when one route domain is divided into two or more route domains, as described above,
The setting of the path information can be controlled in the plurality of intra-domain relay tables 4 corresponding to the P address group units. <Embodiment 4> The fourth embodiment is a modification of the first embodiment, and FIG. 8 shows a diagram for explaining an example of the fourth embodiment of the present invention.

The essential differences between the fourth embodiment (FIG. 8) and the first embodiment (FIG. 3) are the cooperation between the VPN definition unit 5 and the configuration information setting display unit 15, and the inter-VPN relay policy. This is in cooperation between the execution unit 6 and the configuration information setting display unit 15.

That is, the information set in the inter-domain relay policy table 7 and the inter-VPN relay policy table 8 based on a command from a terminal 16 (for example, a workstation) connected to the configuration information setting display section 15 is transmitted to the terminal 16. Display / update (change,
Add, delete).

The terminal 16 may be a remote terminal (for example, a PC) connected via a line (WAN, LAN, Internet, telephone line, etc.).

More specifically, the configuration information setting display unit 15 receives each source VPN identifier defined in the inter-VPN relay policy table 8 by a command such as a command from the terminal 16 connected to the configuration information setting display unit 15. A request for a list of the (source virtual closed network identifier) and the destination VPN identifier (destination virtual closed network identifier) corresponding to each of the source VPN identifiers is requested to the inter-VPN relay policy enforcement unit 6.

Based on the request, the inter-VPN relay policy enforcement unit 6 refers to the inter-VPN relay policy table 8 to search for all the set VPN identifiers, and checks each of the source VPN identifiers (the source virtual closed network). A list of the destination VPN identifiers corresponding to the identifiers is passed to the configuration information setting display unit 15.

Then, the source VP shown in FIG.
An example of a many (window) displaying a list of N is displayed.

When a specific destination VPN identifier is input from the screen (window) of the terminal 16, for example, when “VPN2” is clicked as the source VPN shown in FIG. 9, “source VPN2” is displayed. The information is input to the configuration information setting display unit 15.

The configuration information setting display unit 15 displays the source VPN
It requests the inter-VPN relay policy enforcement unit 6 to acquire information on the destination VPN (destination VPN) corresponding to No. 2.

The inter-VPN relay policy enforcement unit 6 obtains a destination VPN identifier (destination virtual closed network identifier) corresponding to the specified source VPN identifier (source virtual closed network identifier) “VPN2”. The inter-VPN relay policy table 8 is searched, and the result is displayed on the configuration information setting display unit 15.
Notify.

If the number of the notified destination VPN identifiers is one or more, the configuration information setting display section 15 displays each destination VP.
VPN search for destination route domain corresponding to N identifier
Request to the definition unit 5. The VPN definition unit 5 performs the above-mentioned destination VP
The inter-VPN relay policy table 7 is searched based on the N identifier, and the corresponding route domain identifier is obtained.

The VPN definition unit 5 includes a configuration information setting display unit 15
, Each destination VPN identifier and each route domain identifier are associated with each other and notified. The configuration information setting display unit 15 displays the source VPN identifier, each destination VPN identifier corresponding thereto, and each route domain identifier corresponding to each destination VPN identifier in a GUI (Graphical UserIn).
This is displayed on the screen of the terminal 16 as “terface”.
FIG. 10 shows an example of display on the window of the screen.

In the above description, the display on the terminal screen has been mainly described. However, additional information to the displayed information (source VPN identifier, destination VPN identifier (destination VPN identifier), destination route domain identifier) is added. , Change and deletion methods will be described.

For example, an example in which a source VPN identifier (source virtual closed network identifier) is additionally registered will be described.

In the state where the many (window) shown in FIG. 9 is displayed on the screen of the terminal 16, among the function keys (PF1 to PF12), for example, PF5
When is pressed, an instruction for inputting additional registration of a new transmission source VPN identifier is displayed below "VPN3" as shown in FIG. 11, for example.

Source V to be additionally registered in accordance with the instruction
When the PN identifier is input, the configuration information setting display unit 15
Requests the VPN relay policy enforcer 6 to add the source VPN identifier based on this input. And V
The inter-PN relay policy execution unit 6 additionally registers the source VPN identifier in the inter-VPN relay policy table 8. Then, the terminal 16 waits for the next instruction input.

To delete the source VPN identifier, for example, by pressing the PF6 key in the state shown in FIG. 9, for example, a menu shown in FIG. 12 is displayed.

When the source VPN identifier to be deleted is input, the configuration information setting display unit 15 requests the inter-VPN relay policy execution unit 6 to delete the specified source VPN identifier based on this instruction. I do. Then, the inter-VPN relay policy execution unit 6 deletes the source VPN identifier from the inter-VPN relay policy table 8. Then, the terminal 16 waits for the next instruction input.

To change the source VPN identifier, for example, in the state shown in FIG. 9, for example, place the cursor on the source VPN identifier to be changed, and
By pressing the 7 key, for example, a menu (window) shown in FIG. 13 is displayed.

When an instruction to change the source VPN identifier is input, the configuration information setting display unit 15 instructs the inter-VPN relay policy enforcement unit 6 based on the instruction to change the current source VPN identifier before the change. A change is requested using the later new transmission source VPN identifier as a parameter.

The configuration information setting display unit 15 requests the inter-VPN relay policy enforcement unit 6 to change the current source VPN identifier designated to the new source VPN identifier based on this parameter. Then, the inter-VPN relay policy implementation unit 6
The current source VPN identifier in the inter-PN relay policy table 8 is changed. Then, the terminal 16 waits for the next instruction input.

When the configuration information setting display unit 15 receives an input of addition / deletion / change of the destination VPN identifier (right side in FIG. 10) from the terminal 16, the configuration information setting display unit 15 performs the VPN based on this instruction. It requests the inter-relay policy enforcement unit 6 to update (add, delete, or change) the list of designated destination VPN identifiers.

Although not shown, the request to change the destination VPN identifier is also made in the same manner as described above by placing the cursor on the destination PF key 8 (addition) and the PF key 9 (adding). Press (Delete), place the cursor on the destination VPN identifier to be changed, and place the cursor on the PF key 1.
Similarly, by using 0 (change), the configuration information setting display unit 15 requests the inter-VPN relay policy execution unit 6 to update (add, delete, or change) the destination VPN identifier.

The inter-VPN relay policy execution unit 6 updates (adds, adds, and updates) the inter-VPN relay policy table 8 based on the request.
Delete or change).

FIG. 14 is an example of information displayed when the transmission source VPN 3 is clicked on the menu (window) shown in FIG. 9, and the main information structure is the same as that of FIG. However, FIG. 14 shows that the attribute information items 1 to 4 are displayed, but not shown in FIG. Note that the attribute information 1 to 4 are not displayed on the initial screen.

For these pieces of attribute information, the cursor is moved to the source VPN identifier or the destination VPN identifier, or when the cursor is clicked, the attribute information relating to the VPN identifier is displayed on the terminal 16.

More specifically, for example, the source VPN identifier (VPN3) displayed on the screen of the terminal 16 and the destination V
When the cursor is moved over the PN identifier (VPN3, VPN1) and the domain name (domain 4, domain 1, and domain 2), the configuration information setting display unit 15 is notified that the cursor has moved to the display target. .

The configuration information setting display section 15 specifies a VPN identifier based on the notified information. For example, if the specified target is the source VPN 3, the inter-VPN relay policy table 8 is searched for the attribute information 1 regarding the VPN 3 as described above, and the obtained attribute information 1 is displayed on the screen.

Similarly, when the attribute information 2 is displayed, the configuration information setting display unit 15 responds to the notified instruction by displaying the destination V
The VPN definition unit 5 is called with PN2 as a parameter, and a request is made to extract the corresponding attribute information 2. Then, the VPN definition unit 5 extracts the attribute information 2 and notifies the configuration information setting display unit 15.

The configuration information setting display section 15 displays the notified attribute information 2 of the destination VPN 2 on the terminal 16. FIG. 14 shows an example of display on the terminal device 16.

Furthermore, the configuration information setting display unit 15
For example, if the PF11 key is pressed while the attribute information 2 is being displayed on the screen, the display information can be updated.

Each item of the displayed attribute information 2 can be changed by
It can be changed by overwriting. For example,
"Domain 4" is displayed on the right side of the destination access priority 1, but if this is reset to "Domain 3" (type in), "Domain 4" can be changed to "Domain 3". it can.

When the displayed “domain 4” is deleted using the delete key or overwritten with a blank, “domain 4” is deleted.

When the PF12 key is pressed, a new input field appears below "domain 4", and it becomes possible to input a destination route domain to be additionally registered. When, for example, “domain 5” is entered in this input field, “domain 5” can be additionally registered in addition to “domain 4” that has already been set.

Similarly, the field values of Owner, access rules, and filter conditions can be changed.

Further, editing (addition, deletion, or change) of the destination route domain from the screen (window) of the terminal 16
Is assumed. For example, when “domain 4” under the destination VPN 3 displayed on the window of the terminal 16 is clicked on “domain 4”, “domain 4 of destination VPN 3” is input to the configuration information setting display unit 15.

The configuration information setting display section 15 displays “Destination VPN”
Using the “3 domain 4” as a parameter, the VPN definition unit 5 is requested to acquire the attribute information 3. The VPN definition unit 5 acquires the destination VPN identifier, which is the destination VPN identifier, and the attribute information 3 of the domain 4 from the inter-domain relay policy table 7, and notifies the configuration information setting display unit 15.

The configuration information setting display section 15 displays the notified attribute information 3 on the terminal 16. An example of the display is shown in the upper right of FIG.

In FIG. 15, it is clear that information on the source VPN identifier (source VPN identifier, destination VPN identifier, route domain identifier) can be obtained by the same procedure as described above. Therefore, a method of displaying the information will be described with reference to FIG.

In the figure, three windows are displayed.
Window 1 is a root window and has the same display content as the screen display content shown in FIG. The window 2 is newly displayed by left-clicking on the display target (the VPN 3 in this figure) of the transmission source VPN identifier displayed in the window 1. Right-clicking displays attribute information 1.

When Windows 2 is displayed, right-clicking on a display target (the destination VPN 3 in the upper part in this figure) displays attribute information 2. On the other hand, when left-clicked, a window 3 is newly displayed, and a route domain 4 corresponding to the destination VPN 3 is displayed in the window.

Right-clicking on the route domain 4 in the window 3 displays the attribute information 3.

As described above, the relationship between the source VPN identifier, destination VPN identifier (destination VPN identifier), and destination (destination) route domain identifier is hierarchically shown, for example, in windows 1 to 3. By displaying the setting information on the terminal 16, the setting information related to the source VPN can be easily confirmed.

In particular, information corresponding to the hierarchized source VPN identifier can be displayed on a terminal screen as visually organized information via a GUI. In addition,
When there is a lot of information, one window (logical screen) is divided into a plurality of physical screens (terminal screens), and each is displayed as one screen, or continuously moved and displayed by a scroll function, so that the entire information is displayed. It can be easily grasped.

As described above, setting information can be easily confirmed by displaying / updating the information of the inter-domain relay policy table 7 and the inter-VPN relay policy table 8 on the terminal 16. Furthermore, if the user wants to change the confirmed setting information, the user can easily change, add, or delete the information while checking the value. <Embodiment 5> FIG. 16 is a diagram for explaining an example in which a router to which the first embodiment of the present invention is applied is employed in a network provided by an Internet service provider. In this embodiment, when the carrier provides a VPN service equivalent to the VPN service provided by the provider, the carrier is included in the provider.

FIG. 17 is a diagram for explaining the domain configuration of the network shown in FIG.

FIG. 18 is a view for explaining an example of the source VPN identification table 9 for managing the correspondence between the receiving interface, the source domain and the source VPN in the router 1 shown in FIG.

FIG. 19 is a view for explaining an example of the format of a table for setting a relay policy between VPNs.

FIG. 20 is a diagram for explaining the format of a table for setting an inter-domain relay policy and an example of set values. FIGS. 21, 22, and 23 are diagrams illustrating examples of the format and setting values of the relay table between the route domains.

An operation example of the router to which the present invention is applied will be described with reference to FIGS.

In the network in which the provider network shown in FIG. 16 provides the VPN service, there are four route domains (domain # 1 to domain # 4) and three routers (router 1 to router 3). I have.

A description will be given of an operation example of the router 1 to which the present invention is applied, focusing on the router 1 (IP address is 192.168.254.1) which manages the domains # 1, # 2, and # 4. The present invention is not necessarily applied to the router 2 or the router 3, but may be applied. First, a general operation of the router 1 that provides a VPN service will be described.
A description of the process of determining whether or not connectivity between routes and between route domains will be described later.

The router 1 has an intra-domain relay table corresponding to each route domain to be accommodated, and is managed independently. FIGS. 21 to 23 show examples of the format of the intra-domain relay table 4 constructed corresponding to the route domains # 1, # 2, and # 4.

The router 1 has the receiving interfaces IF0 to IF2.
When each packet is received from (FIG. 16), the source VPN identification table 9 (for example, FIG. 8) is referred to for each packet to check the route domain to which the received packet belongs, and the intra-domain relay table 4 corresponding to the route domain.
Referring to FIGS. 21 to 23, the IP address and output interface of the next hop router to be relayed next are obtained. Then, a header of the packet is created, and the packet is sent to the next hop router from one of the output interfaces IF10 to IF12 (FIG. 16).

For example, if the router 1
From F0 (FIG. 16), the destination IP address is 192.168.100.10
When receiving the data packet that is (route domain # 2, VPN # 1), the router 1 first refers to the source VPN identification table 9 (FIG. 18) and checks the reception interface IF0.
It identifies that the packet received from (FIG. 16) belongs to domain # 2 and the source VPN identifier is VPN # 1.

Next, the router 1 refers to the inter-VPN relay policy table 8 and checks the VP which is the source VPN identifier.
A domain # 1 and a domain # 2 that can be relayed to N # 1 are obtained.

Next, connectivity between VPN # 1 and the route domain is searched. That is, the inter-domain relay policy table 7 (FIG. 20) is searched using VPN # 1 as a search key. As a result, duplicate information is deleted, and domain # 1 and domain # 2 are obtained.

Next, using the destination IP address (192.168.100.10) of the received packet as a key, the intra-domain relay table 4 (FIGS. 21 and 22) corresponding to the domain # 1 and the domain # 2 is searched according to the priority order. I do. Although it is a technique known to those skilled in the art, first, regarding the first row of the intra-domain relay table 4 (FIG.
The logical product of the P address (192.168.100.10) and the mask (255.255.255.0) of the intra-domain relay table 4 is obtained.
As a result, 192.168.100.0 can be obtained. This 192.168.100.0 and the destination (Destination) value of 192.16
Compare with 8.30.0 to determine if they match.
This determination result does not match. Then, the next line (second line) is processed. In this figure, the destination (Destina
tion) value is 192.168.100.0, and this destination value matches the destination address obtained by the logical product. Therefore,
Based on the route information (Destination, mask, output interface, next hop router) on the second line, 192.168.254.3 is set as the next hop router address (next relay device address).
And IF10 can be obtained as an output interface. This search may be performed in parallel using a plurality of processors. As a result of this search, the first hop router address detected first is adopted.

From the intra-domain relay table 4 of the routing domain 2 (FIG. 22), as the IP address of the next hop router
Get 192.168.254.3 and IF10 as output interface. That is, this packet can be relayed.

Then, router 3 is used as the next hop router.
(192.168.254.3).

Also, in the present embodiment, for example, the provider allows / disables connection between the routing domains shown in FIG.
It is assumed that the non-permission defines the connectivity as shown in FIG. The route domain # 1 (10.25.0.0) and the route domain # 2 (192.168.0.0) have mutual connectivity as a VPN # 1, and constitute an extranet via a provider network. The route domain # 2 (192.168.0.0) and the route domain # 3 (10.30.0.0) have mutual connectivity as a VPN # 2 and constitute an extranet via a provider network.

The connectivity between the routing domain # 1 (10.25.0.0) and the routing domain # 3 (10.30.0.0) is not defined. Route domain # 4 (192.172.0.0)
Is composed of a single route domain, and configures VPN # 3 as an intranet.

In the above network, for example,
Defines an inter-VPN communication policy (filter condition, address conversion processing, etc.) between PN # 1 (extranet connection between route domains # 1 and # 2) and VPN # 3 (intranet connection in route domain # 4) And The address translation process means that a local IP address used only in the intranet is uniquely assigned and operated, and when a packet is transmitted / received between the intranet and the Internet, the local IP address and the global IP address in the intranet are compared. The process of mutually converting is shown. Regarding this address conversion, IETF (Internet Enginee
Ring Task Force) has already been defined in standardized RFC1631, etc., so please refer to this for details.

Next, FIG. 19 shows that the VPN #
FIG. 9 is a diagram for describing an example of setting a relay policy between 1 and VPN # 3. According to this, the router 1 has a VPN #
When a packet is received from VPN # 1, VPN # 1 can relay the packet to VPN # 1 unconditionally,
N (for example, VPN # 3) packets cannot be relayed.

On the other hand, the router 1 receiving the packet from the VPN # 3 can unconditionally relay the packet to the VPN # 3. However, the destination is VPN # 1
Is 192.172.10.0/24 as the destination address
Is shown to filter out packets with

First, it is assumed that the relay policy between the domains constituting VPN # 1 and VPN # 3 is set as shown in FIG. This setting indicates that the VPN # 1 has connectivity between the domain # 1 and the domain # 2, and is unconditionally relayable (permit) to either domain. At this time, the domain # 1 is replaced with the domain # 2
This indicates that the intra-domain relay table is referred to with higher priority.

For VPN # 3, domain #
4 (the connection between the IF2 of the router 1 and the IF2 of the router 2), indicating that unconditional relay is permitted for packet transfer within the domain # 4.

As described above, by applying the router to which the first embodiment is applied to the provider network as described above, the provider can provide the VPN service to the end user.

(Supplementary Note 1) First means for selecting identification information of one or more destination virtual closed networks based on identification information of a source virtual closed network corresponding to a received packet, and one or more destination virtual closed networks Second means for selecting identification information of one or more route domains corresponding to the identification information of the virtual closed network;
Third means for comparing a destination address of the packet with route information of one or more route domains, and selecting an output interface for sending the packet to a next packet relay device; A packet relay device comprising a fourth means for transmitting a packet.

(Supplementary Note 2) In the supplementary note 1, the first means may select one or more destination virtual closed networks based on identification information of a source virtual closed network corresponding to the receiving interface that received the packet. A packet relay device characterized by the above-mentioned.

(Supplementary Note 3) In the supplementary note 1, the first means selects one or more destination virtual closed networks based on the identification information of the source virtual closed network corresponding to the source address that received the packet. A packet relay device characterized by the above-mentioned.

(Supplementary Note 4) In the supplementary note 1, the first means may be configured such that each priority assigned to one or more destination virtual closed networks corresponding to each identification information of the source virtual closed network associated with the received packet. A packet relay apparatus for selecting identification information of one or more destination virtual closed networks according to the order.

(Supplementary Note 5) In the supplementary note 1, the second means may store the identification information of one or more destination route domains corresponding to the identification information of one or more destination virtual closed networks, respectively. A packet relay device for selecting according to the priority of a destination route domain.

(Supplementary Note 6) In the supplementary note 1, the first means further includes a route filter for filtering the route domain information, and sets the route domain information selected by the route filter in the third means. A packet relay device.

(Supplementary Note 7) In the supplementary note 1, the first means further includes a route filter for filtering the route domain information, and sets the route information in the intra-domain relay table managed by the inter-domain packet relay means. A packet relay device that divides and writes the route information into a plurality of intra-domain relay tables.

(Supplementary Note 8) A first step of selecting identification information of one or more destination virtual closed networks based on identification information of a source virtual closed network associated with a received packet, and one or more destination virtual closed networks. A second step of selecting identification information of one or more route domains corresponding to the identification information of the virtual closed network, collating a destination address of the packet with routing information of one or more routing domains, A packet relay method, comprising: a third step of selecting an output interface for transmitting a packet to a next packet relay device; and a fourth step of transmitting the packet from the output interface.

(Supplementary Note 9) A packet relay device for relaying a received packet to a next relay device according to a policy,
A first means for managing a relationship between one or more source virtual closed networks and one or more destination virtual closed networks; and a source virtual closed network associated with a received packet by cooperating with the first means. A second means for selecting one or more destination virtual identification closed networks capable of relaying the received packet based on the command, and transmitting identification information of a source virtual closed network to the second means based on a command from a terminal, Receiving identification information of one or more destination virtual closed networks corresponding to the identification information of the original virtual closed network, and associating a terminal with a correspondence between the source virtual network and one or more destination virtual closed networks; And a third means for displaying the packet. The packet relay apparatus sends the received packet to one of the relay apparatuses of one or more destination virtual closed networks selected by the second means.

(Supplementary Note 10) In the supplementary note 9, the first means may further include a table for holding a correspondence relationship between the source virtual closed network and one or more destination virtual closed networks related to the received packet. A packet relay device characterized by the above-mentioned.

(Supplementary Note 11) In the supplementary note 9, the third means receives identification information of a transmission source virtual closed network to be additionally registered and identification information of one or more corresponding destination virtual closed networks, Ask the second means for additional registration,
The second means stores the identification information of one or more destination virtual closed networks corresponding to the identification information of the source virtual closed network to the first
A packet relay device registered in a means.

(Supplementary Note 12) In the supplementary note 9, the third means may request the second means to delete the identification information of the transmission source virtual closed network to be deleted, which is received from the terminal, and the second means Wherein the identification information of the transmission source virtual closed network is deleted.

(Supplementary Note 13) In the supplementary note 9, the third means may send a request to change the identification information of the source virtual closed network received from the terminal to the identification information of a new source virtual closed network. The packet relay device according to claim 2, wherein the second means changes the identification information of the source virtual closed network to the new identification information of the source virtual closed network.

(Supplementary Note 14) A packet relay device that relays a received packet to a next relay device according to a policy, and manages a relationship between one or more source virtual closed networks and one or more destination virtual closed networks. Selecting the identification information of one or more destination virtual identification closed networks capable of relaying the received packet based on the identification information of the source virtual closed network associated with the reception packet by cooperating with the first means. And a second means for performing at least one destination virtual private network set in the route domain policy table based on a command having one or more destination virtual identification closed network identification information from the terminal as an operand. Third means for requesting the second means for a list relating to identification information of one or more destination route domains, and one or more destinations corresponding to each identification information of the destination virtual closed network A fourth means for extracting identification information of a destination path domain from a path domain policy table based on a request received from the third means for extracting identification information of a virtual closed network, wherein the third means A packet relay device displaying, on the terminal, identification information of each destination virtual closed network and one or more destination route domains corresponding to the identification information of each destination virtual closed network. (Supplementary Note 15) First means for selecting one or more destination virtual closed networks based on the source virtual closed network identifier corresponding to the input packet, and 1 corresponding to one or more destination virtual closed networks. Second means for selecting one or more routing domains, and an output interface for comparing a destination address of the packet with routing information of one or more routing domains, and sending the packet to the next packet relay device And a fourth means for transmitting the packet to the destination address. (Supplementary note 16) The packet relay device according to supplementary note 15, wherein at least one of the source virtual closed network and one or more of the destination virtual closed networks related to the packet is a virtual private network. (Supplementary Note 17) The packet relay device according to supplementary note 15, wherein the third means includes a route filter for filtering route information, and sets the route information selected by the route filter in an intra-domain relay table. . (Supplementary Note 18) In the supplementary note 15, the third means includes a route filter for filtering the route information, and sets a plurality of pieces of the route information when setting the route information in the intra-domain relay table managed by the third means. A packet relay device that divides and writes the divided data in the intra-domain relay table. (Supplementary Note 19) A step of selecting one or more destination virtual closed networks capable of relaying the packet based on a source virtual closed network identifier of the input packet, and corresponding to the one or more destination virtual closed networks. Selecting one or more routing domains to perform, comparing a destination address of the packet with destination information associated with the one or more routing domains, and selecting a destination address of the packet; Sending a packet to a destination address. (Supplementary Note 20) First means for managing a plurality of source virtual private network identifiers and one or more destination virtual private network identifiers corresponding to each of the source virtual private network identifiers, and one or more from the policy management unit. Receiving the source virtual private network identifier and the one or more source virtual private network identifiers in association with each other,
A packet relay device comprising: a second unit that displays one or more of the source virtual private network identifiers and one or more of the source virtual private network identifiers on a terminal in association with each other. (Supplementary note 21) In Supplementary note 20, the first means may include one or more destination virtual private network identifiers corresponding to one source virtual private network identifier received by the second means from the terminal, as the second virtual means. The packet relay device sends the packet to the terminal, wherein the second unit displays one of the source virtual private network identifier and one or more of the destination virtual private network identifier in association with each other. (Supplementary Note 22) In Supplementary Note 20, each destination virtual private network identifier and one corresponding to each destination virtual private network identifier.
A third means for managing one or more route domain identifiers, wherein the third means corresponds to one destination virtual private network identifier inputted from the terminal and one or more destination virtual private network identifiers corresponding to the one destination virtual private network identifier And transmitting the route domain identifiers to the second means, wherein the second means includes one destination virtual private network identifier and one or more route domain identifiers corresponding to one destination virtual private network identifier. And a second means for displaying the information on the terminal in correspondence with the terminal. (Supplementary note 23) In Supplementary note 20, the second means receives a source virtual private network identifier to be additionally registered from the terminal, and requests the first means for additional registration. A packet relay apparatus for registering an original virtual closed network identifier in an inter-VPN relay policy table. (Supplementary Note 24) In the supplementary note 20, the display unit may include:
Requesting the first means to delete the source virtual closed network identifier to be deleted received from the terminal, wherein the first means deletes the source virtual closed network identifier from the inter-VPN relay policy table. Packet relay device. (Supplementary note 25) In Supplementary note 20, the second means transmits the name of the current source virtual private network identifier and the new source virtual private network identifier to be renamed received from the terminal to the first means. Request, the first means is a VPN
A packet relay apparatus, wherein the name of the current source virtual closed network identifier existing in the inter-relay policy table is changed to a new source virtual closed network identifier. (Supplementary Note 26) Means for requesting each source virtual closed network identifier set in the inter-domain relay policy table based on an instruction from a terminal and a list of path domains corresponding to each of the source virtual closed network identifiers, Means for extracting one or more source virtual private network identifiers from the inter-domain relay policy table based on the above, and extracting a list of route domains corresponding to each of the source virtual private network identifiers; A packet relay device, comprising: means for displaying, on the terminal, a list of source virtual closed network identifiers and route domains corresponding to each of the source virtual closed network identifiers. (Supplementary Note 27) Means for requesting a list of each destination virtual private network identifier set in the inter-domain relay policy table and one or more route domain identifiers corresponding to each destination virtual private network identifier according to an instruction from the terminal Means for retrieving a domain identifier from an inter-domain relay policy table based on the request and extracting a list of domain identifiers corresponding to each destination virtual private network identifier; and providing the terminal with each destination virtual private network identifier. Means for displaying a list of domain identifiers corresponding to the above and receiving an instruction for additional registration of a destination virtual closed network identifier from a terminal, and additionally registering a destination virtual closed network identifier received from the terminal in the inter-domain relay policy table A packet relay device comprising: (Supplementary Note 28) A means for requesting a list of each destination virtual private network identifier set in the inter-domain relay policy table and a domain identifier corresponding to each destination virtual private network identifier in accordance with an instruction from the terminal, Means for searching for a destination virtual private network identifier set with reference to the inter-domain relay policy table based on the destination virtual private network identifier, and creating a list of domain identifiers corresponding to each destination virtual private network identifier; Means for displaying a list of domain identifiers corresponding to the closed network identifiers on the terminal and receiving an instruction to add a destination virtual closed network identifier or delete the list of domain identifiers for the list of the domain identifiers; and Means for updating the inter-domain relay policy table based on the deletion. apparatus.

[0158]

According to the present invention, when defining a mutual relay policy between a plurality of route domains, it is possible to divide a plurality of route domains into some groups and define them as a relay policy between groups. I do. As a result, the number of relay policies to be defined is reduced, so that setting / change can be easily performed, and the definition contents can be accurately grasped by displaying the definition information of the relay policy of the consultation packet on the terminal.

Further, it is possible to reduce the size of a table for storing path information necessary for relaying a packet.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating an example of a network configuration based on a combination of a single domain / multi-domain and an intranet / extranet.

FIG. 2 Extranet VP with a single domain configuration
FIG. 3 is a diagram illustrating a configuration example of a relay table of a router accommodating N.

FIG. 3 shows a multi-domain extranet VPN.
Is a diagram for explaining an example of the configuration of a relay table of a router accommodating a router.

FIG. 4 is a diagram illustrating the operation principle of the present invention.

FIG. 5 is a diagram illustrating an example of the first embodiment of the present invention.

FIG. 6 is a diagram illustrating an example of a second embodiment of the present invention.

FIG. 7 is a diagram illustrating an example of a third embodiment of the present invention.

FIG. 8 is a diagram illustrating an example of a fourth embodiment of the present invention.

FIG. 9 shows a source V in an example of the fourth embodiment of the present invention.
The figure explaining the example of a display of PN.

FIG. 10 is a view for explaining an example of display of a correspondence relationship between a source VPN, a destination VPN, and a destination domain in an example of the fourth embodiment of the present invention.

FIG. 11 is an exemplary view for explaining an example of display of a many for adding a source VPN in the example of the fourth embodiment of the present invention;

FIG. 12 is an exemplary view for explaining an example of a display of many for inputting a source VPN to be deleted in the example of the fourth embodiment of the present invention;

FIG. 13 is an exemplary view for explaining an example of a display of a many for inputting a source VPN whose secret code should be changed in the example of the fourth embodiment of the present invention;

FIG. 14 is an exemplary view for explaining an example of display of VPN management information in a tree structure in an example of the fourth embodiment of the present invention.

FIG. 15 is an exemplary view for explaining an example of display of VPN management information by a multi-window in the example of the fourth embodiment of the present invention.

FIG. 16 is a diagram illustrating an example in which a router to which the first embodiment of the present invention is applied is employed in a network provided by a provider.

17 is a diagram illustrating a domain configuration of the network illustrated in FIG. 16;

18 is a diagram illustrating an example of a source VPN identification table that manages a correspondence between a reception interface, a source domain, and a source VPN identifier in the router 1 illustrated in FIG.

FIG. 19 is a diagram illustrating an example of a format of a table for setting a relay policy between VPNs.

FIG. 20 is a diagram illustrating an example of a format and a setting value of a table for setting an inter-domain relay policy.

FIG. 21 is a diagram illustrating an example of a format and a setting value of a relay table between route domains.

FIG. 22 is a diagram illustrating an example of a format and a setting value of a relay table between route domains.

FIG. 23 is a diagram illustrating an example of a format and a setting value of a relay table between route domains.

[Description of Signs] 1 route information processing unit 2 intra-domain route information management unit 3 route filter 4 intra-domain relay table 5 VPN definition unit 6 inter-VPN relay policy execution unit 7 inter-domain relay policy table 8 inter-VPN relay policy table 9 transmission Original VPN identification table 10 Packet receiving unit 11 Packet relay unit 12 Packet transmitting unit 14 Transmission interface 51 Packet relay unit 52 Inter-network relay unit 53 Inter-domain relay unit 54 Route information management unit 100 Relay device

Claims (5)

[Claims] A first means for selecting identification information of one or more destination virtual closed networks based on identification information of a source virtual closed network corresponding to a received packet; and one or more destination virtual closed networks A second step of selecting identification information of one or more route domains corresponding to the identification information of the network;
Third means for comparing a destination address of the packet with path information relating to the identification information of one or more path domains, and selecting an output interface for transmitting the packet to a next packet relay device. And a fourth means for transmitting the packet from the output interface. 2. The priority given to one or more destination virtual closed networks corresponding to each identification information of a source virtual closed network associated with a received packet, according to claim 1, wherein And selecting one or more identification information of the destination virtual closed network according to the following. 3. A first step of selecting identification information of one or more destination virtual closed networks based on identification information of a source virtual closed network associated with a received packet, and one or more destination virtual closed networks. A second step of selecting identification information of one or more route domains corresponding to the identification information of the network;
And a third step of comparing a destination address of the packet with path information relating to the identification information of one or more path domains, and selecting an output interface for transmitting the packet to a next packet relay device. And a fourth step of transmitting the packet from the output interface. 4. A packet relay device for relaying a received packet to a next relay device according to a policy, wherein the packet relay device manages a relationship between one or more source virtual closed networks and one or more destination virtual closed networks. A second means for selecting identification information of one or more destination virtual identification closed networks capable of relaying the received packet based on a source virtual closed network associated with the received packet by cooperating with the first means; Transmitting identification information of a transmission source virtual closed network to the second means based on a command from a terminal, and transmitting identification information of one or more transmission destination virtual closed networks corresponding to the identification information of the transmission source virtual closed network; A third means for receiving and displaying, on a terminal, a correspondence relationship between the source virtual closed network and one or more destination virtual closed networks, wherein the received packet is one selected by the second means. The above Packet relay apparatus characterized by sending to one of the relay device Shin destination virtual private network. 5. A packet relay device for relaying a received packet to a next relay device according to a policy, wherein the packet relay device manages a relationship between one or more source virtual closed networks and one or more destination virtual closed networks. Means for selecting one or more identification information of one or more destination virtual identification closed networks capable of relaying the received packet based on identification information of a source virtual closed network associated with the reception packet by cooperating with the first means A second means, corresponding to each of one or more destination virtual closed networks set in the route domain policy table based on a command having one or more destination virtual identification closed network identification information as an operand from a terminal; Third means for requesting the second means for a list relating to identification information of one or more destination route domains to be executed, and one or more destination virtual closures corresponding to each identification information of the destination virtual closed network Fourth extracting the identification information of the destination routing domain from the routing domain policy table based on the received request from the third means for extracting the identification information of the network
Means, the third means corresponding to the extracted identification information of each destination virtual closed network and the identification information of each destination virtual closed network.
A packet relay device, wherein a list related to the identification information of one or more destination route domains is displayed on the terminal.