JP2008118577A - Redundant method in communication network and router suitable for the method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable realization of redundancy in a communication network when forming a plurality of LANs into one VPN via an IPN in a tunneling technique. <P>SOLUTION: Both ends of a tunnel bus 6 formed on an IPN 3 are provided with a virtual IP address corresponding to a connecting target LAN 2 or LAN 4, and both ends of the tunnel bus 6 are associated with a group of a plurality of routers 11-13 or 14-16, respectively, to make control for redundancy based on a VRRP for each group. Each router can connect to a plurality of tunnel buses by virtue of the VRRP. The routers forming a group includes only one master or actually-used type and the remainder routers being in a stand-by mode as one used for backup. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a redundancy method in a communication network when tunneling technology is used for an IP (Internet Protocol) network and a plurality of LANs (Local Area Networks) are formed as one VPN (Virtual Private Network) via the IP network, And a router using the method.

  As known redundancy means, for example, as described in Japanese Patent Application Laid-Open No. 2003-244197 (Patent Document 1), there is an apparatus in which an apparatus or a function is duplicated and divided into an active system and a standby system. However, VRRP (Virtual Router Redundancy Protocol) technology is used for routers used as gateways in recent communication networks. In VRRP, a plurality of routers are regarded as one virtual router, and one of the plurality of routers is operated as a master and the rest as a backup.

  On the other hand, in order to form a wide area network by forming a plurality of LANs as one private network via the IP network, a fixed communication link is always formed from one to the other using two specific addresses on the network. There is tunneling technology.

  For tunnel redundancy in a conventional network, for example, there is a tunnel gateway device disclosed in Japanese Patent Laid-Open No. 2005-86256 (Patent Document 2). In Patent Document 2, in order to easily introduce the next generation IPv6 (Version 6) into a LAN constructed with IPv4 (Version 4) which is the current IP (Internet Protocol), both are connected between the IPv4 network and the IPv6 network. A tunnel gateway device is installed. The tunnel gateway device is a virtual router, and the VRRP technology is used for redundancy. That is, Patent Document 2 has a configuration in which one of a plurality of tunnel gateway devices is set as a master and the rest is set as a backup, and redundancy by VRRP is realized for a plurality of tunnels.

  As described above, in Patent Document 2, two fixed networks are connected by a plurality of tunnels, and a gateway device that forms the tunnel is used as a router, using VRRP technology, and only one master tunnel is used It is operating.

  However, in such a configuration, the protocol passing through the tunnel is limited to IPv6, and protocols other than IPv6 cannot be used. Therefore, a redundant configuration that can be used is not limited to IPv4 / IPv6 as long as it is a protocol that connects bases separated via the Internet as the same LAN and can be used in the LAN.

JP 2003-244197 A JP 2005-86256 A

  The problem to be solved is that a redundant configuration in a communication network when a tunneling technique is used for the Internet and a plurality of LANs are formed as one virtual private network via the Internet has not been formed.

  In this communication network, a network corresponding to IP such as the Internet is referred to as an IP network or IPN, and a local network such as Ethernet (registered trademark) to which a communication terminal is connected is generically referred to as a LAN. A router is used for connection.

  The present invention uses a tunneling technique for an IP network, and each tunnel formed on the IP network for the purpose of realizing redundancy in the communication network when forming a plurality of LANs into one VPN via the IP network. The main feature is that a virtual IP address corresponding to the connection destination LAN is assigned to each of both ends of the LAN, and redundancy control is performed by making a group of a plurality of routers correspond to both ends of each tunnel. Further, it is desirable that the group of plural routers is controlled by a duplex configuration in the active / standby system or VRRP.

  With such a configuration, only one of a group of a plurality of routers using one tunnel operates as an active system or a master, and the remaining routers operate as a standby system or a backup. Therefore, a redundant router group is configured for one tunnel. Further, by constructing a plurality of tunnels between two LANs and applying VRRP, each tunnel can have a separate virtual IP address, so that further redundancy can be achieved. A common router group can be assigned to each of these multiple tunnels. Therefore, by setting each router as a master for each tunnel in the router group, redundancy can be provided for troubleshooting. At the same time, it can be used to save equipment.

  The router used in this configuration connects the IP network and the LAN, and includes a DB, an active setting unit, and a control unit. In the communication between LANs belonging to the same VPN, the DB stores the location of each communication terminal existing in the LAN based on the LAN address. The virtual IP address previously assigned to the connection destination LAN and the LAN address on the LAN side are stored in association with each other at both ends of each tunnel formed on the IP network. The working setting unit sets and stores whether or not the virtual IP address is working. When accepting a LAN frame on one of the LANs, the control unit extracts a destination LAN address and indexes the corresponding virtual IP address in the DB, and only in the case of the current setting, the indexed virtual The means for encapsulating the LAN frame with respect to the IP address and sending it to the IP network, and receiving the virtual IP address addressed to the other IP network, in the case of the current setting, from the IP capsule to the LAN Means for extracting a frame and sending the extracted LAN frame to the indexed LAN when the LAN is indexed from the DB as an output destination corresponding to the destination LAN address. Further, the working setting unit is set to the working only when it is selected as the working one among a plurality of routers corresponding to one virtual IP address of the tunnel.

  Further, the control unit of the router, when indexing the virtual IP address by accepting a LAN frame for a corresponding tunnel that is not currently used, and when accepting the address to the virtual IP address in an IP network, In some cases, a means for blocking the LAN frame from passing through the corresponding tunnel is provided.

In the redundancy method in the communication network of the present invention and the router suitable for the method,
Only one of a group of plural routers using one tunnel operates as an active system or a master, and the remaining routers operate as a standby system or a backup. Therefore, there is an advantage that a redundant router group is configured for one tunnel.

  Further, by constructing a plurality of tunnels between two LANs and providing each tunnel with a separate virtual IP address, further redundancy can be achieved. A common router group can be assigned to each of the plurality of tunnels. Therefore, by setting each of the different routers in the router group as the current or master of each of the different tunnels, it can be used for troubleshooting. It can be used for redundancy as well as saving equipment.

  The purpose of realizing redundancy in a communication network when a tunneling technology is used for an IP network (abbreviated as IPN) such as the Internet and a plurality of LANs are formed as one VPN (virtual private network) via the IPN. Is realized by assigning a virtual IP address corresponding to the connection destination LAN to each end of each tunnel formed on the IPN, and performing redundancy control by making a group of a plurality of routers correspond to each end of each tunnel.

  Embodiments will be described below with reference to the drawings. However, since the drawings mainly describe portions according to the present invention, there are omissions of components that are functionally essential. Modifications such as separation and merging of functional blocks with respect to the illustration and description, and replacement of the procedure before and after are free as long as the gist and function of the present invention are not impaired, and the following description does not limit the present invention.

  The LAN may be any network, but in the following description, Ethernet (registered trademark) is used. Therefore, the LAN address is a MAC (Media Access Control) address, and the DB is an area for storing the MAC address value of Ethernet (registered trademark) and the tunnel destination of the communication terminal that owns the MAC address. Is shown as FDB (Forwarding Data-Base). In the following description, Ethernet (registered trademark) is abbreviated as LAN. Further, a tunnel in the tunneling technology is regarded as a dedicated bus in VPN and is called a tunnel bus.

  A system configuration of Embodiment 1 of the present invention will be described with reference to FIG.

  FIG. 1 is an explanatory diagram showing in block form an embodiment of a redundant configuration in a communication network according to the present invention.

  The illustrated system is composed of communication terminals 1, 5, LANs 2, 4, IPN 3, and tunnel bus 6, and routers 11-16, LAN 2 to which routers 11-13 are connected, and LAN 4 to which routers 14 to 16 are connected. Is configured as a VPN functioning as the same LAN via the IPN 3. Therefore, a tunnel bus 6 that is a virtual bus using a tunneling technique is established in the IPN 3. That is, a parallel group of routers 11 to 13 is connected to the tunnel bus 6 from the LAN 2, and a parallel group of routers 14 to 16 is connected to the tunnel bus 6 from the LAN 4. In each parallel group of the routers 11 to 13 and the routers 14 to 16, only one master router operates, and the rest stands by. Router redundancy depends on VRRP.

  The communication terminals 1 and 5 are connected to the LANs 2 and 4, respectively, are given MAC addresses, and communicate with other communication terminals using a LAN protocol in Ethernet (registered trademark). LANs 2 and 4 are Ethernet (registered trademark). The IPN 3 is a network controlled by IP, that is, the Internet, and is usually communicated through a network of a plurality of providers.

  The tunnel bus 6 virtually connects the group of routers 11 to 13 and the group of routers 14 to 16 in order to form the LAN 2 and the LAN 4 in the same LAN. In the tunnel bus 6, for example, L2TP (Layer 2 Tunneling Protocol) or EtherIP (Tunnneling Ethernet Frames in IP Datagram) for constructing a VPN standardized for the tunneling technology is used. Therefore, the tunnel bus 6 is given virtual IP addresses at both ends.

  Each of the routers 11 to 16 will be described later as a router 10 with reference to FIG. Each of the routers 11 to 13 and the routers 14 to 16 constitutes one virtual router group, and performs redundancy by making full use of virtual router technology based on, for example, VRRP. Each virtual router group has a virtual IP address, and the IP address is used as the start / end address of the tunnel bus 6. According to VRRP, one of each virtual router group is set as the master router as the current router. One or more remaining routers become backup routers.

  The router 10 will be described with reference to FIG. The illustrated router 10 is arranged and connected between the LAN 2 and the IPN 3, and includes a LANIF (LAN Interface) 21, an IPNIF 22, a control unit 23, an FDB 24, and an active setting unit 25. Although LAN2 is shown in FIG. 2, the same applies to LAN3, and LAN2 may be read as LAN3.

  The LANIF 21 is connected to the LAN 2, takes in the LAN frame on the LAN 2 and notifies the control unit 23, and sends the LAN frame onto the LAN 2 under the control of the control unit 23. The IPNIF 22 takes in the IP packet on the IPN 3 and notifies the control unit 23 while sending the IP packet onto the IPN 3 under the control of the control unit 23.

  The control unit 23 is a processor under program control, and executes the function of the router 20 with reference to the recording data of the FDB 24 and the working setting unit 25 based on the program. The FDB 24 has an area for storing the MAC address value on the LAN 2 and which tunnel bus 6 the communication terminal 1 that owns the MAC address is located on or on the LAN 2 and stores it. Is the output interface name. The working setting unit 25 is set to be used by the router 11 in FIG. 1 and is not set to be used by the routers 12 to 13. Therefore, the router 11 is a master router, and the routers 12 to 13 are backup routers.

  Next, the main operation procedure in the router 10 when the LAN frame addressed to the tunnel bus 6 in the LAN 2 is received will be described with reference to FIG. 3 and FIG. 2 together.

  The router 10 takes in the LAN frame from the LAN 2 and accepts it (step S1). The source MAC address is extracted from the accepted LAN frame and searched by the FDB 24 (step S2). If the source MAC address is not registered in the FDB 24 (NO in step S3), the MAC address is additionally registered in the FDB 24 (step S4).

  When the above step S3 is “YES” and the destination MAC address is registered in the FDB 24, an output interface corresponding to the registered destination MAC address is searched (step S5). When the tunnel bus corresponding to the destination MAC address is registered in the FDB 24 (YES in step S6), the virtual IP address corresponding to the tunnel bus is read (step S7). Next, when the setting of the working setting unit 25 is working and the router 10 is a master router (YES in step S8), the LAN frame received from the LAN 2 is encapsulated with an IP address (step S9), and the encapsulated packet is The IP address is sent to IPN 3 as the destination (step S10), and this procedure ends.

  In the case where the above step S8 is “NO” and the current router is not set and the router is a backup router, the router 10 discards the received LAN frame in the master router (step S11). Although not shown in the figure, when the master router fails, the next-ranked router determined in advance as the highest priority among the plurality of backup routers is switched to the master router.

  When the above step S6 is “NO” and the output interface is not registered, it is unknown which tunnel the communication terminal having the destination address of the LAN frame is ahead. Therefore, the router 10 duplicates the received LAN frame. Distribution to all interfaces except the receiving interface is set (step S12). Next, when the delivery destination is a LAN interface, a LAN frame is sent to the delivery destination (step S13), and the procedure ends. If the delivery destination is an IPN interface, the procedure proceeds to step S7.

  Next, the main operation procedure in the router 10 when an IP packet addressed to the virtual IP address is received from the tunnel bus 6 in the IPN 3 will be described with reference to FIGS. 1 and 2 together with FIG.

  First, the router 10 receives an IP packet addressed to the virtual IP address from the IPN 3 (step S21). If the router 10 is a master router (YES in step S22), the received packet is identified as passing through the tunnel bus 6, and a LAN frame is extracted from the packet (step S23). Next, the accepted transmission source MAC address is registered in the FDB (step S24), and the output destination corresponding to the destination MAC address is searched in the FDB 24 (step S25). At that time, if the output destination is registered in the FDB 24 (YES in step S26) and the output destination is LAN1 (YES in step S27), the previously extracted LAN frame is sent with the output destination as the destination (step S28). And the procedure ends.

  In the case where the above step S22 is “NO” and the current router is not set because the current router is not set, the router 10 discards the IP packet received by the master router when the received packet is identified as being via the tunnel bus 6 (step S31). When the above step S26 is “NO” and the output destination is not registered in the FDB 24 and the output destination is the IPN interface (YES in step S32), the extracted LAN frame is encapsulated with an IP address other than the tunnel bus 6 (step S33). The encapsulated packet is transmitted (step S34), and the procedure ends. When the above step S32 is “NO” and the LAN interface is output, the procedure proceeds to step S28, the previously extracted LAN frame is transmitted with the output destination as the destination, and the procedure ends.

  If step S27 is “NO” and the output destination is not LAN1, the output destination is a LAN via another tunnel bus, so the extracted LAN frame is encapsulated with an IP address corresponding to the output destination tunnel (step S35). The encapsulated packet is transmitted with the IP address as the destination (step S36), and the procedure ends.

  In this way, two LANs are connected by a single tunnel on the IPN to construct one VPN, a plurality of routers are connected as a group between the LAN and the IPN, and the routers are made redundant by the well-known VRRP. Adopted the configuration. Therefore, even if a failure occurs in a router serving as a gateway between the LAN and the IPN, it is only necessary to switch the failed master router to a predetermined backup router. Therefore, compared to a spanning tree protocol in which one route that is normally used is set and other routes are set as detour routes at the time of failure, it becomes possible to switch the route at high speed and easily.

  A plurality of routers connected to one end of each tunnel formed in the IP network can be connected to one LAN, and a plurality of routers connected to another LAN can also be connected at the other end of the tunnel. Are connected with at least one tunnel, and VRRP is used for a plurality of tunnel-compatible routers, for example, a wide-area VPN between a company headquarters and a branch office can be easily constructed, and its redundancy is necessary and indispensable. Not only can it be applied to applications, it can also be applied effectively in a dedicated line configuration between a small branch and its branch office.

It is explanatory drawing which showed one Embodiment of the redundant structure in the communication network by this invention with the block. Example 1 It is explanatory drawing which showed one Embodiment of the structure of the router in FIG. 1 with the block. Example 1 It is explanatory drawing which showed one Embodiment of the procedure at the time of receiving the frame from LAN of the router in FIG. 1 with the flowchart. Example 1 It is explanatory drawing which showed in a flowchart the embodiment of the procedure at the time of receiving the packet from IPN of the router in FIG. Example 1

Explanation of symbols

1, 5 Communication terminal 2, 4 LAN
3 IPN
6 Tunnel bus 10-16 Router 21 LANIF
22 IPNIF
23 Control unit 24 FDB
25 Current setting part

Claims (7)

  A redundancy method in a communication network when tunneling technology is used for an IP (Internet Protocol) network and a plurality of LANs (Local Area Networks) are formed as one VPN (Virtual Private Network) via the IP network, A communication network characterized by assigning a virtual IP address corresponding to a connection destination LAN to both ends of each tunnel formed on the IP network, and performing redundancy control by associating a group of plural routers with each end of each tunnel. Redundancy method.   2. The method for redundancy in a network according to claim 1, wherein the group of plural routers is configured to be duplexed in an active / standby system.   2. The redundancy method in a network according to claim 1, wherein the group of plural routers is controlled by VRRP (Virtual Router Redundancy Protocol). A router for connecting the IP network and the LAN when forming a plurality of LANs (local area networks) into one VPN (virtual private network) using the tunneling technology for the IP (Internet protocol) network. Because
In order to determine a transmission destination of a frame addressed to each terminal, in communication between LANs belonging to the same VPN, a DB (database) that stores the location of each communication terminal existing in the LAN based on the LAN address;
A working setting unit that sets and stores whether or not the virtual IP address is working;
On the other hand, when a LAN frame in the LAN is accepted, the destination LAN address is extracted and the corresponding transmission destination is indexed in the DB. Only when the transmission destination is a tunnel and the current setting is used. Then, the LAN frame is IP-encapsulated for the indexed virtual IP address and sent to the IP network. On the other hand, when accepting the virtual IP address addressed on the IP network, A controller that extracts a LAN frame from the IP capsule and indexes the LAN from the DB for an output destination corresponding to a destination LAN address, and sends the extracted LAN frame to the indexed LAN.
The router, wherein the working setting unit is set to the working only when it is selected as a working one among a plurality of routers grouped corresponding to one virtual IP address of the tunnel.   5. The router according to claim 4, wherein the router is configured to be a duplex of active / standby system corresponding to one virtual address.   5. The router according to claim 4, wherein a plurality of the routers corresponding to one virtual address constitute a group and are controlled by VRRP (Virtual Router Redundancy Protocol).   7. The router according to claim 5, wherein the control unit is configured to index the virtual IP address by accepting a LAN frame, or to perform the virtual IP in an IP network when the current setting is not set by the current setting unit. A router comprising: means for monitoring communication of a working setting router when receiving an address; and means for blocking a LAN frame from passing through the tunnel.

Images