JP2017005375A - Router device and redundancy configuration method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently synchronize address conversion information between a master router device and a backup router device which are configured with redundancy using VRRP.SOLUTION: When a router device functions as a master router device, VRRP control packet transmission control means performs dynamic NAT/NAPT address conversion on a packet, which is transmitted and received between networks of different address spaces, to generate first address conversion information to output by including in each VRRP control packet transmitted at predetermined time intervals. When the router device functions as a backup router device, address conversion information synchronous control means extracts the first address conversion information which is included in the VRRP control packet received from the master router device, to retain as second address conversion information for dynamic NAT/NAPT address conversion managed by the backup device.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a router device and a redundancy method, and more particularly to a redundant router device and a redundancy method used for connection between networks having different address spaces.

  In recent years, 32-bit IP (Internet Protocol) addresses are becoming insufficient, and in order to compensate for the shortage of IP addresses, it has become common to connect private networks and the Internet using router devices equipped with NAT or NAPT. Yes.

  NAT is an abbreviation of “Network Address Translation”, and this network address translation is performed in a gateway device that connects a private network and the Internet. The private IP address used in the private network and the global IP address held by the gateway device are converted. NAPT is an abbreviation of “Network Address Port Translation”, and refers to a conversion function that converts a port number in addition to an address and associates it with a global IP address.

  In NAT, a private IP address and a global IP address can be converted only by a one-to-one correspondence. However, in NAPT, one-to-many private IP address conversion can be performed by converting a port number in addition to an address and associating it with a global IP address.

  Such NAT and NAPT are defined in RFC (Request For Comments) 2766, 2663, 3022, etc. of IETF (Internet Engineering Task Force). A technique related to such a NAT device is disclosed in Patent Document 1. NAT and NAPT are hereinafter referred to as NAT / NAPT.

  Also, in order to ensure the reliability of information transmission in the communication path, it is common to duplicate or make redundant the path from the transmission source to the transmission destination.

  In a router apparatus used for connection between networks, it is widely known that a redundant configuration is formed using VRRP (Virtual Router Redundancy Protocol).

  VRRP supports the redundancy of router devices on an IP network, and is a protocol defined by IETF RFC2338, 3768, 5798, and the like. In VRRP, a plurality of router devices are used as a set, and each router device is positioned as either a master or a backup. During normal operation, communication is performed with the master router device. When a failure occurs in the master device, the communication is continued by switching to the backup router device. When a plurality of backup router devices are installed, a backup router device having a high priority set in advance is switched as a master.

  When VRRP is enabled in a plurality of router apparatuses to which VRRP is applied, VRRP control packets (VRRP advertisements) are exchanged between the router apparatuses.

  According to the VRRP advertisement, a master or a backup is assigned to each router device according to the set priority. A virtual IP address is assigned to the master router device.

  If the router device made redundant by VRRP is used for connection between a LAN (Local Area Network) and the Internet, each terminal of the LAN sets a virtual IP address as a default gateway. Accordingly, in normal communication, each terminal of the LAN communicates with a master router device to which a virtual IP address is assigned.

  On the other hand, the VRRP advertisement is also used to check whether or not each other router set in VRRP is operating normally. When the master router device fails and the VRRP advertisement is not received, the backup router device determines that the master router device has failed, takes over the virtual IP address, and starts operating as a master. Each LAN terminal can continue communication using the backup router device as a default gateway with the same virtual IP address, although the physical route has changed.

  A technique relating to such a virtual router based on VRRP is disclosed in Patent Document 2.

  Here, the outline | summary of the technique which patent document 1 and patent document 2 disclose is demonstrated.

  The technology related to the NAT device disclosed in Patent Document 1 is a technology related to the synchronization processing of address translation information between the active NAT device and the standby NAT device in a duplexed NAT device.

  In the NAT device disclosed in Patent Document 1, when the active NAT device generates address translation information for performing address translation, the packet before address translation and the packet after address translation are transferred to the standby NAT apparatus. It is configured as follows. The standby NAT device generates the same address translation information as the address translation information generated by the active NAT device, using the pre-address translation packet and the post-address translation packet received from the active NAT device. It is composed.

  That is, the active NAT device generates address conversion information when there is no address conversion information used for a packet destined for the Internet received from a terminal in the LAN. At this time, the packet before conversion using the private IP address received from the terminal in the LAN as the transmission source is transferred to the backup NAT device. When the setting of the association between the private IP address and the global IP address assigned to the NAT device is completed, the converted packet having the global IP address as the transmission source is transferred to the standby NAT device.

  The standby NAT device holds the IP address information extracted from the pre-address translation packet in the translation information comparison queue. Also, the standby NAT device holds the IP address information extracted from the post-address translation packet in another translation information comparison queue. In the pre-address translation packet and the post-address translation packet, the global IP address that is the destination IP address information is the same. Therefore, the standby NAT device searches the conversion information comparison waiting queue for the pre-address conversion packet and the post-address conversion packet that match the destination IP address information. Then, it knows that the private IP address information of the transmission source packet before the address conversion is converted into the global IP address information of the transmission source of the post-address conversion packet.

  Such processing is repeatedly executed to synchronize the address translation information of the active NAT device and the standby NAT device.

  Further, the technology related to the virtual router based on VRRP disclosed in Patent Document 2 makes it possible to suppress the increase in power consumption even when the number of backup routers is increased and to make the router function redundant so that the normality of the backup router can be confirmed. This is a system technology.

  The technology disclosed in Patent Document 2 is configured by one or more master routers and a plurality of backup routers, and has a configuration in which a backup up router having a low priority is shifted to a standby state in which the power is turned off. In addition, each backup router transmits an advertisement (backup) indicating normalization of its VRRP function at a predetermined time interval.

  The master router of Patent Document 2 can receive the advertisement (backup) from each backup router and know the number of backup routers in operation. When the number of backup routers exceeds a predetermined number, the master router transmits a magic packet to the backup router with a low priority and shifts to the standby state. Also, when the backup router that has been operating fails and becomes less than the predetermined number, the master router transmits an advertisement (wake) to the backup router in the standby state, and shifts to the backup state.

JP 2010-114585 A Japanese Unexamined Patent Publication No. 2014-033384

  When using a plurality of router devices that form a redundant configuration using VRRP for connection between networks having different address spaces, dynamic NAT / NAPT address conversion information cannot be transferred from the master router to the backup router. There is a problem.

  Dynamic NAT / NAPT address translation information is generated as information that associates a pair of IP addresses used in each address space when connecting to an external network in a different address space from a terminal in the LAN, Deleted when no longer needed. The dynamic NAT / NAPT address conversion information is generated and held by a master router that performs dynamic NAT / NAPT address conversion.

  Therefore, even if a failure occurs in the master router and the backup router switches to the master, the backup router cannot take over the session information (dynamic NAT / NAPT address conversion information) held in the master router.

  The NAT device disclosed in Patent Literature 1 performs synchronization processing of address translation information between the active NAT device and the standby NAT device in the duplex NAT device. However, this NAT device requires processing for regenerating address translation information based on these packets in the backup NAT device based on a plurality of packets transferred from the active NAT device. Is not efficient.

  In other words, in the technique disclosed in Patent Document 1, a packet before conversion using a private IP address as a transmission source and a packet after conversion using a global IP address as a transmission source are sequentially transferred to the standby NAT device. Then, the standby NAT device uses the destination IP address information as a key to search for a pair of pre-conversion packets and post-conversion packets, and addresses based on the source IP address information included in those packets. Performs processing to regenerate conversion information.

  Further, the VRRP virtual router disclosed in Patent Document 2 does not mention the synchronization of dynamic NAT / NAPT conversion table information.

  The present invention efficiently synchronizes dynamic NAT / NAPT address translation information between a master router device and a backup router device that form a redundant configuration using VRRP for connection between networks having different address spaces. Provided is a router device and a redundancy method.

  In order to achieve the above object, a router device according to one aspect of the present invention functions as a master device that is deployed between networks in different address spaces and forms a redundant configuration using VRRP (Virtual Router Redundancy Protocol). In this case, first address translation information generated by performing dynamic NAT (Network Address Translation) / NAPT (Network Address Port Translation) address translation of packets transmitted and received between networks in different address spaces is stored at a predetermined time interval. When the VRRP control packet transmission control means that is included in the VRRP control packet that is transmitted in the network and the backup device that is provided between the networks in different address spaces and forms the redundant configuration, the VRRP received from the master device The first address translation information included in the control packet Was removed, characterized in that it comprises a, and address conversion information synchronization control means for holding a second address translation information for the dynamic NAT · NAPT address translation to which the backup device is managed.

  In addition, the redundancy method according to another aspect of the present invention is provided between networks in different address spaces, and functions as a master device in which a redundant configuration is formed using VRRP (Virtual Router Redundancy Protocol). VRRP control for transmitting first address translation information generated by performing dynamic NAT (Network Address Translation) / NAPT (Network Address Port Translation) address translation of packets transmitted and received between spatial networks at predetermined time intervals The first address translation information included in the VRRP control packet received from the master device when functioning as a backup device that is output in a packet and deployed between networks in different address spaces and forms the redundant configuration , And the dynamic NAT / N managed by the backup device Characterized by holding a second address translation information for the PT address translation.

  The present invention can efficiently synchronize address translation information between a master router device and a backup router device that form a redundant configuration using VRRP for connection between networks having different address spaces.

It is a block diagram which shows the structure of the network which uses the router apparatus of the 1st Embodiment of this invention. It is a sequence diagram which shows operation | movement of the redundancy method of the 1st Embodiment of this invention. It is a block diagram which shows the structure of the network which uses the router apparatus of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the router apparatus of the 2nd Embodiment of this invention. It is a figure which shows an example of a dynamic NAT / NAPT address conversion table. It is a figure which shows the format of a VRRP control packet. It is a flowchart which shows operation | movement of the master router apparatus of the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement of the synchronization of an address translation table by the master router apparatus of the 2nd Embodiment of this invention. It is a flowchart which shows the operation | movement of the synchronization of an address translation table by the backup router apparatus of the 2nd Embodiment of this invention.

  DESCRIPTION OF EMBODIMENTS Embodiments for carrying out the present invention will be described with reference to the drawings.

The embodiments are examples, and the disclosed apparatus and system are not limited to the configurations of the following embodiments.

(First embodiment)
FIG. 1 is a block diagram showing the configuration of a network that uses the router device of the first embodiment of the present invention.

  The master router device 10 serving as a master device and the backup router device 20 serving as a backup device are arranged between a first network 2 and a second network 3 which are networks of different address spaces, and form a redundant configuration 1. Yes. The redundant configuration 1 is formed using VRRP (Virtual Router Redundancy Protocol).

  The master router apparatus 10 has a VRRP control packet transmission control means 12 and the backup router apparatus 20 has an address translation information synchronization control means 22 as main structures.

  The master router device 10 performs dynamic NAT (Network Address Translation) / NAPT (Network Address Port Translation) address conversion of packets transmitted and received between the first network 2 and the second network 3. The master router device 10 includes the VRRP control packet transmission control means 12 including the first address translation information 11 generated by this address translation in a VRRP control packet 30 that is transmitted at a predetermined time interval and outputs it.

  The backup router device 20 uses the address translation information synchronization control means 22 to extract the first address translation information included in the VRRP control packet 30 received from the master router device 10. Then, it is held as second address translation information 21 for dynamic NAT / NAPT address translation managed by the backup router device 20.

  FIG. 2 is a sequence diagram illustrating the operation of the redundancy method according to the first embodiment of this invention.

  The redundancy method of the first embodiment is realized as an operation of a master router device and a backup router device that are deployed between networks in different address spaces and have a redundant configuration using VRRP.

  The master router device performs dynamic NAT / NAPT address conversion of packets transmitted and received between networks in different address spaces to generate first address conversion information (S101). Then, the first address translation information is included in a VRRP control packet transmitted at a predetermined time interval and output (S102).

  The backup router that has formed a redundant configuration using VRRP together with the master router extracts the first address translation information included in the VRRP control packet received from the master router (S103). The extracted first address translation information is held as second address translation information for dynamic NAT / NAPT address translation managed by the backup router (S104).

  As described above, in the present embodiment, the first address translation information generated by the master router device through dynamic NAT / NAPT address translation is included in the VRRP control packet transmitted to the backup router device at a predetermined time interval in VRRP. Be notified. Then, the backup router device extracts the first address conversion information notified from the received VRRP control packet and holds it as the second address conversion information for dynamic NAT / NAPT address conversion managed by the backup router device. To do. As a result, the first address conversion information generated by the master router device and the second address conversion information managed by the backup router device can be synchronized. Since this VRRP control packet is used for confirming the normal operation of each router device in the redundant configuration set by VRRP, existing transmission control means and reception control means can be used.

Therefore, in the present embodiment, dynamic NAT / NAPT address conversion information is efficiently transmitted between the master router device and the backup router device that form a redundant configuration using VRRP for connection between networks having different address spaces. Can be synchronized.

(Second Embodiment)
Next, a second embodiment of the present invention will be described.

  FIG. 3 is a block diagram illustrating a configuration of a network using the router device according to the second embodiment of this invention.

  In this network 100, the master router device 110 and the backup router device 120 form a redundant configuration 101 using VRRP.

  Although only the master router device 110 and the backup router device 120 are shown here, the redundant configuration 101 may be formed by a plurality of router devices. That is, when a plurality of router devices are activated and are in an initialized state, each router device transmits a VRRP control packet (VRRP advertisement) to a multicast address assigned for VRRP. The router device with the highest priority included in the VRRP control packet becomes the master, and the other router devices become backups. The backup router device stops sending VRRP control packets. Thereafter, the master router device performs packet processing and transmits a VRRP control packet at a predetermined timing. The backup router device shifts to the master when it does not receive the VRRP control packet transmitted by the master for a certain period of time. At this time, the router device having the highest priority among the plurality of backups shifts to the master.

  The master router device 110 and the backup router device 120 forming the redundant configuration 101 are arranged between the private network 102 and the Internet 103 which are networks of different address spaces.

  The private network 102 is connected to the port P31 of the first switch 130. The port P32 of the first switch 130 is connected to the port P11 of the master router device 110, and the port P33 is connected to the port P21 of the backup router device 120.

  The port P12 of the master router device 110 is connected to the port P42 of the second switch 140, and the port P22 of the backup router device 120 is connected to the port P43 of the second switch 140. The port P41 of the second switch 140 is connected to the Internet 103.

  In normal communication, the private network 102 communicates with the Internet 103 via the first switch 130, the master router device 110, and the second switch. When the master router device 110 fails and the backup router device 120 operates as a master, the private network 102 communicates with the Internet 103 via the first switch 130, the backup router device 120, and the second switch.

  In such a network configuration, in normal communication, the master router device 110 of the redundant configuration 101 performs dynamic NAT / NAPT address conversion.

  Dynamic NAT / NAPT address translation assigns pre-pooled global IP addresses to local IP addresses in a specified range as needed for each connection request to an external network, and stores the corresponding information as an address translation table. To do. That is, a private IP address used in the private network 102 as a packet source address is converted into a global IP address held in units of the redundant configuration 101 when connected to the Internet 103.

  In dynamic NAT / NAPT address translation, if communication for address translation does not occur for a certain period of time, a timeout occurs and the corresponding information is deleted from the address translation table. The timeout time can be changed as appropriate for each protocol, and can also be deleted from the address translation table by a command.

  That is, when there is a connection from the private network 102 to the Internet 103, the master router device 110 converts the packet source address from the private IP address to the pooled global IP address and transmits the packet. Further, when receiving a packet from the Internet 103 with the previously converted global IP address as the transmission destination, the master router device 110 converts the global IP address into a private IP address and transmits it to the private network 102.

  Next, the configuration of the router device will be described.

  FIG. 4 is a block diagram illustrating the configuration of the router device according to the second embodiment of this invention. The router device 200 shown in FIG. 4 has a configuration applicable to both the master router device 110 and the backup router device 120 shown in FIG.

  The router apparatus 200 includes a packet reception unit 211, a reception I / F (interface) processing unit 212, a routing unit 213, a transmission I / F (interface) processing unit 214, and a packet transmission unit 215 as a configuration related to packet transmission / reception.

  Further, the router device 200 includes an information management unit 221, an address translation database table 222, a VRRP control packet transmission control unit 223, an address translation information synchronization control unit 224, and a state management unit 225 as configurations relating to address translation and its synchronization control. .

  The configuration related to packet transmission / reception is generally provided as a router, and generally has the following functions.

  The packet reception unit 211 receives a packet input to the reception port and accumulates it in the reception buffer. The reception I / F processing unit 212 performs reception processing such as analyzing header information of a packet extracted from the reception buffer. The routing unit 213 selects a route with reference to the header information and the routing table information. The transmission I / F processing unit 214 rewrites the header information based on the route selection result, and stores the packet in the transmission buffer corresponding to the transmission port. The packet transmission unit 215 takes out the packet from the transmission buffer and transmits it.

  The reception I / F processing unit 212 also performs the following processing depending on whether the router device 200 is a master or a backup. In the case of the master, when the reception I / F processing unit 212 analyzes the received packet and determines that the received packet needs dynamic NAT / NAPT address conversion, the reception I / F processing unit 212 instructs the information management unit 221 to perform the processing. . In the case of backup, if the received packet is identified as a VRRP control packet as a result of analyzing the received packet, the address translation information synchronization control unit 224 is instructed to perform processing related to synchronization control described later. In the case of backup, reception processing of a VRRP control packet defined as a VRRP protocol is also performed, but the illustration and description of the configuration related to this are omitted.

  The configuration relating to the address translation and the synchronization control of the router device 200 has the following functions.

  When a client (not shown) of the private network 102 requests connection to the Internet 103, the information management unit 221 uses a dynamic NAT / NAPT address based on an instruction from the reception I / F processing unit 212 that identifies the request. Perform conversion. That is, the packet source address is converted from a private IP address assigned to the client to a global IP address pooled in advance, and the corresponding information is generated as address conversion information. The source address converted to the global IP address is notified to the routing unit 213 and rewritten together with the route information in the transmission I / F processing unit 214.

  Further, the information management unit 221 stores the address conversion information generated by the dynamic NAT / NAPT address conversion in the address conversion database table 222 as an address conversion table. Furthermore, the information management unit 221 manages the address conversion table. For example, when a packet is received from the Internet 103, the contents of the address translation database table 222 are referred to. When the destination address of the received packet is a global IP address included in the address conversion table, the packet is converted into a corresponding private IP address and output to the routing processing unit 1105. For example, when the correspondence information between the private IP address and the global IP address is deleted from the address conversion table, the address conversion database table 222 is notified of that fact.

  The address conversion database table 222 stores address conversion information generated by the information management unit 221 by dynamic NAT / NAPT address conversion as an address conversion table. When the router device 200 is a master, it is stored as an address conversion table with flag information to be described later.

  The VRRP control packet transmission control unit 223 refers to the address translation database table 222 and, when there is address translation information to be notified to the backup side, generates a VRRP control packet to which the address translation information is added. This operation is executed at a predetermined timing for outputting the VRRP control packet.

  When the address translation information is added to the VRRP control packet received from the master, the address translation information synchronization control unit 224 performs a process of storing the address translation information in the address translation database table 222. By this processing, the contents of the address translation database table 222 on the master side and the contents of the address translation database table 222 on the backup side are synchronized.

  The state management unit 225 outputs display information indicating whether the router device 200 is operating as a master or a backup. As described above, master or backup information determined when VRRP is activated and is in an initialized state is held.

  When the router apparatus 200 is operating as a master, the master display is output to the VRRP control packet transmission control unit 223, and the VRRP control packet transmission control unit 223 executes the operation. When the router device 200 is operating as a backup, a backup display is output to the address translation information synchronization control unit 224, and the address translation information synchronization control unit 224 executes the operation. In other words, in the case of the master, the address translation information synchronization control unit 224 does not operate, and in the case of backup, the VRRP control packet transmission control unit 223 does not operate.

  FIG. 5 is a diagram showing an example of a dynamic NAT / NAPT address conversion table. This address conversion table is stored in the address conversion database table 222.

  In FIG. 5, the top entry is between the port 10000 of the terminal in the private network 102 having the address aa.aa.aa.aa and the port 30000 of the server having the address nn.nn.nn.nn of the Internet 103. Shows a conversion table related to communication. Here, aa.aa.aa.aa is a private IP address, and nn.nn.nn.nn is a global IP address.

  In order for a terminal in the private network 102 to communicate with a server on the Internet 103, dynamic NAT / NAPT address conversion is performed. Then, the private IP address aa.aa.aa.aa held by the terminal is converted into the global IP address gg.gg.gg.gg held by the router device 200. At this time, the port number is converted to 20000. The central entry and the bottom entry are similar conversion tables. The global IP address (hh.hh.hh.hh) is also a global IP address that the router device 200 has.

  In FIG. 5, flag information is information indicating the synchronization state of each entry. “Synchronized” indicates that synchronization with the address conversion table stored in the address conversion database table 222 on the backup side described later is established. “New” indicates that the entry has just been generated by performing dynamic NAT / NAPT address conversion. “Delete” is an entry relating to correspondence information that is no longer used due to timeout or command deletion. “New” and “deletion” are written based on an instruction from the information management unit 221, and “synchronized” is written by the operation of the VRRP control packet transmission control unit 223.

  This flag information is information used in the address conversion table on the master side, but may be provided in the address conversion table on the backup side. When the backup side address conversion table is provided, flag information of “synchronized” is attached to all entries.

  FIG. 6 is a diagram showing the format of the VRRP control packet.

  In FIG. 6, the format shown at the top is a control packet used in VRRP described in the background art. Each field has the following meaning:

  Version indicates the VRRP version. Type indicates the VRRP type, and 1 is set in the advertisement. Vertual Rtr ID is a VRRP value, and routers belonging to the same VRRP group have the same value. Priority is a priority, and the router with the highest priority becomes the master. Count IP Addrs indicates the number of IP addresses advertised in this VRRP packet. Authentication Type indicates an authentication type. Adver Int indicates an advertisement transmission interval. Checksum indicates the checksum of this packet. IP Address indicates an IP address that can be used as a virtual IP address. Authentication Data indicates authentication data.

  In this embodiment, this VRRP control packet is extended and used as an extended VRRP control packet shown at the bottom of FIG. That is, a field of “dynamic nat table” is added, and the contents (entry record) of the address translation table of one entry can be added here.

  Next, an operation when the router apparatus 200 of the present embodiment functions as the master router apparatus 110 will be described with reference to FIG.

  FIG. 7 is a flowchart illustrating the operation of the master router device 110 according to the second embodiment. The configuration of master router device 110 will be described using the configuration of router device 200 in FIG.

  The master router device 110 receives the packet (S201). As described with reference to FIG. 4, the packet reception unit 211 receives the packet input to the reception port and stores the packet in the reception buffer to receive the packet.

  A reception interface process is performed on the received packet (S202). As described with reference to FIG. 4, the reception I / F processing unit 212 performs reception processing such as analysis of header information of the reception packet.

  As a result of this reception processing, it is determined whether or not the received packet requires dynamic NAT / NAPT address conversion (S203).

  For example, by identifying that the transmission destination address is a global IP address of a device in the Internet, it can be determined that the communication is from the private network 102 toward the Internet 103. In this case, dynamic NAT / NAPT address conversion is required (S203, Yes).

  By identifying that the transmission destination address is the global IP address held by the master router device 110, it can be determined that the communication is from the Internet 103 toward the private network 102. Also in this case, dynamic NAT / NAPT address conversion is required (S203, Yes).

  Further, when it is identified that the transmission destination address is a private IP address, it can be determined that the communication is within the private network 102. In this case, address conversion is not necessary (S203, No).

  When address translation is not required (S203, No), the process proceeds to step S208, and the routing unit 213 performs a routing process for selecting a route with reference to header information and routing table information (S208). Then, the transmission I / F processing unit 214 rewrites the header information based on the route selection result, and the packet is accumulated in the transmission buffer corresponding to the transmission port. The packet transmission unit 215 extracts the packet from the transmission buffer and transmits it (S209).

  On the other hand, when dynamic NAT / NAPT address conversion is necessary (S203, Yes), the reception I / F processing unit 212 instructs the information management unit 221 to perform dynamic NAT / NAPT address conversion processing.

  First, the information management unit 221 determines whether it is necessary to create a new entry in the address translation database table 222 (S204).

  Here, in the case of communication from the private network 102 to the Internet 103, it is confirmed whether or not an entry corresponding to the private IP address of the transmission source address exists in the address translation database table 222. If an entry corresponding to the private IP address of the source address already exists in the address translation database table 222, it is not necessary to create a new entry (No in S204).

  In addition, it is not necessary to create a new entry for communication from the Internet 103 toward the private network 102 (S204, No). This is because it can be regarded as a communication paired with a communication from the private network 102 to which the dynamic NAT / NAPT address conversion is performed toward the Internet 103.

  When it is not necessary to create a new entry in the address conversion database table 222 (S204, No), the information management unit 221 refers to the address conversion table of the existing entry and performs address conversion (S205).

  In the case of communication from the private network 102 to the Internet 103, the private IP address (before conversion) of the packet source address may be rewritten to the global IP address (after conversion) associated therewith.

  In the case of communication from the Internet 103 toward the private network 102, the contents of the address conversion table are reversely used. That is, the global IP address and port number of the packet transmission destination address may be rewritten to the private IP address and port number (before conversion) corresponding to the same global IP address and port number (after conversion).

  When address conversion is performed by referring to the address conversion table of an existing entry in the process of step S205, the information management unit 221 notifies the address conversion information to the routing unit 213, and the process proceeds to step S208.

  On the other hand, when the entry corresponding to the private IP address of the packet source address does not exist in the address translation database table 222 (S204, Yes), the information management unit 221 generates address translation information (S206). That is, address translation information in which a private IP address, a port number (before translation), a global IP address that has been pooled in advance, a port number (after translation), a destination global IP address, and a port number are associated with each other. And

  The information management unit 221 registers the address conversion information generated by the dynamic NAT / NAPT address conversion in the address conversion database table 222 (S207). The address conversion information is stored as an address conversion table as described with reference to FIG. At this time, “new” flag information is attached.

  The information management unit 221 notifies the routing unit 213 of the global IP address of the source address that has been converted, and the process proceeds to step S208.

  The routing unit 213 performs routing processing for selecting a route with reference to header information and routing table information (S208).

  The converted address and port number are rewritten in the transmission I / F processing unit 214 together with the route information selected by the routing unit 213. That is, in the case of communication from the private network 102 to the Internet 103, the packet source address and port number are rewritten to the global IP address and port number (after conversion). In the case of communication from the Internet 103 to the private network 102, the packet transmission destination address and port number are rewritten to the private IP address and port number (before conversion).

  The packet transmission unit 215 extracts and transmits the packet stored in the transmission buffer corresponding to the transmission port (S209).

  The above is the operation executed by the master router device 110 of this embodiment.

  Next, the operation of synchronizing the address translation table by the router device 200 of this embodiment will be described with reference to FIGS. The synchronization operation when the router device 200 functions as the master router device 110 is shown in FIG. 8, and the synchronization operation when the router device 200 functions as the backup router device 120 is shown in FIG.

  FIG. 8 is a flowchart showing an operation of synchronizing the address translation table by the master router device 110 according to the second embodiment.

  The flow shown in FIG. 8 is an operation mainly executed by the VRRP control packet transmission control unit 223 of the master router device 110.

  The VRRP control packet transmission control unit 223 receives the master display display information from the state management unit 225 when the router device 200 operates as the master router device 110. Then, the VRRP control packet transmission control unit 223 executes the operation of the flow illustrated in FIG. 8 at a predetermined timing for transmitting the VRRP control packet.

  When the predetermined timing for transmitting the VRRP control packet comes, the VRRP control packet transmission control unit 223 first refers to the contents of the address translation database table 222 (S301).

  Then, it is confirmed whether or not there is updated address translation information in the address translation database table 222 (S302). This is a process of confirming whether there is address translation information to be synchronized with the backup side.

  That is, the VRRP control packet transmission control unit 223 determines the type of flag information of each entry in the address translation database table 222.

  When the flag information is “synchronized”, it means an entry that is already synchronized with the backup side, and is not update information. If the flag information is “new”, it is an entry to be added to the backup side. If the flag information is “deleted”, the entry should be deleted on the backup side. Therefore, when there is an entry whose flag information is “new” and “deleted”, it is determined that there is address conversion information to be synchronized with the backup side (Yes in S302).

  As a result of the confirmation in step S302, if there is updated address translation information (Yes in S302), a VRRP control packet including the updated address translation information is generated (S303). In this case, the corresponding entry record including the flag information is set in the “dynamic nat table” field of the VRRP control packet described with reference to FIG.

  On the other hand, as a result of the confirmation in step S302, if there is no updated address translation information (No in S302), a VRRP control packet is generated without setting information in the “dynamic nat table” field of the VRRP control packet (S304). ). That is, in this case, the flag information of all entries in the address translation database table 222 is “synchronized”.

  When a VRRP control packet including an entry record corresponding to the updated address translation information is generated in step S303, post-processing of the contents of the address translation database table 222 on the master side is performed according to the flag information. That is, it is confirmed whether the flag information of the processed entry is “deleted” or “new” (S305).

  If the flag information is “delete” (S305, delete), the entry is deleted from the address translation database table 222 (S306).

  If the flag information is “new” (S305, new), the flag information of the entry is set to “synchronized” (S307).

  The VRRP control packet generated in step S303 and the VRRP control packet generated in step S304 are transmitted by the transmission I / F processing unit 214 and the packet transmission unit 215 (S308). Since the VRRP control packet is transmitted to the multicast address assigned for VRRP, even if a plurality of backup router apparatuses 120 are installed, all the backup router apparatuses 120 may receive the same information. it can.

  Next, the operation of the backup router device 120 that has received the VRRP control packet generated as described above will be described.

  FIG. 9 is a flowchart illustrating an operation of synchronizing the address translation table by the backup router device 120 according to the second embodiment.

  The flow shown in FIG. 9 is an operation mainly executed by the address translation information synchronization control unit 224 of the backup router device 120.

  The address translation information synchronization control unit 224 receives the display information of the backup display from the state management unit 225 when the router device 200 operates as the backup router device 120. When the VRRP control packet is received at a predetermined timing, the address translation information synchronization control unit 224 executes the operation of the flow shown in FIG. Note that the description of the reception processing specified by the original VRRP protocol of the VRRP control packet by the backup router 120 is omitted.

  When the reception I / F processing unit 212 identifies that the received packet is a VRRP control packet as a result of analyzing the received packet, the reception I / F processing unit 212 instructs the address conversion information synchronization control unit 224 to perform processing related to synchronization control of the address conversion database table 222 To do.

  The address translation information synchronization control unit 224 receives the VRRP control packet (S401), and determines whether the “dynamic nat table” field includes address translation information (entry record) (S402).

  If there is no setting information in the “dynamic nat table” field (S402, No), the synchronization control of the address translation database table 222 is unnecessary, and the process ends.

  If there is setting information in the “dynamic nat table” field (S402, Yes), the address conversion information set in the field is extracted (S403). Then, the type of the extracted flag information (“delete” or “new”) is determined (S404).

  When the flag information identified in step S404 is “delete” (S404, delete), the address translation information synchronization control unit 224 deletes the entry having the same content as the extracted address translation information from the address translation database table 222 (S405). .

  On the other hand, when the flag information identified in step S404 is “new” (S404, new), the address translation information synchronization control unit 224 sets the extracted address translation information as a new entry in the address translation database table 222 (S406). ). When flag information is also provided in the address conversion table on the backup side, the flag information is set to “synchronized” at this time.

  By executing the processing in step S405 or step S406, the contents of the master-side address translation database table 222 and the backup-side address translation database table 222 are synchronized.

  The execution of the process of step S405 or step S406 ends the operation of the address translation information synchronization control unit 224.

  As described above, the present embodiment is configured to transmit the dynamic NAT / NAPT conversion table information held by the master router device to the backup router device using the expanded VRRP control packet. Since the VRRP control packet is used for checking the normal operation of each counterpart router device that is a redundant configuration set by VRRP, the existing configuration can be used. As a result, the same NAT / NAPT conversion table information as that of the master router device can be stored in the backup router device with a simple configuration. Therefore, communication can be continued even if the backup router device is switched to the master when a failure occurs in the master router device.

  Therefore, this embodiment can efficiently synchronize the address translation information between the master router device and the backup router device that form a redundant configuration using VRRP for connection between networks having different address spaces. .

DESCRIPTION OF SYMBOLS 1,101 Redundant structure 2 1st network 3 2nd network 10, 110 Master router apparatus 11 1st address translation information 12 VRRP control packet transmission control means 20, 120 Backup router apparatus 21 2nd address translation information 22 Address Conversion information synchronization control means 100 network 102 private network 103 internet 130 first switch 140 second switch 200 router device 211 packet receiving unit 212 reception I / F processing unit 213 routing unit 214 transmission I / F processing unit 215 packet transmission unit 221 Information management unit 222 Address translation table database 223 VRRP control packet transmission control unit 224 Address translation information synchronization control unit 225 Status management unit

Claims (10)

When functioning as a master device that is deployed between networks in different address spaces and forms a redundant configuration using VRRP (Virtual Router Redundancy Protocol), a dynamic NAT (Network NAT) of packets transmitted and received between the networks in the different address spaces is used. VRRP control packet transmission control means for outputting the first address translation information generated by performing Address Translation (NAPT) and Network Address Port Translation (NAPT) address translation in a VRRP control packet to be transmitted at a predetermined time interval;
When functioning as a backup device that is deployed between networks in different address spaces and forms the redundant configuration, the first address translation information included in the VRRP control packet received from the master device is extracted, and the backup device Address translation information synchronization control means for holding as second address translation information for dynamic NAT / NAPT address translation to be managed;
A router device comprising: A state management unit indicating whether its own router device functions as the master device or the backup device, and an address conversion table database storing the first address conversion information or the second address conversion information And further comprising,
When the state management unit indicates that its router device functions as the master device, the VRRP control packet transmission control means transmits the VRRP control packet at a predetermined time interval. Refer to the database unit, and generate the VRRP control packet in which the first address conversion information stored in the address conversion table database unit is added to a predetermined area,
When the state management unit indicates that its router device functions as the backup device, the address translation information synchronization control means is configured to send the first information added to a predetermined area of the received VRRP control packet. 2. The router device according to claim 1, wherein the address translation information is extracted, and the extracted first address conversion information is stored as the second address conversion information in the address conversion table database unit. The VRRP control packet transmission control means generates the first address translation information stored in the address translation table database unit by adding one entry record to one VRRP control packet. The router device according to claim 2. Each entry of the first address translation information stored in the address translation table database unit is attached with flag information indicating the state of the entry, and the VRRP control packet transmission control means includes the flag information. The router apparatus according to claim 3, wherein an entry record is added to the VRRP control packet. The flag information includes a new flag indicating that it is a newly added entry, a synchronized flag indicating that it is an entry added to the VRRP control packet, and a deletion indicating that it is an entry to be deleted Including flags,
When the VRRP control packet transmission control unit detects an entry with the new flag when referring to the address translation table database unit, the VRRP control packet transmission control unit adds an entry record including the new flag and adds the VRRP Generating a control packet, changing the new flag attached to the entry of the address translation table database unit to the synchronized flag,
When the VRRP control packet transmission control means detects an entry with the deletion flag when referring to the address translation table database unit, the VRRP control with the entry record including the deletion flag added Generate a packet, delete the entry with the deletion flag in the address translation table database part,
When the flag information included in the entry record added to the received VRRP control packet is the new flag, the address translation information synchronization control unit stores the entry record in the address translation table database unit. Stored as address conversion information
When the flag information included in the entry record added to the received VRRP control packet is the deletion flag, the address conversion information synchronization control means is configured to store the second information stored in the address conversion table database unit. 5. The router device according to claim 4, wherein the corresponding entry of the address translation information is deleted. When functioning as a master device that is deployed between networks in different address spaces and forms a redundant configuration using VRRP (Virtual Router Redundancy Protocol), a dynamic NAT (Network NAT) of packets transmitted and received between the networks in the different address spaces is used. Address translation) • NAPT (Network Address Port Translation) The first address translation information generated by performing address translation is included in a VRRP control packet transmitted at a predetermined time interval and output.
When functioning as a backup device that is deployed between networks in different address spaces and forms the redundant configuration, the first address translation information included in the VRRP control packet received from the master device is extracted, and the backup device A redundancy method for storing as second address translation information for dynamic NAT / NAPT address translation to be managed. Storing state management information indicating whether to function as the master device or the backup device;
When the state management information indicates that it functions as the master device, when transmitting the VRRP control packet at a predetermined time interval, refer to an address conversion table database unit that stores the first address conversion information And generating the VRRP control packet in which the first address conversion information stored in the address conversion table database unit is added to a predetermined area;
When the state management information indicates that the device functions as the backup device, the first address conversion information added to a predetermined area of the received VRRP control packet is extracted, and the extracted first address conversion 7. The redundancy method according to claim 6, wherein the information is stored in an address conversion table database unit that stores the second address conversion information. 8. The redundancy method according to claim 7, wherein the first address conversion information is generated by adding one entry record to a predetermined area of one VRRP control packet. Each entry of the address translation table database section that stores the first address translation information is attached with flag information indicating the state of the entry, and the VRRP control packet to which an entry record including the flag information is added is generated. The redundancy method according to claim 8. The flag information includes a new flag indicating that it is a newly added entry, a synchronized flag indicating that it is an entry added to the VRRP control packet, and a deletion indicating that it is an entry to be deleted Including flags,
When an entry with the new flag is detected when referring to the address conversion table database section storing the first address conversion information, an entry record including the new flag is added and the VRRP is added. Generating a control packet, changing the new flag attached to the entry of the address translation table database unit storing the first address translation information to the synchronized flag;
When an entry with the deletion flag is detected when referring to the address conversion table database unit storing the first address conversion information, the VRRP control to which an entry record including the deletion flag is added A packet is generated, and the entry with the deletion flag is deleted from the address translation table database unit storing the first address translation information;
When the VRRP control packet is received, if the flag information included in the entry record added to the received VRRP control packet is the new flag, the second address translation information is stored in the entry record. Store in the address translation table database section,
When the VRRP control packet is received, if the flag information included in the entry record added to the received VRRP control packet is the deletion flag, an address conversion table database that stores the second address conversion information 10. The redundancy method according to claim 9, wherein the corresponding entry of the part is deleted.

Images