JP4288320B2 - VPN router - Google Patents

Description

  The present invention relates to a search technique for a table in which an output port corresponding to a destination address in a VPN (Virtual Private Network) is recorded.

  FIG. 5 shows the configuration of a conventional VPN network, and FIG. 6 shows the configuration of a conventional router. In a conventional network, a VPN is basically realized by using IP addresses without duplication. The router also performs routing based on this IP address.

When implementing a VPN, it is also monitored that it is a DA (destination address) allowed for a pre-registered SA (source address) and prevents packets from being mixed into the VPN from other VPNs. (For example, refer to Patent Document 1). As shown in FIG. 6, the input IP packet is distributed to a predetermined output port using a table in which the output port number corresponding to the destination address (DA) is recorded.
JP 2001-251351 A

  The VPN router shown in FIG. 6 is provided with a forwarding engine (hereinafter referred to as FE) for each line, and distributes input IP packets to predetermined output ports. In such a conventional router, it is necessary to add FE as the number of lines increases.

  In the table shown in FIG. 6, for example, search is performed in order from the top of the recorded destination address, and the output port is determined when it matches the destination address of the input IP packet. In other words, in order not to allow duplication of IP addresses, one large table consisting of a list of IP addresses is inevitably used. When a search is performed using such a single large table, the amount of data in the table is enormous, and there is a problem that a long processing time is required for the search. Further, as the number of VPNs increases, it is necessary to update all the FE tables, which requires enormous labor and cost.

  Furthermore, in the conventional VPN, as shown in FIG. 6, VPNs are classified by destination address. Therefore, as described above, it is necessary to use IP addresses without duplication. This means that one destination address is not allowed to belong to multiple VPNs.

  However, in recent years when a wide variety of VPN usage forms are required, a VPN usage form in which one destination address belongs to a plurality of VPNs may be required. For example, user # 3 belongs to both VPN # 1 and VPN # 2, and user # 3 receives both IP packets from user # 1 of VPN # 1 and IP packets from user # 2 of VPN # 2. Even if it is going to implement | achieve the VPN utilization form of receiving, it was difficult for the conventional VPN to respond to such a request.

  An IP packet from a user who does not use VPN also arrives at the input interface unit. Even for such IP packets that are unrelated to VPN, a table is searched based on the destination address, and as a result, it becomes clear for the first time that it is unrelated to VPN. It is difficult to spend for.

  The present invention is based on such a background, and by using an independent table corresponding to VPN and searching in parallel for each VPN, a usage form in which one destination address belongs to a plurality of VPNs is allowed. Search time can be reduced, hardware configuration can be reduced, VPN can be easily added, and all the processing power of FE can be spent for VPN construction. An object of the present invention is to provide a VPN router that can be used.

  The present invention is characterized in that an FE is provided for each VPN, and an identification unit for identifying the VPN is provided for each line. As a result, by using a separate table for VPN support and searching in parallel for each VPN, it is possible to allow usage forms in which one destination address belongs to multiple VPNs. it can. Further, since the table classified for each VPN is used, the table size can be reduced as compared with the conventional case, so that the search time can be shortened. In general, since the number of VPNs is smaller than the number of lines, the number of FEs can be reduced as compared with the prior art, and the hardware configuration can be reduced. Further, it is only necessary to amplify the FE every time the number of VPNs increases, and it is possible to save the trouble and cost of updating the tables of all FEs as in the prior art. Further, since there is no input of IP packets unrelated to VPN in FE, all of the processing capacity of FE can be spent for VPN construction.

  That is, the present invention is a VPN router, and the feature of the present invention is that it is provided for each input line, and VPN identification means for identifying the VPN to which the input IP packet belongs, and the identification result by this VPN identification means. Correspondingly, a distribution unit that distributes the input IP packet for each VPN, and an output port of the input IP packet that is provided for the output port of the distribution unit and that is distributed for each VPN by the distribution unit. And a means for determining a path for each VPN.

  Alternatively, the VPN router of the present invention is characterized in that it is provided for each input line, a VPN identifying means for identifying the VPN to which the input IP packet belongs, and this VPN identifying means are provided in a part of the input port, Routing means for distributing the input IP packet for each VPN according to the identification result by the VPN identification means, and a destination of the input IP packet provided for a part of the output port of the routing means and distributed for each VPN by the routing means Means for determining the output route of the input IP packet for each VPN based on the address, and the routing means inputs the IP packet whose output route is determined by the means for determining to a part of the input port. And a means for routing the IP packet according to the output route. That (claim 2).

  In any configuration, the VPN identifying means can include means for identifying the VPN based on the address information of the input IP packet. Alternatively, a VPN identifier is written in the IP packet, and the VPN identifying means can comprise means for identifying the VPN based on the VPN identifier of the input IP packet.

  Another aspect of the present invention is a program that, when installed in an information processing apparatus, causes the information processing apparatus to realize functions corresponding to the respective means of the VPN router of the present invention (claims). 5).

  Still another aspect of the present invention is a recording medium readable by the information processing apparatus on which the program of the present invention is recorded (claim 6). By recording the program of the present invention on the recording medium of the present invention, the information processing apparatus can install the program of the present invention using this recording medium. Alternatively, the program of the present invention can be directly installed in the information processing apparatus via a network from a server holding the program of the present invention.

  As a result, using a general-purpose information processing device and using an independent table corresponding to the VPN and searching in parallel for each VPN, it is possible to allow a usage mode in which one destination address belongs to a plurality of VPNs. A VPN router that can shorten the search time, reduce the hardware configuration, facilitate the addition of VPN, and spend all of the processing power of FE for VPN construction. Can be realized.

  Without providing an FE for each line, the line interface only needs to identify the VPN, and the hardware configuration can be reduced. In addition, it is easy to add a VPN. Further, the multiplexing effect can be obtained up to the limit of the performance of the forwarding engine for each VPN.

(First Example)
FIG. 1 is a configuration example of the VPN router of the first embodiment, and FIGS. 2 and 3 are configuration examples of the VPN identification unit. A first embodiment will be described with reference to FIGS.

  The first embodiment is a VPN router, and the feature of the first embodiment is that, as shown in FIG. 1, a VPN identifying unit (for each input line) for identifying a VPN to which an input IP packet belongs ( FE ′) 1 and a distribution unit 2 that distributes the input IP packet for each VPN according to the identification result by the VPN identification unit 1, and an output port of the distribution unit 2, provided by the distribution unit 2 for each VPN FE3 for determining for each VPN the output route of the input IP packet based on the destination address of the distributed input IP packet (claim 1). Further, the IP packet whose output route is determined is routed by the routing unit 4.

  Next, the operation of the router of the first embodiment will be described. The input packet is first identified by the VPN identifying unit 1 as to which of the VPNs # 1 to # K2. The identified packet is transferred to the FE 3 for each corresponding VPN. In this case, the number K1 of the VPN identification units 1 is determined by the number of input ports, and is total K1 × m, where m is the number of distribution units 2.

  On the other hand, K2 is the number of VPNs, and if it is small, there is generally a relation of K1> K2. Further, as the setting, K1 is determined in accordance with the capability of FE3, so that the scalability is high and the efficiency is high due to the multiplexing effect. That is, by setting K1 >> K2, one FE3 can be shared by a plurality of interfaces.

  As shown in FIG. 2, the VPN identification unit 1 includes a VPN identification table, and can sort and view a specific part of the destination address (DA). In the example, only the destination address (DA) is used, but the source address (SA) can be limited, and illegal entry from the SA into the VPN can be eliminated in this portion.

  In the example of FIG. 3, an example in which a VPN identifier (VPN-ID) is given to the packet is shown. The VPN identifying unit 1 identifies the VPN of the input IP packet based on the VPN-ID. The VPN-ID is dynamically assigned, but can correspond to the FE number for each VPN used in the apparatus.

(Second embodiment)
FIG. 4 is a diagram for explaining the second embodiment. A feature of the VPN router of the second embodiment is that it is provided for each input line, a VPN identifying unit 1 for identifying the VPN to which the input IP packet belongs, and this VPN identifying unit 1 is provided in a part of the input port The routing unit 5 distributes the input IP packet for each VPN according to the identification result by the VPN identifying unit 1 and a part of the output port of the routing unit 5, and is distributed for each VPN by the routing unit 5. And an FE unit 6 that determines an output route of the input IP packet for each VPN based on the destination address of the input IP packet. The determined IP packet is input, and the IP packet is routed according to the output route. When the input IP packet is distributed for each VPN, it is distributed according to a specific part (Claim 3) or VPN-ID (Claim 4) having a destination address (DA) as in the first embodiment.

  Next, the operation of the router of the second embodiment will be described. The VPN identifying unit 1 is also provided for each input line, but the FE unit 6 provided with the FE 3 for each VPN is connected to the switch in a post-trunk form. The VPN identification unit 1 in the preceding stage identifies the FE3 for each corresponding VPN, forwards the packet to the corresponding FE3, determines the output port with the FE3, and outputs the packet with the output port number again with the routing unit 5 Transfer to the line.

(Third embodiment)
The present invention can be implemented as a program that, when installed in a general-purpose information processing apparatus, causes the information processing apparatus to realize a function corresponding to the VPN router of the present invention. This program is recorded in a recording medium and installed in the information processing apparatus, or installed in the information processing apparatus via a communication line, so that the VPN identification unit 1, the distribution unit 2, the FE3, the routing Functions corresponding to the units 4 and 5 and the FE unit 6 can be realized.

  According to the present invention, by using an independent table corresponding to the VPN and searching in parallel for each VPN, it is possible to allow a usage form in which one destination address belongs to a plurality of VPNs, and to shorten the search time. In addition, the hardware configuration can be reduced, the addition of the VPN can be facilitated, and the entire processing capacity of the FE can be spent for the VPN construction.

  Thereby, since it can respond to various VPN utilization forms, the convenience with respect to a user can be improved. Moreover, since the cost for VPN construction can be kept low, it can contribute to the spread of VPN use.

The block diagram of the router of a 1st Example. The block diagram of a VPN identification part. The other block diagram of a VPN identification part. The block diagram of the router of a 2nd Example. The figure which shows the conventional VPN network. The figure which shows the structure of the conventional router.

Explanation of symbols

1 VPN identification part 2 Sorting part 3 FE
4, 5 routing part 6 FE part

Claims (6)

VPN identification means that is provided for each input line and identifies the VPN to which the input IP packet belongs;
A distribution unit that is provided for each of the plurality of VPN identification units, and distributes the input IP packet to the output port for each VPN according to the identification result by the VPN identification unit;
The output route of the input IP packet is determined based on the destination address of the input IP packet that is individually provided for each VPN corresponding to the output port of the distribution unit and is distributed by the distribution unit as belonging to the VPN. A VPN router, characterized by comprising: means. VPN identification means that is provided for each input line and identifies the VPN to which the input IP packet belongs;
Routing means for providing the VPN identification means to a part of the input port, and distributing the input IP packet to the output port for each VPN according to the identification result by the VPN identification means;
Respectively provided at the output port of each of the VPN, means for determine the output path of the input IP packet based on the destination address of the input IP packets that are repeats division by riffs to said routing means as belonging to the VPN With
The routing means includes means for inputting an IP packet whose output route is determined by the determining means to a part of the input port, and routing the IP packet according to the output route. VPN router.   The VPN router according to claim 1 or 2, wherein the VPN identification means includes means for identifying a VPN based on address information of an input IP packet. The VPN identifier is written in the IP packet,
The VPN router according to claim 1 or 2, wherein the VPN identification means includes means for identifying a VPN based on a VPN identifier of an input IP packet.   A program that, when installed in an information processing apparatus, causes the information processing apparatus to realize functions corresponding to the respective means of the VPN router according to any one of claims 1 to 4.   6. A recording medium readable by the information processing apparatus on which the program according to claim 5 is recorded.

Images