JP5784447B2 - Network setting device, VPN termination device, network setting method, and program - Google Patents

Description

  The present invention relates to a network setting technique capable of easily switching a communication path used by a VPN tunnel in a virtual closed network (VPN).

  As an example of VPN technology, in recent years, VPLS (Virtual Private LAN Service) technology that implements wide area Ethernet (registered trademark) service using MPLS (Multi-Protocol Label Switching) has begun to be used. FIG. 1A shows an example of a network configuration using VPLS.

  The network shown in FIG. 1A includes PE (provider edge) devices 10, 20, and 30 that are communication devices on the telecommunications carrier (provider) side, and CE (customer edge) devices that are communication devices on the user's base side. 40, 50, and 60 are connected by a communication path. In the example of FIG. 1A, the user terminal A is connected to the CE device 40, the user terminal B is connected to the CE device 50, and the user terminal C is connected to the CE device 60. Each CE device is a router for routing IP packets. Each PE device is a device having a function of performing packet switching by a MAC address and performing transfer using an MPLS logical path (LSP: Label Switched Path) as a tunnel. In this specification and claims, the term “packet” is used in a broad sense including “frame” and the like. However, in the following description of the prior art and the description of the embodiments, most In this case, “packet” is an Ethernet frame, and when referring to a specific type of packet, a description such as “IP packet” or “MPLS packet” is used.

  Each device is assigned an IP address and a MAC address as shown in FIG. For example, the MAC address: 2222 and the IP address: 192.168.0.1 are assigned to the interface (physical interface): eth0 in the CE device 40, and the MAC address: αααα and the IP address: 172.16.0 are assigned to eth1. .1 is assigned. As shown in FIG. 1A, each CE device includes a routing table. The routing table shown here is for routing to the MPLS backbone side.

  In the MPLS backbone 70 on the telecommunications carrier side, PE devices are fully mesh-connected by LSP.

  In the network shown in FIG. 1A, an MPLS backbone 70 connecting PE devices is a public network that passes various user traffic. In a PE device, packets sent from user bases are expressed by MPLS labels. It is encapsulated and the MPLS packet is transferred to the opposite PE apparatus. Since MPLS label values are strictly managed so that users can be uniquely identified between PE devices, confidentiality of user communication is ensured. A network configured by connecting CE devices appears to a user as an IP closed network dedicated to the user. However, since this closed network is a virtual network using a public network, it is called a virtual closed network (also referred to as a VPN: Virtual Private Network) 80.

  Hereinafter, with reference to the sequence diagram of FIG. 1B, an operation example when IP packet communication is performed from the user terminal A to the user terminal B in the network shown in FIG.

  Step 1) The user terminal A sends a packet including an IP packet having the IP address of the user terminal B as the destination IP address to the CE device 40 that is the default gateway of the user terminal A.

  Step 2) The CE device 40 that has received the packet from the user terminal A refers to the routing table, recognizes that the IP address of the next hop is 172.16.0.2, and performs the next hop (172. 16. Know that the MAC address of 16.0.2) is ββββ.

  Step 3) The CE device 40 transmits a packet including the above IP packet and having the destination MAC address ββββ to the PE device 10 connected to eth1.

  Step 4) At this point, if the PE device 10 has already learned the correspondence between the MAC address: ββββ and the interface to which the packet is to be output, the packet received from the CE device 40 based on this correspondence is MPLS-encapsulated. (LSP label is attached) and transferred to the counter PE device 20. Note that if the MAC learning is not performed at this time (for example, when the contents of the learning table are deleted due to timeout), the PE device 10 floods the packet to all the LSPs to obtain the MAC address: ββββ. The interface corresponding to (LSP to be used) is learned.

  Step 5) Upon receiving the MPLS packet, the PE device 20 transfers the packet obtained by removing the MPLS capsule from the MPLS packet to the CE device 50.

  Step 6) The CE device 50 transfers the IP packet to the user terminal B.

  As described above, each PE apparatus in the MPLS backbone has a MAC address learning table for each user, and determines which LSP should forward a packet addressed to which MAC address. The packet is tunnel-transferred by the LSP, and is transferred by looking only at the label in the relay section (via a plurality of provider devices (hereinafter referred to as P devices)).

JP 2004-274142 A

  FIG. 2 is a diagram showing in detail a physical configuration example of the MPLS backbone 70 in the network shown in FIG. In the example of FIG. 2, four P devices 91, 92, 93, 94 are included and connected to each other as shown. In this configuration, for example, when a path (LSP) from the PE device 10 to the PE device 20 is set, various routes can be taken depending on which P device is passed.

  There is a service in which a carrier sets a quality class of a path and sets a quality class path according to a user's request. Examples of the quality class include high quality and general quality. The high quality path is, for example, a path that passes through an optimum route with a low delay, and the general quality path is, for example, a path that passes through a route other than the route of the high quality path, and the route selection depending on IP routing control is performed. Pass.

  As an example, in FIG. 2, PE device 10-> P device 91-> P device 92-> LSP1 passing through the route of PE device 20 is a high quality LSP, and PE device 10-> P device 93-> P device 94- > P device 92-> LSP2 passing through the route of PE device 20 is defined as a general quality LSP.

  Here, it is assumed that the VPN tunnel between the CE devices 40 and 50 is set using the general quality LSP2, and the user of the VPN tunnel needs to perform important communication through the VPN tunnel, so that more communication is performed. Suppose that the VPN tunnel is requested to be changed from the general quality LSP2 to the high quality LSP1 in order to improve the quality of the network.

  In the prior art, in this case, the user of the VPN tunnel applies to the network operator managing the MPLS backbone 70 for changing the LSP route, and the network operator allows each of the VPN tunnels of the user to pass through the high-quality LSP1. The PE device setting is changed.

  As described above, the conventional technique has a problem that a complicated procedure is required to change the path of the path used in the VPN, and the path cannot be changed quickly. Further, the conventional technique has the following problems.

  Generally, communication devices such as routers and switches have a traffic measurement function in units of physical interfaces and sub-interfaces (vlan). However, since traffic between various bases flows on these interfaces, traffic between these two bases cannot be measured by measuring traffic on these interfaces.

  Therefore, in the configuration shown in FIGS. 1 and 2, for example, when measuring communication traffic between the user base A and the user base B, in the related art, for each IP address of the communication device included in the user base A, Therefore, it is necessary to measure the traffic volume with respect to the IP address of each communication device included in the user base B and to aggregate the measured traffic volume. However, it is generally difficult to accurately grasp the IP address of a communication device that performs communication at each user site. For example, an unknown communication device that does not manage an IP address is frequently incorporated into a user base network and communication is started. In this case, the traffic amount related to the communication device is not reflected in the measurement. As described above, the conventional technique has a problem that it is difficult to accurately measure the traffic amount between the user bases.

  The present invention has been made in view of the above points, and an object of the present invention is to provide a technique that makes it possible to easily change a communication path used by a VPN tunnel. Another object of the present invention is to provide a technique that enables simple and accurate measurement of traffic between user bases in a VPN.

In order to solve the above-described problems, the present invention provides a network system in which a VPN tunnel is established between VPN terminating devices, accommodated in a communication path established between edge devices of a backbone network. A network setting device configured to set a VPN tunnel from the connected start point VPN terminator to the end point VPN terminator connected to the end point user base for the network system;
VPN termination device information storage that stores an output interface for sending a packet from the start point VPN termination device and an address of the destination VPN termination device that is a destination address of the packet for each type of communication path that accommodates the VPN tunnel. Means,
Based on the type of communication path designated by the user, the output interface of the start point VPN terminator corresponding to the type from the VPN terminator information storage means, and the address of the end point VPN terminator corresponding to the type A setting unit configured to acquire and set the output interface, the address, and the network identification information of the end-point user base designated by the user as routing table information in the start-point VPN terminal device; Configured as a network setting device.

  A table in which a communication path and an address of the end point VPN terminator are associated with each other is set in the edge device connected to the start point VPN terminator, and the start point VPN terminator receives an IP address from the user point of the start point. When a packet is received, the address and output interface corresponding to the destination IP address of the IP packet are determined with reference to the routing table information set by the setting unit, and the address including the IP packet is set as the destination The packet having the address is transferred from the output interface to the edge device, and the edge device that has received the packet refers to the table, determines a communication path corresponding to the destination address of the packet, and Works to transfer.

  For example, the address of the end point VPN terminator is a MAC address, and the output interface of the start point VPN terminator is a subinterface identified by VLAN identification information in the physical interface.

  When a type different from the type of the communication path is designated by the user for the network setting device, the setting unit responds to the different type from the VPN termination device information storage unit based on the different type. The output interface of the start point VPN terminator and the address of the end point VPN terminator corresponding to the different type are acquired, and the output already set in the start point VPN terminator with the output interface and the address. Update the interface and address.

  The present invention is also a VPN terminator as the start point VPN terminator set by the network setting device, wherein the start point user base and the end point user are measured by measuring the traffic of the output interface. It can also be configured as a VPN terminator characterized by having a traffic measuring means for measuring traffic between bases.

Further, the present invention provides a start point VPN terminator connected to a start point user base in a network system that is accommodated in a communication path constructed between edge devices of a backbone network and a VPN tunnel is constructed between the VPN terminators. A network setting method executed by a network setting device that sets a VPN tunnel to the end point VPN terminator connected to the end point user base from the network to the network system,
VPN termination device information storage means for each type of communication path used by the VPN tunnel, an output interface for sending a packet from the start point VPN termination device and an address of the end point VPN termination device which is a destination address of the packet Storing step to store in,
Based on the type of communication path designated by the user, the output interface of the start point VPN terminator corresponding to the type from the VPN terminator information storage means, and the address of the end point VPN terminator corresponding to the type A network setting method comprising: a setting step of acquiring and setting the output interface, the address, and the network identification information of the user base at the end point designated by the user in the start point VPN terminating device. It can also be configured.

  The present invention can also be configured as a program for causing a computer to function as each means of the network setting device.

  According to the present invention, there is provided a technique capable of easily changing a communication path that accommodates a VPN tunnel quickly, for example, by a user's own setting work without intervention of a setting work by a communication carrier. It becomes possible to do. Further, according to the present invention, it is possible to easily and accurately measure the traffic amount between user bases in the VPN by providing the traffic measuring means of the output interface of the VPN terminating device.

It is a figure for demonstrating a prior art. It is a figure for demonstrating a prior art. It is a figure which shows the network structural example which concerns on embodiment of this invention. It is a figure which shows the function structural example of the VPN termination device which concerns on embodiment of this invention. It is a figure which shows an example of the MAC routing table which concerns on embodiment of this invention. It is a figure which shows the function structural example of the PE apparatus which concerns on embodiment of this invention. It is a figure which shows an example of the MAC learning table which concerns on embodiment of this invention. It is a figure for demonstrating the packet transfer process which concerns on embodiment of this invention. It is a figure which shows the function structural example of the NW operation apparatus which concerns on embodiment of this invention. It is a figure for demonstrating the network setting method which concerns on embodiment of this invention. It is a figure for demonstrating the network setting method which concerns on embodiment of this invention. It is a figure for demonstrating the network setting method which concerns on embodiment of this invention. It is a figure which shows the example of a table setting in a NW operation apparatus. It is a figure which shows the network setting corresponding to the table setting example of FIG. 13A. It is a figure for demonstrating the modification of embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment.

(System configuration)
FIG. 3 shows a network configuration example including VPN according to the embodiment of the present invention. As shown in FIG. 3, the network according to the present embodiment is configured by connecting PE apparatuses 201 and 202 and VPN termination apparatuses 101 and 102 via a communication path. Further, a user terminal X is connected to the VPN termination device 101, and a user terminal Y is connected to the VPN termination device 102. Each VPN terminating device is common to the CE device shown in FIG. 1A in that it is arranged at the same network location and routes IP packets, but there are differences in their functions. . Each PE device is the same as the PE device shown in FIG. 1A regarding the communication processing, but the MAC learning table setting method is different. Details will be described later.

  As shown in FIG. 3, a VPN 400 is configured by the VPN termination devices 101 and 102, and an MPLS backbone 300 is configured by the PE devices 201 and 202. In FIG. 3, only the VPN termination devices 101 and 102 and the PE devices 201 and 202 are shown. However, these are only examples, and a large number of devices may actually exist.

  As shown in FIG. 3, in this embodiment, the NW operation device 500 is connected to the communication network 600 and can communicate with each VPN terminal device and each PE device.

  FIG. 4 shows a functional configuration example of the VPN terminating device 101 according to the present embodiment. Other VPN terminators have the same functional configuration. As illustrated in FIG. 4, the VPN terminating device 101 includes a user side packet processing unit 110, a provider side packet processing unit 120, interfaces 131 and 132, and a traffic measurement unit 140. In the example of FIG. 4, the number of interfaces on the user side and the provider (communication carrier) side is one, but this is only an example, and there may be a plurality of interfaces. Each interface can set a sub-interface by VLAN.

  The user-side packet processing unit 110 is a functional unit that transfers a packet received from the user-side device and a packet received from the provider-side packet processing unit 120 by a normal IP routing process. For example, if the destination IP address of the packet is the IP address of the user side network in the same site, the packet is transferred to the user side, and if the destination IP address of the packet is the IP address of the user side network of the site different, The packet is passed to the provider side packet processing unit 120. Note that default routing may be used as routing management related to user-side network information at different locations. Alternatively, the user-side packet processing unit 110 may be separated from the VPN termination device 101 and provided in the user's network as another device connected to the VPN termination device 101.

  The provider side packet processing unit 120 includes a MAC routing table setting instruction receiving unit 121, a MAC routing table storage unit 122, and a packet transfer processing unit 123.

  The MAC routing table setting instruction receiving unit 121 receives a setting instruction including setting information (entry) of the MAC routing table from the NW operation device 500, and uses the received setting information as an entry of the MAC routing table. It is a functional part stored in. The MAC routing table storage unit 122 stores a MAC routing table.

  FIG. 5 shows an example of the MAC routing table according to the present embodiment. As shown in FIG. 5, the MAC routing table is a table in which IP subnetwork information for identifying a destination network, a MAC address of a next hop, and an interface for outputting a packet are associated with each other. In addition to the information shown in FIG. 5, metric information for each destination network may be inserted. Further, “eth1.vlan1” in FIG. 5 means that the sub-interface “vlan1” by VLAN is set to the interface “eth1”.

  Returning to FIG. 4, the packet transfer processing unit 123 converts the packet received via the interface 132 connected to the PE device 201 serving as the provider side device and the packet received from the user side packet processing unit 110 into the MAC routing table. It is a functional unit that transfers according to the table information stored in the storage unit 122.

  In the present embodiment, the setting information of the table is received from the NW operation device 500 and stored, but the setting information is received from the operation terminal connected to the VPN terminal device 101 via the MAC routing table setting instruction receiving unit 121. May be received and stored in the MAC routing table storage unit 122.

  The traffic measurement unit 140 according to the present embodiment has a function of measuring traffic transmitted / received to / from a connected PE device in units of vlan. For example, the traffic measurement value may be notified to the NW operation device 500 or the like as needed, or may be stored in a storage unit such as a memory in the VPN termination device 101 and read according to an external command. May be.

  FIG. 6 shows a functional configuration example of the PE apparatus 201. Other PE apparatuses have the same configuration. As shown in FIG. 6, the PE device 201 includes a MAC learning table setting instruction receiving unit 210, a MAC learning table storage unit 220, a packet transfer processing unit 230, and interfaces 241 and 242. In the example of FIG. 6, the number of interfaces on the VPN terminating device side and the MPLS backbone side is one, but this is only an example, and there may be a plurality of interfaces. In addition, the VLAN-ID set in the connection destination VPN terminating device is set in the interface 241 of the PE device 201.

  In this embodiment, in order to facilitate understanding of the technology according to the present invention, the functional configuration of the PE apparatus 201, the contents of the table, and the operation thereof will be described as relating to one VPN user. The apparatus 201 can accommodate a plurality of users. For this purpose, for example, the packet transfer processing unit 230 and the MAC learning table storage unit 220 may be provided for each user. In this configuration, for example, the user is identified by predetermined information (information that can identify the user) in the received packet, the received packet is distributed to the packet transfer processing unit 230 corresponding to the user, and the packet transfer processing unit 230 transfers the received packet. Process. When the packet transfer processing unit 230 transfers a packet to the LSP, a label corresponding to the identified user may be added in addition to the label corresponding to the LSP.

  In addition, instead of such a configuration, a table for each user may be provided in the MAC learning table storage unit 220. In this case, the packet transfer processing unit 230 performs transfer processing by referring to a table corresponding to the user of the received packet.

  The configuration for identifying the user and performing the transfer process is not limited to the above, and various configurations other than the above can be adopted.

  The MAC learning table setting instruction receiving unit 210 receives a setting instruction including setting information (entry) of the MAC learning table from the NW operation device 500, and uses the received setting information as an entry of the MAC learning table. It is a functional part stored in. The MAC learning table storage unit 220 stores a MAC learning table.

  FIG. 7 shows an example of the MAC learning table according to the present embodiment. As shown in FIG. 7, the MAC learning table is a table in which a destination MAC address is associated with an interface that outputs a packet.

  Returning to FIG. 6, the packet transfer processing unit 230 is a functional unit that transfers a packet received via each interface according to the table information stored in the MAC learning table storage unit 242. The packet transfer processing unit 230 has an MPLS function, and when transferring a packet to another PE apparatus, performs packet transfer by performing MPLS encapsulation. That is, when transferring a packet to another PE device, the packet transfer processing unit 230 transfers the packet via the LSP tunnel corresponding to the transfer destination. In the present embodiment, for the transfer to the LSP, the identification information of the LSP is recorded as an “interface” in the MAC learning table. For the transfer to the Ethernet line, the identification information (such as eth0) of the physical interface of Ether is recorded as the “interface”.

  As in the case of the VPN terminating device 101, in the present embodiment, the table setting information is received from the NW operation device 500 and the setting is performed, but the MAC is sent from the operation terminal connected to the PE device 201. The setting information may be received via the learning table setting instruction receiving unit 210 and stored in the MAC learning table storage unit 220.

  Each functional unit of the VPN termination device 101 can be realized by causing a communication device having a computer configuration (including a CPU, a memory, and the like) to execute a program corresponding to each functional unit. Similarly, each functional unit of the PE device 201 can be realized by causing a communication device having a computer configuration (including a CPU, a memory, and the like) to execute a program corresponding to each functional unit. Moreover, you may implement | achieve all or one part function of the VPN termination device 101 and PE apparatus 201 with a hardware logic circuit.

  The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on a network.

  The functional configuration of the NW operation device 500 will be described immediately before the description of the network setting operation.

(System operation)
Before describing the network setting method according to the embodiment of the present invention, first, the packet transfer processing operation of the network according to the present embodiment will be described with reference to FIGS. FIG. 8A is a diagram more specifically showing the network shown in FIG. As shown in FIG. 8A, in this example, VPN termination devices 101, 102, and 103 are included, and PE devices 201 and 202 are included. The user terminal A (base: Osaka) is connected to the VPN terminal 101, the user terminal B (base: Tokyo) is connected to the VPN terminal 102, and the user terminal C (base: Shizuoka) is connected to the VPN terminal 103. ing. As shown in the figure, P devices 151 to 154 exist between the PE devices 201 and 202, and LPS1, which is a high-quality path, is set by a route of PE device 201-> P device 151-> P device 153-> PE device 202. LPS2, which is a general quality path, is set in the route of PE device 201-> P device 152-> P device 154-> PE device 202.

Each device is assigned an IP address and a MAC address as shown in FIG. Further, it is assumed that the table setting of each device has already been completed, and the table information shown in the drawing is set in each device. FIG. 8A shows only main table information.
Hereinafter, an operation example in the case where IP packet communication is performed from the user terminal A to the user terminal B in the network shown in FIG. 8A will be described with reference to the sequence diagram of FIG. In the following description, the functional units in the configuration shown in FIGS. In this example, since communication from the user terminal A (Osaka) to the user terminal B (Tokyo) is set to pass through the high quality path (LSP1), the communication is performed using the high quality path (LSP1). Via.

  Step 101) The user terminal A sends a packet including an IP packet having the IP address of the user terminal B as a destination IP address to the VPN terminating device 101 which is the default gateway of the user terminal A.

  Step 102) In the VPN terminating device 101 that has received the packet from the user terminal A, the user side packet processing unit 110 determines that the destination IP address of the IP packet is the IP address of the network of the user base B that is not the user base A. The received packet is passed to the provider side packet processing unit 120.

  The packet transfer processing unit 123 in the provider-side packet processing unit 120 refers to the MAC routing table storage unit 122, and the MAC address of the next hop corresponding to the destination IP address (192.168.1.B) is βββ1. Is output as eth1. It is grasped that it is vlan1. Then, the packet transfer processing unit 123 sets the source MAC address to eth1. The packet with ααα1 corresponding to vlan1 and the destination MAC address βββ1 is set to eth1. It is transmitted from the interface of vlan1 (sub interface vlan1 in eth1).

  Step 103) In the PE device 201 that has received the packet from the VPN terminating device 101, the packet transfer processing unit 230 refers to the MAC learning table storage unit 220 and confirms that the interface corresponding to the destination MAC address (βββ1) is LSP1. To grasp. That is, in order to transmit a packet addressed to the MAC address (βββ1), LSP1 determines to transfer the packet. Then, the packet transfer processing unit 230 transmits the packet via the LSP1. More specifically, the packet transfer processing unit 230 encapsulates the packet with a label corresponding to LSP1, and transmits the encapsulated packet (referred to as an MPLS packet) from the physical interface corresponding to LSP1.

  Step 104) The MPLS packet transmitted from the PE device 201 reaches the PE device 202. The PE device 202 decapsulates the MPLS packet, and transmits the packet extracted by the decapsulation to the opposite VPN termination device 102 based on the MAC learning table.

  Step 105) In the VPN terminating device 102 that has received the packet, the packet transfer processing unit 123 in the provider side packet processing unit 120 passes the packet to the user side packet processing unit 110 based on the MAC routing table, and the user side packet processing unit 110 transmits an IP packet to the user terminal B by a normal IP routing process.

(Configuration example of NW operation device)
FIG. 9 shows a functional configuration example of the NW operation apparatus 500 according to the embodiment of the present invention. As shown in FIG. 9, the NW operation device 500 includes a user operation function providing unit 510, a user base information table storage unit 520, an inter-base quality class information table storage unit 530, a VPN terminal device information table storage unit 540, a MAC routing. A table information generation unit 550, a communication device setting instruction transmission unit 560, and a provider side input / output unit 570 are provided.

  The user operation function providing unit 510 is a function unit that provides an operation function such as table setting to the user, and displays a menu-type user input screen, for example. Further, the user operation function providing unit 510 may be accessed from a terminal such as a PC via a network, and the user operation function providing unit 510 may provide a user input screen to the PC as a Web page.

  The user base information table storage unit 520 is a functional unit that stores a user base information table. The inter-base quality class information table storage unit 530 is a functional part that stores the inter-base quality class information table. The VPN termination device information table storage unit 540 is a functional unit that stores a VPN termination device information table. The contents of the tables stored in these storage units will be described later.

  The MAC routing table information generation unit 550 generates and generates the setting information of the MAC routing table based on the information stored in each storage unit based on an instruction from the user via the user operation function providing unit 510 This is a functional unit that passes the setting information to the communication device setting instruction transmission unit 560. The communication device setting instruction transmission unit 560 is a functional unit that transmits and sets a setting information setting instruction to a communication device to be set.

  The provider side input / output unit 570 is a functional unit for inputting table information and the like that need to be set on the provider side.

  Each function unit of the NW operation device 500 can be realized by causing a computer (including a CPU, a memory, and the like) to execute a program corresponding to each function unit. The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on the network.

  In the example described in the present embodiment, in order to make the technology easy to understand, an example is shown in which one user uses the NW operation device 500 to set and change the network. The operation device 500 is used by a plurality of users, and each of the plurality of users can configure and change his / her network.

(Network setting operation example)
Hereinafter, it will be described how the table information is set in the network configuration shown in FIG. In the following, in order to make the explanation easy to understand, a part related to communication from Osaka to Tokyo of a specific user (A user) will be described. In the following, it is assumed that the address setting, VLAN setting, and VPLS setting for each device have already been completed. Further, the configuration of the NW operation device 500 illustrated in the following description shows only a portion related to the corresponding processing.

  First, the setting procedure when opening a VPN tunnel from Osaka to Tokyo will be described. In this setting procedure, data setting is first performed on the provider side, and then data setting is performed on the user side.

  FIG. 10 is a diagram for explaining a data setting process performed on the provider side. As shown in FIG. 10, in the data setting process on the provider side, the MAC learning table in the PE device 201 and the PE device 202 is set. That is, as shown in FIG. 10, in the PE apparatus 201, the setting is made such that the interface: LSP1 is associated with the destination MAC address: βββ1, and the interface: LSP2 is associated with the destination MAC address: βββ2. . In the PE apparatus 202, an interface: eth0. vlan1 is associated with the destination MAC address: βββ2 and the interface: eth0. Settings are made to associate vlan2. These settings may be performed from the NW operation device 500 or from an operation terminal connected to each PE device.

  Also, a part of the user base information table and the VPN termination device information table are set by the provider side input / output unit 570 in the NW operation device 500 by the provider side operator. As shown in FIG. 10, it is set in the user base information table that the bases of the A user are Osaka and Tokyo. In the VPN termination device information table, a base name, a quality class, a MAC address, and a VLAN-ID are set in association with each other. For example, in “Tokyo”, the MAC address corresponding to the high-quality path is set to βββ1, and the VLAN-ID is set to vlan1. In this embodiment, since it is assumed that the VPN termination device and the PE device are connected by a single physical link, each physical interface between the VPN termination device and the PE device is fixed to one. Is done. Therefore, it is only necessary to have VLAN-ID information in the VPN termination device information table.

  In order to construct a VPN tunnel from Osaka to Tokyo, the VPN termination device information table is assigned to the output interface (VLAN-ID) for sending packets from the VPN termination device 101 at the start point (Osaka) and the output interface. MAC address (including the MAC address of the VPN terminating device 102 at the end point (Tokyo) that is the destination MAC address of the packet) for each type of communication path (LSP) that accommodates the VPN tunnel (high quality, general quality) ).

  FIG. 11 is a diagram for explaining a data setting process performed on the user side. Here, an operator on the A user side (hereinafter, simply referred to as a user) uses the user input screen displayed by the user operation function providing unit 510 to display information in the inter-base quality class information table and the user base information table. Is set as shown in the figure. In FIG. 11, in order to make it easy to understand which information is set by the user, the information is underlined. As shown in FIG. 11, in the inter-base quality class information table, it is set that the transmission source base is Osaka, the destination base is Tokyo, and the quality class is general quality. In the user base information table, it is set that the Osaka subnet is 192.168.0.0/24 and the Tokyo subnet is 192.168.1.0/24.

  When the setting to each table is completed, the user issues a MAC routing table setting instruction from the user input screen displayed by the user operation function providing unit 510. The MAC routing table setting instruction is received by the MAC routing table information generation unit 550 of the NW operation device 500.

  Upon receiving the MAC routing table setting instruction, the MAC routing table information generation unit 550 stores the table information stored in the user base information table storage unit 520, the inter-base quality class information table storage unit 530, and the VPN termination device information table storage unit 540. MAC routing table information is automatically generated from the communication device setting instruction transmission unit 560, and the VPN terminal device 101 transmits a setting instruction for setting the MAC routing table information.

  As a result, a MAC routing table as illustrated is set in the VPN terminating device 101. First, the setting destination VPN terminating device of the MAC routing table is specified by acquiring the transmission source base “Osaka” from the inter-base quality class information table. Furthermore, by acquiring the destination base “Tokyo”, the destination network to be entered in the MAC routing table is grasped. With respect to this grasping method, the MAC routing table information generation unit 550 acquires the subnet “192.168.1.0/24” of the Tokyo base from the user base information table. In addition, it is understood from the inter-base quality class information table that the quality class is “general quality”, and the MAC address “βββ2” of the destination base (Tokyo) corresponding to “general quality” is determined from the VPN terminating device information table. Obtained as the destination MAC address (NextHop), and further obtains the MAC address “ααα2” on the source base (Osaka) side corresponding to “general quality” as the source MAC address, and at the output interface (VLAN-ID) A certain “vlan2” is acquired, and information in which these are associated is generated as MAC routing table information and set in the VLAN terminating device 101. As described above, in this example, since there is one physical link between the VPN termination apparatus 101 and the PE apparatus 201, the interface on the PE apparatus 201 side in the VPN termination apparatus 101 is determined as one as “eth1”. Therefore, the illustrated MAC routing table whose interface is “eth1.vlan2” is obtained.

(Operation when the quality class setting is changed)
A procedure when the user changes the quality class from the general quality to the high quality after the VPN tunnel with the general quality from Osaka to Tokyo is set by the above procedure will be described with reference to FIG.

  In this case, data setting on the provider side is not necessary, and data setting may be performed only on the user side.

  The user uses the user input screen displayed by the user operation function providing unit 510 of the NW operation device 500 to change the quality class of communication from Osaka to Tokyo in the inter-base quality class information table from “general quality” to “ Change to "High quality". After the change, the user issues a MAC routing table setting instruction from the user input screen displayed by the user operation function providing unit 510. The MAC routing table setting instruction is received by the MAC routing table information generation unit 550 of the NW operation device 500.

  Upon receiving the MAC routing table setting instruction, the MAC routing table information generation unit 550 stores the table information stored in the user base information table storage unit 520, the inter-base quality class information table storage unit 530, and the VPN termination device information table storage unit 540. MAC routing table information is automatically generated from the communication device setting instruction transmission unit 560, and the VPN terminal device 101 transmits a setting instruction for setting the MAC routing table information. Thereby, the table shown in the figure is set in the VPN terminating device 101. In FIG. 12, the information changed from the case of “general quality” is shown with an underline. That is, as a result of “high quality”, the next hop in the MAC routing table of the VPN terminating device 101 is changed from “βββ2” corresponding to “general quality” to “βββ1” corresponding to “high quality”. The interface is changed from “eth1.vlan2” to “eth1.vlan1”. Furthermore, the MAC address on the transmission source base (Osaka) side corresponding to “high quality” is also changed from “ααα2” to “ααα1” as the transmission source MAC address.

  Thus, by using the technology according to the present invention, the user can easily change the VPN quality class. That is, the path used by the VPN tunnel can be easily changed.

(About traffic measurement between bases)
In the present embodiment, it is possible to measure traffic for each subinterface (vlan) on the backbone side of each VPN terminating device. Accordingly, for example, traffic between bases between Tokyo and Osaka can be measured by measuring the traffic of vlan1 (eth1.vlan1) of the VPN terminating device 102 at the Tokyo base in the configuration shown in FIG. However, in the configuration of FIG. 8, when both the Osaka-Tokyo VPN tunnel and the Osaka-Shizuoka VPN tunnel are of high quality, the vlan1 of the Osaka-based VPN termination device 101 includes the Osaka-Tokyo connection, In addition, since two VPN tunnels between Osaka and Shizuoka are accommodated, it is not possible to obtain traffic between two specific bases in this vlan1 traffic measurement.

  In order to make it possible to measure traffic between any two specific sites at all sites, vlan is set as shown in FIGS. 13A and 13B, and each table is set. By registering each table in FIG. 13A, the MAC routing table shown in FIG. 13B is automatically set.

  In other words, in a VPN terminating device at a certain installation site, a MAC address is set for each quality class, and vlan is assigned so that the VLAN-ID is unique for each quality class and each opposite site (ground). The association is set in the VPN termination device information table.

For example, in the Osaka base, in correspondence with “high quality”, the MAC address is “ααα1”, the VLAN-ID corresponding to the ground: “Tokyo” is “vlan1”, and the VLAN- corresponding to the ground: “Shizuoka” The ID is “vlan2”. Further, in correspondence with “general quality”, the MAC address is “ααα2”, the VLAN-ID corresponding to the ground: “Tokyo” is “vlan3”, and the VLAN-ID corresponding to the ground: “Shizuoka” is “vlan4”. " The output interface (VLAN-ID) of the VPN terminal at the Osaka base is a unique vlan. Similarly, vlan is set for each quality base and each ground. In this setting, assuming that the number of quality classes at a certain base is N and the number of grounds is M, N × M vlans are set at the same base. As a result, the vlan and the ground are associated with each other on a one-to-one basis for each quality class. Therefore, by measuring traffic in a specific vlan at the same base, the local base and the opposite base corresponding to the vlan It is possible to measure traffic between the two.

  13A and 13B, as shown in the inter-base quality class information table, high-quality VPN tunnels are set between Osaka and Tokyo and between Osaka and Shizuoka. In this setting, for example, traffic in the high-quality class between Osaka and Tokyo can be measured by measuring vlan1 traffic of the VPN terminating device 101 in Osaka.

(Modification)
In the above-described embodiment, an example in which the MPLS backbone 300 using MPLS is applied as the backbone network of the VPN 400 is shown, but the network configuration of the VPN 400 is not limited to this. For example, as shown in FIG. 14, an L2 network 350 (a wide area Ethernet network or the like) can be used. The L2 network 350 is a network configured by connecting L2 switches (such as an Ethernet switch). In FIG. 14, four L2 switches 701, 702, 703, and 704 are shown. The MAC learning table (association between the MAC address and the interface) in each L2 switch is set statically. In addition, in order to make the explanation easy to understand, the MAC learning table in the figure also describes an individual table image of a 1VPN user in this modification, but actually, for example, a table is provided for each user, A transfer process can be performed by referring to a table corresponding to the user identified from the information of the received packet.

  In the configuration of FIG. 14, for example, when packets are to be transferred from the VPN terminating device 101 to the VPN terminating device 102 (ββββ) via the route of L2 switches 701-> 703-> 702, the MAC of each L2 switch An entry shown in the figure may be set in the learning table. In the example shown in FIG. 14 as well, IP packet transfer between the user terminals A and B can be performed in the same manner as in the example shown in FIG.

  In addition, among various routes in the L2 network, for example, by setting a specific route as a high quality path and other routes as general quality paths, the quality class ( It is possible to easily switch the communication path to be used.

(Summary of the embodiment, effects)
In the present embodiment, a network system (VPN) that is accommodated in a communication path (corresponding to various LSPs) established between edge devices (corresponding to PE devices) of the backbone network and a VPN tunnel is established between VPN terminating devices. Network setting device (NW operation device) for setting a VPN tunnel for the network system from the start point VPN terminator connected to the start point user site to the end point VPN terminator connected to the end point user site. 500).

  Here, in the present embodiment, a table (MAC routing table) in which a communication path and an address of the end point VPN terminator are associated is set in the edge device connected to the start point VPN terminator.

  Then, the network setting device, for each type of communication path that accommodates the VPN tunnel, outputs the interface from which the packet is transmitted from the start point VPN end device and the address of the end point VPN end device that is the destination address of the packet. Based on the stored VPN terminator information storage means (corresponding to the VPN terminator information table storage unit 540) and the type of communication path specified by the user, the VPN termination device information storage means stores the start point corresponding to the type. Obtaining the output interface of the VPN termination device and the address of the end point VPN termination device corresponding to the type, the network identification information of the output base, the address, and the user base of the end point specified by the user, The starting point VP as routing table information Comprising setting means for setting the termination device (corresponding to the MAC routing table information generation unit 550 and the counter communication device setting instruction transmitting unit 560).

  With such a configuration, it is possible to easily set and change a path that accommodates the VPN tunnel only by specifying the type of the communication path. In addition, it is possible to easily set and change the communication path that accommodates the VPN tunnel quickly, for example, by the user's own setting work without the intervention of the setting work by the communication carrier. Furthermore, according to the present embodiment, there is an effect that the setting information on the telecommunications carrier side can be hidden from the user.

  The “communication path type” is a type of attribute when the communication path is distinguished by a certain attribute. For example, as described in the embodiment, when distinguishing a path into a “high quality path” and a “general quality path”, the attribute is “quality”, and the attribute type (that is, the communication path type) is “ “High quality” and “General quality”. A path with high / low “security”, a path with / without a redundant route, and the like are also examples of “type of communication path”. Of course, these are merely examples of “communication path type”.

  In the present embodiment, the address of the end point VPN terminator is a MAC address, and the output interface of the start point VPN terminator is a sub-interface configured with VLAN identification information in the physical interface. With this configuration, it is possible to realize a technology for easily setting and changing a path for accommodating a VPN tunnel by utilizing a widely used Ethernet technology.

  In the present embodiment, the traffic between the output user interface of the start point and the end point of the user base is measured by measuring the traffic of the output interface of the start point VPN end device set by the network setting device. Traffic measurement means (traffic measurement unit 140) is provided.

  As described with reference to FIGS. 13A and 13B, in this embodiment, it is possible to uniquely set vlan and the ground at each base so as to be associated with a quality class (for each type of communication path). By performing this setting, traffic between an arbitrary base and an arbitrary ground can be measured by measuring the corresponding vlan traffic.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

10, 20, 30 PE equipment 40, 50, 60 CE equipment 70 VPLS backbone 80 VPN
91, 92, 93, 94 P equipment 101, 102, 103 VPN termination equipment 151, 152, 153, 154 P equipment 201, 202, 203 PE equipment 300 VPLS backbone 400 VPN
500 NW operation device 600 Communication network 110 User side packet processing unit 120 Provider side packet processing unit 121 MAC routing table setting instruction receiving unit 122 MAC routing table storage unit 123 Packet transfer processing unit 131, 132 Interface 140 Traffic measurement unit 210 MAC learning table Setting instruction receiving unit 220 MAC learning table storage unit 230 Packet transfer processing unit 241 and 242 Interface 350 L2 network 510 User operation function providing unit 520 User base information table storage unit 530 Inter-base quality class information table storage unit 540 VPN terminator information Table storage unit 550 MAC routing table information generation unit 560 Communication device setting instruction transmission unit 570 Side input-output unit 701,702,703,704 L2 switch

Claims (7)

In a network system that is accommodated in a communication path constructed between edge devices of a backbone network and a VPN tunnel is constructed between VPN terminating devices, the starting point VPN terminating device connected to the starting user site is changed to the ending user site. A network setting device for setting a VPN tunnel to a connected end point VPN terminal device for the network system,
VPN termination device information storage that stores an output interface for sending a packet from the start point VPN termination device and an address of the destination VPN termination device that is a destination address of the packet for each type of communication path that accommodates the VPN tunnel. Means,
Based on the type of communication path designated by the user, the output interface of the start point VPN terminator corresponding to the type from the VPN terminator information storage means, and the address of the end point VPN terminator corresponding to the type get, the output interface, the address, and, the network identification information of the user base for the end point specified by the user, the network setting device comprising setting means for setting the start point VPN termination device as the routing table information, the Yes,
The network setting device, wherein the edge device connected to the start point VPN termination device includes a table that holds different addresses for each type of communication path for the end point VPN termination device of one user base . A table in which a communication path and an address of the end point VPN terminator are associated with each other is set in the edge device connected to the start point VPN terminator.
When the start point VPN terminating device receives an IP packet from the start point user base, the start point VPN terminating device refers to the routing table information set by the setting unit, and the address and output corresponding to the destination IP address of the IP packet Determine an interface, and forward a packet with the address including the IP packet as a destination address from the output interface to the edge device;
The network setting device according to claim 1, wherein the edge device that has received the packet refers to the table, determines a communication path corresponding to a destination address of the packet, and forwards the packet. . The address of the end point VPN terminator is a MAC address, and the output interface of the start point VPN terminator is a sub-interface identified by VLAN identification information in a physical interface. The network setting device described. When a type different from the type of the communication path is designated by the user for the network setting device, the setting unit responds to the different type from the VPN termination device information storage unit based on the different type. An output interface of the start point VPN terminator and an address of the end point VPN terminator corresponding to the different type are acquired, and the output interface and the output interface already set in the start point VPN terminator with the address The network setting device according to any one of claims 1 to 3, wherein the address is updated. A VPN terminator as the start point VPN terminator set by the network setting device according to any one of claims 1 to 4 ,
A VPN termination device comprising traffic measuring means for measuring traffic between the user base at the start point and the user base at the end point by measuring traffic on the output interface. In a network system that is accommodated in a communication path constructed between edge devices of a backbone network and a VPN tunnel is constructed between VPN terminating devices, the starting point VPN terminating device connected to the starting user site is changed to the ending user site. A network setting method executed by a network setting device for setting a VPN tunnel to a connected end point VPN termination device for the network system,
VPN termination device information storage means for each type of communication path used by the VPN tunnel, an output interface for sending a packet from the start point VPN termination device and an address of the end point VPN termination device which is a destination address of the packet Storing step to store in,
Based on the type of communication path designated by the user, the output interface of the start point VPN terminator corresponding to the type from the VPN terminator information storage means, and the address of the end point VPN terminator corresponding to the type Obtaining the output interface, the address, and the network identification information of the end point user base designated by the user in the start point VPN termination device, and a network setting method comprising:
The network setting method, wherein the edge device connected to the start point VPN terminator includes a table that holds different addresses for each type of communication path for the end point VPN terminator of one user base . The program for functioning a computer as each means of the network setting apparatus of any one of Claims 1 thru | or 4 .

Images