RU2319313C2 - Method for realization of protective isolation of ethernet network services - Google Patents

Abstract

FIELD: method for protecting isolation of Ethernet network services, in particular, method for realization of virtual private network (VPN) on Layer 2 Ethernet, which is used by providers of telecommunication services for providing services of Ethernet network.

SUBSTANCE: method for protective isolation of service in Ethernet network is claimed for fulfilling the need of providers of telecommunication services in creation of second virtual private network of Ethernet services, where firstly client identifier is distributed for physical port, used for connecting client service; a service received in physical port is marked by client identifier; after procedure of commutation and routing of service it is determined whether the client identifier in the service coincides with identifier of client in the port, if loading of service from specific physical port is concerned, and only after that appropriate service may be loaded.

EFFECT: solution of problem of limited usage of virtual local network (VLAN) for Ethernet network within limits of one enterprise, solution of problem of protective isolation when providing services of Ethernet/VLAN network to large number of enterprises, and provision of method for realization of VPN technology on Layer 2 Ethernet, and also provision of full virtual bridge for providing transparent data transmission.

13 cl, 2 dwg

Description

Technical field

The present invention relates to a method for insulating Ethernet network services, in particular, to a method for implementing a Virtual Private Network (VPN) on a Layer 2 Ethernet, which is used by telecommunication service providers to provide Ethernet network services.

State of the art

Ethernet was originally used in the local area network (LAN - local area network), the users of which are mainly internal users of the enterprise, which means a small number of users. When the number of users increases, higher-level equipment is used to connect a large number of Ethernet networks.

With the rapid development and widespread use of the Ethernet network, it also began to be used in wide area networks (WANs). To meet the requirements of further development, VLAN (VLAN, virtual local area network) (according to IEEE 802.1Q) was introduced into Ethernet technology. VLANs are used for security isolation to limit the multicast area.

However, the newly introduced VLAN technology is enterprise-oriented, which is efficient and appropriate for one enterprise Ethernet network. If a provider uses VLAN to provide protective isolation of Ethernet network services, providing services to several enterprises, the following complications arise:

The VLAN configuration provided by the provider may conflict with the original enterprise VLAN configuration;

the enterprise uses a large number of VLAN services, some of which do not initially have a valid identifier;

too many VLAN settings can make administration too complicated or even impossible;

the number of VLAN identifiers is limited; in theory, a device can simultaneously support 4096 VLANs that are shared by all users, resulting in insufficient VLANs;

1-2-switch technology using VLAN only performs data isolation, but does not actually implement a full virtual bridge in the MAC address table; and

the two interfaces in traditional L2 devices cannot be looped together, which reduces measurability.

SUMMARY OF THE INVENTION

The aim of the present invention is to overcome the problem of the limited use of VLANs for Ethernet within one enterprise, to solve the problem of protective isolation faced by providers when providing Ethernet / VLAN services to a large number of enterprises, and to provide a method for implementing VPN technology on Layer 2 Ethernet . Using this method, the present invention can provide a complete virtual bridge for transparent data transmission and improve the operability and measurability of Ethernet services.

According to the present invention, the following technical solution.

A method for implementing protective isolation of Ethernet network services includes the following steps:

1) adding an additional segment to the Ethernet frame to identify different user services; moreover, this segment consists of n bytes, and n has a value associated with the format of the segment;

2) entering the user service in the provider's data network and adding the user ID to the additional segment of the Ethernet frame;

3) switching / routing processing;

4) removal of the user ID and restoration of the Ethernet frame when the user service leaves the data network.

At step 2), the user service entering the physical interface of the communication device of the data network is marked in a specific format by the user ID assigned to the physical interface of the communication device of the data network connecting the user service.

In step 4), when the user service is processed in a specific physical interface of the communication device of the data network, the user ID of this user service is compared with the user ID of the physical interface of the communication device of the data network. This user service passes if these two identifiers match, otherwise the service is discarded.

In step 3), based on the user identifier, a table of unique MAC addresses for each user identifier is maintained by identifying and searching for MAC addresses; to form a virtual virtual bridge in the physical interface of the communication device of the data network included in each user identifier, generate a unique spanning tree; moreover, in the indicated virtual bridge the same MAC addresses can be used in the MAC address tables of different user identifiers.

In step 3), a unique spanning tree is generated for each user ID to avoid an avalanche of multicast packets.

In step 3), the use of VLAN identifiers for different user identifiers is completely isolated, and the user can also use VLAN identifiers to implement isolation of the internal network.

At step 3) in the physical interfaces of the communication devices of the data network connecting the user service, the internal isolation of the service is determined depending on whether the VLAN identifier is used or not, choosing how to use the VLAN identifier through network management.

In step 3), for each user identifier, a unique multicast service mode can be provided, in which the multicast service mode includes a dynamic multicast protocol mode and a static multicast configuration mode;

dynamic multicast protocol mode means that the service interface in the multicast service is defined by the dynamic multicast protocol, and the dynamic multicast protocol contains ICMP and GMRP (according to RFC 2236 and IEEE 802.1q);

The static multicast configuration mode defines the service interface in the multicast service through manual configuration of the user through network management.

In step 3), each user identifier configures the multicast service mode through network management. The service mode includes a dynamic multicast protocol protocol mode and a static multicast configuration mode.

In step 2), a user identifier is assigned to each physical interface of the communication device of the data network. Upon entering the interface, the service is marked with a user ID. The user ID does not change throughout the network until the service leaves the interface and reaches the user device. Then the user ID is deleted, and the service finally reaches the user device. In this way, the service is transmitted in a transparent manner.

An additional segment in an Ethernet frame can use the following format: a compatible MPLS format, a stackable VLAN format, or a mutable format to realize a connection between multiple devices.

Configuration parameters are set on the physical interfaces of the communication devices of the data network via network management to provide a compatible MPLS format, an extensible VLAN format, and a variable format for an additional segment in an Ethernet frame.

The method of isolating a service according to the present invention has the following characteristics compared to modern VLAN technologies (IEEE 802.1Q): implements a fully functional virtual bridge regardless of the VLAN in the user service; reduces administration complexity and increases device independence; adapt to Ethernet services provided by telecommunication service providers.

This method has the following advantages:

1. The provider does not need to know the configuration of the original client VLAN. There is no need to change the initial VLAN configuration.

2. The client is free to change the configuration of his VLAN. He can change or add a service without the help of a provider. The user service does not even need to have a VLAN identifier.

3. The provider only configures the user ID, which is easy to perform.

4. If n bits are used for the user ID, 2 ⁿ users can be provided. Each user can independently use 4096 VLANs, which solves the problem of a limited number of VLANs.

5. Determining the MAC address and client ID allows you to implement a full virtual bridge in the MAC address table.

6. Various multicast services can be configured according to customer requirements.

7. Improves the measurability of L2 switching devices. When implementing the aforementioned virtual bridge, the device can be verified by creating a service verification channel between multiple virtual bridges.

Brief Description of the Drawings

Figure 1 shows a diagram of a service check using the method according to the present invention.

Figure 2 is a block diagram of one implementation according to the present invention.

3 is a schematic diagram of client VLAN support using the method of the present invention.

Figure 4 is a schematic diagram of the use of a user identifier to implement service isolation.

5 illustrates an Ethernet VLAN frame format.

6 illustrates a stackable VLAN frame format.

7 shows the MPLS frame header format.

DETAILED DESCRIPTION OF THE INVENTION

The method for isolating Ethernet services according to the present invention includes the following steps.

An additional segment is added to the Ethernet frame, and the data in the segment is specified as a user identifier consisting of n bytes to identify the user service. When a user service enters the provider's data network, the Ethernet frame is changed accordingly. When the user service leaves the data network, the Ethernet frame is restored to its original format.

First, the user identifier is assigned to the physical interface of the communication network device connecting the user service to mark the user ID as the service arriving at the physical interface of the communication network device. Then, when the service enters the physical interface of the communication device of the data network, the user ID of the service is compared with the user ID of the interface. If these two identifiers match, the service passes.

Through the use of a user ID, one Ethernet device turns into multiple virtual Ethernet, and all virtual Ethernet work independently, without interfering with each other.

Due to the presence of a user identifier, a unique MAC address table can be maintained for each client by identifying and searching for a combination of user identifier plus MAC address. Meanwhile, a unique spanning tree is used in the physical interface of a communication device of a data network included in each user identifier. In addition, independent multicast can be used for each user ID, which includes dynamic multicast and static multicast. As a result, a virtual virtual bridge is generated. Through this virtual bridge, different users can use the same MAC address and different dynamic multicast protocols or static multicast configurations, respectively.

Figure 1 shows the loopback test on two devices. Here (a, b) denotes the interfaces, a is the number of the device under test, while b is the number of the interface. (1, 1), (1, 2), (2, 1), (2, 2) - user identifier N, (1, 3), (1, 4), (2, 3), (2, 4 ) is the identifier of the user M, N ≠ M. The service from the device under test goes to (1, 1), here it is marked with user ID N; then the same service leaves (1, 2) and arrives at (2, 1); then it leaves (2, 2) where user id N is deleted. The service leaves (2, 2), then arrives at (2, 4), where it is marked with user ID M; then the same service leaves (2, 3) and arrives at (1, 4); then leaves (1, 3) and enters the device under test, where user ID M is deleted. The same function can be implemented in the opposite direction.

As shown in FIG. 2, first, at the input, the service is marked with a user ID; then it goes through switching / routing; simultaneously determine and find the combination of user ID plus MAC address. When a service processed through switching / routing arrives at the exit, the user ID of the service is compared with the user ID of the interface. If the two identifiers do not match, then the service is discarded.

3, a customer service network is marked with a user identifier. The VLAN n service is transmitted from 2, 3 to 1, while the VLAN m service is transferred from 1 to 2, 3. The VLAN between interfaces 2 and 3 helps isolate the data so that they do not mix.

Figure 4 shows a typical WAN connection. Different lines indicate different services, isolated by user identifiers. Services with different user IDs do not mix. Each user ID has a unique spanning tree, which helps to avoid an avalanche of multicast packets. Using a VLAN identifier among other user identifiers is completely isolated. The client can choose whether to use VLAN identifiers to isolate internal services or not to use them. DUT (device under test) - the device under test.

Below is an embodiment according to the present invention.

Step 1: Labeling the service with a user ID.

A user identifier may be set for each physical interface of a communications device of a data network. When the service enters the interface, it is first marked with the user ID, which remains unchanged on the network until the service leaves the interface and reaches the user device. Then the user ID is removed, and the service reaches the user device. As a result, the service is transmitted in a transparent manner.

Step 2: Isolating the service.

Each physical interface of a communications network communications device has a user identifier configured by a user. When the service needs to leave the interface, the user ID of the service is compared with the user ID of the interface. If these two identifiers do not match, the service is discarded.

Step 3: Implement a virtual virtual bridge.

If the device is a switching bridge, then adding a user identifier to identify and search for a MAC address creates a table of unique MAC addresses for each user identifier. A unique spanning tree for each user ID and unique multicast can also be triggered for each user ID. Unique multicast includes a dynamic multicast protocol and a static multicast configuration. As a result, the interface for each user ID acts as a virtual virtual bridge.

A flowchart of the above procedure is shown in FIG.

Step 4: Isolating the internal user service by using the VLAN ID.

The user can implement the VLAN on the device through configuration. Using a user identifier, VLANs are restricted to interfaces on devices labeled with a user identifier. As a result, there will be no interaction with the service of another user. The user can also not use VLAN, but only transparently transfer the VLAN service.

A flowchart of the above procedure is shown in FIG.

Using the technologies described above, many services can be flexibly isolated, as shown in FIG. 4.

Frame format implementation.

When changing the Ethernet frame format, the international standard must be taken into account, as care must be taken both about compatibility and interconnectivity. Otherwise, devices from different manufacturers will not be able to work together. If a specific international standard does not exist, consider issues such as compatible MPLS and the stackable VLAN format. If the device can connect to many different devices, you can set configuration parameters in the interfaces to support different formats. Configuration parameters for user IDs may include: non-use, use of the MPLS format, use of the stackable VLAN format, and use of a special format.

5, 6 and 7 show possible frame formats.

Figure 5 shows the VLAN frame format defined by IEEE 802.1Q, in which 0x8100 is the VLAN frame identifier, 0xXXXX is the VLAN identifier data in which P, C and V, P denote priorities from 0 to 7; C - LAN type, 0 - Ethernet, 1 - Token-ring. V - VLAN ID with a value from 0 to 4095.

6 shows the frame format used by the stackable VLAN. 0x9100 is the identifier of the stackable VLAN, and 0xXXXX is the VLAN identifier data, which defines the same as the VLAN identifier. All other settings are exactly the same as for IEEE 802.1q.

7 shows the MPLS frame format defined by RFC2236; ID is the MPLS identifier. Exp is intended for storage and is used for verification. EOS shows if this is the end of the MPLS packet. TTL - time to live - "time of life."

Claims (17)

1. A method for implementing protective isolation of Ethernet network services, comprising the following steps: 1.1 adding an additional segment to the Ethernet frame, the data in which is specified as a user identifier, to identify different user services, the segment consists of n bytes, and n has a value associated with the format of the segment; 1.2 entering the user service in the provider's data network and adding the user ID to the additional Ethernet frame segment; 1.3 Ethernet frame switching / routing processing; and 1.4 deletion of the user ID and recovery of the Ethernet frame when the user service leaves the data network. 2. The method according to claim 1, characterized in that in step 1.2, the user service entering the physical interface of the communication device of the data network is marked in a specific format with the user ID assigned to the physical interface of the communication device of the data network connecting this user service. 3. The method according to claim 1 or 2, characterized in that in step 1.4, when the user service is processed in a specific physical interface of the communication device of the data network, the user ID of this user service is compared with the user ID of the physical interface of the communication device of the data network; if these two identifiers match, then the user service passes, otherwise the service is discarded. 4. The method according to claim 1 or 2, characterized in that in step 1.3, based on user identifiers, a unique MAC address table (Media Access Control) is maintained for each user identifier by identifying and searching for MAC addresses; to form a virtual virtual bridge in the physical interface of the communication device of the data network included in each user identifier, generate a unique spanning tree; moreover, in the indicated virtual bridge the same MAC addresses can be used in the MAC address tables of different user identifiers. 5. The method according to claim 3, characterized in that in step 1.3, based on user identifiers, a table of unique MAC addresses for each user identifier is maintained by determining and searching for MAC addresses; to form a virtual virtual bridge in the physical interface of the communication device of the data network included in each user identifier, generate a unique spanning tree; moreover, in the indicated virtual bridge the same MAC addresses can be used in the MAC address tables of different user identifiers. 6. The method according to claim 4, characterized in that in step 1.3 a unique spanning tree is generated for each user identifier in order to avoid an avalanche of multicast packets. 7. The method according to claim 1, characterized in that in step 1.3, the use of VLAN identifiers (Virtual Local Area Network) for different user identifiers is completely isolated, and the user uses VLAN identifiers to implement isolation of the internal network. 8. The method according to claim 7, characterized in that in step 1.3, in the physical interfaces of the communication devices of the data network connecting the user service, the internal isolation of the service is determined depending on whether or not the VLAN identifier is used, choosing how to use the VLAN identifier through management the network. 9. The method according to claim 1, characterized in that in step 1.3, for each user ID, a unique multicast service mode is provided, in which the multicast service mode includes a dynamic multicast protocol mode and a static multicast configuration mode; moreover, the dynamic multicast protocol mode means that the service interface in the multicast service is determined by the dynamic multicast protocol, and the dynamic multicast protocol contains ICMP (Internet Control Message Protocol) and GMRP (Genearl Attribute Multicast Registration Protocol) - Basic Protocol for the Registration of Attributes in Broadcasting); The static multicast configuration mode defines the service interface in the multicast service through manual configuration of the user through network management. 10. The method according to claim 9, characterized in that in step 1.3 each user identifier configures the multicast service mode by managing the network, and the service mode to be selected includes a dynamic multicast protocol mode and a static multicast configuration mode . 11. The method according to claim 1, characterized in that in step 1.2, for the transfer of the service, a user identifier is assigned in a transparent manner to each physical interface of the communication device of the data network, when the service enters the physical interface of the communication device of the data network, it is marked with the user ID does not change throughout the network until the service leaves the interface of the communication device of the data network and reaches the user device, then the user ID is deleted and the service is finished But it reaches the user device. 12. The method according to claim 1, characterized in that the additional segment in the Ethernet frame uses a format that includes a compatible MPLS (Multiprotocol Label Switching) format, a stackable VLAN format, or a mutable format to implement a connection between multiple devices. 13. The method according to p. 12, characterized in that the configuration parameters are set in the physical interfaces of the communication devices of the data transmission network via network management to provide for an additional segment in the Ethernet frame a compatible MPLS format, an extensible VLAN format and a variable format.

Images