TW200931880A - Network system for crossing the distinction and restriction of different virtual LANs - Google Patents


Info

Publication number
TW200931880A
Authority
TW
Taiwan
Prior art keywords
network
connection device
virtual
virtual area
common
Prior art date
Application number
TW97101371A
Other languages
Chinese (zh)
Other versions
TWI429233B (en)
Inventor
qian-he He
Original Assignee
Alpha Networks Inc
Priority date
Filing date
Publication date
Application filed by Alpha Networks Inc
Priority to TW97101371A
Publication of TW200931880A
Application granted
Publication of TWI429233B


Abstract

The invention discloses a network system for crossing the separation and restriction between different virtual LANs. The system is a cluster-managed network environment formed by a network management workstation and a plurality of different virtual LANs (VLANs). Each VLAN has at least one network connection device (e.g. a network switch) which connects to at least one network terminal device (e.g. a computer with a network interface, a network disk drive or a network printer), and all network terminal devices in the same VLAN are interconnected through their own network connection device. In addition, every network connection device carries a common and exclusive VLAN through which it is allocated a private IP address, and an independent virtual routing domain is established on that VLAN, so that the network connection devices can use their private IP addresses in the independent virtual routing domain to form a connection channel. The network management workstation sends a command to the IP application-layer protocol entity of one of the network connection devices (the commander connection device). That device then communicates peer-to-peer, through the common and exclusive VLAN in the independent virtual routing domain and using private IP addresses, with the IP application-layer protocol entities of the other network connection devices (the member connection devices) to forward the command, so that the separation and restriction between different VLANs are crossed and the purpose of network management is achieved. The security and convenience of network management are thereby effectively enhanced.

Description

IX. Description of the Invention

[Technical Field of the Invention]

The present invention relates to a network system capable of crossing the separation between different virtual local area networks (Virtual LANs, VLANs), so that the IP application-layer protocol entities of two network connection devices that belong to different VLANs can communicate peer-to-peer across the boundary between their VLANs by means of a common and exclusive VLAN (shared VLAN).

[Prior Art]

In recent years, with the rapid growth of networking, a wide variety of network devices have been developed and are widely used in the working and living environments of every industry. This trend has not only accelerated the speed and efficiency of information flow but has also brought great convenience to daily life and work. Many enterprises today use local area networks or the Internet to exchange internal and external information. However, the large number and variety of network devices also create many management problems for network administrators. How to enable network administrators to manage network devices effectively has therefore become one of the key points that practitioners need to improve.

The virtual local area network (VLAN) is the most basic, most common and most important networking technology in enterprise networks. A VLAN is a logical LAN: using specific networking techniques, it logically links network workstations that are not necessarily physically connected, so that communication between those workstations behaves as if they were physically connected. Within a local area network, the main function of VLANs is to partition one network into a plurality of VLANs, each of which forms an independent broadcast domain. Within one VLAN, a broadcast packet sent by any workstation is broadcast only to the members of that VLAN and is not transmitted to other VLANs. Confining the communication range of all members of a VLAN to that VLAN therefore effectively separates network traffic, improves the communication security of each VLAN, and greatly reduces the chance that workstations in other VLANs steal data. One VLAN is equivalent to one small network, and stacking many small networks together builds a complex and large network system. In general, a network system contains a plurality of VLANs. Every computer device in a VLAN, such as a personal computer, is a member of that VLAN, meaning that each computer device is restricted to the particular VLAN it belongs to and can communicate only with other computer devices in that VLAN. Likewise, each network connection device in a VLAN, such as a layer-two switch, whose main purpose is to connect computer devices to the VLAN, can be configured to serve several VLANs; but the IP application-layer protocol entity that the device provides for managing the device itself is, like any other network device in the system, just one node belonging to one VLAN, so each network connection device can be managed only by network workstations in the particular VLAN it belongs to. In the description below, the term "virtual local area network (VLAN)" denotes each such particular VLAN.

Network connection devices generally support many different network communication protocols so that they can provide varied services. Among these protocols, IP-layer application protocols involve peer-to-peer communication between one network connection device and another. In that case the application protocols must operate in the context of the particular VLAN to which the device belongs in order for different network connection devices to communicate with each other; that is, reception and transmission of application-protocol packets must be done through the VLAN the device belongs to. Because of this restriction, communication of application-protocol packets between different network connection devices is naturally limited to some degree by the boundaries between the VLANs they belong to. In other words, if the VLAN to which the IP-layer application protocol of one network connection device belongs differs from the VLAN to which the IP-layer application protocol of another network connection device belongs, the IP-layer application protocols of the two devices cannot communicate peer-to-peer except through an IP router, which causes great inconvenience for remote management of the network system.

A cluster-managed network environment usually contains a plurality of network connection devices, one of which is the commander connection device (commander switch) while the rest are member connection devices (member switches). When the network management workstation manages the network terminal devices inside the cluster-managed network environment, the command is sent in a management packet to the commander connection device, which forwards the command in a management packet to the member connection device to be managed. After the member connection device receives the management packet and performs the corresponding management action, it sends response information in a management packet back to the commander connection device, which in turn forwards the response in a management packet to the network management workstation. In this way the workstation needs only the commander connection device, as a single window, to manage the remaining network connection devices in the cluster-managed network environment: if the management packet is an IP packet, the workstation simply sends the IP packet to the IP address of the commander connection device, and the commander connection device forwards the command in an IP packet to the member connection device and asks it to perform the related management action. This cluster management approach therefore relies on peer-to-peer communication between the commander connection device and each member connection device.

In general, in the cluster-managed environment described above, the commander connection device forwards the commands received from the workstation to member connection devices in IP packets, but with one restriction: the VLAN to which the IP-layer application protocol entity of the member connection device belongs must be the same as the VLAN to which the IP-layer application protocol entity of the commander connection device belongs; only then can the commander communicate peer-to-peer with the member through IP packets. That is, the commander connection device and the member connection device communicate peer-to-peer through the VLAN they belong to, so if the VLAN of the commander's IP-layer application protocol entity differs from the VLAN of the member's, the IP-layer application protocol entities of the two devices cannot communicate peer-to-peer, which is inconvenient for remote management of the network system.

Therefore, how to design a network system in which the IP-layer application protocol entities of two network connection devices belonging to different VLANs can communicate peer-to-peer across the VLAN boundaries has become an important goal that many in the industry are striving to achieve.

[Summary of the Invention]

In view of the problem described above, that the IP-layer application protocol entities of two network connection devices belonging to different VLANs cannot communicate peer-to-peer, the inventor, after long research and experimentation, developed the network system of the present invention, which crosses the separation between different VLANs so that the IP-layer application protocol entities of two network connection devices belonging to different VLANs can communicate peer-to-peer across the boundaries of their VLANs by using a common and exclusive VLAN.

One object of the present invention is to provide a network system capable of crossing the separation between different VLANs. The network system is a cluster-managed network environment formed by one network management workstation and a plurality of different VLANs. Each VLAN includes at least one network connection device (e.g. a network switch), and each network connection device is connected to at least one network terminal device (e.g. a network disk drive or a network printer). Network terminal devices in the same VLAN are connected to one another through the network connection device they belong to. Each network connection device has a built-in IP application-layer protocol entity that provides the function of managing that device, and each network connection device is additionally provided with a common and exclusive VLAN (shared VLAN). Through this common and exclusive VLAN, the network connection devices coordinate the allocation of a private IP address to each of them and build an independent virtual routing domain on that VLAN, so that each network connection device can use its private IP address in the independent virtual routing domain to form a connection channel. When the network management workstation manages a network connection device within the cluster-managed environment, it sends the command through its own VLAN, using a public IP address, to the IP application-layer protocol entity of one of the network connection devices (the commander connection device). That device, over the common and exclusive VLAN and in the independent virtual routing domain, communicates peer-to-peer through private IP addresses with the IP application-layer protocol entities of the remaining network connection devices in the cluster (the member connection devices) and forwards the command to them, so that network management is achieved across the separation between different VLANs.

Another object of the present invention is that the common and exclusive VLAN is used jointly and exclusively by the network connection devices and is not interconnected with the VLAN environments originally configured by the user. The network connection devices thereby form an independent virtual routing domain, and when they communicate with one another they use the assigned private IP addresses, through the independent virtual routing domain and the common and exclusive VLAN, for peer-to-peer communication, which effectively improves the security and convenience of network management without conflicting with public IP addresses.

For a further understanding of the objects, features and effects of the present invention, embodiments are described in detail below with reference to the drawings.

[Embodiments]

The present invention is a network system capable of crossing the separation between different VLANs. The network system is a cluster-managed network environment formed by one network management workstation and a plurality of different VLANs. Each VLAN includes at least one network connection device (e.g. a network switch) and at least one network terminal device (e.g. a computer with a network interface, a network camera, an IP telephone, a network disk drive or a network printer). The network terminal devices are connected to the network connection devices, and network terminal devices in the same VLAN are connected to one another through the network connection device they belong to. Referring to FIG. 1, in a preferred embodiment of the present invention the network system 1 is described with two VLANs 2, 3 as an example. The first VLAN 2 includes two network connection devices 20 and 50 and four network terminal devices 21, 22, 51, 52; the second VLAN 3 also includes two network connection devices 30, 40 and four network terminal devices 31, 32, 41, 42. The network terminal devices 21, 22, 31, 32, 41, 42, 51, 52 are connected to the network connection devices 20, 30, 40, 50 they belong to, and the network connection devices 20, 30, 40, 50 of the VLANs 2, 3 are interconnected, so that the network connection devices 20, 30, 40, 50 form a cluster-managed network environment. The network management workstation 6 is connected to the built-in IP application-layer protocol entity of the first network connection device 20, so the first network connection device 20 becomes the commander connection device within the cluster-managed environment and the remaining network connection devices 30, 40, 50 become member connection devices. Other embodiments of the present invention are not limited to this arrangement.

In this embodiment, referring again to FIG. 1, each of the network connection devices 20, 30, 40, 50 belonging to the VLANs 2, 3 has a built-in IP application-layer protocol entity that provides the function of managing the network connection devices 20, 30, 40, 50. The management VLAN of the first VLAN 2 is VLAN 100 and that of the second VLAN 3 is VLAN 200. The IP application-layer protocol entities built into the first network connection device 20 and the fourth network connection device 50 operate on VLAN 100 and are each configured with their own public IP address; the IP application-layer protocol entities built into the second network connection device 30 and the third network connection device 40 operate on VLAN 200 and are each configured with their own public IP address. Because the IP application-layer protocol entities of the first network connection device 20 and the second network connection device 30 operate on different VLANs within the cluster-managed environment, they cannot exchange IP packets with each other. The present invention therefore additionally installs on each network connection device 20, 30, 40, 50 a common and exclusive VLAN, VLAN 1000. Through this common and exclusive VLAN, the network connection devices coordinate the assignment of a private IP address to each of them and build an independent virtual routing domain on it, so that the network connection devices 20, 30, 40, 50 can use their private IP addresses to form a connection channel. Moreover, because the first VLAN 2 to which network connection devices 20, 50 originally belong and the second VLAN 3 to which network connection devices 30, 40 originally belong are separated from the common and exclusive VLAN, the virtual routing domain is completely independent of the public routing domain. The common and exclusive VLAN 1000 of the present invention thus acts as a tunnel established between the two network connection devices 20, 30 that originally belong to different VLANs (VLAN 100 and VLAN 200), so that these two devices can communicate peer-to-peer over this tunnel, using private IP addresses, in the independent virtual routing domain.

In the cluster-managed environment described above, because the network connection devices 20, 30, 40, 50 build an independent virtual routing domain on the common and exclusive VLAN 1000 that is not interconnected with the first and second VLANs 2 and 3 originally configured by the user, when the network connection devices 20, 30, 40, 50 communicate peer-to-peer through the common and exclusive VLAN 1000 using their assigned private IP addresses, no conflict with public IP addresses arises and the security of network management is effectively improved.

In actual operation, taking the first and second network connection devices 20, 30 belonging to the first and second VLANs 2, 3 of FIG. 1 as an example and referring to FIG. 2, when the network management workstation 6 is connected to the built-in IP application-layer protocol entity of the first network connection device 20, the first network connection device 20 is the commander connection device and the second network connection device 30 is a member connection device. During the formation phase of the cluster-managed environment, the first network connection device 20 additionally builds the common and exclusive VLAN 1000 and searches through it for the remaining member connection devices in the cluster, while the remaining network connection devices 30, 40, 50 (the member connection devices) each also build the common and exclusive VLAN 1000 and search through it for the commander connection device (the first network connection device 20). When the network connection devices 20, 30, 40, 50 have each obtained the relevant information, the first network connection device 20 (the commander) assigns, through the common and exclusive VLAN 1000, private IP addresses to itself and to the remaining network connection devices 30, 40, 50 (the members). The first network connection device 20 can then operate on the common and exclusive VLAN 1000 using its assigned private IP address, and the remaining network connection devices 30, 40, 50 can likewise operate on VLAN 1000 using their assigned private IP addresses.

Thus, when the network management workstation 6 wants to manage the second network connection device 30 (a member), it first sends the command in a management packet to the public IP address of the first network connection device 20 (the commander). When the first network connection device 20 receives the management packet and finds that the command is addressed to the second network connection device 30, it uses its own private IP address to forward the command in a management packet through the common and exclusive VLAN 1000 to the private IP address of the second network connection device 30. After the second network connection device 30 receives the management packet and performs the corresponding processing, it uses its own private IP address to send the response in a management packet through the common and exclusive VLAN 1000 to the private IP address of the first network connection device 20. When the first network connection device 20 receives the management packet carrying the response, it forwards the response in a management packet, through its public IP address, to the network management workstation 6. The IP application-layer protocol entity of the commander connection device and those of the member connection devices can therefore communicate peer-to-peer across the separation between the different VLANs to which they belong.

As described above, the management system of the present invention establishes a virtual connection channel (VLAN 1000) between the two network connection devices 20, 30 belonging to different VLANs 2, 3 (e.g. VLAN 100 and VLAN 200) for peer-to-peer communication, effectively improving the convenience with which network administrators manage remote network connection devices in the network system.

The above is only one preferred embodiment of the present invention; the technical features of the present invention are not limited thereto, and any change or modification that a person skilled in the art could readily conceive within the field of the present invention falls within the scope of the claims below.

[Brief Description of the Drawings]

FIG. 1 is a schematic diagram of the network system of the present invention; and
FIG. 2 is a schematic diagram of peer-to-peer communication between two network connection devices belonging to different VLANs in the network system of FIG. 1.

[Main component symbol description]

Network system .......... 1
Virtual local area networks .......... 2, 3
Network connection devices .......... 20, 30, 40, 50
Network terminal devices .......... 21, 22, 31, 32, 41, 42, 51, 52
Network management workstation .......... 6
Virtual local area networks .......... VLAN 100, VLAN 200
Common and exclusive virtual local area network .......... VLAN 1000
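The formation phase and the command forwarding described in the embodiment above, as an added worked model that is not code from the patent or from Alpha Networks. It assumes the switch names sw20, sw30, sw40 and sw50 for reference numerals 20, 30, 40 and 50, VLAN 100 and VLAN 200 as the management VLANs, VLAN 1000 as the common and exclusive VLAN, the documentation range 192.0.2.0/24 in place of the public addresses and 10.255.255.0/24 as the private pool. The delivery rule (a packet reaches only an entity on the VLAN it was sent on) is the prior-art limitation, so the same block shows the unreachable case before the cluster is formed, the forwarded case after, and that a probe from a user VLAN aimed at a private address is dropped:

```python
"""Added model of the patent's cluster management (not code from the patent or
Alpha Networks). Assumed: sw20/sw30/sw40/sw50 for numerals 20/30/40/50, VLAN 100
and 200 as management VLANs, VLAN 1000 as the common and exclusive VLAN,
192.0.2.0/24 for the public addresses, 10.255.255.0/24 as the private pool."""
from collections import namedtuple

SHARED_VLAN = 1000            # the common and exclusive VLAN
PRIVATE_POOL = "10.255.255."  # assumed private pool, meaningful only on VLAN 1000
Packet = namedtuple("Packet", "vlan src dst payload")  # vlan: no routing between VLANs


class Fabric:
    """Layer-2 interconnection of the switches: a packet reaches only the IP
    application-layer protocol entity on the packet's VLAN that owns the destination."""

    def __init__(self):
        self.switches = {}

    def attach(self, switch):
        self.switches[switch.name] = switch
        switch.fabric = self

    def deliver(self, pkt):
        for sw in self.switches.values():
            if sw.entities.get(pkt.vlan) == pkt.dst:
                return sw.handle(pkt)
        return None   # nothing on that VLAN owns the address: dropped

    def discover(self, vlan):   # devices answering a discovery broadcast on vlan
        return [sw for sw in self.switches.values() if vlan in sw.entities]


class Switch:
    def __init__(self, name, mgmt_vlan, public_ip):
        self.name, self.mgmt_vlan, self.public_ip = name, mgmt_vlan, public_ip
        # IP application-layer protocol entities keyed by the routing domain
        # (VLAN) they operate in; the shared VLAN is a separate domain.
        self.entities = {mgmt_vlan: public_ip}
        self.fabric = None
        self.cluster = {}   # commander only: member name -> private IP on VLAN 1000

    @property
    def private_ip(self):
        return self.entities.get(SHARED_VLAN)

    def build_shared_vlan(self):
        self.entities[SHARED_VLAN] = None   # VLAN 1000 exists, no address yet

    def form_cluster(self):
        """Commander: build VLAN 1000, find who else built it, assign private IPs."""
        self.build_shared_vlan()
        for i, sw in enumerate(self.fabric.discover(SHARED_VLAN), start=1):
            sw.entities[SHARED_VLAN] = PRIVATE_POOL + str(i)
            self.cluster[sw.name] = sw.entities[SHARED_VLAN]

    def handle(self, pkt):
        target = pkt.payload.get("target", self.name)
        if target == self.name:
            return {"from": self.name, "result": "done:" + pkt.payload["cmd"]}
        if target in self.cluster and self.private_ip:
            # cluster formed: forward through the independent routing domain
            fwd = Packet(SHARED_VLAN, self.private_ip, self.cluster[target],
                         {"cmd": pkt.payload["cmd"]})
        else:
            # prior-art path: member's public IP on the commander's own VLAN
            member = self.fabric.switches.get(target)
            if member is None:
                return None
            fwd = Packet(self.mgmt_vlan, self.public_ip, member.public_ip,
                         {"cmd": pkt.payload["cmd"]})
        reply = self.fabric.deliver(fwd)
        return reply or {"from": self.name, "result": "unreachable:" + target}


def workstation_send(fabric, commander, ws_ip, target, cmd):
    """The workstation talks only to the commander's public IP on its own VLAN."""
    pkt = Packet(commander.mgmt_vlan, ws_ip, commander.public_ip,
                 {"target": target, "cmd": cmd})
    return fabric.deliver(pkt)


def demo():
    fabric = Fabric()
    sw20, sw30 = Switch("sw20", 100, "192.0.2.20"), Switch("sw30", 200, "192.0.2.30")
    sw40, sw50 = Switch("sw40", 200, "192.0.2.40"), Switch("sw50", 100, "192.0.2.50")
    for sw in (sw20, sw30, sw40, sw50):
        fabric.attach(sw)
    ws = "192.0.2.6"   # workstation 6 sits on VLAN 100 with the commander
    out = {"same_vlan_before": workstation_send(fabric, sw20, ws, "sw50", "show"),
           "other_vlan_before": workstation_send(fabric, sw20, ws, "sw30", "show")}
    for member in (sw30, sw40, sw50):   # members each build VLAN 1000 ...
        member.build_shared_vlan()
    sw20.form_cluster()                 # ... and the commander assigns private IPs
    out["other_vlan_after"] = workstation_send(fabric, sw20, ws, "sw30", "show")
    out["private_ips"] = dict(sw20.cluster)
    # a host on user VLAN 100 aiming at a private address never reaches VLAN 1000
    out["probe_from_user_vlan"] = fabric.deliver(
        Packet(100, "192.0.2.99", sw20.cluster["sw30"], {"cmd": "reboot"}))
    return out
```

Calling demo() returns the five results in one dictionary. The probe from the user VLAN is dropped only because no entity on VLAN 100 owns the private address, which in a real deployment corresponds to the invariant that VLAN 1000 is pruned from every access port and user-facing trunk; that isolation is what the patent's security claim rests on. The patent text describes no authentication of the workstation's command before the commander forwards it, and this model adds none.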


Claims (1)

X. Patent claims:

1. A network system capable of crossing the division restrictions between different virtual local area networks, being a cluster-managed network environment formed by a network management workstation and a plurality of different virtual local area networks, the network system comprising:
a plurality of different virtual local area networks, each virtual local area network including at least one network connection device, each network connection device being connected to at least one network terminal device, each network connection device having a built-in IP application layer protocol entity that provides the functions for managing that network connection device, and each network connection device additionally being provided with a common and exclusive virtual local area network, through which the network connection devices coordinate the allocation of a private IP to each of them and thereby construct an independent virtual routing domain on that virtual local area network, so that each network connection device can use its private IP address in the independent virtual routing domain to form a connection channel; and
a network management workstation connected to the built-in IP application layer protocol entity of one of the network connection devices, so as to communicate peer-to-peer, through that device's IP application layer protocol entity and over the common and exclusive virtual local area network, with the IP application layer protocol entities of the remaining network connection devices.

2. The network system of claim 1, wherein the network connection device connected to the network management workstation serves as a master connection device; during the formation stage of the cluster-managed network environment, the master connection device constructs the common and exclusive virtual local area network and, through it, searches for the remaining network connection devices in the cluster-managed network environment and takes them as member connection devices; the member connection devices each likewise construct the common and exclusive virtual local area network and search for the master connection device through it; and once the master connection device and the member connection devices have each obtained the relevant information, the master connection device allocates private IP addresses over the common and exclusive virtual local area network to itself and to the member connection devices.

3. The network system of claim 2, wherein the network connection device is a network switch.

4. The network system of claim 3, wherein the network terminal device is a computer provided with a network interface, a network camera, a network telephone, a network disk drive, or a network printer.
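The exchange described in the detailed description and in claims 1 and 2 (cluster formation over the common and exclusive VLAN, private IP allocation by the master, then relaying of a management packet from the workstation to a member and back) is modelled below as an added Python illustration. It is not the patent's or Alpha Networks' code: VLAN 100, VLAN 200, VLAN 1000 and the device numerals 20, 30 and 6 come from the page, while the private address pool, the command vocabulary (`get-hostname`, `set-hostname`) and every class and function name are assumptions made for this example. The member's protocol entity accepts a command only when it arrives on the management VLAN from the master's private address, which is what makes the channel "exclusive".

```python
"""Toy model of cross-VLAN cluster management over a common management VLAN.

Added illustration, not the patent's or Alpha Networks' code. The VLAN ids
and device numerals come from the patent text; the private address pool,
the commands and all helper names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

MGMT_VLAN = 1000                                   # common and exclusive VLAN (from the page)
PRIVATE_POOL = IPv4Network("10.255.255.0/24")      # assumed pool for the private IPs


@dataclass(frozen=True)
class Frame:
    """A tagged management packet as it crosses the switch fabric."""
    vlan: int
    src_ip: IPv4Address
    dst_ip: IPv4Address
    payload: str


@dataclass
class Switch:
    """A network connection device with a built-in IP application layer protocol entity."""
    name: str
    user_vlan: int                          # VLAN its terminal devices live in (100 or 200)
    hostname: str
    mgmt_ip: Optional[IPv4Address] = None   # private IP on VLAN 1000, handed out by the master
    master_ip: Optional[IPv4Address] = None
    fabric: Dict[IPv4Address, "Switch"] = field(default_factory=dict)

    def agent(self, frame: Frame) -> Optional[Frame]:
        """Member-side protocol entity.

        A command is honoured only if it arrived on the management VLAN, from the
        master's private address, to this device's own private address. Anything
        else is dropped, so the management plane stays exclusive to VLAN 1000.
        """
        if (frame.vlan != MGMT_VLAN or frame.dst_ip != self.mgmt_ip
                or frame.src_ip != self.master_ip):
            return None
        if frame.payload == "get-hostname":
            reply = self.hostname
        elif frame.payload.startswith("set-hostname "):
            self.hostname = frame.payload.split(" ", 1)[1]
            reply = "ok"
        else:
            reply = "error: unknown command"
        # Response travels back the same way: management packet on VLAN 1000.
        return Frame(MGMT_VLAN, self.mgmt_ip, frame.src_ip, reply)


class Master(Switch):
    """The connection device the network management workstation (6) talks to (device 20)."""

    def form_cluster(self, members: List[Switch]) -> Dict[str, str]:
        """Formation stage (claim 2): discover members over VLAN 1000 and allocate
        private IPs to itself and to every member. Returns the allocation table."""
        hosts = PRIVATE_POOL.hosts()
        self.mgmt_ip = next(hosts)
        self.master_ip = self.mgmt_ip
        self.fabric[self.mgmt_ip] = self
        for member in members:
            member.mgmt_ip = next(hosts)
            member.master_ip = self.mgmt_ip
            member.fabric = self.fabric
            self.fabric[member.mgmt_ip] = member
        return {sw.name: str(ip) for ip, sw in self.fabric.items()}

    def relay(self, target: str, command: str) -> str:
        """Command from the workstation: wrap it in a management packet, send it over
        VLAN 1000 to the member's private IP and hand the response back."""
        member = next(sw for sw in self.fabric.values() if sw.name == target)
        request = Frame(MGMT_VLAN, self.mgmt_ip, member.mgmt_ip, command)
        response = member.agent(request)
        return response.payload if response else "no response"


def demo() -> Dict[str, object]:
    """Two switches in different user VLANs (100 and 200) managed through VLAN 1000."""
    master = Master("sw20", 100, "core-a")      # device 20, VLAN 100
    member = Switch("sw30", 200, "edge-b")      # device 30, VLAN 200
    out: Dict[str, object] = {"table": master.form_cluster([member])}
    out["hostname"] = master.relay("sw30", "get-hostname")
    out["set"] = master.relay("sw30", "set-hostname edge-b2")
    out["after"] = master.relay("sw30", "get-hostname")
    # Constructed check: a frame arriving on the user VLAN (200) from an address
    # outside the pool is not honoured, because management is only reachable via VLAN 1000.
    stray = Frame(200, IPv4Address("192.0.2.10"), member.mgmt_ip, "get-hostname")
    out["stray_dropped"] = member.agent(stray) is None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the allocation table (`sw20` gets the first pool address, `sw30` the second), a command and its reply crossing between VLAN 100 and VLAN 200 without either user VLAN seeing the traffic, and the stray frame on VLAN 200 being discarded by the member's protocol entity.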
TW97101371A 2008-01-14 2008-01-14 Network system for crossing the distinction and restriction of different virtual LANs TW200931880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW97101371A TW200931880A (en) 2008-01-14 2008-01-14 Network system for crossing the distinction and restriction of different virtual LANs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW97101371A TW200931880A (en) 2008-01-14 2008-01-14 Network system for crossing the distinction and restriction of different virtual LANs

Publications (2)

Publication Number Publication Date
TW200931880A true TW200931880A (en) 2009-07-16
TWI429233B TWI429233B (en) 2014-03-01

Family

ID=44865419

Family Applications (1)

Application Number Title Priority Date Filing Date
TW97101371A TW200931880A (en) 2008-01-14 2008-01-14 Network system for crossing the distinction and restriction of different virtual LANs

Country Status (1)

Country Link
TW (1) TW200931880A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI475851B (en) * 2012-07-03 2015-03-01 Mitsubishi Electric Corp Communication apparatus and network system

Also Published As

Publication number Publication date
TWI429233B (en) 2014-03-01

Similar Documents

Publication Publication Date Title
JP5792894B2 (en) Port expansion topology information acquisition method, system, control bridge, and uplink port processing method and system
TWI461032B (en) Computer system and communication method in the computer system
CN102150399B (en) Reducing flooding in a bridged network
CN106936777B (en) Cloud computing distributed network implementation method and system based on OpenFlow
CN104272684B (en) Dynamic Service insertion in Fabric interchangers
KR101341272B1 (en) Providing a logical aggregated point-to-point data link incorporating a multi-point link
EP3240250B1 (en) Virtual router terminating an overlay tunnel in a storage area network
CN102025591B (en) Method and system for implementing virtual private network
US20140379862A1 (en) Network system, machine allocation device and machine allocation method
CN104937885A (en) Global VLANs for fabric switches
WO2015165311A1 (en) Method for transmitting data packet and provider edge device
GB2497202A (en) Transmitting frames between, possibly different, local VLANs by encapsulating frames for global VLAN tunnel
EP1816796A2 (en) Bi-directional forwarding in ethernet-based service domains over networks
WO2022100554A1 (en) Method for forwarding bier message, and device and system
WO2015149253A1 (en) Data center system and virtual network management method of data center
JP2012216884A5 (en)
CN103795623A (en) Method and device for realizing traffic interflow between virtual devices
CN101820392A (en) Method for realizing multi-service forwarding and network processor
CN110035012B (en) SDN-based VPN flow scheduling method and SDN-based VPN flow scheduling system
WO2008037210A1 (en) Method and device for transferring message in virtual private lan
WO2015081526A1 (en) Control method in software-defined network, control device, and processor
CN100413281C (en) Method for realizing virtual exchange using QinQ technique
CN101009618A (en) Communication device and implementation method with the LAN/WAN port switching function
WO2005125103A1 (en) A virtual private network system of hybrid site and hybrid backbone network and its realizing method
CN100359875C (en) Method for realizing backup and load shared equally based on proxy of address resolution protocol