WO2011160457A1 - Method and system for realizing member access control - Google Patents


Info

Publication number
WO2011160457A1
Authority
WO
WIPO (PCT)
Prior art keywords
group number
communicate
system side
members
same
Application number
PCT/CN2011/071064
Other languages
French (fr)
Chinese (zh)
Inventor
陈世猛
Original Assignee
中兴通讯股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/16 Arrangements for providing special services to substations
    • H04L 12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L 12/1813 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, for computer conferences, e.g. chat rooms
    • H04L 12/1822 Conducting the conference, e.g. admission, detection, selection or grouping of participants, correlating users to one or more conference sessions, prioritising transmission
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/16 Arrangements for providing special services to substations
    • H04L 12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L 12/185 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast, with management of multicast group membership



Abstract

A method for realizing member access control is provided. The method includes: the system side assigns a group number to a member when the member accesses the system; when a first member needs to communicate with a second member, the system side judges whether the group number of the first member is the same as the group number of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member, otherwise the first member is not allowed to communicate with the second member. A system for realizing member access control is also provided. By assigning group numbers to the members, the solution distinguishes the members that can communicate with each other from the members that cannot, so that access between members can be controlled flexibly.

Description

Method and system for implementing member access control
Technical Field
The present invention relates to access control techniques, and more particularly to a method and system for implementing member access control.
Background
Layer 2 VPNs mainly comprise Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS). VPWS is a point-to-point Layer 2 VPN technology over Ethernet; VPLS extends it into a multipoint-interconnected Layer 2 VPN technology.
Figure 1 is a schematic diagram of a VPLS service network. As shown in Figure 1, a VPLS link is set up between provider edge devices PE1 and PE2; customer edge devices CE1, CE2 and CE3 access on the PE1 side, and customer edge device CE4 accesses on the PE2 side. Under normal circumstances CE1, CE2, CE3 and CE4 can all communicate with one another. If some service requirement demands that the local members not communicate with each other, that is, that CE1, CE2 and CE3 be isolated from one another, then simply configuring an ordinary VPLS service cannot meet the customer's needs.
To address this requirement, the existing practice is to divide members by attribute into clients and servers: members with the client attribute can communicate only with members having the server attribute, and client members cannot communicate with each other. This approach simply splits the members into two groups and is inflexible to use. For example, if the user requires that CE1 and CE2 be able to communicate, but that CE1 and CE3 cannot and CE2 and CE3 cannot either, the above method of implementing VPLS member access control cannot satisfy the requirement, which degrades the user experience.
Summary of the Invention
In view of this, the main object of the present invention is to provide a method and system for implementing member access control that can flexibly control access between members and thereby improve the user experience.
To achieve the above object, the technical solution of the present invention is realized as follows:
A method for implementing member access control, in which the system side assigns a group number to a member when the member accesses, the method comprising:
when a first member needs to communicate with a second member, the system side determines whether the group number of the first member is the same as the group number of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member; otherwise, the first member is not allowed to communicate with the second member.
Assigning a group number to the member when the member accesses consists of: assigning the same group number to members that are allowed to communicate with each other, and assigning different group numbers to members that are not allowed to communicate with each other.
The method further comprises: the system side writes the group number assigned to a member into the forwarding table and the access attribute table corresponding to that member.
The system side determining whether the group number of the first member is the same as that of the second member consists of: the system side obtains the group number of the first member by looking up the access attribute table corresponding to the first member, obtains the group number of the second member by looking up the forwarding table corresponding to the second member, and then makes the determination.
The system side is a provider edge device, and the members are customer edge devices.
A system for implementing member access control comprises a system side and members, wherein:
the system side is configured to assign a group number to a member when the member accesses and, when a first member needs to communicate with a second member, to determine whether the group number of the first member is the same as that of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member; otherwise, the first member is not allowed to communicate with the second member.
Assigning a group number to the member when the member accesses consists of: assigning the same group number to members that are allowed to communicate with each other, and assigning different group numbers to members that are not allowed to communicate with each other.
The system side is further configured to write the group number assigned to a member into the forwarding table and the access attribute table corresponding to that member.
The system side determining whether the group number of the first member is the same as that of the second member consists of: the system side obtains the group number of the first member by looking up the access attribute table corresponding to the first member, obtains the group number of the second member by looking up the forwarding table corresponding to the second member, and then makes the determination.
The system side is a provider edge device, and the members are customer edge devices.
In the method and system for implementing member access control of the present invention, each member is assigned a group number (Group ID) when it accesses; when a member needs to communicate with another member, it is determined whether that member's group number is the same as the group number of the destination member: if they are the same, the two may communicate, otherwise they may not. By assigning group numbers to members, the present invention distinguishes members that may communicate with each other from members that may not, and can thus flexibly control access between members and improve the user experience.
Brief Description of the Drawings
Figure 1 is a schematic diagram of a VPLS service network;
Figure 2 is a schematic flowchart of the method for implementing member access control of the present invention;
Figure 3 is a schematic flowchart of the method for implementing member access control of an embodiment of the present invention.
Detailed Description
The basic idea of the present invention is: each member is assigned a group number (Group ID) when it accesses; when a member needs to communicate with another member, it is determined whether its group number is the same as that of the destination member; if so, they may communicate, otherwise they may not.
Figure 2 is a schematic flowchart of the method for implementing member access control of the present invention. As shown in Figure 2, the method comprises:
Step 201: The system side assigns a group number to a member when the member accesses.
Here, different members may be assigned the same group number. A member's group number is generally set by operations staff on the system side: members allowed to communicate with each other are given the same group number, and members not allowed to communicate with each other are given different group numbers. Where none of the members are allowed to communicate with one another, the system side may also assign a distinct group number at random to each accessing member.
The system side generally writes the group number assigned to a member into the forwarding table and the access attribute table corresponding to that member.
In a VPLS service, the system side is the provider edge device (PE) and the members are customer edge devices (CE).
Step 202: A first member needs to communicate with a second member.
For example, when the first member sends a packet to the system side with the second member as the destination member, the first member needs to communicate with the second member.
Step 203: The system side determines whether the group number of the first member is the same as that of the second member; if so, step 204 is performed, otherwise go to step 205.
The system side obtains the group number of the first member by looking up the access attribute table corresponding to the first member, obtains the group number of the second member by looking up the forwarding table corresponding to the second member, and compares them: if the two are the same, the members may communicate; otherwise they may not.
Step 204: The first member is allowed to communicate with the second member.
Step 205: The first member is not allowed to communicate with the second member.
By carrying out the above steps, communication between local VPLS members can be restricted as required.
The present invention also proposes a system for implementing member access control, comprising a system side and members, wherein the system side is configured to assign a group number to a member when the member accesses and, when a first member needs to communicate with a second member, to determine whether the group number of the first member is the same as that of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member; otherwise, the first member is not allowed to communicate with the second member.
Assigning a group number to the member when the member accesses consists of: assigning the same group number to members that are allowed to communicate with each other, and assigning different group numbers to members that are not allowed to communicate with each other.
The system side is further configured to write the group number assigned to a member into the forwarding table and the access attribute table corresponding to that member.
The system side determining whether the group number of the first member is the same as that of the second member consists of: the system side obtains the group number of the first member by looking up the access attribute table corresponding to the first member, obtains the group number of the second member by looking up the forwarding table corresponding to the second member, and then makes the determination.
The system side is a provider edge device, and the members are customer edge devices.
The technical solution of the present invention is described in further detail below with reference to a specific embodiment.
Referring to Figure 1, a VPLS link is set up between devices PE1 and PE2; devices CE1, CE2 and CE3 access on the PE1 side, and device CE4 accesses on the PE2 side. In this embodiment, CE1 is allowed to communicate with CE2, and CE1 is not allowed to communicate with CE3. Figure 3 is a schematic flowchart of the method for implementing member access control of this embodiment of the present invention. As shown in Figure 3, the method comprises:
Step 301: When CE1 accesses on the PE1 side, PE1 configures its group number as 1; when CE2 accesses on the PE1 side, PE1 configures its group number as 1; when CE3 accesses on the PE1 side, PE1 configures its group number as 2. Once configuration is complete, each member's group number is written into the forwarding table and the access attribute table corresponding to that member.
Step 302: After PE1 receives a packet from CE1, if the packet's destination is CE2, processing proceeds to step 303; if the packet's destination is CE3, processing proceeds to step 304.
Step 303: PE1 takes CE2's group number from the forwarding table corresponding to CE2 and CE1's group number from the access attribute table corresponding to CE1 and compares them; if they are the same, the packet is forwarded to CE2, otherwise the packet is discarded.
In this embodiment, CE1 and CE2 were both configured with group number 1; the comparison finds the two group numbers the same, so PE1 can send the packet from CE1 to CE2, that is, CE1 and CE2 can communicate.
Step 304: PE1 takes CE3's group number from the forwarding table corresponding to CE3 and CE1's group number from the access attribute table corresponding to CE1 and compares them; if they are the same, the packet is forwarded to CE3, otherwise the packet is discarded.
In this embodiment, CE1's group number is 1 and CE3's group number is 2; because the two group numbers differ, PE1 discards packets from CE1 to CE3, and CE1 and CE3 cannot communicate.
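The following Python is an added worked example and not code from the patent or its assignee. It models PE1's decision in steps 301 to 304 over the embodiment's tables, checks the background section's claim that a two-role client/server split cannot express "CE1 with CE2 allowed, CE1 with CE3 and CE2 with CE3 denied", and goes one step further than the text by showing that equality of a single group number is transitive, so a policy whose allowed pairs chain two members that must stay apart cannot be expressed either. The table layouts, the fail-closed handling of an unknown member, and the helper functions are assumptions.

```python
"""Model of the PE-side group-number check (steps 301 to 304 of the patent).
Added example, not code from the patent; table layouts, the fail-closed
handling of unknown members and the helper functions are assumptions."""
from itertools import product
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[str, str]


class ProviderEdge:
    """The 'system side' (a PE) holding the two per-member tables of step 301."""

    def __init__(self, name: str) -> None:
        self.name = name
        # Forwarding table: destination member -> group number (read in 303/304).
        self.forwarding_table: Dict[str, int] = {}
        # Access attribute table: ingress (source) member -> group number.
        self.access_attribute_table: Dict[str, int] = {}

    def attach(self, member: str, group: int) -> None:
        """Step 301: on access, assign the group number and write it to both tables."""
        self.forwarding_table[member] = group
        self.access_attribute_table[member] = group

    def decide(self, src: str, dst: str) -> str:
        """Steps 302 to 304: 'forward' when both group numbers match, else 'discard'."""
        src_group = self.access_attribute_table.get(src)
        dst_group = self.forwarding_table.get(dst)
        if src_group is None or dst_group is None:
            # Assumption: the patent does not say what happens when a lookup
            # misses; failing closed keeps an unlisted member from bypassing the check.
            return "discard"
        return "forward" if src_group == dst_group else "discard"


def build_embodiment() -> ProviderEdge:
    """PE1 configured as in step 301: CE1 and CE2 in group 1, CE3 in group 2."""
    pe1 = ProviderEdge("PE1")
    pe1.attach("CE1", 1)
    pe1.attach("CE2", 1)
    pe1.attach("CE3", 2)
    return pe1


def client_server_can_express(members: List[str], allowed: Iterable[Pair],
                              denied: Iterable[Pair]) -> bool:
    """Prior-art scheme from the background: a pair may talk iff their roles
    differ. True if some client/server assignment meets every requirement."""
    allowed, denied = list(allowed), list(denied)
    for roles in product(("client", "server"), repeat=len(members)):
        role = dict(zip(members, roles))
        if all(role[a] != role[b] for a, b in allowed) and \
           all(role[a] == role[b] for a, b in denied):
            return True
    return False


def assign_groups(members: List[str], allowed: Iterable[Pair]) -> Dict[str, int]:
    """Group-number scheme of the patent: members that may talk share a number.
    Union-find over the allowed pairs; numbering starts at 1 like the embodiment."""
    parent = {m: m for m in members}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in allowed:
        parent[find(a)] = find(b)
    roots: Dict[str, int] = {}
    return {m: roots.setdefault(find(m), len(roots) + 1) for m in members}


def groups_satisfy(groups: Dict[str, int], allowed: Iterable[Pair],
                   denied: Iterable[Pair]) -> bool:
    """Check an assignment against both halves of a requirement. Because equality
    of one label is transitive, a policy whose allowed pairs chain two members
    that must stay apart cannot be expressed, and this returns False for it."""
    return all(groups[a] == groups[b] for a, b in allowed) and \
           all(groups[a] != groups[b] for a, b in denied)
```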
The above is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims

1. A method for implementing member access control, characterized in that the system side assigns a group number to a member when the member accesses, the method comprising:
when a first member needs to communicate with a second member, the system side determines whether the group number of the first member is the same as the group number of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member; otherwise, the first member is not allowed to communicate with the second member.
2. The method according to claim 1, characterized in that the system side assigning a group number to the member when the member accesses comprises: assigning the same group number to members that are allowed to communicate with each other, and assigning different group numbers to members that are not allowed to communicate with each other.
3. The method according to claim 1, characterized in that the method further comprises: the system side writing the group number assigned to the member into the forwarding table and the access attribute table corresponding to the member.
4. The method according to claim 3, characterized in that the system side determining whether the group number of the first member is the same as the group number of the second member comprises: the system side obtaining the group number of the first member by looking up the access attribute table corresponding to the first member, obtaining the group number of the second member by looking up the forwarding table corresponding to the second member, and making the determination.
5. The method according to any one of claims 1 to 4, characterized in that the system side is a provider edge device and the member is a customer edge device.
6. A system for implementing member access control, characterized in that the system comprises a system side and members, wherein:
the system side is configured to assign a group number to a member when the member accesses, and, when a first member needs to communicate with a second member, to determine whether the group number of the first member is the same as the group number of the second member; if the group numbers are the same, the first member is allowed to communicate with the second member; otherwise, the first member is not allowed to communicate with the second member.
7. The system according to claim 6, characterized in that the system side assigning a group number to the member when the member accesses comprises: assigning the same group number to members that are allowed to communicate with each other, and assigning different group numbers to members that are not allowed to communicate with each other.
8. The system according to claim 6, characterized in that
the system side is further configured to write the group number assigned to the member into the forwarding table and the access attribute table corresponding to the member.
9. The system according to claim 8, characterized in that the system side determining whether the group number of the first member is the same as the group number of the second member comprises: the system side obtaining the group number of the first member by looking up the access attribute table corresponding to the first member, obtaining the group number of the second member by looking up the forwarding table corresponding to the second member, and making the determination.
10. The system according to any one of claims 6 to 9, characterized in that the system side is a provider edge device and the member is a customer edge device.
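The forwarding decision of step 304 and of claims 1 to 5 (and, as a system, claims 6 to 10) can be simulated in a few lines. The following is an added example and is not code from the patent or its assignee; the `ProviderEdge` class, the two Python dictionaries standing in for the forwarding table and the access attribute table, and the member CE2 (given group number 1 so that a permitted pair appears alongside the CE1/CE3 pair of the embodiment) are all constructed for illustration.

```python
"""Simulation of the group-number access check (step 304, claims 1-10).

Added example, not the patent's own code. The table layout, the class name
and the member CE2 are constructed assumptions.
"""

from dataclasses import dataclass, field


@dataclass
class ProviderEdge:
    """System side (PE in the embodiment). For each attached member (CE) it keeps
    the group number in two places, as claim 3 describes: the forwarding table,
    consulted when the CE is the destination of a packet, and the access
    attribute table, consulted when the CE is the source."""
    name: str
    forwarding_table: dict[str, int] = field(default_factory=dict)
    access_attribute_table: dict[str, int] = field(default_factory=dict)

    def attach(self, ce: str, group: int) -> None:
        """Member access: the PE assigns the group number and writes it into both tables."""
        self.forwarding_table[ce] = group
        self.access_attribute_table[ce] = group

    def forward(self, src: str, dst: str) -> str:
        """Step 304 / claim 4: take the source's group from the access attribute table
        and the destination's group from the forwarding table; equal -> forward,
        otherwise -> drop."""
        src_group = self.access_attribute_table.get(src)
        dst_group = self.forwarding_table.get(dst)
        if src_group is None or dst_group is None:
            return "drop"  # a member with no assigned group gets nothing: fail closed
        return "forward" if src_group == dst_group else "drop"


def run_embodiment() -> dict[tuple[str, str], str]:
    """Configuration from the embodiment: CE1 has group 1, CE3 has group 2.
    CE2 with group 1 is a constructed addition so that a permitted pair is shown."""
    pe1 = ProviderEdge("PE1")
    pe1.attach("CE1", 1)
    pe1.attach("CE2", 1)   # constructed: same group as CE1, so CE1 <-> CE2 is allowed
    pe1.attach("CE3", 2)
    pairs = [("CE1", "CE3"), ("CE1", "CE2"), ("CE3", "CE2"), ("CE1", "CE9")]
    return {pair: pe1.forward(*pair) for pair in pairs}


if __name__ == "__main__":
    for (src, dst), decision in run_embodiment().items():
        print(f"{src} -> {dst}: {decision}")
```

The check is symmetric because both tables hold the same value for a given member, so the source/destination roles can be swapped without changing the outcome; a member that was never attached (CE9 above) has no group number in either table and is dropped rather than treated as belonging to some default group.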
PCT/CN2011/071064 2010-06-25 2011-02-17 Method and system for realizing member access control WO2011160457A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010102192648A CN101883011A (en) 2010-06-25 2010-06-25 Method and system for realizing member access control
CN201010219264.8 2010-06-25

Publications (1)

Publication Number Publication Date
WO2011160457A1 true WO2011160457A1 (en) 2011-12-29

Family

ID=43054912

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071064 WO2011160457A1 (en) 2010-06-25 2011-02-17 Method and system for realizing member access control

Country Status (2)

Country Link
CN (1) CN101883011A (en)
WO (1) WO2011160457A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883011A (en) * 2010-06-25 2010-11-10 中兴通讯股份有限公司 Method and system for realizing member access control

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878115A (en) * 2005-06-07 2006-12-13 中兴通讯股份有限公司 VPN realizing method
US20090093232A1 (en) * 2007-10-08 2009-04-09 Qualcomm Incorporated Provisioning communication nodes
CN101459673A (en) * 2008-12-08 2009-06-17 中兴通讯股份有限公司 Method and equipment for communication between members of VPLN
CN101883011A (en) * 2010-06-25 2010-11-10 中兴通讯股份有限公司 Method and system for realizing member access control

Also Published As

Publication number Publication date
CN101883011A (en) 2010-11-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11797488

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11797488

Country of ref document: EP

Kind code of ref document: A1