WO2015127735A1 - Method and apparatus for implementing ring network user security - Google Patents

Method and apparatus for implementing ring network user security

Info

Publication number
WO2015127735A1
Authority
WO
WIPO (PCT)
Prior art keywords
port
uplink
uplink node
ring network
notification message
Application number
PCT/CN2014/080758
Inventor
刘星
曾涛
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/42 Loop networks
    • H04L12/437 Ring fault isolation or reconfiguration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security

Abstract

Disclosed are a method and an apparatus for implementing ring network user security. The method includes: when the ring network is in the normal working state, configuring Layer 2 isolation between the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of that device; before the ring network performs a switchover, deleting the Layer 2 isolation; and after the switchover, re-detecting the positions of the cascade port and the uplink port and configuring the Layer 2 isolation between the cascade port and the user port again. The present invention enhances network security without affecting the service switchover performance of the ring network.

Description

Method and apparatus for implementing ring network user security

TECHNICAL FIELD

The present invention relates to the field of communications, and in particular to a method and an apparatus for implementing ring network user security.

BACKGROUND OF THE INVENTION

A ring network protection protocol (for example, the ERPS protocol described in G8032) blocks the RPL (Ring Protection Link) when the network is normal. After a link fault is detected, it blocks the faulty link and opens the RPL, which provides service protection and fast switchover.

Layer 2 isolation of users is a basic requirement for access network service security. In a cascaded network, isolation can be set between the cascade port and the user ports. In a ring network, however, the roles of the cascade port and the uplink port change dynamically during protection switching (see FIG. 1A and FIG. 1B; FIG. 1A is a schematic diagram of the normal working state of a ring network according to the related art, and FIG. 1B is a schematic diagram of the fault state of a ring network according to the related art), so Layer 2 isolation cannot be set statically. Users on different OLT (Optical Line Terminal) devices are not isolated from one another, attacks such as ARP (Address Resolution Protocol) spoofing cannot be defended against, and there is a considerable security risk.

No effective solution has yet been proposed for the problem in the related art that user Layer 2 isolation cannot be set in a ring network, which leaves the ring network with a considerable security risk.

SUMMARY OF THE INVENTION

The present invention provides a method and an apparatus for implementing ring network user security, to solve at least the above problem.

According to one aspect of the present invention, a method for implementing ring network user security is provided, including: in the normal working state of the ring network, configuring Layer 2 isolation between the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device; before the ring network performs a switchover, deleting the Layer 2 isolation; and after the ring network performs the switchover, re-detecting the positions of the cascade port and the uplink port and configuring Layer 2 isolation between the cascade port and the user port.

Preferably, the method further includes: receiving an uplink node notification message sent by the uplink node device, where the uplink node device is the device connected to the upstream switching device, and the uplink node notification message obeys the following forwarding rule on non-uplink node devices: it is dropped on blocked ports and forwarded on non-blocked ports.

Preferably, the ring network includes one or more logical rings, where the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information on the corresponding logical ring.

Preferably, the uplink node notification message includes: an ERPS (Ethernet Ring Protection Switching) protocol extension message, where the ERPS protocol extension message is obtained by extending the 4-bit Request/State field of the ERPS protocol message beyond the standard protocol.

Preferably, the uplink node notification message includes: an existing protocol message other than the ERPS protocol extension message, or a custom message.

Preferably, the information on the logical ring includes: the ring ID of the logical ring, or other information corresponding to the logical ring.

Preferably, the uplink node notification message uses the media access control (MAC) address of the uplink node device as its source MAC.

Preferably, according to the source MAC address, the port on which the uplink node notification message is received is determined to be the uplink port, and the other port is determined to be the cascade port.

Preferably, every non-uplink node device in each logical ring chooses whether to configure the MAC address of the uplink node device as the check MAC address used to verify uplink node notification messages.

According to another aspect of the present invention, an apparatus for implementing ring network user security is provided, including: an isolation module, configured to configure, in the normal working state of the ring network, Layer 2 isolation between the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device; and a processing module, configured to delete the Layer 2 isolation before the ring network performs a switchover and, after the ring network performs the switchover, to re-detect the positions of the cascade port and the uplink port and configure Layer 2 isolation between the cascade port and the user port.

Preferably, the apparatus further includes: a receiving module, configured to receive the uplink node notification message sent by the uplink node device, where the uplink node device is the device connected to the upstream switching device, and the uplink node notification message obeys the following forwarding rule on non-uplink node devices: it is dropped on blocked ports and forwarded on non-blocked ports.

Preferably, the ring network includes one or more logical rings, where the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information on the corresponding logical ring.

In the above embodiments of the present invention, the Layer 2 isolation between the cascade port and the user port of a node device is configured or deleted flexibly according to the working state of the ring network. This solves the problem in the related art that user Layer 2 isolation cannot be set in a ring network, which leaves the ring network with a considerable security risk. Ports in the ring can dynamically identify the uplink port and the cascade port, which gives dynamic Layer 2 isolation between the user ports and the cascade ports of ring network devices. User ports on different devices are therefore isolated at Layer 2 without affecting the service switchover performance of the ring network, and network security is greatly improved.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described here provide a further understanding of the present invention and form part of this application. The exemplary embodiments of the present invention and their description are used to explain the present invention and do not unduly limit it. In the drawings:

FIG. 1A is a schematic diagram of the normal working state of a ring network according to the related art;
FIG. 1B is a schematic diagram of the fault state of a ring network according to the related art;
FIG. 2 is a flowchart of a method for implementing ring network user security according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of an apparatus for implementing ring network user security according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a preferred apparatus for implementing ring network user security according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the networking according to a preferred embodiment of the present invention;
FIG. 6 is a schematic diagram of normal operation according to a preferred embodiment of the present invention;
FIG. 7 is a schematic diagram of the ring network during switchover according to a preferred embodiment of the present invention; and
FIG. 8 is a schematic diagram of the ring network after switchover according to a preferred embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The present invention is described in detail below with reference to the drawings and in combination with the embodiments. It should be noted that the embodiments in this application and the features in the embodiments may be combined with each other where they do not conflict.

An embodiment of the present invention provides a method for implementing ring network user security. FIG. 2 is a flowchart of the method according to an embodiment of the present invention. As shown in FIG. 2, the method mainly includes the following steps (step S202 to step S204):

Step S202: in the normal working state of the ring network, configure Layer 2 isolation between the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device.

Step S204: before the ring network performs a switchover, delete the Layer 2 isolation; after the ring network performs the switchover, re-detect the positions of the cascade port and the uplink port and configure Layer 2 isolation between the cascade port and the user port.

Through these steps, the Layer 2 isolation between the cascade port and the user port of a node device can be configured or deleted flexibly according to the working state of the ring network, which keeps the service traffic on the user ports secure.

In this embodiment, the uplink node notification message sent by the uplink node device is received, where the uplink node device is the device connected to the upstream switching device, and the uplink node notification message obeys the following forwarding rule on non-uplink node devices: it is dropped on blocked ports and forwarded on non-blocked ports.

In this embodiment, the ring network includes one or more logical rings, where the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information on the corresponding logical ring.

In one preferred implementation of this embodiment, the uplink node notification message may include: an ERPS protocol extension message, where the ERPS protocol extension message is obtained by extending the 4-bit Request/State field of the ERPS protocol message beyond the standard protocol. In another preferred implementation of this embodiment, the uplink node notification message may also include: an existing protocol message other than the ERPS protocol extension message, or a custom message.

In this embodiment, the information on the logical ring may include: the ring ID of the logical ring, or other information corresponding to the logical ring.

In this embodiment, the uplink node notification message uses the MAC (Media Access Control) address of the uplink node device as its source MAC.

In this embodiment, according to the source MAC address, the port on which the uplink node notification message is received is determined to be the uplink port, and the other port is determined to be the cascade port.

In practice, the node devices in each logical ring other than the uplink node may choose whether to configure the MAC address of that logical ring's uplink node device as the check MAC address used to verify uplink node notification messages, to improve reliability and resistance to interference.

An embodiment of the present invention also provides an apparatus for implementing ring network user security, which is used to carry out the above method. FIG. 3 is a structural block diagram of the apparatus according to an embodiment of the present invention. As shown in FIG. 3, the apparatus mainly includes an isolation module 10 and a processing module 20. The isolation module 10 is configured to configure, in the normal working state of the ring network, Layer 2 isolation between the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device. The processing module 20 is configured to delete the Layer 2 isolation before the ring network performs a switchover and, after the ring network performs the switchover, to re-detect the positions of the cascade port and the uplink port and configure Layer 2 isolation between the cascade port and the user port.

On the basis of the apparatus shown in FIG. 3, an embodiment of the present invention also provides a preferred apparatus for implementing ring network user security.

FIG. 4 is a structural block diagram of the preferred apparatus according to an embodiment of the present invention. As shown in FIG. 4, the preferred apparatus may further include: a receiving module 30, configured to receive the uplink node notification message sent by the uplink node device, where the uplink node device is the device connected to the upstream switching device, and the uplink node notification message obeys the following forwarding rule on non-uplink node devices: it is dropped on blocked ports and forwarded on non-blocked ports.

Preferably, the ring network may include one or more logical rings, where the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information on the corresponding logical ring.

With the method and apparatus provided by the above embodiments, the uplink node in the ring periodically sends a specific protocol packet, so that the other devices can learn the current positions of the uplink port and the cascade port and dynamically configure Layer 2 isolation between the cascade port and the user ports. This keeps users on different devices in the ring isolated at Layer 2 and greatly improves network security.

The method provided by the above embodiments is described and explained in more detail below with reference to FIG. 5 to FIG. 8 and the preferred embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Before the preferred embodiment is described with reference to the drawings, its overall implementation process is explained first. The process can be completed in the following steps:

(1) The device connected to the upstream switching device is manually configured as the uplink node and periodically sends a specific protocol message (here called the uplink node notification message) out of its non-blocked ring ports. The source MAC is the device's own MAC, and the VLAN (Virtual Local Area Network) belongs to the STP (Spanning Tree Protocol) instance managed by ERPS (Ethernet Ring Protection Switching); it can be configured directly as the VLAN that carries ERPS protocol packets, or as another VLAN in the same STP instance. The message is forwarded on non-blocked ports in the ring and dropped on blocked ports, so that its path is the same as that of the service traffic. Both ring ports of the uplink node are recorded as cascade ports and are configured with Layer 2 isolation from the user ports. Because several logical rings (several ERPS instances) may be configured on one physical ring, and the uplink node of each logical ring may be a different device in the ring, all operations in the present invention apply to a single logical ring: the Layer 2 isolation isolates the cascade port from the user ports for the VLANs managed by that logical ring, and the uplink node notification message likewise carries information on its logical ring so that different logical rings can be told apart.

(2) The uplink node notification message can be an ERPS protocol extension message, in which the 4-bit Request/State field of the message is extended beyond the standard protocol, for example with "1111" or another value that does not conflict with the original protocol, to mark the message as an uplink node notification message. The content of the ERPS message contains the corresponding logical ring information (the last byte of the MAC address, the ring-id, corresponds one-to-one with the ERPS ring configuration), and the VLAN, MAC and other information also meet the requirements above. The processing flow is similar to that of the original protocol messages and only parsing of this message has to be added, so this is a good choice for an ERPS ring.

More generally, in practice the uplink node notification message can also be another existing protocol message or a custom message. The required elements are as follows: the message content must contain logical ring information so that the uplink node notification messages of different logical rings do not affect one another, and this can be the configured ring ID or other information that corresponds one-to-one with the logical ring; the message content must identify the message as an uplink node notification message and be easy to parse, which can be done by defining a specific destination MAC or by adding information that identifies the uplink node notification message to a field of an existing protocol message; and the message must be dropped on blocked ports and forwarded on non-blocked ports. For example, a custom multicast MAC address beginning with 01 (01-XX-XX-XX-XX-XX) can be used for the uplink node notification message, with the corresponding ring information added to the message payload. An uplink node notification message defined in this way can be used in most ring networks and is more general.

(3) Whether the ring is in the normal working state or in a fault state, the direction of the service traffic sent by the upstream device on a given link is unique in that state: downstream traffic enters a device through its uplink port and is forwarded out through its cascade port. The other devices in the ring can choose whether to configure the MAC address of the uplink node as a check. The port on which the uplink node notification message is received is recorded as the uplink port and the other port is recorded as the cascade port, and Layer 2 isolation is configured between the user ports and the cascade port, which keeps user ports on different devices in the ring isolated at Layer 2 and improves network security. The message is also forwarded to the non-blocked ring port.

(4) When the ring topology switches over, to ensure that the Layer 2 isolation does not affect service switchover performance, the devices in the ring delete the Layer 2 isolation configuration between the user ports and the cascade port before they reconfigure the port STP state, clear the MAC address table and so on, so that services can switch over normally.

(5) After the switchover, every device in the ring except the uplink node starts a guard timer and does not process the message for a period of time, which prevents it from acting on delayed or interfering messages in the network and keeps services stable. After the guard timer expires, each device follows step (3) to rediscover the cascade port and configure Layer 2 isolation between the user ports and the cascade port.

The implementation of the preferred embodiment is described further below with reference to FIG. 5 to FIG. 8.

FIG. 5 is a schematic diagram of the networking according to a preferred embodiment of the present invention. As shown in FIG. 5, several devices form a ring network and run the ERPS ring protection protocol; the configured position of the RPL link is shown in FIG. 5. In practice, the uplink node connected to the upstream device can be any one of the devices in the ring.

FIG. 6 is a schematic diagram of normal operation according to a preferred embodiment of the present invention. Referring to FIG. 6, because the uplink port of the uplink node (the port connected to the upstream device) and its cascade ports (the ring ports) are fixed, Layer 2 isolation is configured between the user ports and the cascade ports of the uplink node. The service traffic is then as shown in the figure: the user ports can exchange data only with the uplink port, and the cascade ports can exchange data only with the uplink port. The uplink node is also configured to send the uplink node notification message periodically out of its non-blocked ring ports, in the direction shown in FIG. 6, with the device's own MAC as the source MAC address. When a device other than the uplink node receives the uplink node notification message, it records the receiving port as the uplink port and the other ring port as the cascade port, configures Layer 2 isolation between the user ports and the cascade port, and forwards the uplink node notification message to the non-blocked ring port. The service traffic at this point is as shown in FIG. 6: the user ports can exchange data only with the uplink port, and the cascade port can exchange data only with the uplink port.

FIG. 7 is a schematic diagram of the ring network during switchover according to a preferred embodiment of the present invention. As shown in FIG. 7, when the ring topology switches over, to let the service traffic switch quickly and reduce service interruption, a non-uplink node that learns of the ring state change from the relevant protocol packets clears its record of the uplink port and the cascade port and deletes the configured Layer 2 isolation between the user ports and the cascade port before it performs the switchover actions (changing the port STP state and clearing the MAC address table); see FIG. 7. Because the topology of the uplink node is fixed, the port connected to the upstream device is always the uplink port and the two ring ports are always cascade ports, so its configuration does not need to change. In this way the ring network services are not affected by the configured Layer 2 isolation and can switch over normally.

FIG. 8 is a schematic diagram of the ring network after switchover according to a preferred embodiment of the present invention. As shown in FIG. 8, after the ring switches over, to avoid acting on delayed or interfering messages in the network and to keep services stable, every node except the uplink node starts a guard timer immediately after the switchover and does not process received uplink node notification messages for a period of time. When the guard timer expires, the node resumes processing received uplink node notification messages, marks the uplink port and the cascade port, and configures Layer 2 isolation between the user ports and the cascade port.

With the above preferred embodiment, ports in the ring can dynamically identify the uplink port and the cascade port, which gives dynamic Layer 2 isolation between the user ports and the cascade ports of ring network devices, keeps user ports on different devices isolated at Layer 2 without affecting the service switchover performance of the ring network, and greatly improves network security.

It should be noted that each of the above modules can be implemented in hardware. For example: a processor includes the above modules, or each of the above modules is located in its own processor.

In another embodiment, software is also provided, which is used to carry out the technical solutions described in the above embodiments and preferred implementations.

In another embodiment, a storage medium is also provided, in which the above software is stored. The storage medium includes but is not limited to: an optical disc, a floppy disk, a hard disk, a rewritable memory and the like.

From the above description it can be seen that the present invention achieves the following technical effects. The present invention mainly provides a user security implementation method that handles the change of roles between cascade port and uplink port during protection switching. The uplink node connected to the upstream device periodically sends a specific protocol message out of its non-blocked ring ports. On the other devices in the ring, the port that receives the message is recorded as the uplink port and the other port is recorded as the cascade port; isolation is then configured between the user ports and the cascade port, and the message is forwarded to the non-blocked ring port. When the ring topology switches over, the downstream devices immediately delete the isolation configuration between the user ports and the cascade port, and when they receive the protocol message sent by the uplink node again, they re-identify the port roles and configure Layer 2 isolation. The method solves the problem that a change of port roles during ring protection switching requires the Layer 2 isolation to be reconfigured, and so enhances network security.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The present invention is therefore not limited to any specific combination of hardware and software.

The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art can make various modifications and changes to the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.
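The role learning, isolation removal and protection-timer behaviour described above can be modelled as a small state machine on a non-uplink device. The following Python example is added here for illustration and is not code from the patent; the class and method names, the 2-second guard value, the choice not to forward notifications while the timer runs, and dropping a notification that fails the optional MAC check are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NonUplinkNode:
    """Hypothetical model of one non-uplink ring device (names are assumptions)."""
    ring_ports: tuple                          # the device's two ring network ports
    guard_seconds: float = 2.0                 # assumed; the page gives no duration
    check_mac: Optional[str] = None            # optional verification MAC (claim 9)
    blocked: set = field(default_factory=set)  # ring ports currently blocked by ERPS
    uplink: Optional[str] = None
    cascade: Optional[str] = None
    isolated: bool = False
    guard_until: float = 0.0

    def on_notification(self, port, src_mac, now):
        """Handle an uplink node notification; return the ports it is forwarded on."""
        if port in self.blocked:
            return []        # discarded on a blocked port
        if now < self.guard_until:
            return []        # protection timer running: not processed (assumed: not forwarded)
        if self.check_mac is not None and src_mac != self.check_mac:
            return []        # assumed handling of a failed MAC check: drop
        self.uplink = port   # receiving port becomes the uplink port
        self.cascade = next(p for p in self.ring_ports if p != port)
        self.isolated = True  # user and cascade ports now reach only the uplink port
        return [p for p in self.ring_ports if p != port and p not in self.blocked]

    def on_ring_change(self, now, blocked=()):
        """Ring state change: clear roles and isolation first, then start the timer."""
        self.uplink = self.cascade = None
        self.isolated = False
        self.blocked = set(blocked)
        self.guard_until = now + self.guard_seconds

    def may_forward(self, src, dst):
        """Layer 2 forwarding decision between two local ports."""
        return (not self.isolated) or self.uplink in (src, dst)


def demo():
    """Constructed scenario: learn roles, switch over, ignore a late message, re-learn."""
    mac = "00:11:22:33:44:55"                  # constructed uplink node MAC
    n = NonUplinkNode(("ring0", "ring1"), check_mac=mac)
    log = [n.on_notification("ring0", mac, now=0.0),     # ring0 learned as uplink
           n.may_forward("user1", "ring1"),              # user to cascade: denied
           n.may_forward("user1", "ring0")]              # user to uplink: allowed
    n.on_ring_change(now=10.0)
    log += [n.may_forward("user1", "ring1"),             # isolation deleted for the switch
            n.on_notification("ring0", mac, now=10.5),   # late message inside guard window
            n.on_notification("ring1", "02:00:00:00:00:01", now=13.0),  # wrong source MAC
            n.on_notification("ring1", mac, now=13.0),   # roles re-learned, now swapped
            (n.uplink, n.cascade, n.may_forward("user1", "ring0"))]
    return log
```

Between `on_ring_change` and the next accepted notification, `may_forward` permits user-to-cascade traffic: this is the interval in which the scheme runs without Layer 2 isolation, so its length depends on the protection timer and on how often the uplink node sends notifications.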

Claims

1. A method for implementing ring network user security, including:
in the normal working state of the ring network, configuring Layer 2 isolation for the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device;
before the ring network performs the switching process, deleting the Layer 2 isolation, and after the ring network performs the switching process, re-detecting the positions of the cascade port and the uplink port and configuring Layer 2 isolation between the cascade port and the user port.

2. The method according to claim 1, wherein the method further includes: receiving an uplink node notification message sent by an uplink node device, wherein the uplink node device is a device connected to an upstream switching device, and the uplink node notification message conforms to the following forwarding rules on the non-uplink node device: discarded on a blocked port, forwarded on a non-blocked port.

3. The method according to claim 2, wherein the ring network includes one or more logical rings, wherein the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information of the corresponding logical ring.

4. The method according to claim 2, wherein the uplink node notification message includes: an Ethernet protection switching (ERPS) protocol extension message, wherein the ERPS protocol extension message is obtained by extending the 4-bit Request/State flag field in the ERPS protocol message beyond the standard protocol.

5. The method according to claim 2, wherein the uplink node notification message includes: another existing protocol message other than the Ethernet protection switching (ERPS) protocol extension message, or a custom message.

6. The method according to claim 3, wherein the information of the logical ring includes: the ring network ID of the logical ring, or other information corresponding to the logical ring.

7. The method according to any one of claims 3 to 6, wherein the uplink node notification message uses the media access control (MAC) address of the uplink node device as the source MAC.

8. The method according to claim 7, wherein, according to the source MAC address, the port that receives the uplink node notification message is determined to be the uplink port, and the other port is determined to be the cascade port.

9. The method according to claim 3 or 6, wherein all non-uplink node devices in each logical ring, other than the uplink node device, choose whether to configure the media access control (MAC) address of the uplink node device as a check MAC address for verifying the uplink node notification message.

10. An apparatus for implementing ring network user security, including:
an isolation module, configured to, in the normal working state of the ring network, configure Layer 2 isolation for the cascade port and the user port of a non-uplink node device, so that the cascade port and the user port exchange data only with the uplink port of the non-uplink node device;
a processing module, configured to delete the Layer 2 isolation before the ring network performs the switching process, and, after the ring network performs the switching process, re-detect the positions of the cascade port and the uplink port and configure Layer 2 isolation between the cascade port and the user port.

11. The apparatus according to claim 10, wherein the apparatus further includes: a receiving module, configured to receive an uplink node notification message sent by an uplink node device, wherein the uplink node device is a device connected to an upstream switching device, and the uplink node notification message conforms to the following forwarding rules on the non-uplink node device: discarded on a blocked port, forwarded on a non-blocked port.

12. The apparatus according to claim 10 or 11, wherein the ring network includes one or more logical rings, wherein the uplink node devices of the logical rings are the same device or different devices, and the uplink node notification message sent by each uplink node device carries information of the corresponding logical ring.

PCT/CN2014/080758 2014-02-27 2014-06-25 Method and apparatus for implementing ring network user security WO2015127735A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410068862.8 2014-02-27
CN201410068862.8A CN104883337B (en) 2014-02-27 2014-02-27 The implementation method and device of looped network user security

Publications (1)

Publication Number Publication Date
WO2015127735A1 (en) 2015-09-03

Family

ID=53950672

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080758 WO2015127735A1 (en) 2014-02-27 2014-06-25 Method and apparatus for implementing ring network user security

Country Status (2)

Country Link
CN (1) CN104883337B (en)
WO (1) WO2015127735A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105743761A (en) * 2014-12-12 2016-07-06 中兴通讯股份有限公司 Method and network equipment for realizing two-layer isolation and three-layer intercommunication of routing interface

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018090210A1 (en) * 2016-11-15 2018-05-24 华为技术有限公司 Service packet transmission method, and node apparatus
CN108632175B (en) * 2017-03-22 2022-03-01 中兴通讯股份有限公司 Switching method and device for uplink port in multi-form network
CN110048986B (en) * 2018-01-15 2022-02-25 中兴通讯股份有限公司 Method and device for ensuring ring network protocol operation safety

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588304A (en) * 2009-06-30 2009-11-25 杭州华三通信技术有限公司 Implementation method of VRRP
CN102326370A (en) * 2011-08-05 2012-01-18 华为技术有限公司 Message processing method, apparatus and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100352240C (en) * 2005-05-19 2007-11-28 杭州华三通信技术有限公司 Method for controlling number of Layer2 Ethernet ring equipment MAC address learning

Also Published As

Publication number Publication date
CN104883337B (en) 2019-05-07
CN104883337A (en) 2015-09-02

Similar Documents

Publication Publication Date Title
EP3525405B1 (en) Packet sending method and network device
US7233991B2 (en) Self-healing tree network
JP4020753B2 (en) Ring switching method
US8416696B2 (en) CFM for conflicting MAC address notification
US8411690B2 (en) Preventing data traffic connectivity between endpoints of a network segment
EP2533475B1 (en) Method and system for host route reachability in packet transport network access ring
GB2581929A (en) Virtual converged cable access platform (CCAP) core
EP1994694A2 (en) System and method for preventing loops in the presence of control plane failures
US8331241B2 (en) Routing control method, communication apparatus and communication system
US9800521B2 (en) Network switching systems and methods
KR20100022008A (en) An ethernet protection switching system
CN103684953A (en) Method and device for avoiding data traffic loss in an Ethernet ring multihomed, in an active-standby manner, to a virtual private LAN service transport network
US9515881B2 (en) Method, device, and system for packet processing
CN105490937B (en) Ether virtual network gateway switching method and service provider's edge node devices
WO2015127735A1 (en) Method and apparatus for implementing ring network user security
JP5678678B2 (en) Provider network and provider edge device
WO2019001197A1 (en) Link switching method and apparatus
WO2018090210A1 (en) Service packet transmission method, and node apparatus
CN102209035B (en) Traffic forwarding method and devices
WO2012126412A2 (en) Method, network device and system for ethernet ring protection switching
US8670299B1 (en) Enhanced service status detection and fault isolation within layer two networks
JP2005110253A (en) Method and apparatus for preventing spanning tree loop during traffic overload condition
CN104702498A (en) Method and device for reducing the number of optical connections through coordination protection
US9065756B2 (en) System and method for providing fast and efficient flushing of a forwarding database in a network processor
US10075369B2 (en) Systems and methods for improved switch performance by preventing flooding

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14883971

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14883971

Country of ref document: EP

Kind code of ref document: A1