WO2015158113A1 - Method, device and system for packet forwarding across virtual local area networks - Google Patents
Method, device and system for packet forwarding across virtual local area networks
- Publication number
- WO2015158113A1 (PCT/CN2014/087475)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vlan
- data packet
- virtual bridge
- forwarding
- tag
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
Definitions
- The present invention relates to the field of data communications, and in particular to a packet forwarding method, device and system across virtual local area networks.
- Existing techniques for cross-VLAN Layer 2 forwarding include configuring trunk permit, SUPERVLAN, and implementations based on the IGMP Snooping protocol. When trunk permit is used, forwarding is configured between one pair of VLANs at a time, so every pair of VLANs must be configured; the configuration is complex, and a change in the network topology requires a large amount of reconfiguration.
- The present invention provides a method, device and system for forwarding packets across VLANs to solve the above problems.
- A packet forwarding system across virtual local area networks (VLANs) is provided, including one or more virtual bridges, one or more forwarding VLANs and a plurality of external VLANs; each virtual bridge is configured with one forwarding VLAN and a plurality of external VLANs, the external VLANs in the same virtual bridge can forward to one another across VLANs, each forwarding VLAN belongs to only one virtual bridge, and each external VLAN also belongs to only one virtual bridge.
- When the system includes a plurality of virtual bridges, the virtual bridges cannot communicate with each other.
- The virtual bridge includes: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
- The virtual bridge further includes: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to the inbound interface of the data packet.
- A packet forwarding device located in a virtual bridge includes: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN of the virtual bridge; and a forwarding module, configured to forward the modified data packet within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
- The device further includes: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- A method for forwarding packets across VLANs includes: the virtual bridge receives a data packet sent by its first external VLAN; the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; the modified data packet is forwarded within the forwarding VLAN of the virtual bridge and, when it leaves the virtual bridge, its destination VLAN TAG is replaced with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface, and it is then forwarded from that outbound interface.
- The method further includes: determining whether the received data packet is an untagged packet and, if so, adding to it the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- The method further includes: the virtual bridge determines whether Media Access Control (MAC) layer address learning is required and, if so, performs MAC address learning.
- Forwarding the data packet modified by the modifying module within the forwarding VLAN of the virtual bridge includes: querying the Address Resolution Protocol (ARP) entries of the virtual bridge to look up the outbound interface of the data packet; if the outbound interface is found, using it as the outbound interface of the data packet; otherwise, querying the virtual bridge configuration and using the outbound interfaces corresponding to all external VLANs of the virtual bridge as the outbound interfaces of the data packet.
- The VLANs that need to communicate are configured as external VLANs of the same virtual bridge. The configuration method is simple, reconfiguration is easy when the network topology changes, the complex configuration of cross-VLAN Layer 2 forwarding in the related art is resolved, and the cross-VLAN Layer 2 forwarding requirement of a firewall in transparent mode is met.
- FIG. 1 is a schematic structural diagram of a packet forwarding system across VLANs according to an embodiment of the present invention.
- FIG. 2 is a schematic structural diagram of a message forwarding system according to an example of an embodiment of the present invention.
- FIG. 3 is a schematic structural diagram of a message forwarding device across VLANs according to an embodiment of the present invention.
- FIG. 4 is a flowchart of a packet forwarding method across VLANs according to an embodiment of the present invention.
- FIG. 5 is a flowchart of a method for forwarding a message across VLANs according to an alternative embodiment of the present invention.
- the embodiment of the present invention provides a solution for implementing Layer 2 forwarding across VLANs through a virtual bridge.
- a cross-VLAN packet forwarding system is provided, and the system can be configured to perform Layer 2 forwarding across VLANs in a virtual bridge.
- FIG. 1 is a schematic structural diagram of a cross-VLAN packet forwarding system according to an embodiment of the present invention. As shown in FIG. 1, the system includes one or more virtual bridges 10 (two are shown), one or more forwarding VLANs 20 (two are shown) and a plurality of external VLANs 30 (five are shown); each virtual bridge 10 is configured with one forwarding VLAN 20 and a plurality of external VLANs 30, the external VLANs 30 in the same virtual bridge 10 can perform cross-VLAN Layer 2 forwarding among themselves, each forwarding VLAN 20 belongs to only one virtual bridge 10, and each external VLAN 30 also belongs to only one virtual bridge 10.
- The firewall may be configured with a plurality of virtual bridges 10. Each virtual bridge 10 may be configured with only one forwarding VLAN 20 but may have a plurality of external VLANs 30 added to it, and the external VLANs 30 in the same virtual bridge 10 can perform cross-VLAN Layer 2 forwarding. Each forwarding VLAN 20 may belong to only one virtual bridge 10, and each external VLAN 30 may belong to only one virtual bridge 10. In this way cross-VLAN Layer 2 forwarding is implemented very conveniently.
- If the system includes a plurality of virtual bridges, the external VLANs 30 of different virtual bridges cannot forward to each other across VLANs. Compared with the prior art, the absence of cross-VLAN Layer 2 forwarding between the external VLANs 30 of different virtual bridges achieves good VLAN isolation.
- The virtual bridge mainly handles the Layer 2 traffic forwarded across VLANs in firewall transparent mode. Data flows carry different VLAN TAGs when they enter the virtual bridge, but once inside, all of them are rewritten to the VLAN TAG of the virtual bridge's own local VLAN and are forwarded within that local VLAN as ordinary Layer 2 traffic; when traffic leaves the virtual bridge, the VLAN TAG is rewritten to the VLAN corresponding to the outbound interface. A plurality of virtual bridges may be established on the firewall, and the virtual bridges cannot communicate with each other. By configuring a plurality of virtual bridges, packet forwarding across VLANs and VLAN isolation are both achieved. In a specific implementation, the virtual bridge may include the cross-VLAN packet forwarding device shown in FIG. 3, which is described below.
- In the example of FIG. 2, the system has three virtual bridges, vbridge 1, vbridge 2 and vbridge 3: external vlan 1, vlan 2 and vlan 3 belong to vbridge 1, whose local vlan is vlan 10; external vlan 4, vlan 5 and vlan 6 belong to vbridge 2, whose local vlan is vlan 20; and external vlan 7, vlan 8 and vlan 9 belong to vbridge 3, whose local vlan is vlan 30. The nodes in the external vlans of each vbridge are on the same subnet and can communicate with each other; the nodes in the external vlans of different vbridges are not on the same subnet and cannot communicate with each other.
- The cross-VLAN packet forwarding system provided by the embodiment of the present invention is simple to configure, implements Layer 2 forwarding across VLANs while isolating different VLANs, and thus meets the various requirements of a firewall in transparent mode.
- FIG. 3 shows a cross-VLAN packet forwarding device according to an embodiment of the present invention.
- The device may be located in the virtual bridge 10 of the above system.
- The cross-VLAN packet forwarding device mainly includes: a receiving module 110, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module 120, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module 130, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
- The device may further include a determining module 140, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- The above device provided by the embodiment of the present invention implements cross-VLAN Layer 2 traffic forwarding in firewall transparent mode and is convenient to configure.
- A method for forwarding packets across VLANs is also provided, and the method may be implemented by the above system or device.
- FIG. 4 is a flowchart of a method for forwarding packets across VLANs according to an embodiment of the present invention. As shown in FIG. 4, the method mainly includes the following steps:
- Step S402: the virtual bridge receives a data packet sent by its first external VLAN.
- Step S404: the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge.
- In this step the virtual bridge may further determine whether the received data packet is an untagged packet and, if so, add to it the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- Step S406: the data packet modified by the modifying module is forwarded within the forwarding VLAN of the virtual bridge and, when it leaves the virtual bridge, its destination VLAN TAG is replaced with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface; the packet is then forwarded from that outbound interface.
- After the tag replacement the virtual bridge may also determine whether Media Access Control (MAC) layer address learning is required and, if so, perform MAC address learning, which facilitates forwarding of subsequent data packets.
- When forwarding within the forwarding VLAN, the configuration entries of the virtual bridge may be queried to look up the outbound interface of the data packet; if the outbound interface is found, it is used as the outbound interface of the data packet; otherwise, the virtual bridge configuration is queried and the outbound interfaces corresponding to all external VLANs of the virtual bridge are used as the outbound interfaces, that is, the data packet is broadcast on all external VLANs of the virtual bridge.
- FIG. 5 is a flowchart of the data packet forwarding performed by a virtual bridge according to an optional implementation of the present invention. As shown in FIG. 5, the method mainly includes the following steps:
- Step S501: the virtual bridge receives a data packet.
- Step S502: it is determined whether the data packet is untagged. If yes, step S503 is performed; otherwise, step S504 is performed.
- Step S503: a tag is added to the packet according to the inbound interface, that is, the VLAN TAG of the external VLAN corresponding to the inbound interface.
- Step S504: the virtual bridge configuration is queried, and the VLAN TAG of the packet's external vlan is replaced with the VLAN TAG of the forwarding vlan.
- Step S505: it is determined whether MAC address learning needs to be performed. If yes, step S506 is performed; otherwise, step S507 is performed.
- Step S506: MAC address learning is performed.
- Step S507: the Address Resolution Protocol (ARP) entries of the virtual bridge are queried to determine whether the outbound interface of the data packet can be found. If yes, step S508 is performed; otherwise, step S510 is performed.
- Step S508: the forwarding vlan tag of the data packet is replaced with the vlan tag of the vlan to which the outbound interface belongs.
- Step S509: the packet is forwarded and the process ends.
- Step S510: the virtual bridge configuration is queried, and the data packet is broadcast in all external vlans of the virtual bridge.
- Step S511: the virtual bridge configuration is queried, and the forwarding vlan tags in the data packets are replaced in turn with the corresponding external vlan tags.
- Step S512: the data packets are forwarded in turn, and the process ends.
- The modules or steps of the present invention described above can be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device and, in some cases, the steps shown or described may be performed in an order different from that given here; or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
- The invention is not limited to any specific combination of hardware and software.
- The above embodiments and preferred implementations solve the complex configuration problem of cross-VLAN Layer 2 forwarding in the related art and meet the cross-VLAN Layer 2 forwarding requirement of a firewall in transparent mode.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention discloses a packet forwarding method, device and system across virtual local area networks. The system includes one or more virtual bridges, one or more forwarding VLANs and a plurality of external VLANs; each virtual bridge is configured with one forwarding VLAN and a plurality of external VLANs, cross-VLAN Layer 2 forwarding is possible among the external VLANs of the same virtual bridge, each forwarding VLAN belongs to only one virtual bridge, and each external VLAN also belongs to only one virtual bridge.
Description
The present invention relates to the field of data communications, and in particular to a packet forwarding method, device and system across virtual local area networks.
Existing techniques for cross-VLAN (Virtual Local Area Network) Layer 2 forwarding mainly include configuring trunk permit, SUPERVLAN, and implementations based on the IGMP Snooping protocol. Where other vendors implement cross-VLAN Layer 2 forwarding by configuring trunk permit, the mechanism mainly addresses packet forwarding between one pair of VLANs: every pair of VLANs must be configured, the configuration is complex, and once the network topology changes a large amount of reconfiguration is required.
No effective solution has yet been proposed for the complex configuration that cross-VLAN Layer 2 forwarding requires in the related art.
Summary of the invention
To address the complex configuration of cross-VLAN Layer 2 forwarding in the related art, the present invention provides a cross-VLAN packet forwarding method, device and system that at least solve the above problem.
According to one aspect of the present invention, a packet forwarding system across virtual local area networks (VLANs) is provided, including: one or more virtual bridges, one or more forwarding VLANs and a plurality of external VLANs; each virtual bridge is configured with one forwarding VLAN and a plurality of external VLANs, cross-VLAN Layer 2 forwarding is possible among the external VLANs of the same virtual bridge, each forwarding VLAN belongs to only one virtual bridge, and each external VLAN also belongs to only one virtual bridge.
Preferably, when the system includes a plurality of virtual bridges, the virtual bridges cannot communicate with each other.
Preferably, the virtual bridge includes: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
Preferably, the virtual bridge further includes: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to the inbound interface of the data packet.
According to another aspect of the present invention, a packet forwarding device across VLANs is provided, located in a virtual bridge and including: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
Preferably, the device further includes: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
According to yet another aspect of the present invention, a forwarding method across VLANs is provided, applied to the above system and including: the virtual bridge receives a data packet sent by its first external VLAN; the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; the data packet modified by the modifying module is forwarded within the forwarding VLAN local to the virtual bridge and, when it leaves the virtual bridge, its destination VLAN TAG is replaced with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface, and it is then forwarded from that outbound interface.
Preferably, after the virtual bridge receives the data packet sent by its first external VLAN, the method further includes: determining whether the received data packet is an untagged packet and, if so, adding to it the VLAN TAG of the first external VLAN corresponding to its inbound interface.
Preferably, after the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge, the method further includes: the virtual bridge determines whether Media Access Control (MAC) layer address learning is required and, if so, performs MAC address learning.
Preferably, forwarding the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge includes: querying the Address Resolution Protocol (ARP) entries of the virtual bridge to look up the outbound interface of the data packet; if the outbound interface is found, using the found interface as the outbound interface of the data packet; otherwise, querying the virtual bridge configuration and using the outbound interfaces corresponding to all external VLANs of the virtual bridge as the outbound interfaces of the data packet.
With the present invention, the VLANs that need to communicate are configured as external VLANs of the same virtual bridge. The configuration method is simple, reconfiguration is easy when the network topology changes, the complex configuration of cross-VLAN Layer 2 forwarding in the related art is resolved, and the cross-VLAN Layer 2 forwarding requirement of a firewall in transparent mode is met.
The accompanying drawings described here provide a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a schematic structural diagram of a cross-VLAN packet forwarding system according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a packet forwarding system according to one example of an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a cross-VLAN packet forwarding device according to an embodiment of the present invention;
FIG. 4 is a flowchart of a cross-VLAN packet forwarding method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a cross-VLAN packet forwarding method according to an optional implementation of an embodiment of the present invention.
The present invention is described in detail below with reference to the drawings and in combination with the embodiments. Note that, where there is no conflict, the embodiments of this application and the features of the embodiments may be combined with each other.
For cross-VLAN Layer 2 forwarding in firewall transparent mode, the embodiments of the present invention provide a solution in which Layer 2 forwarding across VLANs is implemented through a virtual bridge.
According to an embodiment of the present invention, a cross-VLAN packet forwarding system is provided; the system may be arranged in a virtual bridge to perform Layer 2 forwarding across VLANs.
FIG. 1 is a schematic structural diagram of a cross-VLAN packet forwarding system according to an embodiment of the present invention. As shown in FIG. 1, the system includes one or more virtual bridges 10 (two are shown), one or more forwarding VLANs 20 (two are shown) and a plurality of external VLANs 30 (five are shown); each virtual bridge 10 is configured with one forwarding VLAN 20 and a plurality of external VLANs 30, cross-VLAN Layer 2 forwarding is possible among the external VLANs 30 of the same virtual bridge 10, each forwarding VLAN 20 belongs to only one virtual bridge 10, and each external VLAN 30 also belongs to only one virtual bridge 10.
In the embodiment of the present invention, a firewall may be configured with a plurality of virtual bridges 10. Each virtual bridge 10 may be configured with only one forwarding VLAN 20 but may have a plurality of external VLANs 30 added to it, and the external VLANs 30 in the same virtual bridge 10 can perform cross-VLAN Layer 2 forwarding. Each forwarding VLAN 20 may belong to only one virtual bridge 10, and each external VLAN 30 may likewise belong to only one virtual bridge 10. In this way cross-VLAN Layer 2 forwarding is implemented very conveniently.
In the embodiment of the present invention, if the system includes a plurality of virtual bridges, the external VLANs 30 of different virtual bridges cannot perform cross-VLAN Layer 2 forwarding. Compared with the prior art, the absence of cross-VLAN Layer 2 forwarding between the external VLANs 30 of different virtual bridges achieves good VLAN isolation.
In the above system of the embodiment, the virtual bridge mainly handles the Layer 2 traffic forwarded across VLANs in firewall transparent mode. Data flows carry different VLAN TAGs when they enter the virtual bridge, but once inside, all of them are rewritten to the VLAN TAG of the virtual bridge's own local VLAN and are then forwarded within that local VLAN as ordinary Layer 2 traffic; when traffic leaves the virtual bridge, the VLAN TAG is rewritten to the VLAN corresponding to the outbound interface. A plurality of virtual bridges may be established on the firewall, and the virtual bridges cannot communicate with each other. By configuring a plurality of virtual bridges, packet forwarding across VLANs and VLAN isolation are both achieved. In a specific implementation, the virtual bridge may include the cross-VLAN packet forwarding device shown in FIG. 3, which is described below.
For a better understanding, the system provided by the embodiment is illustrated by a specific example. As shown in FIG. 2, the system in this example has three virtual bridges, vbridge 1, vbridge 2 and vbridge 3: external vlan 1, vlan 2 and vlan 3 belong to vbridge 1, whose local vlan is vlan 10; external vlan 4, vlan 5 and vlan 6 belong to vbridge 2, whose local vlan is vlan 20; and external vlan 7, vlan 8 and vlan 9 belong to vbridge 3, whose local vlan is vlan 30. The nodes in the external vlans of each vbridge are on the same subnet and can communicate with each other; the nodes in the external vlans of different vbridges are not on the same subnet and cannot communicate with each other.
The specific configuration is as follows:
ZXR10(config)#vbridge 1
ZXR10(config-vbridge)#native-vlan 10
ZXR10(config-vbridge)#forward-vlan 1-3
ZXR10(config-vbridge)#ex
ZXR10(config)#vbridge 2
ZXR10(config-vbridge)#native-vlan 20
ZXR10(config-vbridge)#forward-vlan 4-6
ZXR10(config-vbridge)#ex
ZXR10(config)#vbridge 3
ZXR10(config-vbridge)#native-vlan 30
ZXR10(config-vbridge)#forward-vlan 7-9
ZXR10(config-vbridge)#ex
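Note the CLI naming in the configuration above: 'native-vlan' carries the VLAN that the description calls the forwarding (local) VLAN, and 'forward-vlan' lists the external VLANs. The following is an added example, not part of the patent and not ZXR10 software: it parses configuration written in this style and checks the two membership rules of claim 1 (a forwarding VLAN belongs to exactly one virtual bridge, and so does an external VLAN), because a VLAN shared by two virtual bridges is precisely the overlap that would undo the isolation the text relies on. The sample configuration is constructed (prompts omitted) and deliberately repeats vlan 5 in vbridge 3; all function names are assumptions.

```python
import re

# Constructed sample in the ZXR10 style of the configuration above (prompts omitted);
# vbridge 3 deliberately reuses vlan 5, which is already an external VLAN of vbridge 2.
SAMPLE_CONFIG = """\
vbridge 1
 native-vlan 10
 forward-vlan 1-3
 ex
vbridge 2
 native-vlan 20
 forward-vlan 4-6
 ex
vbridge 3
 native-vlan 30
 forward-vlan 5,7-9
 ex
"""


def expand_vlans(spec):
    """'1-3,7' -> {1, 2, 3, 7}; rejects anything outside the 802.1Q VID range 1..4094."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vids.update(range(lo, hi + 1))
    return vids


def parse_vbridges(text):
    """Return {vbridge name: {"native": forwarding VID or None, "forward": set of external VIDs}}.

    CLI naming: 'native-vlan' is the forwarding (local) VLAN of the description,
    'forward-vlan' lists the external VLANs (assumed from the configuration shown above).
    """
    bridges, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vbridge\s+(\S+)", line):
            cur = bridges.setdefault(m.group(1), {"native": None, "forward": set()})
        elif m := re.fullmatch(r"(native-vlan|forward-vlan)\s+(\S+)", line):
            if cur is None:
                raise ValueError(f"{line!r} appears outside a vbridge block")
            if m.group(1) == "native-vlan":
                cur["native"] = int(m.group(2))
            else:
                cur["forward"] |= expand_vlans(m.group(2))
        # 'ex' and any other line is ignored
    return bridges


def check_isolation(bridges):
    """List every violation of the two membership rules of claim 1: a forwarding VLAN
    belongs to exactly one virtual bridge, and so does an external VLAN. A VLAN owned by
    two bridges would let their traffic mix and defeat the isolation between them."""
    problems, native_owner, external_owner = [], {}, {}
    for name, cfg in bridges.items():
        vid = cfg["native"]
        if vid is None:
            problems.append(f"vbridge {name}: no native (forwarding) VLAN configured")
        elif vid in native_owner:
            problems.append(f"vlan {vid}: forwarding VLAN of both vbridge {native_owner[vid]} and vbridge {name}")
        else:
            native_owner[vid] = name
        for vid in sorted(cfg["forward"]):
            if vid in external_owner:
                problems.append(f"vlan {vid}: external VLAN of both vbridge {external_owner[vid]} and vbridge {name}")
            else:
                external_owner[vid] = name
    return problems


if __name__ == "__main__":
    for problem in check_isolation(parse_vbridges(SAMPLE_CONFIG)) or ["configuration is consistent"]:
        print(problem)
```

Run against a saved configuration before applying it; an empty result means every VLAN has exactly one owning virtual bridge.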
The cross-VLAN packet forwarding system provided by the embodiment of the present invention is simple to configure, implements Layer 2 forwarding across VLANs while isolating different VLANs, and meets the various requirements of a firewall in transparent mode.
FIG. 3 shows a cross-VLAN packet forwarding device according to an embodiment of the present invention; the device may be located in a virtual bridge 10 of the above system.
As shown in FIG. 3, the cross-VLAN packet forwarding device according to the embodiment mainly includes: a receiving module 110, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module 120, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module 130, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
In an optional implementation of the embodiment, as shown in FIG. 3, the device may further include a determining module 140, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
The above device provided by the embodiment of the present invention implements cross-VLAN Layer 2 traffic forwarding in firewall transparent mode and is convenient to configure.
According to an embodiment of the present invention, a forwarding method across VLANs is also provided; the method may be implemented by the above system or device.
FIG. 4 is a flowchart of the cross-VLAN packet forwarding method according to an embodiment of the present invention. As shown in FIG. 4, the method mainly includes the following steps:
Step S402: the virtual bridge receives a data packet sent by its first external VLAN.
Step S404: the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge.
In this step, after receiving the data packet, the virtual bridge may further determine whether the received data packet is an untagged packet and, if so, add to it the VLAN TAG of the first external VLAN corresponding to its inbound interface.
Step S406: the data packet modified by the modifying module is forwarded within the forwarding VLAN local to the virtual bridge and, when it leaves the virtual bridge, its destination VLAN TAG is replaced with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface; it is then forwarded from that outbound interface.
In an optional implementation of the embodiment, after the virtual bridge replaces the destination VLAN TAG of the data packet with the VLAN TAG of its local forwarding VLAN, the virtual bridge may also determine whether Media Access Control (MAC) layer address learning is required and, if so, perform MAC address learning, which facilitates forwarding of subsequent data packets.
In an optional implementation of the embodiment, when forwarding the modified data packet within the forwarding VLAN local to the virtual bridge, the configuration entries of the virtual bridge may be queried to look up the outbound interface of the data packet; if the outbound interface is found, the found interface is used as the outbound interface of the data packet; otherwise, the virtual bridge configuration is queried and the outbound interfaces corresponding to all external VLANs of the virtual bridge are used as the outbound interfaces of the data packet, that is, the data packet is broadcast on all external VLANs of this virtual bridge.
FIG. 5 is a flowchart of the data packet forwarding performed by the virtual bridge in an optional implementation of the embodiment. As shown in FIG. 5, it mainly includes the following steps:
Step S501: the virtual bridge receives a data packet.
Step S502: determine whether the data packet is untagged; if yes, perform step S503, otherwise perform step S504.
Step S503: add a tag to the packet according to the inbound interface, that is, the VLAN TAG of the external VLAN corresponding to the inbound interface.
Step S504: query the virtual bridge configuration and replace the VLAN TAG of the packet's external vlan with the VLAN TAG of the forwarding vlan.
Step S505: determine whether MAC address learning is required; if yes, perform step S506, otherwise perform step S507.
Step S506: perform MAC address learning.
Step S507: query the Address Resolution Protocol (ARP) entries of the virtual bridge and determine whether the outbound interface of the data packet can be found; if yes, perform step S508, otherwise perform step S510.
Step S508: replace the forwarding vlan tag of the data packet with the vlan tag of the vlan to which the outbound interface belongs.
Step S509: forward the packet; end.
Step S510: query the virtual bridge configuration and broadcast the data packet in all external vlans of this virtual bridge.
Step S511: query the virtual bridge configuration and replace the forwarding vlan tags in the data packets in turn with the corresponding external vlan tags.
Step S512: forward the data packets in turn; end.
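The forwarding flow of steps S501 to S512 (also restated in the Definitions section above), modelled in Python as an added example that is not part of the patent or of any ZXR10 implementation. It works on raw Ethernet frame bytes so that the 802.1Q tag insertion and VID rewrite are visible at the byte level, and it keeps two virtual bridges side by side to show that a frame never crosses from one to the other. Interface names, MAC addresses and the topology are constructed; the outbound-interface lookup uses the table that MAC learning (step S506) populates, where the text speaks of the virtual bridge's ARP entries; frames whose tag does not match the external VLAN of the ingress interface are dropped, and flooding skips the ingress interface, both of which are assumptions the text does not state.

```python
import struct

TPID_8021Q = 0x8100


def vid_of(frame):
    """Return the 802.1Q VID of a frame, or None if the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def add_tag(frame, vid):
    """Insert an 802.1Q header (PCP 0, DEI 0) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def set_vid(frame, vid):
    """Rewrite the VID of a tagged frame, keeping its PCP/DEI bits."""
    tci = (struct.unpack("!H", frame[14:16])[0] & 0xF000) | (vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


class VirtualBridge:
    """One virtual bridge: a single forwarding (local) VLAN plus its external VLANs.
    port_vlan maps each interface of the bridge to the external VLAN it belongs to
    (the 'external VLAN corresponding to the inbound/outbound interface' of the text)."""

    def __init__(self, name, forwarding_vlan, port_vlan):
        self.name = name
        self.forwarding_vlan = forwarding_vlan
        self.port_vlan = dict(port_vlan)
        self.mac_table = {}  # source MAC -> interface, learned in the forwarding VLAN (S506)

    def forward(self, in_port, frame):
        """Steps S501-S512 for one frame; returns the (out_port, frame) pairs to transmit."""
        if in_port not in self.port_vlan:
            return []                                    # not an interface of this bridge
        vid = vid_of(frame)
        if vid is None:                                  # S502/S503: untagged frame gets the
            vid = self.port_vlan[in_port]                # tag of the ingress external VLAN
            frame = add_tag(frame, vid)
        elif vid != self.port_vlan[in_port]:
            return []  # assumption: a tag other than the ingress external VLAN is dropped
        frame = set_vid(frame, self.forwarding_vlan)     # S504: external tag -> forwarding tag
        dst, src = frame[0:6], frame[6:12]
        if not src[0] & 1:                               # S505/S506: learn unicast sources
            self.mac_table[src] = in_port
        out_port = self.mac_table.get(dst)               # S507: look up the outbound interface
        if out_port is not None and out_port != in_port:
            # S508/S509: forwarding tag -> tag of the outbound interface's external VLAN
            return [(out_port, set_vid(frame, self.port_vlan[out_port]))]
        # S510-S512: flood to every external VLAN of this bridge, one tag rewrite per
        # interface; the ingress interface is skipped (ordinary bridging, assumed here)
        return [(p, set_vid(frame, v)) for p, v in self.port_vlan.items() if p != in_port]


class TransparentFirewall:
    """Several virtual bridges; a frame is only ever handled by the bridge owning its port."""

    def __init__(self, bridges):
        self.by_port = {p: b for b in bridges for p in b.port_vlan}

    def dispatch(self, in_port, frame):
        bridge = self.by_port.get(in_port)
        return bridge.forward(in_port, frame) if bridge else []


def make_frame(dst, src, vid=None):
    """Constructed sample frame: IPv4 EtherType and a dummy 46-byte payload."""
    frame = dst + src + b"\x08\x00" + bytes(46)
    return add_tag(frame, vid) if vid is not None else frame


# Constructed topology after FIG. 2, one interface per external VLAN (names assumed):
# vbridge 1 = vlan 1-3 over local vlan 10, vbridge 2 = vlan 4-6 over local vlan 20.
FW = TransparentFirewall([
    VirtualBridge("vbridge1", 10, {"gei1": 1, "gei2": 2, "gei3": 3}),
    VirtualBridge("vbridge2", 20, {"gei4": 4, "gei5": 5, "gei6": 6}),
])
HOST_A = bytes.fromhex("020000000001")  # constructed, locally administered MACs
HOST_B = bytes.fromhex("020000000002")


def demo():
    """A's first frame floods inside vbridge 1 only; B's untagged reply is unicast back
    with A's tag; a frame entering vbridge 2 never reaches a vbridge 1 interface."""
    flood = FW.dispatch("gei1", make_frame(HOST_B, HOST_A, vid=1))
    reply = FW.dispatch("gei2", make_frame(HOST_A, HOST_B))
    other = FW.dispatch("gei4", make_frame(HOST_A, HOST_B, vid=4))
    return flood, reply, other


def egress(results):
    """(interface, VID) of each transmitted frame, for inspection."""
    return sorted((p, vid_of(f)) for p, f in results)


if __name__ == "__main__":
    flood, reply, other = demo()
    print("flood:", egress(flood))            # [('gei2', 2), ('gei3', 3)]
    print("reply:", egress(reply))            # [('gei1', 1)]
    print("vbridge 2 flood:", egress(other))  # [('gei5', 5), ('gei6', 6)]
```

The tag a frame leaves with is decided purely by the outbound interface's external VLAN, never by the tag it arrived with, which is the property that keeps hosts in one virtual bridge from injecting traffic into another by choosing their own 802.1Q tag.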
From the above description it can be seen that, with the technical solution provided by the embodiments of the present invention, configuring one or more virtual bridges achieves both packet forwarding across VLANs and VLAN isolation.
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed across a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device and, in some cases, the steps shown or described may be performed in an order different from that given here; or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The present invention is therefore not limited to any specific combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in its scope of protection.
As described above, the above embodiments and preferred implementations solve the complex configuration problem of cross-VLAN Layer 2 forwarding in the related art and meet the cross-VLAN Layer 2 forwarding requirement of a firewall in transparent mode.
Claims (10)
- A packet forwarding system across virtual local area networks (VLANs), including: one or more virtual bridges, one or more forwarding VLANs and a plurality of external VLANs; wherein each virtual bridge is configured with one forwarding VLAN and a plurality of external VLANs, cross-VLAN Layer 2 forwarding is possible among the external VLANs of the same virtual bridge, each forwarding VLAN belongs to only one virtual bridge, and each external VLAN also belongs to only one virtual bridge.
- The system of claim 1, wherein, when the system includes a plurality of virtual bridges, the virtual bridges cannot communicate with each other.
- The system of claim 1 or 2, wherein the virtual bridge includes: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
- The system of claim 3, wherein the virtual bridge further includes: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- A packet forwarding device across virtual local area networks (VLANs), located in a virtual bridge and including: a receiving module, configured to receive a data packet sent by a first external VLAN of the virtual bridge; a modifying module, configured to replace the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; and a forwarding module, configured to forward the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge and, when the data packet leaves the virtual bridge, to replace its destination VLAN TAG with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface and then forward it from that outbound interface.
- The device of claim 5, further including: a determining module, configured to determine whether the received data packet is an untagged packet and, if so, to add to the data packet the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- A forwarding method across virtual local area networks (VLANs), applied to the system of any one of claims 1 to 4, the method including: the virtual bridge receives a data packet sent by its first external VLAN; the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge; the data packet modified by the modifying module is forwarded within the forwarding VLAN local to the virtual bridge and, when it leaves the virtual bridge, its destination VLAN TAG is replaced with the VLAN TAG of the second external VLAN of the virtual bridge corresponding to the outbound interface, and it is then forwarded from that outbound interface.
- The method of claim 7, wherein, after the virtual bridge receives the data packet sent by its first external VLAN, the method further includes: determining whether the received data packet is an untagged packet and, if so, adding to it the VLAN TAG of the first external VLAN corresponding to its inbound interface.
- The method of claim 7, wherein, after the virtual bridge replaces the destination VLAN tag (TAG) of the data packet with the VLAN TAG of the forwarding VLAN local to the virtual bridge, the method further includes: the virtual bridge determines whether Media Access Control (MAC) layer address learning is required and, if so, performs MAC address learning.
- The method of any one of claims 7 to 9, wherein forwarding the data packet modified by the modifying module within the forwarding VLAN local to the virtual bridge includes: querying the Address Resolution Protocol (ARP) entries of the virtual bridge to look up the outbound interface of the data packet; if the outbound interface is found, using the found interface as the outbound interface of the data packet; otherwise, querying the virtual bridge configuration and using the outbound interfaces corresponding to all external VLANs of the virtual bridge as the outbound interfaces of the data packet.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410153765.9A CN105024901A (zh) | 2014-04-16 | 2014-04-16 | Method, device and system for packet forwarding across virtual local area networks |
CN201410153765.9 | 2014-04-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015158113A1 true WO2015158113A1 (zh) | 2015-10-22 |
Family
ID=54323451
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/087475 WO2015158113A1 (zh) | 2014-04-16 | 2014-09-25 | Method, device and system for packet forwarding across virtual local area networks |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105024901A (zh) |
WO (1) | WO2015158113A1 (zh) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10404648B2 (en) * | 2016-02-26 | 2019-09-03 | Nokia Of America Corporation | Addressing for customer premises LAN expansion |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100220726A1 (en) * | 2005-03-18 | 2010-09-02 | Cisco Technology Inc. | Source specific multicast layer 2 networking device and method |
CN102111459A (zh) * | 2009-12-28 | 2011-06-29 | 中兴通讯股份有限公司 | Call maintenance method and device during active/standby switchover of an IP voice device |
CN103209132A (zh) * | 2012-01-16 | 2013-07-17 | 华为技术有限公司 | Method, device and system for implementing multicast in a Transparent Interconnection of Lots of Links (TRILL) network |
CN103220224A (zh) * | 2013-04-18 | 2013-07-24 | 福建星网锐捷网络有限公司 | Packet forwarding processing method and apparatus, and network device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8238340B2 (en) * | 2009-03-06 | 2012-08-07 | Futurewei Technologies, Inc. | Transport multiplexer—mechanisms to force ethernet traffic from one domain to be switched in a different (external) domain |
CN103023779B (zh) * | 2012-08-13 | 2018-04-10 | 中兴通讯股份有限公司 | Data packet processing method and apparatus |
2014
- 2014-04-16 CN CN201410153765.9A patent/CN105024901A/zh not_active Withdrawn
- 2014-09-25 WO PCT/CN2014/087475 patent/WO2015158113A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN105024901A (zh) | 2015-11-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8098656B2 (en) | Method and apparatus for implementing L2 VPNs on an IP network | |
EP3070877B1 (en) | Evpn inter-subnet multicast forwarding | |
EP3065342B1 (en) | Update of mac routes in evpn single-active topology | |
US9860169B1 (en) | Neighbor resolution for remote EVPN hosts in IPV6 EVPN environment | |
CN106936777B (zh) | OpenFlow-based implementation method and system for a cloud computing distributed network | |
US10666459B1 (en) | System and method to facilitate interoperability between virtual private LAN service (VPLS) and ethernet virtual private network (EVPN) with all-active multi-homing | |
JP5862769B2 (ja) | Communication system, control device, communication method, and program | |
US8537816B2 (en) | Multicast VPN support for IP-VPN lite | |
WO2016198017A1 (zh) | Multicast address transmission method and device | |
EP3188422B1 (en) | Traffic black holing avoidance and fast convergence for active-active pbb-evpn redundancy | |
US10033539B1 (en) | Replicating multicast state information between multi-homed EVPN routing devices | |
US20150085862A1 (en) | Forwarding Multicast Data Packets | |
EP3528441B1 (en) | Message forwarding | |
WO2015196849A1 (zh) | Data packet processing method, service node and traffic diversion point | |
CN105812259A (zh) | Packet forwarding method and device | |
WO2013139159A1 (zh) | Method for forwarding packets in a network, and provider edge device | |
WO2018072732A1 (zh) | Information processing method and device, and computer storage medium | |
WO2018014767A1 (zh) | Information determination method and device, and storage medium | |
WO2022021818A1 (zh) | Data packet processing method and device, storage medium, and electronic device | |
CN105337884A (zh) | Method and device for implementing multi-level packet editing service control based on logical ports | |
US10033636B1 (en) | Ethernet segment aware MAC address learning | |
CN103795630A (zh) | Packet transmission method and device for a label switched network | |
WO2016034119A1 (zh) | System and method for PW access to L3VPN using an N:1 model | |
AU2021325836B2 (en) | Network service access and data routing based on assigned context | |
EP2670088B1 (en) | Trill network interconnection method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14889666 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 14889666 Country of ref document: EP Kind code of ref document: A1 |