WO2016150205A1 - Method, device and system for processing vxlan message - Google Patents


Info

Publication number: WO2016150205A1
Authority: WO, WIPO (PCT)
Prior art keywords: header, encapsulated, vni, packet, router
Application number: PCT/CN2015/097523
Other languages: French (fr), Chinese (zh)
Inventors: 查敏, 刘树成
Original Assignee: 华为技术有限公司
Application filed by: 华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks

Definitions

  • The present invention relates to communication technologies, and in particular to a method, device, and system for processing a virtual extensible local area network (VXLAN) message.
  • VXLAN can be applied in a data center so that virtual machines can migrate within an interconnected layer-3 network without changing their Internet Protocol (IP) address and media access control (MAC) address, which ensures business continuity.
  • The Internet Protocol Security (IPsec) protocol ensures secure communication over IP networks by using encrypted security services.
  • The Encapsulating Security Payload (ESP) protocol is a major protocol in the IPsec protocol. IPsec-ESP can be applied to communication scenarios between different data centers (DCs).
  • The first router belonging to DC1 can receive a VXLAN message sent by a virtual tunnel endpoint (VTEP) that belongs to DC1.
  • The first router performs IPsec-ESP encapsulation on the received VXLAN packet to obtain an IPsec-ESP packet.
  • The IPsec-ESP packet includes the encrypted VXLAN packet, the ESP header encapsulated outside the encrypted VXLAN packet, and the IP header encapsulated outside the ESP header.
  • the IP header includes a source IP address and a destination IP address, the source IP address is the IP address of the first router, and the destination IP address is the IP address of the second router.
  • the second router belongs to DC2.
  • the first router sends an IPsec-ESP packet to the second router.
  • the router located between the first router and the second router can forward the IPsec-ESP packet.
  • A router on the transmission path between the first router and the second router cannot detect the VXLAN packet included in the IPsec-ESP packet or the information related to VXLAN, such as the VXLAN network identifier (VNI), and therefore cannot perform service processing such as load sharing.
  • the embodiments of the present invention provide a method, an apparatus, and a system for processing a VXLAN message, which are helpful for a router between different data centers to obtain a VNI.
  • a method for processing a VXLAN message including:
  • the first router receives the VXLAN message sent by the VTEP, where the VXLAN message includes a VNI;
  • the first router obtains the encapsulated packet according to the VXLAN packet, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet, the encapsulated packet includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, and the VNI is encapsulated between the IP header and the ESP header;
  • the first router sends the encapsulated packet to the second router.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI.
  • the encapsulated packet further includes a User Datagram Protocol (UDP) header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP;
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • a method for processing a VXLAN message including:
  • the second router receives the encapsulated packet sent by the first router, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet from the VTEP, and the encapsulated packet includes an IP header, a VNI, an ESP header, and the encrypted VXLAN message, the VNI being encapsulated between the IP header and the ESP header;
  • the second router obtains the VNI from the encapsulated message.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI, and the second router obtaining the VNI from the encapsulated message includes:
  • the second router determines, according to the first identifier information included in the IP header, that the encapsulated packet includes the VNI;
  • the second router obtains the VNI from between the IP header and the ESP header.
  • the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN packet from the VTEP, and the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header.
  • the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI;
  • Obtaining, by the second router, the VNI from the encapsulated packet includes:
  • the second router obtains a UDP header encapsulated between the IP header and the VNI according to the first identifier information included in the IP header;
  • the second router determines that the encapsulated packet includes the VNI according to the second identifier information included in a UDP header encapsulated between the IP header and the VNI;
  • the second router obtains the VNI from between the IP header and the ESP header.
  • a first router including:
  • a receiving unit configured to receive a VXLAN message sent by the VTEP, where the VXLAN message includes VNI;
  • a processing unit configured to obtain an encapsulated packet according to the VXLAN packet, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet, the encapsulated packet includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, and the VNI is encapsulated between the IP header and the ESP header;
  • a sending unit configured to send the encapsulated packet to the second router.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI.
  • the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP;
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • a second router including:
  • a receiving unit configured to receive the encapsulated packet sent by the first router, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet from the VTEP, the encapsulated packet includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header;
  • a processing unit configured to obtain the VNI from the encapsulated message.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI;
  • the processing unit is specifically configured to determine, according to the first identifier information that is included in the IP header, that the encapsulated packet includes the VNI;
  • the processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
  • the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, and the UDP header
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header.
  • the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI;
  • the processing unit is configured to obtain, according to the first identifier information included in the IP header, a UDP header encapsulated between the IP header and the VNI;
  • the processing unit is configured to determine, according to the second identifier information that is included in a UDP header that is encapsulated between the IP header and the VNI, that the encapsulated packet includes the VNI;
  • the processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
  • a system for processing a VXLAN message including:
  • the first router provided by the foregoing third aspect or any possible implementation manner of the third aspect, and the second router provided by the foregoing fourth aspect or any possible implementation manner of the fourth aspect.
  • the first router performs IPsec-ESP encapsulation on the VXLAN packet sent by the VTEP to obtain the encapsulated packet.
  • the first router encapsulates the VNI included in the VXLAN message sent by the VTEP between the IP header and the ESP header included in the encapsulated packet.
  • the first router sends the encapsulated packet to the second router.
  • the second router obtains a VNI encapsulated between the IP header and the ESP header from the encapsulated packet. In this way, routers located between different data centers, such as the second router, can obtain the VNI from the received encapsulated message.
  • FIG. 1 is a flowchart of a method for processing a VXLAN message according to a first embodiment of the present invention
  • FIG. 2 is a flowchart of a method for processing a VXLAN message according to a second embodiment of the present invention
  • FIG. 3a is a schematic diagram of an encapsulated packet according to an embodiment of the present disclosure.
  • FIG. 3b is a schematic diagram of another encapsulated packet according to an embodiment of the present disclosure.
  • FIG. 4a is a schematic diagram of an encapsulated packet according to an embodiment of the present invention.
  • FIG. 4b is a schematic diagram of another encapsulated packet according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic diagram of an IP header included in an encapsulated packet according to an embodiment of the present disclosure
  • FIG. 6 is a schematic diagram of a UDP header included in an encapsulated packet according to an embodiment of the present disclosure
  • FIG. 7 is a schematic structural diagram of a first router according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a first router according to another embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of a second router according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of a second router according to another embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a system for processing a VXLAN packet according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for processing a VXLAN message according to a first embodiment of the present invention.
  • the first embodiment of the present invention describes a method for processing a VXLAN message from the perspective of the first router.
  • The first router may be a provider edge (PE) device.
  • The first router receives the VXLAN packet sent by the VTEP, where the VXLAN packet includes a VNI.
  • the first router may belong to DC1.
  • The VTEP in DC1 can perform VXLAN encapsulation on the service packets sent by a virtual machine (VM) to obtain VXLAN packets.
  • the VXLAN message obtained by the VTEP in DC1 includes the VNI.
  • the VXLAN message obtained by the VTEP in DC1 needs to be sent to a VM in another DC, such as a VM in DC2.
  • the first router can receive the VXLAN message sent by the VTEP in DC1.
  • VNI can be used to distinguish between different VXLANs. For example: a VNI can be used to identify a tenant.
  • The first router obtains the encapsulated packet according to the VXLAN packet, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet, the encapsulated packet includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, and the VNI is encapsulated between the IP header and the ESP header.
  • The first router may insert the VNI included in the VXLAN message between the IP header and the ESP header included in the encapsulated packet.
  • The first router obtaining the encapsulated packet according to the VXLAN packet may include: the first router obtains the VNI from the VXLAN packet; the first router performs IPsec-ESP encapsulation on the VXLAN packet to obtain an IPsec-ESP encapsulated packet, where the IPsec-ESP encapsulated packet includes an encrypted VXLAN packet, an ESP header encapsulated outside the encrypted VXLAN packet, and an IP header encapsulated outside the ESP header; and the first router inserts the VNI between the IP header and the ESP header included in the IPsec-ESP encapsulated packet to obtain the encapsulated packet.
  • The encapsulated message may be the message shown in FIG. 3a or FIG. 3b. The packet shown in FIG. 3a is an encapsulated message sent in transport mode.
  • The IP header included in the message shown in FIG. 3a can adopt the structure shown in FIG. 5.
  • The packet shown in FIG. 3b is an encapsulated packet sent in tunnel mode.
  • the intranet IP header included in the packet shown in Figure 3b is the IP header included in the VXLAN packet sent by the VTEP to the first router.
  • the IP header included in the message shown in FIG. 3b can adopt the structure shown in FIG. 5.
  • The encrypted VXLAN message in FIG. 3a and FIG. 3b is the packet obtained after the VXLAN packet sent by the VTEP is encrypted. The content of the encrypted VXLAN packet is not described here.
  • Alternatively, the first router obtaining the encapsulated packet according to the VXLAN packet may include: the first router obtains the VNI from the VXLAN packet; the first router encrypts the VXLAN packet to obtain the encrypted VXLAN packet; and the first router encapsulates the ESP header, the VNI, and the IP header layer by layer outside the encrypted VXLAN message to obtain the encapsulated packet.
  • the encapsulated message may be the message shown in FIG. 3a or 3b.
  • the IP header that is included in the encapsulated packet may further include first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI.
  • Taking the IP header shown in FIG. 5 as an example, the first identifier information may be carried in the protocol number field in the IP header shown in FIG. 5.
  • The protocol number field in the IP header shown in FIG. 5 can be used to indicate the packet type after the IP header.
  • The protocol number field is defined as “ESP/VXLAN”, which is used to indicate that the packet type after the IP header is an ESP packet that encapsulates the VXLAN header.
  • the ESP packet encapsulating the VXLAN header may be a VXLAN header that includes the VNI in the ESP packet, or may be encapsulated in the ESP packet.
  • The first router may update the information included in the IP header after adding the VNI between the ESP header and the IP header. As shown in FIG. 5, the first router may update the protocol number field, the total length field, and the header checksum field in the IP header after the VNI is added between the ESP header and the IP header, so that the encapsulated message with the added VNI meets the format requirement.
  • the first router may obtain a VXLAN header from a VXLAN message from the VTEP, the VXLAN header including the VNI.
  • The first router encapsulates the VXLAN header included in the VXLAN packet between the IP header and the ESP header to obtain an encapsulated packet.
  • In this way, the first router does not need to identify and acquire the VNI from the VXLAN message from the VTEP, which helps to simplify the operation.
  • the method for obtaining the encapsulated packet including the VXLAN header by the first router is the same as the method for obtaining the encapsulated packet including the VNI, and is not described here.
  • the first router sends the encapsulated packet to the second router.
  • the second router is a router between different DCs.
  • the first router belongs to DC1
  • the third router belongs to DC2.
  • the encapsulated packet is a packet that needs to be sent by the first router of DC1 to the third router of DC2.
  • the second router is a router in a transport network between DC1 and DC2.
  • the destination IP address in the IP header included in the encapsulated packet is the IP address of the third router.
  • The destination IP address in the IP header included in the encapsulated packet is the destination address of the tunnel, and the destination address of the tunnel is the IP address of the third router.
  • The first correspondence may be pre-configured on the first router, where the first correspondence includes the VNI and the IP address of the third router.
  • the first router may obtain an IP address of the third router according to the first correspondence and the VNI.
  • the first router may use the IP address of the third router as the destination IP address included in the IP header in the encapsulated packet.
  • the second router may be pre-configured with a second correspondence, where the second correspondence includes address information and an IP address of the third router.
  • the address information may be any one or any combination of a source IP address, a destination IP address, a source MAC address, and a destination MAC address included in the VXLAN message sent by the VTEP.
  • After obtaining the encapsulated packet, the first router in DC1 sends the encapsulated packet to the third router in DC2 according to the destination IP address included in the IP header.
  • the destination IP address included in the IP header in the encapsulated packet is the IP address of the third router in DC2.
  • a second router is included between the first router in DC1 and the third router in DC2, that is, the path between the first router in DC1 and the third router in DC2 includes a second router.
  • the second router may be a router capable of obtaining the VNI carried by the encapsulated packet.
  • The first router in DC1 sends the encapsulated packet to the third router in DC2, and the encapsulated packet is forwarded to the second router along the path between the first router and the third router.
  • The first router obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header included in the encapsulated packet.
  • The first router sends the encapsulated packet to the second router, so that the second router can perform further service processing, such as load balancing, according to the VNI carried in the encapsulated packet, which helps to improve the efficiency of network operation.
  • another embodiment of the present invention provides a method for processing a VXLAN message.
  • the method provided by another embodiment of the present invention is different from the method provided by the first embodiment of the present invention in that the first router may also insert a UDP header included in the VXLAN message into the encapsulated packet.
  • S104 in the method provided by another embodiment of the present invention is different from S104 in the method provided by the first embodiment of the present invention, and the differences are described herein. For other content, refer to the corresponding content in the method provided by the first embodiment of the present invention.
  • The first router obtaining the encapsulated packet according to the VXLAN packet may include: the first router obtains the VNI and the UDP header from the VXLAN packet; the first router performs IPsec-ESP encapsulation on the VXLAN packet to obtain an IPsec-ESP encapsulated packet, where the IPsec-ESP encapsulated packet includes an encrypted VXLAN packet, an ESP header encapsulated outside the encrypted VXLAN packet, and an IP header encapsulated outside the ESP header; and the first router inserts the VNI and the UDP header between the IP header and the ESP header included in the IPsec-ESP encapsulated packet to obtain the encapsulated packet.
  • the encapsulated message may be the message shown in FIG. 4a or 4b.
  • The message shown in Figure 4a is an encapsulated message sent in transport mode.
  • the IP header included in the packet shown in FIG. 4a can adopt the structure shown in FIG. 5, and the UDP header included in the packet shown in FIG. 4a can adopt the structure shown in FIG. 6.
  • The packet shown in Figure 4b is an encapsulated packet sent in tunnel mode.
  • the intranet IP header included in the packet shown in Figure 4b is the IP header included in the VXLAN packet sent by the VTEP to the first router.
  • the IP header included in the packet shown in FIG. 4b can adopt the structure shown in FIG. 5, and the UDP header included in the packet shown in FIG. 4b can adopt the structure shown in FIG. 6.
  • The encrypted VXLAN packet in Figure 4a and Figure 4b is the packet obtained after the VXLAN packet sent by the VTEP is encrypted. The content of the encrypted VXLAN packet is not described here.
  • Alternatively, the first router obtaining the encapsulated packet according to the VXLAN packet may include: the first router obtains the VNI and the UDP header from the VXLAN packet; the first router encrypts the VXLAN packet to obtain the encrypted VXLAN packet; and the first router encapsulates the ESP header, the VNI, the UDP header, and the IP header layer by layer outside the encrypted VXLAN packet to obtain the encapsulated packet.
  • The encapsulated message may be the message shown in FIG. 4a or 4b.
  • The IP header included in the encapsulated packet may further include first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • Taking the IP header shown in FIG. 5 as an example, the first identifier information may be carried in the protocol number field in the IP header shown in FIG. 5.
  • The protocol number field in the IP header shown in FIG. 5 may be defined as UDP, which is used to indicate that the UDP header is carried after the IP header.
  • The first router may update the information included in the IP header after adding the VNI and the UDP header between the ESP header and the IP header.
  • Taking the IP header shown in FIG. 5 as an example, the first router may update the protocol number field, the total length field, and the header checksum field in the IP header after the VNI and the UDP header are added between the ESP header and the IP header, so that the encapsulated message carrying the VNI and the UDP header satisfies the format requirement.
  • the destination port number in the UDP header shown in FIG. 6 can be used to carry the second identifier information.
  • The destination port number in the UDP header shown in Figure 6 is the ESP/VXLAN port number; that is, the ESP/VXLAN port number is used to identify that the VNI is carried after the UDP header. If the UDP header is followed by a VXLAN header that contains the VNI, the destination port number in the UDP header shown in Figure 6 is the ESP/VXLAN port number; that is, the ESP/VXLAN port number is used to identify that an ESP message encapsulating the VXLAN header is carried after the UDP header.
  • The UDP header shown in FIG. 6 includes a UDP checksum field. If the “header checksum” is set in the IP header shown in Figure 5, the “UDP checksum” in the UDP header shown in FIG. 6 can be set to 0.
  • a plurality of paths may be included between the first router of DC1 and the third router of DC2.
  • Each of the plurality of paths may include one or more routers.
  • The source port number in the UDP header included in the encapsulated packet and the quintuple information included in the encapsulated packet may be used to determine, from the multiple paths, the path for forwarding the encapsulated packet.
  • a second embodiment of the present invention is a method for processing a VXLAN message according to an embodiment of the present invention.
  • The second router may be a provider (P) device. The method for processing a VXLAN message according to the second embodiment of the present invention will be specifically described below with reference to FIG. 2.
  • The second router receives the encapsulated packet sent by the first router, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet from the VTEP, the encapsulated packet includes the IP header, the VNI, the ESP header, and the encrypted VXLAN message, and the VNI is encapsulated between the IP header and the ESP header.
  • The second router is in a path between the first router of DC1 and the third router of DC2, and the second router receives the encapsulated packet sent by the first router to the third router. The encapsulated packet is the same as the encapsulated packet in the first embodiment of the present invention, and details are not described herein again.
  • The IP header that is included in the encapsulated packet further carries the first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI. If the encapsulated packet includes a VXLAN header encapsulated between the IP header and the ESP header, and the VXLAN header includes the VNI, the first identifier information may be used to identify that the encapsulated packet carries the VXLAN header.
  • the encapsulated packet received by the second router may be the packet shown in FIG. 3a or FIG. 3b, and details of the specific structure are not described herein.
  • the second router obtains the VNI from the encapsulated packet.
  • The second router obtaining the VNI from the encapsulated packet includes: the second router determines, according to the first identifier information carried in the IP header of the encapsulated packet, that the encapsulated packet carries the VNI; and the second router obtains the VNI carried by the encapsulated packet from after the IP header of the encapsulated packet.
  • the second router may perform service processing on the encapsulated packet by using the obtained VNI, for example, service processing such as QoS and load sharing.
  • VNI is used to distinguish between different VXLANs.
  • the second router may determine, by using the VNI, a tenant to which the VXLAN packet included in the encapsulated packet belongs.
  • the second router may store a mapping table between the VNI and the tenant.
  • the second router may perform a load sharing operation on the encapsulated packet according to the VNI carried in the encapsulated packet and the mapping relationship table, and details of the specific operation process are not described herein.
  • The VNI carried in the encapsulated packet is encapsulated between the IP header and the ESP header, so the second router can identify the VNI carried in the encapsulated packet after receiving the encapsulated packet.
  • the second router may obtain the VNI from the encapsulated message. In this way, the second router can use the obtained VNI for further service processing, which helps improve network operation efficiency.
  • another embodiment of the present invention provides a method for processing a VXLAN message.
  • The encapsulated packet received by the second router includes a VNI and a UDP header encapsulated between an IP header and an ESP header, or the encapsulated packet received by the second router includes a VXLAN header and a UDP header encapsulated between an IP header and an ESP header, the VXLAN header including the VNI.
  • The method provided by another embodiment of the present invention differs from the method provided by the second embodiment of the present invention in S204, and only the differences are described below. For the same content, refer to the corresponding content in the method provided by the second embodiment of the present invention.
  • The encapsulated packet received by the second router includes an IP header, a UDP header, a VNI, an ESP header, and an encrypted VXLAN message.
  • the encapsulated packet received by the second router may be the packet shown in FIG. 4a or FIG. 4b, and details of the specific structure are not described herein.
  • The IP header of the encapsulated packet may carry the first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header is the UDP header carried by the VXLAN packet sent by the VTEP to the first router.
  • the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • the VNI is usually carried in a VXLAN message sent by the VTEP to the first router, and if the encapsulated message includes a VXLAN header and a UDP header encapsulated in the IP header and the ESP header, The second identifier information may be used to identify that the encapsulated packet carries a VXLAN header.
  • the obtaining, by the second router, the VNI from the encapsulated packet includes: obtaining, by the second router, the IP header carried by the IP header from the IP header of the encapsulated packet And the second router obtains, according to the first identifier information, the UDP header that is included in the encapsulated packet and that is located after the IP header; and the second router according to the purpose of the UDP header
  • the port number is determined to be that the encapsulated packet carries the VNI; and the second router obtains the VNI after the UDP header of the encapsulated packet.
  • the second router may be encapsulated from the encapsulated packet.
  • the VXLAN header is obtained after the UDP header of the message, and the VNI is obtained from the VXLAN header.
  • the third router in the DC2 receives the encapsulated packet from the first router, that is, the encapsulated packet forwarded by the second router, and the third router can process the encapsulated packet to obtain the encapsulated packet. VXLAN message.
  • the third router may process the encapsulated packet, and obtaining the VXLAN packet includes: the third The router may remove the VNI encapsulated in the IP header and the ESP header included in the encapsulated packet; the third router updates the IP header in the packet obtained after removing the VNI, and obtains the VXLAN message.
  • the VXLAN packet is a packet that can be identified by the VTEP in DC2.
  • the third router updating the IP header in the packet obtained after removing the VNI may include: the third router updates the total length field, the protocol number field, and the header checksum field of the IP header in the packet obtained after removing the VNI, so that the VXLAN message can be identified and/or processed by the VTEP in DC2.
  • the third router processing the encapsulated packet to obtain a VXLAN packet may include: the third router removes the VNI and the UDP header encapsulated between the IP header and the ESP header included in the encapsulated packet; the third router updates the IP header in the packet obtained after removing the VNI and the UDP header, and obtains the VXLAN message.
  • the VXLAN packet is a packet that can be identified by the VTEP in DC2.
  • the third router updating the IP header in the packet obtained after removing the VNI and the UDP header may include: the third router updates the total length field, the protocol number field, and the header checksum field of the IP header in the packet obtained after removing the VNI and the UDP header, so that the VXLAN message can be identified and/or processed by the VTEP in DC2.
  • FIG. 7 is a schematic structural diagram of a first router according to an embodiment of the present invention.
  • the first router corresponding to FIG. 7 can perform the method provided by the embodiment corresponding to FIG. 1.
  • the first router corresponding to FIG. 7 may be the first router in the embodiment corresponding to FIG. 2.
  • the first router provided by the embodiment of the present invention includes a receiving unit 702, a processing unit 704, and a sending unit 706.
  • the receiving unit 702 is configured to receive a VXLAN message sent by the VTEP, where the VXLAN message includes a VNI.
  • the processing unit 704 is configured to obtain, according to the VXLAN packet, an encapsulated packet, where the encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet, the encapsulated packet includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, and the VNI is encapsulated between the IP header and the ESP header.
  • the sending unit 706 is configured to send the encapsulated packet to the second router.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated message carries the VNI.
  • the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is a UDP header included in the VXLAN packet from the VTEP.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • the processing unit obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header included in the encapsulated packet.
  • the sending unit sends the encapsulated packet to the second router, which helps the second router perform further service processing, such as load balancing, according to the VNI carried in the encapsulated packet, and helps improve the efficiency of network operation.
  • FIG. 8 is a schematic structural diagram of a first router according to another embodiment of the present invention.
  • the first router may perform the method provided by the embodiment corresponding to FIG. 1.
  • the first router may be the first router in the embodiment corresponding to FIG. 2.
  • the first router provided by the embodiment of the present invention includes a processor 801, a memory 802, an interface 803, and a bus 804.
  • the interface 803 can be implemented in a wireless or wired manner.
  • the interface 803 can be a network interface card (NIC) or another component for implementing communication.
  • the processor 801, the memory 802, and the interface 803 can be connected by the bus 804.
  • the memory 802 is for storing program code.
  • the program code can include an operating system program and an application.
  • the processor 801 performs the following operations in accordance with executable instructions included in a program read from the memory 802.
  • the processor 801 receives the VXLAN packet sent by the VTEP through the interface 803, where the VXLAN packet includes a VXLAN network identifier VNI, and the processor 801 obtains the encapsulated packet according to the VXLAN packet.
  • the encapsulated message is for the VXLAN
  • the processor 801 sends the encapsulated packet to the second router through the interface 803.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the VNI.
  • the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is a UDP header included in the VXLAN packet from the VTEP.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI.
  • the processor 801 obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header included in the encapsulated packet.
  • the processor 801 sends the encapsulated packet to the second router through the interface 803, which helps the second router perform further service processing, such as load sharing, according to the VNI carried in the encapsulated packet, and helps improve network operation efficiency.
  • FIG. 9 is a schematic structural diagram of a second router according to an embodiment of the present invention.
  • the second router shown in FIG. 9 can perform the method provided by the embodiment corresponding to FIG. 2.
  • the second router shown in FIG. 9 may be the second router in the embodiment corresponding to FIG. 1.
  • the second router provided by the embodiment of the present invention includes a receiving unit 902 and a processing unit 904.
  • the receiving unit 902 is configured to receive the encapsulated packet sent by the first router.
  • the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet from the VTEP, and the encapsulated packet includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet.
  • the VNI is encapsulated between the IP header and the ESP header.
  • the processing unit 904 is configured to obtain the VNI from the encapsulated message.
  • the processing unit 904 is specifically configured to determine, according to the first identifier information included in the IP header, that the encapsulated packet includes the VNI; and the processing unit 904 is specifically configured to obtain the VNI from between the IP header and the ESP header.
  • the UDP header is a UDP header included in the VXLAN packet from the VTEP.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI; the processing unit 904 is specifically configured to obtain, according to the first identifier information included in the IP header, the UDP header encapsulated between the IP header and the VNI; the processing unit 904 is specifically configured to determine, according to the second identifier information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated message includes the VNI; the processing unit 904 is specifically configured to obtain the VNI from between the
  • the VNI is encapsulated between the IP header and the ESP header, so after receiving the encapsulated packet the processing unit 904 can identify the VNI carried in the encapsulated packet.
  • the processing unit 904 can obtain the VNI from the encapsulated message. In this way, the second router can use the obtained VNI for further service processing, which helps improve network operation efficiency.
  • FIG. 10 is a schematic structural diagram of a second router according to another embodiment of the present invention.
  • the second router may perform the method provided by the embodiment corresponding to FIG. 2.
  • the second router may be the second router in the corresponding embodiment.
  • the second router provided by the embodiment of the present invention includes: a processor 1001, a memory 1002, an interface 1003, and a bus 1004.
  • the interface 1003 can be implemented by wireless or wired, such as a NIC or other component for implementing communication.
  • the processor 1001, the memory 1002, and the interface 1003 are connected by the bus 1004.
  • the memory 1002 is for storing program code.
  • the program code can include an operating system program and an application.
  • the processor 1001 performs the following operations in accordance with executable instructions included in a program read from the memory 1002.
  • the processor 1001 receives, by using the interface 1003, the encapsulated packet sent by the first router.
  • the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet from the VTEP, and the encapsulated packet includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet.
  • the VNI is encapsulated between the IP header and the ESP header; the processor 1001 obtains the VNI from the encapsulated message.
  • the processor 1001 determines, according to the first identifier information included in the IP header, that the encapsulated message includes the VNI; and the processor 1001 obtains the VNI from between the IP header and the ESP header.
  • the UDP header is a UDP header included in the VXLAN packet from the VTEP.
  • the IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, where the second identifier information is used to identify that the encapsulated packet carries the VNI, and the processor 1001 obtains the encapsulation according to the first identifier information included in the IP header.
  • the processor 1001 determines, according to the second identifier information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated message includes the VNI; the processor 1001 obtains the VNI from between the IP header and the ESP header.
  • the VNI is encapsulated between the IP header and the ESP header, so after receiving the encapsulated packet the processor 1001 can identify the VNI carried in the encapsulated packet.
  • the processor 1001 may obtain the VNI from the received encapsulated message. In this way, the second router can use the obtained VNI for further service processing, which helps improve network operation efficiency.
  • FIG. 11 is a schematic diagram of a system for processing a VXLAN message according to an embodiment of the present invention.
  • the system provided by the embodiment of the present invention may include the first router provided by the foregoing embodiment corresponding to FIG. 7 or FIG. 8 and the second router provided by the embodiment corresponding to FIG. 9 or FIG. 10; the first router and the second router are not described in detail again here.
  • aspects of the present invention, or possible implementations of various aspects may be embodied as a system, method, or computer program product.
  • aspects of the invention, or possible implementations of various aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, etc.), or an embodiment combining software and hardware aspects, all of which are collectively referred to herein as "circuits," "modules," or "systems."
  • aspects of the invention, or possible implementations of various aspects may take the form of a computer program product, which is a computer readable program code stored in a computer readable medium.
  • the computer readable medium can be a computer readable signal medium or a computer readable storage medium.
  • the computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, and portable compact disc read-only memory (CD-ROM).
  • the processor in the computer reads the computer readable program code stored in the computer readable medium, such that the processor is capable of performing the functional actions specified in each step, or combination of steps, of the flowchart, and of producing an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagram.
  • the computer readable program code can execute entirely on the user's local computer, partly on the user's local computer, as a separate software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that in some alternative implementations, the functions noted in the various steps in the flowcharts or in the blocks in the block diagrams may not occur in the order noted. For example, two steps, or two blocks, shown in succession may be executed substantially concurrently, or the blocks may be executed in the reverse order.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided are a method, device and system for processing a VXLAN message, which are helpful to a router between different data centres to obtain a VNI. In the method, a first router receives a VXLAN message sent by a VTEP, the VXLAN message comprising a VNI; the first router obtains an encapsulated message according to the VXLAN message, the encapsulated message being a message obtained after IPsec-ESP encapsulation is performed on the VXLAN message, and the encapsulated message comprising an IP header, the VNI, an ESP header and the encrypted VXLAN message, wherein the VNI is encapsulated between the IP header and the ESP header; and the first router sends the encapsulated message to a second router.
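The packet layout in the abstract (IP header, VNI, ESP header, encrypted VXLAN message) and the third router's removal of the VNI, with its update of the total length, protocol number and header checksum fields, are worked through in the following Python example. It is an added example, not code from the patent: using protocol number 253 as the first identifier information, the 4-byte VNI field, and resetting the protocol number to ESP (50) are assumptions, and the addresses and ciphertext are constructed sample values.

```python
import socket
import struct

ESP_PROTO = 50        # IANA protocol number for ESP
VNI_PROTO = 253       # ASSUMPTION: experimental protocol number standing in for the
                      # patent's "first identifier information"
VNI_LEN = 4           # ASSUMPTION: 24-bit VNI followed by 8 reserved bits
ESP_HDR_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rewrite_header(header: bytes, total_len: int, proto: int) -> bytes:
    """Update the total length, protocol number and header checksum fields."""
    h = bytearray(header)
    struct.pack_into("!H", h, 2, total_len)
    h[9] = proto
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def split_ipv4(packet: bytes):
    """Validate the IPv4 header and return (header, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated or inconsistent IPv4 packet")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if ipv4_checksum(zeroed) != struct.unpack_from("!H", header, 10)[0]:
        raise ValueError("bad IPv4 header checksum")
    return header, packet[ihl:total_len]


def build_esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Ordinary IPsec-ESP packet: IP header | ESP header | encrypted VXLAN message."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 0, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite_header(header, len(header) + len(esp), ESP_PROTO) + esp


def insert_vni(esp_packet: bytes, vni: int) -> bytes:
    """First router: encapsulate the VNI between the IP header and the ESP header."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    header, payload = split_ipv4(esp_packet)
    if header[9] != ESP_PROTO or len(payload) < ESP_HDR_LEN:
        raise ValueError("expected an IPsec-ESP packet")
    vni_field = struct.pack("!I", vni << 8)
    new_len = len(header) + VNI_LEN + len(payload)
    return rewrite_header(header, new_len, VNI_PROTO) + vni_field + payload


def extract_vni(packet: bytes):
    """Second router: return the cleartext VNI, or None if the packet carries none."""
    header, payload = split_ipv4(packet)
    if header[9] != VNI_PROTO:
        return None
    if len(payload) < VNI_LEN + ESP_HDR_LEN:
        raise ValueError("too short for a VNI and an ESP header")
    return struct.unpack_from("!I", payload)[0] >> 8


def strip_vni(packet: bytes) -> bytes:
    """Third router: remove the VNI, then update total length, protocol, checksum."""
    header, payload = split_ipv4(packet)
    if header[9] != VNI_PROTO or len(payload) < VNI_LEN + ESP_HDR_LEN:
        raise ValueError("packet does not carry a VNI")
    rest = payload[VNI_LEN:]
    # ASSUMPTION: the protocol number is set back to ESP once the VNI is gone.
    return rewrite_header(header, len(header) + len(rest), ESP_PROTO) + rest


if __name__ == "__main__":
    # Constructed sample: documentation addresses and filler ciphertext.
    plain = build_esp_packet("192.0.2.1", "198.51.100.2", 0x1001, 7, b"\xaa" * 32)
    tagged = insert_vni(plain, 0x123456)
    print("VNI read by the second router:", hex(extract_vni(tagged)))
    print("third router restores the ESP packet:", strip_vni(tagged) == plain)
```

Because the VNI sits in front of the ESP header, it is outside the data covered by ESP's integrity check. A transit router can use it for load sharing, but the receiving side should rely on the VNI inside the decrypted VXLAN message.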

Description

Method, device and system for processing VXLAN messages
This application claims priority to Chinese Patent Application No. 201510127449.9, filed with the Chinese Patent Office on March 23, 2015 and entitled "Method, Device and System for Processing VXLAN Messages", which is incorporated herein by reference in its entirety.
Technical Field
The present invention relates to communication technologies, and in particular to a method, device and system for processing Virtual Extensible Local Area Network (VXLAN) messages.
Background
VXLAN can be used inside a data center so that virtual machines can migrate within an interconnected Layer 3 network without changing their Internet Protocol (IP) addresses or Media Access Control (MAC) addresses, which ensures service continuity. The Internet Protocol Security (IPsec) protocol ensures confidential and secure communication over IP networks by using encrypted security services. The Encapsulating Security Payload (ESP) protocol is one of the main protocols of IPsec, and IPsec-ESP can be applied to communication between different data centers (DCs).
In a scenario of communication between different DCs, for example between DC1 and DC2, a first router belonging to DC1 can receive a VXLAN message sent by a virtual tunnel end point (VTEP) belonging to DC1. The first router performs IPsec-ESP encapsulation on the received VXLAN message to obtain an IPsec-ESP packet. The IPsec-ESP packet includes the encrypted VXLAN message, an ESP header encapsulated outside the encrypted VXLAN message, and an IP header encapsulated outside the ESP header. The IP header includes a source IP address and a destination IP address; the source IP address is the IP address of the first router, and the destination IP address is the IP address of a second router. The second router belongs to DC2. The first router sends the IPsec-ESP packet to the second router.
Routers located between the first router and the second router can forward the IPsec-ESP packet. However, routers on the transmission path between the first router and the second router cannot see the VXLAN-related information included in the VXLAN message inside the IPsec-ESP packet, such as the VXLAN Network Identifier (VNI), and therefore cannot perform service processing such as load sharing.
Summary of the Invention
In view of this, embodiments of the present invention provide a method, device and system for processing VXLAN messages, which help routers between different data centers obtain the VNI.
The technical solutions provided by the embodiments of the present invention are as follows.
According to a first aspect, a method for processing a VXLAN message is provided, including:
a first router receives a VXLAN message sent by a VTEP, where the VXLAN message includes a VNI;
the first router obtains an encapsulated packet according to the VXLAN message, where the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN message and includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, with the VNI encapsulated between the IP header and the ESP header;
the first router sends the encapsulated packet to a second router.
In a first possible implementation of the first aspect, the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the VNI.
With reference to the first aspect, a second possible implementation of the first aspect is further provided: the encapsulated packet further includes a User Datagram Protocol (UDP) header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP;
the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, which is used to identify that the encapsulated packet carries the VNI.
According to a second aspect, a method for processing a VXLAN message is provided, including:
a second router receives an encapsulated packet sent by a first router, where the encapsulated packet is obtained by performing IPsec-ESP encapsulation on a VXLAN message from a VTEP and includes an IP header, a VNI, an ESP header, and the encrypted VXLAN message, with the VNI encapsulated between the IP header and the ESP header;
the second router obtains the VNI from the encapsulated packet.
In a first possible implementation of the second aspect, the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the VNI, and the second router obtaining the VNI from the encapsulated packet includes:
the second router determines, according to the first identifier information included in the IP header, that the encapsulated packet includes the VNI;
the second router obtains the VNI from between the IP header and the ESP header.
With reference to the second aspect, a second possible implementation of the second aspect is further provided: the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP; the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the UDP header; and the UDP header encapsulated between the IP header and the VNI includes second identifier information, which is used to identify that the encapsulated packet carries the VNI;
the second router obtaining the VNI from the encapsulated packet includes:
the second router obtains, according to the first identifier information included in the IP header, the UDP header encapsulated between the IP header and the VNI;
the second router determines, according to the second identifier information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated packet includes the VNI;
the second router obtains the VNI from between the IP header and the ESP header.
According to a third aspect, a first router is provided, including:
a receiving unit, configured to receive a VXLAN message sent by a VTEP, where the VXLAN message includes a VNI;
a processing unit, configured to obtain an encapsulated packet according to the VXLAN message, where the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN message and includes an IP header, the VNI, an ESP header, and the encrypted VXLAN message, with the VNI encapsulated between the IP header and the ESP header;
a sending unit, configured to send the encapsulated packet to a second router.
In a first possible implementation of the third aspect, the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the VNI.
With reference to the third aspect, a second possible implementation of the third aspect is further provided: the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP;
the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identifier information, which is used to identify that the encapsulated packet carries the VNI.
According to a fourth aspect, a second router is provided, including:
a receiving unit, configured to receive an encapsulated packet sent by a first router, where the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN message from a VTEP and includes an IP header, a VNI, an ESP header, and the encrypted VXLAN message, with the VNI encapsulated between the IP header and the ESP header;
a processing unit, configured to obtain the VNI from the encapsulated packet.
In a first possible implementation of the fourth aspect, the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the VNI;
the processing unit is specifically configured to determine, according to the first identifier information included in the IP header, that the encapsulated packet includes the VNI;
the processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
With reference to the fourth aspect, a second possible implementation of the fourth aspect is further provided: the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN message from the VTEP; the IP header includes first identifier information, which is used to identify that the encapsulated packet carries the UDP header; and the UDP header encapsulated between the IP header and the VNI includes second identifier information, which is used to identify that the encapsulated packet carries the VNI;
the processing unit is specifically configured to obtain, according to the first identifier information included in the IP header, the UDP header encapsulated between the IP header and the VNI;
the processing unit is specifically configured to determine, according to the second identifier information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated packet includes the VNI;
the processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
According to a fifth aspect, a system for processing a VXLAN message is provided, including:
the first router provided by the third aspect or any possible implementation of the third aspect, and the second router provided by the fourth aspect or any possible implementation of the fourth aspect.
通过上述方案,本发明实施例提供的用于处理VXLAN报文的方法、装置及系统中,第一路由器对VTEP发送的VXLAN报文进行IPsec-ESP封装,获得封装后的报文。所述第一路由器将所述VTEP发送的所述VXLAN报文包括的VNI封装于所述封装后的报文包括的IP头和ESP头之间。所述第一路由器向第二路由器发送所述封装后的报文。所述第二路由器从所述封装后的报文中获得封装于IP头和ESP头之间的VNI。这样,位于不同的数据中心间的路由器,比如第二路由器,可从接收到的封装后的报文中获得VNI。With the above solution, in the method, device, and system for processing a VXLAN message, the first router performs IPsec-ESP encapsulation on the VXLAN packet sent by the VTEP to obtain the encapsulated packet. The first router encapsulates the VNI included in the VXLAN message sent by the VTEP between the IP header and the ESP header included in the encapsulated packet. The first router sends the encapsulated packet to the second router. The second router obtains a VNI encapsulated between the IP header and the ESP header from the encapsulated packet. In this way, routers located between different data centers, such as the second router, can obtain the VNI from the received encapsulated message.
Brief Description of the Drawings
To describe the solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the embodiments are briefly introduced below. The drawings in the following description are evidently some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for processing a VXLAN packet according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a method for processing a VXLAN packet according to a second embodiment of the present invention;
FIG. 3a is a schematic diagram of an encapsulated packet according to an embodiment of the present invention;
FIG. 3b is a schematic diagram of another encapsulated packet according to an embodiment of the present invention;
FIG. 4a is a schematic diagram of an encapsulated packet according to an embodiment of the present invention;
FIG. 4b is a schematic diagram of another encapsulated packet according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the IP header included in an encapsulated packet according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the UDP header included in an encapsulated packet according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a first router according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a first router according to another embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a second router according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a second router according to another embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a system for processing a VXLAN packet according to an embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a flowchart of a method for processing a VXLAN packet according to a first embodiment of the present invention. The first embodiment describes the method for processing a VXLAN packet from the perspective of the first router. The first router may be a provider edge (PE) device. The method provided by the first embodiment is described below with reference to FIG. 1.
S102. The first router receives a VXLAN packet sent by a VTEP, where the VXLAN packet includes a VNI.
For example, in a scenario of communication between different DCs, the first router may belong to DC1. The VTEP in DC1 may perform VXLAN encapsulation on a service packet sent by a virtual machine (VM) to obtain a VXLAN packet. The VXLAN packet obtained by the VTEP in DC1 includes a VNI. The VXLAN packet obtained by the VTEP in DC1 needs to be sent to a VM in another DC, such as a VM in DC2. The first router may receive the VXLAN packet sent by the VTEP in DC1. The VNI may be used to distinguish different VXLANs. For example, one VNI may be used to identify one tenant.
S104. The first router obtains an encapsulated packet according to the VXLAN packet. The encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on the VXLAN packet, and includes an IP header, the VNI, an ESP header, and the encrypted VXLAN packet, where the VNI is encapsulated between the IP header and the ESP header.
For example, the first router may insert the VNI included in the VXLAN packet between the IP header and the ESP header of the encapsulated packet.
For example, the first router obtaining the encapsulated packet according to the VXLAN packet includes: the first router obtains the VNI from the VXLAN packet; the first router performs IPsec-ESP encapsulation on the VXLAN packet to obtain an IPsec-ESP encapsulated packet, which includes the encrypted VXLAN packet, an ESP header encapsulated outside the encrypted VXLAN packet, and an IP header encapsulated outside the ESP header; the first router inserts the VNI between the IP header and the ESP header of the IPsec-ESP encapsulated packet to obtain the encapsulated packet. The encapsulated packet may be the packet shown in FIG. 3a or FIG. 3b. The packet shown in FIG. 3a is an encapsulated packet sent in transport mode. The IP header included in the packet shown in FIG. 3a may use the structure shown in FIG. 5. The packet shown in FIG. 3b is an encapsulated packet sent in tunnel mode. The inner IP header included in the packet shown in FIG. 3b is the IP header included in the VXLAN packet sent by the VTEP to the first router. The IP header included in the packet shown in FIG. 3b may use the structure shown in FIG. 5. The encrypted VXLAN packet in FIG. 3a and FIG. 3b is the packet obtained by encrypting the VXLAN packet sent by the VTEP; the content of the encrypted VXLAN packet is not described further here.
For example, the first router obtaining the encapsulated packet according to the VXLAN packet includes: the first router obtains the VNI from the VXLAN packet; the first router encrypts the VXLAN packet to obtain an encrypted VXLAN packet; the first router encapsulates the ESP header, the VNI, and the IP header layer by layer outside the encrypted VXLAN packet. The encapsulated packet may be the packet shown in FIG. 3a or FIG. 3b.
Optionally, the IP header included in the encapsulated packet may further include first identification information, which identifies that the encapsulated packet carries the VNI.
For example, if the IP header included in the encapsulated packet of FIG. 3a or FIG. 3b uses the IP header shown in FIG. 5, the first identification information may be carried in the protocol number field of the IP header shown in FIG. 5. In this embodiment, the protocol number field in the IP header shown in FIG. 5 may be used to indicate the type of packet that follows the IP header; for example, the protocol number field is defined as "ESP/VXLAN" to indicate that what follows the IP header is an ESP packet encapsulating a VXLAN header. An ESP packet encapsulating a VXLAN header may be an ESP packet with a VXLAN header containing the VNI encapsulated outside it, or an ESP packet with the VNI encapsulated outside it. After adding the VNI between the ESP header and the IP header, the first router may update the information contained in the IP header. For the IP header shown in FIG. 5, after adding the VNI between the ESP header and the IP header, the first router may update the protocol number field, the total length field, and the header checksum field of the IP header, so that the encapsulated packet with the VNI added meets the format requirements.
Optionally, the first router may obtain a VXLAN header from the VXLAN packet from the VTEP, where the VXLAN header includes the VNI. The first router encapsulates the VXLAN header included in the VXLAN packet between the IP header and the ESP header to obtain the encapsulated packet. In this way, the first router does not need to identify and extract the VNI from the VXLAN packet from the VTEP, which helps simplify operation. The method by which the first router obtains an encapsulated packet including the VXLAN header is the same as the method described above for obtaining an encapsulated packet including the VNI, and is not repeated here.
S106. The first router sends the encapsulated packet to the second router.
For example, the second router is a router between different DCs. For instance, the first router belongs to DC1 and a third router belongs to DC2. The encapsulated packet is a packet that needs to be sent by the first router of DC1 to the third router of DC2. The second router is a router in the transport network between DC1 and DC2.
For example, if the encapsulated packet is sent in transport mode, the destination IP address in the IP header of the encapsulated packet is the IP address of the third router. If the encapsulated packet is sent in tunnel mode, the destination IP address in the IP header of the encapsulated packet is the destination address of the tunnel, and the destination address of the tunnel is the IP address of the third router.
For example, a first correspondence may be preconfigured on the first router, where the first correspondence includes the VNI and the IP address of the third router. The first router may obtain the IP address of the third router according to the first correspondence and the VNI. The first router may use the IP address of the third router as the destination IP address in the IP header of the encapsulated packet.
For example, a second correspondence may be preconfigured on the first router, where the second correspondence includes address information and the IP address of the third router. The address information may be any one or any combination of the source IP address, destination IP address, source MAC address, and destination MAC address included in the VXLAN packet sent by the VTEP.
Taking a scenario in which DC1 and DC2 need to communicate as an example, after the first router in DC1 obtains the encapsulated packet, it sends the encapsulated packet to the third router in DC2 according to the destination IP address included in the IP header. The destination IP address included in the IP header of the encapsulated packet is the IP address of the third router in DC2. A second router lies between the first router in DC1 and the third router in DC2; that is, the path between the first router in DC1 and the third router in DC2 includes the second router. The second router may be a router capable of obtaining the VNI carried in the encapsulated packet. When the first router in DC1 sends the encapsulated packet to the third router in DC2, the encapsulated packet is forwarded to the second router along the path between the first router and the third router.
In the method for processing a VXLAN packet provided by this embodiment of the present invention, the first router obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header of the encapsulated packet. The first router sends the encapsulated packet to the second router, which helps the second router perform further service processing, such as load sharing, according to the VNI carried in the encapsulated packet, and helps improve network operating efficiency.
Based on the method for processing a VXLAN packet provided by the first embodiment of the present invention, another embodiment of the present invention provides a method for processing a VXLAN packet. The method provided by this other embodiment differs from the method of the first embodiment in that the first router may also insert the UDP header included in the VXLAN packet between the IP header and the VNI of the encapsulated packet. That is, S104 in the method provided by this other embodiment differs from S104 in the method of the first embodiment. The differences are described here; for the remaining content, refer to the corresponding content in the method provided by the first embodiment.
For example, in S104, the first router obtaining the encapsulated packet according to the VXLAN packet includes: the first router obtains the VNI and the UDP header from the VXLAN packet; the first router performs IPsec-ESP encapsulation on the VXLAN packet to obtain an IPsec-ESP encapsulated packet, which includes the encrypted VXLAN packet, an ESP header encapsulated outside the encrypted VXLAN packet, and an IP header encapsulated outside the ESP header; the first router inserts the VNI and the UDP header between the IP header and the ESP header of the IPsec-ESP encapsulated packet to obtain the encapsulated packet. The encapsulated packet may be the packet shown in FIG. 4a or FIG. 4b. The packet shown in FIG. 4a is an encapsulated packet sent in transport mode. The IP header included in the packet shown in FIG. 4a may use the structure shown in FIG. 5, and the UDP header included in the packet shown in FIG. 4a may use the structure shown in FIG. 6. The packet shown in FIG. 4b is an encapsulated packet sent in tunnel mode. The inner IP header included in the packet shown in FIG. 4b is the IP header included in the VXLAN packet sent by the VTEP to the first router. The IP header included in the packet shown in FIG. 4b may use the structure shown in FIG. 5, and the UDP header included in the packet shown in FIG. 4b may use the structure shown in FIG. 6. The encrypted VXLAN packet in FIG. 4a and FIG. 4b is the packet obtained by encrypting the VXLAN packet sent by the VTEP; the content of the encrypted VXLAN packet is not described further here.
For example, in S104, the first router obtaining the encapsulated packet according to the VXLAN packet includes: the first router obtains the VNI and the UDP header from the VXLAN packet; the first router encrypts the VXLAN packet to obtain an encrypted VXLAN packet; the first router encapsulates the ESP header, the VNI, the UDP header, and the IP header layer by layer outside the encrypted VXLAN packet. The encapsulated packet may be the packet shown in FIG. 4a or FIG. 4b.
For example, the IP header included in the encapsulated packet may further include first identification information, which identifies that the encapsulated packet carries the UDP header. The UDP header encapsulated between the IP header and the VNI includes second identification information, which identifies that the encapsulated packet carries the VNI.
For example, if the IP header included in the encapsulated packet of FIG. 4a or FIG. 4b uses the IP header shown in FIG. 5, the first identification information may be carried in the protocol number field of the IP header shown in FIG. 5. In this embodiment, the protocol number field in the IP header shown in FIG. 5 may be defined as UDP, indicating that a UDP header follows the IP header. After adding the VNI and the UDP header between the ESP header and the IP header, the first router may update the information contained in the IP header. For the IP header shown in FIG. 5, after adding the VNI and the UDP header between the ESP header and the IP header, the first router may update the protocol number field, the total length field, and the header checksum field of the IP header, so that the encapsulated packet carrying the VNI and the UDP header meets the format requirements. The destination port number in the UDP header shown in FIG. 6 may be used to carry the second identification information. The destination port number in the UDP header shown in FIG. 6 is the ESP/VXLAN port number; that is, the ESP/VXLAN port number identifies that the VNI follows the UDP header. If what follows the UDP header is a VXLAN header containing the VNI, the destination port number in the UDP header shown in FIG. 6 is the ESP/VXLAN port number; that is, the ESP/VXLAN port number identifies that an ESP packet encapsulating a VXLAN header follows the UDP header. The UDP header shown in FIG. 6 includes a "UDP checksum" field. If the "header checksum" has been set in the IP header shown in FIG. 5, the "UDP checksum" in the UDP header shown in FIG. 6 may be set to 0.
For example, there may be multiple paths between the first router of DC1 and the third router of DC2. Each of the multiple paths may include one or more routers. The source port number in the UDP header of the encapsulated packet and the five-tuple information of the encapsulated packet may be used to select, from the multiple paths, one path for forwarding the encapsulated packet.
FIG. 2 is a flowchart of a method for processing a VXLAN packet according to a second embodiment of the present invention. The second embodiment describes the method for processing a VXLAN packet from the perspective of the second router. The second router may be a provider (P) device. The method of the second embodiment is described in detail below with reference to FIG. 2.
S202. The second router receives the encapsulated packet sent by the first router. The encapsulated packet is a packet obtained by performing IPsec-ESP encapsulation on a VXLAN packet from a VTEP, and includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet, where the VNI is encapsulated between the IP header and the ESP header.
For example, the second router is on the path between the first router of DC1 and the third router of DC2, and the second router receives the encapsulated packet sent by the first router to the third router. The encapsulated packet is the same as the encapsulated packet in the first embodiment of the present invention and is not described again here.
Optionally, the IP header included in the encapsulated packet further carries first identification information, which identifies that the encapsulated packet carries the VNI. If the encapsulated packet includes a VXLAN header encapsulated between the IP header and the ESP header, and the VXLAN header includes the VNI, the first identification information may be used to identify that the encapsulated packet carries the VXLAN header.
For example, the encapsulated packet received by the second router may be the packet shown in FIG. 3a or FIG. 3b; the specific structure is not described again here.
S204. The second router obtains the VNI from the encapsulated packet.
For example, the second router obtaining the VNI from the encapsulated packet includes: the second router may determine, according to the first identification information carried in the IP header of the encapsulated packet, that the encapsulated packet carries the VNI; the second router obtains the VNI carried in the encapsulated packet from the position following the IP header of the encapsulated packet.
For example, the second router may use the obtained VNI to perform service processing on the encapsulated packet, such as QoS or load sharing. The VNI is used to distinguish different VXLANs. Using the VNI, the second router may determine the tenant to which the VXLAN packet included in the encapsulated packet belongs. The second router may store a mapping table between VNIs and tenants. The second router may perform a load-sharing operation on the encapsulated packet according to the VNI carried in the encapsulated packet and the mapping table; the specific operation is not described further here.
In the method for processing a VXLAN packet provided by this embodiment of the present invention, the VNI included in the encapsulated packet is encapsulated between the IP header and the ESP header, so the second router can identify the VNI carried in the encapsulated packet after receiving it. The second router can obtain the VNI from the encapsulated packet. In this way, the second router can use the obtained VNI for further service processing, which helps improve network operating efficiency.
在本发明第二实施例提供的用于处理VXLAN报文的方法的基础上,本发明的另一实施例提供了用于处理VXLAN报文的方法。本发明的另一实施例提供的方法中,所述第二路由器接收到的封装后的报文包括封装于IP头和ESP头之间的VNI和UDP头,或者所述第二路由器接收到的封装后的报文包括封装于IP头和ESP头之间的VXLAN头和UDP头,所述VXLAN头包括所述VNI。本发明另一实施例提供的方法与本发明第二实施例提供的方法不同之处在于S204,下面仅对不同之处进行说明,对于相同的内容可参见本发明第二实施例提供的方法中的相应内容。On the basis of the method for processing a VXLAN message provided by the second embodiment of the present invention, another embodiment of the present invention provides a method for processing a VXLAN message. In another method of the present invention, the encapsulated packet received by the second router includes a VNI and a UDP header encapsulated between an IP header and an ESP header, or received by the second router. The encapsulated message includes a VXLAN header and a UDP header encapsulated between an IP header and an ESP header, the VXLAN header including the VNI. The method provided by another embodiment of the present invention is different from the method provided by the second embodiment of the present invention in S204, and only the differences are described below. For the same content, refer to the method provided by the second embodiment of the present invention. The corresponding content.
In S202, the encapsulated packet received by the second router includes an IP header, a UDP header, a VNI, an ESP header, and the encrypted VXLAN packet. The encapsulated packet received by the second router may be the packet shown in FIG. 4a or FIG. 4b; its structure is not described again here. In this embodiment, the IP header of the encapsulated packet may carry first identification information, which indicates that the encapsulated packet carries the UDP header; this UDP header is the UDP header carried in the VXLAN packet that the VTEP sent to the first router. The UDP header encapsulated between the IP header and the VNI includes second identification information, which indicates that the encapsulated packet carries the VNI. Because the VNI is usually carried in the VXLAN packet that the VTEP sends to the first router, if the encapsulated packet includes a VXLAN header and a UDP header encapsulated between the IP header and the ESP header, the second identification information may be used to indicate that the encapsulated packet carries a VXLAN header.
For example, in S204, the second router obtaining the VNI from the encapsulated packet includes: the second router obtains, from the IP header of the encapsulated packet, the first identification information carried in the IP header; the second router obtains, according to the first identification information, the UDP header that follows the IP header in the encapsulated packet; the second router determines, according to the destination port number in the UDP header, that the encapsulated packet carries the VNI; and the second router obtains the VNI from the position following the UDP header of the encapsulated packet. If the VNI of the encapsulated packet is carried in a VXLAN header, and the VXLAN header is encapsulated between the UDP header and the ESP header of the encapsulated packet, the second router may obtain the VXLAN header from the position following the UDP header of the encapsulated packet and obtain the VNI from the VXLAN header.
The third router in DC2 receives the encapsulated packet from the first router, that is, the encapsulated packet forwarded by the second router. The third router may process the encapsulated packet to obtain the VXLAN packet.
For example, if the encapsulated packet includes a VNI encapsulated between the IP header and the ESP header, the third router processing the encapsulated packet to obtain the VXLAN packet includes: the third router may remove the VNI encapsulated between the IP header and the ESP header of the encapsulated packet; and the third router updates the IP header of the packet obtained after the VNI is removed, to obtain the VXLAN packet. The VXLAN packet is a packet that the VTEP in DC2 can recognize. The third router updating the IP header of the packet obtained after the VNI is removed may include: the third router updates the total length field, the protocol number field, and the header checksum field of that IP header, so that the VXLAN packet can be recognized and/or processed by the VTEP in DC2.
For example, if the encapsulated packet includes a VNI and a UDP header encapsulated between the IP header and the ESP header, the third router processing the encapsulated packet to obtain the VXLAN packet includes: the third router may remove the VNI and the UDP header encapsulated between the IP header and the ESP header of the encapsulated packet; and the third router updates the IP header of the packet obtained after the VNI and the UDP header are removed, to obtain the VXLAN packet. The VXLAN packet is a packet that the VTEP in DC2 can recognize. The third router updating the IP header of the packet obtained after the VNI and the UDP header are removed may include: the third router updates the total length field, the protocol number field, and the header checksum field of that IP header, so that the VXLAN packet can be recognized and/or processed by the VTEP in DC2.
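The two processing steps above, worked through as an added example (not code from the patent): the second router's lookup of the cleartext VNI, and the third router's removal of the fields between the IP and ESP headers followed by the update of the total length, protocol number and header checksum fields. Assumptions: protocol number 253 (an experimental value) stands in for the first identification information of the layout without a UDP header, the bare VNI field is 4 bytes, the UDP layout carries a standard 8-byte VXLAN header on destination port 4789, all packets are constructed samples, and ESP decryption is not shown.

```python
import struct

ESP, UDP = 50, 17     # IANA IP protocol numbers
VXLAN_PORT = 4789     # IANA VXLAN port, used here as the "second identification information"
VNI_PROTO = 253       # ASSUMPTION: RFC 3692 experimental number standing in for the
                      # "first identification information" of the layout without UDP
BARE_VNI_LEN = 4      # ASSUMPTION: 24-bit VNI plus one reserved byte


def checksum(header: bytes) -> int:
    """Ones' complement checksum over an IPv4 header (returns 0 if already valid)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def locate_vni(pkt: bytes):
    """Second router: return (vni, start, end) of the cleartext fields before ESP.

    These fields sit in front of the ESP header, so the ESP integrity check
    does not cover them; every length is bounds-checked before it is used.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(pkt):
        raise ValueError("inconsistent IPv4 lengths")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = pkt[9]
    if proto == VNI_PROTO:                      # layout: IP | VNI | ESP | ciphertext
        end = ihl + BARE_VNI_LEN
        if end > total_len:
            raise ValueError("truncated VNI field")
        vni = int.from_bytes(pkt[ihl:ihl + 3], "big")
    elif proto == UDP:                          # layout: IP | UDP | VXLAN | ESP | ciphertext
        end = ihl + 8 + 8
        if end > total_len:
            raise ValueError("truncated UDP/VXLAN headers")
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport != VXLAN_PORT:
            raise ValueError("UDP destination port does not announce a VNI")
        vxlan = pkt[ihl + 8:end]
        if not vxlan[0] & 0x08:
            raise ValueError("VXLAN I flag not set, VNI invalid")
        vni = int.from_bytes(vxlan[4:7], "big")
    else:
        raise ValueError("IP header does not announce a VNI")
    return vni, ihl, end


def strip_shim(pkt: bytes) -> bytes:
    """Third router: drop the cleartext fields and repair the IP header."""
    _, start, end = locate_vni(pkt)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    hdr = bytearray(pkt[:start])
    hdr[2:4] = struct.pack("!H", total_len - (end - start))   # total length
    hdr[9] = ESP                                              # protocol number
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))      # header checksum
    return bytes(hdr) + pkt[end:total_len]


def sample_packets(vni: int = 0x00ABCD):
    """Constructed packets for both layouts; the ESP body is opaque filler."""
    esp = struct.pack("!II", 0x1001, 1) + b"\xAA" * 32        # SPI, sequence, "ciphertext"
    bare = ipv4(VNI_PROTO, vni.to_bytes(3, "big") + b"\x00" + esp)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 16 + len(esp), 0)
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)
    return bare, ipv4(UDP, udp + vxlan + esp), esp


if __name__ == "__main__":
    bare, with_udp, esp = sample_packets()
    for name, pkt in (("IP|VNI|ESP", bare), ("IP|UDP|VXLAN|ESP", with_udp)):
        restored = strip_shim(pkt)
        print(name, hex(locate_vni(pkt)[0]), len(pkt), "->", len(restored))
```

Both layouts reduce to the same IP | ESP packet after stripping, and a truncated packet, a bad header checksum or an IP header that announces no VNI is rejected with `ValueError` rather than parsed.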
FIG. 7 is a schematic structural diagram of a first router according to an embodiment of the present invention. The first router of FIG. 7 can perform the method provided by the embodiment corresponding to FIG. 1, and may be the first router in the embodiment corresponding to FIG. 2. The first router provided by this embodiment includes a receiving unit 702, a processing unit 704, and a sending unit 706.
The receiving unit 702 is configured to receive a VXLAN packet sent by a VTEP, where the VXLAN packet includes a VNI.
The processing unit 704 is configured to obtain an encapsulated packet according to the VXLAN packet. The encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet and includes an IP header, the VNI, an ESP header, and the encrypted VXLAN packet, with the VNI encapsulated between the IP header and the ESP header.
The sending unit 706 is configured to send the encapsulated packet to a second router.
Optionally, the IP header includes first identification information, which indicates that the encapsulated packet carries the VNI.
Optionally, the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN packet from the VTEP. The IP header includes first identification information, which indicates that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information, which indicates that the encapsulated packet carries the VNI.
In the first router provided by this embodiment, the processing unit obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header of the encapsulated packet. The sending unit sends the encapsulated packet to the second router, which helps the second router perform further service processing, such as load sharing, according to the VNI carried in the encapsulated packet, and helps improve network operating efficiency.
FIG. 8 is a schematic structural diagram of a first router according to another embodiment of the present invention. The first router can perform the method provided by the embodiment corresponding to FIG. 1, and may be the first router in the embodiment corresponding to FIG. 2. The first router provided by this embodiment includes a processor 801, a memory 802, an interface 803, and a bus 804. The interface 803 may be implemented in a wireless or wired manner; for example, the interface 803 may be a network interface card (NIC) or another component used for communication. The processor 801, the memory 802, and the interface 803 may be connected through the bus 804.
The memory 802 is configured to store program code. Optionally, the program code may include an operating system program and an application program.
The processor 801 performs the following operations according to the executable instructions included in the program read from the memory 802.
The processor 801 receives, through the interface 803, a VXLAN packet sent by a VTEP, where the VXLAN packet includes a VXLAN network identifier (VNI); the processor 801 obtains an encapsulated packet according to the VXLAN packet, where the encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet and includes an IP header, the VNI, an ESP header, and the encrypted VXLAN packet, with the VNI encapsulated between the IP header and the ESP header; and the processor 801 sends the encapsulated packet to a second router through the interface 803.
Optionally, the IP header includes first identification information, which indicates that the encapsulated packet carries the VNI.
Optionally, the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN packet from the VTEP. The IP header includes first identification information, which indicates that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information, which indicates that the encapsulated packet carries the VNI.
In the first router provided by this embodiment, the processor 801 obtains the encapsulated packet according to the VXLAN packet and the VNI in the VXLAN packet, and the VNI is encapsulated between the IP header and the ESP header of the encapsulated packet. The processor 801 sends the encapsulated packet to the second router through the interface 803, which helps the second router perform further service processing, such as load sharing, according to the VNI carried in the encapsulated packet, and helps improve network operating efficiency.
FIG. 9 is a schematic structural diagram of a second router according to an embodiment of the present invention. The second router shown in FIG. 9 can perform the method provided by the embodiment corresponding to FIG. 2, and may be the second router in the embodiment corresponding to FIG. 1. The second router provided by this embodiment includes a receiving unit 902 and a processing unit 904.
The receiving unit 902 is configured to receive an encapsulated packet sent by a first router. The encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet from a VTEP and includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet, with the VNI encapsulated between the IP header and the ESP header.
The processing unit 904 is configured to obtain the VNI from the encapsulated packet.
For example, if the IP header includes first identification information, which indicates that the encapsulated packet carries the VNI, the processing unit 904 is specifically configured to determine, according to the first identification information included in the IP header, that the encapsulated packet includes the VNI; and the processing unit 904 is specifically configured to obtain the VNI from between the IP header and the ESP header.
For example, if the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN packet from the VTEP, the IP header includes first identification information indicating that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information indicating that the encapsulated packet carries the VNI, then the processing unit 904 is specifically configured to obtain, according to the first identification information included in the IP header, the UDP header encapsulated between the IP header and the VNI; the processing unit 904 is specifically configured to determine, according to the second identification information included in that UDP header, that the encapsulated packet includes the VNI; and the processing unit 904 is specifically configured to obtain the VNI from between the IP header and the ESP header.
In the second router provided by this embodiment, the VNI in the encapsulated packet is encapsulated between the IP header and the ESP header, so after receiving the encapsulated packet the processing unit 904 can identify the VNI that the packet carries. The processing unit 904 can obtain the VNI from the encapsulated packet. The second router can then use the obtained VNI for further service processing, which helps improve network operating efficiency.
FIG. 10 is a schematic structural diagram of a second router according to another embodiment of the present invention. The second router can perform the method provided by the embodiment corresponding to FIG. 2, and may be the second router in the embodiment corresponding to FIG. 1. The second router provided by this embodiment includes a processor 1001, a memory 1002, an interface 1003, and a bus 1004. The interface 1003 may be implemented in a wireless or wired manner, for example as a NIC or another component used for communication. The processor 1001, the memory 1002, and the interface 1003 are connected through the bus 1004.
The memory 1002 is configured to store program code. Optionally, the program code may include an operating system program and an application program.
The processor 1001 performs the following operations according to the executable instructions included in the program read from the memory 1002.
The processor 1001 receives, through the interface 1003, an encapsulated packet sent by a first router. The encapsulated packet is obtained by performing IPsec-ESP encapsulation on the VXLAN packet from a VTEP and includes an IP header, a VNI, an ESP header, and the encrypted VXLAN packet, with the VNI encapsulated between the IP header and the ESP header; the processor 1001 obtains the VNI from the encapsulated packet.
For example, if the IP header includes first identification information, which indicates that the encapsulated packet carries the VNI, the processor 1001 determines, according to the first identification information included in the IP header, that the encapsulated packet includes the VNI; and the processor 1001 obtains the VNI from between the IP header and the ESP header.
For example, if the encapsulated packet further includes a UDP header encapsulated between the IP header and the VNI, where the UDP header is the UDP header included in the VXLAN packet from the VTEP, the IP header includes first identification information indicating that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information indicating that the encapsulated packet carries the VNI, then the processor 1001 obtains, according to the first identification information included in the IP header, the UDP header encapsulated between the IP header and the VNI; the processor 1001 determines, according to the second identification information included in that UDP header, that the encapsulated packet includes the VNI; and the processor 1001 obtains the VNI from between the IP header and the ESP header.
In the second router provided by this embodiment, the VNI in the encapsulated packet is encapsulated between the IP header and the ESP header, so after receiving the encapsulated packet the processor 1001 can identify the VNI that the packet carries. The processor 1001 can obtain the VNI from the encapsulated packet. The second router can then use the obtained VNI for further service processing, which helps improve network operating efficiency.
FIG. 11 shows a system for processing VXLAN packets according to an embodiment of the present invention. The system may include the first router provided by the embodiment corresponding to FIG. 7 or FIG. 8 and the second router provided by the embodiment corresponding to FIG. 9 or FIG. 10; the first router and the second router are not described again here.
Those of ordinary skill in the art will understand that aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method, or a computer program product. Accordingly, aspects of the present invention, or possible implementations of those aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, and so on), or an embodiment combining software and hardware aspects, all of which are collectively referred to here as a "circuit", "module", or "system". In addition, aspects of the present invention, or possible implementations of those aspects, may take the form of a computer program product, meaning computer-readable program code stored in a computer-readable medium.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. Computer-readable storage media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or apparatuses, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or flash memory, optical fiber, and portable compact disc read-only memory (CD-ROM).
The processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and produce means for implementing the functional actions specified in each block, or combination of blocks, of the block diagrams.
The computer-readable program code may execute entirely on the user's local computer, partly on the user's local computer, as a stand-alone software package, partly on the user's local computer and partly on a remote computer, or entirely on a remote computer or server. Note also that in some alternative implementations, the functions noted in the steps of the flowcharts or the blocks of the block diagrams may occur out of the order noted in the figures. For example, depending on the functionality involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
Clearly, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to cover them.

Claims (13)

  1. A method for processing a virtual extensible local area network (VXLAN) packet, characterized in that the method comprises:
    a first router receives a VXLAN packet sent by a virtual tunnel endpoint (VTEP), the VXLAN packet including a VXLAN network identifier (VNI);
    the first router obtains an encapsulated packet according to the VXLAN packet, the encapsulated packet being obtained by performing Internet Protocol Security Encapsulating Security Payload (IPsec-ESP) encapsulation on the VXLAN packet, the encapsulated packet including an Internet Protocol (IP) header, the VNI, an Encapsulating Security Payload (ESP) header, and the encrypted VXLAN packet, the VNI being encapsulated between the IP header and the ESP header;
    the first router sends the encapsulated packet to a second router.
  2. The method according to claim 1, characterized in that the IP header includes first identification information, the first identification information indicating that the encapsulated packet carries the VNI.
  3. The method according to claim 1, characterized in that the encapsulated packet further includes a User Datagram Protocol (UDP) header encapsulated between the IP header and the VNI, the UDP header being the UDP header included in the VXLAN packet from the VTEP;
    the IP header includes first identification information, the first identification information indicating that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information, the second identification information indicating that the encapsulated packet carries the VNI.
  4. A method for processing a virtual extensible local area network (VXLAN) packet, characterized in that the method comprises:
    a second router receives an encapsulated packet sent by a first router, the encapsulated packet being obtained by performing Internet Protocol Security Encapsulating Security Payload (IPsec-ESP) encapsulation on a VXLAN packet from a virtual tunnel endpoint (VTEP), the encapsulated packet including an Internet Protocol (IP) header, a VXLAN network identifier (VNI), an Encapsulating Security Payload (ESP) header, and the encrypted VXLAN packet, the VNI being encapsulated between the IP header and the ESP header;
    the second router obtains the VNI from the encapsulated packet.
  5. The method according to claim 4, characterized in that the IP header includes first identification information, the first identification information indicating that the encapsulated packet carries the VNI, and the second router obtaining the VNI from the encapsulated packet comprises:
    the second router determines, according to the first identification information included in the IP header, that the encapsulated packet includes the VNI;
    the second router obtains the VNI from between the IP header and the ESP header.
  6. The method according to claim 4, characterized in that the encapsulated packet further includes a User Datagram Protocol (UDP) header encapsulated between the IP header and the VNI, the UDP header being the UDP header included in the VXLAN packet from the VTEP, the IP header includes first identification information, the first identification information indicating that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI includes second identification information, the second identification information indicating that the encapsulated packet carries the VNI;
    the second router obtaining the VNI from the encapsulated packet comprises:
    the second router obtains, according to the first identification information included in the IP header, the UDP header encapsulated between the IP header and the VNI;
    the second router determines, according to the second identification information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated packet includes the VNI;
    the second router obtains the VNI from between the IP header and the ESP header.
  7. 一种第一路由器,其特征在于,所述第一路由器包括:A first router, wherein the first router comprises:
    接收单元,用于接收虚拟隧道端点VTEP发送的虚拟可扩展局域网VXLAN报文,所述VXLAN报文包括VXLAN网络标识符VNI;a receiving unit, configured to receive a virtual scalable local area network VXLAN message sent by the virtual tunnel endpoint VTEP, where the VXLAN message includes a VXLAN network identifier VNI;
    处理单元,用于根据所述VXLAN报文,获得封装后的报文,所述封装后的报文是对所述VXLAN报文进行互联网协议安全性-封装安全载荷IPsec-ESP封装后获得的报文,所述封装后的报文包括互联网协议IP头、所 述VNI、封装安全载荷协议ESP头和加密的所述VXLAN报文,所述VNI封装于所述IP头和所述ESP头之间;The processing unit is configured to obtain, according to the VXLAN packet, a encapsulated packet, where the encapsulated packet is obtained by performing an Internet Protocol security-encapsulation security payload IPsec-ESP encapsulation on the VXLAN packet. The encapsulated message includes an internet protocol IP header and a file. a VNI, an encapsulated secure payload protocol ESP header, and the encrypted VXLAN message, the VNI being encapsulated between the IP header and the ESP header;
    发送单元,用于向第二路由器发送所述封装后的报文。And a sending unit, configured to send the encapsulated packet to the second router.
  8. 根据权利要求7所述的第一路由器,其特征在于,所述IP头包括第一标识信息,所述第一标识信息用于标识所述封装后的报文携带有所述VNI。The first router according to claim 7, wherein the IP header includes first identifier information, and the first identifier information is used to identify that the encapsulated packet carries the VNI.
  9. 根据权利要求7所述的第一路由器,其特征在于,所述封装后的报文还包括封装于所述IP头与所述VNI之间的用户数据包协议UDP头,所述UDP头为来自所述VTEP的所述VXLAN报文所包括的UDP头;The first router according to claim 7, wherein the encapsulated message further comprises a User Data Packet Protocol UDP header encapsulated between the IP header and the VNI, the UDP header is from a UDP header included in the VXLAN packet of the VTEP;
    所述IP头包括第一标识信息,所述第一标识信息用于标识所述封装后的报文携带有所述UDP头,所述封装于所述IP头与所述VNI之间的UDP头包括第二标识信息,所述第二标识信息用于标识所述封装后的报文携带有所述VNI。The IP header includes first identifier information, where the first identifier information is used to identify that the encapsulated packet carries the UDP header, and the UDP header encapsulated between the IP header and the VNI The second identifier information is used to identify that the encapsulated packet carries the VNI.
  10. 一种第二路由器,其特征在于,所述第二路由器包括:A second router, wherein the second router comprises:
    接收单元,用于接收第一路由器发送的封装后的报文,所述封装后的报文是对来自虚拟隧道端点VTEP的所述VXLAN报文进行互联网协议安全性-封装安全载荷IPsec-ESP封装后获得的报文,所述封装后的报文包括互联网协议IP头、VXLAN网络标识符VNI、封装安全载荷协议ESP头和加密的所述VXLAN报文,所述VNI封装于所述IP头和所述ESP头之间;The receiving unit is configured to receive the encapsulated packet sent by the first router, where the encapsulated packet is an Internet Protocol security-encapsulated security payload IPsec-ESP encapsulation of the VXLAN packet from the virtual tunnel endpoint VTEP After the obtained packet, the encapsulated message includes an Internet Protocol IP header, a VXLAN network identifier VNI, an encapsulated secure payload protocol ESP header, and the encrypted VXLAN packet, where the VNI is encapsulated in the IP header and Between the ESP heads;
    处理单元,用于从所述封装后的报文获得所述VNI。And a processing unit, configured to obtain the VNI from the encapsulated message.
  11. 根据权利要求10所述的第二路由器,其特征在于,所述IP头包括第一标识信息,所述第一标识信息用于标识所述封装后的报文携带有所述VNI;The second router according to claim 10, wherein the IP header includes first identifier information, and the first identifier information is used to identify that the encapsulated packet carries the VNI;
    所述处理单元具体用于根据所述IP头包括的所述第一标识信息,确定所述封装后的报文包括所述VNI;The processing unit is specifically configured to determine, according to the first identifier information that is included in the IP header, that the encapsulated packet includes the VNI;
    所述处理单元具体用于从所述IP头和所述ESP头之间获得所述VNI。 The processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
  12. The second router according to claim 10, wherein the encapsulated packet further includes a User Datagram Protocol (UDP) header encapsulated between the IP header and the VNI, the UDP header is the UDP header included in the VXLAN packet from the VTEP, the IP header includes first identification information, the first identification information is used to identify that the encapsulated packet carries the UDP header, the UDP header encapsulated between the IP header and the VNI includes second identification information, and the second identification information is used to identify that the encapsulated packet carries the VNI;
    the processing unit is specifically configured to obtain, according to the first identification information included in the IP header, the UDP header encapsulated between the IP header and the VNI;
    the processing unit is specifically configured to determine, according to the second identification information included in the UDP header encapsulated between the IP header and the VNI, that the encapsulated packet includes the VNI; and
    the processing unit is specifically configured to obtain the VNI from between the IP header and the ESP header.
  13. A system for processing a virtual extensible local area network (VXLAN) packet, wherein the system includes the first router according to any one of claims 7 to 9 and the second router according to any one of claims 10 to 12.
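An added example, not taken from the patent: a receiver-side parser for the two layouts in claims 11 and 12, reading the VNI from between the IP header and the ESP header without decrypting anything. The claims do not fix the encodings, so the IPv4 Protocol value 253 as the first identification information, UDP destination port 4789 as the second identification information, and the 4-byte VNI field are assumptions, and the sample packets are constructed.

```python
import struct

# Assumed encodings (the claims do not fix them; all values are constructed):
PROTO_VNI = 253    # IPv4 Protocol value standing in for "first identifier: VNI follows"
PROTO_UDP = 17     # IPv4 Protocol value for UDP (claim 12 layout)
VXLAN_PORT = 4789  # UDP destination port standing in for the "second identifier"
VNI_LEN = 4        # assumed VNI field: 24-bit VNI followed by 1 reserved byte


def extract_vni(pkt: bytes):
    """Return (vni, spi, seq) without decrypting; raise ValueError on bad input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if ihl < 20 or total_len > len(pkt) or total_len < ihl:
        raise ValueError("bad IPv4 length fields")
    pkt, off, proto = pkt[:total_len], ihl, pkt[9]  # header checksum not verified here
    if proto == PROTO_UDP:
        if len(pkt) < off + 8:
            raise ValueError("truncated UDP header")
        dport = struct.unpack_from("!H", pkt, off + 2)[0]
        if dport != VXLAN_PORT:
            raise ValueError("UDP header lacks the second identifier")
        off += 8
    elif proto != PROTO_VNI:
        raise ValueError("IP header lacks the first identifier")
    if len(pkt) < off + VNI_LEN + 8:
        raise ValueError("truncated VNI field or ESP header")
    # Bytes before the ESP header are cleartext, and the ESP ICV (RFC 4303) alone
    # does not cover them, so the VNI is handled as unauthenticated input.
    vni = int.from_bytes(pkt[off:off + 3], "big")
    spi, seq = struct.unpack_from("!II", pkt, off + VNI_LEN)  # ESP header: SPI, sequence
    if spi == 0:
        raise ValueError("SPI 0 is not valid on the wire")
    return vni, spi, seq


def build_sample(vni: int, with_udp: bool, ciphertext: bytes = b"\xaa" * 16) -> bytes:
    """Constructed test packet: IPv4 | [UDP] | VNI | ESP(SPI, seq) | opaque ciphertext."""
    body = vni.to_bytes(3, "big") + b"\x00" + struct.pack("!II", 0x1001, 7) + ciphertext
    if with_udp:
        body = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(body), 0) + body
    proto = PROTO_UDP if with_udp else PROTO_VNI
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + body
```
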
PCT/CN2015/097523 2015-03-23 2015-12-15 Method, device and system for processing vxlan message WO2016150205A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510127449.9A CN106161225B (en) 2015-03-23 2015-03-23 For handling the method, apparatus and system of VXLAN message
CN201510127449.9 2015-03-23

Publications (1)

Publication Number Publication Date
WO2016150205A1 WO2016150205A1 (en) 2016-09-29

Family

ID=56977035

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/097523 WO2016150205A1 (en) 2015-03-23 2015-12-15 Method, device and system for processing vxlan message

Country Status (2)

Country Link
CN (1) CN106161225B (en)
WO (1) WO2016150205A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912859A (en) * 2018-09-17 2020-03-24 华为技术有限公司 Method for sending message, method for receiving message and network equipment
CN113794616A (en) * 2021-08-31 2021-12-14 新华三信息安全技术有限公司 Message forwarding method and device

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108111471B (en) * 2016-11-25 2021-05-11 中国电信股份有限公司 Message processing method and system and VTEP
CN106878278B (en) * 2017-01-09 2021-06-22 新华三技术有限公司 Message processing method and device
CN109412922B (en) * 2017-08-15 2021-07-20 华为技术有限公司 Method, forwarding device, controller and system for transmitting message
CN109525477A (en) * 2018-09-30 2019-03-26 华为技术有限公司 Communication means, device and system in data center between virtual machine
CN116418537A (en) * 2021-12-31 2023-07-11 苏州盛科通信股份有限公司 Tunnel encryption, forwarding and decryption method and device
CN116800486B (en) * 2023-06-13 2024-06-07 中科驭数(北京)科技有限公司 Cloud network communication method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014028094A1 (en) * 2012-08-14 2014-02-20 Vmware, Inc. Method and system for virtual and physical network integration
CN104104747A (en) * 2014-07-28 2014-10-15 杭州华三通信技术有限公司 Method and device for message transmission
CN104335532A (en) * 2012-06-04 2015-02-04 瑞典爱立信有限公司 Routing VLAN tagged packets to far end addresses of virtual forwarding instances using separate administrations

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103095546B (en) * 2013-01-28 2015-10-07 华为技术有限公司 A kind of method, device and data center network processing message

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104335532A (en) * 2012-06-04 2015-02-04 瑞典爱立信有限公司 Routing VLAN tagged packets to far end addresses of virtual forwarding instances using separate administrations
WO2014028094A1 (en) * 2012-08-14 2014-02-20 Vmware, Inc. Method and system for virtual and physical network integration
CN104104747A (en) * 2014-07-28 2014-10-15 杭州华三通信技术有限公司 Method and device for message transmission

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110912859A (en) * 2018-09-17 2020-03-24 华为技术有限公司 Method for sending message, method for receiving message and network equipment
WO2020057436A1 (en) * 2018-09-17 2020-03-26 华为技术有限公司 Method for sending message, method for receiving message, and network device
CN110912859B (en) * 2018-09-17 2021-12-14 华为技术有限公司 Method for sending message, method for receiving message and network equipment
US11888904B2 (en) 2018-09-17 2024-01-30 Huawei Technologies Co., Ltd. Packet sending method, packet receiving method, and network device
CN113794616A (en) * 2021-08-31 2021-12-14 新华三信息安全技术有限公司 Message forwarding method and device

Also Published As

Publication number Publication date
CN106161225B (en) 2019-05-28
CN106161225A (en) 2016-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15886127

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15886127

Country of ref document: EP

Kind code of ref document: A1