WO2020108531A1 - 报文转发 - Google Patents
报文转发 Download PDFInfo
- Publication number
- WO2020108531A1 WO2020108531A1 PCT/CN2019/121267 CN2019121267W WO2020108531A1 WO 2020108531 A1 WO2020108531 A1 WO 2020108531A1 CN 2019121267 W CN2019121267 W CN 2019121267W WO 2020108531 A1 WO2020108531 A1 WO 2020108531A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vxlan
- tunnel
- default
- address
- received
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/32—Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Definitions
- This application relates to the field of network communication technology, and in particular, to a message forwarding method and device.
- Virtual Extended Local Area Network is a technology that encapsulates Layer 2 packets with a Layer 3 protocol, which specifically includes: introducing an outer tunnel in the format of User Datagram Protocol (UDP: User Datagram Protocol) , As the data path layer, and the original message data is transmitted as a payload.
- UDP User Datagram Protocol
- the protection of secret information of the VXLAN network needs to solve the network protection problem.
- FIG. 1 is a schematic flowchart of a message forwarding method provided by an embodiment of the present application.
- FIG. 2 is a schematic structural diagram of a specific application scenario provided by an embodiment of the present application.
- FIG. 3 is a schematic structural diagram of another specific application scenario provided by an embodiment of the present application.
- FIG. 4 is a schematic structural diagram of a packet forwarding device provided by an embodiment of the present application.
- FIG. 5 is a schematic structural diagram of a packet forwarding device provided by an embodiment of the present application.
- FIG. 6 is a schematic structural diagram of a packet forwarding device provided by an embodiment of the present application.
- VXLAN Virtual Extensible Local Area Network
- VXLAN Virtual Extensible Local Area Network
- VTEP broadcasts broadcast data packets, unknown unicast data packets, and multicast data packets received through the access circuit (Attachment Circuit) on the same VXLAN network. In this way, data packets from high-density devices will be broadcast to the same VXLAN through VTEP, resulting in leakage.
- FIG. 1 is a schematic flowchart of a message forwarding method provided by an embodiment of the present application. As shown in FIG. 1, the message forwarding method may include the following processing.
- Process 101 create a default VXLAN tunnel to match the VXLAN tunnel from each low-density VTEP device to this device.
- Process 102 creating more than one VXLAN tunnel, each created VXLAN tunnel to a tunnel end point of the same density level or a tunnel end point of a higher density level.
- Process 103 when it is determined that the received VXLAN data packet matches the default VXLAN tunnel, prohibit learning the inner source MAC address of the received VXLAN data packet, decapsulate the received VXLAN data packet, and remove the forwarding Ethernet data packets encapsulated by VXLAN.
- low-density VTEP in order to ensure that data of low-density devices or networks in the VXLAN network can flow to high-density devices or networks, low-density VTEP can normally create VXLAN tunnels to send datagrams to high-density VTEP devices
- the high-density VTEP device creates a default VXLAN tunnel to isolate data packets sent to the low-density VTEP device in the same VXLAN.
- the VTEP device can receive the VXLAN data message sent by the low-density VTEP device to the device through the VXLAN tunnel. It should be noted that, in the embodiment of the present application, when the VTEP device determines that the outer destination IP address of the received VXLAN data packet is not the IP address of the device, VXLAN tunnel termination is not required. The VTEP device can search for the underlay (lower layer) forwarding entry of layer 3 according to the outer destination IP address of the VXLAN data packet for forwarding.
- the TEP device can decapsulate the VXLAN data packet. After forwarding, learn the MAC address and perform regular VXLAN forwarding.
- the VTEP device determines that the destination IP address of the received VXLAN data packet is the IP address of the device, and performs VXLAN tunnel termination; it determines that the source IP address of the received VXLAN data packet is the same security level or more connected to the device.
- the destination IP address of the VXLAN tunnel of the high security level VTEP determines that the outer source IP address and the destination IP address of the received VXLAN data packet match the VXLAN tunnel connected to the same security level or higher security level VTEP.
- VTEP in order to ensure that data of a high-density level device or network cannot flow to a low-density level device or network, VTEP creates a VXLAN tunnel to connect a VTEP of the same density level or a VTEP of a higher density level; and VTEP does not learn the MAC address of data packets from low-density level VTEP, to prevent data packets received at confidential level from being sent to VTEP of low-density level to ensure data forwarding security.
- VTEP In order to avoid sending VXLAN data packets to the low-density level VTEP, VTEP matches the VXLAN data packets from the low-density level VTEP with the default VXLAN tunnel, does not perform MAC address learning, and can further save hardware resources for storing MAC address entries.
- FIG. 2 is a schematic structural diagram of a specific application scenario provided by an embodiment of the present application.
- Server 110 and Server 120 are low-density servers of the same density level
- Server 130 and Server 140 are high-density servers of the same density level
- Server 110, Server 120, Server 130 and Server 140 are respectively Access the Layer 3 core network through VTEP 210, VTEP 220, VTEP 230, and VTEP 240.
- VTEP 210 and VTEP 220 are low-density VTEP equipment
- VTEP 230 and VTEP 240 are high-density VTEP equipment.
- a VXLAN tunnel is created between VTEP 230 and VTEP 240 to exchange data packets.
- VTEP 230 creates a VXLAN tunnel 34 to VTEP 240; the source IP address and destination IP address of VXLAN tunnel 34 are the IP address IP 230 of VTEP 230, and the IP address IP 240 of VTEP 240, respectively.
- VTEP 240 creates a VXLAN tunnel 43 to VTEP 230; the source IP address of VXLAN tunnel 43 is the IP address IP 240 of VTEP 240, and the destination IP address is the IP address IP 230 of VTEP 230.
- a VXLAN tunnel (not shown in the figure) can be created between VTEP 210 and VTEP 220 to exchange data packets.
- the source IP address and destination IP address of the VXLAN tunnel created by VTEP 210 to VTEP 220 are the IP address IP 210 of VTEP 210 and the IP address IP 220 of VTEP 220, respectively.
- VTEP 220 creates a VXLAN tunnel to VTEP 210.
- the IP address and destination IP address of the VXLAN tunnel are the IP address IP 220 of VTEP 220 and the IP address IP 210 of VTEP 210, respectively.
- VTEP 210 creates a VXLAN tunnel 14 to VTEP 240; the source IP address of VXLAN tunnel 14 is the IP address IP 210 of VTEP 210, and the destination IP address is the IP address IP 240 of VTEP 240.
- VTEP 220 creates a VXLAN tunnel to VTEP 240 (not shown in the figure) to send VXLAN encapsulated data messages to VTEP 240.
- VTEP 240 creates a default VXLAN tunnel 10, and sets the outgoing port of VXLAN tunnel 10 to be non-existent; the source IP address of the default VXLAN tunnel 10 is the IP address of VTEP 240, and the destination IP address is null, that is, does not exist.
- VTEP 240 sets the VXLAN tunnel 10 not to learn the MAC address, and sets the output port of the VXLAN tunnel 10 as a non-existent physical port.
- VTEP 240 creates the source IP address of the default VXLAN tunnel 10.
- the default VXLAN tunnel 10 is created to match the VXLAN tunnel of the low-density level VTEP sending VXLAN data packets to VTEP 240, including VXLAN tunnel 14 and VTEP 220 connected to VTEP 240. VXLAN tunnel.
- VTEP 210 and VTEP 220 can create VXLAN tunnels (not shown in the figure) to VTEP 230 respectively to send VXLAN data packets to VTEP 230.
- VTEP 230 can create a default VXLAN tunnel (not shown); the source IP address and destination IP address are the IP address of VTEP 230 and null, respectively.
- the default VXLAN tunnel of VTEP 230 is used to match the low-density level VTEP210 and 220 to the VXLAN tunnel of VTEP 230.
- the transmission of data packets sent by VTEP 210 and VTEP 240 is taken as an example.
- VTEP240 creates VSI A, sets VSI A to bind VXLAN_ID1, VTEP240 binds AC4 between Server 140 and VTEP 240 to the VSI A; VTEP210 creates VSI A, sets VSI A to bind VXLAN_ID1, and VTEP 210 is set Server 110 accesses AC 1 of VTEP 210 to bind VSI A, and sets VXLAN tunnel 14 to bind to VSI A.
- the Ethernet data packet 200 belonging to the traffic from Server 110 reaches VTEP 210.
- VTEP 210 recognizes AC 1 based on the VLAN information (identifier) and the port information (port identifier) of the received Ethernet data packet 200.
- VTEP_210 determines in the forwarding table of VSI A associated with AC1 that the outgoing port corresponding to the destination MAC address of Ethernet data packet 200 is VXLAN tunnel 14.
- VTEP210 encapsulates the Ethernet data packet 200 in VXLAN; among them, the outer source IP address is the IP address of VTEP 210, the outer destination IP address is the IP address of VTEP 240; VNI is VXLAN_ID1.
- the VTEP 210 sends the VXLAN encapsulated data message 201 through the outlet port of the VXLAN tunnel 14.
- VTEP 240 receives the VXLAN encapsulated data message 201 through the VXLAN tunnel 14, obtains the outer destination IP address of the VXLAN header, and recognizes that the obtained outer destination IP address is the IP address of the device, but the device does not exist with the VXLAN encapsulated header
- the VXLAN tunnel in which the source IP address and the destination IP address match that is, there is no VXLAN tunnel where the source IP address is the destination IP address in the VXLAN encapsulation header and the destination IP address is the source IP address in the VXLAN encapsulation header.
- VTEP 240 determines that these received VXLAN encapsulated data packets match the default VXLAN tunnel.
- VTEP 240 determines that the outer destination IP address of VXLAN encapsulated data packet 201 is the IP address of the device, and terminates the VXLAN tunnel. VTEP 240 checks whether the destination IP address of the created VXLAN tunnel is consistent with the outer source IP address of the received VXLAN encapsulated data packet 201. VTEP 240 determines that the destination IP address of each created VXLAN tunnel is inconsistent with the outer source IP address of the received VXLAN encapsulated data packet 201, and checks whether the IP address of the device VTEP 240 is created as the default of the source IP address VXLAN tunnel.
- VTEP 240 determines to create a default VXLAN tunnel 10 with the IP address of the device VTEP 240 as the source IP address, and determines that the VXLAN tunnel receiving the data packet 201 encapsulated by the VXLAN matches the default VXLAN tunnel 10.
- VTEP_240 removes the VXLAN encapsulation of the VXLAN data message 201, and determines the corresponding VSI according to the VXLAN_ID (VXLAN ID1) carried by the VXLAN encapsulation of the VXLAN data message 201.
- the default VXLAN tunnel 10 of VTEP 240 is configured not to learn the MAC address, and VTEP 240 prohibits learning the inner MAC address of the VXLAN data packet 201 to be associated with the VXLAN tunnel 14.
- VTEP 204 finds AC_4 in the destination MAC address mapping of the Ethernet data packet 200 with the VXLAN encapsulated in the forwarding table of the VSI A. VTEP 240 sends the Ethernet data packet 200 to Server 140 through the AC4 found.
- the multicast data message, broadcast Ethernet data message, or unknown unicast Ethernet data message 202 from the server 140 arrives at the VTEP 240.
- VTEP 240 recognizes AC 4 based on the VLAN ID and in-port ID of the received multicast data packet, broadcast Ethernet data packet, or unknown unicast Ethernet data packet.
- VTEP 240 searches the broadcast forwarding table in VSI A associated with AC 4, and copies a copy for each VXLAN tunnel of VSI_A, so as to broadcast in VSI A.
- VTEP240 encapsulates these broadcast Ethernet data packets or unknown unicast Ethernet data packets that need to be broadcast in VSI through VXLAN tunnel 43 into VXLAN broadcast data packets 203, and sends them to VTEP230 with the same encryption level.
- VTEP 240 discards the message copied for VXLAN tunnel 10. In this way, when the data packets from the high-density level server need to be broadcast in the VSI, VTEP240 will only broadcast to the VTEP with the same security level or higher density level in the VSI, and the default VXLAN tunnel 10 discards the packets sent to the low-density level. VXLAN broadcast data packets of VTEP210 and 220.
- VTEP240 learns the mapping of the inner MAC address of the VXLAN data packet from VTEP230 and the outer source IP;
- VTEP230 learns the mapping of the inner MAC address of the VXLAN data packet from VTEP220 and the outer source IP;
- VTEP240 VTEP230 sends VXLAN data messages that need to be broadcast in the VXLAN network;
- VTEP230 sends VXLAN data messages that need to be broadcast in the VXLAN network to VTEP240 and other existing forwarding schemes.
- the high-density level VTEP device is implemented to filter the data packets sent to the low-density level VTEP device, which is beneficial to ensure data security.
- FIG. 4 is a schematic diagram of a packet forwarding apparatus 400 provided by an embodiment of the present application.
- the apparatus 400 can be applied to the VTEP device 240 or 230 in the examples shown in FIGS. 2 and 3.
- the message forwarding device 400 may include a creation module 410, a receiving module 420, a determination module 430, a decapsulation module 440, a forwarding module 450, and a learning module 460.
- the creation module 410 is used to create a default VXLAN tunnel and create more than one VXLAN tunnel.
- the default tunnel created by the creation module 410 is used to match the VXLAN tunnel from each low-density VTEP device to the local device.
- Each VXLAN tunnel created by the creation module 410 reaches a tunnel end point of the same encryption level or a tunnel end point of a higher encryption level.
- the receiving module 420 receives the VXLAN data message.
- the determining module 430 is configured to determine that the received VXLAN data packet matches the default VXLAN tunnel.
- the decapsulation module 440 is used to decapsulate the received VXLAN data message.
- the learning module 460 is used to prohibit the inner source MAC address of the VXLAN data packet determined by the learning determination module 430 that matches the default VXLAN tunnel.
- the determining module 430 determines that the VXLAN data packet matching the default VXLAN tunnel is decapsulated by the decapsulation module 440, and then the forwarding module 450 forwards the Ethernet data packet with the VXLAN encapsulation removed.
- the VTEP using the message forwarding device 400 creates a VXLAN tunnel that connects a VTEP of the same encryption level or a higher encryption level to the VTEP of the VXLAN tunnel; MAC address to avoid sending data packets to low-density VTEP to ensure data forwarding security. Beneficial to ensure the security of data.
- the message forwarding device 400 may further include an encapsulation module 470.
- the receiving module 420 is used for receiving Ethernet data packets.
- the determining module 430 is also used to determine that the received Ethernet data message needs to be broadcast in the VXLAN network, and discard an Ethernet data message sent through the default VXLAN tunnel.
- the encapsulation module 470 is also used to VXLAN encapsulate an Ethernet data packet through each created VXLAN tunnel.
- the forwarding module 450 is also used to send a VXLAN encapsulated Ethernet data message through each VXLAN tunnel created by the creation module 410 to send a VXLAN data message to a VTEP of the same encryption level or a VTEP of a higher encryption level.
- the determining module 430 is also used to determine the outer destination IP address in the VXLAN encapsulation header of the received VXLAN data message as the IP address of the device; determine the outer source in the VXLAN encapsulation header of the received VXLAN data message The IP address is inconsistent with the destination IP address of each created VXLAN tunnel; make sure that the received VXLAN data packet matches the default VXLAN tunnel.
- the determining module 430 is also used to determine the corresponding access circuit AC according to the virtual LAN VLAN information and in-port information of the received Ethernet data packet; look up the forwarding table in the virtual switching instance VSI associated with the AC and determine that it is in the VXLAN network Received Ethernet data packets broadcast through the default VXLAN tunnel and each created VXLAN tunnel.
- the source IP address of the default VXLAN tunnel created by the creation module 410 is the IP address of the device, the destination IP of the default VXLAN tunnel is empty; the outbound direction of the default VXLAN tunnel is a non-existent physical port.
- the message forwarding device 400 shown in FIGS. 4 and 5 may be implemented by software (for example, machine-readable instructions stored in a memory and executed by a processor), hardware (for example, a processor of an application specific integrated circuit ASIC), or by Software and hardware are implemented together.
- software for example, machine-readable instructions stored in a memory and executed by a processor
- hardware for example, a processor of an application specific integrated circuit ASIC
- Software and hardware are implemented together.
- FIG. 6 shows an example of VTEP provided by the present disclosure.
- the VTEP 600 includes: a forwarding unit 610, a processor 620, and a machine-readable storage medium 630 connected to the processor 620 that stores machine-executable instructions, and a storage unit 630.
- the forwarding unit 610, the processor 620, and the storage unit 630 can communicate via a system bus.
- the forwarding unit 610 may be, for example, a hardware forwarding chip and has multiple physical interfaces (not shown in the figure). Further, the forwarding unit 610 may include the receiving module 420, the determining module 430, the decapsulation module 440, the encapsulating module 470, the forwarding module 450, and the learning module 460 shown in FIGS. 4 and 5.
- the processor 620 reads and executes the machine-executable instructions in the machine-readable storage medium 630 to execute the processing of the creation module 410 in FIGS. 4 and 5.
- the VTEP in the example shown in Figure 6 creates a VXLAN tunnel connecting a VTEP with the same encryption level or a VTEP with a higher encryption level;
- the VTEP sends data packets to further ensure data security.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
本申请提供一种报文转发方法及装置。根据该方法一个示例,VTEP创建缺省VXLAN隧道和一个以上VXLAN隧道。该VTEP设备创建的缺省VXLAN用以匹配每个低密级别的VTEP设备到本设备的VXLAN隧道;该VTEP设备创建的每个VXLAN隧道分别到一个相同密级别的隧道终结点或一个更高密级别的隧道终结点。该VTEP设备确定收到的VXLAN数据报文与缺省VXLAN隧道匹配时,禁止学习收到的VXLAN数据报文的内层源MAC地址,对收到的VXLAN数据报文进行解封装,转发移除VXLAN封装的以太网数据报文。
Description
本申请涉及网络通信技术领域,尤其涉及一种报文转发方法及装置。
虚拟扩展局域网(VXLAN:Virtual Extensible Local Area Network)是一种将二层报文用三层协议进行封装的技术,具体包括:引入一个用户数据包协议(UDP:User Datagram Protocol)格式的外层隧道,作为数据路径层,而原有的报文数据作为净荷来传输。VXLAN网络的涉密信息的保护是需要解决网络保护问题。
图1是本申请实施例提供的一种报文转发方法的流程示意图;
图2是本申请实施例提供的具体应用场景的架构示意图;
图3是本申请实施例提供的另一种具体应用场景的架构示意图;
图4是本申请实施例提供的一种报文转发装置的结构示意图;
图5是本申请实施例提供的一种报文转发装置的结构示意图;
图6是本申请实施例提供的一种报文转发设备的结构示意图。
为了使本技术领域的人员更好地理解本申请实施例中的技术方案,并使本申请实施例的上述目的、特征和优点能够更加明显易懂,下面结合附图对本申请实施例中技术方案作进一步详细的说明。
在VXLAN(Virtual Extensible Local Area Network,虚拟可扩展局域网)的网络中存在高密级别的设备或者网络和低密级别的设备或者网络,为了保证网络的安全,需要确保低密级别的设备或者网络的数据能流向高密级别的设备或者网络,并且高密级别的设备或者网络的数据不能向低密级别的设备或者网络的数据。但是,VTEP会将通过接入电路(Attachment Circuit)收到的广播数据报文、未知单播数据报文以及组播数 据报文,在同一个VXLAN网络进行广播。这样,来自高密级别设备的数据报文会通过VTEP广播到同一个VXLAN,导致泄密。
图1为本申请实施例提供的一种报文转发方法的流程示意图。如图1所示,该报文转发方法可以包括以下处理。
处理101,创建缺省VXLAN隧道,用以匹配每个低密级别的VTEP设备到本设备的VXLAN隧道。
处理102,创建一个以上VXLAN隧道,每个创建的VXLAN隧道分别到一个相同密级别的隧道终结点或一个更高密级别的隧道终结点。
处理103,确定收到的VXLAN数据报文与缺省VXLAN隧道匹配时,禁止学习收到的VXLAN数据报文的内层源MAC地址,对收到的VXLAN数据报文进行解封装,转发移除VXLAN封装的以太网数据报文。
本申请实施例中,为了确保VXLAN网络中低密级别的设备或者网络的数据能流向高密级别的设备或者网络,低密级别的VTEP可以正常创建VXLAN隧道用以向高密级别的VTEP设备发送数据报文,而高密级别的VTEP设备创建缺省VXLAN隧道,用以隔离向同一个VXLAN内的低密级别的VTEP设备发送数据报文。
VTEP设备可以接收低密级别的VTEP设备的通过VXLAN隧道发送给本设备的VXLAN数据报文。需要说明的是,在本申请实施例中,当VTEP设备确定接收到的VXLAN数据报文的外层目的IP地址不是本设备的IP地址时,不需要进行VXLAN隧道终结。VTEP设备可以根据该VXLAN数据报文的外层目的IP地址查找underlay(下层)的三层转发表项进行转发。或这,当VTEP设备根据收到VXLAN数据报文的外层源IP地址和目的IP地址匹配到连接相同保密级或更高保密级VTEP的VXLAN隧道时TEP设备可以对VXLAN数据报文解除VXLAN封装后转发,学习MAC地址,执行常规的VXLAN转发。具体地,VTEP设备确定收到的VXLAN数据报文的目的IP地址为本设备的IP地址,进行VXLAN隧道终结;确定收到的VXLAN数据报文的源IP地址是本设备连接相同保密级或更高保密级VTEP的VXLAN隧道的目的IP地址,则确定接收的VXLAN数据报文的外层源IP地址和目的IP地址匹配到连接相同保密级或更高保密级VTEP的VXLAN隧道。
本图1所示实施例中,为了保证高密级别的设备或者网络的数据不能流向低密级别的设备或者网络,VTEP创建VXLAN隧道连接相同密级别的VTEP或更高密级别的VTEP的VXLAN隧道;并且VTEP不学习来自低密级别VTEP的数据报文的MAC地址,避免保密 级别收到的数据报文发往低己密级别的VTEP,以保证数据转发安全。
为了避免向低密级别VTEP发送VXLAN数据报文,VTEP将来自低密级别VTEP的VXLAN数据报文匹配缺省VXLAN隧道,不进行MAC地址学习,还能进一步节省存储MAC地址表项的硬件资源。
为了使本领域技术人员更好地理解本申请实施例提供的技术方案,下面结合具体应用场景对本申请实施例提供的技术方案进行说明。
图2为本申请实施例提供的一种具体应用场景的架构示意图。图2中,Server(服务器)110和Server 120是相同密级别的低密级别的服务器,Server 130和Server 140为相同密级别的高密级别的服务器,Server 110,Server 120,Server 130以及Server 140分别通过VTEP 210,VTEP 220,VTEP 230以及VTEP 240接入三层核心网络。VTEP 210和VTEP 220是低密级别的VTEP设备,VTEP 230和VTEP 240是高密级别的VTEP设备。
在图2所示的实施例中,VTEP 230和VTEP 240之间创建了用以交互数据报文的VXLAN隧道。VTEP 230创建到VTEP 240的VXLAN隧道34;VXLAN隧道34的源IP地址和目的IP地址分别为VTEP 230的IP地址IP 230,VTEP 240的IP地址IP 240。VTEP 240创建到VTEP 230的VXLAN隧道43;VXLAN隧道43的源IP地址为VTEP 240的IP地址IP 240,目的IP地址为VTEP 230的IP地址IP 230。
VTEP 210和VTEP 220之间可创建了用以交互数据报文的VXLAN隧道(图中未示)。VTEP 210创建到VTEP 220的VXLAN隧道源IP地址和目的IP地址分别为VTEP210的IP地址IP210以及VTEP 220的IP地址IP 220。VTEP 220创建到VTEP 210的VXLAN隧道,该VXLAN隧道的IP地址和目的IP地址分别为VTEP 220的IP地址IP 220以及VTEP 210的IP地址IP 210。
VTEP 210创建到VTEP 240的VXLAN隧道14;VXLAN隧道14的源IP地址为VTEP210的IP地址IP 210,目的IP地址为VTEP 240的IP地址IP 240。VTEP 220创建到VTEP 240的VXLAN隧道(图中未示出),用以向VTEP240发送VXLAN封装的数据报文。VTEP 240创建缺省VXLAN隧道10,设置VXLAN隧道10的出端口为不存在;该缺省VXLAN隧道10的源IP地址为VTEP 240的IP地址,目的IP地址为空(null),即不存在。VTEP 240设置VXLAN隧道10不学习MAC地址,设置VXLAN隧道10的出端口为不存在的物理端口。VTEP 240创建该缺省VXLAN隧道10的源IP地址创建的缺省VXLAN隧道10用以匹配低密级别VTEP向VTEP 240发送VXLAN数据报文的VXLAN隧道, 包括VXLAN隧道14以及VTEP 220上连接VTEP 240的VXLAN隧道。
VTEP 210和VTEP 220可以分别创建到VTEP 230的VXLAN隧道(图中未示),用以向VTEP230发送VXLAN数据报文。VTEP 230可以创建缺省VXLAN隧道(图中未示);其中源IP地址和目的IP地址分别为VTEP 230的IP地址以及空(null)。VTEP 230的缺省VXLAN隧道用以匹配低密级别VTEP210和220到VTEP 230的VXLAN隧道。
在该实施例中,分别以VTEP 210和VTEP 240发出的数据报文的传输为例。
请参见图3,VTEP240创建VSI A,设置VSI A绑定VXLAN_ID1,VTEP240将Server 140与VTEP 240之间的AC 4绑定该VSI A;VTEP210创建VSI A,设置VSI A绑定VXLAN_ID1,VTEP 210设置Server 110接入VTEP 210的AC 1绑定VSI A,设置VXLAN隧道14与VSI A绑定。
属于来自Server 110的流量的以太网数据报文200到达VTEP 210。VTEP 210根据接收到以太网数据报文200的VLAN信息(ident ifier)和入端口信息(port identifier)识别AC 1。VTEP_210在AC 1关联的VSI A的转发表中,确定以太网数据报文200的目的MAC地址对应的出端口为VXLAN隧道14。VTEP210对以太网数据报文200进行VXLAN封装;其中,外层源IP地址为VTEP 210的IP地址,外层目的IP地址为VTEP 240的IP地址;VNI是VXLAN_ID1。VTEP210将VXLAN封装数据报文201通过VXLAN隧道14的出端口发送。
VTEP 240通过VXLAN隧道14接收到VXLAN封装数据报文201,获取VXLAN头的外层目的IP地址,识别获取的外层目的IP地址为本设备的IP地址,但是本设备不存在与该VXLAN封装头中的源IP地址和目的IP地址匹配的VXLAN隧道,即不存在源IP地址为该VXLAN封装头中的目的IP地址,目的IP地址为该VXLAN封装头中的源IP地址的VXLAN隧道。VTEP 240确定这些收到VXLAN封装的数据报文与缺省VXLAN隧道匹配。具体地,VTEP240确定VXLAN封装数据报文201的外层目的IP地址为本设备IP地址,终结VXLAN隧道。VTEP 240检查已创建的VXLAN隧道的目的IP地址与收到的VXLAN封装数据报文201的外层源IP地址是否一致。VTEP 240确定每个已创建的VXLAN隧道的目的IP地址与收到的VXLAN封装数据报文201的外层源IP地址不一致,检查是否创建了本设备VTEP 240的IP地址为源IP地址的缺省VXLAN隧道。VTEP 240确定创建了以本设备VTEP 240的IP地址为源IP地址的缺省VXLAN隧道10,确定收到该VXLAN封装的数据报文201的VXLAN隧道匹配缺省VXLAN隧道10。VTEP_240移除VXLAN数据报文201的VXLAN封装,根据VXLAN数据报文201的VXLAN封装携带的VXLAN_ID(VXLAN ID1) 确定对应的VSI A。VTEP 240的缺省VXLAN隧道10被配置为不学习MAC地址,VTEP 240禁止学习VXLAN数据报文201的内层MAC地址关联于VXLAN隧道14。
VTEP 204在该VSI A的转发表中查找到移除VXLAN封装的以太网数据报文200的目的MAC地址映射的AC_4。VTEP 240通过查找到的AC4将以太网数据报文200发送到Server 140。
来自服务器140的组播数据报文、广播以太网数据报文或者未知单播以太网数据报文202到达VTEP 240。VTEP 240根据收到组播数据报文、广播以太网数据报文或者未知单播以太网数据报文的VLAN标识和入端口标识识别AC 4。VTEP 240在AC 4关联的VSI A内查找广播转发表,为VSI_A的每个VXLAN隧道复制一份,从而在VSI A进行广播。VTEP240通过VXLAN隧道43,将这些需要在VSI A内广播的广播以太网数据报文或者未知单播以太网数据报文封装为VXLAN广播数据报文203,并发送到相同密级别的VTEP230。由于VTEP240的缺省VXLAN隧道10的出端口为空,即不存在的物理端口。VTEP 240丢弃为VXLAN隧道10复制的报文。这样,来自高密级别的服务器的数据报文需要在VSI内广播时,VTEP240只会向VSI内相同保密级别或者更高密级别的VTEP广播,而通过缺省VXLAN隧道10丢弃了发往低密级别的VTEP210和220的VXLAN广播数据报文。
需要说明的是,在本申请实施例中,相同密级别的VTEP 210与VTEP 220之间的VXLAN数据报文转发以及相同密级别VTEP 230与VTEP 240之间的VXLAN数据报文转发按已有方案执行,包括:VTEP240学习来自VTEP230的VXLAN数据报文的内层MAC地址与外层源IP的映射;VTEP230学习来自VTEP220的VXLAN数据报文的内层MAC地址与外层源IP的映射;VTEP240向VTEP230发送需要在VXLAN网络内广播的VXLAN数据报文;VTEP230向VTEP240发送需要在VXLAN网络内广播的VXLAN数据报文等已有转发方案。
通过以上描述可以看出,在本申请实施例提供的技术方案中,实现了高密级别的VTEP设备过滤发往低密级别的VTEP设备的数据报文,有益于保证数据的安全。
图4为本申请实施例提供的一种报文转发装置400的示意图。该装置400可以应用于图2和图3所示的例子中的VTEP设备240或230。如图4所示,该报文转发装置400可以包括:创建模块410,接收模块420,确定模块430,解封装模块440,转发模块450以及学习模块460。
创建模块410,用于创建缺省VXLAN隧道以及创建一个以上VXLAN隧道。创建模块410创建的缺省隧道用以匹配每个低密级别的VTEP设备到本设备的VXLAN隧道。每个由创建模块410创建的VXLAN隧道分别到一个相同密级别的隧道终结点或一个更高密级别的隧道终结点。
接收模块420,接收VXLAN数据报文。
确定模块430,用于确定收到的VXLAN数据报文与缺省VXLAN隧道匹配。
解封装模块440,用于解封装收到的VXLAN数据报文。
学习模块460,用于禁止学习确定模块430确定的匹配缺省VXLAN隧道的VXLAN数据报文的内层源MAC地址。
确定模块430确定匹配缺省VXLAN隧道的VXLAN数据报文由解封装模块440解封装之后,由转发模块450转发移除VXLAN封装的以太网数据报文。
图4所示例子中,应用了报文转发装置400的VTEP创建VXLAN隧道连接相同密级别的VTEP或更高密级别的VTEP的VXLAN隧道;并且该VTEP不学习来自低密级别VTEP的数据报文的MAC地址,避免向低密级别的VTEP发送数据报文,保证数据转发安全。有益于保证了数据的安全性。
在图5所示的例子中,报文转发装置400还可进一步包括封装模块470。
接收模块420,用于接收以太网数据报文。确定模块430,还用于确定收到的以太网数据报文需要在VXLAN网络内广播,丢弃通过缺省VXLAN隧道发送的一份以太网数据报文。封装模块470,还用于通过每个创建的VXLAN隧道对一份以太网数据报文进行VXLAN封装。转发模块450还用于通过创建模块410创建的每个的VXLAN隧道发送一份VXLAN封装的以太网数据报文,用以向相同密级别的VTEP或者更高密级别的VTEP发送VXLAN数据报文。
确定模块430,还用于确定收到的VXLAN数据报文的VXLAN封装头中的外层目的IP地址为本设备的IP地址;确定收到的VXLAN数据报文的VXLAN封装头中的外层源IP地址与每个创建的VXLAN隧道的目的IP地址不一致;确定收到的VXLAN数据文与缺省VXLAN隧道匹配。
确定模块430,还用于根据收到以太网数据报文的虚拟局域网VLAN信息和入端口信息确定对应的接入电路AC;在AC关联的虚拟交换实例VSI内查找转发表,确定在 VXLAN网络内通过缺省VXLAN隧道和每个创建的VXLAN隧道广播的收到的以太网数据报文。
创建模块410创建的缺省VXLAN隧道的源IP地址为本设备的IP地址,缺省VXLAN隧道的目的IP为空;缺省VXLAN隧道的出方向为不存在的物理端口。
图4和图5所示的报文转发装置400可以通过软件实现(例如,存储于存储器并且由处理器运行的机器可读指令)、硬件实现(例如专用集成电路ASIC的处理器),或者由软件和硬件共同实现。
图6所示为本公开提供的一个VTEP例子。图6中,该VTEP600包括:转发单元610、处理器620以及连接处理器620的存储有机器可执行指令的机器可读存储介质630存储单元630。转发单元610、处理器620以及存储单元630之间可经由系统总线通信。
转发单元610例如可以是硬件转发芯片且具有多个物理接口(图中未示)。进一步,转发单元610可包括图4和图5所示的接收模块420,确定模块430,解封装模块440,封装模块470,转发模块450以及学习模块460。
处理器620通过读取并执行机器可读存储介质630中机器可执行指令,用以执行可执行图4以及图5中创建模块410的处理。
图6所示例子中的VTEP创建VXLAN隧道连接相同密级别的VTEP或更高密级别的VTEP的VXLAN隧道;并且该VTEP不学习来自低密级别VTEP的数据报文的MAC地址,避免向低密级别的VTEP发送数据报文,进一步保证了数据的安全性。
以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以位于一个物理硬件,或者也可以分布到多个物理硬件,可以根据实际的需要选择其中的部分或者全部模块来实现本申请方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。
本领域技术人员在考虑说明书及实践这里公开的申请后,将容易想到本申请的其它实施方案。本申请旨在涵盖本申请的任何变型、用途或者适应性变化,这些变型、用途或者适应性变化遵循本申请的一般性原理并包括本申请未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的,本申请的真正范围和精神由下面的权利要求指出。
Claims (10)
- 一种数据报文转发方法,其特征在于,创建缺省VXLAN隧道,用以匹配每个低密级别的VTEP设备到本设备的VXLAN隧道;创建一个以上VXLAN隧道,每个所述创建的VXLAN隧道分别到一个相同密级别的隧道终结点或一个更高密级别的隧道终结点;确定收到的所述VXLAN数据报文与缺省VXLAN隧道匹配时,对所述收到的VXLAN数据报文进行解封装,禁止学习所述收到的VXLAN数据报文的内层源MAC地址,转发移除VXLAN封装的以太网数据报文。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:确定收到的以太网数据报文需要在VXLAN网络内广播,丢弃所述通过所述缺省VXLAN隧道发送的一份所述以太网数据报文;通过每个所述创建的VXLAN隧道对一份所述以太网数据报文进行VXLAN封装,通过每个所述创建的VXLAN隧道发送一份VXLAN封装的以太网数据报文。
- 根据权利要求1所述的方法,其特征在于,所述确定收到的所述VXLAN数据报文与缺省VXLAN隧道匹配,包括:确定所述收到的VXLAN数据报文的VXLAN封装头中的外层目的IP地址为本设备的IP地址;确定所述收到的VXLAN数据报文的VXLAN封装头中的外层源IP地址与每个所述创建的VXLAN隧道的目的IP地址不一致;确定所述收到的VXLAN数据文与所述缺省VXLAN隧道匹配。
- 根据权利要求2所述的方法,其特征在于,确定收到的以太网数据报文需要在VXLAN网络内广播之前,所述方法还包括:根据所述收到以太网数据报文的虚拟局域网VLAN信息和入端口信息确定对应的接入电路AC;在所述AC关联的虚拟交换实例VSI内查找转发表,确定在所述VXLAN网络内通过所述缺省VXLAN隧道和每个所述创建的VXLAN隧道广播的所述收到的以太网数据报文。
- 根据权利要求1所述的方法,其特征在于,所述缺省VXLAN隧道的源IP地址为本设备的IP地址,所述缺省VXLAN隧道的目的IP为空;所述缺省VXLAN隧道的出方向为不存在的物理端口。
- 一种报文转发装置,其特征在于,创建模块,用于创建缺省VXLAN隧道以及创建一个以上VXLAN隧道;其中,所述缺 省隧道用以匹配每个低密级别的VTEP设备到本设备的VXLAN隧道;每个所述创建的VXLAN隧道分别到一个相同密级别的隧道终结点或一个更高密级别的隧道终结点;接收模块,接收VXLAN数据报文;确定模块,用于确定收到的所述VXLAN数据报文与缺省VXLAN隧道匹配;解封装模块,用于解封装所述收到的VXLAN数据报文;学习模块,用于禁止学习所述收到的VXLAN数据报文的内层源MAC地址;转发模块,转发移除VXLAN封装的以太网数据报文。
- 根据权利要求6所述的装置,其特征在于,所述装置还包括封装模块;所述接收模块,用于接收以太网数据报文;所述确定模块,还用于确定收到的以太网数据报文需要在VXLAN网络内广播,丢弃所述通过所述缺省VXLAN隧道发送的一份所述以太网数据报文;所述封装模块,还用于通过每个所述创建的VXLAN隧道对一份所述以太网数据报文进行VXLAN封装;所述转发模块,还用于通过每个所述创建的VXLAN隧道发送一份VXLAN封装的以太网数据报文。
- 根据权利要求6所述的装置,其特征在于,所述确定模块,还用于确定所述收到的VXLAN数据报文的VXLAN封装头中的外层目的IP地址为本设备的IP地址;确定所述收到的VXLAN数据报文的VXLAN封装头中的外层源IP地址与每个所述创建的VXLAN隧道的目的IP地址不一致;确定所述收到的VXLAN数据文与所述缺省VXLAN隧道匹配。
- 根据权利要求7所述的装置,其特征在于,所述确定模块还用于,根据所述收到以太网数据报文的虚拟局域网VLAN信息和入端口信息确定对应的接入电路AC;在所述AC关联的虚拟交换实例VSI内查找转发表,确定在所述VXLAN网络内通过所述缺省VXLAN隧道和每个所述创建的VXLAN隧道广播的所述收到的以太网数据报文。
- 根据权利要求6所述的装置,其特征在于,所述创建模块创建的所述缺省VXLAN隧道的源IP地址为本设备的IP地址,所述缺省VXLAN隧道的目的IP为空;所述缺省VXLAN隧道的出方向为不存在的物理端口。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811426641.8 | 2018-11-27 | ||
CN201811426641.8A CN109474507B (zh) | 2018-11-27 | 2018-11-27 | 一种报文转发方法及装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020108531A1 true WO2020108531A1 (zh) | 2020-06-04 |
Family
ID=65674266
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/121267 WO2020108531A1 (zh) | 2018-11-27 | 2019-11-27 | 报文转发 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109474507B (zh) |
WO (1) | WO2020108531A1 (zh) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113286011A (zh) * | 2021-04-27 | 2021-08-20 | 锐捷网络股份有限公司 | 基于vxlan的ip地址分配方法及装置 |
CN113794635A (zh) * | 2021-08-05 | 2021-12-14 | 新华三信息安全技术有限公司 | 一种报文转发方法及设备 |
CN113872847A (zh) * | 2021-11-18 | 2021-12-31 | 浪潮思科网络科技有限公司 | 一种基于vxlan网络的报文转发方法、设备及介质 |
CN113992582A (zh) * | 2021-09-17 | 2022-01-28 | 新华三信息安全技术有限公司 | 一种报文转发方法及设备 |
CN114374641A (zh) * | 2021-12-23 | 2022-04-19 | 锐捷网络股份有限公司 | 一种三层报文转发方法及装置 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101127680A (zh) * | 2007-07-20 | 2008-02-20 | 胡德勇 | Usb光纤单向物理隔离网闸 |
CN103491072A (zh) * | 2013-09-06 | 2014-01-01 | 北京信息控制研究所 | 一种基于双单向隔离网闸的边界访问控制方法 |
US20140003434A1 (en) * | 2012-06-29 | 2014-01-02 | Avaya, Inc. | Method for Mapping Packets to Network Virtualization Instances |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016540448A (ja) * | 2013-12-11 | 2016-12-22 | 華為技術有限公司Huawei Technologies Co.,Ltd. | 仮想拡張lanの通信方法、装置、及びシステム |
CN106067864B (zh) * | 2016-06-02 | 2021-05-07 | 新华三技术有限公司 | 一种报文处理方法及装置 |
CN106130865B (zh) * | 2016-07-07 | 2020-11-27 | 新华三技术有限公司 | 一种终端间的通信方法及装置 |
-
2018
- 2018-11-27 CN CN201811426641.8A patent/CN109474507B/zh active Active
-
2019
- 2019-11-27 WO PCT/CN2019/121267 patent/WO2020108531A1/zh active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101127680A (zh) * | 2007-07-20 | 2008-02-20 | 胡德勇 | Usb光纤单向物理隔离网闸 |
US20140003434A1 (en) * | 2012-06-29 | 2014-01-02 | Avaya, Inc. | Method for Mapping Packets to Network Virtualization Instances |
CN103491072A (zh) * | 2013-09-06 | 2014-01-01 | 北京信息控制研究所 | 一种基于双单向隔离网闸的边界访问控制方法 |
Non-Patent Citations (1)
Title |
---|
HENAULXYXA UPLOAD: "Non-official translation: 17-VXLAN Configuration Guide-VXLAN Configuration", BAIDU LIBRARY, 22 August 2015 (2015-08-22), DOI: 20200209111037Y * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113286011A (zh) * | 2021-04-27 | 2021-08-20 | 锐捷网络股份有限公司 | 基于vxlan的ip地址分配方法及装置 |
CN113286011B (zh) * | 2021-04-27 | 2023-08-22 | 锐捷网络股份有限公司 | 基于vxlan的ip地址分配方法及装置 |
CN113794635A (zh) * | 2021-08-05 | 2021-12-14 | 新华三信息安全技术有限公司 | 一种报文转发方法及设备 |
CN113794635B (zh) * | 2021-08-05 | 2023-04-07 | 新华三信息安全技术有限公司 | 一种报文转发方法及设备 |
CN113992582A (zh) * | 2021-09-17 | 2022-01-28 | 新华三信息安全技术有限公司 | 一种报文转发方法及设备 |
CN113872847A (zh) * | 2021-11-18 | 2021-12-31 | 浪潮思科网络科技有限公司 | 一种基于vxlan网络的报文转发方法、设备及介质 |
CN114374641A (zh) * | 2021-12-23 | 2022-04-19 | 锐捷网络股份有限公司 | 一种三层报文转发方法及装置 |
CN114374641B (zh) * | 2021-12-23 | 2023-06-16 | 锐捷网络股份有限公司 | 一种三层报文转发方法及装置 |
Also Published As
Publication number | Publication date |
---|---|
CN109474507B (zh) | 2020-12-04 |
CN109474507A (zh) | 2019-03-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11765000B2 (en) | Method and system for virtual and physical network integration | |
US11240065B2 (en) | NSH encapsulation for traffic steering | |
WO2020108531A1 (zh) | 报文转发 | |
CN106936939B (zh) | 一种报文处理方法、相关装置及nvo3网络系统 | |
CN109218178B (zh) | 一种报文处理方法及网络设备 | |
CN103841023B (zh) | 数据转发的方法和设备 | |
US9768968B2 (en) | Method and apparatus for processing multicast packet on network virtualization over layer 3 (NVO3) network | |
CN102316030B (zh) | 一种实现数据中心二层互联的方法和装置 | |
WO2015074394A1 (zh) | 一种报文转发方法及装置 | |
WO2014194711A1 (zh) | 报文处理方法、设备标签处理方法及设备 | |
WO2021082803A1 (zh) | 路由信息传输方法及装置、数据中心互联网络 | |
WO2013139159A1 (zh) | 在网络中转发报文的方法和运营商边缘设备 | |
WO2020220459A1 (zh) | 基于VXLAN和OpenFlow的虚拟家庭网络共享方法及系统 | |
WO2022117018A1 (zh) | 报文传输的方法和装置 | |
WO2017036384A1 (zh) | 运营商边缘设备及数据转发方法 | |
CN113794615A (zh) | 一种报文转发方法及设备 | |
CN107547691B (zh) | 地址解析协议报文代理方法和装置 | |
CN113542441B (zh) | 一种通信处理方法及装置 | |
CN115955512A (zh) | 一种数据传输方法、设备和计算机可读存储介质 | |
CN112688887A (zh) | 一种隧道的配置方法和节点设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19889856 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 19889856 Country of ref document: EP Kind code of ref document: A1 |