WO2021093372A1 - Data packet processing method and device, and storage medium and system - Google Patents

Publication number
WO2021093372A1
Authority
WO
WIPO (PCT)
Prior art keywords
segment
micro
network device
identifier
segment identifier
Prior art date
Application number
PCT/CN2020/105056
Other languages
French (fr)
Chinese (zh)
Inventor
白涛
杜正贤
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H04L45/34 Source routing
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]

Definitions

  • This application relates to the field of communications, and in particular to a method, device, storage medium and system for processing data messages.
  • Micro-segmentation is a virtual network division method that can divide subnets based on Internet Protocol (IP) address, IP network segment, Media Access Control (MAC) address, virtual machine (VM) name, container, or operating system, and can support fine-grained network isolation. For example, different devices belonging to the same virtual local network (VLAN) can also be isolated from each other.
  • IP Internet Protocol
  • MAC Media Access Control
  • VM virtual machine
  • a micro-segment corresponds to an endpoint group.
  • An endpoint group is a set of endpoints with the same characteristics.
  • the endpoints provide applications or services.
  • the endpoints can be virtual machines.
  • An endpoint group represents a group of applications or services. These applications or services are grouped into a micro-segment and can have the same security policy level.
  • Segment routing is a protocol designed to forward data messages in a network based on the concept of source routing.
  • the head node inserts a set of ordered segment identifiers into the data message to explicitly specify the forwarding path of the data message.
  • MPLS multi-protocol label switching
  • MPLS-SR MPLS-based segment routing
  • When SR is applied to the Internet Protocol version 6 (IPv6) data plane, it is called IPv6-based segment routing (SRv6).
  • A segment identifier (Segment ID, SID) represents a node or a link.
  • In SRv6, the SID is represented as a 128-bit value; in SR-MPLS, the SID is represented as a label value.
  • An SRv6 segment identifier can include a functional part, which indicates that the network device that issues the segment identifier needs to execute the corresponding action.
  • Segment ID list (SID List): a list containing a group of segment identifiers. After receiving the data message, the head node in the segment routing network inserts one SID List into the data message, which can explicitly indicate one forwarding path.
  • This application provides a data message processing method and device, which are used to implement data message access control in a segment routing network according to micro-segmentation information, and reduce configuration complexity.
  • A data packet processing method is provided, including: a first network device in a segment routing network receives a first data packet, where the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; the first network device determines a processing action on the first data packet according to the first micro-segment segment identifier; and the first network device performs the processing action on the first data packet.
  • The network device in the SR network directly obtains the micro-segment segment identifier from the received data message and then performs the corresponding processing action on the data message according to the micro-segment segment identifier, which can reduce the complexity of network configuration and further reduce the number of table lookups when the network device implements access control of the data message according to micro-segmentation.
  • Determining, by the first network device, a processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device determines the processing action on the first data packet according to the correspondence between the first micro-segment segment identifier and the processing action.
  • The network device in the SR network directly determines the processing action according to the correspondence between the micro-segment segment identifier and the processing action, thereby reducing the number of table lookups when the network device implements access control of the data message according to micro-segmentation.
  • The first network device performing a processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device obtains the first micro-segment directly from the first micro-segment segment identifier; the first network device performs the processing action on the first data packet according to the first micro-segment.
  • The network device in the SR network directly obtains the micro-segment segment identifier from the received data message, directly obtains the micro-segment from the micro-segment segment identifier, and then performs the corresponding processing action on the data message according to the micro-segment, which can reduce the complexity of network configuration and further reduce the number of table lookups when the network device implements data message access control according to micro-segmentation.
  • the first network device and the second network device are the same network device
  • the first micro-segment segment identifier includes a functional part
  • the first network device is based on the first differential
  • the method further includes: the first network device determines that the functional part is used to indicate that the first network device determines the processing action for the first data packet according to the first micro-segment segment identifier.
  • the network configuration can be reduced.
  • the first data message further includes a second micro-segment segment identifier, and the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network; the first network device performing a processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device performs a processing action on the first data packet according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • the first network device executing the processing action according to the first micro-segment segment identifier and the second micro-segment segment identifier includes: the first micro-segment segment identifier includes the first micro-segment, and the second micro-segment segment identifier includes a second micro-segment; the first network device performs the processing action on the first data packet according to the first micro-segment and the second micro-segment.
  • the first data message further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, and the first micro-segment segment identifier and the second micro-segment segment identifier are added to the first data packet by the third network device; the first network device determining the processing action on the first data packet includes: the first network device determines a processing action on the first data packet according to the correspondence between a matching condition and the processing action, where the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  • the segment identifier list of the first data packet includes the first micro-segment segment identifier.
  • the segment identifier list further includes the second micro-segment segment identifier, or the first data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the second micro-segmentation segment identifier is carried in the source and destination address of the header of the first data message.
  • the segment identification list is carried in the segment routing header or the multi-protocol label switching label stack of the first data packet.
  • the network device carries the first micro-segment segment identifier in the segment identifier list, and the segment identifier list is carried in the segment routing header or the multi-protocol label switching label stack of the second data message, which makes it possible to use the control and forwarding mechanism of the segment routing network and reduces the implementation complexity of the solution of the present invention.
  • the network device carries the second micro-segment segment identifier in the segment identifier list or metadata, which is similar to directly carrying the micro-segment feature of the data message in the message; this allows other devices in the segment routing network to obtain the second micro-segment segment identifier without complicated configuration and multiple table lookups, which helps reduce the overall device overhead of the segment routing network.
  • the segment routing header of the first data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the network device carries, in the segment routing header of the first data packet, a carrying flag that identifies the carrying manner of the second micro-segment segment identifier, so that the first network device can use the indication of the carrying flag to directly obtain the second micro-segment segment identifier from the position indicated by the carrying flag.
  • the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • the solution of the present invention can match the requirements of multiple network services and meet more application scenarios.
  • the second network device and the first network device are the same device.
  • the first network device sends a notification message, the notification message carrying the first micro-segment segment identifier; or the first network device sends a border network protocol link state message,
  • the link state message carries the first micro-segment segment identifier; or the first network device sends a path calculation unit communication protocol message, and the path calculation unit communication protocol message carries the first micro-segment segment identifier.
  • the first network device can issue a micro-segment segment identifier that identifies its own micro-segment, so that other network devices in the segment routing network can obtain the micro-segment identification information of the first network device; this notifies the other network devices in the segment routing network that the first network device has the ability to process data packets according to the micro-segment segment identifier, along with the corresponding routing information.
  • the first network device performing the processing action on the first data packet includes: the first network device generates a second data message, where the second data message does not include the first micro-segment segment identifier; the first network device sends the second data message.
  • when the processing action includes forwarding or marking, the first network device performing a processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device strips the segment identifier list in the first data message to obtain a second data message; when the second micro-segment segment identifier is carried in the metadata, the first network device also strips the metadata in the first data message to obtain the second data message; the first network device sends the second data message.
  • the SRH in the data message is stripped, and when the second micro-segment segment identifier is carried in the metadata, the metadata is also stripped. Stripping the information related to the segment routing network in this way is similar to restoring the forwarded data message, so as to avoid affecting the subsequent forwarding of the data message.
  • the second network device and the first network device are different devices.
  • the first data message further includes a micro-segment node segment identifier
  • the micro-segment node segment identifier is the segment identifier of the first network device
  • the micro-segment node segment identifier is used to instruct the first network device to process the first data packet according to the first micro-segment segment identifier.
  • the first network device sends a notification message, the notification message carrying the micro-segment node segment identifier; or the first network device sends a border network protocol link state message,
  • the link state message publishes the micro-segment node segment identifier; or the first network device sends a path calculation unit communication protocol message, and the path calculation unit communication protocol message carries the micro-segment node segment identifier.
  • the intermediate node in the segment routing network issues its micro-segment node segment identifier, so that when the first network device generates the second data packet according to the first data packet, the micro-segment node segment identifier can be carried in the second data message, and the intermediate node can also perform processing actions on the data message according to the carried first and second micro-segment segment identifiers.
  • A data packet processing method is provided, including: a first network device in a segment routing network receives a first data packet; the first network device determines a first micro-segment segment identifier according to the first data packet, where the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data message does not include the first micro-segment segment identifier, and the first data message is a data message sent to the second network device; the first network device determines a processing action on the first data message according to the first micro-segment segment identifier; the first network device performs the processing action on the first data packet.
  • the head node in the SR network can determine, from the segment identifier table and according to the longest matching principle, the micro-segment segment identifier of the tail node to which the received data message is to be sent (it can be called the destination micro-segment segment identifier), without the need to configure the relationship between the IP addresses of all devices in the entire network and micro-segmentation on the head node, which can reduce the complexity of network configuration.
  • determining, by the first network device, a processing action on the first data packet according to the first micro-segmentation segment identifier includes:
  • the first network device determines a processing action on the first data packet according to the correspondence between the first micro-segmentation segment identifier and the processing action.
  • the method further includes: the second network device obtains the correspondence, where the correspondence includes a mapping relationship between the first micro-segment segment identifier and the processing action.
  • the second network device performing a processing action on the first data packet according to the first micro-segment segment identifier includes: the second network device executes the processing action according to the first micro-segment segment identifier and a second micro-segment segment identifier, where the second micro-segment segment identifier is used to identify a micro-segment of the second network device; the method further includes: the second network device determines the second micro-segment segment identifier according to the received first data message.
  • the second network device executing the processing action according to the first micro-segment segment identifier and the second micro-segment segment identifier includes: the first micro-segment segment identifier includes the first micro-segment, and the second micro-segment segment identifier includes a second micro-segment; the second network device performs the processing action on the first data packet according to the first micro-segment and the second micro-segment.
  • the head node uses the above-mentioned destination micro-segment segment identifier and the head node's micro-segment segment identifier (which can be referred to as the source micro-segment segment identifier) as the matching condition for data message access policy control; or, the head node network device can also determine the micro-segment corresponding to the source micro-segment segment identifier (which may be referred to as the source micro-segment) and the above-mentioned destination micro-segment, and then use the source micro-segment and the destination micro-segment as the matching condition when controlling the access policy of the data message.
  • the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • the solution of the present invention can match the requirements of multiple network services and meet more application scenarios.
  • the first micro-segment segment identifier includes a functional part, and the functional part is used to indicate that the second network device determines the processing action on the first data packet according to the first micro-segment segment identifier.
  • the network configuration can be reduced.
  • the first network device further determines the second micro-segment segment identifier according to the received first data packet, where the second micro-segment segment identifier is used to identify a micro-segment of the first network device; the first network device determining the processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device determines a processing action for the first data packet according to the correspondence between a matching condition and the processing action, where the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  • when the processing action includes forwarding or marking, the second network device performing a processing action on the first data packet according to the first micro-segment segment identifier includes: the second network device generates a second data message according to the first data message, where the second data message includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier; the second network device sends the second data packet to the first network device.
  • the second data message generated by the second network device carries the first micro-segment segment identifier. Only the second network device, such as the head node that forwards the first data message in a segment routing network, needs to carry the first micro-segment segment identifier in subsequent data messages, without the need for other network devices to determine the first micro-segment segment identifier again, which reduces the overall network device overhead.
  • the segment identifier list further includes the second micro-segment segment identifier, or the second data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the second micro-segmentation segment identifier is carried in the source and destination address of the header of the second data packet.
  • By carrying the second micro-segment segment identifier in the segment identifier list or metadata, which is similar to directly carrying the micro-segment feature of the data message in the message, other devices in the segment routing network can obtain the second micro-segment segment identifier without multiple comparison calculations, which helps reduce the overall device overhead of the segment routing network.
  • the segment identifier list is carried in the segment routing header of the second data packet or the multi-protocol label switching MPLS label stack.
  • the segment routing header of the second data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the network device receiving the second data message can use the indication of the carrying flag to directly obtain the second micro-segment segment identifier from the location indicated by the carrying flag.
  • the second network device also obtains the micro-segment node segment identifier of the third network device, where the micro-segment node segment identifier is used to instruct the third network device to process the first data message according to the first micro-segment segment identifier; the segment identifier list also includes the micro-segment node segment identifier.
  • By obtaining the micro-segment node segment identifier of the third network device, such as an intermediate node that forwards the first data packet in the segment routing network, the second network device can carry the micro-segment node segment identifier in the second data message when generating the second data message based on the first data packet, so that the intermediate network node that publishes the micro-segment node segment identifier can also perform processing actions on the data message according to the carried first micro-segment segment identifier.
  • the second network device receives a configuration instruction, and obtains the second micro-segment segment identifier from the configuration instruction; or the second network device generates the second micro-segment node segment identifier.
  • the second network device sends a notification message, the notification message carrying the second micro-segment segment identifier; or the second network device sends a border network protocol link state message,
  • the link state message carries the second micro-segment segment identifier; or the second network device sends a path calculation unit communication protocol message, and the path calculation unit communication protocol message carries the second micro-segment segment identifier.
  • the second network device can also issue the micro-segment segment identifier that identifies its own micro-segment, so that other network devices in the segment routing network can also obtain the micro-segment identification information of the second network device; this notifies the other network devices in the segment routing network that the second network device has the ability to process data packets according to the micro-segment segment identifier, along with the corresponding routing information.
  • the second micro-segment segment identifier includes a functional part, and the functional part is used to indicate that the first network device determines the processing action on the first data packet according to the second micro-segment segment identifier.
  • the network configuration can be reduced.
  • the second network device determining the second micro-segment segment identifier according to the received first data packet includes: the second network device determines the second micro-segment segment identifier according to the source address of the first data packet, or the second network device determines the second micro-segment segment identifier according to the interface through which the first data message is received.
  • the network device can determine the second micro-segment segment identifier corresponding to the first data packet in multiple ways and is not limited to a single solution, so the solution applies to more scenarios.
  • the second network device determining the first micro-segment segment identifier according to the first data packet includes: the second network device determines the first micro-segment segment identifier according to the destination address or the differentiated services code point of the first data packet.
  • determining the first micro-segment segment identifier according to the destination address or the differentiated services code point of the first data message does not require adding extra feature information to the solution, so the solution has a wider application range.
  • the second network device receives a notification message sent by the second network device, and obtains the first micro-segment segment identifier through the notification message; or the second network device receives the first micro-segment segment identifier sent by the controller or the path calculation unit.
  • the network device receives the micro-segment segment identifiers issued by other network devices in the segment routing network in a variety of ways, so that the present invention can be used in multiple segment routing network scenarios.
  • a first network device is provided.
  • the first network device is applied to a segment routing network and includes: a receiving unit configured to receive a first data packet, where the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device
  • the processing unit is configured to determine a processing action on the first data packet according to the first micro-segmentation segment identifier; the processing unit is configured to perform the processing action on the first data packet.
  • the processing unit being configured to determine a processing action for the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to determine the processing action for the first data packet according to the correspondence between the first micro-segment segment identifier and the processing action.
  • the first network device and the second network device are the same network device
  • the first micro-segment identifier includes a functional part
  • the processing unit is configured to perform according to the first differential
  • the processing unit is further specifically configured to: determine that the functional part is used to indicate that the processing unit determines the processing action on the first data message according to the first micro-segment segment identifier.
  • the first data message further includes a second micro-segment segment identifier
  • the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network
  • the processing unit being configured to perform a processing action on the first data message according to the first micro-segment segment identifier is specifically: the processing unit is configured to perform a processing action on the first data message according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • the segment identifier list of the first data packet includes the first micro-segment segment identifier.
  • the segment identifier list further includes the second micro-segment segment identifier, or the first data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the segment identifier list is carried in the segment routing header or the multi-protocol label switching label stack of the second data packet.
  • the segment routing header of the first data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the first network device further includes a sending unit, and the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • the second network device and the first network device are the same device.
  • the sending unit is configured to send a notification message, the notification message carrying the first micro-segment segment identifier; or the sending unit is configured to send a border network protocol link status report
  • the link state message carries the first micro-segment segment identifier; or the sending unit is configured to send a path calculation unit communication protocol message, and the path calculation unit communication protocol message carries the first differential Segment identifier.
  • the first network device further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit performing the processing action on the first data packet is specifically: the processing unit generates a second data packet, and the second data packet does not include the first micro-segment segment identifier; the sending unit is configured to send the second data packet.
  • when the processing action includes forwarding or marking, the processing unit being configured to perform a processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to strip the segment identifier list from the first data message to obtain a second data message; when the second micro-segment segment identifier is carried in the metadata, the processing unit is further configured to strip the metadata from the first data message to obtain the second data message; the first network device sends the second data message.
  • the second network device and the first network device are different devices.
  • the first data message further includes a micro-segment node segment identifier, the micro-segment node segment identifier is the segment identifier of the first network device, and the micro-segment node segment identifier is used to instruct the first network device to process the first data packet according to the first micro-segment segment identifier.
  • the first network device and the second network device are different devices, the first data message further includes a micro-segment node segment identifier, the micro-segment node segment identifier is the segment identifier of the first network device, the micro-segment node segment identifier includes a functional part, and the functional part is used to instruct: the processing unit determines, according to the first micro-segment segment identifier, the processing action on the first data packet.
  • the sending unit is configured to: send a notification message, the notification message carrying the micro-segment node segment identifier; or send a Border Gateway Protocol link state message, the link state message publishing the micro-segment node segment identifier; or send a path calculation unit communication protocol message, the path calculation unit communication protocol message carrying the micro-segment node segment identifier.
  • a second network device, which is applied to a segment routing network, including: the receiving unit is configured to receive a first data message; the processing unit is configured to determine a first micro-segment segment identifier according to the first data message, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data message does not include the first micro-segment segment identifier, and the first data message is a data message sent to the second network device; the processing unit is further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier; the processing unit is further configured to perform the processing action on the first data packet.
  • the processing unit being further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to determine the processing action for the first data packet according to the correspondence between the first micro-segment segment identifier and the processing action.
  • the first micro-segment segment identifier includes a functional part, and the functional part is used to indicate: the second network device determines the processing action on the first data packet according to the first micro-segment segment identifier.
  • the processing unit being configured to perform a processing action on the first data message according to the first micro-segment segment identifier is specifically: the processing unit is configured to perform the processing action according to the first micro-segment segment identifier and a second micro-segment segment identifier, the second micro-segment segment identifier being used to identify a micro-segment of the second network device; the processing unit is further configured to: determine the second micro-segment segment identifier according to the received first data message.
  • the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • the second network device further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit being further configured to perform the processing action on the first data packet is specifically: the processing unit is configured to generate a second data message according to the first data message, the second data message including the first micro-segment segment identifier; the sending unit is configured to send the second data packet to the second network device.
  • the second micro-segment segment identifier includes a functional part, and the functional part is used to indicate: the first network device determines the processing action on the first data packet according to the second micro-segment segment identifier.
  • the processing unit further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit performing the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to generate a second data message according to the first data message, the second data message includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier; the sending unit is configured to send the second data message to the first network device.
  • the segment identifier list further includes the second micro-segment segment identifier, or the second data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the receiving unit is further configured to receive a micro-segment node segment identifier of a third network device, the micro-segment node segment identifier being used to instruct the third network device to process the first data message according to the first micro-segment segment identifier; the segment identifier list also includes the micro-segment node segment identifier.
  • the segment identifier list is carried in the segment routing header of the second data packet or the multi-protocol label switching MPLS label stack.
  • the segment routing header of the second data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the receiving unit is further configured to receive a configuration instruction, and obtain the second micro-segment segment identifier from the configuration instruction; or the processing unit is further configured to generate the second micro-segment node segment identifier.
  • the sending unit is configured to send a notification message, the notification message carrying the second micro-segment segment identifier; or the sending unit is configured to send a Border Gateway Protocol link state message, the link state message carrying the second micro-segment segment identifier; or the sending unit is configured to send a path calculation unit communication protocol message, the path calculation unit communication protocol message carrying the second micro-segment segment identifier.
  • the processing unit being further configured to determine the second micro-segment segment identifier according to the received first data packet is specifically: the processing unit is configured to determine the second micro-segment segment identifier according to the source address of the first data message, or the processing unit is configured to determine the second micro-segment segment identifier according to the interface through which the first data message is received.
  • the processing unit being configured to determine the first micro-segment segment identifier according to the first data packet is specifically: the processing unit is configured to determine the first micro-segment segment identifier according to the destination address or a differentiated services code point of the first data packet.
  • the receiving unit is further configured to receive the first micro-segment segment identifier in the notification message sent by the second network device; or the receiving unit is further configured to receive the first micro-segment segment identifier sent by the controller or the path calculation unit.
  • a first network device, which is applied to a segment routing network and includes: a communication interface, a memory, and a processor; the communication interface is configured to receive a first data packet, the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; the processor is configured to determine a processing action on the first data packet according to the first micro-segment segment identifier; the processor performs the processing action on the first data packet.
  • the processor determining the processing action on the first data packet according to the first micro-segment segment identifier includes: the processor determines the processing action on the first data packet according to the correspondence between the first micro-segment segment identifier and the processing action.
  • the first network device and the second network device are the same network device
  • the first micro-segmentation identifier includes a functional part
  • the processor is configured according to the first micro-segmentation identifier
  • the processor is further configured to: determine that the functional part is used to instruct: the first network device determines the processing action on the first data packet according to the first micro-segment segment identifier.
  • the first data message further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, and the processor being configured to perform a processing action on the first data message according to the first micro-segment segment identifier is specifically: the processor is further configured to perform the processing action on the first data message according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • the segment identifier list of the first data packet includes the first micro-segment segment identifier.
  • the segment identifier list further includes the second micro-segment segment identifier, or the first data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the segment identifier list is carried in the segment routing header of the second data packet or the multi-protocol label switching MPLS label stack.
  • the segment routing header of the first data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • the second network device and the first network device are the same device.
  • the communication interface is also used to send a notification message, the notification message carrying the first micro-segment segment identifier; or the communication interface is also used to send a Border Gateway Protocol link state message, the link state message carrying the first micro-segment segment identifier; or the communication interface is also used to send a path calculation unit communication protocol message, the path calculation unit communication protocol message carrying the first micro-segment segment identifier.
  • when the processing action includes forwarding or marking, the processor being configured to perform a processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is configured to strip the segment identifier list from the first data message to obtain a second data message; when the processor determines that the second micro-segment segment identifier is carried in the metadata, the processor is further configured to strip the metadata from the first data message to obtain the second data message; the communication interface is also configured to send the second data message.
  • the second network device and the first network device are different devices.
  • the first data message further includes a micro-segment node segment identifier, the micro-segment node segment identifier is the segment identifier of the first network device, and the micro-segment node segment identifier is used to instruct the first network device to process the first data packet according to the first micro-segment segment identifier.
  • the communication interface is also used to send a notification message, the notification message carrying the micro-segment node segment identifier; or the communication interface is also used to send a Border Gateway Protocol link state message, the link state message advertising the micro-segment node segment identifier; or the communication interface is also used to send a path calculation unit communication protocol message, the path calculation unit communication protocol message carrying the micro-segment node segment identifier.
  • a second network device is provided. The second network device is applied to a segment routing network and includes: a communication interface, a memory, and a processor; the communication interface is used to receive a first data packet; the processor is configured to determine a first micro-segment segment identifier according to the first data packet, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data packet does not include the first micro-segment segment identifier, and the first data packet is a data packet sent to the second network device; the processor is further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier; the processor is further configured to perform the processing action on the first data packet.
  • the processor being configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is configured to determine the processing action on the first data packet according to the correspondence between the first micro-segment segment identifier and the processing action.
  • the processor being configured to perform a processing action on the first data message according to the first micro-segment segment identifier is specifically: the processor is configured to perform the processing action according to the first micro-segment segment identifier and the second micro-segment segment identifier, the second micro-segment segment identifier being used to identify a micro-segment of the second network device; the processor is further specifically configured to: determine the second micro-segment segment identifier according to the received first data packet.
  • the communication interface is further configured to receive a notification message sent by the second network device, and the processor is further configured to obtain the first micro-segment segment identifier from the notification message; or the communication interface is further configured to receive a control message sent by a controller or a path calculation unit, and the processor is further configured to obtain the first micro-segment segment identifier from the control message.
  • the processing action includes: forwarding, discarding, marking, redirection, or mirroring.
  • when the processing action includes forwarding or marking, the processor being configured to perform a processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is configured to generate a second data message according to the first data message, the second data message includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier; the communication interface is used to send the second data packet to the first network device.
  • the segment identifier list further includes the second micro-segment segment identifier, or the second data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  • the segment identifier list is carried in the segment routing header of the second data packet or the multi-protocol label switching MPLS label stack.
  • the segment routing header of the second data message further includes a carrying flag, and the carrying flag identifies a carrying manner of the second micro-segment segment identifier.
  • the processor is further configured to obtain a micro-segment node segment identifier of a third network device, the micro-segment node segment identifier being used to instruct the third network device to process the first data message according to the first micro-segment segment identifier; the segment identifier list also includes the micro-segment node segment identifier.
  • the communication interface is configured to receive a configuration instruction, and the processor is configured to obtain the second micro-segment segment identifier from the configuration instruction; or the processor is configured to generate the second micro-segment node segment identifier.
  • the sending unit is configured to send a notification message, the notification message carrying the second micro-segment segment identifier; or the sending unit is configured to send a Border Gateway Protocol link state message, the link state message carrying the second micro-segment segment identifier; or the sending unit is configured to send a path calculation unit communication protocol message, the path calculation unit communication protocol message carrying the second micro-segment segment identifier.
  • in a seventh aspect, a network device is provided; the network device includes a main control board and an interface board, and may further include a switching network board.
  • the network device is used to execute the first aspect or the method in any possible implementation manner of the first aspect.
  • the network device includes a module for executing the method in the first aspect or any possible implementation of the first aspect.
  • in an eighth aspect, a network device is provided; the network device includes a main control board and an interface board, and may further include a switching network board.
  • the network device is used to execute the second aspect or the method in any possible implementation manner of the second aspect.
  • the network device includes a module for executing the second aspect or the method in any possible implementation manner of the second aspect.
  • in a ninth aspect, a network system is provided; the network system includes a first network device and a second network device.
  • the first network device is provided by any one of the optional methods of the third aspect or the fifth aspect.
  • a computer-readable storage medium is provided, and at least one instruction is stored in the storage medium.
  • the instruction is loaded and executed by a processor as described in the first aspect and any one of the optional manners of the first aspect.
  • a computer program includes a method for executing the foregoing first aspect or any one of the optional manners of the first aspect.
  • a computer program includes a method for executing the above-mentioned second aspect or any one of the optional manners of the second aspect.
  • FIG. 1 is a schematic diagram of an application scenario of a network system in an embodiment of the application.
  • FIG. 2 is a schematic diagram of an application scenario in an embodiment of the application.
  • FIG. 3a is a flowchart of a data packet processing method provided by an embodiment of the application.
  • FIG. 3b is a flowchart of a data packet processing method provided by an embodiment of the application.
  • FIG. 4a is a flowchart of a method for processing a data message provided by an embodiment of the application.
  • FIG. 4b is a flowchart of a method for processing a data message provided by an embodiment of the application.
  • FIG. 5 is a schematic diagram of a first type length value TLV provided by an embodiment of this application.
  • FIG. 6 is a schematic diagram of the composition of a micro-segment segment identifier provided by an embodiment of this application.
  • FIG. 7 is a schematic diagram of a segment routing header provided by an embodiment of the application.
  • FIG. 8 is a schematic diagram of a metadata TLV provided by an embodiment of this application.
  • FIG. 9 is a schematic diagram of a flag bit in a segment routing header provided by an embodiment of the application.
  • FIG. 10 is a schematic diagram of a second type length value TLV provided by an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a second network device provided by an embodiment of this application.
  • FIG. 12 is a schematic structural diagram of a first network device provided by an embodiment of this application.
  • FIG. 13 is a schematic structural diagram of a network device provided by an embodiment of this application.
  • FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of this application.
  • FIG. 15 is a schematic diagram of a network system provided by an embodiment of this application.
  • Segment routing header (segment routing header, SRH): IPv6 packets are composed of IPv6 standard header + extended header (0...n) + payload (Payload).
  • SRH extension header: a new IPv6 extension header is added, called the SRH extension header. The extension header specifies an explicit IPv6 path and stores IPv6 Segment List information; its function is the same as that of the Segment List in SR MPLS.
  • the head node adds an SRH extension header to the IPv6 message, and the intermediate node can forward the IPv6 message according to the path information contained in the SRH extension header.
  • a network device that supports SRv6 queries the local segment identification table (local SID table) according to the destination address (Destination Address, DA) in the data packet. When the destination address of the data packet matches any SID in the local segment identification table, the operation corresponding to the policy is executed according to the SID-related policy in the local segment identification table (the operation corresponding to the policy can be forwarding the data packet from the outbound interface specified by the SID); if the destination address of the data message does not match any SID in the local segment identification table, the IPv6 routing and forwarding table is then checked, and longest-match forwarding is performed according to the IPv6 routing and forwarding table.
  • Head node: the start node of the SR forwarding path, responsible for encapsulating segment identifiers.
  • Micro-segment segment identifier: a segment identifier used to identify the micro-segment of the network device in the segment routing network, corresponding to an endpoint group.
  • the micro-segment identifier instructs the network device issuing the micro-segment identifier to perform the operation of processing the message according to the micro-segment identifier or the micro-segment.
  • Micro-segment node segment identifier: a segment identifier used to identify network devices in a segment routing network.
  • the micro-segment node segment identifier instructs the network device issuing the micro-segment node segment identifier to perform the operation of processing the message according to the micro-segment identifier or the micro-segment.
  • a network includes network device 1 and network device 2, network device 1 is connected to VM1, network device 2 is connected to VM2, and the network between network device 1 and network device 2 is an SR network.
  • when VM1 sends data message A to VM2, network device 1 receives the data message A. Network device 1 first needs to look up a table according to the destination address in data message A (that is, the address of VM2) to obtain the micro-segment corresponding to the address of VM2, then look up a table according to the micro-segment to obtain the corresponding processing action (such as modifying the priority), and then forward the marked data message A to network device 2; network device 2 must also perform actions similar to those of network device 1. Sometimes the intermediate devices between network device 1 and network device 2 also need to execute a similar policy according to the micro-segment, which results in many devices having to be configured.
  • the VM IP address is a private network segment IP address and the routing network address in the segment routing network is a public network IP address; the correspondence between micro-segments and IP addresses cannot be configured on the network devices in the segment routing network, and the data message cannot be processed according to the micro-segment.
  • FIG. 1 is a schematic diagram of an application scenario of a network system according to an embodiment of the application.
  • the network device 101, the network device 102, the network device 103, and the network device 104 belong to the same SR network.
  • the network device 101, the network device 102, the network device 103, and the network device 104 may be routers.
  • the device may also be a switch or any other device with SR routing function.
  • the form of the device may be a physical device or a virtualized device with SR routing function, which is not specifically limited in this application.
  • the number of network devices in this application scenario may be more or less.
  • the number of the above-mentioned network devices may be dozens or hundreds, or more.
  • the embodiments of this application do not limit the number and device types of network devices.
  • the network device 101 is connected to virtual machines (VM) 1, VM2, VM3, and VM4.
  • the network device 101 is also connected to the network device 102 and the network device 104; the network device 102 is connected to the network device 101 and the network device 103; the network device 104 is connected to the network device 101 and the network device 103; the network device 103 is connected to VM5, VM6, VM7, and VM8, and is also connected to the network device 102 and the network device 104.
  • VM1 and VM2 belong to the same EPG: EPG1, VM3 and VM4 belong to the same EPG: EPG2, VM5 and VM6 belong to the same EPG: EPG3, VM7 and VM8 belong to the same EPG: EPG4.
  • the network runs with the SR protocol: the network can be either an SR-MPLS network or an SRv6 network.
  • the network device 101 and the network device 103 support SR
  • the network device 102 and the network device 104 may or may not support SR.
  • the application scenario may also include a controller or a path calculation unit.
  • the controller or path calculation unit may be connected to each network device through a wireless network or a wired network.
  • the controller or path calculation unit may be used to determine the corresponding forwarding path for the data packets that need to be forwarded in the segment routing network.
  • the controller or path calculation unit may be at least one of a server, multiple servers, a cloud computing platform, and a virtualization center. When there are multiple controllers, there may be at least two controllers used to provide different services, and/or there may be at least two controllers used to provide the same service, for example, to provide the same service in a load balancing manner. This is not specifically limited.
  • the scenario shown in FIG. 1 does not limit the specific connection mode between the network device 101 and the network device 103 and their corresponding VMs. They can be connected directly, or through other network devices such as switches and firewalls. When a network device is connected to the corresponding VM through other network devices, these other network devices do not belong to the SR network, that is, they do not run the corresponding SR function.
  • the network device 101 is connected to VM1 and VM3 through the network device 201, and the network device 101 is connected to VM2 and VM4 through the network device 202.
  • the network device 103 is connected to VM5 and VM6 through the network device 203, and the network device 103 is connected to VM7 and VM8 through the network device 204.
  • the way a network device divides the corresponding micro-segments for the endpoint groups is not limited by the specific connection mode; that is, micro-segments can be divided not only according to the device's own physical or virtual interfaces, but also based on the characteristics of the final endpoint group, such as IP address, differentiated services code point (DSCP), or a combination of two or more such features.
  • FIG. 3a is a flowchart of a data packet processing method provided by an embodiment of the application.
  • the interaction of this method mainly includes a first network device and a second network device.
  • the second network device may be the head node of the forwarding path of the data packet in the segment routing network
  • the first network device may be the tail node of the forwarding path.
  • the network device 101 and the network device 103 may be the second network device and the first network device, respectively.
  • the network device 101 is used as the second network device and the network device 103 is used as the first network device.
  • the method mainly includes the following steps:
  • the network device 103 issues the first micro-segmentation segment identifier.
  • the micro-segment segment identifier identifies a micro-segment corresponding to the network device and can be expressed as End.XTEpg SID, where End stands for endpoint; X stands for crossing, which means Layer 3 cross-connect; T stands for table lookup; Epg stands for endpoint group; and SID means segment identifier.
  • the micro-segment identifier can meet the format of the IPv6 address or the MPLS label.
  • the first micro-segment identifier corresponds to a micro-segment of the network device 103.
  • the micro-segment is EPG3, and the corresponding micro-segment identifier may be a value in an IPv6 address format.
  • The endpoint group corresponding to the micro-segment includes VM5 and VM6.
  • the endpoint groups corresponding to the micro-segment EPG3 may also be VM5 and VM7.
  • the division of micro-segmentation can be based on specific IP addresses, IP prefixes, and specific requirements of applications or services, which are not specifically limited in this application. It should be understood that, in some cases, the first micro-segment segment identifier may also correspond to multiple micro-segments of the network device 103.
  • the manner in which the network device 103 publishes the first micro-segment segment identifier includes the following three or more publishing methods:
  • Manner 1: The network device 103 sends a notification message that carries the first micro-segment segment identifier.
  • The notification message can be a Border Gateway Protocol (BGP) message, a Border Gateway Protocol Ethernet Virtual Private Network (BGP EVPN) message, or an Interior Gateway Protocol (IGP) message.
  • the first micro-segmentation segment identifier in the notification message is carried in its first type length value (TLV).
  • TLV is an encoding format defined mainly by three kinds of information: type, length, and value.
  • the format of the first TLV is shown in FIG. 5.
  • The type field in the figure indicates the type of the first TLV: its value identifies the first TLV as a TLV used to publish an End.XTEpg SID. The value can be a type newly applied for in order to publish micro-segment segment identifiers; for example, it can be 90.
  • the value of the length field identifies the length of the first TLV.
  • the reserved field is reserved for subsequent expansion, for example, it can be used to identify the forwarding path.
  • the micro-segment segment identifier field is used to carry the micro-segment segment identifier.
  • The network device 103 may issue the first micro-segment segment identifier through the Border Gateway Protocol-Link State (BGP-LS) protocol.
  • The network device 103 may send the first micro-segment segment identifier to the controller through BGP-LS, and the controller may receive the first micro-segment segment identifier sent by the network device 103 and send it through BGP-LS to the network device 101.
  • The network device 103 may issue the first micro-segment segment identifier through the Path Computation Element Communication Protocol (PCEP).
  • The network device 103 may send the first micro-segment segment identifier to the controller or path calculation element (PCE) through PCEP, and the controller or PCE may receive the first micro-segment segment identifier sent by the network device 103 through PCEP and send the first micro-segment segment identifier to the network device 101.
  • Before the network device 103 publishes the first micro-segment segment identifier, the network device 103 needs to obtain the first micro-segment segment identifier. Regarding how the network device 103 obtains the micro-segment segment identifier, in some possible embodiments, the network device 103 may automatically assign at least one micro-segment segment identifier, or at least one micro-segment segment identifier may be manually configured. Specifically, the manner of obtaining the micro-segment segment identifier may include either or both of the following Manner 1 and Manner 2.
  • Manner 1: The network device 103 allocates a micro-segment segment identifier to the corresponding micro-segment or endpoint group.
  • The network device 103 may assign a micro-segment segment identifier to each micro-segment or each endpoint group.
  • The micro-segment segment identifiers assigned to different endpoint groups or micro-segments are different, so that each assigned micro-segment segment identifier corresponds to one micro-segment or one endpoint group.
  • the network device 103 may also allocate the same micro-segment segment identifier to multiple micro-segments or multiple endpoint groups, so that the assigned micro-segment identifier corresponds to multiple micro-segments or multiple endpoint groups.
  • the network device 103 may store a segment identification space, and can select an unoccupied micro-segment segment identifier from the segment identification space, and assign the micro-segment segment identifier to the micro-segment or endpoint group.
  • the network device 103 receives the configuration instruction, and the network device 103 obtains the corresponding relationship between the micro-segment segment identifier and one or more micro-segments or endpoint groups from the configuration instruction.
  • the configuration instruction may be triggered by a user's configuration operation on the network device 103, and the configuration instruction may also be triggered by a network manager or a controller.
  • the corresponding relationship between the micro-segmentation identifier and the micro-segmentation obtained by the network device 103 may be as shown in Table 1 below.
  • The endpoint group can be defined using the IP address of the endpoint device, the interface through which the endpoint group device is connected to the network device 103, the MAC address, and other information.
  • The following uses the IP address of the endpoint device to represent the endpoint group as an example: VM5 and VM6 can be represented by the same IP address prefix A1::3:1/80, and VM7 and VM8 can be represented by the same IP address prefix A1::3:2/80, as shown in Table 2 below.
  • Table 1 and Table 2 are only logical concepts, and they can be combined into one table in implementation.
  • the corresponding relationship between the micro-segmentation identifier obtained by the network device 103 and the endpoint group can be shown in Table 3 below.
  • The endpoint group is defined by the interface through which the endpoint group device is connected to the network device 103; the interface may be a virtual sub-interface or a physical interface.
  • End.XTEpg SID3 corresponds to the endpoint group EPG3, and the interface between the network device 103 and the endpoint group EPG3 is virtual interface 1, and its name is vInf103-1;
  • End.XTEpg SID4 corresponds to the endpoint group EPG4, the port that the network device 103 connects to the endpoint group EPG4 is its virtual interface 2, and its name is vInf103-2.
  • micro-segment segment identifier can also be used as a micro-segment identifier to indicate a micro-segment.
  • the above is only an example of the corresponding relationship between the micro-segment segment identifier and the micro-segment or endpoint group.
  • In implementation, the corresponding relationship between the micro-segment segment identifier and the micro-segment or endpoint group can be obtained based on the above methods, for example according to the IP prefix, a combination of specific IP addresses, or information such as the interface through which the endpoint or endpoint group is connected to the network device.
  • An SRv6 SID takes the form of an IPv6 address.
  • An SRv6 SID can be composed of two parts: location information and function.
  • The format is location information:function. The location information occupies the high-order bits of the IPv6 address, and the function occupies the low-order bits of the IPv6 address. The location information can have a positioning function and can be unique in the SR domain.
  • The function represents the instructions of the device. These instructions are preset by the device.
  • The function part is used to instruct the device that generated the SRv6 SID to perform the corresponding functional operation.
  • Figure 6 shows an example of another SRv6 micro-segment segment identifier.
  • the micro-segment segment identifier has a total of 128 bits and is divided into 3 parts.
  • the parameter segment part can define information such as the flow and service of some messages.
  • the network device 101 obtains the first micro-segmentation segment identifier.
  • the manner in which the network device 101 obtains the first micro-segment segment identifier may be the following two optional methods:
  • Manner 1: The network device 101 receives a notification message sent by the network device 103, and the message carries the first micro-segment segment identifier.
  • When the network device 103 sends the first micro-segment segment identifier through a BGP message, the network device 101 receives the BGP message sent by the network device 103 and obtains the first micro-segment segment identifier from the message; when the network device 103 sends the first micro-segment segment identifier through an IGP message, the network device 101 receives the IGP message sent by the network device 103 and obtains the first micro-segment segment identifier from the message.
  • The network device 101 obtains the first micro-segment segment identifier from the first TLV of the BGP message or IGP message.
  • Manner 2: The network device 101 receives the first micro-segment segment identifier sent from the controller or the path calculation unit.
  • The controller can receive the first micro-segment segment identifier sent by the network device 103 through the BGP-LS protocol and send the first micro-segment segment identifier to the network device 101.
  • The controller or PCE can receive the first micro-segment segment identifier sent by the network device 103 and send the first micro-segment segment identifier to the network device 101.
  • The controller or PCE may send the first micro-segment segment identifier to the network device 101 after receiving the first micro-segment segment identifier, within a period of time, or when the network device 101 requests a forwarding path from the controller or PCE.
  • the network device 101 receives the first data packet, and determines the first micro-segment segment identifier according to the first data packet, and the first data packet does not include the first micro-segment segment identifier.
  • When communication between VM1 and VM5 is required, VM1 sends a data message (that is, the first data message) to VM5. After receiving the first data packet sent by VM1, the network device 101 may determine the first micro-segment segment identifier according to the first data packet.
  • the manner in which the network device 101 determines the first micro-segment segment identifier according to the first data packet includes:
  • The network device 101 determines the first micro-segment segment identifier according to the destination IP address of the first data packet. For example, the corresponding relationship shown in Table 4 below may exist on the network device 101; when the destination IP address of the first data packet is A1::3:1/80, the network device 101 follows the matching principle (for example, the longest-match principle) and obtains End.XTEpg SID3 as the first micro-segment segment identifier.
  • The corresponding relationship may be calculated iteratively by the network device 101 based on information such as the route announcement message issued by the network device 103, or it may be forwarding path planning information that the network device 101 receives from the controller or the path calculation unit.
  • After receiving the first data message, the network device 101 requests a forwarding path to the destination IP of the data message from the controller or the path calculation unit. After receiving the request, the controller or the path calculation unit calculates a forwarding path according to the obtained network topology or other information and sends it to the network device 101.
  • the forwarding path from VM1 to VM5 calculated by the controller or path calculation unit for the network device 101 is network device 102->network device 103, and the specific segment identifier list may be: End.SID102, End.XTEpg SID3.
  • End.SID102 is the segment identifier of the network device 102
  • End.XTEpg SID3 is the micro-segment segment identifier of the network device 103.
  • the network device 101 determines that the first micro-segment segment identifier is End.XTEpg SID3 according to the forwarding path.
  • Manner 3: The network device 101 determines the first micro-segment segment identifier according to the differentiated services code point of the first data packet.
  • the network device 101 determines a processing action on the first data packet according to the first micro-segmentation segment identifier.
  • the network device 101 can be configured to determine whether it needs to find or execute a processing strategy.
  • the processing strategy here can also be considered as a correspondence.
  • the processing action is forwarding the first data packet, and the network device 101 determines that the processing action on the first data packet is forwarding according to the configuration.
  • The network device 101 may be configured to search for a processing strategy for the first data packet and process it according to the processing strategy. Therefore, in a possible implementation manner, before the network device 101 determines a processing action on the first data packet according to the first micro-segment segment identifier, the network device 101 also needs to obtain a processing strategy.
  • The processing strategy includes matching conditions and processing actions.
  • The processing strategy is stored in a group-based access policy entry (GBP) of the network device 101.
  • The matching condition may include the first micro-segment segment identifier, that is, the first micro-segment segment identifier that the network device determines according to the received data message, such as End.XTEpg SID3 described above.
  • the processing actions in the processing strategy include one or more of the following: forwarding, discarding, marking, redirection, and mirroring.
  • marking is a special kind of forwarding, that is, the network device first marks the data message before forwarding the data message.
  • the marking actions that a network device can perform on a data message may include, for example, remarking the DSCP of the data message, or modifying the priority of the data message.
  • The ways in which the network device obtains the processing strategy include the following:
  • The network device 101 receives a processing strategy instruction.
  • The instruction may be an instruction manually configured on the network device by a network management system, network application, or operation and maintenance personnel.
  • The network device 101 saves the processing strategy, which includes the first micro-segment segment identifier, according to the processing strategy instruction.
  • Method 2: The network device can also obtain the processing strategy by having the processing strategy preset during production, instead of receiving a processing strategy instruction.
  • the processing strategy obtained by the network device 101 is shown in Table 5.
  • the network device 101 uses the first micro-segment identifier as the matching condition.
  • the processing action of "marking" is executed, and when the first micro-segment segment identifier corresponding to the data message received by the network device is End.XTEpg SID4, the processing action of "discarding" is executed.
  • the processing actions shown in Table 5 are only examples.
  • The content corresponding to the processing action can be a processing action identifier, so that the network device can further obtain the corresponding specific processing action based on the processing action identifier. The content corresponding to the processing action can also be a specific processing action, such as remark dscp 40, which means that the DSCP of a data packet that meets the condition is changed to 40.
  • the first micro-segment segment identifier may also be recorded as the target micro-segment segment identifier.
  • the processing strategy obtained by the network device 101 is as shown in Table 6.
  • The network device 101 obtains the corresponding micro-segment according to the first micro-segment segment identifier, for example, obtains the micro-segment from the 64th to 80th bits of the micro-segment segment identifier, and uses the micro-segment as the matching condition.
  • When the first micro-segment segment identifier corresponding to the data message received by the network device 101 is End.XTEpg SID3, the first micro-segment is obtained as EPG3 according to the micro-segment segment identifier, and the processing action of "marking" is executed.
  • When the first micro-segment segment identifier corresponding to the data packet received by the network device is End.XTEpg SID4, the first micro-segment is obtained as EPG4 according to the micro-segment segment identifier, and the processing action of "discarding" is performed.
  • the first micro-segment can also be recorded as a destination micro-segment or a destination endpoint group.
  • the network device 101 further determines a processing strategy for the first data packet according to the second micro-segmentation segment identifier.
  • the second micro-segment segment identifier indicates a micro-segment of the network device 101.
  • the network device 101 needs to obtain the second micro-segmentation identifier.
  • the network device 101 may automatically assign the second micro-segment identifier, or it may be manually configured.
  • For the specific method of obtaining the second micro-segment segment identifier, refer to Manner 1 and Manner 2 above, by which the network device 103 obtains the micro-segment segment identifier; the details are not repeated here.
  • the corresponding relationship between the micro-segmentation identifier and the micro-segmentation obtained by the network device 101 may be as shown in Table 7 below.
  • Table 7:

    | Micro-segment segment identifier | Micro-segment |
    | --- | --- |
    | End.XTEpg SID1 | EPG1 |
    | End.XTEpg SID2 | EPG2 |
  • The endpoint group can be defined using the IP address of the endpoint device, the interface through which the endpoint group device is connected to the network device 101, the MAC address, and other information.
  • The following uses the IP address of the endpoint device to represent the endpoint group as an example: VM1 and VM2 can be represented by the same IP address prefix A1::1:1/80, and VM3 and VM4 can be represented by the same IP address prefix A1::1:2/80, as shown in Table 7 below.
  • the corresponding relationship between the micro-segmentation identifier obtained by the network device 101 and the endpoint group can be shown in Table 9 below.
  • The endpoint group is defined by the interface through which the endpoint group device is connected to the network device 101; the interface may be a virtual sub-interface or a physical interface.
  • End.XTEpg SID1 corresponds to the endpoint group EPG1, and the interface between the network device 101 and the endpoint group EPG1 is virtual interface 1, and its name is vInf101-1;
  • End.XTEpg SID2 corresponds to the endpoint group EPG2, the port that the network device 101 connects to the endpoint group EPG2 is its virtual interface 2, and its name is vInf101-2.
  • micro-segment segment identifier can also be used as a micro-segment identifier to indicate a micro-segment.
  • the above is only an example of the corresponding relationship between the micro-segment segment identifier and the micro-segment or endpoint group.
  • In implementation, the corresponding relationship between the micro-segment segment identifier and the micro-segment or endpoint group can be obtained based on the above methods, for example according to the IP prefix, a combination of specific IP addresses, or information such as the interface through which the endpoint or endpoint group is connected to the network device.
  • After receiving the first data packet, the network device 101 determines the second micro-segment segment identifier according to the received first data packet. Corresponding to the correspondence information between the micro-segment segment identifier and the endpoint group on the network device 101, the ways in which the network device 101 determines the second micro-segment segment identifier according to the received first data packet include one or more of the following:
  • The network device 101 determines the second micro-segment segment identifier according to the source IP address of the first data packet. For example, when the first data message is sent by VM1 and its source IP address is A1::1:1, the network device 101 confirms, according to the endpoint group information in the corresponding relationship shown in Table 7, that VM1 belongs to the endpoint group EPG1, and further determines that the micro-segment segment identifier corresponding to the endpoint group is End.XTEpg SID1 according to the corresponding relationship shown in Table 6.
  • The network device 101 determines the second micro-segment segment identifier according to the interface through which the first data packet is received. For example, when the network device 101 receives the first data packet from vInf101-1, as shown in Table 9, the network device 101 determines that the second micro-segment segment identifier corresponding to the first data packet is End.XTEpg SID1.
  • Before the network device 101 determines the processing strategy for the first data packet according to the second micro-segment segment identifier, the network device 101 also obtains the processing strategy that includes the second micro-segment segment identifier.
  • the manner in which the network device 101 obtains the processing strategy including the second micro-segment segment identifier is the same as the manner in which the network device 101 obtains the processing strategy including the first micro-segment segment identifier, and will not be repeated here.
  • the processing strategy obtained by the network device 101 is shown in Table 10.
  • The matching condition of the processing strategy includes the second micro-segment segment identifier and the first micro-segment segment identifier, which can also be recorded as the source micro-segment segment identifier and the destination micro-segment segment identifier.
  • Table 10 shows two processing strategies.
  • The first processing strategy indicates that when the second micro-segment segment identifier and the first micro-segment segment identifier determined from the data message received by the network device 101 meet the matching condition, that is, the second micro-segment segment identifier is End.XTEpg SID1 and the first micro-segment segment identifier is End.XTEpg SID3, the network device 101 performs a processing action on the data packet: marking.
  • The second processing strategy indicates that when the second micro-segment segment identifier and the first micro-segment segment identifier determined from the data message received by the network device 101 meet the matching condition, that is, the second micro-segment segment identifier is End.XTEpg SID1 and the first micro-segment segment identifier is End.XTEpg SID2, the network device 101 performs a processing action on the data message: discarding.
  • Table 10:

    | Second micro-segment segment identifier | First micro-segment segment identifier | Processing action |
    | --- | --- | --- |
    | End.XTEpg SID1 | End.XTEpg SID3 | mark |
    | End.XTEpg SID1 | End.XTEpg SID4 | discard |
  • the processing strategy obtained by the network device 101 is shown in Table 11.
  • The matching condition of the processing strategy includes the second micro-segment and the first micro-segment, which can also be recorded as the source micro-segment and the destination micro-segment, or as the source endpoint group and the destination endpoint group.
  • Table 11 shows two processing strategies.
  • The first processing strategy indicates that when the second micro-segment and the first micro-segment meet the matching condition, that is, the second micro-segment is EPG1 and the first micro-segment is EPG3, the network device 101 performs a processing action on the data message: marking.
  • The second processing strategy indicates that when the second micro-segment and the first micro-segment determined from the data message received by the network device 101 meet the matching condition, that is, the second micro-segment is EPG1 and the first micro-segment is EPG4, the network device 101 performs a processing action on the data message: discarding.
  • When the second micro-segment segment identifier determined from the data packet received by the network device 101 is End.XTEpg SID1, the second micro-segment determined by the network device 101 according to the second micro-segment segment identifier is EPG1. When the first micro-segment segment identifier determined from the data packet received by the network device 101 is End.XTEpg SID3, the first micro-segment determined by the network device 101 according to the first micro-segment segment identifier is EPG3. The processing action determined by the network device 101 according to the second micro-segment and the first micro-segment is then marking.
  • The network device 101 can perform a strict match or a longest match between the data message and the matching condition. Strict matching means that the processing action to be performed on the data message is determined only when the data message completely meets the matching condition. Longest matching means that the processing action for the data packet is determined according to the matching condition that the data packet matches at the greatest length. When multiple processing strategies have the same matching length, the processing strategy that is hit first, hit last, or hit with the highest priority can be executed.
  • the method for the network device 101 to calculate the matching length may include multiple methods. For example, if one branch meets the matching condition, the length is one.
  • The matching condition shown in Table 10 above contains two branches, that is, matching the second micro-segment segment identifier and matching the first micro-segment segment identifier, so the longest matching length is 2.
  • the second method is to match the first micro-segment segment identifier, then match the second micro-segment segment identifier, and then match the conditions of other branches. For each matching item, the matching length is increased by 1.
  • When the second micro-segment segment identifier and the first micro-segment segment identifier are (End.XTEpg SID1, End.XTEpg SID3) or (End.XTEpg SID1, End.XTEpg SID4), that is, when the matching condition of the first processing strategy or of the second processing strategy is fully satisfied, the processing action for the data packet is determined. If only one branch matches, for example only the first micro-segment segment identifier End.XTEpg SID3, the network device 101 considers that there is no processing action for the data packet and executes a default processing action, such as forwarding or discarding.
  • The default processing action may be a default processing strategy configured on the network device, or it may be the default processing strategy of all devices in the segment routing network.
  • The first processing strategy determines that the processing action for the data message is marking. When the network device 101 determines from the received data message only that the first micro-segment segment identifier is End.XTEpg SID3, and either does not obtain the second micro-segment segment identifier or obtains a second micro-segment segment identifier that is not End.XTEpg SID1, the network device 101 can still determine that the data packet matches the first processing strategy, thereby determining that the processing action for the data packet is marking.
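The lookup chain described above, from packet addresses to micro-segment segment identifiers to a processing action, as an added example that is not code from the application. The SID and EPG names and the two Table 10 strategies follow the text; the 2001:db8::/32 prefixes, the function names, the first-hit tie-break and the fail-closed default of discard are assumptions of this example. It contrasts strict matching with longest matching, where a packet whose source group is not EPG1 still inherits the action written for EPG1.

```python
import ipaddress

# Constructed sample tables. SID and EPG names follow the text; the prefixes
# are documentation prefixes chosen for this example.
SRC_PREFIX_TO_SID = {
    "2001:db8:1:1::/64": "End.XTEpg SID1",  # EPG1: VM1, VM2
    "2001:db8:1:2::/64": "End.XTEpg SID2",  # EPG2: VM3, VM4
}
DST_PREFIX_TO_SID = {
    "2001:db8:3::/48": "End.XTEpg SID4",    # constructed covering prefix
    "2001:db8:3:1::/64": "End.XTEpg SID3",  # EPG3: VM5, VM6
    "2001:db8:3:2::/64": "End.XTEpg SID4",  # EPG4: VM7, VM8
}

# The two processing strategies of Table 10:
# (second/source SID, first/destination SID, processing action).
POLICIES = [
    ("End.XTEpg SID1", "End.XTEpg SID3", "mark"),
    ("End.XTEpg SID1", "End.XTEpg SID4", "discard"),
]


def lookup_sid(table, address):
    """Longest-prefix match of an address against a prefix -> SID table."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, sid in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sid)
    return best[1] if best else None


def strict_match(src_sid, dst_sid, default):
    """Return an action only when every branch of a strategy matches."""
    for pol_src, pol_dst, action in POLICIES:
        if pol_src == src_sid and pol_dst == dst_sid:
            return action
    return default


def longest_match(src_sid, dst_sid, default):
    """Match the destination SID first, then the source SID.

    Each matching branch adds 1 to the match length, and the strategy with
    the greatest length wins. Ties go to the first hit (this example's
    choice among the tie-breaks the text allows).
    """
    best_len, best_action = 0, default
    for pol_src, pol_dst, action in POLICIES:
        if pol_dst != dst_sid:
            continue                      # destination branch failed: length 0
        length = 1 + (1 if pol_src == src_sid else 0)
        if length > best_len:             # strict '>' keeps the first hit
            best_len, best_action = length, action
    return best_action


def decide(src_ip, dst_ip, mode="strict", default="discard"):
    """Classify a packet and return (source SID, destination SID, action)."""
    src_sid = lookup_sid(SRC_PREFIX_TO_SID, src_ip)
    dst_sid = lookup_sid(DST_PREFIX_TO_SID, dst_ip)
    matcher = strict_match if mode == "strict" else longest_match
    return src_sid, dst_sid, matcher(src_sid, dst_sid, default)


if __name__ == "__main__":
    # Constructed packets: (source address, destination address).
    samples = [
        ("2001:db8:1:1::10", "2001:db8:3:1::5"),  # EPG1 -> EPG3
        ("2001:db8:1:2::20", "2001:db8:3:1::5"),  # EPG2 -> EPG3
        ("2001:db8:9::1", "2001:db8:3:1::5"),     # unknown source -> EPG3
    ]
    for src, dst in samples:
        for mode in ("strict", "longest"):
            print(src, dst, mode, decide(src, dst, mode))
```

With these tables, traffic from EPG2 or from an unclassified source to EPG3 falls to the default under strict matching but is marked and forwarded under longest matching, so the choice of matching mode and default action decides whether an unlisted source group is isolated.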
  • The processing strategy obtained by the network device also includes the sending direction of the data packet. If the sending direction of the data packet is inflow (in), the processing strategy is a processing strategy for data packets received by the network device; if the sending direction of the data message is out, the processing strategy is a processing strategy for data messages sent by the network device.
  • the network device 101 may determine the processing action for the first data packet only according to the second micro-segment segment identifier.
  • The method and optional manner for the network device 101 to determine the processing action on the first data packet according to the second micro-segment segment identifier are the same as the method and optional manner for the network device 101 to determine the processing action for the first data packet based only on the first micro-segment segment identifier, and are not repeated here.
  • S308: The network device 101 performs the determined processing action on the first data packet.
  • In S307, when the network device 101 determines, according to a configuration not to search for or execute the processing policy, that the processing action on the first data packet is forwarding, S309 is executed.
  • When the network device 101 searches for the processing strategy of the first data packet according to the configuration and processes it according to the processing strategy, it performs one of the following steps according to the determined processing action:
  • When the processing action for the first data packet determined by the network device 101 is discard, the network device 101 discards the first data packet and ends the process.
  • When the network device 101 determines that the processing action on the first data packet is mirroring, the network device 101 mirrors the first data packet to the designated address, and the process ends.
  • When the network device 101 determines that the processing action for the first data packet is redirection, the network device 101 changes the forwarding destination address of the first data packet, and ends the process.
  • the network device 101 generates a second data packet according to the first data packet.
  • the network device 101 generates a second data packet according to the obtained segment routing network forwarding path for the first data packet and the first data packet.
  • The manner in which the network device 101 obtains the segment routing network forwarding path may include: 1. the network device 101 itself has the ability to calculate the segment routing network forwarding path, and the network device 101 determines the segment routing network forwarding path; 2. the network device 101 obtains the segment routing network forwarding path from the controller or the path calculation unit.
  • the segment routing network forwarding path of the data message from VM1 to VM5 obtained by the network device 101 is: End.XTEpg SID3.
  • The segment routing network forwarding path for the data packets from VM1 to VM5 obtained by the network device 101 can correspond to a segment identification list, and the segment identification list can include one or more segment identifiers.
  • the list of segment identifiers is End.SID102, End.XTEpg SID3, where End.SID102 is the segment identifier of the network device 102, and End.XTEpg SID3 is a micro-segment segment identifier of the network device 101.
  • the network device 101 generates a second data packet according to the forwarding path and the first data packet.
  • SRv6 is taken as an example; the SR-MPLS solution is similar and is not repeated here.
  • the network device 101 generates a second data packet, the second data packet includes an SRH, the SRH includes a segment identifier list, and the segment identifier list includes a first micro-segment segment identifier, such as End.XTEpg SID3.
  • the list of segment identifiers also includes segment identifiers of intermediate network devices, such as segment identifiers of network device 102.
  • the second data message further includes a second micro-segment segment identifier.
  • This embodiment of the present application provides a variety of methods for carrying the second micro-segment segment identifier in a data message, including:
  • Manner 1: The list of segment identifiers also includes a second micro-segment segment identifier, such as the source micro-segment segment identifier in the example, End.XTEpg SID1.
  • The second micro-segment segment identifier is carried at the position of Segment List[0] of the SRH, and the first micro-segment segment identifier is carried at the position of Segment List[1] of the SRH; that is, the value of the remaining nodes (segments left) in the SRH is at least 1.
  • Manner 2: The second data message further includes metadata, and the metadata carries the second micro-segmentation segment identifier.
  • a new kind of metadata may be defined.
  • The first micro-segment segment identifier can also be carried in the metadata. In this way, all network devices in the segment routing network that need to process data packets according to the micro-segment segment identifier can obtain the first micro-segment segment identifier and the second micro-segment segment identifier through the metadata alone, and do not need to obtain them from the SRH of the data message.
  • This metadata can be carried through the TLV as shown in FIG. 8.
  • the type field indicates that it is metadata that carries the micro-segment segment identifier, and the value of the type field can be a specific value applied for carrying the endpoint group end identifier, such as 91.
  • the length field indicates the overall length of the metadata.
  • the reserved field can be reserved for special processing. There is currently no specific definition.
  • the second micro-segment segment identifier field carries the second micro-segment segment identifier, such as End.XTEpg SID2.
  • The TLV also includes a first micro-segment segment identifier field, and the first micro-segment segment identifier field carries the first micro-segment segment identifier, such as End.XTEpg SID1.
  • Manner 3: The network device 101 copies the IPv6 header of the first data message and carries it in the payload of the second data message, and generates a new IPv6 header for the second data message.
  • The source address in the IPv6 header is the second micro-segment segment identifier.
  • the operation and maintenance personnel can configure in advance on the network device whether the second micro-segmentation identifier needs to be carried when generating the second data message, and which of the above three methods is used to carry the second micro-segmentation identifier. Or, by default, the network device adopts a consistent manner to carry the second micro-segment segment identifier.
  • When the operation and maintenance personnel configure the network device to carry the second micro-segment identifier when generating the second data packet and determine the manner in which the network device 101 carries it, the following allows the second data message generated by the network device 101 to be correctly processed during forwarding without affecting the forwarding of the data message: when the network device 101 generates the SRH of the second data message, it can mark in the SRH how the second micro-segment segment identifier is carried. In this way, a network device in the routing network that processes the data message according to the micro-segment segment identifier can determine, during message forwarding, the location from which to obtain the second endpoint group end identifier.
  • The Flags field of the SRH occupies 8 bits, among which U is currently not used; the P flag, which occupies 1 bit, is a protection flag.
  • The O flag, which occupies 1 bit, is an operation, administration and maintenance (OAM) flag.
  • The A flag, which occupies 1 bit, is an alarm flag. If it is present, it means that there is an important TLV.
  • The H flag, which occupies 1 bit, is a hash-based message authentication code (HMAC) flag. If it is present, it means that there is an HMAC TLV.
  • The network device 101 can use the low bit of the U flag in the Flags field of the SRH to identify the position in which the second endpoint group is carried. For example, when the eighth bit of Flags is 1, it indicates that the second micro-segment segment identifier is carried in the above manner 1, that is, in segment[0] of the segment identifier list of the SRH. When the 7th bit of the Flags field is 1, it indicates that the second micro-segment segment identifier is carried in the above manner 2, that is, in the metadata of the SRH. When the 6th bit of the Flags field is 1, it indicates that the second micro-segment segment identifier is carried in the above manner 3, that is, in the source IP address of the IPv6 header of the second message.
  • the network device 101 sends a second data packet to the network device 103.
  • the network device 101 sends a second data packet to the network device 103 according to the routing and forwarding information, and the second data packet carries the first micro-segment identifier.
  • the second data message also carries a second micro-segmentation identifier.
  • After receiving the second data packet sent by the network device 101, the network device 103 obtains the first micro-segmentation segment identifier from the second data packet.
  • the network device 103 obtains the first micro-segment segment identifier from the second data packet as: End.XTEpg SID3.
  • Before the network device 103 determines a processing action on the data message according to the first micro-segmentation identifier, the network device 103 also needs to obtain a processing strategy, which includes matching conditions and processing actions.
  • the processing actions in the processing strategy include one or more of the following: forwarding, discarding, marking, redirection, and mirroring.
  • marking is a special kind of forwarding, that is, the network device first marks the data message before forwarding the data message.
  • the marking actions that a network device can perform on a data message may include, for example, remarking the DSCP of the data message, or modifying the priority of the data message.
  • The way that the network device 103 obtains the processing strategy and the content of the processing strategy are consistent with the way that the network device 101 obtains the processing strategy and the content of the processing strategy.
  • For details, refer to the detailed description of the processing strategy obtained by the network device 101, which is not repeated in this application.
  • the network device 103 determines a processing action on the second data packet according to the first micro-segmentation identifier.
  • The manner in which the network device 103 determines the processing action on the second data packet according to the first micro-segment segment identifier is consistent with the manner in which the network device 101 determines the processing action on the first data packet according to the first micro-segment segment identifier.
  • For details, refer to the detailed description of the processing action on the first data packet determined by the network device 101 according to the first micro-segmentation segment identifier, which is not repeated in this application.
  • the network device 103 also determines a processing action on the second data packet according to the second micro-segmentation segment identifier.
  • When the second data message also carries the second micro-segmentation identifier, the network device 103 also obtains the second micro-segmentation identifier, and performs processing actions on the second data message according to the first micro-segmentation identifier and the second micro-segmentation identifier.
  • The network device 103 obtains the second micro-segment segment identifier from the corresponding position of the second data packet according to the indication of the identification. For example, when the eighth bit of the Flags field of the SRH of the second data message is 1, the network device 103 obtains the second micro-segment segment identifier from segment[0] of the SRH segment identifier list of the second data message. When the 7th bit of the Flags field is 1, the network device 103 obtains the second micro-segmentation segment identifier from the metadata of the SRH of the second data packet. When the sixth bit of the Flags field is 1, the network device 103 obtains the second micro-segmentation segment identifier from the source IP address of the IPv6 header of the second data packet.
  • the network device directly follows the default rule, for example, obtaining the second micro-segment segment identifier from the metadata.
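
The flag-driven lookup described above (set by the network device 101, read by the network device 103), as an added example that is not code from the application: a Python parser that bounds-checks an SRH and returns the second micro-segment segment identifier from Segment List[0], the metadata TLV or the IPv6 source address. The SRH layout follows RFC 8754; the bit masks, the field widths inside the type-91 TLV, the rejection of more than one set bit and the 2001:db8:: sample SIDs are assumptions of this example.

```python
import ipaddress
import struct

# Assumption: the page numbers the Flags bits 1..8 without fixing a bit order;
# bit 8 is taken here as the least significant bit of the octet.
IN_SEGMENT_LIST = 0x01   # "8th bit": manner 1, Segment List[0]
IN_METADATA = 0x02       # "7th bit": manner 2, metadata TLV
IN_IPV6_SOURCE = 0x04    # "6th bit": manner 3, IPv6 source address
METADATA_TLV_TYPE = 91   # example type value given on the page

# Constructed sample SIDs (documentation prefix), standing in for the
# page's End.XTEpg SID1 (source) and End.XTEpg SID3 (destination).
EPG1_SID = "2001:db8:101::e1"
EPG3_SID = "2001:db8:103::e3"


def metadata_tlv(second_id, first_id=None):
    """Assumed FIG. 8 layout: type, length, 2 reserved bytes, 16-byte SIDs."""
    value = bytes(2) + ipaddress.IPv6Address(second_id).packed
    if first_id is not None:
        value += ipaddress.IPv6Address(first_id).packed
    return bytes([METADATA_TLV_TYPE, len(value)]) + value


def build_srh(segments, segments_left, flags, tlvs=b""):
    """Build a constructed sample SRH in the RFC 8754 layout."""
    pad = -len(tlvs) % 8
    if pad == 1:
        tlvs += b"\x00"                               # Pad1
    elif pad:
        tlvs += bytes([4, pad - 2]) + bytes(pad - 2)  # PadN
    body = b"".join(ipaddress.IPv6Address(s).packed for s in segments) + tlvs
    return struct.pack("!BBBBBBH", 41, len(body) // 8, 4, segments_left,
                       len(segments) - 1, flags, 0) + body


def parse_srh(srh):
    """Parse and bounds-check an SRH; returns flags, SL, segments and TLVs."""
    if len(srh) < 8:
        raise ValueError("SRH shorter than its fixed part")
    _nh, ext_len, rtype, seg_left, last_entry, flags, _tag = struct.unpack(
        "!BBBBBBH", srh[:8])
    total = 8 + 8 * ext_len
    seg_end = 8 + 16 * (last_entry + 1)
    if rtype != 4:
        raise ValueError("not a segment routing header")
    if total > len(srh) or seg_end > total or seg_left > last_entry:
        raise ValueError("inconsistent SRH length fields")
    segments = [ipaddress.IPv6Address(srh[i:i + 16])
                for i in range(8, seg_end, 16)]
    tlvs, off = [], seg_end
    while off < total:
        if srh[off] == 0:                 # Pad1 has no length octet
            off += 1
            continue
        if off + 2 > total or off + 2 + srh[off + 1] > total:
            raise ValueError("TLV runs past the end of the SRH")
        tlvs.append((srh[off], srh[off + 2:off + 2 + srh[off + 1]]))
        off += 2 + srh[off + 1]
    return {"flags": flags, "segments_left": seg_left,
            "segments": segments, "tlvs": tlvs}


def second_identifier(ipv6_source, srh):
    """Return (location, identifier) of the second identifier, or None."""
    hdr = parse_srh(srh)
    marks = hdr["flags"] & (IN_SEGMENT_LIST | IN_METADATA | IN_IPV6_SOURCE)
    if marks & (marks - 1):
        raise ValueError("more than one carrying manner is flagged")
    if marks == IN_SEGMENT_LIST:
        # Manner 1 needs Segment List[1] to exist and Segments Left >= 1.
        if len(hdr["segments"]) < 2 or hdr["segments_left"] < 1:
            raise ValueError("manner 1 flagged but Segment List[0] is active")
        return "segment-list", hdr["segments"][0]
    if marks == IN_IPV6_SOURCE:
        return "ipv6-source", ipaddress.IPv6Address(ipv6_source)
    # Manner 2, or no flag: the page's example default rule is the metadata.
    for tlv_type, value in hdr["tlvs"]:
        if tlv_type == METADATA_TLV_TYPE:
            if len(value) < 18:
                raise ValueError("metadata TLV too short for one identifier")
            return "metadata", ipaddress.IPv6Address(value[2:18])
    if marks == IN_METADATA:
        raise ValueError("metadata flagged but no type-91 TLV present")
    return None


if __name__ == "__main__":
    sample = build_srh([EPG3_SID], 0, IN_METADATA,
                       metadata_tlv(EPG1_SID, EPG3_SID))
    print(second_identifier("2001:db8::1", sample))
```
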
  • The network device 103 determines the processing action for the second data packet according to the first micro-segment identifier and the second micro-segment identifier in the same way that the network device 101 determines the processing action for the first data packet according to the first micro-segment identifier and the second micro-segment identifier.
  • The network device 103 may determine the processing action on the second data packet based on the second micro-segmentation identifier only.
  • The method and optional manner for the network device 103 to determine the processing action on the second data packet according to the second micro-segmentation identifier are the same as the method and optional manner for the network device 101 to determine the processing action for the first data packet based on the first micro-segmentation identifier only, and are not repeated here.
  • S325 The network device 103 performs a determined processing action on the second data packet.
  • the network device 103 discards the second data packet.
  • When the processing action on the second data packet determined by the network device 103 is mirroring, the network device 103 mirrors the first data packet to the designated address.
  • When the network device 103 determines that the processing action on the second data packet is redirection, the network device 103 changes the forwarding destination address of the first data packet.
  • Corresponding to the three ways in which the network device 101 carries the second micro-segmentation identifier, and to the identification of the carrying method in the second data packet, the network device 103 generates a third data message from the second data packet according to the indication of the identification.
  • When the 8th bit of the Flags field of the SRH of the second data message is 1, the network device, when generating the third message according to the second message, strips the SRH of the second data message to generate the third data message.
  • When the 7th bit of the Flags field is 1, the network device 103 strips the SRH and metadata of the second data packet to generate a third data packet.
  • The network device 103 replaces the IPv6 header of the second data packet with the copied IPv6 header (that is, the IPv6 header of the first packet) and strips the SRH of the second data message to generate a third data message; the IPv6 header of the third data message is the IPv6 header of the first message.
  • The network device follows the default rule, such as stripping the SRH of the second data message to obtain the third data message.
  • S329 The network device 103 sends a third data packet.
  • the network device sends the third data message to the endpoint VM5 in the corresponding endpoint group according to the micro-segment EPG3 identified by the first micro-segment segment identifier.
  • the network device 103 sends the third data packet to the destination IP address of the third data packet (that is, the IP address of VM5).
  • the foregoing is a method embodiment provided by an embodiment of the present application.
  • the method embodiment provides a method for processing data packets based on micro-segment segment identifiers that act on the head node and the tail node in a segment routing network.
  • the method embodiment shown in FIG. 3b provides a flow chart of a method for processing data packets.
  • The main difference between the flow chart and the method embodiment shown in FIG. 3a is that the first network device and the second network device use a micro-segment segment identifier and a second micro-segment segment identifier for message processing.
  • This embodiment is a detailed representation of the method embodiment in FIG. 3a.
  • the detailed steps of the embodiment in FIG. 3b will be repeated here.
  • the method embodiment provides a method for processing data packets based on the micro-segment segment identifier that acts on the head node, the intermediate node, and the tail node in the segment routing network.
  • the method of processing data packets according to the micro-segment segment identifier performed by the head node and the tail node is similar to the method in the previous method embodiment.
  • the embodiments of the present application will focus on the detailed explanation of the differences in the previous method embodiment.
  • the network device 101 is used as the third network device
  • the network device 102 is used as the second network device
  • the network device 103 is used as the second network device.
  • a network device is used as an example to exemplarily explain the embodiment of the method. It should be understood that this is only an example, and those skilled in the art can also refer to this embodiment to make similar substitutions and applications, and this application will not give examples one by one.
  • the network device 103 issues a first micro-segmentation segment identifier.
  • the method and optional manner for the network device 103 to issue the first micro-segment identification, and the method and optional manner for the network device 103 to obtain the first micro-segment identification are consistent with the method and optional manner in the embodiment shown in FIG. 3a, For details, please refer to the related content and optional methods of step S301 in the embodiment of FIG. 3a, which will not be repeated here.
  • the network device 102 issues the micro-segment node segment identifier.
  • the network device 102 is an intermediate forwarding node on the forwarding path of the first data packet in the segment routing network shown in FIG. 1, in order to make the network device 102 also have the function of performing processing actions on the data packet according to the micro-segment segment identifier, A manner of defining and publishing a segment identifier with a specific function for the network device 102 may be adopted.
  • the segment identifier with a specific function is the micro-segment node segment identifier, so that the network device 102 has the function.
  • The micro-segment node segment identifier corresponds to a network device and can be expressed as End.TEpg SID, where End means endpoint; T means table lookup; Epg means endpoint group; and SID means segment identifier.
  • Endpoint group segment node identifier can meet the format of the IPv6 address or the MPLS label.
  • the manner in which the network device 102 publishes the micro-segment node segment identifier includes the following three or more publishing methods:
  • Manner 1: The network device 102 sends a notification message, which carries the micro-segment node segment identifier.
  • The notification message may be a Border Gateway Protocol (BGP) message or an Interior Gateway Protocol (IGP) message, which is not specifically limited in this application.
  • the micro-segment node segment identifier in the notification message is carried in its second type length value (TLV).
  • the format of the second TLV is shown in FIG. 10.
  • The type field in the figure indicates the type of the second TLV. The value of the type field can identify that the second TLV is a TLV used to publish End.TEpg SID, and the value can be a type newly applied for publishing the micro-segment node segment identifier, for example, 92.
  • the value of the length field identifies the length of the second TLV.
  • the value of the flag field can be 0 or 1, for example, when the value is 0, it means that it is a TLV of the endpoint group type.
  • the reserved fields are reserved for subsequent extensions, such as those that can be used to identify the forwarding path.
  • the micro-segment node segment identifier field is used to carry the micro-segment node
  • The network device 102 may issue the micro-segment node segment identifier through the Border Gateway Protocol-Link State (BGP-LS) protocol.
  • The network device 102 can send the micro-segment node segment identifier to the controller through BGP-LS, and the controller can receive the micro-segment node segment identifier sent by the network device 102 through BGP-LS, and send the micro-segment segment identifier to the network device 101.
  • the network device 102 may issue the micro-segment node segment identifier through the Path Computation Element Communication Protocol (PCEP).
  • The network device 102 may send the micro-segment node segment identifier to the controller or path calculation element (PCE) through the PCEP, and the controller may receive the micro-segment node segment identifier sent by the network device 102 through the PCEP and send the micro-segment node segment identifier to the network device 101.
  • Before the network device 102 issues the micro-segment node segment identifier, the network device 102 needs to obtain the micro-segment node segment identifier first. Regarding how the network device 102 obtains the micro-segment node segment identifier, in some possible embodiments, the network device 102 may automatically assign the micro-segment node segment identifier, or manually configure at least the micro-segment node segment identifier. Specifically, the manner of obtaining the micro-segment node segment identifier may include any one or more of the following manner 1 or manner 2.
  • Manner 1: The network device 102 assigns itself a micro-segment node segment identifier.
  • the network device 102 can allocate one or more micro-segment node segment identifiers by itself.
  • the segment identifier can be a segment identifier indicating a node type or an adjacent segment identifier.
  • The network device 102 may store a segment identification space, from which an unoccupied micro-segment node segment identifier can be selected and assigned to the network device 102 itself.
  • the network device 102 receives the configuration instruction, the network device 102 obtains the micro-segment node segment identifier from the configuration instruction, and the network device 102 may also obtain the corresponding relationship between the micro-segment node segment identifier and the forwarding path from the configuration instruction.
  • the configuration instruction may be triggered by a user's configuration operation on the network device 102, and the configuration instruction may also be triggered by a network management or a controller.
  • SRv6 SID is in the form of an IPv6 address
  • SRv6 SID can consist of two parts: location information and function.
  • the function represents the instructions of the device. These instructions are preset by the device.
  • the function part is used to instruct the SRv6 SID generating device to perform corresponding functional operations.
  • the micro-segment node segment identifier obtained by the network device 102 includes a location and a function part, and the function part is used to instruct the network device 102 to perform a predefined operation on the data packet according to the micro-segment segment identifier.
  • the network device 101 and the network device 103 also issue the micro-segment node segment identifier, and the manner in which the network device 101 and the network device 103 obtain and issue the micro-segment node segment identifier is the same as that of the network device 102, and will not be repeated here.
  • the network device 101 obtains the first micro-segmentation identifier.
  • the method and optional manner for the network device 101 to obtain the first endpoint group are consistent with the method and optional manner in the embodiment shown in FIG. 3a.
  • the network device 101 obtains the micro-segment node segment identifier.
  • the manner in which the network device 102 issues the micro-segment node segment identifier may be the following two methods.
  • Manner 1: The network device 101 receives a notification message sent by the network device 102, and the message carries the micro-segment node segment identifier.
  • When the network device 102 sends the micro-segment node segment identifier through a BGP message, the network device 101 receives the BGP message sent by the network device 103 and obtains the micro-segment node segment identifier from the message; when the network device 102 sends the micro-segment node segment identifier through an IGP message, the network device 101 receives the IGP message sent by the network device 102 and obtains the micro-segment node segment identifier from the message.
  • The network device 101 obtains the micro-segment node segment identifier from the second TLV of the BGP message or IGP message.
  • Manner 2: The network device 101 receives the micro-segment node segment identifier sent from the controller or the path calculation unit.
  • The controller can receive the micro-segment node segment identifier sent by the network device 102 through the BGP-LS protocol, and send the micro-segment node segment identifier to the network device 101.
  • The controller or PCE can receive the micro-segment node segment identifier sent by the network device 102, and send the micro-segment node segment identifier to the network device 101.
  • the time when the controller or PCE executes sending the micro-segment node segment identifier to the network device 101 can be sent after receiving the micro-segment node segment identifier, or it can be within a period of time, or when the network device 101 requests the controller or PCE When there is a forwarding path, it is sent to the network device 101.
  • the network device 101 receives the first data packet, and determines the first micro-segment segment identifier according to the first data packet, and the first data packet does not include the first micro-segment segment identifier.
  • The method and optional manner for the network device 101 to determine the first micro-segment identifier according to the first data packet are the same as the method and optional manner in the embodiment shown in FIG. 3a.
  • For details, refer to the related content and optional manners of step S305 in the embodiment in FIG. 3a, which are not repeated here.
  • the network device 101 determines a processing action on the first data packet according to the first micro-segmentation identifier.
  • The method and optional manner for the network device 101 to determine the processing action of the first data packet according to the first micro-segmentation segment identifier are consistent with the method and optional manner in the embodiment shown in FIG. 3a. For details, refer to the content and optional manners related to step S307 in the embodiment in FIG. 3a, which are not repeated here.
  • S408 The network device 101 performs a determined processing action on the first data packet.
  • step S308 in step S308 will not be repeated here.
  • the network device 101 generates a second data packet according to the obtained segment routing network forwarding path for the first data packet and the first data packet.
  • The manner in which the network device 101 obtains the segment routing network forwarding path may include:
  • 1. The network device 101 itself has the ability to calculate the segment routing network forwarding path, and the network device 101 determines the segment routing network forwarding path.
  • 2. The network device 101 obtains the segment routing network forwarding path from the controller or the path calculation unit.
  • the segment identifier list corresponding to the forwarding path obtained by the network device 101 is: End.TEpg SID 1021, End.XTEpg SID3.
  • the network device 101 generates a second data packet according to the forwarding path and the first data packet.
  • SRv6 is taken as an example; the SR-MPLS solution is similar and is not repeated here.
  • the network device 101 generates a second data packet, the second data packet includes SRH, the SRH includes a segment identifier list, and the segment identifier list includes a first micro-segment segment identifier and a micro-segment node segment identifier, such as End.TEpg SID1021,
  • When the segment identifier list does not include the second micro-segment segment identifier, the first micro-segment segment identifier is carried at the position of Segment List[0] of the SRH, and the micro-segment node segment identifier is carried at the position of Segment List[n] of the SRH, where n>0 and n is the number of intermediate nodes on the specified path.
  • the second data message further includes a second micro-segment segment identifier.
  • When the segment identifier list includes the second micro-segment segment identifier, the first micro-segment segment identifier is carried at the position of Segment List[1] of the SRH, the second micro-segment segment identifier is carried at the position of Segment List[0] of the SRH, and the micro-segment node segment identifier is carried in the Segment List[n+1] position of the SRH, where n>1.
  • The method and optional manner in which the network device 101 generates the second micro-segment segment identifier in the second data packet described in this method embodiment are the same as the method and optional manner for the second micro-segment segment identifier in the second packet in the embodiment shown in FIG. 3a.
  • the network device 101 sends a second data packet to the network device 102.
  • the network device 101 sends a second data packet to the network device 102 according to the routing and forwarding information, and the second data packet carries the first micro-segment segment identifier and the micro-segment node segment identifier.
  • the second data message also carries a second micro-segmentation identifier.
  • After receiving the second data packet sent by the network device 101, the network device 102 obtains the first micro-segmentation segment identifier from the second data packet.
  • the network device 102 receives the second data packet sent by the network device 101, and the destination address in the SRH of the data packet is the micro-segment node segment identifier issued by the network device 102, such as End.TEpg SID 1021.
  • the network device 102 executes the function indicated by the micro-segment node segment identifier, that is, performs processing actions on the data packet according to the micro-segment segment identifier.
  • the network device 102 obtains the first micro-segment segment identifier from the second data message, such as End.XTEpg SID3.
  • the network device 102 performs the function indicated by End.TEpg SID 1021, that is, performs processing actions on the data packet according to End.XTEpg SID3.
  • Before the network device 102 determines a processing action on the data packet according to the first micro-segmentation identifier, the network device 102 also needs to obtain a processing strategy, and the processing strategy includes a matching condition and a processing action.
  • the processing actions in the processing strategy include one or more of the following: forwarding, discarding, marking, redirection, and mirroring.
  • marking is a special kind of forwarding, that is, the network device first marks the data message before forwarding the data message.
  • the marking actions that a network device can perform on a data message may include, for example, remarking the DSCP of the data message, or modifying the priority of the data message.
  • For details, refer to the detailed description of obtaining the processing strategy in step S307, which is not repeated in this application.
  • S415 The network device 102 determines a processing action on the second data packet according to the first micro-segmentation identifier.
  • The manner in which the network device 102 determines the processing action of the second data packet according to the first micro-segmentation identifier is the same as the manner in which the network device 103 in the method embodiment shown in FIG. 3a determines the processing action of the first data packet according to the first micro-segmentation identifier.
  • S416 The network device 102 performs a determined processing action on the second data packet.
  • When the processing action for the second data packet determined by the network device 102 is discard, the network device 102 discards the second data packet and ends the process.
  • When the processing action on the second data packet determined by the network device 102 is mirroring, the network device 102 mirrors the first data packet to the designated address, and the process ends.
  • When the processing action for the second data packet determined by the network device 102 is redirection, the network device 102 changes the forwarding destination address of the first data packet, and ends the process.
  • S417 The network device 102 generates a third data packet according to the second data packet.
  • the network device 102 modifies the second data message to obtain the third data message, including: 1.
  • the network device 102 modifies the destination address of the IPv6 header in the second data message to Segmentlist[SL].
  • the network device 102 sets the value of the SL field of the SRH to 0, and modifies the destination address in the IPv6 header to: End.XTEpg SID3.
  • S419 The network device 102 sends a third data packet.
  • the network device 102 searches for the forwarding entry according to the IPv6 destination address and sends the third data packet.
  • the network device 102 sends a third data packet to the network device 103.
  • After receiving the third data packet sent by the network device 102, the network device 103 obtains the first micro-segmentation segment identifier from the third data packet.
  • The method and optional manner in which the network device 103 obtains the first micro-segment segment identifier from the third data packet are the same as the method and optional manner in which the network device 103 obtains the first micro-segment segment identifier in the method embodiment shown in FIG. 3a. For details, please refer to the detailed description at S321 in the method embodiment shown in FIG. 3a, which is not repeated in this application.
  • the network device 103 determines a processing action on the third data packet according to the first micro-segmentation identifier.
  • The method and optional manner for the network device 103 to determine the processing action on the third data packet according to the first micro-segment segment identifier are the same as those by which the network device 103 in the method embodiment shown in FIG. 3a determines the processing action on the data packet. For details, please refer to the detailed description at S323 in the method embodiment shown in FIG. 3a, which will not be repeated in this application.
  • S425 The network device 103 performs a determined processing action on the third data packet.
  • The method and optional manner for the network device 103 to perform the determined processing action on the third data packet are consistent with the manner in which the network device 103 performs the determined processing action on the second data packet in the method embodiment shown in FIG. 3a.
  • The method and optional manner for the network device 103 to generate a fourth data packet according to the third data packet are the same as the manner in which the network device 103 in the method embodiment shown in FIG. 3a generates a third data packet according to the second data packet.
  • S429 The network device 103 sends a fourth data packet.
  • The method and optional manner for the network device 103 to send the fourth data packet are the same as the manner in which the network device 103 sends the third data packet in the method embodiment shown in FIG. 3a. For details, refer to the detailed description at S329 in that embodiment, which will not be repeated in this application.
  • the method embodiment shown in FIG. 4b provides a flow chart of a method for processing data packets.
  • The main difference between the flow chart and the method embodiment shown in FIG. 4a is that the first network device, the second network device, and the third network device process the message according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • This embodiment is a detailed representation of the method embodiment of FIG. 4a.
  • the detailed steps of the embodiment in FIG. 4b will be repeated here.
  • FIG. 11 is a schematic structural diagram of a second network device provided by an embodiment of the present application.
  • The network device 1100 can execute the methods performed by the second network device (network device 101) shown in FIG. 3a and by the second network device (network device 101) shown in FIG. 4a.
  • the network device 1100 includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103.
  • The receiving unit 1101 can be used to perform, for example, the related methods of receiving the first data message in steps S303 and S305 in the embodiment of FIG. 3a, and can also be used to perform, for example, the related methods of receiving the first data message in steps S403, S404, and S405 in the embodiment of FIG. 4a.
  • the processing unit 1102 can be used to perform, for example, steps S307, S308, S309, and S305 in the embodiment of FIG.
  • the related methods for determining the first micro-segment identifier in S409 and S405; the sending unit 1103 may be used to perform, for example, step S311 in the embodiment of FIG. 3a, and may also be used to perform, for example, step S411 in the embodiment of FIG. 4a.
  • When the second network device provided in the embodiment of FIG. 11 performs the above-mentioned data message processing, only the division of the above-mentioned functional units is used as an example for illustration.
  • The above function allocation may be completed by different functional units, that is, the internal structure of the second network device is divided into different functional units to complete all or part of the functions described above; or a single functional unit is used to complete the functions of the above multiple units.
  • the second network device provided in the foregoing embodiment belongs to the same concept as the foregoing embodiment of the method for determining a forwarding path.
  • Only the steps performed by each unit of the second network device are described as examples, but this does not mean that it does not execute other steps or optional methods in the foregoing embodiments; the specific implementation process is detailed in the method embodiments, which will not be repeated here.
  • Fig. 12 is a schematic structural diagram of a first network device provided by an embodiment of the present application.
  • The network device 1200 can execute the methods performed by the first network device (network device 103) shown in Fig. 3a and by the first network device (network device 103) shown in Fig. 4a.
  • the network device 1200 includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203.
  • the receiving unit 1201 may be used to execute, for example, the related method of receiving the second data packet in step S321 in the embodiment shown in FIG. 3a.
  • the processing unit 1202 may be used to execute, for example, the method of obtaining the first micro-segment segment identifier in steps S323, S325, S337, and S321 in the embodiment shown in FIG. 3a.
  • the sending unit 1203 may be used to perform steps S301 and S319 in the embodiment shown in FIG. 3a, for example.
  • the receiving unit 1201 may be used to execute, for example, the related method of receiving the second data packet in step S413 and the related method of receiving the third data packet in S421 in the embodiment shown in FIG. 4a.
  • the processing unit 1202 may be used to perform, for example, the related method for obtaining the first micro-segmentation identifier in steps S415, S416, S417, S423, S425, S427, and S413 in the embodiment shown in FIG. 4a and the obtaining of the first micro-segmentation segment in S421.
  • the sending unit 1203 may be used to execute steps S401, S402, S419, and S429 in the embodiment shown in FIG. 4a, for example.
  • When the first network device provided in the embodiment of FIG. 12 performs the above-mentioned data message processing, only the division of the above-mentioned functional units is used as an example for illustration.
  • The above-mentioned function allocation may be completed by different functional units, that is, the internal structure of the first network device is divided into different functional units to complete all or part of the functions described above; or a single functional unit is used to complete the functions of the above-mentioned multiple units.
  • the first network device provided in the foregoing embodiment and the foregoing data packet processing method embodiment belong to the same concept.
  • Only the steps performed by each unit of the first network device are described as examples, but this does not mean that it does not execute other steps or optional methods in the above-mentioned embodiment; its specific implementation process is detailed in the method embodiment, which will not be repeated here.
  • The following describes possible product forms of the first network device and the second network device of the embodiments of the present application. It should be understood that all products in any form that have the characteristics of the second network device in FIG. 11, and all products in any form that have the characteristics of the first network device in FIG. 12, fall within the scope of protection of this application. It should also be understood that the following introduction is only an example, and does not limit the product forms of the first network device and the second network device in the embodiments of the present application.
  • FIG. 13 is a schematic structural diagram of a device 1300 provided by an embodiment of the present application.
  • the first network device or the second network device shown in the embodiment of FIG. 3a, or the first network device, the second network device or the third network device shown in the embodiment of FIG. achieve. See the schematic diagram of the device structure shown in Figure 13.
  • the device 1300 includes a main control board and one or more interface boards, and the main control board is in communication connection with the interface board.
  • the main control board is also called the main processing unit (MPU) or route processor card (route processor card).
  • The main control board is responsible for the control and management of each component in the device 1300, including routing calculation, device management and maintenance functions.
  • the interface board is also called a line processing unit (LPU) or a line card (line card), and is used to forward data.
  • the device 1300 may also include a switching network board.
  • the switching network board is in communication connection with the main control board and the interface board.
  • the switching network board is used to forward data between the interface boards.
  • The switching network board may also be called a switch fabric unit (SFU).
  • the interface board includes a central processing unit, a memory, a forwarding chip, and a physical interface card (PIC).
  • the central processing unit is respectively communicatively connected with the memory, the network processor and the physical interface card.
  • the memory is used to store the forwarding table.
  • The forwarding chip is used to forward the received data message based on the forwarding table stored in the memory. If the destination address of the data message is the address of the device 1300, the data message is sent to the central processing unit (CPU), such as the central processing unit 1331, for processing; if the destination address of the data message is not the address of the device 1300, the next hop and outbound interface corresponding to the destination address are found from the forwarding table according to the destination address, and the data message is forwarded to the outgoing interface corresponding to the destination address.
  • the forwarding chip may be a network processor (NP).
  • the PIC is also called a daughter card, which can be installed on the interface board and is responsible for converting the photoelectric signal into a data message, and then forwarding the data message to the forwarding chip for processing after checking the legality of the data message.
  • the central processing unit can also perform the function of a forwarding chip, such as realizing software forwarding based on a general-purpose CPU, so that no forwarding chip is required in the interface board.
  • the communication connection between the main control board, the interface board, and the switching network board can be realized through a bus.
  • the forwarding chip may be implemented by an application-specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
  • the device 1300 includes a control plane and a forwarding plane.
  • the control plane includes a main control board and a central processing unit.
  • the forwarding plane includes various components that perform forwarding, such as memory, PIC, and NP.
  • the control plane performs functions such as routers, generation of forwarding tables, processing of signaling and protocol messages, configuration and maintenance of the status of the equipment, and the control plane sends the generated forwarding tables to the forwarding plane.
  • Based on the forwarding table issued by the control plane, the NP looks up the table and forwards the message received by the PIC of the device 1300.
  • the forwarding table issued by the control plane can be stored in the memory.
  • the control plane and the forwarding plane may be completely separated and not on the same device. The above process will be briefly described below in conjunction with the embodiment of FIG. 3a and FIG. 4a.
  • The second network device in the segmented routing network can receive the first data packet through the physical interface card 1333 and, when it determines that the destination IP address of the first data packet is the address of the network device 1300, the data message is sent to the CPU 1331 for processing.
  • the CPU 1331 can determine the first micro-segment identifier according to the first data packet.
  • the CPU 1331 is further configured to determine the second micro-segmentation segment identifier according to the first data packet.
  • The CPU 1331 is also used to perform corresponding processing actions on the first data message and generate a second data message according to the first micro-segmentation identifier; or to perform corresponding processing actions on the first data message and generate a second data message according to the first micro-segment identifier and the second micro-segment identifier.
  • the CPU 1311 may be configured to receive configuration instructions sent by the controller or the computing unit.
  • the physical interface card 1333 can be used to send a second data packet to the first network device.
  • The second network device or the first network device in the segmented routing network can receive the first data packet through the physical interface card 1333 and, when it determines that the destination IP address of the first data packet is the address of the network device 1300, the data message is sent to the CPU 1331 for processing.
  • the first data message carries the first micro-segment identifier.
  • The first data message also carries the second micro-segment segment identifier.
  • The CPU 1331 is configured to perform corresponding processing actions on the first data message and generate a second data message according to the first micro-segmentation identifier; or to perform corresponding processing actions on the first data message and generate a second data message according to the first micro-segment identifier and the second micro-segment identifier.
  • the CPU 1311 may be configured to receive configuration instructions sent by the controller or the computing unit.
  • the physical interface card 1333 can be used to send a second data packet to the first network device.
  • the network device provided by the embodiment of the present invention may correspond to the first network device, the second network device, or the third network device in the method embodiment described in FIG. 3a or FIG. 4a, and can implement the first network device in each method embodiment described above. Functions and/or various steps and methods implemented by the network device, the second network device, or the third network device.
  • the above is only a brief exemplary description, and for the sake of brevity, it will not be repeated here.
  • There may be one or more main control boards; when there is more than one, they may include an active main control board and a standby main control board.
  • The switching network board may not exist, or there may be one or more. When there is more than one, load sharing and redundant backup can be realized together. Under the centralized forwarding architecture, the network equipment does not need a switching network board, and the interface board undertakes the processing function of the business data of the entire system.
  • the network device can have at least one switching network board, and data exchange between multiple interface boards is realized through the switching network board, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of network equipment with a distributed architecture are greater than those with a centralized architecture.
  • the form of the network device may also have only one board, that is, there is no switching network board, and the functions of the interface board and the main control board are integrated on the one board.
  • In this case, the central processing unit on the interface board and the central processing unit on the main control board can be combined into one central processing unit on this board, which performs the combined functions of the two.
  • The data exchange and processing capacity of this form of equipment is low (for example, network equipment such as low-end switches or routers).
  • the specific architecture used depends on the specific networking deployment scenario, and there is no restriction here.
  • FIG. 14 is a schematic structural diagram of a device 1400 provided by an embodiment of the present application.
  • the first network device or the second network device shown in the embodiment of FIG. 3a, or the first network device, the second network device or the third network device shown in the embodiment of FIG. achieve.
  • the device 1400 includes at least one processor 1401, a communication bus 1402, and at least one communication interface 1404.
  • the device 1400 may further include a memory 1403.
  • the processor 1401 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling program execution of the solution of this application.
  • the processor may be used to process the received message, so as to implement the message processing method provided in the embodiment of the present application.
  • The processor may be used to add, to the received message, an SRH containing the first micro-segment identifier and the second micro-segment identifier, so that other network devices in the subsequent segment routing network can process the data message according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • This corresponds to the processing part of the second network device in the method embodiment shown in Figure 3a or Figure 4a.
  • the first network device in FIG. 3a or FIG. 4a, or the second network device in FIG. 4a is implemented by the network device shown in FIG.
  • first micro-segment segment identifier and the second micro-segment segment identifier in the process, and process the data message according to the first micro-segment segment identifier and the second micro-segment segment identifier.
  • For specific function implementation, please refer to the processing parts of the second network device and the first network device.
  • the communication bus 1402 is used to transfer information between the processor 1401, the communication interface 1404, and the memory 1403.
  • The memory 1403 can be a read-only memory (ROM), such as an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.). Or the memory 1403 may also be a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions.
  • the memory 1403 may exist independently, and is connected to the processor 1401 through a communication bus 1402.
  • the memory 1403 may also be integrated with the processor 1401.
  • the memory 1403 is used to store program codes or instructions for executing the solutions of the present application, and the processor 1401 controls the execution.
  • the processor 1401 is configured to execute program codes stored in the memory 1403.
  • One or more software modules can be included in the program code.
  • the processor 1401 itself may also store program codes or instructions for executing the solutions of the present application.
  • the communication interface 1404 uses any device such as a transceiver to communicate with other devices or communication networks.
  • the communication network may be Ethernet, wireless access network (RAN), or wireless local area networks (WLAN), etc.
  • the communication interface 1404 may be used to receive packets sent by other network devices in the segment routing network, and may also send packets to other network devices in the segment routing network.
  • The communication interface 1404 may be an Ethernet interface, a Fast Ethernet (FE) interface, or a Gigabit Ethernet (GE) interface.
  • the device 1400 may include multiple processors, such as the processor 1401 and the processor 1405 shown in FIG. 14. Each of these processors can be a single-CPU (single-CPU) processor or a multi-core (multi-CPU) processor.
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
  • FIG. 15 is a schematic diagram of a network system 1500 according to an embodiment of this application.
  • the network system provided by the embodiment of the present application may include a first network device 1510 and a second network device 1520, and communication is performed between the first network device 1510 and the second network device 1520.
  • The second network device 1520 may execute the method steps and related optional manners executed by the network device 101 in the embodiment shown in FIG. 3a and FIG. 3b.
  • The first network device 1510 may execute the method steps and related optional manners performed by the network device 102 in the embodiment shown in FIG. 4a or FIG. 4b.
  • The first network device 1510 and the second network device 1520 communicate with each other, and the second network device 1520 can perform the method steps and related optional manners executed by the network device 101 in the embodiment shown in FIG. 3a and FIG. 3b.
  • the first network device 1510 can execute the method steps and related optional manners executed by the network device 103 in the embodiment shown in FIG. 4a or FIG. 4b.
  • the network system also includes a third network device 1530, and the first network device 1510, the second network device 1520, and the third network device communicate with each other, and the second network device 1520 can perform as described above
  • the first network device 1510 can execute the network device 102 in the embodiment shown in FIG. 4a or FIG.
  • the first network device 1530 may execute the method steps and related optional manners executed by the network device 103 in the embodiment shown in FIG. 4a or FIG. 4b.
  • the specific product forms of the network device 101, the network device 102, and the network device 103 are as described above, and will not be repeated here.
  • the disclosed device and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the unit is only a logical function division.
  • There may be other division methods; for example, multiple units or components may be combined or may be integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may also be electrical or other forms of connection.
  • the unit described as a separate component may or may not be physically separated, and the component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or may also be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present application.
  • The processing units in each embodiment of the present application can be dispersed into multiple functional units, can also be integrated in one processing unit, or each unit can exist alone physically, or two or more units can be integrated in one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • In the above-mentioned embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • When implemented using software, firmware, or a combination thereof, it may be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer program instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • The computer program instructions may be transmitted from a website, computer, server, or data center to another website, computer, server or data center through wired or wireless means.
  • the computer-readable storage medium may be any medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more media.
  • the medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, an optical disk), or a semiconductor medium (for example, a solid-state hard disk).

Abstract

The present application provides a data packet processing method and device, and a storage medium and a system. A micro segmentation segment ID identifying a micro segmentation of a network device is applied to a segment routing network, so that when a second network device in the segment routing network receives a data packet forwarded in the segment routing network, a micro segmentation segment ID of a micro segmentation of a corresponding first network device is determined according to the data packet, and the micro segmentation segment ID is carried in the process of forwarding the data packet. When the data packet is forwarded in the segment routing network, a network device in the segment routing network can process the data packet based on the micro segmentation segment ID, to realize access control of the data packet based on the micro segmentation. According to the method, the configuration complexity of the network can be reduced.

Description

一种数据报文的处理方法、设备、存储介质及系统Method, equipment, storage medium and system for processing data message
本申请要求在2019年11月15日提交中华人民共和国知识产权局、申请号为201911122088.3、申请名称为“一种数据报文的处理方法、设备、存储介质及系统”的中国专利申请的优先权,这篇中国专利申请的全部内容通过引用结合在本申请中。This application requires the priority of a Chinese patent application filed with the Intellectual Property Office of the People's Republic of China, the application number is 201911122088.3, and the application name is "a data message processing method, equipment, storage medium and system" on November 15, 2019 , The entire content of this Chinese patent application is incorporated into this application by reference.
技术领域Technical field
本申请涉及通信领域,一种数据报文的处理方法、设备、存储介质及系统。This application relates to the field of communications, a method, equipment, storage medium and system for processing data messages.
背景技术Background technique
微分段(micro segmentation,MS):是一种可以基于(Internet Protocol,IP)地址、IP网段、媒体访问控制(Media Access Control,MAC)地址、虚拟机(virtual machine,VM)名称、容器、操作系统等来实现子网划分的虚拟网络划分方式,可以支持细粒度的网络隔离,例如属于相同虚拟局域网(virtual local network,VLAN)的不同设备之间也能实现相互隔离。通常,一个微分段对应一个端点组。Micro segmentation (MS): It is a type that can be based on (Internet Protocol, IP) address, IP network segment, Media Access Control (MAC) address, virtual machine (VM) name, container, The virtual network division method that the operating system implements the subnet division can support fine-grained network isolation. For example, different devices belonging to the same virtual local network (virtual local network, VLAN) can also be isolated from each other. Generally, a micro-segment corresponds to an endpoint group.
端点组(end point group,EPG)是一组具有相同特征的端点的集合,端点提供应用或服务,例如端点可以是虚拟机。端点组表示一组应用或服务,这些应用或服务被分组到一个微分段中,可以具有相同的安全策略等级。An endpoint group (EPG) is a set of endpoints with the same characteristics. The endpoints provide applications or services. For example, the endpoints can be virtual machines. An endpoint group represents a group of applications or services. These applications or services are grouped into a micro-segment and can have the same security policy level.
分段路由(segment routing,SR)是基于源路由的理念而设计的在网络中转发数据报文的一种协议。在SR网络中,通过头节点往数据报文中插入一组有序的段标识来显示地指定数据报文的转发路径。当SR应用于多协议标签交换(multi-protocol label Switching,MPLS)数据平面时,则称为基于MPLS的分段路由(MPLS-SR或SR-MPLS),当SR应用于互联网协议第6版(Internet Protocol Version 6,IPv6)数据平面时,则称为基于IPv6的分段路由(SRv6)。Segment routing (SR) is a protocol designed to forward data messages in a network based on the concept of source routing. In the SR network, the head node inserts a set of ordered segment identifiers into the data message to explicitly specify the forwarding path of the data message. When SR is applied to the multi-protocol label switching (MPLS) data plane, it is called MPLS-based segment routing (MPLS-SR or SR-MPLS). When SR is applied to Internet Protocol version 6 ( Internet Protocol Version 6, IPv6) data plane, it is called segment routing based on IPv6 (SRv6).
段标识(segment ID,SID),代表一个节点或者一条链路。在SRv6中,SID表现为一个128比特的值;在SR-MPLS中,SID表现为一个标签值,一个SRv6的段标识中可以包括功能部分,该功能部分指示发布该段标识的网络设备需要执行对应的动作。Segment ID (Segment ID, SID) represents a node or a link. In SRv6, the SID is represented as a 128-bit value; in SR-MPLS, the SID is represented as a label value. An SRv6 segment identifier can include a functional part, which indicates that the network device that issues the segment identifier needs to execute The corresponding action.
Segment identifier list (segment ID list, SID list): a list containing a group of segment identifiers. After receiving a data packet, the head node in a segment routing network can insert one SID list into the packet to explicitly indicate a forwarding path.
In the prior art, when different micro-segments need to access each other or be subject to security policy control, and that access and those security policies need to take effect in a segment routing network, a large amount of configuration is required, such as configuring on every device the correspondence between all relevant IP addresses in the entire network and their micro-segments. The configuration is complex and, in a sense, basically impracticable.
Summary of the invention
This application provides a data packet processing method and apparatus for implementing access control of data packets in a segment routing network according to micro-segment information, reducing configuration complexity.
In a first aspect, a data packet processing method is provided, including: a first network device in a segment routing network receives a first data packet, where the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier identifies a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; the first network device determines a processing action for the first data packet according to the first micro-segment segment identifier; and the first network device performs the processing action on the first data packet.
A network device in the SR network obtains the micro-segment segment identifier directly from the received data packet and then performs the corresponding processing action on the packet according to that identifier. This reduces the complexity of network configuration and further reduces the number of table lookups the network device performs when implementing access control of data packets based on micro-segments.
In a possible implementation, the first network device determining the processing action for the first data packet according to the first micro-segment segment identifier includes: the first network device determines the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
By determining the processing action directly from the correspondence between the micro-segment segment identifier and the processing action, a network device in the SR network reduces the number of table lookups it performs when implementing access control of data packets based on micro-segments.
In a possible implementation, the first network device performing the processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device obtains a first micro-segment directly from the first micro-segment segment identifier; and the first network device performs the processing action on the first data packet according to the first micro-segment.
A network device in the SR network obtains the micro-segment segment identifier directly from the received data packet, obtains the micro-segment directly from that identifier, and then performs the corresponding processing action on the packet according to the micro-segment. This reduces the complexity of network configuration and further reduces the number of table lookups the network device performs when implementing access control of data packets based on micro-segments.
In a possible implementation, the first network device and the second network device are the same network device, and the first micro-segment segment identifier includes a function part. Before the first network device determines the processing action for the first data packet according to the first micro-segment segment identifier, the method further includes: the first network device determines that the function part indicates that the first network device is to determine the processing action for the first data packet according to the first micro-segment segment identifier.
Having the function part of the segment identifier directly instruct the network device to perform the determining action reduces the amount of network configuration.
In a possible implementation, the first data packet further includes a second micro-segment segment identifier, which identifies a micro-segment of a third network device in the segment routing network. The first network device performing the processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device performs the processing action on the first data packet according to the first micro-segment segment identifier and the second micro-segment segment identifier.
In a possible implementation, the first network device performing the processing action according to the first micro-segment segment identifier and the second micro-segment segment identifier includes: the first micro-segment segment identifier includes a first micro-segment, and the second micro-segment segment identifier includes a second micro-segment; the first network device performs the processing action on the first data packet according to the first micro-segment and the second micro-segment.
In a possible implementation, the first data packet further includes a second micro-segment segment identifier, which identifies a micro-segment of a third network device in the segment routing network, and the first micro-segment segment identifier and the second micro-segment segment identifier are added to the first data packet by the third network device. The first network device determining the processing action for the first data packet according to the first micro-segment segment identifier includes: the first network device determines the processing action for the first data packet according to a correspondence between a matching condition and the processing action, where the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
Carrying both the first and second micro-segment segment identifiers in the data packet, or using the first micro-segment and the second micro-segment as the matching condition for access policy control of the data packet, allows finer-grained access policy configuration and further reduces the configuration workload.
In a possible implementation, the segment identifier list of the first data packet includes the first micro-segment segment identifier.
In a possible implementation, the segment identifier list further includes the second micro-segment segment identifier, or the first data packet further includes metadata and the metadata includes the second micro-segment segment identifier.
In a possible implementation, the second micro-segment segment identifier is carried in the source/destination address of the packet header of the first data packet.
In a possible implementation, the segment identifier list is carried in the segment routing header or the multi-protocol label switching label stack of the first data packet.
Carrying the first micro-segment segment identifier in the segment identifier list, and carrying that list in the segment routing header or multi-protocol label switching label stack of the second data packet, lets the network device reuse the control and forwarding mechanisms of the segment routing network and reduces the complexity of implementing the solution of the present invention.
Carrying the second micro-segment segment identifier in the segment identifier list or in metadata is similar to carrying the micro-segment characteristics of the data packet directly in the packet. It helps other devices in the segment routing network obtain the second micro-segment segment identifier without complex configuration or repeated table lookups, which reduces the overall overhead of the segment routing network devices.
In a possible implementation, the segment routing header of the first data packet further includes a carrying flag, which identifies how the second micro-segment segment identifier is carried.
By carrying, in the segment routing header of the first data packet, a carrying flag that identifies how the second micro-segment segment identifier is carried, the network device enables the first network device to obtain the second micro-segment segment identifier directly from the position the carrying flag indicates.
In a possible implementation, the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
Supporting multiple processing actions allows the solution of the present invention to match the requirements of a variety of network services and to cover more application scenarios.
In a possible implementation, the second network device and the first network device are the same device.
In a possible implementation, the first network device sends an advertisement message that carries the first micro-segment segment identifier; or the first network device sends a border network protocol link state message that carries the first micro-segment segment identifier; or the first network device sends a path computation element communication protocol message that carries the first micro-segment segment identifier.
In these ways, the first network device can publish the micro-segment segment identifier that identifies its own micro-segment, so that other network devices in the segment routing network can obtain the first network device's micro-segment segment identifier information. This advertises to the other network devices in the segment routing network that the first network device is capable of processing data packets according to micro-segment segment identifiers, along with the corresponding routing information and the like.
In a possible implementation, when the processing action includes forwarding or marking, the first network device performing the processing action on the first data packet includes: the first network device generates a second data packet that does not include the first micro-segment segment identifier; and the first network device sends the second data packet.
In a possible implementation, when the processing action includes forwarding or marking, the first network device performing the processing action on the first data packet according to the first micro-segment segment identifier includes: the first network device strips the segment identifier list from the first data packet to obtain a second data packet; when the second micro-segment segment identifier is carried in the metadata, the first network device also strips the metadata from the first data packet to obtain the second data packet; and the first network device sends the second data packet.
After receiving the second data packet, the first network device (the tail node) strips the SRH from the packet and, when the second micro-segment segment identifier is carried in metadata, also strips the metadata. Stripping the information that relates to the segment routing network in this way is similar to restoring the forwarded data packet, and avoids affecting the packet's subsequent forwarding.
In a possible implementation, the second network device and the first network device are different devices.
In a possible implementation, the first data packet further includes a micro-segment node segment identifier. The micro-segment node segment identifier is a segment identifier of the first network device and instructs the first network device to process the first data packet according to the first micro-segment segment identifier.
In a possible implementation, the first network device sends an advertisement message that carries the micro-segment node segment identifier; or the first network device sends a border network protocol link state message that publishes the micro-segment node segment identifier; or the first network device sends a path computation element communication protocol message that carries the micro-segment node segment identifier.
With these optional approaches, an intermediate node in the segment routing network publishes its micro-segment node segment identifier, so that when the first network device generates the second data packet from the first data packet, it can carry the micro-segment node segment identifier in the second data packet. The intermediate node can then also perform a processing action on the data packet according to the first and second micro-segment segment identifiers that the packet carries.
In a second aspect, a data packet processing method is provided, including: a first network device in a segment routing network receives a first data packet; the first network device determines a first micro-segment segment identifier according to the first data packet, where the first micro-segment segment identifier identifies a micro-segment of a second network device in the segment routing network, the first data packet does not include the first micro-segment segment identifier, and the first data packet is a data packet sent to the second network device; the first network device determines a processing action for the first data packet according to the first micro-segment segment identifier; and the first network device performs the processing action on the first data packet.
The head node in the SR network can, based on a received data packet, look up a segment identifier table using the longest-match principle to determine the micro-segment segment identifier of the tail node to which the packet is to be sent (which may be called the destination micro-segment segment identifier). The relationship between the IP addresses of all devices in the entire network and their micro-segments does not need to be configured on the head node, which reduces the complexity of network configuration.
In a possible implementation, the first network device determining the processing action for the first data packet according to the first micro-segment segment identifier includes:
the first network device determines the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
In a possible implementation, before the second network device performs the processing action on the first data packet according to the first micro-segment segment identifier, the method further includes: the second network device obtains a correspondence, where the correspondence includes a mapping between the first micro-segment segment identifier and the processing action.
In a possible implementation, the second network device performing the processing action on the first data packet according to the first micro-segment segment identifier includes: the second network device performs the processing action according to the first micro-segment segment identifier and a second micro-segment segment identifier, where the second micro-segment segment identifier identifies a micro-segment of the second network device. The method further includes: the second network device determines the second micro-segment segment identifier according to the received first data packet.
In a possible implementation, the second network device performing the processing action according to the first micro-segment segment identifier and the second micro-segment segment identifier includes: the first micro-segment segment identifier includes a first micro-segment, and the second micro-segment segment identifier includes a second micro-segment; the second network device performs the processing action on the first data packet according to the first micro-segment and the second micro-segment.
In this way, the head node uses the destination micro-segment segment identifier described above and the head node's own micro-segment segment identifier (which may be called the source micro-segment segment identifier) as the matching condition for access policy control of the data packet. Alternatively, the head node network device can determine the micro-segment that corresponds to the source micro-segment segment identifier (which may be called the source micro-segment) and the destination micro-segment described above, and then use the source micro-segment and the destination micro-segment as the matching condition for access policy control of the data packet. This allows finer-grained access policy control.
In a possible implementation, the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
Supporting multiple processing actions allows the solution of the present invention to match the requirements of a variety of network services and to cover more application scenarios.
In a possible implementation, the first micro-segment segment identifier includes a function part, and the function part indicates that the second network device is to determine the processing action for the first data packet according to the first micro-segment segment identifier.
Having the function part of the segment identifier directly instruct the network device to perform the determining action reduces the amount of network configuration.
In a possible implementation, the first network device further determines the second micro-segment segment identifier according to the received first data packet, where the second micro-segment segment identifier identifies a micro-segment of the first network device. The first network device determining the processing action for the first data packet according to the first micro-segment segment identifier includes: the first network device determines the processing action for the first data packet according to a correspondence between a matching condition and the processing action, where the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
Using the first micro-segment segment identifier and the second micro-segment segment identifier as the matching condition allows finer-grained access policy control of data packets.
In a possible implementation, when the processing action includes forwarding or marking, the second network device performing the processing action on the first data packet according to the first micro-segment segment identifier includes: the second network device generates a second data packet according to the first data packet, where the second data packet includes a segment identifier list and the segment identifier list includes the first micro-segment segment identifier; and the second network device sends the second data packet to the first network device.
After the second network device determines the first micro-segment segment identifier according to the data packet, it carries that identifier in the second data packet it generates. The first micro-segment segment identifier therefore only needs to be added to subsequent data packets at the second network device, for example the head node that forwards the first data packet in the segment routing network, and other network devices do not need to determine the first endpoint group segment representation again. This reduces the overall overhead of the network devices.
In a possible implementation, the segment identifier list further includes the second micro-segment segment identifier, or the second data packet further includes metadata and the metadata includes the second micro-segment segment identifier.
In a possible implementation, the second micro-segment segment identifier is carried in the source/destination address of the packet header of the second data packet.
Carrying the second micro-segment segment identifier in the segment identifier list or in metadata is similar to carrying the micro-segment characteristics of the data packet directly in the packet. It helps other devices in the segment routing network obtain the second micro-segment segment identifier without repeated comparison and computation, which reduces the overall overhead of the segment routing network devices.
In a possible implementation, the segment identifier list is carried in the segment routing header or the multi-protocol label switching (MPLS) label stack of the second data packet.
Carrying the first micro-segment segment identifier in the segment identifier list, and carrying that list in the segment routing header or MPLS label stack of the second data packet, reuses the control and forwarding mechanisms of the segment routing network and reduces the complexity of implementing the solution of the present invention.
In a possible implementation, the segment routing header of the second data packet further includes a carrying flag, which identifies how the second micro-segment segment identifier is carried.
Carrying, in the segment routing header of the second data packet, a carrying flag that identifies how the second micro-segment segment identifier is carried enables the network device that receives the second data packet to obtain the second micro-segment segment identifier directly from the position the carrying flag indicates.
In a possible implementation, the second network device further obtains a micro-segment node segment identifier of a third network device, where the micro-segment node segment identifier instructs the third network device to process the first data packet according to the first micro-segment segment identifier; the segment identifier list further includes the micro-segment node segment identifier.
The second network device obtains the micro-segment node segment identifier of the third network device, for example an intermediate node that forwards the first data packet in the segment routing network. When the second network device generates the second data packet from the first data packet, it can therefore carry the micro-segment node segment identifier in the second data packet, so that the intermediate network node that published the micro-segment node segment identifier can also perform a processing action on the data packet according to the first micro-segment segment identifier that the packet carries.
In a possible implementation, the second network device receives a configuration instruction and obtains the second micro-segment segment identifier from the configuration instruction; or the second network device generates the second micro-segment node segment identifier.
In a possible implementation, the second network device sends an advertisement message that carries the second micro-segment segment identifier; or the second network device sends a border network protocol link state message that carries the second micro-segment segment identifier; or the second network device sends a path computation element communication protocol message that carries the second micro-segment segment identifier.
In these ways, the second network device can also publish the micro-segment segment identifier that identifies its own micro-segment, so that other network devices in the segment routing network can also obtain the second network device's micro-segment segment identifier information. This advertises to the other network devices in the segment routing network that the second network device is capable of processing data packets according to micro-segment segment identifiers, along with the corresponding routing information and the like.
In a possible implementation, the second micro-segment segment identifier includes a function part, and the function part indicates that the first network device is to determine the processing action for the first data packet according to the second micro-segment segment identifier.
Having the function part of the segment identifier directly instruct the network device to perform the determining action reduces the amount of network configuration.
In a possible implementation, the second network device determining the second micro-segment segment identifier according to the received first data packet includes: the second network device determines the second micro-segment segment identifier according to the source address of the first data packet, or the second network device determines the second micro-segment segment identifier according to the interface on which the first data packet was received.
通过以上方式,网络设备可以通过多种方式确定第一数据报文对应的第二微分段段标识,不用仅仅限定在一种方案中,方案应用场景更丰富。In the above manner, the network device can determine the second micro-segment segment identifier corresponding to the first data packet in multiple ways, and it is not limited to only one solution, and the solution application scenarios are more abundant.
在一种可能的方式中,所述第二网络设备根据所述第一数据报文确定第一微分段段标识,包括:所述第二网络设备根据所述第一数据报文的目的地址或区分服务编码点确定所述第一微分段段标识。In a possible manner, the second network device determining the first micro-segment segment identifier according to the first data packet includes: the second network device determines the first micro-segment segment identifier according to the destination address or distinction of the first data packet The service code point determines the first micro-segment segment identifier.
根据第一数据报文的目的地址或区分服务编码点确定第一微分段段标识的方法,不需 要为本方案增加额外的特征信息来确定第一微分段段标识,方案使用范围更广。The method of determining the first micro-segment segment identifier according to the destination address of the first data message or the differentiated services code point does not need to add additional feature information to the solution to determine the first micro-segment segment identifier, and the solution has a wider application range.
在一种可能的方式中,所述第二网络设备接收所述第二网络设备发送的通告报文,通过所述通告报文获得所述第一微分段段标识;或所述第二网络设备接收控制器或路径计算单元发送所述第一微分段段标识。In a possible manner, the second network device receives a notification message sent by the second network device, and obtains the first micro-segment segment identifier through the notification message; or the second network device receives The controller or the path calculation unit sends the first micro-segment segment identifier.
通过以上可选方式,网络设备通过多种方式接收段路由网络中其他网络设备发布的微分段段标识,使得本发明可以在多种段路由网络场景中进行使用。Through the above optional methods, the network device receives the micro-segment segment identifiers issued by other network devices in the segment routing network in a variety of ways, so that the present invention can be used in multiple segment routing network scenarios.
In a third aspect, a first network device is provided. The first network device is applied to a segment routing network and includes: a receiving unit, configured to receive a first data packet, where the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; a processing unit, configured to determine a processing action for the first data packet according to the first micro-segment segment identifier; and the processing unit is configured to perform the processing action on the first data packet.
In a possible manner, the processing unit being configured to determine the processing action for the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to determine the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
In a possible manner, the first network device and the second network device are the same network device, the first micro-segment segment identifier includes a functional part, and before the processing unit determines the processing action for the first data packet according to the first micro-segment segment identifier, the processing unit is further specifically configured to: determine that the functional part is used to instruct the processing unit to determine the processing action for the first data packet according to the first micro-segment segment identifier.
In a possible manner, the first data packet further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, and the processing unit being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to perform the processing action on the first data packet according to the first micro-segment segment identifier and the second micro-segment segment identifier.
In a possible manner, the segment identifier list of the first data packet includes the first micro-segment segment identifier.
In a possible manner, the segment identifier list further includes the second micro-segment segment identifier, or the first data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
In a possible manner, the segment identifier list is carried in the segment routing header or the multi-protocol label switching label stack of the second data packet.
In a possible manner, the segment routing header of the first data packet further includes a carrying flag, and the carrying flag identifies the manner in which the second micro-segment segment identifier is carried.
In a possible manner, the first network device further includes a sending unit, and the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
In a possible manner, the second network device and the first network device are the same device.
In a possible manner, the sending unit is configured to send a notification message, the notification message carrying the first micro-segment segment identifier; or the sending unit is configured to send a border network protocol link state message, the link state message carrying the first micro-segment segment identifier; or the sending unit is configured to send a path computation element communication protocol message, the path computation element communication protocol message carrying the first micro-segment segment identifier.
In a possible manner, the first network device further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit performing the processing action on the first data packet is specifically: the processing unit generates a second data packet, where the second data packet does not include the first micro-segment segment identifier; and the sending unit is configured to send the second data packet.
In a possible manner, when the processing action includes forwarding or marking, the processing unit being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to strip the segment identifier list from the first data packet to obtain a second data packet; when the second micro-segment segment identifier is carried in the metadata, the processing unit is further configured to strip the metadata from the first data packet to obtain the second data packet; and the first network device sends the second data packet.
In a possible manner, the second network device and the first network device are different devices.
In a possible manner, the first data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of the first network device, and the micro-segment node segment identifier is used to instruct the first network device to process the first data packet according to the first micro-segment segment identifier.
In a possible manner, the first network device and the second network device are different devices, the first data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of the first network device, the micro-segment node segment identifier includes a functional part, and the functional part is used to instruct the processing unit to determine the processing action for the first data packet according to the first micro-segment segment identifier.
In a possible manner, the sending unit is configured to: send a notification message, the notification message carrying the micro-segment node segment identifier; or send a border network protocol link state message, the link state message advertising the micro-segment node segment identifier; or send a path computation element communication protocol message, the path computation element communication protocol message carrying the micro-segment node segment identifier.
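The following Python sketch is an added illustration, not part of the application: it models an ingress device that derives the micro-segment segment identifiers from a packet's destination and source addresses, and a receiving device that maps the identifier pair to a processing action and strips the segment identifier list and metadata before forwarding or marking. The identifier values, address tables, policy table, default-discard rule, carrying-flag values, metadata key, list ordering and DSCP marking value are all constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(Enum):
    # Redirecting and mirroring, also named in the text, are left out of this sketch.
    FORWARD = "forward"
    DISCARD = "discard"
    MARK = "mark"


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0
    sid_list: list = field(default_factory=list)   # segment identifier list
    metadata: dict = field(default_factory=dict)
    carry_flag: Optional[str] = None               # how the source identifier is carried


# Constructed sample data (documentation address ranges, hypothetical identifiers).
HR, GUEST, VOICE = "2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"
PAYROLL = "2001:db8:2::a"
SRC_SEGMENTS = {ip_network("192.0.2.0/26"): HR,
                ip_network("192.0.2.64/26"): GUEST,
                ip_network("192.0.2.128/26"): VOICE}
DST_SEGMENTS = {ip_network("198.51.100.0/24"): PAYROLL}
# Correspondence between (source, destination) identifiers and the action.
POLICY = {(HR, PAYROLL): Action.FORWARD,
          (GUEST, PAYROLL): Action.DISCARD,
          (VOICE, PAYROLL): Action.MARK}
DEFAULT_ACTION = Action.DISCARD   # assumption: unknown pairs are dropped
MARK_DSCP = 46                    # assumption: "marking" rewrites the DSCP
SRC_KEY = "src_microseg_sid"      # hypothetical metadata key


def lookup_sid(addr, table):
    """Longest-prefix match of an address against a micro-segment table."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, sid) for net, sid in table.items() if ip in net]
    return max(matches)[1] if matches else None


def encapsulate(pkt, src_in_metadata=False):
    """Ingress side: derive both identifiers and attach them to a copy."""
    dst_sid = lookup_sid(pkt.dst, DST_SEGMENTS)
    if dst_sid is None:
        return pkt                       # destination is in no micro-segment
    out = replace(pkt, sid_list=[dst_sid], metadata=dict(pkt.metadata))
    src_sid = lookup_sid(pkt.src, SRC_SEGMENTS)
    if src_sid is None:
        return out                       # source unknown: no carrying flag set
    if src_in_metadata:
        out.metadata[SRC_KEY] = src_sid
        out.carry_flag = "metadata"
    else:
        out.sid_list.append(src_sid)
        out.carry_flag = "sid-list"
    return out


def process(pkt):
    """Receiving side: return (action, outgoing packet or None)."""
    if not pkt.sid_list:
        return DEFAULT_ACTION, None      # no identifier to evaluate
    dst_sid = pkt.sid_list[0]
    if pkt.carry_flag == "metadata":
        src_sid = pkt.metadata.get(SRC_KEY)
    elif pkt.carry_flag == "sid-list" and len(pkt.sid_list) > 1:
        src_sid = pkt.sid_list[1]
    else:
        src_sid = None                   # missing source falls to the default
    action = POLICY.get((src_sid, dst_sid), DEFAULT_ACTION)
    if action is Action.DISCARD:
        return action, None
    # Forwarding or marking: strip the identifier list and the metadata.
    out = replace(pkt, sid_list=[], metadata={}, carry_flag=None)
    if action is Action.MARK:
        out.dscp = MARK_DSCP
    return action, out


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.70", "192.0.2.130", "203.0.113.9"):
        tagged = encapsulate(Packet(src, "198.51.100.5"), src_in_metadata=True)
        print(src, tagged.sid_list, tagged.metadata, process(tagged)[0].value)
```

A packet whose source falls in no configured micro-segment carries no source identifier and therefore hits the default action, which is the case worth checking first when a policy table is deployed.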
In a fourth aspect, a second network device is provided, which is applied to a segment routing network and includes:
a receiving unit, configured to receive a first data packet; a processing unit, configured to determine a first micro-segment segment identifier according to the first data packet, where the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data packet does not include the first micro-segment segment identifier, and the first data packet is a data packet sent to the second network device; the processing unit is further configured to determine a processing action for the first data packet according to the first micro-segment segment identifier; and the processing unit is further configured to perform the processing action on the first data packet.
In a possible manner, the processing unit being further configured to determine the processing action for the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to determine the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
In a possible manner, the first micro-segment segment identifier includes a functional part, and the functional part is used to instruct the second network device to determine the processing action for the first data packet according to the first micro-segment segment identifier.
In a possible manner, the processing unit being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to perform the processing action according to the first micro-segment segment identifier and a second micro-segment segment identifier, where the second micro-segment segment identifier is used to identify a micro-segment of the second network device; and the processing unit is further configured to determine the second micro-segment segment identifier according to the received first data packet.
In a possible manner, the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
In a possible manner, the second network device further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit being further configured to perform the processing action on the first data packet is specifically: the processing unit is configured to generate a second data packet according to the first data packet, where the second data packet includes the first micro-segment segment identifier; and the sending unit is configured to send the second data packet to the second network device.
In a possible manner, the second micro-segment segment identifier includes a functional part, and the functional part is used to instruct the first network device to determine the processing action for the first data packet according to the second micro-segment segment identifier.
In a possible manner, the processing unit further includes a sending unit, and when the processing action includes forwarding or marking, the processing unit performing the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processing unit is configured to generate a second data packet according to the first data packet, where the second data packet includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier; and the sending unit is configured to send the second data packet to the first network device.
In a possible manner, the segment identifier list further includes the second micro-segment segment identifier, or the second data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
In a possible manner, the receiving unit is further configured to receive a micro-segment node segment identifier of a third network device, where the micro-segment node segment identifier is used to instruct the third network device to process the first data packet according to the first micro-segment segment identifier; and the segment identifier list further includes the micro-segment node segment identifier.
In a possible manner, the segment identifier list is carried in the segment routing header or the multi-protocol label switching (MPLS) label stack of the second data packet.
In a possible manner, the segment routing header of the second data packet further includes a carrying flag, and the carrying flag identifies the manner in which the second micro-segment segment identifier is carried.
In a possible manner, the receiving unit is further configured to receive a configuration instruction and obtain the second micro-segment segment identifier from the configuration instruction; or the processing unit is further configured to generate the second micro-segment node segment identifier.
In a possible manner, the sending unit is configured to send a notification message, the notification message carrying the second micro-segment segment identifier; or the sending unit is configured to send a border network protocol link state message, the link state message carrying the second micro-segment segment identifier; or the sending unit is configured to send a path computation element communication protocol message, the path computation element communication protocol message carrying the second micro-segment segment identifier.
In a possible manner, the processing unit being further configured to determine the second micro-segment segment identifier according to the received first data packet is specifically: the processing unit is configured to determine the second micro-segment segment identifier according to the source address of the first data packet, or the processing unit is configured to determine the second micro-segment segment identifier according to the interface on which the first data packet is received.
In a possible manner, the processing unit being configured to determine the first micro-segment segment identifier according to the first data packet is specifically: the processing unit is configured to determine the first micro-segment segment identifier according to the destination address or the differentiated services code point of the first data packet.
In a possible manner, the receiving unit is further configured to receive the first micro-segment segment identifier in a notification message sent by the second network device; or the receiving unit is further configured to receive the first micro-segment segment identifier sent by a controller or a path computation element.
In a fifth aspect, a first network device is provided, which is applied to a segment routing network and includes: a communication interface, a memory, and a processor; the communication interface is configured to receive a first data packet, where the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; the processor is configured to determine a processing action for the first data packet according to the first micro-segment segment identifier; and the processor performs the processing action on the first data packet.
In a possible manner, the processor determining the processing action for the first data packet according to the first micro-segment segment identifier includes: the processor determines the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
In a possible manner, the first network device and the second network device are the same network device, the first micro-segment segment identifier includes a functional part, and before the processor determines the processing action for the first data packet according to the first micro-segment segment identifier, the processor is further configured to: determine that the functional part is used to instruct the first network device to determine the processing action for the first data packet according to the first micro-segment segment identifier.
In a possible manner, the first data packet further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, and the processor being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is further configured to perform the processing action on the first data packet according to the first micro-segment segment identifier and the second micro-segment segment identifier.
In a possible manner, the segment identifier list of the first data packet includes the first micro-segment segment identifier.
In a possible manner, the segment identifier list further includes the second micro-segment segment identifier, or the first data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
In a possible manner, the segment identifier list is carried in the segment routing header or the multi-protocol label switching (MPLS) label stack of the second data packet.
In a possible manner, the segment routing header of the first data packet further includes a carrying flag, and the carrying flag identifies the manner in which the second micro-segment segment identifier is carried.
In a possible manner, the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
In a possible manner, the second network device and the first network device are the same device.
In a possible manner, the communication interface is further configured to send a notification message, the notification message carrying the first micro-segment segment identifier; or the communication interface is further configured to send a border network protocol link state message, the link state message carrying the first micro-segment segment identifier; or the communication interface is further configured to send a path computation element communication protocol message, the path computation element communication protocol message carrying the first micro-segment segment identifier.
In a possible manner, when the processing action includes forwarding or marking, the processor being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is configured to strip the segment identifier list from the first data packet to obtain a second data packet; when the processor determines that the second micro-segment segment identifier is carried in the metadata, the processor is further configured to strip the metadata from the first data packet to obtain the second data packet; and the communication interface is further configured to send the second data packet.
In a possible manner, the second network device and the first network device are different devices.
In a possible manner, the first data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of the first network device, and the micro-segment node segment identifier is used to instruct the first network device to process the first data packet according to the first micro-segment segment identifier.
In a possible manner, the communication interface is further configured to send a notification message, the notification message carrying the micro-segment node segment identifier; or the communication interface is further configured to send a border network protocol link state message, the link state message advertising the micro-segment node segment identifier; or the communication interface is further configured to send a path computation element communication protocol message, the path computation element communication protocol message carrying the micro-segment node segment identifier.
In a sixth aspect, a second network device is provided. The second network device is applied to a segment routing network and includes: a communication interface, a memory, and a processor; the communication interface is configured to receive a first data packet; the processor is configured to determine a first micro-segment segment identifier according to the first data packet, where the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data packet does not include the first micro-segment segment identifier, and the first data packet is a data packet sent to the second network device; the processor is further configured to determine a processing action for the first data packet according to the first micro-segment segment identifier; and the processor is further configured to perform the processing action on the first data packet.
In a possible manner, the processor being configured to determine the processing action for the first data packet according to the first micro-segment segment identifier is specifically: the processor determines the processing action for the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
In a possible manner, the processor being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor performs the processing action according to the first micro-segment segment identifier and a second micro-segment segment identifier, where the second micro-segment segment identifier is used to identify a micro-segment of the second network device; and the processor is further specifically configured to determine the second micro-segment segment identifier according to the received first data packet.
In a possible manner, the communication interface is further configured to receive a notification message sent by the second network device, and the processor is further configured to obtain the first micro-segment segment identifier from the notification message; or the communication interface is further configured to receive a control message sent by a controller or a path computation element, and the processor is further configured to obtain the first micro-segment segment identifier from the control message.
In a possible manner, the processing action includes: forwarding, discarding, marking, redirecting, or mirroring.
In a possible manner, when the processing action includes forwarding or marking, the processor being configured to perform the processing action on the first data packet according to the first micro-segment segment identifier is specifically: the processor is configured to generate a second data packet according to the first data packet, where the second data packet includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier; and the communication interface is configured to send the second data packet to the first network device.
In a possible manner, the segment identifier list further includes the second micro-segment segment identifier, or the second data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
In a possible manner, the segment identifier list is carried in the segment routing header or the multi-protocol label switching (MPLS) label stack of the second data packet.
In a possible manner, the segment routing header of the second data packet further includes a carrying flag, and the carrying flag identifies the manner in which the second micro-segment segment identifier is carried.
In a possible manner, the processor is further configured to obtain a micro-segment node segment identifier of a third network device, where the micro-segment node segment identifier is used to instruct the third network device to process the first data packet according to the first micro-segment segment identifier; and the segment identifier list further includes the micro-segment node segment identifier.
In a possible manner, the communication interface is configured to receive a configuration instruction, and the processor is configured to obtain the second micro-segment segment identifier from the configuration instruction; or the processor is configured to generate the second micro-segment node segment identifier.
In a possible manner, the sending unit is configured to send a notification message, the notification message carrying the second micro-segment segment identifier; or the sending unit is configured to send a border network protocol link state message, the link state message carrying the second micro-segment segment identifier; or the sending unit is configured to send a path computation element communication protocol message, the path computation element communication protocol message carrying the second micro-segment segment identifier.
The various possible implementations of the sixth aspect may be reasonably combined with one another, and each of them may be reasonably combined with the sixth aspect itself.
According to a seventh aspect, a network device is provided. The network device includes a main control board and an interface board, and may further include a switching fabric board. The network device is configured to perform the method in the first aspect or any possible implementation of the first aspect. Specifically, the network device includes modules for performing the method in the first aspect or any possible implementation of the first aspect.
According to an eighth aspect, a network device is provided. The network device includes a main control board and an interface board, and may further include a switching fabric board. The network device is configured to perform the method in the second aspect or any possible implementation of the second aspect. Specifically, the network device includes modules for performing the method in the second aspect or any possible implementation of the second aspect.
According to a ninth aspect, a network system is provided. The network system includes a first network device and a second network device. The first network device is the first network device provided in any optional manner of the third aspect or the fifth aspect, and the first network device is the second network device provided in any optional manner of the fourth aspect or the sixth aspect.
According to a tenth aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, and the instruction is loaded by a processor to execute the data packet processing method provided in the first aspect and any optional manner of the first aspect, or the data packet processing method provided in the second aspect and any optional manner of the second aspect.
According to an eleventh aspect, a computer program is provided. The computer program includes instructions for performing the method described in the first aspect or any optional manner of the first aspect.
According to a twelfth aspect, a computer program is provided. The computer program includes instructions for performing the method described in the second aspect or any optional manner of the second aspect.
Description of the drawings
To describe the technical solutions of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the following drawings show only some embodiments of the present invention; a person of ordinary skill in the art can, without creative effort, derive from these drawings other technical solutions and drawings that can likewise implement the present invention. Such technical solutions and drawings should also be considered to fall within the scope of the present invention.
FIG. 1 is a schematic diagram of an application scenario of a network system in an embodiment of this application;
FIG. 2 is a schematic diagram of an application scenario in an embodiment of this application;
FIG. 3a is a flowchart of a data packet processing method provided by an embodiment of this application;
FIG. 3b is a flowchart of a data packet processing method provided by an embodiment of this application;
FIG. 4a is a flowchart of a data packet processing method provided by an embodiment of this application;
FIG. 4b is a flowchart of a data packet processing method provided by an embodiment of this application;
FIG. 5 is a schematic diagram of a first type-length-value (TLV) provided by an embodiment of this application;
FIG. 6 is a schematic diagram of the composition of a micro-segment segment identifier provided by an embodiment of this application;
FIG. 7 is a schematic diagram of a segment routing header provided by an embodiment of this application;
FIG. 8 is a schematic diagram of a metadata TLV provided by an embodiment of this application;
FIG. 9 is a schematic diagram of flag bits in a segment routing header provided by an embodiment of this application;
FIG. 10 is a schematic diagram of a second type-length-value (TLV) provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of a second network device provided by an embodiment of this application;
FIG. 12 is a schematic structural diagram of a first network device provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of a network device provided by an embodiment of this application;
FIG. 14 is a schematic structural diagram of a network device provided by an embodiment of this application;
FIG. 15 is a schematic diagram of a network system provided by an embodiment of this application.
Detailed description of the embodiments
To enable those skilled in the art to better understand the solutions of the present invention, the embodiments of the present invention are described in further detail below with reference to the drawings and implementations.
In this application, the terms "first", "second", "third" and the like are used to distinguish between identical or similar items whose roles and functions are basically the same. It should be understood that there is no logical or temporal dependency among "first", "second" and "third", and that these terms do not limit quantity or execution order.
The terms used in this application are explained below:
Segment routing header (SRH): An IPv6 packet consists of an IPv6 standard header, extension headers (0...n) and a payload. To implement SRv6 on the IPv6 forwarding plane, a new IPv6 extension header, called the SRH extension header, is added. This extension header specifies an explicit IPv6 path and stores the IPv6 segment list information; its role is the same as that of the segment list in SR MPLS. The head node adds an SRH extension header to the IPv6 packet, and intermediate nodes can then forward the IPv6 packet according to the path information contained in the SRH extension header. For example, when forwarding an IPv6 packet, a network device that supports SRv6 queries its local segment identifier table (local SID table) according to the destination address (DA) in the data packet. When the destination address of the data packet matches any SID in the local SID table, the device executes the operation corresponding to the policy associated with that SID in the local SID table; for example, the operation may be forwarding the data packet out of the outbound interface specified by the SID. If the destination address of the data packet matches none of the SIDs in the local SID table, the device then looks up the IPv6 routing and forwarding table and forwards the packet by longest match according to that table.
Head node: the start node of an SR forwarding path, responsible for encapsulating segment identifiers.
Micro-segment segment identifier: a segment identifier used to identify a micro-segment of a network device in a segment routing network, corresponding to an endpoint group. The micro-segment segment identifier instructs the network device that published it to process packets according to the micro-segment segment identifier or the micro-segment.
Micro-segment node segment identifier: a segment identifier used to identify a network device in a segment routing network. The micro-segment node segment identifier instructs the network device that published it to process packets according to the micro-segment segment identifier or the micro-segment.
In a possible manner, processing packets according to micro-segments in a segment routing network requires configuring, on every device in the segment routing network, the relationship between IP addresses and micro-segments as well as the processing action corresponding to each micro-segment. For example, a network includes network device 1 and network device 2; network device 1 is connected to VM1, network device 2 is connected to VM2, and the network between network device 1 and network device 2 is an SR network. When VM1 sends data packet A to VM2, network device 1 receives data packet A. Network device 1 first looks up a table according to the destination address in data packet A (that is, the address of VM2) to obtain the micro-segment corresponding to the address of VM2, then looks up a table according to that micro-segment to obtain the corresponding processing action (such as modifying the priority), and then forwards the marked data packet A to network device 2. Network device 2 must perform actions similar to those of network device 1. Sometimes the intermediate devices between network device 1 and network device 2 also need to apply similar policies according to the micro-segment, which means configuration work on many devices. In addition, when a large number of data packets are transmitted between network device 1 and network device 2, many devices (including network device 1, network device 2 and the intermediate devices) may have to perform multiple table lookups to obtain the processing policy for these data packets. In some special scenarios where IP addresses are translated between multiple network segments, for example when the IP address of a VM is a private network segment address and the routing addresses in the segment routing network are public IP addresses, the correspondence between micro-segments and IP addresses cannot be configured on the network devices in the segment routing network, and data packets cannot be processed according to micro-segments.
The application scenarios of this application are introduced below by way of example. Refer to FIG. 1, which is a schematic diagram of an application scenario of a network system according to an embodiment of this application. In the scenario shown in FIG. 1, network device 101, network device 102, network device 103 and network device 104 belong to the same SR network. Each of these network devices may be a router, a switch or any other device with an SR routing function, and may take the form of a physical device or a virtualized device with an SR routing function; this application does not specifically limit this.
Those skilled in the art will appreciate that the number of network devices in this application scenario may be larger or smaller. For example, there may be dozens or hundreds of such network devices, or more. The embodiments of this application do not limit the number or type of network devices.
In the scenario shown in FIG. 1, network device 101 is connected to virtual machines (VMs) VM1, VM2, VM3 and VM4, and is also connected to network device 102 and network device 104. Network device 102 is connected to network device 101 and network device 103. Network device 104 is connected to network device 101 and network device 103. Network device 103 is connected to VM5, VM6, VM7 and VM8, and is also connected to network device 102 and network device 104. VM1 and VM2 belong to the same EPG, EPG1; VM3 and VM4 belong to the same EPG, EPG2; VM5 and VM6 belong to the same EPG, EPG3; VM7 and VM8 belong to the same EPG, EPG4.
The network runs the SR protocol: it may be an SR-MPLS network or an SRv6 network. In the scenario shown in FIG. 1, both network device 101 and network device 103 support SR; network device 102 and network device 104 may or may not support SR.
Optionally, the application scenario may also include a controller or a path computation element, which may be connected to each network device through a wireless or wired network and may be used to determine the forwarding path for data packets that need to be forwarded in the segment routing network. The controller or path computation element may be at least one of a single server, multiple servers, a cloud computing platform and a virtualization center. When there are multiple controllers, at least two controllers may provide different services, and/or at least two controllers may provide the same service, for example by providing the same service in a load-balancing manner; this embodiment does not specifically limit this.
Those skilled in the art should understand that the scenario shown in FIG. 1 does not limit how network device 101 and network device 103 are connected to their corresponding VMs. They may be connected directly, or through other network devices such as switches and firewalls; these other network devices do not belong to the SR network, that is, they do not run the corresponding SR functions. As shown in FIG. 2, network device 101 is connected to VM1 and VM3 through network device 201, and to VM2 and VM4 through network device 202. Network device 103 is connected to VM5 and VM6 through network device 203, and to VM7 and VM8 through network device 204. Accordingly, the way network device 101 and network device 103 divide endpoint groups into micro-segments is not limited to a specific connection mode: micro-segments may be divided according to the devices' own physical or virtual interfaces, or according to characteristics of the final endpoint group, such as the IP address, the differentiated services code point (DSCP), a combination of the two, or further characteristics.
Refer to FIG. 3a, which is a flowchart of a data packet processing method provided by an embodiment of this application. As shown in FIG. 3a, the interaction in this method mainly involves a first network device and a second network device. The second network device may be the head node of the forwarding path of the data packet in the segment routing network, and the first network device may be the tail node of that forwarding path. In the application scenario shown in FIG. 1, network device 101 and network device 103 may be the second network device and the first network device, respectively.
The main steps and optional manners of the method are explained below with reference to FIG. 1 and FIG. 3a. For ease of understanding, this method embodiment is described using network device 101 as the second network device and network device 103 as the first network device. It should be understood that this is only an example; those skilled in the art may make similar substitutions and applications with reference to this embodiment, and this application does not enumerate them one by one.
The method mainly includes the following steps:
S301: Network device 103 publishes the first micro-segment segment identifier.
A micro-segment segment identifier corresponds to one micro-segment of a network device and may be denoted End.XTEpg SID, where End stands for endpoint; X stands for crossing, meaning a layer-3 cross-connect; T stands for table lookup; Epg stands for endpoint group; and SID means segment identifier. A micro-segment segment identifier may conform to the format of an IPv6 address or of an MPLS label.
The first micro-segment segment identifier corresponds to one micro-segment of network device 103. In one example, the micro-segment is EPG3, its micro-segment segment identifier may be a value in IPv6 address format, and the endpoint group corresponding to the micro-segment includes VM5 and VM6. Those skilled in the art should understand that this is only an example; the endpoint group corresponding to micro-segment EPG3 may also be VM5 and VM7. Micro-segments may be divided according to specific IP addresses, IP prefixes, and the specific requirements of applications or services, which this application does not specifically limit. It should be understood that, in some cases, the first micro-segment segment identifier may also correspond to multiple micro-segments of network device 103.
The manners in which network device 103 publishes the first micro-segment segment identifier include the following three or more publishing manners:
Manner 1: Network device 103 sends an advertisement message that carries the first micro-segment segment identifier.
The advertisement message may be a Border Gateway Protocol (BGP) message, a Border Gateway Protocol Ethernet Virtual Private Network (BGP EVPN) message, or an Interior Gateway Protocol (IGP) message; this application does not specifically limit this.
Optionally, the first micro-segment segment identifier in the advertisement message is carried in a first type-length-value (TLV) of the message. TLV is an encoding format defined mainly by three pieces of information: type, length and value. The format of the first TLV is shown in FIG. 5. The type field in the figure indicates the type of the first TLV; its value can identify the first TLV as a TLV used to publish an End.XTEpg SID, and may be a type newly requested for publishing micro-segment segment identifiers, for example 90. The value of the length field identifies the length of the first TLV. The reserved field is reserved for future extension, for example to identify a forwarding path. The micro-segment segment identifier field carries the micro-segment segment identifier.
Manner 2: Network device 103 may publish the first micro-segment segment identifier through Border Gateway Protocol link state (BGP-LS).
Specifically, network device 103 may send the first micro-segment segment identifier to the controller through BGP-LS; the controller may receive, through BGP-LS, the first micro-segment segment identifier sent by network device 103 and send it to network device 101.
Manner 3: Network device 103 may publish the first micro-segment segment identifier through the Path Computation Element Communication Protocol (PCEP).
Specifically, network device 103 may send the first micro-segment segment identifier to the controller or the path computation element (PCE) through PCEP; the controller or PCE may receive, through PCEP, the first micro-segment segment identifier sent by network device 103 and send it to network device 101.
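The first TLV of Manner 1, encoded and parsed as an added example that is not part of the patent text. Only the type value 90 comes from the description; the field widths (1-byte type, 1-byte length counting the bytes after it, 2-byte reserved field, 16-byte IPv6-format SID), the function names and the sample SID are assumptions.

```python
import ipaddress
import struct

# Assumed wire layout (the text names the fields, not their widths):
#   Type (1 byte) | Length (1 byte) | Reserved (2 bytes) | SID (16 bytes)
# Length is assumed to count the bytes that follow the Length field.
TLV_TYPE_END_XTEPG = 90      # example type value given in the text
SID_LEN = 16                 # IPv6-format micro-segment segment identifier
VALUE_LEN = 2 + SID_LEN      # Reserved + SID


class TLVError(ValueError):
    """Raised when an advertisement carries a malformed TLV."""


def encode_microseg_tlv(sid: str) -> bytes:
    """Build the first TLV for one End.XTEpg SID (Reserved set to 0)."""
    packed = ipaddress.IPv6Address(sid).packed
    return struct.pack("!BBH", TLV_TYPE_END_XTEPG, VALUE_LEN, 0) + packed


def iter_tlvs(payload: bytes):
    """Yield (type, value) pairs, refusing lengths that overrun the buffer."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise TLVError("truncated TLV header")
        tlv_type, length = payload[offset], payload[offset + 1]
        end = offset + 2 + length
        if end > len(payload):
            raise TLVError("TLV length overruns the message")
        yield tlv_type, payload[offset + 2:end]
        offset = end


def extract_microseg_sids(payload: bytes) -> list:
    """Return every End.XTEpg SID advertised in payload, skipping other TLVs."""
    sids = []
    for tlv_type, value in iter_tlvs(payload):
        if tlv_type != TLV_TYPE_END_XTEPG:
            continue                      # unknown TLV: not ours to interpret
        if len(value) != VALUE_LEN:
            raise TLVError("End.XTEpg TLV has an unexpected length")
        # value[:2] is the Reserved field; it is ignored on receipt.
        sids.append(ipaddress.IPv6Address(value[2:]))
    return sids


if __name__ == "__main__":
    # Constructed sample: one unrelated TLV followed by the micro-segment TLV.
    message = bytes([7, 3, 1, 2, 3]) + encode_microseg_tlv("2001:db8:103:0:3::")
    print(extract_microseg_sids(message))
```

A receiver such as network device 101 or a controller would run the parser on the TLV area of the advertisement and reject the whole message when `TLVError` is raised, rather than accept a partially parsed SID.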
Before network device 103 publishes the first micro-segment segment identifier, it must first obtain the first micro-segment segment identifier. As to how network device 103 obtains a micro-segment segment identifier, in some possible embodiments network device 103 may automatically allocate at least one micro-segment segment identifier, or at least one micro-segment segment identifier may be configured manually. Specifically, the manner of obtaining the micro-segment segment identifier may include either or both of Manner 1 and Manner 2 below.
Manner 1: Network device 103 allocates a micro-segment segment identifier to the corresponding micro-segment or endpoint group.
In one example, network device 103 may allocate one micro-segment segment identifier to each micro-segment or each endpoint group, with different identifiers for different endpoint groups or micro-segments, so that each allocated micro-segment segment identifier corresponds to one micro-segment or one endpoint group. In another example, network device 103 may allocate the same micro-segment segment identifier to multiple micro-segments or multiple endpoint groups, so that one allocated micro-segment segment identifier corresponds to multiple micro-segments or multiple endpoint groups. Network device 103 may store a segment identifier space, select an unoccupied micro-segment segment identifier from that space, and allocate it to a micro-segment or endpoint group.
Manner 2: Network device 103 receives a configuration instruction and obtains from it the correspondence between a micro-segment segment identifier and one or more micro-segments or endpoint groups. The configuration instruction may be triggered by a user's configuration operation on network device 103, or by a network management system or a controller.
In one example, applied to the scenario shown in FIG. 1, the correspondence between micro-segment segment identifiers and micro-segments obtained by network device 103 may be as shown in Table 1 below.
Table 1
Micro-segment segment identifier | Micro-segment identifier
End.XTEpg SID3 | EPG3
End.XTEpg SID4 | EPG4
When network device 103 holds the correspondence between micro-segment segment identifiers and micro-segments shown in Table 1, it also holds a correspondence between micro-segments and endpoint groups. An endpoint group may be defined by information such as the IP addresses of the endpoint devices, the interface through which the endpoint group's devices connect to network device 103, or MAC addresses. The following example represents endpoint groups by the IP addresses of the endpoint devices: VM5 and VM6 can be represented by the same IP address prefix A1::3:1/80, and VM7 and VM8 can be represented by the same IP address prefix A1::3:2/80, as shown in Table 2 below.
Table 2
Micro-segment identifier | Endpoint group
EPG3 | A1::3:1/80
EPG4 | A1::3:2/80
Table 1 and Table 2 above represent only a logical concept; in an implementation, Table 1 and Table 2 may be merged into a single table.
In another example, applied to the scenario shown in FIG. 1, the correspondence between micro-segment segment identifiers and endpoint groups obtained by network device 103 may be as shown in Table 3 below. In this example, an endpoint group is defined by the interface through which the endpoint group's devices connect to network device 103; the interface may be a virtual sub-interface or a physical interface. Taking virtual sub-interfaces as an example: End.XTEpg SID3 corresponds to endpoint group EPG3, and the interface connecting network device 103 to endpoint group EPG3 is its virtual interface 1, named vInf103-1; End.XTEpg SID4 corresponds to endpoint group EPG4, and the port connecting network device 103 to endpoint group EPG4 is its virtual interface 2, named vInf103-2.
Table 3
Micro-segment segment identifier | Endpoint group
End.XTEpg SID3 | vInf103-1
End.XTEpg SID4 | vInf103-2
In Table 3, a micro-segment segment identifier can also serve as the identifier of a micro-segment, indicating one micro-segment.
It should be understood that the above are only examples of the correspondence between micro-segment segment identifiers and micro-segments or endpoint groups. In a specific implementation, the correspondence between a micro-segment segment identifier and a micro-segment or endpoint group may be obtained in any of the ways above, for example from an IP prefix, a combination of specific IP addresses, or the interface through which an endpoint connects to the network device.
In an SRv6 example, the value of a micro-segment segment identifier consists of two parts: location information (Locator) and function (Function). An SRv6 SID takes the form of an IPv6 address and may consist of a locator and a function, in the format Locator:Function. The locator occupies the high-order bits of the IPv6 address and the function occupies the low-order bits. The locator may provide a locating function and may be unique within the SR domain. The function represents an instruction of the device; such instructions are preset by the device, and the function part instructs the device that generated the SRv6 SID to perform the corresponding functional operation.
FIG. 6 shows another example of an SRv6 micro-segment segment identifier. In this example, the identifier is 128 bits in total and is divided into three parts, in the format Locator:Function:Parameter segment. The locator part occupies the high-order bits 0-64. The function part occupies the middle bits and instructs the device that generated the micro-segment segment identifier, such as network device 103, to look up a table according to the identifier to determine the processing action for the packet corresponding to that identifier, and finally to perform the processing action on the packet together with generation of the corresponding segment routing header or other related operations. The parameter segment part may define information such as the flow and service of a packet.
S303: Network device 101 obtains the first micro-segment segment identifier.
Corresponding to the manner in which network device 103 advertises the first micro-segment segment identifier, network device 101 may obtain it in either of the following two optional manners:
Manner 1: Network device 101 receives an advertisement message sent by network device 103; the message carries the first micro-segment segment identifier.
Specifically, when network device 103 sends the first micro-segment segment identifier in a BGP message, network device 101 receives the BGP message sent by network device 103 and obtains the identifier from it; when network device 103 sends the identifier in an IGP message, network device 101 receives the IGP message sent by network device 103 and obtains the identifier from it.
Further, when the first micro-segment segment identifier is carried in a first TLV of the BGP message or IGP message, network device 101 obtains it from the first TLV of that BGP message or IGP message.
Manner 2: Network device 101 receives the first micro-segment segment identifier sent by a controller or a path computation element (PCE).
Specifically, when network device 103 sends the first micro-segment segment identifier to the controller through BGP-LS, the controller may receive the identifier sent by network device 103 through the BGP-LS protocol and send it to network device 101. When network device 103 sends the identifier to the controller or PCE in a PCEP message, the controller or PCE may receive the identifier sent by network device 103 and send it to network device 101. The controller or PCE may send the identifier to network device 101 immediately after receiving it, after a period of time, or when network device 101 requests a forwarding path from the controller or PCE.
S305: Network device 101 receives a first data packet and determines the first micro-segment segment identifier according to the first data packet; the first data packet does not include the first micro-segment segment identifier.
In an example shown in FIG. 1, when VM1 and VM5 need to communicate, VM1 sends a data packet (the first data packet) to VM5. After receiving the first data packet sent by VM1, network device 101 may determine the first micro-segment segment identifier according to it.
The manners in which network device 101 determines the first micro-segment segment identifier according to the first data packet include:
Manner 1: Network device 101 determines the first micro-segment segment identifier according to the destination IP address of the first data packet. For example, a correspondence such as that shown in Table 4 below may exist on network device 101; when the destination IP address of the first data packet is A1::3:1/80, network device 101 obtains End.XTEpg SID3 as the first micro-segment segment identifier according to a matching principle (for example, the longest match principle).
Table 4
Destination IP prefix | Micro-segment segment identifier
A1::3:1/80 | End.XTEpg SID3
A1::3:2/80 | End.XTEpg SID4
The correspondence shown in Table 4 may be computed iteratively by network device 101 from information such as the route advertisement messages issued by network device 103, or may be obtained by network device 101 from forwarding-path planning information delivered by the controller or path computation element.
Manner 2: After receiving the first data packet, network device 101 requests from the controller or path computation element a forwarding path to the destination IP of the data packet. On receiving the request, the controller or path computation element computes a forwarding path from the network topology or other information it has obtained and delivers it to network device 101. For example, the forwarding path from VM1 to VM5 computed for network device 101 by the controller or path computation element is network device 102 -> network device 103, and the specific segment identifier list may be: End.SID102, End.XTEpg SID3, where End.SID102 is the segment identifier of network device 102 and End.XTEpg SID3 is the micro-segment segment identifier of network device 103. Network device 101 determines from this forwarding path that the first micro-segment segment identifier is End.XTEpg SID3.
Manner 3: Network device 101 determines the first micro-segment segment identifier according to the differentiated services code point (DSCP) of the first data packet.
S307: Network device 101 determines the processing action for the first data packet according to the first micro-segment segment identifier.
In one possible manner, network device 101 may be configured as to whether it needs to look up or execute a processing policy; the processing policy here can also be regarded as a correspondence. When the network device is configured not to look up or execute a processing policy, the processing action is to forward the first data packet, and network device 101 determines according to that configuration that the processing action for the first data packet is forwarding.
In one possible manner, network device 101 may be configured to look up the processing policy for the first data packet and process the packet according to it. In one possible implementation, therefore, before determining the processing action for the first data packet according to the first micro-segment segment identifier, network device 101 also needs to obtain a processing policy, which includes a matching condition and a processing action. In one possible implementation, the processing policy is stored in a group-based access policy entry (group based policy, GBP) of network device 101. The matching condition may include the first micro-segment segment identifier, that is, the identifier the network device determines from the received data packet, such as the first micro-segment segment identifier End.XTEpg SID3 described above. The processing action in the processing policy includes one or more of the following: forward, discard, mark, redirect and mirror. Marking is a special kind of forwarding: the network device marks the data packet before forwarding it. The marking a network device can apply to a data packet may include, for example, re-marking the packet's DSCP or modifying the packet's priority.
A network device obtains a processing policy in the following manners:
Manner 1: Network device 101 receives a processing policy instruction, which may be configured on the network device by a network management system, by a network application, or manually by operation and maintenance personnel. Network device 101 saves the processing policy according to the instruction; the processing policy includes the first micro-segment segment identifier.
Manner 2: Instead of receiving a processing policy instruction, the network device may obtain the processing policy by having it preset at production time.
In one example, the processing policy obtained by network device 101 is shown in Table 5. Network device 101 uses the first micro-segment segment identifier as the matching condition: when the first micro-segment segment identifier corresponding to a data packet received by network device 101 is End.XTEpg SID3, it performs the "mark" processing action; when the first micro-segment segment identifier corresponding to a data packet received by the network device is End.XTEpg SID4, it performs the "discard" processing action. The processing actions shown in Table 5 are only examples. The content corresponding to a processing action may be a processing action identifier, from which the network device can further obtain the corresponding specific processing action, or it may be a specific processing action, such as remark dscp 40, which means changing the DSCP of matching data packets to 40. In one example, the first micro-segment segment identifier may also be called the destination micro-segment segment identifier.
Table 5
Micro-segment segment identifier | Processing action
End.XTEpg SID3 | Mark
End.XTEpg SID4 | Discard
In one example, the processing policy obtained by network device 101 is shown in Table 6. Network device 101 obtains the corresponding micro-segment from the first micro-segment segment identifier, for example from bits 64 to 80 of the identifier, and uses the micro-segment as the matching condition. When the first micro-segment segment identifier corresponding to a data packet received by network device 101 is End.XTEpg SID3, the first micro-segment obtained from it is EPG3 and the "mark" processing action is performed; when the first micro-segment segment identifier corresponding to a data packet received by the network device is End.XTEpg SID4, the first micro-segment obtained from it is EPG4 and the "discard" processing action is performed. The first micro-segment may also be called the destination micro-segment or the destination endpoint group.
Table 6
Figure PCTCN2020105056-appb-000001
Figure PCTCN2020105056-appb-000002
Optionally, network device 101 also determines the processing policy for the first data packet according to a second micro-segment segment identifier. The second micro-segment segment identifier indicates a micro-segment of network device 101. Before network device 101 determines the processing policy for the first data packet according to the second micro-segment segment identifier, it first needs to obtain that identifier. The way network device 101 obtains the second micro-segment segment identifier is similar to the way network device 103 obtains a micro-segment segment identifier, described above: in some possible embodiments, the second micro-segment segment identifier may be allocated automatically by network device 101 or configured manually. For the specific manner, see Manner 1 and Manner 2 in the part above on how network device 103 obtains micro-segment segment identifiers; details are not repeated here.
In one example, applied to the scenario shown in FIG. 1, the correspondence between the micro-segment segment identifiers and the micro-segments obtained by network device 101 may be as shown in Table 7 below.
Table 7
Micro-segment segment identifier | Micro-segment identifier
End.XTEpg SID1 | EPG1
End.XTEpg SID2 | EPG2
When the correspondence between micro-segment segment identifiers and micro-segments shown in Table 1 exists on network device 101, a correspondence between micro-segments and endpoint groups also exists. An endpoint group may be defined by information such as the IP addresses of endpoint devices, the interface through which the endpoint group's devices connect to network device 101, or MAC addresses. Taking the representation of endpoint groups by the IP addresses of endpoint devices as an example: VM1 and VM2 can be represented by the same IP address prefix A1::1:1/80, and VM3 and VM4 can be represented by the same IP address prefix A1::1:2/80, as may be shown in Table 7 below.
Table 8
Micro-segment identifier | Endpoint group
EPG1 | A1::1:1/80
EPG2 | A1::1:2/80
In another example, applied to the scenario shown in FIG. 1, the correspondence between the micro-segment segment identifiers obtained by network device 101 and the endpoint groups may be as shown in Table 9 below. In this example, an endpoint group is defined by the interface through which the endpoint group's devices connect to network device 101; the interface may be a virtual sub-interface or a physical interface. Taking virtual sub-interfaces as an example: End.XTEpg SID1 corresponds to endpoint group EPG1, and the interface connecting network device 101 to EPG1 is its virtual interface 1, named vInf101-1; End.XTEpg SID2 corresponds to endpoint group EPG2, and the port connecting network device 101 to EPG2 is its virtual interface 2, named vInf101-2.
Table 9
Micro-segment segment identifier | Endpoint group
End.XTEpg SID1 | vInf101-1
End.XTEpg SID2 | vInf101-2
When the correspondence between micro-segment segment identifiers and endpoint groups is as shown in Table 9, a micro-segment segment identifier can also serve as the identifier of a micro-segment, indicating one micro-segment.
It should be understood that the above are only examples of the correspondence between micro-segment segment identifiers and micro-segments or endpoint groups. In a specific implementation, the correspondence between a micro-segment segment identifier and a micro-segment or endpoint group may be obtained in any of the ways above, for example from an IP prefix, a combination of specific IP addresses, or the interface through which an endpoint connects to the network device.
After receiving the first data packet, network device 101 determines the second micro-segment segment identifier according to the received first data packet. Depending on the correspondence information between micro-segment segment identifiers and endpoint groups on network device 101, network device 101 determines the second micro-segment segment identifier from the received first data packet in one or more of the following manners:
Manner 1: Network device 101 determines the second micro-segment segment identifier according to the source IP address of the first data packet. For example, when the first data packet is the one sent by VM1 and its source IP address is A1::1:1, network device 101 confirms from the endpoint group information in the correspondence shown in Table 7 that VM1 belongs to endpoint group EPG1, and further determines from the correspondence shown in Table 6 that the micro-segment segment identifier corresponding to that endpoint group is End.XTEpg SID1.
Manner 2: Network device 101 determines the second micro-segment segment identifier according to the interface on which the first data packet was received. For example, when network device 101 received the first data packet on vInf101-1, then as shown in Table 9 it determines that the second micro-segment segment identifier corresponding to the first data packet is End.XTEpg SID1.
Before network device 101 determines the processing policy for the first data packet according to the second micro-segment segment identifier, it also obtains a processing policy that includes the second micro-segment segment identifier. It does so in the same way as it obtains a processing policy that includes the first micro-segment segment identifier, described above; details are not repeated here.
In one example, the processing policies obtained by network device 101 are shown in Table 10. The matching condition of each policy includes the second micro-segment segment identifier and the first micro-segment segment identifier, which may also be called the source micro-segment segment identifier and the destination micro-segment segment identifier. Table 10 shows two processing policies. The first policy indicates that when the second and first micro-segment segment identifiers determined from a data packet received by network device 101 satisfy the matching condition (second micro-segment segment identifier End.XTEpg SID1, first micro-segment segment identifier End.XTEpg SID3), network device 101 performs the processing action "mark" on the data packet. The second policy indicates that when the second and first micro-segment segment identifiers determined from a data packet received by network device 101 satisfy the matching condition (second micro-segment segment identifier End.XTEpg SID1, first micro-segment segment identifier End.XTEpg SID2), network device 101 performs the processing action "discard" on the data packet.
Table 10
Second micro-segment segment identifier | First micro-segment segment identifier | Processing action
End.XTEpg SID1 | End.XTEpg SID3 | Mark
End.XTEpg SID1 | End.XTEpg SID4 | Discard
In one example, the processing policies obtained by network device 101 are shown in Table 11. The matching condition of each policy includes the second micro-segment and the first micro-segment, which may also be called the source micro-segment and the destination micro-segment, or the source endpoint group and the destination endpoint group. Table 11 shows two processing policies. The first policy indicates that when the second micro-segment and the first micro-segment satisfy the matching condition (second micro-segment EPG1, first micro-segment EPG3), network device 101 performs the processing action "mark" on the data packet. The second policy indicates that when the second and first micro-segments determined from a data packet received by network device 101 satisfy the matching condition (second micro-segment EPG1, first micro-segment EPG4), network device 101 performs the processing action "discard" on the data packet.
When the second micro-segment segment identifier determined from a data packet received by network device 101 is End.XTEpg SID1, the second micro-segment that network device 101 determines from it is EPG1; when the first micro-segment segment identifier determined from a data packet received by network device 101 is End.XTEpg SID3, the first micro-segment that network device 101 determines from it is EPG3. The processing action that network device 101 determines from this second micro-segment and first micro-segment is then "mark".
Table 11
Second micro-segment | First micro-segment | Processing action
EPG1 | EPG3 | Mark
EPG1 | EPG4 | Discard
When network device 101 determines the processing action for a data packet according to processing policies, it may match the data packet against the matching conditions by strict matching or by longest matching. Strict matching means that the processing action for a data packet is determined only when the packet fully satisfies the matching condition. Longest matching means that the processing action is determined by the matching condition that the data packet matches longest; when several processing policies have equal match length, the first hit, the last hit, or the highest-priority hit may be executed.
Network device 101 may calculate the match length in several manners. In Manner 1, each branch of the matching condition that is satisfied counts as a length of 1; the matching condition shown in Table 10 above contains two branches, matching the second micro-segment segment identifier and matching the first micro-segment segment identifier, so the longest match length is 2. In Manner 2, matching proceeds by first matching the first micro-segment segment identifier, then the second micro-segment segment identifier, then the conditions of other branches; each item matched adds 1 to the match length.
Strict matching and longest matching are illustrated below. Suppose the processing policies obtained by network device 101 are as shown in Table 10. With strict matching, the processing action for a data packet is determined only when the second and first micro-segment segment identifiers that network device 101 determines from the received data packet are (End.XTEpg SID1, End.XTEpg SID3) or (End.XTEpg SID1, End.XTEpg SID4), that is, when the matching condition of the first policy or of the second policy is fully satisfied. If only part of a condition matches, for example only the first micro-segment segment identifier End.XTEpg SID3, network device 101 considers that no processing action exists for the data packet and performs a default processing action, such as forwarding or discarding. The default processing action may be a default processing policy configured on the network device, or the default processing policy of all devices in the segment routing network. With longest matching, when network device 101 determines from the received data packet that the second micro-segment segment identifier is End.XTEpg SID1 and the first micro-segment segment identifier is End.XTEpg SID3, it confirms from the first processing policy in Table 9 that the processing action for the data packet is "mark"; but when network device 101 determines from the received data packet only that the first micro-segment segment identifier is End.XTEpg SID3, and either obtains no second micro-segment segment identifier or obtains one that is not End.XTEpg SID1, it can still determine that the data packet matches the first processing policy and therefore that the processing action for the data packet is "mark".
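The strict and longest matching behaviour described above, as an added Python example that is not part of the patent text. It classifies a packet by source and destination prefix (in the manner of Tables 4, 7 and 8), then evaluates the Table 10 policies in both modes, using match-length Manner 2 with first-hit tie-breaking. The /80 prefixes, the function names and the default action are constructed assumptions.

```python
import ipaddress

# Constructed prefixes (assumption): the page's A1::1:1/80, A1::3:1/80, ...
# all reduce to a1::/80 in standard IPv6 notation, so distinct /80 networks
# are used here to keep the groups separable.
SRC_PREFIX_TO_SID = {            # Tables 7 and 8 combined: source prefix -> SID
    "a1:0:0:1:1::/80": "End.XTEpg SID1",
    "a1:0:0:1:2::/80": "End.XTEpg SID2",
}
DST_PREFIX_TO_SID = {            # Table 4: destination prefix -> SID
    "a1:0:0:3:1::/80": "End.XTEpg SID3",
    "a1:0:0:3:2::/80": "End.XTEpg SID4",
}
# Table 10, in rule order: (second/source SID, first/destination SID, action)
POLICY = [
    ("End.XTEpg SID1", "End.XTEpg SID3", "mark"),
    ("End.XTEpg SID1", "End.XTEpg SID4", "discard"),
]


def lookup_sid(table, address):
    """Longest-prefix match of address against table; None if nothing covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, sid in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sid)
    return best[1] if best else None


def classify(src_ip, dst_ip):
    """Return (second SID, first SID) for a packet, either of which may be None."""
    return (lookup_sid(SRC_PREFIX_TO_SID, src_ip),
            lookup_sid(DST_PREFIX_TO_SID, dst_ip))


def match_length(rule, src_sid, dst_sid):
    """Manner 2: match the first (destination) SID, then the second (source) SID."""
    rule_src, rule_dst, _action = rule
    if dst_sid != rule_dst:
        return 0
    return 2 if src_sid == rule_src else 1


def decide(src_sid, dst_sid, mode, default="discard"):
    """Pick the processing action; 'default' applies when no policy is selected."""
    if mode == "strict":
        # Every branch of the matching condition must be satisfied.
        for rule in POLICY:
            if match_length(rule, src_sid, dst_sid) == 2:
                return rule[2]
        return default
    if mode == "longest":
        best_len, best_action = 0, default
        for rule in POLICY:
            n = match_length(rule, src_sid, dst_sid)
            if n > best_len:     # '>' keeps the first hit when lengths tie
                best_len, best_action = n, rule[2]
        return best_action
    raise ValueError("mode must be 'strict' or 'longest'")


if __name__ == "__main__":
    # Constructed packets: (source address, destination address)
    for src, dst in [("a1:0:0:1:1::10", "a1:0:0:3:1::20"),
                     ("a1:0:0:1:2::10", "a1:0:0:3:1::20"),
                     ("2001:db8::1", "a1:0:0:3:1::20")]:
        s, d = classify(src, dst)
        print(src, "->", dst, "|", s, d,
              "| strict:", decide(s, d, "strict"),
              "| longest:", decide(s, d, "longest"))
```

A packet from the EPG2 prefix to a destination mapped to End.XTEpg SID3 receives the default action under strict matching but "mark" under longest matching, so with longest matching the default action only applies when the destination identifier itself matches no policy.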
Optionally, the processing policy obtained by the network device further includes the sending direction of the data packet. If the sending direction is inbound (in), the processing policy applies to data packets received by the network device; if the sending direction is outbound (out), the processing policy applies to data packets sent by the network device.
In a possible manner, after the network device 101 has also determined the second micro-segment segment identifier from the received data packet, the network device 101 may determine the processing action for the first data packet according to the second micro-segment segment identifier alone. The method and optional manners by which the network device 101 determines the processing action for the first data packet according to the second micro-segment segment identifier are the same as those by which it determines the processing action according to the first micro-segment segment identifier alone, and are not repeated here.
S308: The network device 101 performs the determined processing action on the first data packet.
In S307, when the network device 101 is configured not to look up or execute a processing policy and therefore determines that the processing action for the first data packet is forwarding, S309 is performed.
In S307, when the network device 101, according to its configuration, looks up the processing policy for the first data packet and processes the packet according to that policy, it performs one of the following steps according to the determined processing action:
When the processing action determined by the network device 101 for the first data packet is discarding, the network device 101 discards the first data packet and the procedure ends.
When the processing action determined by the network device 101 for the first data packet is mirroring, the network device 101 mirrors the first data packet to the designated address and the procedure ends.
When the processing action determined by the network device 101 for the first data packet is redirection, the network device 101 changes the forwarding destination address of the first data packet and the procedure ends.
When the processing action determined by the network device 101 is forwarding or marking, S309 is performed.
S309: The network device 101 generates a second data packet according to the first data packet.
The network device 101 generates the second data packet according to the first data packet and the obtained segment routing network forwarding path for the first data packet. The network device 101 may obtain the segment routing network forwarding path in the following ways: 1. The network device 101 itself is capable of computing segment routing network forwarding paths and determines the path. 2. The network device 101 obtains the path from a controller or a path computation element.
In an example, when the intermediate network device does not support SR, the segment routing network forwarding path obtained by the network device 101 for data packets from VM1 to VM5 is: End.XTEpg SID3. When the intermediate network device supports SR, the segment routing network forwarding path obtained by the network device 101 for data packets from VM1 to VM5 may correspond to a segment identifier list, which may include one or more segment identifiers. For example, the segment identifier list is: End.SID102, End.XTEpg SID3, where End.SID102 is the segment identifier of the network device 102 and End.XTEpg SID3 is a micro-segment segment identifier of the network device 101.
The network device 101 generates the second data packet according to the forwarding path and the first data packet. SRv6 is used as the example below; the SR-MPLS solution is similar and is not described again here.
The network device 101 generates the second data packet, which includes an SRH. The SRH includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier, such as End.XTEpg SID3.
Optionally, the segment identifier list further includes segment identifiers of intermediate network devices, such as the segment identifier of the network device 102.
Optionally, the second data packet further includes the second micro-segment segment identifier. The embodiments of this application provide several manners of carrying the second micro-segment segment identifier in a data packet, including:
Manner 1: The segment identifier list further includes the second micro-segment segment identifier, such as the source micro-segment segment identifier in the example, End.XTEpg SID1.
In the SRH example shown in FIG. 7, when the second endpoint group segment identifier is carried in the SRH, the second micro-segment segment identifier is carried at Segment List[0] of the SRH and the first micro-segment segment identifier is carried at Segment List[1] of the SRH, that is, the value of Segments Left in the SRH is at least 1.
Manner 2: The second data packet further includes metadata, and the metadata carries the second micro-segment segment identifier. So that the second data packet can carry the second micro-segment segment identifier, a new kind of metadata may be defined. In this manner, the first micro-segment segment identifier may also be carried in the metadata. All network devices in the segment routing network that need to process data packets according to micro-segment segment identifiers can then obtain both the first and the second micro-segment segment identifier from the metadata alone, without reading them from the SRH of the data packet.
The metadata may be carried in the TLV shown in FIG. 8. In this TLV, the type field indicates that it is metadata carrying micro-segment segment identifiers; the value of the type field may be a specific value requested for carrying the endpoint group segment identifier, such as 91. The length field indicates the overall length of the metadata. The reserved field is kept for special processing and currently has no specific definition. The second micro-segment segment identifier field carries the second micro-segment segment identifier, such as End.XTEpg SID2. Optionally, the TLV further includes a first micro-segment segment identifier field, which carries the first micro-segment segment identifier, such as End.XTEpg SID1.
Manner 3: The network device 101 copies the IPv6 header of the first data packet into the payload of the second data packet and generates a new IPv6 header for the second data packet. The source address in this IPv6 header is the second micro-segment segment identifier.
Operation and maintenance personnel may configure in advance on the network device whether the second micro-segment segment identifier needs to be carried when the second data packet is generated, and which of the above three manners is used to carry it. Alternatively, network devices use one consistent manner by default to carry the second micro-segment segment identifier.
After operation and maintenance personnel have configured the network device to carry the second micro-segment segment identifier when generating the second data packet and have determined the manner in which the network device 101 carries it, the network device 101, when generating the SRH of the second data packet, may indicate in the SRH the manner in which the second micro-segment segment identifier is carried, so that the second data packet can be processed correctly during forwarding without affecting forwarding of the data packet. Network devices in the segment routing network that are capable of processing data packets according to micro-segment segment identifiers can then determine, during packet forwarding, the location from which to obtain the second endpoint group segment identifier.
As shown in the schematic diagram of the Flags field of the SRH of the second data packet in FIG. 9, the Flags field of the SRH occupies 8 bits. U is currently unused. The P flag occupies 1 bit and is the protection flag. The O flag occupies 1 bit and is the operation, administration and maintenance (OAM) flag. The A flag occupies 1 bit and is the alert flag; if present, it means that an important TLV is present. The H flag occupies 1 bit and is the hash-based message authentication code (HMAC) flag; if present, it means that an HMAC TLV is present. The network device 101 may use the low-order bits of the U flags in the Flags field of the SRH to indicate where the second endpoint group is carried. For example, when the 8th bit of Flags is 1, the second micro-segment segment identifier is carried in Manner 1, in segment[0] of the segment identifier list of the SRH. When the 7th bit of the Flags field is 1, the second micro-segment segment identifier is carried in Manner 2, in the metadata of the SRH. When the 6th bit of the Flags field is 1, the second micro-segment segment identifier is carried in Manner 3, in the source IP address of the IPv6 header of the second packet.
S311: The network device 101 sends the second data packet to the network device 103.
The network device 101 sends the second data packet to the network device 103 according to routing and forwarding information. The second data packet carries the first micro-segment segment identifier.
Optionally, the second data packet also carries the second micro-segment segment identifier.
S321: After receiving the second data packet sent by the network device 101, the network device 103 obtains the first micro-segment segment identifier from the second data packet.
For example, the network device 103 obtains from the second data packet the first micro-segment segment identifier End.XTEpg SID3.
Before the network device 103 determines the processing action for the data packet according to the first micro-segment segment identifier, the network device 103 also needs to obtain a processing policy, which includes a matching condition and a processing action. The processing actions in the processing policy include one or more of the following: forwarding, discarding, marking, redirection and mirroring. Marking is a special kind of forwarding, that is, the network device marks the data packet before forwarding it. The marking actions that a network device can perform on a data packet include, for example, re-marking the DSCP of the data packet or modifying the priority of the data packet.
The manner in which the network device 103 obtains the processing policy, and the content of that policy, are the same as for the network device 101. For details, see the description of how the network device 101 obtains the processing policy; they are not repeated here.
S323: The network device 103 determines the processing action for the second data packet according to the first micro-segment segment identifier.
The manner in which the network device 103 determines the processing action for the second data packet according to the first micro-segment segment identifier is the same as the manner in which the network device 101 determines the processing action for the first data packet according to the first micro-segment segment identifier. For details, see the description of that step for the network device 101; they are not repeated here.
Optionally, the network device 103 also determines the processing action for the second data packet according to the second micro-segment segment identifier.
When the second data packet also carries the second micro-segment segment identifier, the network device 103 also obtains the second micro-segment segment identifier and performs the processing action on the second data packet according to the first micro-segment segment identifier and the second micro-segment segment identifier.
Corresponding to the three manners in which the network device 101 carries the second micro-segment segment identifier, and to the indication of the carrying manner in the second data packet, the network device 103 obtains the second micro-segment segment identifier from the corresponding location in the second data packet as the indication directs. For example, when the 8th bit of the Flags field of the SRH of the second data packet is 1, the network device 103 obtains the second micro-segment segment identifier from segment[0] of the segment identifier list of the SRH of the second data packet. When the 7th bit of the Flags field is 1, the network device 103 obtains the second micro-segment segment identifier from the metadata of the SRH of the second data packet. When the 6th bit of the Flags field is 1, the network device 103 obtains the second micro-segment segment identifier from the source IP address of the IPv6 header of the second data packet.
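How a receiving device could locate the second micro-segment segment identifier from the Flags indication, as an added Python example rather than code from the application. Assumptions: the 8th, 7th and 6th Flags bits are taken as masks 0x01, 0x02 and 0x04; the metadata TLV layout (type 91, length, 2 reserved bytes, second identifier, optional first identifier) is inferred from the prose; all addresses are constructed values from 2001:db8::/32.

```python
import ipaddress
import struct

# Assumed masks for the "8th/7th/6th bit" of the 8-bit Flags field,
# counting bit 1 as the most significant bit.
FLAG_SEGMENT_LIST = 0x01   # Manner 1: Segment List[0]
FLAG_METADATA_TLV = 0x02   # Manner 2: metadata TLV in the SRH
FLAG_IPV6_SOURCE = 0x04    # Manner 3: source address of the outer IPv6 header
TLV_MICROSEG = 91          # example type value given in the description
TLV_PAD1, TLV_PADN = 0, 4  # RFC 8754 padding TLVs
ROUTING_HEADER, SRH_TYPE = 43, 4


def _sid(raw):
    return str(ipaddress.IPv6Address(raw))


def build_packet(src, dst, segments, flags, tlvs=b""):
    """Constructed sample: outer IPv6 header followed by an SRH, no payload."""
    body = b"".join(ipaddress.IPv6Address(s).packed for s in segments) + tlvs
    if len(body) % 8:
        raise ValueError("SRH length must be a multiple of 8 octets")
    last = len(segments) - 1
    srh = struct.pack("!BBBBBBH", 59, len(body) // 8, SRH_TYPE,
                      last, last, flags, 0) + body
    outer = struct.pack("!IHBB", 6 << 28, len(srh), ROUTING_HEADER, 64)
    return (outer + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + srh)


def metadata_tlv(second_sid, first_sid=None):
    """Assumed layout: type, length, 2 reserved bytes, second SID, first SID."""
    value = b"\x00\x00" + ipaddress.IPv6Address(second_sid).packed
    if first_sid:
        value += ipaddress.IPv6Address(first_sid).packed
    # The TLV is 20 or 36 bytes; 4 bytes of PadN restore 8-octet alignment.
    return bytes([TLV_MICROSEG, len(value)]) + value + bytes([TLV_PADN, 2, 0, 0])


def iter_tlvs(data):
    """Yield (type, value) for each TLV that follows the segment list."""
    i = 0
    while i < len(data):
        if data[i] == TLV_PAD1:           # Pad1 is a single byte with no length
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated SRH TLV")
        yield data[i], data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]


def second_microseg_sid(packet):
    """Return the second micro-segment segment identifier, or None when the
    Flags field indicates no carrying manner."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != ROUTING_HEADER:
        raise ValueError("expected IPv6 with a routing header as first extension")
    srh = packet[40:]
    _nh, ext_len, rtype, _left, last, flags, _tag = struct.unpack("!BBBBBBH", srh[:8])
    total, seg_end = 8 + 8 * ext_len, 8 + 16 * (last + 1)
    if rtype != SRH_TYPE or total > len(srh) or seg_end > total:
        raise ValueError("malformed SRH")
    if flags & FLAG_SEGMENT_LIST:
        if last < 1:
            raise ValueError("Manner 1 needs Segment List[0] and Segment List[1]")
        return _sid(srh[8:24])
    if flags & FLAG_METADATA_TLV:
        for tlv_type, value in iter_tlvs(srh[seg_end:total]):
            if tlv_type == TLV_MICROSEG and len(value) in (18, 34):
                return _sid(value[2:18])
        raise ValueError("Flags indicate a metadata TLV but none was found")
    if flags & FLAG_IPV6_SOURCE:
        return _sid(packet[8:24])
    return None


# Constructed identifiers standing in for End.XTEpg SID1, End.XTEpg SID3,
# End.SID102 and the head node's own address.
SID_EPG1, SID_EPG3 = "2001:db8:101::e1", "2001:db8:103::e3"
SID_NODE102, HEAD = "2001:db8:102::1", "2001:db8:101::1"

PKT_MANNER1 = build_packet(HEAD, SID_NODE102, [SID_EPG1, SID_EPG3, SID_NODE102],
                           FLAG_SEGMENT_LIST)
PKT_MANNER2 = build_packet(HEAD, SID_NODE102, [SID_EPG3, SID_NODE102],
                           FLAG_METADATA_TLV, metadata_tlv(SID_EPG1, SID_EPG3))
PKT_MANNER3 = build_packet(SID_EPG1, SID_NODE102, [SID_EPG3, SID_NODE102],
                           FLAG_IPV6_SOURCE)
PKT_NO_FLAG = build_packet(HEAD, SID_NODE102, [SID_EPG3, SID_NODE102], 0)
PKT_MISSING_TLV = build_packet(HEAD, SID_NODE102, [SID_EPG3, SID_NODE102],
                               FLAG_METADATA_TLV)
```

A packet whose Flags claim a location that the SRH does not contain is rejected rather than treated as having no source group, so a policy lookup never silently proceeds on the first identifier alone.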
In a possible implementation, the network device directly follows a default rule, for example obtaining the second micro-segment segment identifier from the metadata.
The manner in which the network device 103 determines the processing action for the second data packet according to the first and second micro-segment segment identifiers is the same as the manner in which the network device 101 determines the processing action for the first data packet according to the first and second micro-segment segment identifiers. For details, see the description of that step for the network device 101; they are not repeated here.
In a possible manner, when the second data packet received by the network device 103 also carries the second micro-segment segment identifier, the network device 103 may determine the processing action for the second data packet according to the second micro-segment segment identifier alone. The method and optional manners by which the network device 103 determines the processing action for the second data packet according to the second micro-segment segment identifier are the same as those by which the network device 101 determines the processing of the first data packet according to the first micro-segment segment identifier alone, and are not repeated here.
S325: The network device 103 performs the determined processing action on the second data packet.
When the processing action determined by the network device 103 for the second data packet is discarding, the network device 103 discards the second data packet.
When the processing action determined by the network device 103 for the second data packet is mirroring, the network device 103 mirrors the first data packet to the designated address.
When the processing action determined by the network device 103 for the second data packet is redirection, the network device 103 changes the forwarding destination address of the first data packet.
S327: When the processing action determined by the network device 103 is forwarding or marking, the network device 103 generates a third data packet according to the second data packet.
Corresponding to the three manners in which the network device 101 carries the second micro-segment segment identifier, and to the indication of the carrying manner in the second data packet, the network device 103 generates the third data packet from the second data packet as the indication directs. When the 8th bit of the Flags field of the SRH of the second data packet is 1, the network device strips the SRH of the second data packet when generating the third packet from the second packet. When the 7th bit of the Flags field is 1, the network device 103 strips the SRH and the metadata of the second data packet to generate the third data packet. When the 6th bit of the Flags field is 1, the network device 103 replaces the IPv6 header of the second data packet with the copied IPv6 header (that is, the IPv6 header of the first packet) and strips the SRH of the second data packet to generate the third data packet, so that the IPv6 header of the third data packet is the IPv6 header of the first packet.
Alternatively, the network device follows a default rule, for example stripping the SRH of the second data packet to obtain the third data packet.
S329: The network device 103 sends the third data packet.
The network device sends the third data packet to the endpoint VM5 in the endpoint group corresponding to the micro-segment EPG3 identified by the first micro-segment segment identifier. For example, the network device 103 sends the third data packet to its destination IP address (that is, the IP address of VM5).
The foregoing is one method embodiment provided by the embodiments of this application. It provides a method, applied at the head node and the tail node of a segment routing network, for processing data packets according to micro-segment segment identifiers.
The method embodiment shown in FIG. 3b provides a flowchart of a data packet processing method. The main difference from the method embodiment shown in FIG. 3a is that the first network device and the second network device process packets according to both the first micro-segment segment identifier and the second micro-segment segment identifier. This embodiment is a refinement of the method embodiment of FIG. 3a; for the specific content of each step, refer to the identically numbered steps in FIG. 3a and their optional implementations. For brevity, the detailed steps of the FIG. 3b embodiment are not repeated here.
Another method embodiment is described below. It provides a method, applied at the head node, intermediate nodes and the tail node of a segment routing network, for processing data packets according to micro-segment segment identifiers. In this embodiment, the method by which the head node and the tail node process data packets according to micro-segment segment identifiers is similar to the method in the previous embodiment. This embodiment focuses on the points that differ from the previous method embodiment.
The main steps and optional manners of the method are explained below with reference to FIG. 1 and FIG. 4a. For ease of understanding, the method embodiment is explained using the network device 101 as the third network device, the network device 102 as the second network device, and the network device 103 as the first network device. It should be understood that this is only an example; those skilled in the art may make similar substitutions and applications with reference to this embodiment, and this application does not enumerate them.
S401: The network device 103 advertises the first micro-segment segment identifier.
The method and optional manners by which the network device 103 advertises the first micro-segment segment identifier, and by which it obtains the first micro-segment segment identifier, are the same as in the embodiment shown in FIG. 3a. For details, see the content and optional manners related to step S301 in the embodiment of FIG. 3a; they are not repeated here.
S402: The network device 102 advertises a micro-segment node segment identifier.
The network device 102 is an intermediate forwarding node on the forwarding path of the first data packet in the segment routing network shown in FIG. 1. So that the network device 102 can likewise perform processing actions on data packets according to micro-segment segment identifiers, a segment identifier with a specific function may be defined and advertised for the network device 102. This segment identifier with a specific function is the micro-segment node segment identifier, and it gives the network device 102 that capability.
A micro-segment node segment identifier corresponds to one network device and may be expressed as End.TEpg SID, where End stands for endpoint, T stands for table lookup, Epg stands for endpoint group, and SID stands for segment identifier. The endpoint group segment node identifier may conform to the format of an IPv6 address or an MPLS label.
The manners in which the network device 102 advertises the micro-segment node segment identifier include the following three, among others:
Manner 1: The network device 102 sends an advertisement message that carries the micro-segment node segment identifier.
The advertisement message may be a Border Gateway Protocol (BGP) message or an Interior Gateway Protocol (IGP) message, which is not specifically limited in this application.
Optionally, the micro-segment node segment identifier in the advertisement message is carried in a second type-length-value (TLV). The format of the second TLV is shown in FIG. 10. The type field in the figure indicates the type of the second TLV. Its value can identify the second TLV as the TLV used to advertise the End.TEpg SID, and may be a type newly requested for advertising micro-segment node segment identifiers, for example 92. The value of the length field indicates the length of the second TLV. The flag field may take the value 0 or 1; for example, a value of 0 indicates that it is a TLV of the endpoint group type. The reserved field is reserved for later extension, for example to identify a forwarding path. The micro-segment node segment identifier field carries the micro-segment node segment identifier.
Manner 2: The network device 102 may advertise the micro-segment node segment identifier through the BGP link state protocol (Border Gateway Protocol-link state, BGP-LS).
Specifically, the network device 102 may send the micro-segment node segment identifier to the controller through BGP-LS, and the controller may receive, through BGP-LS, the micro-segment node segment identifier sent by the network device 102 and send the micro-segment segment identifier to the network device 101.
Manner 3: The network device 102 may advertise the micro-segment node segment identifier through the Path Computation Element Communication Protocol (PCEP).
Specifically, the network device 102 may send the micro-segment node segment identifier to the controller or a path computation element (PCE) through PCEP, and the controller may receive, through PCEP, the micro-segment node segment identifier sent by the network device 102 and send it to the network device 101.
In a possible design, before network device 102 advertises the micro-segment node segment identifier, network device 102 first needs to obtain it. In some possible embodiments, network device 102 may allocate the micro-segment node segment identifier automatically, or at least the micro-segment node segment identifier may be configured manually. Specifically, the identifier may be obtained in either or both of Manner 1 and Manner 2 below.
Manner 1: Network device 102 allocates a micro-segment node segment identifier to itself.
In an example, network device 102 may itself allocate one or more micro-segment node segment identifiers. For example, the segment identifier may be a segment identifier representing a node type, or a segment identifier representing an adjacency. Network device 102 may store a segment identifier space, select an unoccupied micro-segment node segment identifier from that space, and assign it to itself.
Manner 2: Network device 102 receives a configuration instruction and obtains the micro-segment node segment identifier from it. Network device 102 may also obtain from the configuration instruction the correspondence between the micro-segment node segment identifier and a forwarding path. The configuration instruction may be triggered by a user's configuration operation on network device 102, or by a network management system or a controller.
In an SRv6 example, the value of the micro-segment node segment identifier consists of two parts, a locator (Locator) and a function (Function). An SRv6 SID takes the form of an IPv6 address and may be composed of the locator and the function in the format Locator:Function. The locator occupies the high-order bits of the IPv6 address, and the function occupies the low-order bits. The locator serves to locate the node and may be unique within the SR domain. The function represents an instruction of the device; these instructions are preset by the device, and the function part instructs the device that generated the SRv6 SID to perform the corresponding operation. In an example, the micro-segment node segment identifier obtained by network device 102 includes a locator part and a function part, and the function part instructs network device 102 to perform a predefined operation on the data packet according to the micro-segment segment identifier.
Optionally, network device 101 and network device 103 also advertise micro-segment node segment identifiers. They obtain and advertise these identifiers in the same way as network device 102, which is not repeated here.
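An added example, not code from the patent: a sketch of the segment identifier space used in Manner 1 and Manner 2, combined with the Locator:Function layout described above. The `SidSpace` class, the /48 locator and all addresses are constructed assumptions, and the function is taken to fill every bit below the locator.

```python
import ipaddress


class SidSpace:
    """Segment identifier space of one device: a locator plus the function values in use."""

    def __init__(self, locator: str):
        self.locator = ipaddress.IPv6Network(locator)    # high-order bits of every SID
        self.function_mask = int(self.locator.hostmask)  # low-order bits carry the function
        self.occupied = set()                            # function values already assigned

    def compose(self, function: int) -> ipaddress.IPv6Address:
        """Build Locator:Function as a single IPv6 address."""
        if not 0 < function <= self.function_mask:
            raise ValueError("function does not fit below the locator")
        return ipaddress.IPv6Address(int(self.locator.network_address) | function)

    def split(self, sid):
        """Return (locator, function) for a SID of this device, or None for a foreign SID."""
        addr = ipaddress.IPv6Address(sid)
        if addr not in self.locator:
            return None
        return self.locator, int(addr) & self.function_mask

    def allocate(self) -> ipaddress.IPv6Address:
        """Manner 1: select an unoccupied function value and assign the SID to ourselves."""
        function = 1
        while function in self.occupied:
            function += 1
        sid = self.compose(function)      # raises ValueError once the space is exhausted
        self.occupied.add(function)
        return sid

    def configure(self, sid: str) -> ipaddress.IPv6Address:
        """Manner 2: take the SID from a configuration instruction after validating it."""
        parts = self.split(sid)
        if parts is None:
            raise ValueError("SID is outside the local locator")
        function = parts[1]
        # Treating function value 0 as reserved is an assumption of this sketch.
        if function == 0 or function in self.occupied:
            raise ValueError("function value is reserved or already occupied")
        self.occupied.add(function)
        return ipaddress.IPv6Address(sid)
```

Validating a configured SID against the local locator and the occupied set keeps a configuration instruction from installing a SID that the device could never match as a destination, or one that collides with an automatically allocated value.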
S403: Network device 101 obtains the first micro-segment segment identifier.
The method and optional manners by which network device 101 obtains the first endpoint group are the same as those in the embodiment shown in FIG. 3a. For details, see the content and optional manners related to step S303 in the embodiment of FIG. 3a, which are not repeated here.
S404: Network device 101 obtains the micro-segment node segment identifier.
Corresponding to the manner in which network device 102 advertises the micro-segment node segment identifier, network device 101 may obtain the identifier in either of the following two manners.
Manner 1: Network device 101 receives an advertisement message sent by network device 102, and the message carries the micro-segment node segment identifier.
Specifically, when network device 102 sends the micro-segment node segment identifier in a BGP message, network device 101 receives the BGP message sent by network device 103 and obtains the micro-segment node segment identifier from it. When network device 102 sends the micro-segment node segment identifier in an IGP message, network device 101 receives the IGP message sent by network device 102 and obtains the micro-segment node segment identifier from it.
Further, when the micro-segment node segment identifier is carried in the second TLV of the BGP message or IGP message, network device 101 obtains the micro-segment node segment identifier from the second TLV of that BGP message or IGP message.
Manner 2: Network device 101 receives the micro-segment node segment identifier sent by the controller or the path computation element.
Specifically, when network device 102 sends the micro-segment node segment identifier to the controller through BGP-LS, the controller may receive it through the BGP-LS protocol and send it to network device 101. When network device 102 sends the micro-segment node segment identifier to the controller or PCE in a PCEP message, the controller or PCE may receive the identifier and send it to network device 101. The controller or PCE may send the micro-segment node segment identifier to network device 101 immediately after receiving it, within a period of time, or when network device 101 requests a forwarding path from the controller or PCE.
Steps S401 and S402 above may be performed in any order, and so may steps S403 and S404.
S405: Network device 101 receives a first data packet and determines the first micro-segment segment identifier according to the first data packet. The first data packet does not include the first micro-segment segment identifier.
The method and optional manners by which network device 101 determines the first micro-segment segment identifier according to the first data packet are the same as those in the embodiment shown in FIG. 3a. For details, see the content and optional manners related to step S305 in the embodiment of FIG. 3a, which are not repeated here.
S407: Network device 101 determines a processing action for the first data packet according to the first micro-segment segment identifier.
The method and optional manners by which network device 101 determines the processing action for the first data packet according to the first micro-segment segment identifier are the same as those in the embodiment shown in FIG. 3a. For details, see the content and optional manners related to step S307 in the embodiment of FIG. 3a, which are not repeated here.
S408: Network device 101 performs the determined processing action on the first data packet.
The method and optional manners by which network device 101 performs the determined processing action on the first data packet according to the first micro-segment segment identifier are the same as those in the embodiment shown in FIG. 3a. For details, see the content and optional manners related to step S308 in the embodiment of FIG. 3a, which are not repeated here.
S409: When the processing action that network device 101 determines according to the first data packet includes forwarding or marking, network device 101 generates a second data packet according to the first data packet.
Network device 101 generates the second data packet from the first data packet and the segment routing network forwarding path obtained for the first data packet. Network device 101 may obtain the segment routing network forwarding path in the following ways: 1. Network device 101 itself is capable of computing segment routing network forwarding paths and determines the path. 2. Network device 101 obtains the segment routing network forwarding path from the controller or the path computation element.
In an example, the segment identifier list corresponding to the forwarding path obtained by network device 101 is: End.TEpg SID1021, End.XTEpg SID3.
Network device 101 generates the second data packet according to the forwarding path and the first data packet. SRv6 is used as the example below; the SR-MPLS solution is similar and is not described again here.
Network device 101 generates the second data packet. The second data packet includes an SRH, the SRH includes a segment identifier list, and the segment identifier list includes the first micro-segment segment identifier and the micro-segment node segment identifier, for example End.TEpg SID1021, End.XTEpg SID3. When the segment identifier list does not include a second micro-segment segment identifier, the first micro-segment segment identifier is carried at Segment List[0] of the SRH and the micro-segment node segment identifier is carried at Segment List[n] of the SRH, where n>0 and n is the number of intermediate nodes on the specified path.
Optionally, the second data packet further includes a second micro-segment segment identifier. When the segment identifier list includes the second micro-segment segment identifier, the first micro-segment segment identifier is carried at Segment List[1] of the SRH, the second micro-segment segment identifier is carried at Segment List[0] of the SRH, and the micro-segment node segment identifier is carried at Segment List[n+1] of the SRH, where n>1. The method and optional manners by which network device 101 carries the second micro-segment segment identifier in the generated second data packet in this method embodiment are the same as those by which the second packet carries the second micro-segment segment identifier in the embodiment shown in FIG. 3a. For details, see the content related to S309 in the embodiment shown in FIG. 3a, which is not repeated here.
S411: Network device 101 sends the second data packet to network device 102.
Network device 101 sends the second data packet to network device 102 according to routing and forwarding information. The second data packet carries the first micro-segment segment identifier and the micro-segment node segment identifier.
Optionally, the second data packet also carries the second micro-segment segment identifier.
S413: After receiving the second data packet sent by network device 101, network device 102 obtains the first micro-segment segment identifier from the second data packet.
Network device 102 receives the second data packet sent by network device 101. The destination address in the SRH of the data packet is the micro-segment node segment identifier advertised by network device 102, such as End.TEpg SID1021. Network device 102 executes the function indicated by the micro-segment node segment identifier, that is, it performs a processing action on the data packet according to the micro-segment segment identifier.
Network device 102 obtains the first micro-segment segment identifier, such as End.XTEpg SID3, from the second data packet. In this implementation, network device 102 executes the function indicated by End.TEpg SID1021, that is, it performs a processing action on the data packet according to End.XTEpg SID3.
Before network device 102 determines the processing action for the data packet according to the first micro-segment segment identifier, network device 102 also needs to obtain a processing policy, which includes matching conditions and processing actions. The processing actions in the policy include one or more of the following: forward, discard, mark, redirect, and mirror. Marking is a special kind of forwarding in which the network device marks the data packet before forwarding it. The marking actions that a network device can perform on a data packet may include, for example, re-marking the DSCP of the data packet or modifying the priority of the data packet.
The manner in which network device 102 obtains the processing policy, and the content of the policy, are the same as for network device 101 in the method embodiment shown in FIG. 3a. For details, see the description of how network device 101 obtains the processing policy in step S307 of FIG. 3a, which is not repeated here.
S415: Network device 102 determines a processing action for the second data packet according to the first micro-segment segment identifier.
The manner in which network device 102 determines the processing action for the second data packet according to the first micro-segment segment identifier is the same as the manner in which network device 103 determines the processing action for the first data packet according to the first micro-segment segment identifier in the method embodiment shown in FIG. 3a. For details, see the description of that determination in the method embodiment shown in FIG. 3a (such as step 323), which is not repeated here.
S416: Network device 102 performs the determined processing action on the second data packet.
When the processing action that network device 102 determines for the second data packet is discard, network device 102 discards the second data packet and the procedure ends.
When the processing action that network device 102 determines for the second data packet is mirror, network device 102 mirrors the first data packet to the designated address and the procedure ends.
When the processing action that network device 102 determines for the second data packet is redirect, network device 102 changes the forwarding destination address of the first data packet and the procedure ends.
When the processing action determined by network device 102 is forward or mark, S417 is performed.
S417: Network device 102 generates a third data packet according to the second data packet.
Network device 102 modifies the second data packet to obtain the third data packet, as follows: 1. Network device 102 sets the SL field of the SRH to SL-1; that is, when SL=1 the SL value is changed to 0, and when SL=2 the SL value is changed to 1. 2. Network device 102 changes the destination address in the IPv6 header of the second data packet to Segment List[SL]. In an example, network device 102 sets the SL field of the SRH to 0 and changes the destination address in the IPv6 header to End.XTEpg SID3.
S419: Network device 102 sends the third data packet.
Network device 102 looks up the forwarding entry according to the IPv6 destination address and sends the third data packet.
In an example, network device 102 sends the third data packet to network device 103.
S421: After receiving the third data packet sent by network device 102, network device 103 obtains the first micro-segment segment identifier from the third data packet.
The method and optional manners by which network device 103 obtains the first micro-segment segment identifier from the third data packet are the same as those by which network device 103 obtains the first micro-segment segment identifier in the method embodiment shown in FIG. 3a. For details, see the description at S321 in the method embodiment shown in FIG. 3a, which is not repeated here.
S423: Network device 103 determines a processing action for the third data packet according to the first micro-segment segment identifier.
The method and optional manners by which network device 103 determines the processing action for the third data packet according to the first micro-segment segment identifier are the same as the manner in which network device 103 determines the processing action for the second data packet according to the first micro-segment segment identifier in the method embodiment shown in FIG. 3a. For details, see the description at S323 in the method embodiment shown in FIG. 3a, which is not repeated here.
S425: Network device 103 performs the determined processing action on the third data packet.
The method and optional manners by which network device 103 performs the determined processing action on the third data packet are the same as the manner in which network device 103 performs the determined processing action on the second data packet in the method embodiment shown in FIG. 3a. For details, see the description at S325 in the method embodiment shown in FIG. 3a, which is not repeated here.
S427: When the processing action determined by network device 103 is forward or mark, network device 103 generates a fourth data packet according to the third data packet.
The method and optional manners by which network device 103 generates the fourth data packet according to the third data packet are the same as the manner in which network device 103 generates the third data packet according to the second data packet in the method embodiment shown in FIG. 3a. For details, see the description at S327 in the method embodiment shown in FIG. 3a, which is not repeated here.
S429: Network device 103 sends the fourth data packet.
The method and optional manners by which network device 103 sends the fourth data packet are the same as the manner in which network device 103 sends the third data packet in the method embodiment shown in FIG. 3a. For details, see the description at S329 in the method embodiment shown in FIG. 3a, which is not repeated here.
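An added example, not part of the patent text: steps S409 to S417 for the case without a second micro-segment segment identifier, showing the SRH that network device 101 builds and the endpoint processing at network device 102. The IPv6 values standing in for End.TEpg SID1021 and End.XTEpg SID3, the policy table keyed by micro-segment SID, the default discard for an unknown SID and the SL sanity check are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Tuple

# Constructed sample SIDs from the IPv6 documentation prefix. The patent names them
# only as "End.TEpg SID1021" (node SID of device 102) and "End.XTEpg SID3".
END_TEPG_SID1021 = ipaddress.IPv6Address("2001:db8:102::1021")
END_XTEPG_SID3 = ipaddress.IPv6Address("2001:db8:103::3")


@dataclass(frozen=True)
class SRv6Packet:
    dst: ipaddress.IPv6Address                       # IPv6 header destination address
    segments_left: int                               # SL field of the SRH
    segment_list: Tuple[ipaddress.IPv6Address, ...]  # Segment List[0] is the last segment
    payload: bytes
    dscp: int = 0


def build_second_packet(payload, microseg_sid, node_sids):
    """S409 at device 101: micro-segment SID at Segment List[0], node SIDs above it."""
    if not node_sids:
        raise ValueError("at least one micro-segment node SID is required (n > 0)")
    # node_sids is given in travel order; the SRH stores segments in reverse order.
    segment_list = (microseg_sid, *reversed(node_sids))
    sl = len(segment_list) - 1
    return SRv6Packet(segment_list[sl], sl, segment_list, payload)


def process_at_node(pkt, local_node_sid, policy):
    """S413 to S417 at device 102. Returns (action, resulting packet or None)."""
    if pkt.dst != local_node_sid:
        return "transit", pkt              # not our SID: ordinary IPv6 forwarding
    # Reject an SRH whose SL cannot index the list or leaves no next segment.
    if not 0 < pkt.segments_left < len(pkt.segment_list):
        return "discard", None
    microseg_sid = pkt.segment_list[0]     # S413: read the first micro-segment SID
    # S415: policy lookup; unknown micro-segment SIDs are dropped (assumed default).
    action, arg = policy.get(microseg_sid, ("discard", None))
    if action == "discard":
        return action, None
    if action in ("mirror", "redirect"):   # copy or packet goes to arg; the flow ends
        return action, replace(pkt, dst=arg)
    if action in ("forward", "mark"):
        if action == "mark":               # marking is forwarding after a DSCP rewrite
            pkt = replace(pkt, dscp=arg)
        sl = pkt.segments_left - 1         # S417 step 1: SL := SL - 1
        # S417 step 2: IPv6 destination address := Segment List[SL]
        return action, replace(pkt, segments_left=sl, dst=pkt.segment_list[sl])
    raise ValueError(f"unknown action {action!r}")
```

With one intermediate node the packet leaves network device 101 with SL=1 and the node SID as destination, and leaves network device 102 with SL=0 and End.XTEpg SID3 as destination, matching the example in S417.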
The method embodiment shown in FIG. 4b provides a flowchart of a data packet processing method. Its main difference from the method embodiment shown in FIG. 4a is that the first network device, the second network device and the third network device process packets according to both the first micro-segment segment identifier and the second micro-segment segment identifier. This embodiment is a refined representation of the method embodiment of FIG. 4a. For the specific content of each step, see the step with the same number in FIG. 4a and its optional implementations. For brevity, the detailed steps of the embodiment of FIG. 4b are not repeated here.
The foregoing describes the embodiments of the data packet processing method provided in this application. The following describes the first network device and the second network device provided in this application.
FIG. 11 is a schematic structural diagram of a second network device provided by an embodiment of this application. The network device 1100 can perform the methods performed by the second network device (network device 101) shown in FIG. 3a and the second network device (network device 101) shown in FIG. 4a. The network device 1100 includes a receiving unit 1101, a processing unit 1102, and a sending unit 1103. The receiving unit 1101 may be used to perform, for example, step S303 and the receiving of the first data packet in step S305 in the embodiment of FIG. 3a, and may also be used to perform, for example, steps S403 and S404 and the receiving of the first data packet in step S405 in the embodiment of FIG. 4a. The processing unit 1102 may be used to perform, for example, steps S307, S308 and S309 and the determining of the first micro-segment segment identifier in step S305 in the embodiment of FIG. 3a, and may also be used to perform, for example, steps S407, S408 and S409 and the determining of the first micro-segment segment identifier in step S405 in the embodiment of FIG. 4a. The sending unit 1103 may be used to perform, for example, step S311 in the embodiment of FIG. 3a, and may also be used to perform, for example, step S411 in the embodiment of FIG. 4a.
It should be noted that the division into the functional units above is only an example of how the second network device provided in the embodiment of FIG. 11 processes data packets as described. In actual applications, the functions may be allocated to different functional units as needed, that is, the internal structure of the second network device may be divided into different functional units to complete all or part of the functions described above, or a single functional unit may complete the functions of several of the units above. It should be understood that the second network device provided in the foregoing embodiment and the foregoing embodiment of the method for determining a forwarding path belong to the same concept. Only the steps performed by each unit of the second network device are described here as examples, which does not mean that the device does not perform the other steps or optional methods in the foregoing embodiments. For the specific implementation process, see the method embodiments; details are not repeated here.
FIG. 12 is a schematic structural diagram of a first network device provided by an embodiment of this application. The network device 1200 can perform the methods performed by the first network device (network device 103) shown in FIG. 3a and by the first network device (network device 102) and the second network device (network device 103) shown in FIG. 4a. The network device 1200 includes a receiving unit 1201, a processing unit 1202, and a sending unit 1203. The receiving unit 1201 may be used to perform, for example, the receiving of the second data packet in step S321 in the embodiment shown in FIG. 3a. The processing unit 1202 may be used to perform, for example, steps S323, S325 and S337 and the obtaining of the first micro-segment segment identifier in step S321 in the embodiment shown in FIG. 3a. The sending unit 1203 may be used to perform, for example, steps S301 and S319 in the embodiment shown in FIG. 3a. The receiving unit 1201 may also be used to perform, for example, the receiving of the second data packet in step S413 and the receiving of the third data packet in step S421 in the embodiment shown in FIG. 4a. The processing unit 1202 may also be used to perform, for example, steps S415, S416, S417, S423, S425 and S427, the obtaining of the first micro-segment segment identifier in step S413, and the obtaining of the first micro-segment segment identifier in step S421 in the embodiment shown in FIG. 4a. The sending unit 1203 may also be used to perform, for example, steps S401, S402, S419, and S429 in the embodiment shown in FIG. 4a.
It should be noted that the division into the functional units above is only an example of how the first network device provided in the embodiment of FIG. 12 processes data packets as described. In actual applications, the functions may be allocated to different functional units as needed, that is, the internal structure of the first network device may be divided into different functional units to complete all or part of the functions described above, or a single functional unit may complete the functions of several of the units above. It should be understood that the first network device provided in the foregoing embodiment and the foregoing embodiments of the data packet processing method belong to the same concept. Only the steps performed by each unit of the first network device are described here as examples, which does not mean that the device does not perform the other steps or optional methods in the foregoing embodiments. For the specific implementation process, see the method embodiments; details are not repeated here.
The foregoing describes the first network device and the second network device of the embodiments of this application. The following describes possible product forms of the first network device and the second network device. It should be understood that any product in any form that has the features of the second network device in FIG. 11, and any product in any form that has the features of the first network device in FIG. 12, falls within the scope of protection of this application. It should also be understood that the following description is only an example and does not limit the product forms of the first network device and the second network device in the embodiments of this application.
FIG. 13 is a schematic structural diagram of a device 1300 provided by an embodiment of this application. The first network device or the second network device shown in the embodiment of FIG. 3a, or the first network device, the second network device, or the third network device shown in the embodiment of FIG. 4a, can each be implemented by the device shown in FIG. 13. See the schematic structural diagram of the device shown in FIG. 13. The device 1300 includes a main control board and one or more interface boards, and the main control board is communicatively connected to the interface boards. The main control board is also called a main processing unit (MPU) or a route processor card. The main control board is responsible for controlling and managing each component in the device 1300, including route calculation, device management, and maintenance functions. The interface board is also called a line processing unit (LPU) or a line card, and is used to forward data. In some embodiments, the device 1300 may also include a switching network board. The switching network board is communicatively connected to the main control board and the interface boards and is used to forward data between the interface boards; the switching network board may also be called a switch fabric unit (SFU). The interface board includes a central processing unit, a memory, a forwarding chip, and a physical interface card (PIC). The central processing unit is communicatively connected to the memory, the network processor, and the physical interface card respectively. The memory is used to store the forwarding table. The forwarding chip is used to forward received data messages based on the forwarding table stored in the memory. If the destination address of a data message is the address of the device 1300, the data message is sent up to a central processing unit (CPU), such as the central processing unit 1331, for processing; if the destination address of the data message is not the address of the device 1300, the next hop and the outbound interface corresponding to the destination address are found in the forwarding table according to the destination address, and the data message is forwarded to the outbound interface corresponding to the destination address. The forwarding chip may be a network processor (NP). The PIC, also called a daughter card, can be installed on the interface board and is responsible for converting optical/electrical signals into data messages and, after checking the validity of the data messages, forwarding them to the forwarding chip for processing. In some embodiments, the central processing unit can also perform the function of the forwarding chip, for example by implementing software forwarding on a general-purpose CPU, so that no forwarding chip is needed in the interface board. The communication connections between the main control board, the interface boards, and the switching network board can be implemented through a bus. In some embodiments, the forwarding chip may be implemented by an application-specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
Logically, the device 1300 includes a control plane and a forwarding plane. The control plane includes the main control board and the central processing unit. The forwarding plane includes the components that perform forwarding, such as the memory, the PIC, and the NP. The control plane performs functions such as routing, generating the forwarding table, processing signaling and protocol messages, and configuring and maintaining the state of the device. The control plane delivers the generated forwarding table to the forwarding plane; on the forwarding plane, the NP looks up the forwarding table delivered by the control plane and forwards the messages received by the PIC of the device 1300 accordingly. The forwarding table delivered by the control plane can be stored in the memory. In some embodiments, the control plane and the forwarding plane may be completely separated and not located on the same device. The above process is briefly described below with reference to the embodiments of FIG. 3a and FIG. 4a.
As shown in the method described in FIG. 3a or FIG. 4a, the second network device in the segment routing network may receive the first data message through the physical interface card 1333 and, when it determines that the destination IP address of the first data message is the address of the network device 1300, send the data message up to the CPU 1331 for processing. The CPU 1331 may determine the first micro-segment segment identifier according to the first data message. Optionally, the CPU 1331 is further configured to determine the second micro-segment segment identifier according to the first data message. The CPU 1331 is further configured to perform the corresponding processing action on the first data message and generate a second data message according to the first micro-segment segment identifier, or to perform the corresponding processing action on the first data message and generate a second data message according to the first micro-segment segment identifier and the second micro-segment segment identifier. The CPU 1311 may be configured to receive configuration instructions sent by a controller or a computing unit. The physical interface card 1333 may be used to send the second data message to the first network device.
As shown in the method described in FIG. 3a or FIG. 4a, the second network device or the first network device in the segment routing network may receive the first data message through the physical interface card 1333 and, when it determines that the destination IP address of the first data message is the address of the network device 1300, send the data message up to the CPU 1331 for processing. The first data message carries the first micro-segment segment identifier; optionally, the first data message also carries the second micro-segment segment identifier. The CPU 1331 is configured to perform the corresponding processing action on the first data message and generate a second data message according to the first micro-segment segment identifier, or to perform the corresponding processing action on the first data message and generate a second data message according to the first micro-segment segment identifier and the second micro-segment segment identifier. The CPU 1311 may be configured to receive configuration instructions sent by a controller or a computing unit. The physical interface card 1333 may be used to send the second data message to the first network device.
The network device provided by this embodiment of the present invention may correspond to the first network device, the second network device, or the third network device in the method embodiments described in FIG. 3a or FIG. 4a, and can implement the functions of, and/or the various steps and methods performed by, the first network device, the second network device, or the third network device in the foregoing method embodiments. The above is only a brief exemplary description; for brevity, details are not repeated here.
It is worth noting that there may be one or more main control boards; when there are several, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the network device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no switching network board, or there may be one or more; when there are several, they can jointly implement load sharing and redundancy backup. Under a centralized forwarding architecture, the network device may not need a switching network board, and the interface board handles the processing of the service data of the entire system. Under a distributed forwarding architecture, the network device may have at least one switching network board, through which data is exchanged between multiple interface boards, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of a network device with a distributed architecture are greater than those of a device with a centralized architecture. Optionally, the network device may also take the form of a single board, that is, there is no switching network board and the functions of the interface board and the main control board are integrated on that one board. In this case, the central processing unit on the interface board and the central processing unit on the main control board may be combined into one central processing unit on that board, which performs the combined functions of the two. The data exchange and processing capabilities of a device in this form are low (for example, network devices such as low-end switches or routers). Which architecture is used depends on the specific networking deployment scenario and is not limited here.
FIG. 14 is a schematic structural diagram of a device 1400 provided by an embodiment of this application. The first network device or the second network device shown in the embodiment of FIG. 3a, or the first network device, the second network device, or the third network device shown in the embodiment of FIG. 4a, can each be implemented by the device shown in FIG. 14. See the schematic structural diagram of the device shown in FIG. 14. The device 1400 includes at least one processor 1401, a communication bus 1402, and at least one communication interface 1404. Optionally, the device 1400 may further include a memory 1403.
The processor 1401 may be a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the solutions of this application. The processor may be used to process received messages so as to implement the message processing method provided in the embodiments of this application.
For example, when the second network device in FIG. 3a or FIG. 4a is implemented by the device 1400 shown in FIG. 14, the processor may be used to add, to a received message, an SRH that includes the first micro-segment segment identifier and the second micro-segment segment identifier, so that other network devices later in the segment routing network can process the data message according to the first micro-segment segment identifier and the second micro-segment segment identifier. For the specific function implementation, refer to the processing part corresponding to the second network device in the method embodiment of FIG. 3a or FIG. 4a. As another example, when the first network device in FIG. 3a or FIG. 4a, or the second network device in FIG. 4a, is implemented by the network device shown in FIG. 14, the processor may be used to obtain the first micro-segment segment identifier and the second micro-segment segment identifier from a received data message and to process the data message according to the first micro-segment segment identifier and the second micro-segment segment identifier. For the specific function implementation, refer to the processing parts of the second network device and the first network device in the method embodiments.
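The exchange described above, in which one device adds the first and second micro-segment segment identifiers to a message and another device looks up the processing action for that pair, can be sketched as follows. This is an added example, not code from the application: the `Ingress` and `Egress` role names, the functional-part value, the address prefixes, the policy entries and the default `drop` action are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

FUNC_MSEG = 0x4D  # constructed functional-part value: "apply micro-segment policy"


@dataclass(frozen=True)
class MicroSegSid:
    node: str      # device that owns the micro-segment
    function: int  # functional part of the identifier
    mseg: int      # micro-segment number on that device


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    segment_list: tuple = ()       # stands in for the SID list of an SRH
    marks: frozenset = frozenset()


def longest_match(table, ip):
    """Return the value of the most specific prefix in table containing ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, val) for net, val in table.items() if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


class Ingress:
    """Determines both identifiers and adds them to the message."""

    def __init__(self, node, local_map, remote_map):
        self.node = node
        self.local_map = local_map    # prefix -> micro-segment on this device
        self.remote_map = remote_map  # prefix -> (owning node, micro-segment)

    def encapsulate(self, msg):
        dst = longest_match(self.remote_map, msg.dst_ip)
        src = longest_match(self.local_map, msg.src_ip)
        if dst is None or src is None:
            return None  # assumption: unclassified traffic is not sent
        first = MicroSegSid(dst[0], FUNC_MSEG, dst[1])   # destination side
        second = MicroSegSid(self.node, FUNC_MSEG, src)  # source side
        return replace(msg, segment_list=(first, second))


class Egress:
    """Owns the first micro-segment; maps the identifier pair to an action."""

    def __init__(self, node, policy):
        self.node = node
        self.policy = policy  # (first, second) -> "forward" | "mark"

    def process(self, msg):
        if msg is None or len(msg.segment_list) != 2:
            return "drop", None
        first, second = msg.segment_list
        # Only act when the identifier is ours and its functional part asks for it.
        if first.node != self.node or first.function != FUNC_MSEG:
            return "drop", None
        action = self.policy.get((first, second), "drop")  # assumed default
        if action == "drop":
            return action, None
        # Claim 4 says the output omits the first identifier; removing both
        # identifiers here is an assumption of this sketch.
        out = replace(msg, segment_list=())
        if action == "mark":
            out = replace(out, marks=out.marks | {"mseg"})
        return action, out


def run_demo():
    """Constructed topology: PE1 classifies, PE2 enforces."""
    net = ipaddress.ip_network
    web = MicroSegSid("PE1", FUNC_MSEG, 10)
    guest = MicroSegSid("PE1", FUNC_MSEG, 20)
    db = MicroSegSid("PE2", FUNC_MSEG, 30)
    ingress = Ingress(
        "PE1",
        local_map={net("2001:db8:1:10::/64"): 10, net("2001:db8:1:20::/64"): 20,
                   net("2001:db8:1:40::/64"): 40},
        remote_map={net("2001:db8:2:30::/64"): ("PE2", 30)},
    )
    egress = Egress("PE2", {(db, web): "forward", (db, guest): "mark"})
    results = {}
    for src in ("2001:db8:1:10::5", "2001:db8:1:20::5", "2001:db8:1:40::5"):
        msg = Message(src, "2001:db8:2:30::9")
        results[src] = egress.process(ingress.encapsulate(msg))
    return results
```

Keying the table on the identifier pair means a source micro-segment with no entry (micro-segment 40 in the constructed data) falls through to the assumed default instead of inheriting another segment's action.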
The communication bus 1402 is used to transfer information between the processor 1401, the communication interface 1404, and the memory 1403.
The memory 1403 may be a read-only memory (ROM), for example an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc, or optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like). Alternatively, the memory 1403 may be a random access memory (RAM) or another type of dynamic storage device that can store information and instructions.
The memory 1403 may exist independently and be connected to the processor 1401 through the communication bus 1402. The memory 1403 may also be integrated with the processor 1401.
Optionally, the memory 1403 is used to store program code or instructions for executing the solutions of this application, and execution is controlled by the processor 1401. The processor 1401 is configured to execute the program code stored in the memory 1403. The program code may include one or more software modules. Optionally, the processor 1401 itself may also store program code or instructions for executing the solutions of this application.
The communication interface 1404 uses any transceiver-type apparatus to communicate with other devices or a communication network. The communication network may be Ethernet, a radio access network (RAN), a wireless local area network (WLAN), or the like. In the embodiments of this application, the communication interface 1404 may be used to receive messages sent by other network devices in the segment routing network, and may also send messages to other network devices in the segment routing network. The communication interface 1404 may be an Ethernet interface, a Fast Ethernet (FE) interface, or a Gigabit Ethernet (GE) interface.
In a specific implementation, as an embodiment, the device 1400 may include multiple processors, such as the processor 1401 and the processor 1405 shown in FIG. 14. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
It should be understood that the network devices in the various product forms above each have any of the functions of the network devices in the foregoing embodiments of the data message processing method, which are not repeated here.
See FIG. 15, which is a schematic diagram of a network system 1500 provided by an embodiment of this application.
The network system provided by this embodiment of the application may include a first network device 1510 and a second network device 1520, which communicate with each other. In one possible manner, the second network device 1520 may perform the method steps and related optional manners performed by the network device 101 in the embodiments shown in FIG. 3a and FIG. 3b, and the first network device 1510 may perform the method steps and related optional manners performed by the network device 102 in the embodiments shown in FIG. 4a or FIG. 4b. In one possible manner, the first network device 1510 and the second network device 1520 communicate with each other, the second network device 1520 may perform the method steps and related optional manners performed by the network device 101 in the embodiments shown in FIG. 3a and FIG. 3b, and the first network device 1510 may perform the method steps and related optional manners performed by the network device 103 in the embodiments shown in FIG. 4a or FIG. 4b. In one possible manner, the network system further includes a third network device 1530; the first network device 1510, the second network device 1520, and the third network device communicate with one another; the second network device 1520 may perform the method steps and related optional manners performed by the network device 101 in the embodiments shown in FIG. 3a and FIG. 3b; the first network device 1510 may perform the method steps and related optional manners performed by the network device 102 in the embodiments shown in FIG. 4a or FIG. 4b; and the first network device 1530 may perform the method steps and related optional manners performed by the network device 103 in the embodiments shown in FIG. 4a or FIG. 4b. The specific product forms of the network device 101, the network device 102, and the network device 103 are as described above and are not repeated here.
A person of ordinary skill in the art may realize that the method steps and units described in the embodiments disclosed herein can be implemented by electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of each embodiment have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
A person of ordinary skill in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above can be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative. For example, the division into units is only a division by logical function; in actual implementation there may be other ways of dividing, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may also be electrical or other forms of connection.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of this application.
In addition, the processing units in the embodiments of this application may be distributed across multiple functional units or integrated in one processing unit; each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, firmware, or a combination thereof, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer program instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer program instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means. The computer-readable storage medium may be any medium that a computer can access, or a data storage device such as a server or data center that integrates one or more media. The medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, an optical disc), or a semiconductor medium (for example, a solid-state drive).
The specific embodiments described above further describe the purpose, technical solutions, and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, or the like made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.

Claims (38)

  1. A method for processing a data message, characterized in that it comprises:
    receiving, by a first network device in a segment routing network, a first data message, wherein the first data message includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data message is a data message sent to the second network device;
    determining, by the first network device according to the first micro-segment segment identifier, a processing action for the first data message;
    performing, by the first network device, the processing action on the first data message.
  2. The method according to claim 1, characterized in that the determining, by the first network device according to the first micro-segment segment identifier, a processing action for the first data message comprises:
    determining, by the first network device, the processing action for the first data message according to a correspondence between the first micro-segment segment identifier and the processing action.
  3. The method according to claim 1 or 2, characterized in that the first network device and the second network device are the same network device, and the first micro-segment segment identifier includes a functional part,
    before the first network device determines the processing action for the first data message according to the first micro-segment segment identifier, the method further comprises:
    determining, by the first network device, that the functional part is used to indicate that the first network device is to determine the processing action for the first data message according to the first micro-segment segment identifier.
  4. The method according to claim 3, characterized in that, when the processing action includes forwarding or marking, the performing, by the first network device, the processing action on the first data message comprises:
    generating, by the first network device, a second data message, wherein the second data message does not include the first micro-segment segment identifier;
    sending, by the first network device, the second data message.
  5. The method according to claim 1 or 2, characterized in that the first network device and the second network device are different devices, the first data message further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of the first network device, the micro-segment node segment identifier includes a functional part, and the functional part is used to indicate that:
    the first network device is to determine the processing action for the first data message according to the first micro-segment segment identifier.
  6. The method according to any one of claims 1-5, characterized in that the first data message further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, the first micro-segment segment identifier and the second micro-segment segment identifier are added to the first data message by the third network device, and the determining, by the first network device according to the first micro-segment segment identifier, a processing action for the first data message comprises:
    determining, by the first network device, the processing action for the first data message according to a correspondence between a matching condition and the processing action, wherein the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  7. The method according to claim 6, characterized in that
    the segment identifier list of the first data message includes the second micro-segment segment identifier, or
    the first data message further includes metadata, and the metadata includes the second micro-segment segment identifier.
  8. The method according to any one of claims 1-7, characterized in that
    the segment identifier list of the first data message includes the first micro-segment segment identifier.
  9. The method according to claim 7 or 8, characterized in that the segment identifier list is carried in a segment routing header or a multi-protocol label switching label stack of the first data message.
  10. A method for processing a data message, characterized in that it comprises:
    receiving, by a first network device in a segment routing network, a first data message;
    determining, by the first network device, a first micro-segment segment identifier according to the first data message, wherein the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data message does not include the first micro-segment segment identifier, and the first data message is a data message sent to the second network device;
    determining, by the first network device according to the first micro-segment segment identifier, a processing action for the first data message;
    performing, by the first network device, the processing action on the first data message.
  11. The method according to claim 10, characterized in that the determining, by the first network device according to the first micro-segment segment identifier, a processing action for the first data message comprises:
    determining, by the first network device, the processing action for the first data message according to a correspondence between the first micro-segment segment identifier and the processing action.
  12. The method according to claim 10 or 11, characterized in that the first micro-segment segment identifier includes a functional part, and the functional part is used to indicate that the second network device is to determine the processing action for the first data message according to the first micro-segment segment identifier.
  13. The method according to claim 10 or 11, wherein when the processing action includes forwarding or marking, the performing, by the first network device, the processing action on the first data packet comprises:
    generating, by the first network device, a second data packet according to the first data packet, wherein the second data packet includes the first micro-segment segment identifier; and
    sending, by the first network device, the second data packet to the second network device.
  14. The method according to any one of claims 10-12, wherein
    the method further comprises: determining, by the first network device according to the received first data packet, the second micro-segment segment identifier, wherein the second micro-segment segment identifier is used to identify a micro-segment of the first network device; and
    the determining, by the first network device, a processing action on the first data packet according to the first micro-segment segment identifier comprises:
    determining, by the first network device, the processing action on the first data packet according to a correspondence between a matching condition and the processing action, wherein the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  15. The method according to claim 14, wherein when the processing action includes forwarding or marking, the performing, by the first network device, the processing action on the first data packet comprises:
    generating, by the first network device, a second data packet according to the first data packet, wherein the second data packet includes the first micro-segment segment identifier and the second micro-segment segment identifier; and
    sending, by the first network device, the second data packet to the second network device.
  16. The method according to claim 15, wherein
    a segment identifier list of the second data packet includes the second micro-segment segment identifier, or
    the second data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
  17. The method according to any one of claims 14-16, wherein the second micro-segment segment identifier includes a function part, and the function part is used to indicate that the first network device determines the processing action on the first data packet according to the second micro-segment segment identifier.
  18. The method according to claim 13, 15 or 16, wherein the second data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of a third network device in the segment routing network, and the micro-segment node segment identifier is used to instruct the third network device to process the second data packet according to the first micro-segment segment identifier.
  19. A first network device, applied to a segment routing network, comprising:
    a receiving unit, configured to receive a first data packet, wherein the first data packet includes a first micro-segment segment identifier, the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, and the first data packet is a data packet sent to the second network device; and
    a processing unit, configured to determine a processing action on the first data packet according to the first micro-segment segment identifier;
    wherein the processing unit is configured to perform the processing action on the first data packet.
  20. The first network device according to claim 19, wherein the processing unit being configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically:
    the processing unit is configured to determine the processing action on the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
  21. The first network device according to claim 19 or 20, wherein the first network device and the second network device are the same network device, and the first micro-segment segment identifier includes a function part;
    before the processing unit determines the processing action on the first data packet according to the first micro-segment segment identifier, the processing unit is further specifically configured to:
    determine that the function part is used to indicate that the processing unit determines the processing action on the first data packet according to the first micro-segment segment identifier.
  22. The first network device according to claim 21, wherein the first network device further comprises a sending unit, and when the processing action includes forwarding or marking, the processing unit performing the processing action on the first data packet is specifically:
    the processing unit generates a second data packet, wherein the second data packet does not include the first micro-segment segment identifier; and
    the sending unit is configured to send the second data packet.
  23. The first network device according to claim 19 or 20, wherein the first network device and the second network device are different devices, the first data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of the first network device, the micro-segment node segment identifier includes a function part, and the function part is used to indicate that:
    the processing unit determines the processing action on the first data packet according to the first micro-segment segment identifier.
  24. The first network device according to any one of claims 19-23, wherein the first data packet further includes a second micro-segment segment identifier, the second micro-segment segment identifier is used to identify a micro-segment of a third network device in the segment routing network, the first micro-segment segment identifier and the second micro-segment segment identifier are added to the first data packet by the third network device, and the processing unit being configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically:
    the processing unit is configured to determine the processing action on the first data packet according to a correspondence between a matching condition and the processing action, wherein the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  25. The first network device according to claim 24, wherein
    a segment identifier list of the first data packet includes the second micro-segment segment identifier, or
    the first data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
  26. The first network device according to any one of claims 19-25, wherein
    a segment identifier list of the first data packet includes the first micro-segment segment identifier.
  27. The method according to claim 25 or 26, wherein the segment identifier list is carried in a segment routing header or a multi-protocol label switching label stack of the first data packet.
  28. A second network device, applied to a segment routing network, comprising:
    a receiving unit, configured to receive a first data packet; and
    a processing unit, configured to determine a first micro-segment segment identifier according to the first data packet, wherein the first micro-segment segment identifier is used to identify a micro-segment of a second network device in the segment routing network, the first data packet does not include the first micro-segment segment identifier, and the first data packet is a data packet sent to the second network device;
    wherein the processing unit is further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier; and
    the processing unit is further configured to perform the processing action on the first data packet.
  29. The second network device according to claim 28, wherein the processing unit being further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically:
    the processing unit is configured to determine the processing action on the first data packet according to a correspondence between the first micro-segment segment identifier and the processing action.
  30. The second network device according to claim 28 or 29, wherein the first micro-segment segment identifier includes a function part, and the function part is used to indicate that the second network device determines the processing action on the first data packet according to the first micro-segment segment identifier.
  31. The second network device according to claim 28 or 29, wherein the second network device further comprises a sending unit, and when the processing action includes forwarding or marking, the processing unit being further configured to perform the processing action on the first data packet is specifically:
    the processing unit is configured to generate a second data packet according to the first data packet, wherein the second data packet includes the first micro-segment segment identifier; and
    the sending unit is configured to send the second data packet to the second network device.
  32. The second network device according to any one of claims 28-30, wherein
    the processing unit is further configured to determine the second micro-segment segment identifier according to the received first data packet, wherein the second micro-segment segment identifier is used to identify a micro-segment of the first network device; and
    the processing unit being further configured to determine a processing action on the first data packet according to the first micro-segment segment identifier is specifically:
    the processing unit determines the processing action on the first data packet according to a correspondence between a matching condition and the processing action, wherein the matching condition includes the first micro-segment segment identifier and the second micro-segment segment identifier.
  33. The second network device according to claim 30, wherein the second network device further comprises a sending unit, and when the processing action includes forwarding or marking, the processing unit being further configured to perform the processing action on the first data packet comprises:
    the processing unit is configured to generate a second data packet according to the first data packet, wherein the second data packet includes the first micro-segment segment identifier and the second micro-segment segment identifier; and
    the processing unit is configured to send the second data packet to the second network device.
  34. The second network device according to claim 33, wherein
    a segment identifier list of the second data packet includes the second micro-segment segment identifier, or
    the second data packet further includes metadata, and the metadata includes the second micro-segment segment identifier.
  35. The second network device according to any one of claims 32-34, wherein the second micro-segment segment identifier includes a function part, and the function part is used to indicate that the first network device determines the processing action on the first data packet according to the second micro-segment segment identifier.
  36. The second network device according to claim 31, 33 or 34, wherein the second data packet further includes a micro-segment node segment identifier, the micro-segment node segment identifier is a segment identifier of a third network device in the segment routing network, and the micro-segment node segment identifier is used to instruct the third network device to process the second data packet according to the first micro-segment segment identifier.
  37. A network system, comprising a first network device and a second network device, wherein the first network device is the first network device according to any one of claims 19 to 24, and the second network device is the second network device according to any one of claims 25 to 30.
  38. A computer-readable storage medium, wherein a computer program is stored on the storage medium, and the computer program is used to execute the method according to any one of claims 1-18.
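
The flow of claims 14, 15 and 21-22 (the ingress device derives both micro-segment segment identifiers, matches the pair against a policy table and encodes them in the second data packet; the egress device checks the function part, re-evaluates the pair and strips the identifiers), sketched as an added example that is not part of the patent text. The SID layout, function code, prefixes, group numbers, the "discard" action and the default-deny fallback are all assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Everything here is constructed for illustration: the prefixes, the SID layout
# (64-bit locator | 16-bit function part | 48-bit group id), the function code,
# the group numbers, the "discard" action and the default-deny fallback.
FUNC_MICROSEG = 0x4D53              # hypothetical "apply micro-segment policy" code
FIRST_DEV = "2001:db8:1::/64"       # locator of the first network device (ingress)
SECOND_DEV = "2001:db8:2::/64"      # locator of the second network device (egress)

def micro_segment_sid(locator: str, group: int) -> ipaddress.IPv6Address:
    """Compose a micro-segment SID from a device locator and a group id."""
    net = ipaddress.IPv6Network(locator)
    if net.prefixlen != 64 or not 0 <= group < 2 ** 48:
        raise ValueError("expected a /64 locator and a 48-bit group id")
    return net.network_address + ((FUNC_MICROSEG << 48) | group)

def function_part(sid: ipaddress.IPv6Address) -> int:
    """Extract the 16-bit function part that follows the locator."""
    return (int(sid) >> 48) & 0xFFFF

class Packet(NamedTuple):
    src: str
    dst: str
    sid_list: Tuple[ipaddress.IPv6Address, ...] = ()

DEV = micro_segment_sid(FIRST_DEV, 10)     # source micro-segment "dev"
GUEST = micro_segment_sid(FIRST_DEV, 20)   # source micro-segment "guest"
DB = micro_segment_sid(SECOND_DEV, 30)     # destination micro-segment "db"
SRC_SEGMENTS = {ipaddress.ip_network("10.1.0.0/24"): DEV,
                ipaddress.ip_network("10.1.1.0/24"): GUEST}
DST_SEGMENTS = {ipaddress.ip_network("10.2.0.0/24"): DB}
# Matching condition -> action. Key order: (first SID = destination micro-segment,
# second SID = source micro-segment).
POLICY = {(DB, DEV): "forward", (DB, GUEST): "discard"}

def classify(addr: str, table) -> Optional[ipaddress.IPv6Address]:
    """Map an endpoint address to the SID of its micro-segment, if any."""
    ip = ipaddress.ip_address(addr)
    return next((sid for net, sid in table.items() if ip in net), None)

def ingress_process(pkt: Packet):
    """First device: the received packet carries no micro-segment SID yet."""
    first_sid = classify(pkt.dst, DST_SEGMENTS)
    second_sid = classify(pkt.src, SRC_SEGMENTS)
    # An unclassified endpoint or unlisted pair falls through to "discard" (assumed).
    action = POLICY.get((first_sid, second_sid), "discard")
    if action != "forward":
        return action, None
    return action, pkt._replace(sid_list=(first_sid, second_sid))

def egress_process(pkt: Packet, locator: str = SECOND_DEV):
    """Second device: honour the SID only if it is local and carries the policy function."""
    if len(pkt.sid_list) != 2:
        return "discard", None
    first_sid, second_sid = pkt.sid_list
    if (first_sid not in ipaddress.IPv6Network(locator)
            or function_part(first_sid) != FUNC_MICROSEG):
        return "discard", None
    action = POLICY.get((first_sid, second_sid), "discard")
    # The forwarded packet no longer includes the micro-segment SIDs.
    return action, (pkt._replace(sid_list=()) if action == "forward" else None)
```

Evaluating the pair again at the egress device means a packet whose identifiers were altered in transit, or that bypassed the ingress check, still meets the same table before reaching the destination micro-segment.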
PCT/CN2020/105056 2019-11-15 2020-07-28 Data packet processing method and device, and storage medium and system WO2021093372A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911122088.3A CN112822104A (en) 2019-11-15 2019-11-15 Data message processing method, device, storage medium and system
CN201911122088.3 2019-11-15

Publications (1)

Publication Number Publication Date
WO2021093372A1 (en) 2021-05-20

Family

ID=75851892

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/105056 WO2021093372A1 (en) 2019-11-15 2020-07-28 Data packet processing method and device, and storage medium and system

Country Status (2)

Country Link
CN (1) CN112822104A (en)
WO (1) WO2021093372A1 (en)

Also Published As

Publication number Publication date
CN112822104A (en) 2021-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20886486

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20886486

Country of ref document: EP

Kind code of ref document: A1