CN1266887C - Virtual switch for supplying virtual LAN service and method - Google Patents
- Publication number
- CN1266887C (also listed as CN 02123964 and CN02123964A)
- Authority
- CN
- China
- Prior art keywords
- tunnel
- virtual switch
- virtual
- layer
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A virtual switch and method for providing virtual private LAN segment (VPLS) service. The virtual switch comprises an ATM interface module, an Ethernet interface module and an Ethernet switching module, together with a layer-3 tunnel interface module that is connected to the Ethernet switching module and performs layer-3 tunneling protocol processing. The method of using a virtual switch (VS) to provide VPLS service across an IP wide area network establishes an IP tunnel between different virtual switches with a layer-3 tunneling protocol, providing a channel that transparently carries Ethernet packet data as the payload of IP packets, and encapsulates the Ethernet packet data to be transmitted with the layer-3 tunneling protocol. In other words, Ethernet packets are encapsulated in IP packets for forwarding, which interconnects virtual switches across the IP network. The invention enables the virtual switch to provide VPLS service in ATM, Ethernet and IP network environments, and extends the networking capability and range of application of the virtual switch.
Description
Technical field
The invention relates to a virtual switch and a method for providing virtual LAN segment service, and belongs to the field of broadband network technology in data communications.
Background
Broadband networks are developing rapidly, and modern enterprises and government agencies need to interconnect the computer networks at multiple office locations. The distance between these locations may range from one or two kilometers to several thousand kilometers, and the number of information points (that is, networked computers) at each location ranges from a few to more than a thousand. A typical large company needs a computer network that spans the whole country, with tens of thousands of networked computers. It is clearly uneconomical and unreasonable for each enterprise to lay its own lines and build its own dedicated network. Instead, an enterprise usually purchases a virtual private network (VPN) service from an Internet Service Provider (ISP) and uses it to build its own private network.
At present, virtual private networks (VPNs) fall into four types:
(1) Virtual Private Dial Networks (VPDN): users reach the enterprise data center over a dial-up network. Each user obtains a private address from the enterprise data center, but user data can be carried across the public data network.
(2) Virtual Lease Line (VLL): the simplest type of VPN, in which a leased line between two ends is emulated through an IP tunnel.
(3) Virtual Private Routed Networks (VPRN): an enterprise builds its own private enterprise network over the public data network, and is free to plan the addressing, routing policy and security mechanisms between its branches.
(4) Virtual Private LAN Segment (VPLS): a local area network emulated over the Internet.
A virtual switch (VS) is a functional entity created by configuration on a network device that performs the functions of an Ethernet switch. It is one technical means of implementing a virtual private network (VPN). Several virtual switches can be partitioned on one network device, and each virtual switch can implement a virtual private LAN segment (VPLS) service. At present, virtual private network systems built with virtual switches can only be interconnected across ATM and Ethernet, not across an IP network.
Each virtual switch corresponds to a set of independent data tables on a network device: the virtual switch access channel table, the virtual switch forwarding control table and the virtual switch address switching table. The access channel table holds information about the data forwarding channels that belong to the virtual switch; these channels are also called the ports of the virtual switch. The forwarding control table holds a control flag that indicates whether a port of the virtual switch may exchange data with the other ports of the same virtual switch. The address switching table holds the mapping between Ethernet addresses and virtual switch ports.
The network device determines which virtual switch handles received data from the port on which the data arrived. Inside the virtual switch, the destination address carried in the Ethernet header is looked up in the address switching table to obtain the output port. If the output port may interwork with the input port, the packet is forwarded to the output port; if the lookup finds no matching entry, the packet is forwarded to all other ports of the virtual switch that may interwork with the input port. Each virtual switch has its own Ethernet address learning and address aging functions. The Ethernet addresses used by each virtual switch, and its share of the system resources, are isolated from those of the others. No virtual switch is affected by any other, which ensures the security of each virtual private network's data.
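The lookup, flooding, learning and isolation behaviour described above can be modelled as follows. This is an added example, not code from the patent: the class and channel names are hypothetical, the forwarding control flag is assumed to be a per-port boolean that both ports must have set, and the MAC addresses are constructed.

```python
# Added illustration of the per-virtual-switch tables; names are hypothetical.

def parse_macs(frame: bytes):
    """Return (destination MAC, source MAC) from an Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[0:6], frame[6:12]


class VirtualSwitch:
    """One virtual switch with its own, isolated set of tables."""

    def __init__(self, aging_seconds=300.0):
        self.access_channels = {}  # access channel table: VS port -> channel
        self.interwork = {}        # forwarding control table: VS port -> flag
        self.addresses = {}        # address switching table: MAC -> (port, seen)
        self.aging_seconds = aging_seconds

    def add_port(self, port, channel, interwork=True):
        self.access_channels[port] = channel
        self.interwork[port] = interwork

    def allowed(self, in_port, out_port):
        # Assumed semantics: both ports must have the interworking flag set.
        return (in_port != out_port and self.interwork[in_port]
                and self.interwork[out_port])

    def switch(self, in_port, frame, now):
        """Age and learn addresses, then return the list of output ports."""
        dst, src = parse_macs(frame)
        # Address aging: forget entries not refreshed within the aging time.
        self.addresses = {mac: (port, seen)
                          for mac, (port, seen) in self.addresses.items()
                          if now - seen <= self.aging_seconds}
        # Address learning: group (multicast) source addresses are not learned.
        if not src[0] & 1:
            self.addresses[src] = (in_port, now)
        entry = self.addresses.get(dst)
        if entry is not None:
            return [entry[0]] if self.allowed(in_port, entry[0]) else []
        # No matching entry: forward to every other interworking port.
        return sorted(p for p in self.access_channels if self.allowed(in_port, p))


class NetworkDevice:
    """Maps each receiving channel to (virtual switch number, VS port)."""

    def __init__(self):
        self.switches = {}
        self.channel_map = {}

    def bind(self, vs_no, port, channel, interwork=True):
        self.switches.setdefault(vs_no, VirtualSwitch()).add_port(
            port, channel, interwork)
        self.channel_map[channel] = (vs_no, port)

    def receive(self, channel, frame, now=0.0):
        """Return the channels on which the frame is sent out."""
        vs_no, in_port = self.channel_map[channel]
        vs = self.switches[vs_no]
        return [vs.access_channels[p] for p in vs.switch(in_port, frame, now)]


# Constructed sample data: two customers on one device, overlapping MACs.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")


def make_frame(dst, src):
    return dst + src + b"\x08\x00" + b"constructed payload"


def demo():
    dev = NetworkDevice()
    dev.bind(1, 1, "atm0/1")
    dev.bind(1, 2, "eth0/1")
    dev.bind(1, 3, "eth0/2", interwork=False)   # port barred from interworking
    dev.bind(1, 4, "eth0/3")
    dev.bind(2, 1, "eth1/1")
    dev.bind(2, 2, "eth1/2")
    return {
        "flood": dev.receive("atm0/1", make_frame(MAC_B, MAC_A), now=0),
        "unicast": dev.receive("eth0/1", make_frame(MAC_A, MAC_B), now=1),
        "other_vs": dev.receive("eth1/1", make_frame(MAC_A, MAC_B), now=2),
        "aged": dev.receive("eth0/1", make_frame(MAC_A, MAC_B), now=1000),
    }


if __name__ == "__main__":
    for name, channels in demo().items():
        print(name, channels)
```

The `other_vs` case shows the isolation property: MAC_A was learned in virtual switch 1, yet virtual switch 2 treats it as unknown and floods only within its own ports.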
Virtual switches were first used to provide virtual private LAN segment service on ATM equipment, so the virtual switch system originally had only an ATM access function. Ethernet access was added later. The existing virtual switch system consists of an ATM interface module, an Ethernet interface module and an Ethernet switching module. For ATM access, user data arrives at the ATM interface module in 1483B encapsulation; the ATM interface module removes the 1483B encapsulation, extracts the Ethernet packet and passes it to the Ethernet switching module for processing. For Ethernet access, user data arrives at the Ethernet interface module encapsulated according to the 802.Q specification; the Ethernet interface module removes the 802.Q encapsulation, extracts the Ethernet packet and passes it to the Ethernet switching module for processing. On output, if the output port is an ATM port, the Ethernet switching module passes the Ethernet packet to the ATM interface module, which applies 1483B encapsulation and sends it; if the output port is an Ethernet port, the Ethernet switching module passes the Ethernet packet to the Ethernet interface module, which encapsulates it according to the 802.Q specification and sends it.
At present, when a virtual private LAN segment is built with virtual switches and two branches of a customer are connected to virtual switches on two different network devices, the two virtual switches can only be interconnected across an ATM network or an Ethernet network. This is because an IP network finds routes from layer-3 information (the IP address) when forwarding data. Packets sent by the existing virtual switch system carry 1483B or 802.Q encapsulation and therefore cannot be forwarded on an IP network. Even if such a packet encapsulates an IP packet, its IP address is a private address internal to the enterprise, so devices on the public network cannot forward it correctly.
However, as network technology has developed, IP has gradually become dominant, and IP networks are far more widely deployed and used than ATM networks. The fact that packets sent by existing virtual switches cannot be forwarded on an IP network greatly limits the development and application of virtual private networks (VPNs), and has become a bottleneck for market adoption that the industry urgently needs to overcome.
Summary of the invention
The object of the invention is to provide a virtual switch that overcomes the defects of the prior art and provides virtual LAN segment (VPLS) service, suited to the current communication environment in which ATM networks, Ethernet and IP networks coexist.
Another object of the invention is to provide a method for providing virtual private LAN segment (VPLS) service by using a virtual switch (VS).
The object of the invention is achieved as follows: a virtual switch for providing virtual LAN segment (VPLS) service, comprising an ATM interface module, an Ethernet interface module and an Ethernet switching module, characterized in that the virtual switch is further provided with a layer-3 tunnel interface module that is connected to the Ethernet switching module and performs layer-3 tunneling protocol processing, and that the layer-3 tunnel interface module sets up and maintains a layer-3 tunnel encapsulation table and a key-virtual switch port binding table.
The layer-3 tunnel encapsulation table stores the key value of the local end of the tunnel, the IP address of the peer end of the tunnel and the key value of the peer end of the tunnel.
The key-virtual switch port binding table stores the key value of the local end of the layer-3 tunnel, together with the virtual switch number and virtual switch port number bound to it. There is a one-to-one correspondence between the local key value of the layer-3 tunnel and the virtual switch number and port number bound to it.
For input data, the layer-3 tunnel interface module terminates the layer-3 tunneling protocol, extracts the Ethernet packet carried by the tunnel and passes it to the Ethernet switching module for switching. When an Ethernet packet is output through the layer-3 tunnel interface module, the module tunnel-encapsulates the Ethernet packet and hands it to the IP forwarding module for forwarding.
The Ethernet switching module is the core of the virtual switch system. It manages the virtual switch table entries and switches Ethernet packets.
The Ethernet switching module holds a set of independent data tables for each virtual switch. When it receives data from the ATM, Ethernet or layer-3 tunnel interface module, it finds the corresponding virtual switch tables from the port information carried with the data, and then looks up the forwarding port in the information recorded in those tables.
The other object of the invention is achieved as follows: a method of using a virtual switch (VS) to provide virtual private LAN segment (VPLS) service, characterized in that:
(1) a layer-3 tunnel is established between different virtual switches using a layer-3 tunneling protocol, providing a channel that transparently carries Ethernet packet data as the payload of IP packets;
(2) the Ethernet packet data to be transmitted is encapsulated with the layer-3 tunneling protocol and transmitted through the layer-3 tunnel.
Step (2) further comprises:
(21) the local network device extracts the Ethernet packet according to the input port information of the received data and passes it to the local virtual switch;
(22) after receiving the Ethernet packet, the local virtual switch switches it to the output port that corresponds to the layer-3 tunnel, according to the destination Ethernet address;
(23) the layer-3 tunnel interface module obtains the layer-3 tunneling protocol encapsulation information from the output port number, then, as the layer-3 tunneling protocol requires, adds to the Ethernet packet the layer-3 tunnel identifier (a Generic Routing Encapsulation (GRE) tunnel header) and an IP header, and sends it through the layer-3 tunnel;
(24) the layer-3 tunnel forwarding module of the destination network device receives the IP packet sent through the layer-3 tunnel, determines the destination virtual switch from the layer-3 tunnel identifier and the IP header, extracts the Ethernet packet and passes it to the destination virtual switch;
(25) the destination virtual switch delivers the Ethernet packet to the destination network device.
The layer-3 tunneling protocols that can be used to establish the IP tunnel include the Generic Routing Encapsulation (GRE) tunneling protocol, Multiprotocol Label Switching (MPLS) technology and Internet Protocol Security (IPsec) technology.
The layer-3 tunnel identifier is a Generic Routing Encapsulation (GRE) tunnel header.
The IP header contains the IP address of the layer-3 tunnel interface module at the peer end of the layer-3 tunnel. The layer-3 tunnel identifier contains a checksum field and a key field, and its checksum-present and key-present fields must be set to 1.
The checksum field holds a checksum computed over the layer-3 tunnel identifier and the Ethernet packet data. The key field holds a key value that uniquely identifies the layer-3 tunnel; this key value uniquely determines the virtual switch number bound to the tunnel and the port number of that virtual switch.
The key field can carry verification information that the layer-3 tunnel interface module checks during processing, to prevent outside attacks on the virtual private LAN segment.
The system of the invention is characterized by adding a new functional interface module, the layer-3 tunnel interface module, to the original virtual switch system. This extends the networking capability of the original virtual switch system, so that the extended system can provide virtual private LAN segment service in ATM, Ethernet and IP communication network environments, and it widens the range of application of the virtual switch.
The method of the invention is characterized by creating layer-3 tunnels between virtual switches, so that virtual switches on different network devices can forward Ethernet packets across a wide area network. It thus provides a way of building a virtual private LAN segment over a wide area network with virtual switches. The method has little impact on the original virtual switch system, which makes the virtual switch system highly extensible. The invention can be applied to access servers, edge service routers and similar equipment in the data communication field, and has good prospects for application.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the virtual switch system of the invention that provides virtual LAN segment service.
Fig. 2 is a schematic diagram of the format of the data packet with which the invention carries Ethernet packets over the IP protocol.
Fig. 3 is a schematic diagram of the format of the GRE tunnel header used in the packet of Fig. 2.
Fig. 4 is a schematic diagram of an application network of an embodiment of the system of the invention.
Detailed description
Referring to the structure of the extended virtual switch system shown in Fig. 1, the invention is a virtual switch system for providing virtual LAN segment (VPLS) service. To the ATM interface module 1, Ethernet interface module 2 and Ethernet switching module 3 of the existing virtual switch it adds a layer-3 tunnel interface module 4, which is connected to the Ethernet switching module 3 and performs layer-3 tunneling protocol processing.
The ATM interface module 1 handles the 1483B protocol: on input, it removes the 1483B encapsulation from the incoming data, extracts the Ethernet packet and passes it to the Ethernet switching module for switching; on output, it adds 1483B encapsulation to the Ethernet packet, which is then sent out through the ATM interface. The Ethernet interface module 2 handles the 802.Q specification: on input, it removes the 802.Q encapsulation from the incoming data, extracts the Ethernet packet and passes it to the Ethernet switching module for switching; on output, it adds 802.Q encapsulation to the Ethernet packet, which is then sent out through the Ethernet interface. The layer-3 tunnel interface module 4 performs the layer-3 tunneling protocol processing. It sets up and maintains a layer-3 tunnel encapsulation table and a key-virtual switch port binding table. The layer-3 tunnel encapsulation table stores the key value of the local end of the tunnel, the IP address of the peer end of the tunnel and the key value of the peer end of the tunnel. The key-virtual switch port binding table stores the key value of the local end of the layer-3 tunnel, together with the virtual switch number and virtual switch port number bound to it; there is a one-to-one correspondence between the local key value of the layer-3 tunnel and the virtual switch number and port number bound to it. For input data, the layer-3 tunnel interface module 4 terminates the layer-3 tunneling protocol, extracts the Ethernet packet carried by the tunnel and passes it to the Ethernet switching module for switching. When an Ethernet packet is to be output through the layer-3 tunnel interface module, the module tunnel-encapsulates the Ethernet packet and hands it to the IP forwarding module for forwarding.
The Ethernet switching module 3 is the core of the virtual switch system. It manages the virtual switch table entries and switches Ethernet packets. The Ethernet switching module 3 holds a set of independent data tables for each virtual switch. When it receives data from the ATM, Ethernet or layer-3 tunnel interface module, it finds the corresponding virtual switch tables from the port information carried with the data, and then looks up the forwarding port in the information recorded in those tables. If a port is found, the data is forwarded to that port; otherwise it is forwarded to all reachable ports of the virtual switch.
The thin solid lines in Fig. 1 show that packets from different types of communication network, such as ATM, Ethernet or IP networks, can all be interconnected across ATM, Ethernet and IP networks through the virtual switch of the invention to provide virtual private LAN segment service, which greatly extends the networking capability and range of application of the virtual switch.
Network tunneling is a key technology for building a virtual private network (VPN). Tunneling means using one network protocol to carry another, and a VPN relies mainly on tunneling protocols to do its job. The method of the invention, which uses virtual switches (VS) to provide virtual private LAN segment (VPLS) service across a wide area network, uses a layer-3 tunneling protocol to carry Ethernet packet data transparently as the payload of IP packets. Examples of such protocols are the Generic Routing Encapsulation (GRE) tunneling protocol proposed by the Internet Engineering Task Force (IETF) in RFC1701, Multiprotocol Label Switching (MPLS) technology and Internet Protocol Security (IPsec) technology. This embodiment uses the GRE tunneling protocol as the example.
Fig. 2 shows the format of the complete encapsulated packet of the invention: a layer-3 tunnel identifier (in this embodiment, the GRE tunnel header) and an IP header are placed in front of the Ethernet packet data. The IP header contains the IP address of the layer-3 tunnel interface module at the peer end of the GRE tunnel. The format of the GRE tunnel header is shown in Fig. 3; its fields are:
- C (bit 0), checksum present: if this bit is set to 1, the GRE tunnel header contains the checksum field and the field holds a valid value.
- R (bit 1), routing present: if this bit is set to 1, the GRE tunnel header contains the offset field and the routing field, and they hold valid values.
- K (bit 2), key present: if this bit is set to 1, the GRE tunnel header contains the key field; otherwise it does not.
- S (bit 3), sequence number present: if this bit is set to 1, the GRE tunnel header contains the sequence number field; otherwise it does not.
- s (bit 4), strict source route: setting this bit to 1 is recommended if all of the routing information consists of strict source routes.
- Recur (bits 5-7), recursion control: a 3-bit unsigned integer that gives the number of additional encapsulations allowed. This value should default to 0.
- Flags (bits 8-12): reserved for future use; must be set to 0.
- Ver (bits 13-15), version number: must be set to 0.
- Protocol Type (2 bytes): the protocol type of the payload packet. In the invention the Protocol Type is set to 6558, as specified by RFC1701.
- Checksum (2 bytes): the IP checksum of the GRE tunnel header and the payload packet.
- Sequence Number (4 bytes): an unsigned 32-bit integer inserted by the encapsulator. The receiver can use it to determine the order of the packets that the encapsulator sent to it.
- Offset (2 bytes): the offset, in bytes, from the start of the routing field to the first byte of the active source route entry to be examined.
- Key (4 bytes): a four-byte number inserted by the encapsulator, which the receiver can use to verify the identity of the sender of the packet.
- Routing (variable length): a list of source route entries.
According to RFC1701, the checksum, offset, key, routing and sequence number fields are all optional. However, when the invention encapsulates packets with the GRE protocol, the GRE tunnel header must contain the checksum field and the key field, and the checksum-present and key-present fields must be set to 1. The offset, routing and sequence number fields can be used as actually needed.
To ensure that data is transmitted correctly, the invention sets the checksum field in the GRE header and computes the checksum over the GRE tunnel header and the Ethernet packet data. To ensure the security of data carried in the virtual private LAN, the invention also sets the key field in the GRE tunnel header. The key field protects the virtual private LAN segment in two ways:
1. The key field can carry verification information. The layer-3 tunnel interface module in the virtual switch of the invention processes only IP packets whose GRE tunnel header carries the correct verification information; all other packets are discarded. This prevents outside attacks on the virtual private LAN segment.
2. The Ethernet switching module in each virtual switch can be configured with multiple virtual switches, and these virtual switches share one layer-3 tunnel interface module. To keep the data of the individual virtual private LAN segments isolated, a mechanism is needed that binds each GRE tunnel to its corresponding virtual switch. The approach taken by the invention is that the management system of the network device assigns a different key value to each GRE tunnel, and the key field of each GRE tunnel carries the key value that uniquely identifies that tunnel. The key value uniquely determines the virtual switch number bound to the tunnel and the port number of that virtual switch. When the layer-3 tunnel interface module reads the key value in the GRE tunnel header, it looks it up in the key-virtual switch port binding table and delivers the Ethernet packet to the correct virtual switch for switching. Different customers are thereby kept apart and the data carried in the virtual private LAN segment is kept secure.
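The header rules and the two uses of the key field described above can be exercised with the following sketch of the receive-side checks. It is an added example, not code from the patent: the table contents, key values and IP addresses are constructed, the page's protocol type 6558 is taken as hexadecimal, the sender is assumed to place the receiver's local key in the key field, and the comparison of the source IP with the encapsulation table's peer address is an assumed extra check.

```python
import struct

# Added illustration; table contents, keys and addresses are constructed.
GRE_C, GRE_K = 0x8000, 0x2000     # checksum-present (bit 0), key-present (bit 2)
PROTO_ETHERNET = 0x6558           # the page's "6558", taken as hexadecimal

# Tables of the receiving layer-3 tunnel interface module (sample values).
# key-virtual switch port binding table: local key -> (VS number, VS port)
BINDING_TABLE = {0x0000B001: (1, 3), 0x0000B002: (2, 1)}
# layer-3 tunnel encapsulation table: local key -> (peer IP, peer key)
ENCAP_TABLE = {0x0000B001: ("192.0.2.1", 0x0000A001),
               0x0000B002: ("192.0.2.9", 0x0000A002)}

# Constructed Ethernet frame: destination MAC, source MAC, type, payload.
FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
         + b"\x08\x00" + b"constructed payload")


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(key: int, frame: bytes) -> bytes:
    """Prefix the frame with a GRE header that has C=1 and K=1."""
    header = struct.pack("!HHHHI", GRE_C | GRE_K, PROTO_ETHERNET, 0, 0, key)
    checksum = inet_checksum(header + frame)   # computed with the field at 0
    return header[:4] + struct.pack("!H", checksum) + header[6:] + frame


def receive(packet: bytes, src_ip: str):
    """Return ("deliver", vs_no, vs_port, frame) or ("drop", reason)."""
    if len(packet) < 12:
        return ("drop", "truncated GRE header")
    flags, proto, _csum, _offset, key = struct.unpack("!HHHHI", packet[:12])
    # This example accepts exactly C=1, K=1, version 0; headers with the
    # optional routing or sequence number fields are rejected, not parsed.
    if flags != (GRE_C | GRE_K):
        return ("drop", "flags are not C and K only")
    if proto != PROTO_ETHERNET:
        return ("drop", "unexpected protocol type")
    # Summing a valid packet, checksum field included, yields zero.
    if inet_checksum(packet) != 0:
        return ("drop", "bad checksum")
    if key not in BINDING_TABLE:
        return ("drop", "unknown key")
    if ENCAP_TABLE[key][0] != src_ip:          # assumed extra check
        return ("drop", "source is not the tunnel peer")
    vs_no, vs_port = BINDING_TABLE[key]
    return ("deliver", vs_no, vs_port, packet[12:])


def demo():
    good = gre_encapsulate(0x0000B001, FRAME)
    corrupt = good[:-1] + bytes([good[-1] ^ 0xFF])
    no_key = struct.pack("!HHHH", GRE_C, PROTO_ETHERNET, 0, 0) + FRAME
    return {
        "good": receive(good, "192.0.2.1"),
        "wrong_peer": receive(good, "198.51.100.7"),
        "unknown_key": receive(gre_encapsulate(0x0000DEAD, FRAME), "192.0.2.1"),
        "corrupt": receive(corrupt, "192.0.2.1"),
        "no_key_bit": receive(no_key, "192.0.2.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result[:3])
```

The key travels in clear text and the checksum is not keyed, so these checks give tenant separation and error detection rather than cryptographic authentication; the page lists IPsec among the usable tunnel protocols.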
The processing of data packets by the layer-3 tunnel interface module is briefly described below. Suppose an enterprise has a branch A and a branch B at sites A and B respectively, and uses a virtual switch system to build a virtual private LAN segment. Sites A and B are connected by an IP WAN. The Internet service provider configures two virtual switches for the enterprise (denoted A-VS and B-VS), one on the network device at each site, and connects the two branches to their corresponding virtual switches using either ATM access or Ethernet access. The Internet service provider then configures a GRE tunnel across the IP WAN between the two virtual switches A-VS and B-VS, and records the binding between the Key value and the corresponding virtual switch port.
The processing flow when branch A sends an Ethernet packet to branch B is:
(1) The network device at site A extracts the Ethernet packet according to the ingress port information of the received data and hands it to the local virtual switch A-VS.
(2) After receiving the Ethernet packet, the local virtual switch A-VS switches it, according to the destination Ethernet address, to the output port that corresponds to the GRE tunnel.
(3) The layer-3 tunnel interface module uses the output port number to look up the "Key - virtual switch port binding table" and obtain the Key value, then uses the Key value to look up the "GRE tunnel encapsulation table" and obtain the GRE encapsulation information, such as the IP address of the tunnel's remote end and the Key value. It then adds a GRE tunnel header and an IP header to the Ethernet packet as specified by the GRE tunnel protocol.
(4) The layer-3 tunnel interface module hands the IP packet carrying the Ethernet packet to the IP forwarding module for forwarding.
(5) The layer-3 tunnel forwarding module of the network device at site B receives the IP packet sent by A-VS through the GRE tunnel and determines from the protocol number in the IP header that the packet is encapsulated with the GRE tunnel protocol.
(6) The layer-3 tunnel interface module goes on to parse the GRE tunnel header: it uses the Checksum field in the GRE tunnel header to check that the packet data is correct, and uses the Key value in the GRE tunnel header to verify the identity of the sending device. If the packet is corrupted or the sender fails verification, the packet is discarded.
(7) The layer-3 tunnel interface module uses the Key value in the GRE tunnel header to look up the "Key - virtual switch port binding table" and determines that the Ethernet packet is to be delivered to the local virtual switch B-VS. It then removes the GRE encapsulation and hands the extracted Ethernet packet to the local virtual switch B-VS.
(8) The local virtual switch B-VS looks up its address switching table and sends the Ethernet packet to the port connected to the enterprise's branch B.
Branch B of the enterprise thus receives the Ethernet packet sent by branch A. The flow for branch B sending an Ethernet packet to branch A is the same and is not repeated here.
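The Key and Checksum handling of steps (3), (6) and (7), as an added example that is not part of the patent text. It assumes the standard GRE header layout (flags, protocol type, checksum, reserved, key) with protocol type 0x6558 for the bridged Ethernet frame and omits the outer IP header; the key value, binding table and sample frame are constructed for illustration.

```python
import struct

GRE_C, GRE_K = 0x8000, 0x2000  # Checksum-present and Key-present flag bits
PROTO_TEB = 0x6558             # GRE protocol type for a bridged Ethernet frame

# Constructed sample data: Key -> (virtual switch, port) binding table at site B,
# and one Ethernet frame from branch A (dst MAC, src MAC, EtherType, payload).
BINDINGS = {0x0000A001: ("B-VS", 1)}
SAMPLE_FRAME = bytes.fromhex("02000000000b02000000000a0800") + b"hello from branch A"

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encap(frame: bytes, key: int) -> bytes:
    """Step (3): prepend a GRE header with Checksum and Key fields."""
    hdr = struct.pack("!HHHHI", GRE_C | GRE_K, PROTO_TEB, 0, 0, key)
    csum = inet_checksum(hdr + frame)  # covers GRE header and Ethernet frame
    return hdr[:4] + struct.pack("!H", csum) + hdr[6:] + frame

def gre_decap(pkt: bytes, bindings: dict):
    """Steps (6)-(7): return (vs, port, frame), or None to drop the packet."""
    if len(pkt) < 12:
        return None
    flags, proto, _csum, _rsvd, key = struct.unpack("!HHHHI", pkt[:12])
    if flags != (GRE_C | GRE_K) or proto != PROTO_TEB:
        return None                    # unexpected header layout
    if inet_checksum(pkt) != 0:        # a valid packet sums to zero
        return None                    # corrupted in transit
    target = bindings.get(key)
    if target is None:
        return None                    # Key not bound to any virtual switch
    return (*target, pkt[12:])

if __name__ == "__main__":
    print(gre_decap(gre_encap(SAMPLE_FRAME, 0x0000A001), BINDINGS))
```

The Key travels in cleartext and the checksum is not keyed, so this check separates tenants and filters stray or corrupted packets; it is not cryptographic authentication of the sender.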
Refer to the schematic diagram of an application embodiment of the system of the invention shown in Fig. 4: each branch site of an enterprise network user connects to the virtual switch of an ISP edge service node either by Asymmetric Digital Subscriber Loop (ADSL) access through a digital subscriber line access server (DSLAM, Digital Subscriber Line Multiplexer) or by Ethernet access through a LAN gateway (LAN Switch). The virtual switches of these different edge service nodes can be interconnected across an ATM backbone using the ATM interface module, across Ethernet using the Ethernet interface module, or across an IP WAN using a GRE tunnel established by the layer-3 tunnel interface module of the invention.
Claims (13)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 02123964 CN1266887C (en) | 2002-07-10 | 2002-07-10 | Virtual switch for supplying virtual LAN service and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1468007A (en) | 2004-01-14 |
| CN1266887C (en) | 2006-07-26 |
Family
ID=34142571
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 02123964 Expired - Fee Related CN1266887C (en) | 2002-07-10 | 2002-07-10 | Virtual switch for supplying virtual LAN service and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1266887C (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C06 | Publication | |
| | PB01 | Publication | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20060726 Termination date: 20170710 |