CN1297105C - Method for implementing a multi-role host based on a virtual private network - Google Patents

Info

Publication number: CN1297105C
Authority: CN (China)
Application number: CNB031013996A
Other versions: CN1516401A
Language: Chinese (zh)
Inventor: 董伟嗣
Assignee (original and current): Huawei Technologies Co Ltd
Legal status: Expired - Fee Related
Events: application filed by Huawei Technologies Co Ltd; priority to CNB031013996A; publication of CN1516401A; application granted; publication of CN1297105C.


Abstract

The invention discloses a method for implementing a multi-role host based on a virtual private network (VPN). On the provider edge (PE) router to which the VPN site containing the multi-role host is connected, the VPN forwarding tables that the multi-role host may access are set up together with an access control policy. When the PE router receives a data packet from that VPN site, it identifies the sending host by the packet's source address. If the host is a multi-role host, the PE obtains the target VPN from the source address, looks up the corresponding VPN forwarding table and forwards the packet accordingly; otherwise the packet is forwarded according to the VPN attribute of the interface through which the host is attached. With this scheme a multi-role host on a provider-provisioned VPN is easy to implement, and the result is highly flexible and manageable.

Description

A Method for Implementing a Multi-Role Host Based on a Virtual Private Network

Technical field

The invention relates to virtual private networks (VPNs), and in particular to a method for implementing a multi-role host in a VPN.

Background

A VPN (Virtual Private Network) lets an enterprise or a specific user group build its own private network over a public network (for example, a carrier's network resources) to meet its own application needs. Through a VPN an enterprise can set up secure, reliable, low-cost connections between its branch offices, remote users and business partners. A traditional VPN is built on IP: it emulates a private wide-area network over public IP network facilities, so that an enterprise or user group builds its private network over the public IP network. MPLS/BGP VPN uses Multi-Protocol Label Switching (MPLS) and the Border Gateway Protocol (BGP) in the public network to provide an IP VPN service; it is the basis of the RFC 2547 standard (RFC, Request for Comments, the Internet standards series). The VPN described by that standard is a provider-provisioned VPN (PPVPN): the VPN-aware devices sit on the network side and the carrier provides the VPN service, so customer equipment need not be VPN-aware and only has to connect to a PE device provided by the carrier. Refer to Figure 1, in which the service provider's backbone consists of P devices and PE devices. Of the devices shown in Figure 1:

CE (Customer Edge router): part of the customer network, with an interface connected directly to the service provider; usually a router, used to connect one customer site of a VPN to a PE.

PE (Provider Edge router): the edge device of the carrier network and the main implementer of the MPLS/BGP VPN service. It maintains an independent routing table for each VPN customer site and is directly connected to the customer's CE. In an MPLS network, all VPN processing takes place on the PE routers.

P (Provider, backbone core router): a backbone router in the carrier network, generally not connected directly to a CE. P routers have basic MPLS forwarding capability.

Current PPVPN solutions based on RFC 2547 require each interface to be associated with one VPN instance, i.e. the interface is given a VPN attribute. All data traffic arriving on that interface enters the VPN associated with the interface; put differently, users attached through that interface can reach only that VPN, and the traffic that flows in through the interface can only be traffic of that VPN. In many deployments, however, there is no guarantee that all customers behind one interface belong to the same VPN. Some special servers, or important hosts on a government network, need to reach different VPNs than the other hosts in the same location; such hosts usually require wider access rights than a single VPN grants, that is, they need to be multi-role hosts. Clients that are authenticated by an access server through dial-up and then admitted to different VPNs also need multi-role capability. Because they share a location with other hosts, if they attach through the same interface the RFC 2547 PPVPN model constrains the variety and specificity of the VPNs these special hosts can reach. Moreover, when every host in a location reaches a different VPN, there is no need at all to associate that location's access link with a single VPN; VPN access can be granted according to each user's actual needs.

Existing RFC 2547 PPVPN deployments offer no solution for such multi-role hosts. In practice the only option is to connect the special host to the PE over a dedicated interface and solve the problem with an extranet topology. In Figure 2, for example, host PC1 requires multi-role access to VPN1 and VPN2, so PC1 is attached to the carrier's edge router PE1 over a separate interface or link, and PC1's multiple roles are realised by configuring the VPN forwarding tables on PE1. But when the VPNs reachable by such special hosts differ widely, every host with a distinct access profile needs its own dedicated access interface; the number of VPNs and their relationships then grow rapidly, wasting a large amount of interface resources and complicating management.

Summary of the invention

The object of the invention is to provide a VPN-based method for implementing a multi-role host that offers strong flexibility and manageability.

To achieve this object, the VPN-based method for implementing a multi-role host provided by the invention comprises:

on the provider edge (PE) router to which the VPN site containing the multi-role host is connected, setting up the VPN forwarding tables that the multi-role host may access, and associating the interface of that VPN site with the VPN it belongs to;

when the PE router receives a data packet from that VPN site, identifying the sending host by the packet's source address; if it is a multi-role host, obtaining the target VPN from the source address, looking up the corresponding VPN forwarding table and forwarding the packet accordingly; otherwise, forwarding the packet according to the forwarding table of the VPN the host belongs to.

A static route is configured in the forwarding table of each VPN the multi-role host needs to access; its next hop is the VPN interface of the site where the multi-role host resides.

No static route is configured in the VPN associated with the interface of the site where the multi-role host resides.

The static route is advertised into every VPN other than the one associated with the interface of the site where the multi-role host resides.

When a VPN site contains two or more multi-role hosts, the addresses of those hosts are allocated contiguously.

With a single multi-role host the static route is a host route; with several multi-role hosts it is a network-segment (prefix) route.

A filtering policy for the multi-role hosts is configured on the PE and associated with the interface of the VPN site containing them, so that when the PE receives a data packet from that site it can identify the sending host by the packet's source address.

The VPN site containing the multi-role hosts is connected to the PE through a public-network interface.

The invention also provides a second VPN-based method for implementing a multi-role host, comprising:

on the PE router to which the VPN site containing the multi-role host is connected, creating the VPN forwarding tables the multi-role host may access, and associating the interface of that VPN site with the VPN it belongs to;

when the PE router receives a data packet from that VPN site, identifying from the packet's source and destination addresses the VPN the sending host may access, and forwarding the packet according to that VPN's forwarding table.

A VPN access control table is established on the PE router, with a source-address field and a VPN field, describing the access relationship between the user identified by a packet's source address and the VPNs.

Because the invention sets up, on the PE to which the multi-role host's site is connected, the VPN forwarding tables the multi-role host may access, a multi-role host on a provider-provisioned VPN is easy to implement; in addition, configuring a filtering policy for multi-role hosts, or a multi-role host table, on the PE makes the resulting multi-role host flexible and manageable.

Brief description of the drawings

Figure 1 is a model diagram of an MPLS/BGP VPN;

Figure 2 is a schematic diagram of the existing way of implementing a multi-role host;

Figure 3 is a structural diagram of a multi-role host accessing different VPNs;

Figure 4 is a flowchart of an embodiment of the method of the invention;

Figure 5 is an example diagram of data-flow control for a multi-role host.

Detailed description

The invention is described in further detail below with reference to the drawings.

In existing RFC 2547 PPVPN deployments, different VPNs can be distinguished only by interface. In the network of Figure 3, for example, site 1 (site1) of VPN1 attaches to PE1 in the backbone through one interface, and that interface is bound to VPN1. Under RFC 2547, all data traffic entering through that interface must be forwarded by the VPN1 forwarding table on PE1; in other words, once attached to VPN1 a host can neither reach nor be reached by devices outside VPN1, which restricts every host in VPN1 site1 to VPN1 alone. In a real network, however, it often cannot be guaranteed that every host in VPN1 site1 has the same VPN attribute. There may be a server PC1 shared by everyone, which users in several other VPNs also need to reach; or the PC may be a privileged host that needs to reach resources belonging to several VPNs. These requirements show that, in practice, the limitation that VPN traffic can be distinguished only by interface must be removed, so that multi-role hosts in a site attached to the PE through one interface can reach different VPNs, or several VPNs at once, and so that users in those VPNs can reach the multi-role host in that site.

The invention meets this requirement as follows. On the PE device of the backbone, each host is distinguished by the source address of its datagrams. If the host is recognised as a user with special access needs, it is connected, according to those needs, to the VPNs it is allowed to access, so that the special user can reach the VPNs it requires; ordinary VPN users continue to be served by the VPN to which their access interface belongs. Specifically, the PE distinguishes hosts with this special attribute by the datagram source address. For such a host, the VPNs it may access are configured as needed; a host without these privileges is likewise identified by its source address, placed in the VPN its interface belongs to, and forwarded along the normal path. Take PC1 in Figure 3, which attaches through the VPN1 interface. The PE reads the source address of a datagram from this host to establish its identity, obtains the target VPN information from that source address, and looks up the forwarding table of the appropriate VPN according to the datagram's destination VPN, so that datagrams leaving PC1 can reach the sites of other VPNs. Datagrams coming from the sites of those other VPNs must also be able to reach this special host PC1, so on PE1 a static route is configured inside every other VPN that is allowed to reach PC1, with the next hop set to the name or address of the VPN1 private-network interface. This static route may be a host route or a network-segment route: when the VPN1 site contains many hosts with such a special role, they are given addresses in the same subnet. These static routes are then advertised into the respective VPNs. In the VPN the multi-role host itself belongs to, i.e. the VPN associated with the access interface, a static route may or may not be configured, because a dynamic routing protocol can exchange routes there.

The invention is now explained using Figure 3, a simple MPLS VPN network with three VPNs: VPN1, VPN2 and VPN3. Site1 belongs geographically to VPN1 and attaches to PE1 through interface serial 0 to reach the other sites of VPN1. For networking reasons, site1 contains a host PC1 that is a server; besides users in VPN1, users in VPN2 and VPN3 also need to reach it, so the server cannot be attached to VPN1 only, yet it is undesirable to give it a separate interface into PE1. Configuring and operating the relevant PE devices with the method of the invention solves this problem.

Assume PC1 in the figure has address 10.110.1.1 and reaches the backbone router PE1 through VPN1 site1; VPN1 site2 is 100.1.0.0/16, VPN2 site1 is 100.2.0.0/16 and VPN3 site1 is 100.3.0.0/16, all attached to PE2; VPN1 site3 is 100.4.0.0/16, VPN2 site2 is 100.5.0.0/16 and VPN3 site3 is 100.6.0.0/16, all attached to PE3. Because the multi-role host PC1 attaches at PE1, PE1 must hold forwarding-table information for every VPN that PC1 needs to reach, so the forwarding tables of VPN1, VPN2 and VPN3 must be configured on PE1, and static routes must be configured under those forwarding tables so that data packets from the sites of the other VPNs, VPN2 and VPN3, can flow to the multi-role host in the VPN1 site. The specific steps are shown in Figure 4. Step 1: on the provider edge router PE1, to which VPN1 site1 containing host PC1 is connected, set up the VPN forwarding tables that PC1 may access, i.e. the forwarding tables of the three VPNs VPN1, VPN2 and VPN3. VPN1, for example, is created with the following commands; VPN2 and VPN3 are created in the same way.

ip vrf VPN1 ; create a VPN forwarding instance named VPN1
rd 100:1 ; set the route distinguisher (RD) of VPN1 to 100:1
route-target both 100:1 ; set the VPN policy of VPN1 so that both the import and the export route target are 100:1

The configuration above lets data packets flow into the correct VPN. The returning packets must also be able to flow in through private-network interface serial 0. Because VPN1 site1 contains only one multi-role host, PC1, in this example, a static route is configured inside VPN2 and VPN3 whose next hop is the VPN1 private-network interface name; it is a host route, so the following commands can be used:

ip route vrf VPN2 10.110.1.1 255.255.255.255 serial 0
ip route vrf VPN3 10.110.1.1 255.255.255.255 serial 0

These configure, in VPN2 and VPN3 respectively, a static route to destination 10.110.1.1 whose outgoing interface is serial 0.

The static routes thus steer the traffic coming from VPN2 and VPN3 to interface serial 0. These static routes are then advertised into VPN2 and VPN3.

The VPN1, VPN2 and VPN3 forwarding tables configured in this way are:

VPN1:
  100.1.0.0/16  nexthop: pe2
  100.4.0.0/16  nexthop: pe3

VPN2:
  100.2.0.0/16  nexthop: pe2
  100.5.0.0/16  nexthop: pe3
  10.110.1.1    nexthop: serial 0

VPN3:
  100.3.0.0/16  nexthop: pe2
  100.6.0.0/16  nexthop: pe3
  10.110.1.1    nexthop: serial 0

Step 2: associate interface serial 0, through which VPN1 site1 attaches to PE1, with VPN1, i.e. bind serial 0 to VPN1, for example with the following commands:

interface serial 0 ; enter interface serial 0
ip vrf forwarding VPN1 ; bind serial 0 to VPN1
ip address 10.110.0.2 255.255.0.0 ; set the IP address of this interface to 10.110.0.2

Step 3: configure the filtering policy for host PC1, for example with the following command:

access-list 101 permit 10.110.1.1 any ; a policy, numbered 101, that permits packets whose source address is 10.110.1.1

Step 4: associate the filtering policy configured for host PC1 with private-network interface serial 0, so that when PE1 receives a data packet from the VPN1 site containing the multi-role host it can identify host PC1 by the packet's source address. For example:

interface serial 0 ; enter interface serial 0
special-host access-list 101 access-vpn VPN1 VPN2 VPN3 ; datagrams matching access policy 101 may access VPN1, VPN2 and VPN3

Taken together, this configuration lets the multi-role host PC1 in VPN1 be reached from VPN1, VPN2 and VPN3. If site1 contains many hosts with the same access attributes, sensible address planning can give them contiguous addresses so that they sit in one subnet, which greatly simplifies the configuration on PE1: the filtering policy can then be written for a whole network segment, with a matching network-segment route. For example:

access-list 101 permit 10.110.0.0 255.255.0.0 any ; a policy permitting packets whose source address lies in the 10.110.0.0 network segment

Then configure the reverse static routes pointing at this special network segment, for example:

ip route vrf VPN2 10.110.0.0 255.255.0.0 serial 0
ip route vrf VPN3 10.110.0.0 255.255.0.0 serial 0
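The address planning just described, as an added example in Python that is not part of the patent: given the addresses of the multi-role hosts in a site, it computes the smallest prefix that covers them, lists every address inside that prefix that is not a multi-role host (a prefix-based filtering policy and network-segment route grant all of those the same multi-VPN access, which is the check to make before choosing the block), and emits the PE-side lines in the command syntax used on this page. The function names are this example's own; special-host and access-vpn are reproduced from the page as the patent's own command syntax, not a vendor CLI verified here; the sample host list is constructed.

```python
import ipaddress


def covering_prefix(hosts):
    """Smallest IPv4 prefix that contains every address in hosts."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def over_granted(hosts):
    """Addresses inside the covering prefix that are not multi-role hosts.

    A prefix-based filtering policy plus a network-segment static route give
    every one of these addresses the same multi-VPN reach as the real
    multi-role hosts, so the planner should make this list empty (allocate a
    contiguous, power-of-two-sized block) or know exactly what is in it.
    """
    net = covering_prefix(hosts)
    members = {ipaddress.ip_address(h) for h in hosts}
    return [str(a) for a in net if a not in members]


def pe_config(hosts, site_vpn, target_vpns, interface, acl=101, internet=False):
    """PE-side lines in the command syntax shown on this page (assumed syntax).

    One host gives a host route and a single-address policy, several hosts a
    network-segment policy and route, as the page prescribes. The static route
    goes into every target VPN except the site's own VPN, which learns the
    site through its normal routing exchange.
    """
    net = covering_prefix(hosts)
    addr, mask = str(net.network_address), str(net.netmask)
    acl_target = addr if net.prefixlen == 32 else f"{addr} {mask}"
    lines = [f"access-list {acl} permit {acl_target} any"]
    for vpn in target_vpns:
        if vpn != site_vpn:
            lines.append(f"ip route vrf {vpn} {addr} {mask} {interface}")
    access = " ".join(target_vpns) + (" Internet" if internet else "")
    lines.append(f"interface {interface}")
    lines.append(f"special-host access-list {acl} access-vpn {access}")
    return lines


if __name__ == "__main__":
    # Constructed sample: four multi-role hosts in VPN1 site1.
    hosts = ["10.110.1.1", "10.110.1.2", "10.110.1.3", "10.110.1.4"]
    print(covering_prefix(hosts), "covered but not multi-role:", over_granted(hosts))
    print("\n".join(pe_config(hosts, "VPN1", ["VPN1", "VPN2", "VPN3"], "serial 0")))
```

For the four sample hosts the covering prefix is 10.110.1.0/29, and 10.110.1.0, .5, .6 and .7 would inherit PC1's access unless the block is trimmed or those addresses are kept unassigned.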

If the VPNs a user may access need to change, it is enough to change the access policy on the PE. Data packets that do not match the policy go straight into the VPN the interface belongs to. If a user needs to reach the public network, the public-network forwarding table can be consulted when no forwarding entry is found in any accessible VPN; this presupposes that the VPNs use private address space. It can be configured as follows:

special-host access-list 101 access-vpn VPN1 VPN2 VPN3 Internet ; a datagram matching access policy 101 that finds no forwarding entry in VPN1, VPN2 or VPN3 is forwarded by the public-network forwarding table

Moreover, when the hosts in site1 need to reach widely differing VPNs, the interface into the PE need not be associated with a private network at all; a public-network interface can be used instead. No routing protocol should run on that interface, so that private-network routes do not leak into the public network when users employ private address space. If public address space is used, users can reach their different VPNs and the public network at the same time, giving Internet access. In that case, data packets that do not match the policy can be forwarded directly according to the public-network forwarding table.

Finally, in step 5, PE1 forwards the received packets, giving the multi-role host access to multiple VPNs and letting users in multiple VPNs share the multi-role host PC1.

Step 5 is implemented as shown in Figure 5. When PE1 receives a data packet from VPN1 site1, it matches the datagram's source address against the pre-configured policy rules. A successful match means the sending host is a multi-role host, so the datagram is allowed to access the VPNs named in the policy: PE1 looks up the forwarding tables of the VPNs the host may access, finds a forwarding entry and forwards the packet along the normal forwarding path. Thus a datagram from PC1 matches and is forwarded through the appropriate VPN forwarding table, whereas a datagram from an ordinary user does not match and can only be forwarded by the VPN1 forwarding table. Alternatively, the destination and source addresses of the datagram can be used together to locate, in one step, the VPN forwarding table the packet should consult, after which the packet is forwarded.

The return flow, i.e. a data packet from VPN2, follows the static route advertised by PE1 from PE2 to PE1, and is then forwarded by the packet's inner label to VPN1 site1, where it reaches the multi-role host PC1.

In short, by flexibly adjusting the policy on PE1, the range of VPNs that each host in the attached site can reach is controlled.

Two further points. First, a multi-role host table can also be set up on PE1 and associated with the interface of VPN1 site1, which contains the multi-role host PC1. The table may contain only packet source addresses; when PE1 receives a data packet from the VPN site where the multi-role host is located, matching the packet's source address against the source addresses in the table identifies the sending host.

Second, a VPN access control table can be established on the PE device. The table contains a source-address field and a VPN field and describes which VPN the user identified by a packet's source address may access. When PE1 receives data packets from the VPN2 and VPN3 sites, it identifies from the source address the VPN that the sending host is allowed to access, and forwards the user packet according to that VPN's forwarding table. If the VPN access control table also includes a destination-address field, forwarding is further simplified. This variant is especially suited to cases where the VPNs accessed from an attached VPN site are scattered and hard to determine in advance, and it also meets the needs of public-network users for access.
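The two forwarding variants described above, the source-address policy of the main embodiment and the source-plus-destination access control table, modelled as a small Python simulation of the PE decision. This is an added example, not code from the patent or from Huawei; the interface name ge0/1, the VPN names, the remote-PE labels PE2/PE3/PE4 and all addresses are constructed. It also carries the return-path static route of claims 2, 3, 5 and 6: one network-segment route for a contiguous block of multi-role hosts, installed only in the VPNs those hosts may reach and pointing at the site interface.

```python
"""
Toy model of the PE forwarding decision for multi-role hosts (added example).
Not code from the patent; interface names, VPN names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One VPN forwarding table: destination prefix -> next hop (local interface or remote PE)."""
    name: str
    routes: dict = field(default_factory=dict)

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match; None means no route in this VPN, so the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


class PeRouter:
    def __init__(self):
        self.vrfs = {}
        self.iface_vpn = {}          # access interface -> VPN it is associated with
        self.multirole_policy = []   # (interface, source prefix, target VPN): variant 1
        self.access_table = []       # (source prefix, destination prefix, VPN): variant 2

    def add_vrf(self, name):
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def vpn_by_source(self, iface, src):
        """Variant 1 (claims 1 and 7): a source-address policy bound to the ingress interface
        marks multi-role hosts; any other source stays in the interface's own VPN."""
        addr = ipaddress.ip_address(src)
        for pol_iface, prefix, vpn in self.multirole_policy:
            if pol_iface == iface and addr in prefix:
                return vpn
        return self.iface_vpn[iface]

    def vpn_by_access_table(self, src, dst):
        """Variant 2 (claims 9 and 10): source and destination together select the VPN.
        Rows are checked in order, so the most specific come first; no match means drop."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_pfx, dst_pfx, vpn in self.access_table:
            if s in src_pfx and d in dst_pfx:
                return vpn
        return None

    def forward_from_site(self, iface, src, dst, mode="source"):
        """Ingress from a customer site: choose the VPN, then look dst up in that VPN's table."""
        vpn = self.vpn_by_source(iface, src) if mode == "source" else self.vpn_by_access_table(src, dst)
        if vpn is None:
            return (None, None)
        return (vpn, self.vrfs[vpn].lookup(dst))

    def forward_from_core(self, vpn, dst):
        """Ingress from the backbone: the inner label already names the VPN table to use."""
        return self.vrfs[vpn].lookup(dst)


def build_pe1():
    """Constructed topology: VPN1 Site1 on ge0/1 holds multi-role hosts 10.1.1.8-10.1.1.15."""
    pe = PeRouter()
    vpn1, vpn2, vpn3 = (pe.add_vrf(n) for n in ("VPN1", "VPN2", "VPN3"))
    pe.iface_vpn["ge0/1"] = "VPN1"
    vpn1.add_route("10.1.1.0/24", "ge0/1")        # Site1 LAN, all hosts
    vpn1.add_route("10.9.0.0/16", "PE3")          # another VPN1 site
    vpn2.add_route("10.2.0.0/16", "PE2")          # VPN2 site behind PE2
    vpn3.add_route("10.3.0.0/16", "PE4")          # VPN3 site behind PE4
    # Multi-role hosts share one contiguous block (claim 5), so a single network-segment
    # static route (claim 6) suffices; it lives in VPN2 and VPN3 only, never in VPN1
    # (claim 3), and its next hop is the Site1 interface (claim 2).
    mr_block = "10.1.1.8/29"
    vpn2.add_route(mr_block, "ge0/1")
    vpn3.add_route(mr_block, "ge0/1")
    pe.multirole_policy.append(("ge0/1", ipaddress.ip_network(mr_block), "VPN2"))
    pe.access_table = [
        (ipaddress.ip_network(mr_block), ipaddress.ip_network("10.2.0.0/16"), "VPN2"),
        (ipaddress.ip_network(mr_block), ipaddress.ip_network("10.3.0.0/16"), "VPN3"),
        (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("0.0.0.0/0"), "VPN1"),
    ]
    return pe


if __name__ == "__main__":
    pe = build_pe1()
    print(pe.forward_from_site("ge0/1", "10.1.1.10", "10.2.0.5"))           # ('VPN2', 'PE2')
    print(pe.forward_from_site("ge0/1", "10.1.1.20", "10.2.0.5"))           # ('VPN1', None): dropped
    print(pe.forward_from_core("VPN2", "10.1.1.10"))                        # 'ge0/1'
    print(pe.forward_from_site("ge0/1", "10.1.1.10", "10.3.0.7", "table"))  # ('VPN3', 'PE4')
```

Both variants use the packet source address as the host identifier, so the decision is only as trustworthy as the attached site's source-address assurance; the model therefore fails closed in the unmatched case (variant 1 falls back to the interface's own VPN, where no route to the other VPNs exists; variant 2 returns no VPN at all), so an ordinary host never obtains a path into VPN2 or VPN3, and the return route reaches only the multi-role block.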

Claims (10)

1. A method for implementing a multi-role host based on a virtual private network (VPN), comprising: on the provider edge (PE) router of the backbone network to which the VPN site containing the multi-role host is connected, configuring the VPN packet forwarding tables that the multi-role host may access, and associating the interface of that VPN site with the VPN it belongs to; when the backbone edge router receives a data packet from said VPN site, identifying the sending host from the packet's source address; if it is a multi-role host, obtaining the destination VPN information from the packet's source address, looking up the corresponding VPN packet forwarding table according to that information and forwarding the packet; otherwise, forwarding the packet according to the forwarding table of the VPN to which the host belongs.

2. The method according to claim 1, characterized in that a static route is configured in the forwarding table of each VPN the multi-role host needs to access, the next hop of the route being the VPN interface name of the VPN site where the multi-role host is located.

3. The method according to claim 2, characterized in that no static route is configured in the VPN associated with the interface of the VPN site where the multi-role host is located.

4. The method according to claim 2, characterized in that said static route is advertised into the VPNs other than the VPN associated with the interface of the VPN site where the multi-role host is located.

5. The method according to claim 4, characterized in that when two or more multi-role hosts belong to the same VPN site, the addresses of the multi-role hosts are set to be contiguous.

6. The method according to claim 5, characterized in that when there is a single multi-role host, said static route is a host route; when there are multiple multi-role hosts, said static route is a network-segment route.

7. The method according to claim 1, 2, 4, 5 or 6, characterized in that a filtering policy for multi-role hosts is configured on the PE and associated with the interface of the VPN site containing the multi-role host, so that when the PE receives a data packet from the VPN site where the multi-role host is located, the sending host is identified from the packet's source address.

8. The method according to claim 7, characterized in that the VPN site containing the multi-role host is connected to the PE through a public-network interface.

9. A method for implementing a multi-role host based on a virtual private network, comprising: on the backbone PE router to which the VPN site containing the multi-role host is connected, creating the VPN packet forwarding tables that the multi-role host may access, and associating the interface of that VPN site with the VPN it belongs to; when the backbone edge router receives a data packet from said VPN site, identifying from the packet's source address and destination address the VPN that the sending host may access, and forwarding the user packet according to that VPN's packet forwarding table.

10. The method according to claim 9, characterized in that a VPN access control table is established on the backbone edge router, the table including a source-address field and a VPN field and describing the access relationship between the user identified by the packet's source address and the VPN.
CNB031013996A 2003-01-06 2003-01-06 Method for implementing multirole main machine based on virtual local network Expired - Fee Related CN1297105C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031013996A CN1297105C (en) 2003-01-06 2003-01-06 Method for implementing multirole main machine based on virtual local network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB031013996A CN1297105C (en) 2003-01-06 2003-01-06 Method for implementing multirole main machine based on virtual local network

Publications (2)

Publication Number Publication Date
CN1516401A CN1516401A (en) 2004-07-28
CN1297105C true CN1297105C (en) 2007-01-24

Family

ID=34239110

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031013996A Expired - Fee Related CN1297105C (en) 2003-01-06 2003-01-06 Method for implementing multirole main machine based on virtual local network

Country Status (1)

Country Link
CN (1) CN1297105C (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100518138C (en) * 2005-04-12 2009-07-22 华为技术有限公司 Method for realizing virtual special network
CN100426791C (en) * 2005-06-21 2008-10-15 中兴通讯股份有限公司 Engine apparatus for route forwarding table address searching
CN100364278C (en) * 2005-10-24 2008-01-23 南京邮电大学 Method for controlling five layer resource access based on extending role
CN100463452C (en) * 2006-03-21 2009-02-18 杭州华三通信技术有限公司 A VPN data forwarding method and VPN equipment for data forwarding
CN101179406B (en) * 2006-11-30 2011-01-12 腾讯科技(深圳)有限公司 Electronic pet tourism method, tourism server and system
CN101483594A (en) * 2009-02-11 2009-07-15 成都市华为赛门铁克科技有限公司 Packet sending method and customer terminal based on virtual private network tunnel
CN101626338B (en) * 2009-08-03 2011-11-23 杭州华三通信技术有限公司 Method and device for realizing multiple virtual private network (VPN) examples
CN101729409B (en) * 2009-12-01 2012-05-23 杭州华三通信技术有限公司 Method and device for implementing multirole host computer
US9116728B2 (en) * 2010-12-21 2015-08-25 Microsoft Technology Licensing, Llc Providing a persona-based application experience
JP5673133B2 (en) * 2011-01-24 2015-02-18 日本電気株式会社 MAC search system and MAC search method for MPLS-TP device
CN107171857B (en) * 2017-06-21 2021-04-27 杭州迪普科技股份有限公司 Network virtualization method and device based on user group
CN107547509B (en) * 2017-06-27 2020-10-13 新华三技术有限公司 Message forwarding method and device
CN111107142B (en) * 2019-12-16 2022-07-01 新华三大数据技术有限公司 Service access method and device
US11469998B2 (en) * 2020-05-27 2022-10-11 Juniper Networks, Inc. Data center tenant network isolation using logical router interconnects for virtual network route leaking
CN116760652B (en) * 2023-08-23 2023-11-17 保大坊科技有限公司 Method, apparatus and storage medium for simultaneously accessing multiple systems

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1276666A (en) * 1999-06-03 2000-12-13 财团法人资讯工业策进会 On-demand system and method for access repeater applied to virtual private network
US6463061B1 (en) * 1997-12-23 2002-10-08 Cisco Technology, Inc. Shared communications network employing virtual-private-network identifiers


Also Published As

Publication number Publication date
CN1516401A (en) 2004-07-28

Similar Documents

Publication Publication Date Title
CN1214583C (en) Three layer virtual private network and its construction method
RU2357281C2 (en) Virtual broadcasting network for inter-domain connection
CN1297105C (en) Method for implementing multirole main machine based on virtual local network
CN102025589B (en) Method and system for realizing virtual private network
CN102546351B (en) System and method for interconnecting openflow network and conventional Internet protocol (IP) network
CN101022394A (en) Method for realizing virtual local network aggregating method and converging exchanger
CN102355417A (en) Data center two-layer interconnection method and device
CN1722698A (en) Multi-protocol label switching virtual private network and its control and forwarding method
CN1708031A (en) Method for realizing virtual special network
CN102420774B (en) Method for realizing intranet penetration by using Internet group management protocol (IGMP) and intranet penetration system
CN1199405C (en) Enterprise external virtual special network system and method using virtual router structure
CN116547953A (en) Implementing inter-segment traffic policies by a network fabric control plane
CN101119290B (en) Ethernet supporting source specific multicast forwarding method and system
CN101908996A (en) Method for accessing private network, data transmission method, device and system
CN1697408A (en) Method for managing routes in virtual private network based on IPv6
CN1716901A (en) Virtual special network system of mixed station mixed skeleton network and its realizing method
CN1677951A (en) Data exchange method based on virtual local area network
CN1697396A (en) Method for realizing local virtual private network based on firewall
CN101043430B (en) A method for network address translation between devices
CN1677950A (en) Data exchange method based on virtual local area network
CN100514929C (en) Method and device for message transfer of virtual private local area network
CN101052022A (en) System and method for virtual special net user to access public net
CN1878115A (en) VPN realizing method
CN1863127A (en) Method for core network access to multi-protocol sign exchange virtual special network
CN1863129A (en) System based on two layer VPN foreign medium communication and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070124

Termination date: 20200106