
CN109412927B - Multi-VPN data transmission method and device and network equipment - Google Patents

Multi-VPN data transmission method and device and network equipment Download PDF

Info

Publication number
CN109412927B
Authority
CN
China
Prior art keywords
tunnel
gre
address
vpn
data message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811472515.6A
Other languages
Chinese (zh)
Other versions
CN109412927A (en)
Inventor
王守唐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201811472515.6A
Publication of CN109412927A
Application granted
Publication of CN109412927B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 45/745 Address table lookup; Address filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a multi-virtual private network (VPN) data transmission method, a device and a network device. The invention distinguishes GRE tunnels based on the source IP address, the destination IP address and the tunnel identifier of each GRE tunnel, and establishes a one-to-one correspondence between VPNs and GRE tunnels. When a data packet from a VPN is transmitted, the GRE encapsulation carries the tunnel identifier of that tunnel. The receiving device identifies the GRE tunnel based on the source IP address, the destination IP address and the tunnel identifier encapsulated in the data packet, and forwards the data packet to the VPN corresponding to that GRE tunnel according to the unique correspondence between GRE tunnels and VPNs. In addition, because each GRE tunnel corresponds uniquely to one VPN, the GRE tunnel interface can be configured with a private network IP in the same network segment as the corresponding VPN, so that dynamic route learning within each VPN is possible.

Description

Multi-VPN data transmission method and device and network equipment
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method, an apparatus, and a network device for transmitting multiple VPN data.
Background
The GRE (Generic Routing Encapsulation) protocol encapsulates data packets of some network layer protocols, so that the encapsulated data packets can be transmitted in another network layer protocol. The network layer protocols of the data packets before and after encapsulation may be the same or different.
The path of the encapsulated data packet transmitted in the network is called a GRE tunnel. The GRE tunnel is a virtual point-to-point connection, and the devices at the two ends of the tunnel respectively encapsulate and decapsulate the data packet.
The number of GRE tunnels that can be established between two devices depends on the number of public network IP addresses available to them. Because public network IP addresses are scarce, a device is often provided with only one public network IP, and then only one GRE tunnel can be established between the two devices.
If the data of multiple VPNs (Virtual Private Networks) are all transmitted through this single GRE tunnel, the name of the VPN has to be carried in the GRE header, and the receiving end reads the VPN name to determine which VPN the current data belongs to.
In this transmission scheme, the GRE tunnel does not belong to any VPN, and therefore, dynamic route learning of multiple VPNs based on the GRE tunnel cannot be supported.
Disclosure of Invention
The invention provides a multi-VPN data transmission method, a device and network equipment for solving the problem that the existing multi-VPN data transmission mode can not support multi-VPN dynamic route learning based on a GRE tunnel, and is used for realizing the transmission of multi-VPN data and simultaneously supporting the multi-VPN dynamic route learning based on the GRE tunnel.
In order to achieve this purpose, the invention provides the following technical scheme:
In a first aspect, the present invention provides a multi-VPN data transmission method, which is applied to a first network device, where the first network device and a second network device are both configured with GRE tunnel interfaces corresponding one to one to multiple VPNs, tunnel identifiers of GRE tunnel interfaces corresponding to the same VPN are the same, and tunnel identifiers of GRE tunnel interfaces corresponding to different VPNs are different, and the method includes:
if a first data message from a target VPN is received, and an outgoing interface for forwarding the first data message is determined to be a first GRE tunnel interface, a GRE header is encapsulated for the first data message, and a second data message is generated, wherein the GRE header comprises a tunnel identifier of the first GRE tunnel interface;
and encapsulating a message header containing the tunnel source IP address and the destination IP address of the first GRE tunnel interface for the second data message, generating a third data message and sending the third data message to the second network equipment, so that the second network equipment determines a second GRE tunnel interface based on the tunnel source IP address, the destination IP address and the tunnel identifier of the third data message after receiving the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to a target VPN corresponding to the second GRE tunnel interface.
Optionally, the method further includes:
if a fourth data message forwarded by the second network equipment is received and the fourth data message is determined to be a GRE message, acquiring a tunnel source IP address and a destination IP address of the fourth data message and a tunnel identifier of a third GRE tunnel interface;
determining a fourth GRE tunnel interface based on the tunnel source IP address and the destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
decapsulating the fourth data packet to obtain a fifth data packet;
and forwarding the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface according to a pre-configured correspondence between the GRE tunnel interface and the VPN.
Optionally, the tunnel identifier is carried in a Key field of the GRE header.
Optionally, the tunnel identifier is carried in an extension field of the GRE header.
In a second aspect, the present invention provides a multi-VPN data transmission apparatus, which is applied to a first network device, where the first network device and a second network device are both configured with GRE tunnel interfaces corresponding to multiple VPNs one to one, tunnel identifiers of GRE tunnel interfaces corresponding to a same VPN are the same, and tunnel identifiers of GRE tunnel interfaces corresponding to different VPNs are different, and the apparatus includes:
an encapsulation unit, configured to encapsulate a GRE header for a first data packet and generate a second data packet if the first data packet from a target VPN is received and an egress interface for forwarding the first data packet is determined to be a first GRE tunnel interface, where the GRE header includes a tunnel identifier of the first GRE tunnel interface; encapsulating a message header containing a tunnel source IP address and a destination IP address of the first GRE tunnel interface for the second data message to generate a third data message;
and the first sending unit is used for sending the third data message to the second network equipment, so that after the second network equipment receives the third data message, a second GRE tunnel interface is determined based on a tunnel source IP address, a destination IP address and a tunnel identifier of the third data message, the third data message is subjected to decapsulation processing to obtain the first data message, and the first data message is forwarded to a target VPN corresponding to the second GRE tunnel interface.
Optionally, the apparatus further comprises:
a receiving unit, configured to obtain a tunnel source IP address and a destination IP address of a fourth data packet and a tunnel identifier of a third GRE tunnel interface if the fourth data packet forwarded by the second network device is received and it is determined that the fourth data packet is a GRE packet;
a determining unit, configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and the destination IP address of the fourth data packet and the tunnel identifier of the third GRE tunnel interface;
a decapsulation unit, configured to decapsulate the fourth data packet to obtain a fifth data packet;
and a second sending unit, configured to forward the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface according to a pre-configured correspondence between the GRE tunnel interface and the VPN.
Optionally, the tunnel identifier is carried in a Key field of the GRE header.
Optionally, the tunnel identifier is carried in an extension field of the GRE header.
In a third aspect, the invention provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions which, when executed by the processor, implement the multi-VPN data transmission method described above.
In a fourth aspect, the present invention provides a machine-readable storage medium having stored therein machine-executable instructions that, when executed by a processor, implement the multi-VPN data transmission method described above.
It can be seen from the above description that the present invention distinguishes GRE tunnels based on the source IP address, destination IP address and tunnel identifier of each GRE tunnel, so that multiple GRE tunnels can still be established when public network IP addresses are limited (e.g., only one public network IP is available per device). At the same time, the invention establishes a one-to-one correspondence between VPNs and GRE tunnels. When a data packet from a VPN is sent, the sending end applies GRE encapsulation to the packet, and that encapsulation carries the tunnel identifier of the tunnel. The receiving end identifies the GRE tunnel from the source IP address, destination IP address and tunnel identifier in the GRE encapsulation, and forwards the decapsulated data packet to the VPN corresponding to that tunnel according to the unique correspondence between GRE tunnels and VPNs. In addition, because each GRE tunnel corresponds uniquely to one VPN, the GRE tunnel interface can be configured with a private network IP in the same network segment as the corresponding VPN, so that dynamic route learning within each VPN is possible.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart illustrating a multi-VPN data transmission method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application scenario according to an embodiment of the present invention;
Fig. 3 is a processing flow of a first network device as a receiving end according to an embodiment of the present invention;
Fig. 4A is a schematic structural diagram of a multi-VPN data transmission apparatus according to an embodiment of the present invention;
Fig. 4B is a schematic structural diagram of another multi-VPN data transmission apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the hardware structure of a network device according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the negotiation information may also be referred to as second information, and similarly, the second information may also be referred to as negotiation information without departing from the scope of the present invention. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The embodiment of the invention provides a multi-VPN data transmission method in which a network device distinguishes GRE tunnels by the source IP address, destination IP address and tunnel identifier of each GRE tunnel. Multiple GRE tunnels can therefore still be established when the public network IP addresses of the network device are limited, and a unique correspondence between each GRE tunnel and a VPN is established. When the network device transmits a data packet through a GRE tunnel, it encapsulates the packet with the source IP address, destination IP address and tunnel identifier of that tunnel, so that the receiving device identifies the GRE tunnel from these encapsulated values and forwards the decapsulated data packet to the VPN corresponding to the tunnel according to the unique correspondence between GRE tunnels and VPNs.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a flowchart of a multi-VPN data transmission method according to an embodiment of the present invention is shown. The flow applies to the first network device. The first network device and the second network device are both configured with GRE tunnel interfaces corresponding one to one to multiple VPNs; the tunnel identifiers of the GRE tunnel interfaces corresponding to the same VPN are the same, and the tunnel identifiers of the GRE tunnel interfaces corresponding to different VPNs are different.
Here, the first network device and the second network device are only named for convenience of description and are not intended to be limiting.
Fig. 2 is a schematic diagram of an application scenario shown in the embodiment of the present invention. The gateways 231 and 232 are respectively a first network device and a second network device; each of the site 211 and the site 212 includes a VPN221 and a VPN222, and data packets of the VPNs (VPN221 and VPN222) are transmitted between the two sites through GRE tunnels.
Two GRE Tunnel interfaces, denoted Tunnel221 and Tunnel222, are configured on gateway 231. Tunnel221 has source IP address 1.1.1.1, destination IP address 2.2.2.2 and tunnel identifier 221; Tunnel222 has source IP address 1.1.1.1, destination IP address 2.2.2.2 and tunnel identifier 222. Tunnel221 is bound to VPN221 and Tunnel222 is bound to VPN222.
Two GRE Tunnel interfaces, likewise denoted Tunnel221 and Tunnel222, are configured on gateway 232. Tunnel221 has source IP address 2.2.2.2, destination IP address 1.1.1.1 and tunnel identifier 221; Tunnel222 has source IP address 2.2.2.2, destination IP address 1.1.1.1 and tunnel identifier 222. Tunnel221 is bound to VPN221 and Tunnel222 is bound to VPN222.
In other words, two independent GRE tunnels (tunnels 221 and 222) are configured between gateway 231 and gateway 232 over the same pair of public IP addresses. Note that 1.1.1.1 is the public network IP address of gateway 231 and 2.2.2.2 is the public network IP address of gateway 232. Because public network IP resources are scarce, the number of public network IPs configured on a network device is usually very small, for example only one.
As shown in fig. 1, the process may include the following steps:
step 101, if a first data packet from a target VPN is received, and an egress interface for forwarding the first data packet is determined to be a first GRE tunnel interface, a first network device encapsulates a GRE header for the first data packet, and generates a second data packet.
The GRE header includes a tunnel identification of the first GRE tunnel interface.
Here, the target VPN, the first datagram, the first GRE tunnel interface, and the second datagram are only named for convenience of description, and are not limited.
In a specific implementation, an intranet interface of the first network device is bound to the target VPN, so any data packet received through that interface (the first data packet) belongs to the target VPN. The first network device looks up the first data packet in the routing table of the target VPN. If the outgoing interface of the matching routing entry is a GRE tunnel interface (the first GRE tunnel interface), a GRE header is encapsulated for the first data packet. The GRE header includes the tunnel identifier of the first GRE tunnel interface.
For example, if the outgoing interface of the routing table entry hit by the first data packet is Tunnel221, the GRE header encapsulated by the first data packet includes the Tunnel identifier 221 of the Tunnel 221.
In the embodiment of the invention, the packet obtained by adding the GRE header to the first data packet is called the second data packet.
Step 102, the first network device encapsulates, for the second data packet, a header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface, generates a third data packet, and sends the third data packet to the second network device.
That is, a new IP header containing the tunnel source IP address and destination IP address of the first GRE tunnel interface is added outside the GRE header. The tunnel source IP address of the first GRE tunnel interface is the public network IP address of the first network device, and the tunnel destination IP address of the first GRE tunnel interface is the public network IP address of the second network device. The encapsulated packet is called the third data packet and can be forwarded across the public network by ordinary routing.
Here, the third datagram is only named for convenience of description and is not intended to be limiting.
When the second network device receives the third data packet, it determines the second GRE tunnel interface based on the tunnel source IP address, the destination IP address and the tunnel identifier carried in the third data packet.
Here, the second GRE tunnel interface is named for convenience of description only and is not intended to be limiting.
The second GRE tunnel interface is a GRE tunnel interface corresponding to the target VPN and pre-configured by the second network device. The tunnel source IP address of the second GRE tunnel interface is the same as the tunnel destination IP address of the first GRE tunnel interface, the tunnel destination IP address of the second GRE tunnel interface is the same as the tunnel source IP address of the first GRE tunnel interface, and the tunnel identifier of the second GRE tunnel interface is the same as the tunnel identifier of the first GRE tunnel interface.
The second network device decapsulates the third data packet (i.e., removes the outer IP header carrying the source and destination IP addresses of the first GRE tunnel interface, together with the GRE header) and obtains the first data packet. It then forwards the first data packet to the target VPN corresponding to the second GRE tunnel interface.
Thus, the flow shown in fig. 1 is completed.
As can be seen from the flow shown in Fig. 1, in the embodiment of the present invention the network device distinguishes GRE tunnels based on the source IP address, the destination IP address and the tunnel identifier of each GRE tunnel, so that multiple GRE tunnels can still be established, and a unique correspondence between each GRE tunnel and a VPN can be established, even when the public network IP addresses of the network device are limited.
When the network device transmits a data packet through a GRE tunnel, it encapsulates the packet with the source IP address, destination IP address and tunnel identifier of that tunnel, so that the receiving device identifies the GRE tunnel from these encapsulated values and forwards the decapsulated data packet to the VPN corresponding to the tunnel according to the unique correspondence between GRE tunnels and VPNs. Multi-VPN data transmission is implemented in this way.
In addition, due to the unique corresponding relation between each GRE tunnel and each VPN, a private network IP which belongs to the same network segment with the host IP in the corresponding VPN can be configured on the interface of the GRE tunnel, thereby realizing the dynamic route learning in the VPN.
As shown in fig. 2, the private network IP of Tunnel221 is configured as a private network IP (e.g., 10.0.0.1) belonging to the same network segment as the host IP in VPN221 on gateway 231, and the private network IP of Tunnel222 is configured as a private network IP (e.g., 20.0.0.1) belonging to the same network segment as the host IP in VPN 222; likewise, the private network IP of Tunnel221 is configured on gateway 232 as a private network IP belonging to the same network segment as the host IP in VPN221 (e.g., 0.0.0.2), and the private network IP of Tunnel222 is configured as a private network IP belonging to the same network segment as the host IP in VPN222 (e.g., 20.0.0.2). In this way, dynamic route learning across GRE tunnels can be implemented within both VPN221 and VPN 222.
Referring to fig. 3, a processing flow of the first network device as a receiving end is shown in the embodiment of the present invention.
As shown in fig. 3, the process may include the following steps:
step 301, if receiving a fourth data packet forwarded by the second network device and determining that the fourth data packet is a GRE packet, the first network device obtains a tunnel source IP address and a destination IP address of the fourth data packet and a tunnel identifier of the third GRE tunnel interface.
Here, the fourth data packet and the third GRE tunnel interface are only named for convenience of description, and are not limited.
The tunnel source IP address of the fourth data packet is the public network IP address of the second network device, and the tunnel destination IP address of the fourth data packet is the public network IP address of the first network device.
From the tunnel destination IP address of the fourth data packet, the first network device determines that the packet is addressed to itself and must be processed locally. It then determines from the IP protocol number whether the fourth data packet is a GRE packet.
If the fourth data packet is a GRE packet (i.e., a packet transmitted through a GRE tunnel), the tunnel source IP address and destination IP address of the fourth data packet and the tunnel identifier of the third GRE tunnel interface are extracted from it.
Step 302, based on the tunnel source IP address and the destination IP address of the fourth data packet and the tunnel identifier of the third GRE tunnel interface, the first network device determines the fourth GRE tunnel interface.
Since step 301 has determined that the fourth data packet is a GRE packet, the tunnel source IP address and destination IP address of the fourth data packet are the tunnel source IP address and destination IP address of the third GRE tunnel interface, as encapsulated by the second network device.
The first network device can therefore determine the fourth GRE tunnel interface from the obtained tunnel source IP address, destination IP address and tunnel identifier of the third GRE tunnel interface.
Here, the fourth GRE tunnel interface is named for convenience of description only and is not intended to be limiting.
The tunnel source IP address of the fourth GRE tunnel interface is the same as the tunnel destination IP address of the third GRE tunnel interface, the tunnel destination IP address of the fourth GRE tunnel interface is the same as the tunnel source IP address of the third GRE tunnel interface, and the tunnel identifier of the fourth GRE tunnel interface is the same as the tunnel identifier of the third GRE tunnel interface.
For example, if the gateway 231 obtains the Tunnel source IP address 2.2.2.2, the destination IP address 1.1.1.1, and the Tunnel identifier 221 of the GRE Tunnel interface from the fourth data packet, it may determine that the GRE Tunnel interface receiving the data packet is the Tunnel221 by matching with the locally configured GRE Tunnel interface.
Step 303, the first network device decapsulates the fourth data packet to obtain a fifth data packet.
Here, the fifth datagram is only named for convenience of description and is not intended to be limiting.
This step removes the GRE tunnel encapsulation and restores the data packet that can be forwarded within the VPN.
Step 304, according to the pre-configured correspondence between the GRE tunnel interface and the VPN, the first network device forwards the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface.
Since the first network device has configured the corresponding relationship between the GRE tunnel interface and the VPN in advance, the VPN to which the fifth data packet belongs can be determined according to the corresponding relationship, and forwarding is performed by querying a routing table in the VPN to which the fifth data packet belongs.
For example, the correspondence between Tunnel221 and VPN221 has been configured in advance, so gateway 231 may determine that the data packet received through Tunnel221 belongs to VPN221, and forward the data packet based on the routing table in VPN 221.
The flow shown in fig. 3 is completed.
The processing of the received VPN data packet is implemented by the flow shown in fig. 3.
Optionally, as an embodiment, the tunnel identifier of the GRE tunnel interface may be carried in a Key field of the GRE header.
The Key field is normally used to verify the validity of a packet. When a GRE tunnel interface is configured on a network device, a Key value can be configured for it. When the sending end encapsulates a GRE header for a data packet, the Key field of the GRE header carries the Key value pre-configured for the GRE tunnel interface at the sending end. The receiving end compares the Key value in the received GRE header with the Key value of the GRE tunnel interface pre-configured at the local end; if they match, the packet continues to be processed, otherwise the packet is discarded.
The embodiment of the invention can directly use the pre-configured Key value of the GRE tunnel interface as the tunnel identifier of that interface. When the first network device encapsulates the GRE header for the first data packet, the Key value (the tunnel identifier of the tunnel interface) is placed in the Key field of the GRE header.
After the second network device receives the encapsulated third data packet (the first data packet encapsulated with the GRE header and with the tunnel source IP address and destination IP address of the GRE tunnel interface), it compares the Key value carried in the packet with the Key value of the locally pre-configured GRE tunnel interface (for the same GRE tunnel, the Key values configured on the second network device and the first network device are the same), and processes the received packet only if the Key values match. This completes the validity check of the packet. At the same time, the GRE tunnels are distinguished by the Key value (the tunnel identifier of the tunnel interface).
Optionally, as an embodiment, the tunnel identifier of the GRE tunnel interface may be carried in an extension field of the GRE header. That is, the existing field of the GRE header is not occupied, and the tunnel identifier of the GRE tunnel interface is carried by the newly added field (e.g., the newly added VNID field) to distinguish different GRE tunnels. The Key field in the GRE header is still used for verifying the message validity.
The method provided by the embodiment of the invention is described below with a specific example, again using the networking shown in fig. 2. The networking includes two VPNs, VPN221 and VPN222.
Gateway 231 is configured with two GRE tunnel interfaces, Tunnel221 and Tunnel222.
Tunnel221 has source IP address 1.1.1.1, destination IP address 2.2.2.2, Key value 221 (in this example the Key value serves as the tunnel identifier of the GRE tunnel interface) and private network IP address 10.0.0.1, and the correspondence between Tunnel221 and VPN221 is configured. Tunnel222 has source IP address 1.1.1.1, destination IP address 2.2.2.2, Key value 222 and private network IP address 20.0.0.1, and the correspondence between Tunnel222 and VPN222 is configured.
Gateway 232 is likewise configured with two GRE tunnel interfaces, Tunnel221 and Tunnel222.
Its Tunnel221 has source IP address 2.2.2.2, destination IP address 1.1.1.1, Key value 221 and private network IP address 10.0.0.2, and the correspondence between Tunnel221 and VPN221 is configured. Its Tunnel222 has source IP address 2.2.2.2, destination IP address 1.1.1.1, Key value 222 and private network IP address 20.0.0.2, and the correspondence between Tunnel222 and VPN222 is configured.
When gateway 231 receives a data packet (denoted Packet1) from VPN221, it looks up the routing table of VPN221. If the outgoing interface of the matching routing entry is Tunnel221, gateway 231 encapsulates Packet1 in a GRE header whose Key field has the value 221, then adds an outer IP header with the source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Tunnel221. The encapsulated packet is denoted Packet12.
Packet12 is routed across the public network. When gateway 232 receives Packet12, it determines that it must process the packet itself, because the destination IP address of Packet12 (2.2.2.2) is the public network IP address of gateway 232. From the protocol number in the outer IP header, gateway 232 determines that Packet12 is a GRE packet, that is, a packet transmitted through a GRE tunnel.
Gateway 232 takes the tunnel source IP address (1.1.1.1), the destination IP address (2.2.2.2) and the value of the Key field in the GRE header (221) of Packet12 and matches them against its locally configured GRE tunnel interfaces, which shows that the GRE tunnel interface on which Packet12 was received is Tunnel221. From the locally configured correspondence between GRE tunnel interfaces and VPNs (Tunnel221 corresponds to VPN221), it then determines that Packet12 belongs to VPN221.
Gateway 232 decapsulates Packet12, that is, removes the outer header carrying the tunnel source IP address (1.1.1.1) and destination IP address (2.2.2.2) and the GRE header, restoring Packet1. Packet1 is then forwarded by looking up the routing table of the local VPN221.
Similarly, when gateway 231 receives a data packet (denoted Packet2) from VPN222, it looks up the routing table of VPN222, and the outgoing interface of the matching routing entry is Tunnel222. Gateway 231 encapsulates Packet2 in a GRE header whose Key field has the value 222, then adds an outer IP header with the source IP address (1.1.1.1) and destination IP address (2.2.2.2) of Tunnel222. The encapsulated packet is denoted Packet22.
Packet22 is routed across the public network. When gateway 232 receives Packet22, it determines from the destination IP address of Packet22 (2.2.2.2) that it must process the packet itself, and from the protocol number in the outer IP header that Packet22 is a GRE packet.
Gateway 232 takes the tunnel source IP address (1.1.1.1), the destination IP address (2.2.2.2) and the value of the Key field in the GRE header (222) of Packet22 and matches them against its locally configured GRE tunnel interfaces, which shows that the GRE tunnel interface on which Packet22 was received is Tunnel222. From the locally configured correspondence between GRE tunnel interfaces and VPNs (Tunnel222 corresponds to VPN222), it then determines that Packet22 belongs to VPN222.
Gateway 232 decapsulates Packet22, that is, removes the outer header carrying the tunnel source IP address (1.1.1.1) and destination IP address (2.2.2.2) and the GRE header, restoring Packet2. Packet2 is then forwarded by looking up the routing table of the local VPN222.
In the embodiment of the invention, each VPN has a dedicated GRE tunnel, and each GRE tunnel interface is configured with a private network IP address in the same network segment as the corresponding VPN, so dynamic route learning can be performed within each VPN.
For example, gateway 231 configures the private network IP address of Tunnel221 (corresponding to VPN221) as 10.0.0.1 and gateway 232 configures the private network IP address of its Tunnel221 as 10.0.0.2, so dynamic route learning across the GRE tunnel is possible within VPN221. Similarly, gateway 231 configures the private network IP address of Tunnel222 (corresponding to VPN222) as 20.0.0.1 and gateway 232 configures that of its Tunnel222 as 20.0.0.2, so dynamic route learning across the GRE tunnel is possible within VPN222.
This completes the description of the present embodiment.
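The Key-based tunnel identification described above (Key value used as tunnel identifier, receiver compares it with its own configured Key and discards on mismatch) and the Packet1/Packet2 walk-through, as one added worked example. This is not the patent's own code; the `TunnelIf`, `Gateway`, `encapsulate` and `demo` names, the UDP inner packets and the four-byte payloads are assumptions of this example, and only the IP addresses, Key values and VPN bindings come from the embodiment above.

```python
"""Added worked example (not the patent's code): GRE Key as per-VPN tunnel id,
following the Tunnel221/Tunnel222 networking above. Standard library only;
every packet is constructed inline."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_PROTO = 47           # IP protocol number of GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type for an IPv4 payload
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # Checksum/Key/Sequence Present bits


@dataclass(frozen=True)
class TunnelIf:
    """One GRE tunnel interface as configured on a gateway (assumed structure)."""
    name: str  # e.g. "Tunnel221"
    src: str   # tunnel source IP (this gateway's public IP)
    dst: str   # tunnel destination IP (peer gateway's public IP)
    key: int   # GRE Key value, used as the tunnel identifier
    vpn: str   # VPN instance bound to this interface


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def encapsulate(tif: TunnelIf, inner: bytes) -> bytes:
    """Sender side: inner packet -> GRE header (K set, Key = tunnel id) -> outer IPv4."""
    gre = struct.pack("!HHI", GRE_K, ETHERTYPE_IPV4, tif.key)
    return ipv4_header(tif.src, tif.dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


class Gateway:
    def __init__(self, public_ip: str, tunnels):
        self.public_ip = public_ip
        # Lookup tuple is (local tunnel src, local tunnel dst, Key).
        self.by_tuple = {(t.src, t.dst, t.key): t for t in tunnels}

    def receive(self, pkt: bytes) -> Optional[Tuple[str, str, bytes]]:
        """Receiver side: (tunnel interface, VPN, inner packet), or None if dropped."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return None
        ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or total_len > len(pkt) or _checksum(pkt[:ihl]) != 0:
            return None                     # malformed or corrupted outer header
        src = ".".join(map(str, pkt[12:16]))
        dst = ".".join(map(str, pkt[16:20]))
        if dst != self.public_ip or pkt[9] != GRE_PROTO:
            return None                     # not addressed to us, or not GRE
        gre = pkt[ihl:total_len]
        if len(gre) < 4:
            return None
        flags, ptype = struct.unpack("!HH", gre[:4])
        if flags & 0x0007 or ptype != ETHERTYPE_IPV4:
            return None                     # GRE version must be 0
        off = 4 + (4 if flags & GRE_C else 0)   # skip Checksum/Reserved1 if present
        if not flags & GRE_K or len(gre) < off + 4:
            return None                     # no Key, so no tunnel identifier
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4 + (4 if flags & GRE_S else 0)  # skip Sequence Number if present
        # The packet's (src, dst) mirrors the local interface's (src, dst).
        tif = self.by_tuple.get((dst, src, key))
        if tif is None:
            return None                     # Key matches no interface: discard
        return tif.name, tif.vpn, gre[off:]


# Configuration from the example: gateway 231 (1.1.1.1) and gateway 232 (2.2.2.2).
GW231_IFS = [TunnelIf("Tunnel221", "1.1.1.1", "2.2.2.2", 221, "VPN221"),
             TunnelIf("Tunnel222", "1.1.1.1", "2.2.2.2", 222, "VPN222")]
GW232 = Gateway("2.2.2.2", [TunnelIf("Tunnel221", "2.2.2.2", "1.1.1.1", 221, "VPN221"),
                            TunnelIf("Tunnel222", "2.2.2.2", "1.1.1.1", 222, "VPN222")])
# Constructed inner packets: a UDP/IPv4 header plus a four-byte payload each.
PACKET1 = ipv4_header("10.0.0.1", "10.0.0.2", 17, 4) + b"vpn1"  # from VPN221
PACKET2 = ipv4_header("20.0.0.1", "20.0.0.2", 17, 4) + b"vpn2"  # from VPN222


def demo():
    """Packet1 reaches VPN221 via Tunnel221, Packet2 reaches VPN222 via Tunnel222."""
    packet12 = encapsulate(GW231_IFS[0], PACKET1)
    packet22 = encapsulate(GW231_IFS[1], PACKET2)
    return GW232.receive(packet12), GW232.receive(packet22)
```

`demo()` returns the two `(interface, VPN, inner packet)` results for Packet12 and Packet22; a packet whose Key (or source or destination address) matches no configured interface returns `None`, which is the discard behaviour the text describes. One caveat a practitioner should keep in mind: the GRE Key is a 32-bit value carried in the clear, so this check separates VPNs and rejects misconfigured peers, but it is not authentication. A sender that can spoof the tunnel source IP and knows or guesses the Key can inject packets into the chosen VPN, so on an untrusted public network the GRE tunnels are normally carried inside IPsec, or at least GRE (IP protocol 47) is filtered to the known peer addresses at the tunnel endpoints.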
The method provided by the embodiment of the invention is described above, and the device provided by the embodiment of the invention is described below:
Referring to fig. 4A, a schematic structural diagram of an apparatus according to an embodiment of the present invention is shown. The multi-VPN data transmission device includes an encapsulation unit 401 and a first sending unit 402, where:
an encapsulating unit 401, configured to, if a first data packet from a target VPN is received and an egress interface for forwarding the first data packet is determined to be a first GRE tunnel interface, encapsulate a GRE header for the first data packet, and generate a second data packet, where the GRE header includes a tunnel identifier of the first GRE tunnel interface; encapsulating a message header containing a tunnel source IP address and a destination IP address of the first GRE tunnel interface for the second data message to generate a third data message;
a first sending unit 402, configured to send the third data packet to the second network device, so that after receiving the third data packet, the second network device determines a second GRE tunnel interface based on a tunnel source IP address, a destination IP address, and a tunnel identifier of the third data packet, decapsulates the third data packet, obtains the first data packet, and forwards the first data packet to a target VPN corresponding to the second GRE tunnel interface.
Thus, the description of the apparatus shown in fig. 4A is completed.
In the embodiment of the invention, a network device distinguishes GRE tunnels by the source IP address, destination IP address and tunnel identifier of the GRE tunnel, so that multiple GRE tunnels can still be established when the public network IP addresses of the network device are limited, and a unique correspondence between GRE tunnel and VPN is established.
When a network device transmits a data packet through a GRE tunnel, it encapsulates the packet with the source IP address, destination IP address and tunnel identifier of the GRE tunnel, so that the receiving device identifies the GRE tunnel from these three values and, by the unique correspondence between GRE tunnel and VPN, forwards the decapsulated packet to the VPN corresponding to that tunnel. Multi-VPN data transmission is thereby implemented.
In addition, because of the unique correspondence between GRE tunnel and VPN, a private network IP address in the same network segment as the host IP addresses of the corresponding VPN can be configured on the GRE tunnel interface, so dynamic route learning can be performed within each VPN.
As an embodiment, on the basis of the apparatus shown in fig. 4A, the multi-VPN data transmission apparatus further includes a receiving unit 403, a determining unit 404, a decapsulating unit 405, and a second sending unit 406, as shown in fig. 4B, where:
a receiving unit 403, configured to obtain a tunnel source IP address and a destination IP address of a fourth data packet and a tunnel identifier of a third GRE tunnel interface if the fourth data packet forwarded by the second network device is received and it is determined that the fourth data packet is a GRE packet;
a determining unit 404, configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and the destination IP address of the fourth data packet and the tunnel identifier of the third GRE tunnel interface;
a decapsulation unit 405, configured to decapsulate the fourth data packet to obtain a fifth data packet;
a second sending unit 406, configured to forward the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface according to a pre-configured correspondence between the GRE tunnel interface and the VPN.
Thus, the description of the apparatus shown in fig. 4B is completed.
The processing of the received VPN data packet is implemented by the apparatus shown in fig. 4B.
As an embodiment, the tunnel identifier is carried in a Key field of a GRE header.
As an embodiment, the tunnel identification is carried in an extension field of the GRE header.
The following describes a network device provided in an embodiment of the present invention:
Fig. 5 is a schematic diagram of the hardware structure of a network device according to an embodiment of the present invention. The device may include a processor 501 and a machine-readable storage medium 502 storing machine-executable instructions. The processor 501 and the machine-readable storage medium 502 may communicate via a system bus 503. The processor 501 performs the multi-VPN data transmission method described above by reading and executing the machine-executable instructions in the machine-readable storage medium 502 that correspond to the multi-VPN data transmission logic.
The machine-readable storage medium 502 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium 502 may include at least one of the following storage media: volatile memory, non-volatile memory, other types of storage media. The volatile Memory may be a Random Access Memory (RAM), and the nonvolatile Memory may be a flash Memory, a storage drive (e.g., a hard disk drive), a solid state disk, and a storage disk (e.g., a compact disk, a DVD).
Embodiments of the present invention also provide a machine-readable storage medium, such as machine-readable storage medium 502 in fig. 5, comprising machine-executable instructions that are executable by processor 501 in a network device to implement the multi-VPN data transmission method described above.
So far, the description of the apparatus shown in fig. 5 is completed.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the embodiments of the present invention should be included in the scope of the present invention.

Claims (10)

1. A multi-virtual private network VPN data transmission method is applied to a first network device, and is characterized in that the first network device and a second network device are both configured with generic routing encapsulation GRE tunnel interfaces corresponding to multiple VPNs one to one, tunnel identifiers of the GRE tunnel interfaces corresponding to the same VPN are the same, and tunnel identifiers of the GRE tunnel interfaces corresponding to different VPNs are different, the method comprises the following steps:
if a first data message from a target VPN is received, determining that an outgoing interface for forwarding the first data message is a first GRE tunnel interface by inquiring a routing table item in the target VPN, encapsulating a GRE header for the first data message, and generating a second data message, wherein the GRE header comprises a tunnel identifier of the first GRE tunnel interface;
and encapsulating a message header containing the tunnel source IP address and the destination IP address of the first GRE tunnel interface for the second data message, generating a third data message and sending the third data message to the second network equipment, so that the second network equipment determines a second GRE tunnel interface based on the tunnel source IP address, the destination IP address and the tunnel identifier of the third data message after receiving the third data message, decapsulates the third data message to obtain the first data message, and forwards the first data message to a target VPN corresponding to the second GRE tunnel interface.
2. The method of claim 1, wherein the method further comprises:
if a fourth data message forwarded by the second network equipment is received and the fourth data message is determined to be a GRE message, acquiring a tunnel source IP address and a destination IP address of the fourth data message and a tunnel identifier of a third GRE tunnel interface;
determining a fourth GRE tunnel interface based on the tunnel source IP address and the destination IP address of the fourth data message and the tunnel identifier of the third GRE tunnel interface;
decapsulating the fourth data packet to obtain a fifth data packet;
and forwarding the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface according to a pre-configured correspondence between the GRE tunnel interface and the VPN.
3. The method of claim 1, wherein the tunnel identification is carried in a Key field of a GRE header.
4. The method of claim 1 wherein the tunnel identification is carried in an extension field of a GRE header.
5. A multi-virtual private network VPN data transmission device is applied to a first network device, and is characterized in that a first network device and a second network device are both configured with a generic routing encapsulation GRE tunnel interface corresponding to the multi-VPN one-to-one, tunnel identifiers of the GRE tunnel interfaces corresponding to the same VPN are the same, and tunnel identifiers of the GRE tunnel interfaces corresponding to different VPNs are different, the device comprises:
an encapsulation unit, configured to determine, if a first data packet from a target VPN is received, that an egress interface for forwarding the first data packet is a first GRE tunnel interface by querying a routing table entry in the target VPN, encapsulate a GRE header for the first data packet, and generate a second data packet, where the GRE header includes a tunnel identifier of the first GRE tunnel interface; encapsulating a message header containing a tunnel source IP address and a destination IP address of the first GRE tunnel interface for the second data message to generate a third data message;
and the first sending unit is used for sending the third data message to the second network equipment, so that after the second network equipment receives the third data message, a second GRE tunnel interface is determined based on a tunnel source IP address, a destination IP address and a tunnel identifier of the third data message, the third data message is subjected to decapsulation processing to obtain the first data message, and the first data message is forwarded to a target VPN corresponding to the second GRE tunnel interface.
6. The apparatus of claim 5, wherein the apparatus further comprises:
a receiving unit, configured to obtain a tunnel source IP address and a destination IP address of a fourth data packet and a tunnel identifier of a third GRE tunnel interface if the fourth data packet forwarded by the second network device is received and it is determined that the fourth data packet is a GRE packet;
a determining unit, configured to determine a fourth GRE tunnel interface based on the tunnel source IP address and the destination IP address of the fourth data packet and the tunnel identifier of the third GRE tunnel interface;
a decapsulation unit, configured to decapsulate the fourth data packet to obtain a fifth data packet;
and a second sending unit, configured to forward the fifth data packet to the VPN corresponding to the fourth GRE tunnel interface according to a pre-configured correspondence between the GRE tunnel interface and the VPN.
7. The apparatus of claim 5, wherein the tunnel identification is carried in a Key field of a GRE header.
8. The apparatus of claim 5, wherein the tunnel identification is carried in an extension field of a GRE header.
9. A network device, the device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 4.
10. A machine-readable storage medium having stored therein machine-executable instructions which, when executed by a processor, perform the method steps of any of claims 1-4.
CN201811472515.6A 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment Active CN109412927B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811472515.6A CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811472515.6A CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Publications (2)

Publication Number Publication Date
CN109412927A CN109412927A (en) 2019-03-01
CN109412927B true CN109412927B (en) 2021-07-23

Family

ID=65457162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811472515.6A Active CN109412927B (en) 2018-12-04 2018-12-04 Multi-VPN data transmission method and device and network equipment

Country Status (1)

Country Link
CN (1) CN109412927B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804129B (en) * 2019-11-13 2023-11-03 中兴通讯股份有限公司 Message transmission method and system, transmitting end VPN equipment and GRE splicing equipment
CN113098749B (en) * 2020-01-08 2024-10-15 华为技术有限公司 Message sending method, device and storage medium
CN113259497A (en) * 2020-02-07 2021-08-13 华为技术有限公司 Method, device, storage medium and system for transmitting message
US11336573B2 (en) * 2020-02-26 2022-05-17 Cisco Technology, Inc. Service chaining in multi-fabric cloud networks
CN111447132B (en) * 2020-03-16 2021-12-21 广州方硅信息技术有限公司 Data transmission method, device, system and computer storage medium
CN111884903B (en) * 2020-07-15 2022-02-01 迈普通信技术股份有限公司 Service isolation method and device, SDN network system and routing equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1412988A (en) * 2002-05-22 2003-04-23 华为技术有限公司 Packaging retransmission method of message in network communication
CN1468007A (en) * 2002-07-10 2004-01-14 华为技术有限公司 Virtual switch for supplying virtual LAN service and method
CN1553661A (en) * 2003-05-28 2004-12-08 华为技术有限公司 Method for point to point transparent transmission
CN102130826A (en) * 2010-11-25 2011-07-20 华为技术有限公司 Message transmitting method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101394361B (en) * 2008-11-10 2011-07-27 杭州华三通信技术有限公司 Packet transmission method, device and system

Also Published As

Publication number Publication date
CN109412927A (en) 2019-03-01

Similar Documents

Publication Publication Date Title
CN109412927B (en) Multi-VPN data transmission method and device and network equipment
US11671367B1 (en) Methods and apparatus for improving load balancing in overlay networks
US11979322B2 (en) Method and apparatus for providing service for traffic flow
CN105591982B (en) A kind of method and apparatus of message transmissions
US10412008B2 (en) Packet processing method, apparatus, and system
CN107682370B (en) Method and system for creating protocol headers for embedded layer two packets
CN105827495B (en) The message forwarding method and equipment of VXLAN gateway
CN104683210B (en) A kind of automatic method and apparatus for establishing tunnel
US9112723B2 (en) Service node using services applied by an application node
CN107770072B (en) Method and equipment for sending and receiving message
US10505759B2 (en) Access layer-2 virtual private network from layer-3 virtual private network
CN108924062B (en) Message processing method and device
CN107659484B (en) Method, device and system for accessing VXLAN network from VLAN network
CN107645433B (en) Message forwarding method and device
CN107547340B (en) Message forwarding method and device
CN108259453B (en) Message forwarding method and device
CN108390812B (en) Message forwarding method and device
CN107948150A (en) Message forwarding method and device
CN109246016B (en) Cross-VXLAN message processing method and device
CN110391984B (en) Message forwarding method and device
CN108471374B (en) Data message forwarding method and device
CN105591929B (en) Lightweight dual stack group authentication method off the net and device
US11115506B2 (en) Inner VXLAN tunnel packet detection
CN112565044B (en) Message processing method and device
CN108111385B (en) Message forwarding method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant