JP5713865B2 - VPN terminator, communication system, packet transfer method, and program - Google Patents

Description

  The present invention relates to an IP communication technology in a virtual private network (VPN).

  In recent years, VPLS (Virtual Private LAN Service) technology for realizing a wide area Ethernet (registered trademark) service using MPLS (Multi-Protocol Label Switching) has begun to be used. FIG. 1A shows an example of a network configuration using the VPLS technology.

  The network shown in FIG. 1A includes PE (provider edge) devices 10, 20, and 30 that are communication devices on the telecommunications carrier (provider) side, and CE (customer edge) devices that are communication devices on the user's base side. 40, 50, and 60 are connected by a communication path. In the example of FIG. 1A, the user terminal A is connected to the CE device 40, the user terminal B is connected to the CE device 50, and the user terminal C is connected to the CE device 60. Each CE device is a router for routing IP packets. Each PE device is a device having a function of performing packet switching by a MAC address and performing transfer using an MPLS logical path (LSP: Label Switched Path) as a tunnel. In this specification and claims, the term “packet” is used in a broad sense including “frame” and the like. However, in the following description of the prior art and the description of the embodiments, most In this case, “packet” is an Ethernet frame, and when referring to a specific type of packet, a description such as “IP packet” or “MPLS packet” is used.

  Each device is assigned an IP address and a MAC address as shown in FIG. For example, the MAC address: 2222 and the IP address: 192.168.0.1 are assigned to the interface (physical interface): eth0 in the CE device 40, and the MAC address: αααα and the IP address: 172.16.0 are assigned to eth1. .1 is assigned. As shown in FIG. 1A, each CE device includes a routing table. The routing table shown here is for routing to the MPLS backbone side.

  The MPLS backbone 70 on the telecommunications carrier side is configured with an MPLS network, and the PE devices are fully meshed with each other by LSP.

  In the network shown in FIG. 1A, an MPLS backbone 70 connecting PE devices is a public network that passes various user traffic. In a PE device, packets sent from user bases are expressed by MPLS labels. It is encapsulated and the MPLS packet is transferred to the opposite PE apparatus. Since MPLS label values are strictly managed so that users can be uniquely identified between PE devices, confidentiality of user communication is ensured. A network configured by connecting CE devices appears to a user as an IP closed network dedicated to the user. However, since this closed network is a virtual network using a public network, it is called a virtual closed network (also referred to as a VPN: Virtual Private Network) 80.

  Hereinafter, with reference to the sequence diagram of FIG. 1B, an operation example when IP packet communication is performed from the user terminal A to the user terminal B in the network shown in FIG.

  Step 1) The user terminal A sends a packet including an IP packet having the IP address of the user terminal B as the destination IP address to the CE device 40 that is the default gateway of the user terminal A.

  Step 2) The CE device 40 that has received the packet from the user terminal A refers to the routing table, grasps that the IP address of the next hop is 172.16.0.2, and determines the next hop (172. 16.0). .2) broadcast the ARP packet to grasp the MAC address. From the ARP, the CE device 40 grasps that the MAC address of the next hop (172.16.0.2) is ββββ.

  Step 3) The CE device 40 transmits a packet including the above IP packet and having the destination MAC address ββββ to the PE device 10 connected to eth1.

  Step 4) At this point, if the PE device 10 has already learned the correspondence between the MAC address: ββββ and the interface to which the packet is to be output, the packet received from the CE device 40 based on this correspondence is MPLS-encapsulated. (LSP label is attached) and transferred to the counter PE device 20. Note that if the MAC learning is not performed at this time (for example, when the contents of the learning table are deleted due to timeout), the PE device 10 floods the packet to all the LSPs to obtain the MAC address: ββββ. The interface corresponding to (LSP to be used) is learned.

  Step 5) Upon receiving the MPLS packet, the PE device 20 transfers the packet obtained by removing the MPLS capsule from the MPLS packet to the CE device 50.

  Step 6) The CE device 50 transfers the IP packet to the user terminal B.

  As described above, each PE device in the MPLS backbone has a MAC address learning table for each user, and determines which LSP should forward a packet addressed to which MAC address. The packet is tunnel-transferred by the LSP, and the relay interval is transferred only by looking at the label.

JP 2000-183968 A

  As described above, in the above-described prior art, the CE device needs to broadcast an ARP packet in order to grasp the MAC address of the opposite CE device necessary for IP communication. The user's IP packet transfer processing is put on hold from when the CE device sends an ARP request until it receives an ARP reply from the opposite CE device. There is a delay. In particular, in the network configuration shown in FIG. 1 in which a user packet is transferred over a wide area via a tunnel, the ARP packet is transferred over a long section, which may increase the delay.

In addition, since the entry holding period in the ARP table in the CE device and the entry holding period in the MAC learning address table in the PE device are individually managed, inefficient packet transfer processing (ARP) between the CE devices Broadcast frames and flooding to all LSPs due to unlearned MAC addresses in the VPLS section (= broadcast Unknown unicast frame transfer) occurs, and the packet is transferred to the CE device that is not the communication partner. For this reason, the bandwidth of the access line (between PE and CE) is compressed, and there is a possibility that the communication other than the intended communication may be affected by delay or the like.
The present invention has been made in view of the above points. A VPN for accommodating and transferring IP packets sent from a user terminal in a VPN tunnel configured by encapsulation using a MAC address between VPN end devices. The purpose is to provide a technique for enabling IP packet communication without performing ARP packet transmission or the like for MAC address resolution.

In order to solve the above-mentioned problems, the present invention is a VPN termination device that accommodates and transfers IP packets in a VPN tunnel configured by encapsulation using a MAC address, and includes IP subnetwork information, MAC address And routing table storage means for storing a routing table in association with the output interface, and setting information of the routing table is received from the NW operation device network-connected to the VPN terminating device, and the setting information is stored in the routing table. A setting means for storing in the means; when receiving an IP packet, refer to the routing table to determine a MAC address and an output interface corresponding to a destination IP address of the IP packet, and including the IP packet A VPN terminating device comprising a packet transfer means for transferring a packet having a MAC address as a destination MAC address from the output interface.

  The VPN termination device includes a first packet processing unit connected to a network on a user terminal side, the routing table storage unit, and the packet transfer unit, and a second packet connected to the backbone network of the VPN Processing means, and the first packet processing means may be configured to perform IP packet transfer to the network on the user terminal side by performing IP routing processing.

  Further, the present invention is a communication system comprising the VPN termination device and an edge device that constitutes the VPN backbone network and is connected to the VPN termination device, wherein the edge device outputs a MAC address and an output A table storage means for storing a table in which the interface is associated; and when the packet transferred from the VPN terminating device is received, the output interface corresponding to the destination MAC address of the packet is referred to by referring to the table And a packet transfer means for determining and transferring the packet from the output interface.

The present invention also relates to a packet transfer method executed by a VPN terminator that accommodates and transfers IP packets in a VPN tunnel configured by encapsulation using a MAC address, and the VPN terminator is configured to receive an IP sub- Routing table storage means for storing a routing table in which network information, a MAC address, and an output interface are associated with each other, and receives setting information of the routing table from an NW operation device connected to the VPN terminal device and the network, A setting step for storing information in the routing table storage means; when an IP packet is received, referring to the routing table, a MAC address and an output interface corresponding to a destination IP address of the IP packet A packet transfer step of determining and transferring a packet having the MAC address including the IP packet as a destination MAC address from the output interface.

  The present invention can also be configured as a program for causing a communication device including a computer configuration to function as each means of the VPN termination device.

  According to the present invention, in a virtual closed network in which an IP packet sent from a user terminal is accommodated and transferred in a VPN tunnel configured by encapsulation using a MAC address between VPN termination devices, for MAC address resolution IP packet communication is possible without performing ARP packet transmission and the like, and delays can be prevented from occurring.

  Furthermore, according to an embodiment of the present invention, in a VPN backbone network, when a packet forwarded from a VPN terminating device at an edge device is received, flooding to all LSPs due to MAC address unlearned in the VPLS section (= Broadcast Unknown unicast frame transfer) is not performed, and packets are not transferred to the CE device that is not the communication partner, so it is possible to prevent access line bandwidth compression.

It is a figure for demonstrating a prior art. It is a figure which shows the network structural example which concerns on embodiment of this invention. It is a figure which shows the function structural example of the VPN termination device which concerns on embodiment of this invention. It is a figure which shows an example of the MAC routing table which concerns on embodiment of this invention. It is a figure which shows the function structural example of the PE apparatus which concerns on embodiment of this invention. It is a figure which shows an example of the MAC learning table which concerns on embodiment of this invention. It is a figure for demonstrating the packet transfer process which concerns on embodiment of this invention. It is a figure for demonstrating the modification of embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment.

(System configuration)
FIG. 2 shows a network configuration example including a virtual closed network (hereinafter referred to as VPN) according to the embodiment of the present invention. As shown in FIG. 2, the network according to the present embodiment is configured by connecting PE apparatuses 201 and 202 and VPN termination apparatuses 101 and 102 via a communication path. Further, a user terminal X is connected to the VPN termination device 101, and a user terminal Y is connected to the VPN termination device 102. Each VPN terminating device is common to the CE device shown in FIG. 1A in that it is arranged at the same network location and routes IP packets, but there are differences in their functions. . Each PE device is the same as the PE device shown in FIG. 1A regarding the communication processing, but the MAC learning table setting method is different. Details will be described later.

  As shown in FIG. 2, a VPN 400 is configured by the VPN termination devices 101 and 102, and an MPLS backbone 300 is configured by the PE devices 201 and 202. In FIG. 2, only the VPN termination devices 101 and 102 and the PE devices 201 and 202 are shown. However, these are only examples, and a large number of devices may actually exist.

  As shown in FIG. 2, in this embodiment, the NW operation device 500 is connected to the communication network 600 and can communicate with each VPN termination device and each PE device.

  FIG. 3 shows a functional configuration example of the VPN terminating device 101 according to the present embodiment. Other VPN terminators have the same functional configuration. As illustrated in FIG. 3, the VPN terminating device 101 includes a user side packet processing unit 110, a provider side packet processing unit 120, and interfaces 131 and 132. In the example of FIG. 3, the number of interfaces on the user side and the provider (communication carrier) side is one, but this is only an example, and there may be a plurality of interfaces.

  The user-side packet processing unit 110 is a functional unit that transfers a packet received from the user-side device and a packet received from the provider-side packet processing unit 120 by a normal IP routing process. For example, if the destination IP address of the packet is the IP address of the user side network in the same site, the packet is transferred to the user side, and if the destination IP address of the packet is the IP address of the user side network of the site different, The packet is passed to the provider side packet processing unit 120. Note that default routing may be used as routing management related to user-side network information at different locations. Alternatively, the user-side packet processing unit 110 may be separated from the VPN termination device 101 and provided in the user's network as another device connected to the VPN termination device 101.

  The provider side packet processing unit 120 includes a MAC routing table setting instruction receiving unit 121, a MAC routing table storage unit 122, and a packet transfer processing unit 123.

  The MAC routing table setting instruction receiving unit 121 receives a setting instruction including setting information (entry) of the MAC routing table from the NW operation device 500, and uses the received setting information as an entry of the MAC routing table. It is a functional part stored in. The MAC routing table storage unit 122 stores a MAC routing table.

  FIG. 4 shows an example of the MAC routing table according to the present embodiment. As shown in FIG. 4, the MAC routing table is a table in which IP subnetwork information for identifying a destination network, a MAC address of a next hop, and an interface for outputting a packet are associated with each other. In addition to the information shown in FIG. 4, metric information for each destination network may be inserted.

  Returning to FIG. 3, the packet transfer processing unit 123 converts the packet received via the interface 132 connected to the PE device 201 serving as the provider side device and the packet received from the user side packet processing unit 110 into the MAC routing table. It is a functional unit that transfers according to the table information stored in the storage unit 122.

  In the present embodiment, the table setting information is received from the NW operation device 500 and stored. However, the operation terminal connected to the VPN terminal device 101 is connected via the MAC routing table setting instruction receiving unit 121. The setting information may be received and stored in the MAC routing table storage unit 122.

  FIG. 5 shows a functional configuration example of the PE apparatus 201. Other PE apparatuses have the same configuration. As shown in FIG. 5, the PE device 201 includes a MAC learning table setting instruction receiving unit 210, a MAC learning table storage unit 220, a packet transfer processing unit 230, and interfaces 241 and 242. In the example of FIG. 5, the number of interfaces on the user side and the MPLS backbone side is one, but this is only an example, and there may be a plurality of interfaces.

  In this embodiment, in order to facilitate understanding of the technology according to the present invention, the functional configuration of the PE apparatus 201, the contents of the table, and the operation thereof will be described as relating to one VPN user. The apparatus 201 can accommodate a plurality of users. For this purpose, for example, the packet transfer processing unit 230 and the MAC learning table storage unit 220 may be provided for each user. In this configuration, for example, the user is identified by predetermined information (information that can identify the user) in the received packet, the received packet is distributed to the packet transfer processing unit 230 corresponding to the user, and the packet transfer processing unit 230 transfers the received packet. Process. When the packet transfer processing unit 230 transfers a packet to the LSP, a label corresponding to the identified user may be added in addition to the label corresponding to the LSP.

  In addition, instead of such a configuration, a table for each user may be provided in the MAC learning table storage unit 220. In this case, the packet transfer processing unit 230 performs transfer processing by referring to a table corresponding to the user of the received packet.

  The configuration for identifying the user and performing the transfer process is not limited to the above, and various configurations other than the above can be adopted.

  The MAC learning table setting instruction receiving unit 210 receives a setting instruction including setting information (entry) of the MAC learning table from the NW operation device 500, and uses the received setting information as an entry of the MAC learning table. It is a functional part stored in. The MAC learning table storage unit 220 stores a MAC learning table.

  FIG. 6 shows an example of the MAC learning table according to the present embodiment. As shown in FIG. 6, the MAC learning table is a table in which a destination MAC address is associated with an interface that outputs a packet.

  Returning to FIG. 5, the packet transfer processing unit 230 is a functional unit that transfers a packet received via each interface according to the table information stored in the MAC learning table storage unit 220. The packet transfer processing unit 230 has an MPLS function, and when transferring a packet to another PE apparatus, performs packet transfer by performing MPLS encapsulation. That is, when transferring a packet to another PE device, the packet transfer processing unit 230 transfers the packet via the LSP tunnel corresponding to the transfer destination. In the present embodiment, for the transfer to the LSP, the identification information of the LSP is recorded as an “interface” in the MAC learning table. For the transfer to the Ethernet line, the identification information (such as eth0) of the physical interface of Ether is recorded as the “interface”.

  As in the case of the VPN terminating device 101, in the present embodiment, the table setting information is received from the NW operation device 500 and the setting is performed, but the MAC is sent from the operation terminal connected to the PE device 201. The setting information may be received via the learning table setting instruction receiving unit 210 and stored in the MAC learning table storage unit 220.

  Each functional unit of the VPN termination device 101 can be realized by causing a communication device having a computer configuration (including a CPU, a memory, and the like) to execute a program corresponding to each functional unit. Similarly, each functional unit of the PE device 201 can be realized by causing a communication device having a computer configuration (including a CPU, a memory, and the like) to execute a program corresponding to each functional unit. Moreover, you may implement | achieve all or one part function of the VPN termination device 101 and PE apparatus 201 with a hardware logic circuit.

  The program may be installed in a computer from a recording medium such as a portable memory, or may be downloaded from a server on a network.

(System operation)
Next, a packet transfer process according to the present embodiment will be described with reference to FIGS. FIG. 7A shows the network shown in FIG. 2 more specifically. As shown in FIG. 7A, in this example, VPN termination devices 101, 102, and 103 are included, and PE devices 201, 202, and 203 are included. A user terminal A is connected to the VPN terminal device 101, a user terminal B is connected to the VPN terminal device 102, and a user terminal C is connected to the VPN terminal device 103.

Each device is assigned an IP address and a MAC address as shown in FIG. Further, it is assumed that the table setting of each device has already been completed, and the table information shown in the drawing is set in each device. FIG. 7A shows only main table information. FIG. 7A shows that a VPN tunnel is formed between the VPN terminators 101 and 102 corresponding to the following operations.
Hereinafter, an operation example in the case where IP packet communication is performed from the user terminal A to the user terminal B in the network shown in FIG. 7A will be described with reference to the sequence diagram of FIG. In the following description, the functional units in the configuration shown in FIGS.

  Step 101) The user terminal A sends a packet including an IP packet having the IP address of the user terminal B as a destination IP address to the VPN terminating device 101 which is the default gateway of the user terminal A.

  Step 102) In the VPN terminating device 101 that has received the packet from the user terminal A, the user side packet processing unit 110 determines that the destination IP address of the IP packet is the IP address of the network of the user base B that is not the user base A. The received packet is passed to the provider side packet processing unit 120.

  The packet transfer processing unit 123 in the provider side packet processing unit 120 refers to the MAC routing table storage unit 122, and the MAC address of the next hop corresponding to the destination IP address (192.168.1.B) is ββββ. Is recognized as eth1. Then, the packet transfer processing unit 123 sends a packet with a MAC header with the source MAC address αααα corresponding to eth1 and the destination MAC address ββββ from the eth1 interface.

  Step 103) In the PE device 201 that has received the packet from the VPN terminating device 101, the packet transfer processing unit 230 refers to the MAC learning table storage unit 220 and confirms that the interface corresponding to the destination MAC address (ββββ) is LSP1. To grasp. That is, in order to transmit a packet addressed to the MAC address (ββββ), the LSP 1 determines to transfer the packet. Then, the packet transfer processing unit 230 transmits the packet via the LSP1. More specifically, the packet transfer processing unit 230 encapsulates the packet with a label corresponding to LSP1, and transmits the encapsulated packet (referred to as an MPLS packet) from the physical interface corresponding to LSP1.

  Step 104) The MPLS packet transmitted from the PE device 201 reaches the PE device 202. The PE device 202 decapsulates the MPLS packet, and transmits the packet extracted by the decapsulation to the opposite VPN termination device 102 based on the MAC learning table.

  Step 105) In the VPN terminating device 102 that has received the packet, the packet transfer processing unit 123 in the provider side packet processing unit 120 passes the packet to the user side packet processing unit 110 based on the MAC routing table, and the user side packet processing unit 110 transmits an IP packet to the user terminal B by a normal IP routing process.

(Modification)
In the above-described embodiment, an example in which the MPLS backbone 300 using MPLS is applied as the backbone network of the VPN 400 is shown, but the network configuration of the VPN 400 is not limited to this. For example, as shown in FIG. 8, an L2 network 350 (a wide area Ethernet network or the like) can be used. The L2 network 350 is a network configured by connecting L2 switches (such as an Ethernet switch). In FIG. 8, four L2 switches 701, 702, 703, and 704 are shown. The MAC learning table (association between the MAC address and the interface) in each L2 switch is set statically. In addition, in order to make the explanation easy to understand, the MAC learning table in the figure also describes an individual table image of a 1VPN user in this modification, but actually, for example, a table is provided for each user, A transfer process can be performed by referring to a table corresponding to the user identified from the information of the received packet.

  In the configuration of FIG. 8, for example, when packets are to be transferred from the VPN termination device 101 to the VPN termination device 102 (ββββ) via the route of the L2 switch 701-> 703-> 702, the MAC of each L2 switch An entry illustrated in the learning table may be set. Also in the example shown in FIG. 8, IP packet transfer between the user terminals A and B can be performed in the same manner as the example shown in FIG.

(Effect of embodiment)
According to the present embodiment, the routing table storage that stores the routing table in which the IP address, the MAC address, and the output interface are associated with each other in the VPN termination device that configures the VPN that encapsulates and transfers the IP packet with the MAC header. Means, when receiving an IP packet, refer to the routing table to determine a MAC address and an output interface corresponding to a destination IP address of the IP packet, and to determine a packet addressed to the MAC address including the IP packet. And packet transfer means for transferring from the output interface.

  With this configuration, it is possible to prevent the occurrence of traffic for MAC address resolution, and as a result, it is possible to reduce communication delay.

  In addition, since the routing table setting information is received from the NW operation device network-connected to the VPN termination device, and the setting information is stored in the routing table storage unit, the network table further includes Setting management can be performed efficiently.

  In the present embodiment, the VPN terminating device includes a first packet processing unit (user side packet processing unit) connected to a user terminal side network, the routing table storage unit, and the packet transfer unit. Second packet processing means (provider-side packet processing unit) connected to the VPN backbone network, wherein the first packet processing means performs the IP routing process, thereby providing a network on the user terminal side. IP packet transfer is performed.

  With this configuration, it is possible to realize efficient IP VPN communication while maintaining the conventional technology in the user network.

  In the present embodiment, the VPN storage network is configured to store a table in which a MAC address and an output interface are associated with each other in the edge device connected to the VPN termination device. A packet transfer means for determining an output interface corresponding to a destination MAC address of the packet when the packet transferred from the terminating device is received, and transferring the packet from the output interface; It was comprised so that.

  As a result, flooding in the backbone network can be eliminated, and band compression due to wasted traffic can be prevented.

  Further, according to the present embodiment, it is possible to configure a VPN tunnel by encapsulation using a MAC address by arranging a VPN termination device at the location of a conventional CE device. According to this VPN tunnel configuration, the VPN tunnel can be easily identified by simply confirming the destination MAC address in the PE device.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

10, 20, 30 PE equipment 40, 50, 60 CE equipment 70 MPLS backbone 80 VPN
101, 102, 103 VPN terminator 201, 202, 203 PE device 300 MPLS backbone 400 VPN
500 NW operation device 600 Communication network 110 User side packet processing unit 120 Provider side packet processing unit 121 MAC routing table setting instruction receiving unit 122 MAC routing table storage unit 123 Packet transfer processing unit 131, 132 Interface 210 MAC learning table setting instruction receiving unit 220 MAC learning table storage unit 230 packet transfer processing unit 241, 242 interface 350 L2 network 701, 702, 703, 704 L2 switch

Claims (5)

A VPN terminating device that accommodates and transfers IP packets in a VPN tunnel configured by encapsulation using a MAC address,
Routing table storage means for storing a routing table in which IP subnetwork information, a MAC address, and an output interface are associated with each other;
Setting means for receiving setting information of the routing table from an NW operation device network-connected to the VPN terminating device, and storing the setting information in the routing table storage means;
When receiving an IP packet, refer to the routing table to determine the MAC address and output interface corresponding to the destination IP address of the IP packet, and use the MAC address including the IP packet as the destination MAC address And a packet transfer means for transferring the packet from the output interface. The VPN terminator is
First packet processing means connected to the network on the user terminal side;
A second packet processing unit that includes the routing table storage unit and the packet transfer unit and is connected to the backbone network of the VPN,
The VPN terminal apparatus according to claim 1, wherein the first packet processing means performs IP packet transfer to the network on the user terminal side by performing IP routing processing. A VPN termination device according to claim 1 or 2, wherein to configure the VPN backbone network, a communication system and a edge device connected to the VPN termination device,
The edge device is
Table storage means for storing a table in which MAC addresses and output interfaces are associated with each other;
When the packet transferred from the VPN terminating device is received, the table is referred to, an output interface corresponding to the destination MAC address of the packet is determined, and the packet is transferred from the output interface. And a communication system. A packet transfer method executed by a VPN terminating device that accommodates and transfers an IP packet in a VPN tunnel configured by encapsulation using a MAC address,
The VPN termination device includes a routing table storage unit that stores a routing table in which IP subnetwork information, a MAC address, and an output interface are associated with each other.
A setting step of receiving setting information of the routing table from an NW operation device network-connected to the VPN terminating device, and storing the setting information in the routing table storage means;
When receiving an IP packet, refer to the routing table to determine the MAC address and output interface corresponding to the destination IP address of the IP packet, and use the MAC address including the IP packet as the destination MAC address the packet transfer method is characterized in that a packet transfer step of transferring from the output interface. The program for functioning the communication apparatus containing the structure of a computer as each means of the VPN termination device of Claim 1 or 2 .

Images