CN107623636A - User isolation method and switch - Google Patents
Publication number: CN107623636A (application CN201610552867.7)
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Abstract
Embodiments of the present invention provide a user isolation method and a switch, in the field of communications, which solve the problem that BUM traffic cannot be isolated between tenants. The method is as follows. The switch listens to the information carried in a first message sent when a first user comes online. From that information and a correspondence with EPG identifiers, the switch determines that the first user belongs to a first EPG; from the first EPG identifier and the correspondence between EPG identifiers and IP multicast addresses, it determines the first IP multicast address corresponding to the first user, and determines that the first user belongs to the multicast group identified by that address. The switch then adds the first user to the multicast group. When the switch receives first BUM traffic sent by the first user, it encapsulates that traffic as first multicast traffic of the group, carrying the first IP multicast address, so that the multicast traffic is forwarded to the other users of the group. The embodiments are used for user isolation in VXLAN.
Description
Technical field
The present invention relates to the field of communications, and in particular to a user isolation method and a switch.
Background
A virtual local area network (VLAN) is a logical group of devices and users. These devices and users are not constrained by physical location and can be organised by function, department, application and other factors; they communicate with each other as if they were on the same network segment, hence the name. VLANs operate at layers 2 and 3 of the Open System Interconnection (OSI) reference model.
In a computer network, a layer-2 network can be divided into several broadcast domains, each corresponding to a particular tenant, and by default these broadcast domains are isolated from one another. For communication between different broadcast domains, traffic must be forwarded by one or more routers or switches. Such a broadcast domain is a VLAN; the users under one VLAN can form one tenant, i.e. a tenant can contain several users. A tenant can be understood as an end-point policy group (EPG): all users in a tenant form one EPG. Communication between different VLANs or different tenants is completed by a layer-3 router or switch.
Hence, when users are isolated with VLANs, different EPGs are assigned different VLANs. When a device in a VLAN sends broadcast, unknown unicast or multicast (BUM) traffic, it is flooded within that VLAN and every device in the VLAN receives it.
However, VLAN resources are limited (the 12-bit VLAN identifier allows only 4094 usable VLANs), so the number of tenants (isolation groups) that can be supported is limited. If different tenants share the same VLAN, BUM traffic cannot be isolated between them.
Summary of the invention
Embodiments of the present invention provide a user isolation method and a switch that solve the problem that BUM traffic cannot be isolated between tenants.
In one aspect, a user isolation method is provided, comprising:
The switch listens to the information carried in a first message sent when a first user comes online. From the information carried in the first message and its correspondence with end-point policy group (EPG) identifiers, the switch determines that the first user belongs to a first EPG; from the first EPG identifier and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, it determines the first IP multicast address corresponding to the first user, and determines that the first user belongs to the multicast group corresponding to that address. Here an EPG comprises a subset of the users in a VLAN or in a virtual extensible LAN (VXLAN), or users in the same network segment or subnet, and the first EPG is one of several EPGs. The switch adds the first user to the multicast group. When the switch receives first broadcast, unknown unicast or multicast (BUM) traffic sent by the first user, it encapsulates that traffic as first multicast traffic of the group, carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users belonging to the group.
Thus, when different EPGs exist under the same VLAN and the BUM traffic of different EPGs needs to be isolated, one EPG being one tenant group, and once an IP multicast address has been configured for each EPG on the switch: when the first user comes online, the switch uses the information it snooped at that moment to determine the first IP multicast address of the multicast group the first user belongs to, and adds the first user to that group; if the switch then receives BUM traffic sent by the first user, it encapsulates the BUM traffic, according to the first IP multicast address, as multicast traffic that is forwarded only to the remaining users of the group. BUM traffic is thereby isolated between different EPGs under the same VLAN.
In one possible design, the method further comprises: the switch establishes a correspondence between the pair (VLAN identifier, inbound interface identifier) and the EPG identifier, and a correspondence between the EPG identifier and the IP multicast address. These correspondences may be delivered to the switch as configuration by an access controller (AC) or configured on the switch manually.
Thus, whenever a user comes online from an interface of the switch, the switch can determine from the correspondences the EPG the user belongs to and its IP multicast address, and send multicast traffic according to that IP multicast address.
In one possible design, determining from the information carried in the first message and the correspondence with EPG identifiers that the first user belongs to the first EPG comprises: the switch determines that the first user belongs to the first EPG from the first VLAN identifier carried in the first message, the first inbound interface on which the switch received the first message, and the correspondence between (VLAN identifier, inbound interface identifier) and EPG identifier.
In one possible design, adding the first user to the multicast group comprises: the switch determines whether a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address already exists. If so, the first user is added to the multicast group shared with the second user, and a correspondence between the first inbound interface identifier and the first IP multicast address is established. If not, the switch establishes the correspondence between the first inbound interface identifier and the first IP multicast address, sends a multicast join message containing the first IP multicast address towards the rendezvous point (RP) through the upstream device connected to the switch, and establishes a correspondence between the identifier of the first outbound interface on which it sent the join and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the identifier of the inbound interface on which the join was received and the first IP multicast address, and between the identifier of the outbound interface on which the join was sent onward and the first IP multicast address. (As in PIM-SM, only the first local member of a group causes a join to be sent towards the RP; later members add local interface state only.)
Thus, once correspondences between the user's IP multicast address and the inbound and outbound interfaces of the switch have been established, when a user sends multicast traffic the switch forwards it to the remaining users of the group according to the IP multicast address and those interfaces; that is, users are added to the multicast group at interface granularity.
In one possible design, adding the first user to the multicast group comprises: the switch determines whether a second user belonging to the same multicast group as the first user exists. If so, the first user is added to the multicast group shared with the second user, and a correspondence between the pair (first inbound interface identifier, first IP address) and the first IP multicast address is established, or a correspondence between the triple (first inbound interface identifier, first IP address, first VLAN identifier) and the first IP multicast address. If not, the switch establishes the same correspondence (pair or triple with the first IP multicast address), sends a multicast join message containing the first IP multicast address towards the RP through the upstream device connected to the switch, and establishes the correspondence between the identifier of the first outbound interface on which it sent the join and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the inbound interface on which the join was received and the first IP multicast address, and between the outbound interface on which the join was sent onward and the first IP multicast address.
Thus users can be added to the multicast group at user granularity. When several users correspond to the same interface, for example several VMs, and those VMs belong to different EPGs, the VMs belonging to the same EPG can be identified from the correspondence between (user IP address, interface identifier) and EPG, avoiding unnecessary flooding.
In one possible design, the method also comprises: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying the second IP multicast address of the multicast group the third user belongs to, the switch replicates the second multicast traffic according to the correspondence between the second IP multicast address and outbound interfaces and sends it to the users under the outbound interfaces corresponding to the second IP multicast address.
In one possible design, the method also comprises: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying the second IP multicast address of the multicast group the third user belongs to, the switch, according to the correspondence between the pair (second inbound interface identifier, second IP address) of at least one user and the second IP multicast address, replaces the second IP multicast address with the second IP address corresponding to it; the switch takes the interface corresponding to the second inbound interface identifier as outbound interface, replicates the second multicast traffic on that outbound interface, and sends the replicated second multicast traffic to the at least one user according to the replaced second IP address.
For example, when several virtual machines (VMs) are attached under the same interface of the switch and belong to different EPGs, the IP multicast address can be replaced by the IP address of the VM according to the correspondence between (interface identifier, IP address) and the IP multicast address, turning the multicast into unicast, so that multicast traffic of the users of one EPG is not delivered to the users of other EPGs.
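The designs above, from classification at online time through the join towards the RP to the multicast-to-unicast replacement on a shared interface, can be modelled as a small forwarding simulation. This is an added example written for this page, not code from the patent: it implements the user-granularity design, and the topology, interface names, VLAN numbers, MAC and IP addresses are constructed (the EPG names and group addresses follow Fig. 4).

```python
# Added example (not code from the patent): a model of the leaf switch
# behaviour described in the designs above. EPG membership is decided from
# the (VLAN, inbound interface) pair, every EPG owns one IP multicast group,
# BUM frames are wrapped as multicast to that group, only the first local
# member of a group triggers a join towards the RP, and an interface that
# hosts VMs of several EPGs gets per-VM unicast copies instead of a group
# copy. The topology, MAC/IP values and interface names are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    mac: str
    ip: str
    vlan: int
    iface: str  # switch interface through which the user (VM) is reached


@dataclass
class LeafSwitch:
    epg_map: dict    # (VLAN id, inbound interface id) -> EPG id
    group_map: dict  # EPG id -> IP multicast address
    members: dict = field(default_factory=lambda: defaultdict(set))   # group -> users
    by_iface: dict = field(default_factory=lambda: defaultdict(set))  # iface -> users
    rp_joins: list = field(default_factory=list)  # groups joined towards the RP

    def epg_of(self, user):
        return self.epg_map[(user.vlan, user.iface)]

    def user_online(self, user):
        """Classify a user snooped at online time and add it to its EPG's group.
        A join is sent upstream only when the group has no local member yet;
        later members only add local (interface, IP, VLAN) -> group state."""
        group = self.group_map[self.epg_of(user)]
        if not self.members[group]:
            self.rp_joins.append(group)
        self.members[group].add(user)
        self.by_iface[user.iface].add(user)
        return group

    def forward_bum(self, sender, frame):
        """Return the copies emitted for a BUM frame from `sender`: one
        multicast copy (group address) per outbound interface whose users all
        belong to one EPG, and one unicast copy per receiving VM on an
        interface that mixes EPGs, so other tenants never see the frame."""
        group = self.group_map[self.epg_of(sender)]
        copies = []
        for iface, users in self.by_iface.items():
            receivers = sorted((u for u in users if u in self.members[group] and u != sender),
                               key=lambda u: u.ip)
            if not receivers:
                continue
            if len({self.epg_of(u) for u in users}) > 1:
                copies += [("unicast", iface, u.ip, frame) for u in receivers]
            else:
                copies.append(("multicast", iface, group, frame))
        return copies


def build_demo():
    """Constructed topology after Fig. 4: three EPGs sharing one VXLAN, VMs of
    different EPGs side by side on servers eth1..eth3, one lone EPG-1 VM on eth4."""
    epg_map = {(10, "eth1"): "EPG-1", (20, "eth1"): "EPG-2",
               (10, "eth2"): "EPG-2", (20, "eth2"): "EPG-3",
               (10, "eth3"): "EPG-3", (20, "eth3"): "EPG-1",
               (10, "eth4"): "EPG-1"}
    group_map = {"EPG-1": "225.0.0.1", "EPG-2": "225.0.0.2", "EPG-3": "225.0.0.3"}
    sw = LeafSwitch(epg_map, group_map)
    vms = {}
    for n, (vlan, iface) in enumerate([(10, "eth1"), (20, "eth1"), (10, "eth2"), (20, "eth2"),
                                        (10, "eth3"), (20, "eth3"), (10, "eth4")], start=1):
        vms[f"VM{n}"] = User(f"00:00:00:00:00:{n:02x}", f"10.0.0.{n}", vlan, iface)
        sw.user_online(vms[f"VM{n}"])
    return sw, vms


if __name__ == "__main__":
    sw, vms = build_demo()
    print("joins sent to RP:", sw.rp_joins)
    for copy in sw.forward_bum(vms["VM1"], b"ARP who-has"):
        print(copy)
```

Running the demo shows only three joins leaving the switch (one per group, on the first member) and a broadcast from VM1 reaching VM6 as a unicast copy (eth3 also hosts an EPG-3 VM) and VM7 as a multicast copy, while VM2 to VM5 receive nothing.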
In one possible design, after the first user comes online the method also comprises:
The switch establishes a member table for the first user, which contains the correspondence between the first user's MAC address, the first inbound interface identifier, the first VLAN identifier and the first IP address; the first member table is used to check whether a user sending multicast traffic is legitimate.
For example, if another user on another interface forges the IP address and MAC address of the first user and sends attack multicast traffic to the switch, the switch can determine from the saved member table that the interface information of this multicast traffic is wrong, judge the multicast traffic illegitimate, and prevent its transmission.
In one possible design, the method also comprises: when the switch detects that the first user has gone offline, it deletes the member table and sends a second message to the RP, the second message containing the first IP multicast address, so that the RP deletes the correspondence between the identifier of the inbound interface on which it received the multicast join and the first IP multicast address, and between the outbound interface identifier and the first IP multicast address.
Thus, when the first user goes offline, the corresponding entries in the member table on the switch and at the RP are deleted, saving storage space on the switch and the RP.
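The member table of the first design above is the same idea as a DHCP-snooping binding table used for IP source guard: the switch trusts the (MAC, VLAN, interface, IP) binding it learned when the user came online and rejects multicast traffic whose source fields arrive on a different interface. The following is an added example written for this page, not the patent's code; it also covers the offline handling of the second design. The leave towards the RP is sent here only when the switch has no other local member of the group left, which is an assumption (the page states that a second message is sent, not under which condition); all sample addresses are constructed.

```python
# Added example (not code from the patent): the member table of the first
# design above and the offline handling of the second. Each user that came
# online is bound (MAC, VLAN) -> (inbound interface, IP, multicast group),
# i.e. the binding the switch learned from its DHCP message; multicast
# traffic whose (MAC, VLAN, IP) binding does not belong to the interface it
# arrived on is reported as spoofed. On offline the binding is removed; this
# example sends the leave to the RP only when no local member of the group
# remains (an assumption, see the lead-in). Sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    iface: str
    ip: str
    group: str  # IP multicast address of the user's EPG


class MemberTable:
    def __init__(self):
        self._by_key = {}    # (MAC, VLAN) -> Binding
        self.rp_leaves = []  # groups for which a leave was sent towards the RP

    def online(self, mac, vlan, iface, ip, group):
        self._by_key[(mac, vlan)] = Binding(mac, vlan, iface, ip, group)

    def check_source(self, mac, vlan, iface, ip):
        """Legitimacy check for multicast traffic carrying these source
        fields on interface `iface`; returns (accepted, reason)."""
        b = self._by_key.get((mac, vlan))
        if b is None:
            return False, "unknown user"
        if b.iface != iface:
            return False, "interface mismatch"  # forged MAC/IP from another port
        if b.ip != ip:
            return False, "ip mismatch"
        return True, "ok"

    def offline(self, mac, vlan):
        """Remove the user's binding; send a leave for its group when the
        switch has no other member of that group left."""
        b = self._by_key.pop((mac, vlan))
        if not any(x.group == b.group for x in self._by_key.values()):
            self.rp_leaves.append(b.group)
        return b


def demo():
    """Constructed scenario: VM1 (eth1) and VM6 (eth3) are in EPG-1, group
    225.0.0.1; an attacker on eth2 replays VM1's MAC and IP."""
    t = MemberTable()
    t.online("00:00:00:00:00:01", 10, "eth1", "10.0.0.1", "225.0.0.1")
    t.online("00:00:00:00:00:06", 20, "eth3", "10.0.0.6", "225.0.0.1")
    genuine = t.check_source("00:00:00:00:00:01", 10, "eth1", "10.0.0.1")
    spoofed = t.check_source("00:00:00:00:00:01", 10, "eth2", "10.0.0.1")
    return t, genuine, spoofed


if __name__ == "__main__":
    table, genuine, spoofed = demo()
    print("VM1 from eth1:", genuine)
    print("VM1's MAC/IP from eth2:", spoofed)
    table.offline("00:00:00:00:00:01", 10)
    table.offline("00:00:00:00:00:06", 20)
    print("leaves sent to RP:", table.rp_leaves)
```

The check keys on (MAC, VLAN) rather than on IP alone so that an attacker cannot pass by reusing only the victim's IP address with its own MAC; both the interface and the IP must match the learned binding.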
In another aspect, a switch is provided, comprising:
a listening unit, for listening to the information carried in a first message sent when a first user comes online; a determining unit, for determining, from the information carried in the first message and its correspondence with end-point policy group (EPG) identifiers, that the first user belongs to a first EPG, and for determining, from the first EPG identifier and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, the first IP multicast address corresponding to the first user and that the first user belongs to the multicast group corresponding to it, where an EPG comprises a subset of the users in a virtual LAN (VLAN) or a virtual extensible LAN (VXLAN), or users in the same network segment or subnet, and the first EPG is one of several EPGs; an adding unit, for adding the first user to the multicast group; and an encapsulating unit, for encapsulating, when the switch receives first broadcast, unknown unicast or multicast (BUM) traffic sent by the first user, that traffic as first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that it is forwarded to the other users belonging to the multicast group.
In one possible design, the switch further comprises an establishing unit, for establishing the correspondence between the pair (VLAN identifier, inbound interface identifier) and the EPG identifier, and the correspondence between the EPG identifier and the IP multicast address.
In one possible design, the determining unit is for: determining that the first user belongs to the first EPG from the first VLAN identifier carried in the first message, the first inbound interface on which the switch received the first message, and the correspondence between (VLAN identifier, inbound interface identifier) and EPG identifier.
In one possible design, the adding unit comprises a determining sub-unit, for determining whether a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address exists, and an establishing sub-unit, for: if so, adding the first user to the multicast group shared with the second user and establishing the correspondence between the first inbound interface identifier and the first IP multicast address; if not, establishing the correspondence between the first inbound interface identifier and the first IP multicast address. The switch further comprises a sending sub-unit, for sending a multicast join message containing the first IP multicast address towards the rendezvous point (RP) through the upstream device connected to the switch, and for establishing the correspondence between the identifier of the first outbound interface on which the switch sent the join and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the identifier of the inbound interface on which the join was received and the first IP multicast address, and between the identifier of the outbound interface on which the join was sent onward and the first IP multicast address.
In one possible design, the adding unit comprises a determining sub-unit, for determining whether a second user belonging to the same multicast group as the first user exists, and an establishing sub-unit, for: if so, adding the first user to the multicast group shared with the second user and establishing the correspondence between the pair (first inbound interface identifier, first IP address) and the first IP multicast address, or between the triple (first inbound interface identifier, first IP address, first VLAN identifier) and the first IP multicast address; if not, establishing that same correspondence (pair or triple with the first IP multicast address), sending a multicast join message containing the first IP multicast address towards the RP through the upstream device connected to the switch, and establishing the correspondence between the identifier of the first outbound interface on which the switch sent the join and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the inbound interface on which the join was received and the first IP multicast address, and between the outbound interface on which the join was sent onward and the first IP multicast address.
In one possible design, the switch further comprises a sending unit, for: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying the second IP multicast address of the multicast group the third user belongs to, replicating the second multicast traffic according to the correspondence between the second IP multicast address and outbound interfaces and sending it to the users under the outbound interfaces corresponding to the second IP multicast address.
In one possible design, the switch further comprises a replacing unit, for: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic carrying the second IP multicast address of the multicast group the third user belongs to, replacing the second IP multicast address with the second IP address corresponding to it, according to the correspondence between the pair (second inbound interface identifier, second IP address) of at least one user and the second IP multicast address; and a sending unit, for taking the interface corresponding to the second inbound interface identifier as outbound interface, replicating the second multicast traffic on that outbound interface, and sending the replicated second multicast traffic to the at least one user according to the replaced second IP address.
In one possible design, the establishing unit is further for: establishing a member table for the first user, the member table containing the correspondence between the first user's MAC address, the first inbound interface identifier, the first VLAN identifier and the first IP address; the first member table is used to check whether a user sending multicast traffic is legitimate.
In one possible design, the switch further comprises a deleting unit, for deleting the member table when the switch detects that the first user has gone offline; the sending unit is further for sending a second message to the RP, the second message containing the first IP multicast address, so that the RP deletes the correspondence between the identifier of the inbound interface on which it received the multicast join and the first IP multicast address, and between the outbound interface identifier and the first IP multicast address.
Embodiments of the present invention provide a user isolation method and a switch. The switch listens to the information carried in a first message sent when a first user comes online; from that information and the correspondence with EPG identifiers the switch determines that the first user belongs to a first EPG, and from the first EPG identifier and the correspondence between EPG identifiers and IP multicast addresses it determines the first IP multicast address corresponding to the first user and that the first user belongs to the multicast group corresponding to that address; the switch then adds the first user to the multicast group; when the switch receives first BUM traffic sent by the first user, it encapsulates the first BUM traffic as first multicast traffic of the group, carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the group. Thus, by dividing a network into different EPGs and allocating each EPG one IP multicast address that carries all BUM traffic of that EPG's users, user isolation is achieved by isolating the BUM traffic of different EPGs, which solves the problem that BUM traffic cannot be isolated between tenant groups sharing the same VLAN or the same VXLAN. Compared with the prior art, in which such traffic is forwarded in a non-multicast manner and may also reach ports that do not need it, consuming network bandwidth, the present application optimises the forwarding of BUM traffic.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic of a VLAN network structure provided by an embodiment of the present invention;
Fig. 2 is a schematic of a VXLAN network structure provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a user isolation method provided by an embodiment of the present invention;
Fig. 4 is a schematic of a system in which traffic is isolated between several EPGs, provided by an embodiment of the present invention;
Fig. 5 is a signalling flow diagram of a user joining a multicast group, provided by an embodiment of the present invention;
Fig. 6 is a signalling flow diagram for sending multicast traffic, provided by an embodiment of the present invention;
Fig. 7 is a signalling flow diagram for a user going offline, provided by an embodiment of the present invention;
Fig. 8 is a structural schematic of a switch provided by an embodiment of the present invention;
Fig. 9 is a structural schematic of a switch provided by an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
With VLANs, each VLAN corresponds to one network segment or subnet, which reduces the number of servers in one broadcast domain and reduces unnecessary broadcast traffic. As shown in Fig. 1, several users connected to a switch correspond to different VLANs: the user devices of user 1, user 2 and user 3 belong to VLAN10, the user devices of user 4 and user 5 belong to VLAN20, and BUM traffic is isolated between VLAN10 and VLAN20. That is, when any user device in VLAN10 sends BUM traffic, all other user devices in VLAN10 receive it and no user device in VLAN20 does. If that BUM traffic needs to pass from VLAN10 to VLAN20, a router or a layer-3 switch is required.
Virtual extensible LAN (VXLAN) is a technique that encapsulates layer-2 frames in a layer-3 protocol, so that a layer-2 network can be extended across a layer-3 domain. Each broadcast domain (BD) is called a VXLAN segment and is identified by the VXLAN network identifier (VNI) in the VXLAN packet header. The VNI field is 24 bits wide, so the maximum number of segments is 2^24 (about 16 million), and only virtual machines in the same VXLAN segment can communicate with each other directly.
In VXLAN, a traditional physical server is virtualised into several virtual servers, i.e. virtual machines (VMs), each running an independent operating system. The tenant corresponding to a VXLAN owns one VM or a group of VMs in the virtual server resource pool. As shown in Fig. 2, a VXLAN network can include a rendezvous point (RP, not shown), spine switches, leaf switches and servers. Several servers are connected to different leaf switches, each server contains at least one VM, and each VM is an independent user: server 1 contains VM1 and VM2, server 2 contains VM3 and VM4, and server 3 contains VM5 and VM6. Different VMs on the same server may belong to different tenants; in Fig. 2, VM1 and VM6 may belong to one tenant, VM2 and VM3 to another, and VM4 and VM5 to a third. BUM traffic sent by any VM (or server) in a VXLAN is flooded to every member of that VXLAN, and BUM traffic between different VXLANs must pass through a router or a layer-3 switch.
In the prior art, VLANs and VXLANs require global planning, and VLAN and VXLAN resources are limited, so the number of isolation groups that can be supported is limited; if different tenants share the same VLAN or VXLAN, BUM traffic cannot be isolated between tenants. The present invention divides the same VLAN or VXLAN into different tenant groups (EPGs) and allocates each EPG one IP multicast address to carry the BUM traffic of that EPG, so that user isolation is achieved by isolating BUM traffic. Accordingly, an embodiment of the present invention provides a user isolation method, taking VXLAN as the example, as shown in Fig. 3, comprising:
301. The switch establishes the correspondence between the pair (VLAN identifier, inbound interface identifier of the switch) and the EPG identifier, and the correspondence between the EPG identifier and the IP multicast address.
Here the switch is a leaf switch, i.e. the switch directly connected to the user devices.
In this embodiment, each EPG may be allocated one IP multicast address, and the correspondence between the EPG identifier and the IP multicast address established. One EPG is one tenant; the same VLAN may correspond to one EPG or to several EPGs, i.e. several EPGs share the same VLAN, and likewise the same VXLAN may correspond to one EPG or to several EPGs. For example, as shown in Fig. 4, the VMs are connected through top-of-rack (ToR) switches (not shown), and in this embodiment the ToR is the leaf switch. VM1 and VM6 are one tenant and belong to EPG-1, whose IP multicast address is 225.0.0.1; VM2 and VM3 are one tenant and belong to EPG-2, whose IP multicast address is 225.0.0.2; VM4 and VM5 are one tenant and belong to EPG-3, whose IP multicast address is 225.0.0.3. EPG-1, EPG-2 and EPG-3 all belong to the same VXLAN broadcast domain BD8, whose VNI is 10000 and whose network segment is 192.168.1.1/16. Gateway (GW) 1 and GW2 can be routers or switches.
Once the correspondence between (VLAN identifier, inbound interface identifier of the leaf switch) and EPG identifier has been configured on the leaf switch, when a user comes online the leaf switch can determine the EPG the user belongs to from the identifier of the inbound interface on which it received the user's message, the VLAN identifier carried in the message, and that correspondence.
The correspondences established on the leaf switch, between (VLAN identifier, inbound interface identifier) and EPG identifier and between EPG identifier and IP multicast address, can be configured manually on the leaf switch, or, as in Fig. 4, delivered to the leaf switch by the access controller (AC), directly or indirectly through other switches, and stored on the leaf switch. With manual configuration the correspondences are entered on the leaf switch through the command line. When the AC delivers the configuration, it is first entered at the AC through the command line and then passed by the AC to the leaf switch through the GW connected between them; alternatively the AC can be connected directly to the leaf switch and deliver the configuration directly, for example through an OpenFlow interface, a network management interface or another interface.
302nd, interchanger intercepts the information carried in the first message sent when the first user reaches the standard grade.
When a certain moment, a new user (a corresponding VM) from leaf switch onlines when, leaf interchangers can connect
The first message of the first user transmission is received, first message can be DHCP (Dynamic Host
Configuration Protocol, DHCP) message, and intercept the first media interviews of the first user carried in DHCP message
Control (Media Access Control, MAC) address and the first VLAN belonging to the first user the first VLAN marks.
303rd, interchanger determines that the first user belongs to according to the information and the corresponding relation of EPG mark that are carried in the first message
The corresponding first IP groups of the first user are determined in the first EPG, and according to the first EPG mark and the corresponding relation of IP multicast address
Broadcast address.
The first MAC Address for the first user that Leaf interchangers carry in the first message is listened to and the first VLAN marks
Afterwards, it can determine that the first user connects the first interface mark of leaf interchangers according to the interface for receiving the first message, and be the
One user distributes the first IP address.Leaf interchangers can be according to the first MAC Address, the first VLAN marks, the first IP address and the
One interface identifier is that the first user equipment establishes membership table, and membership table includes first MAC Address, the first VLAN marks, first
The information such as IP address and first interface mark.The membership table can be used for safety check, to detect the multicast data flow of subsequent user transmission
Whether amount is legal, such as another user to be present counterfeit with first the first MAC Address of user's identical and the first IP address, still
What another user and the first user connected with leaf interchangers respectively is different interfaces, another user may from another interface to
Leaf interchangers send the flux of multicast for attack.Assuming that leaf interchangers it is determined that another user send flux of multicast when with
The first IP address and the first MAC Address all same in membership table, but interface identifier identifies with the first interface in membership table
Difference, then leaf interchangers can not receive the flux of multicast that another user sends.
Due to preserving interface identifier and VLAN the marks corresponding relation with EPG mark jointly in leaf interchangers, in
It is that leaf interchangers can identify according to first interface and the first VLAN identifies the corresponding relation with the first EPG mark jointly
Determine that the first EPG belonging to the first user, such as the first user belong to EPG-1.Again due to preserving EPG's in leaf interchangers
Mark and the corresponding relation of IP multicast address, therefore, leaf interchangers can be according to the mark of the first EPG belonging to the first user
Corresponding first IP multicast address of multicast group belonging to determining the first user with the corresponding relation of the first IP multicast address, such as
IP multicast address corresponding to EPG-1 is 225.0.0.1, and IP multicast address corresponding to the multicast group belonging to the first user is just
225.0.0.1.Multicast group can be understood as the destination address that multicast message or data frame are sent, and goal address is for example
For 225.0.0.1.
It is due to jointly leaf with the corresponding relation of EPG mark that Leaf interchangers, which preserve interface identifier and VLAN marks,
The same interface of interchanger may be connected with the VM in different EPG, i.e. the either interface of leaf interchangers can connect different
VM in VXLAN or different EPG.
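The classification and member-table check of steps 302 and 303, written out as an added example (this is illustrative code, not the patent's implementation). It parses a tagged DHCPACK to recover the client MAC, the VLAN ID and the leased IP, maps (VLAN, ingress port) to an EPG and the EPG to its group address, and then applies the security check from the text: a frame that claims a known (MAC, IP) pair is accepted only from the port that pair was learned on. The port names, the VLAN 100 mapping and the sample DHCPACK builder are constructed for the example; only the EPG names and the 225.0.0.x group addresses come from the Fig. 4 description.

```python
import struct
from dataclasses import dataclass

# Constructed configuration after the Fig. 4 example: the three EPGs share one
# VLAN (100) in VNI 10000, and EPG-1 is reachable on two leaf ports.
EPG_BY_VLAN_PORT = {
    (100, "eth1"): "EPG-1",
    (100, "eth2"): "EPG-2",
    (100, "eth3"): "EPG-3",
    (100, "eth4"): "EPG-1",
}
GROUP_BY_EPG = {"EPG-1": "225.0.0.1", "EPG-2": "225.0.0.2", "EPG-3": "225.0.0.3"}
DHCP_MAGIC = b"\x63\x82\x53\x63"


@dataclass(frozen=True)
class Member:
    mac: str
    vlan: int
    ip: str
    port: str
    epg: str
    group: str


def snoop_dhcp_ack(frame: bytes):
    """Step 302: from an 802.1Q-tagged IPv4/UDP DHCPACK (server -> client),
    return (client MAC, VLAN ID, leased IP); None for anything else."""
    if len(frame) < 46 or frame[12:14] != b"\x81\x00" or frame[16:18] != b"\x08\x00":
        return None
    vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    ihl = (frame[18] & 0x0F) * 4
    if frame[18 + 9] != 17:                         # IPv4 protocol field: not UDP
        return None
    udp = 18 + ihl
    if struct.unpack("!HH", frame[udp:udp + 4]) != (67, 68):
        return None
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC or bootp[0] != 2 or bootp[2] != 6:
        return None                                 # need BOOTREPLY with 6-byte hw address
    i, msg_type = 240, None                         # walk options for type 53
    while i + 1 < len(bootp) and bootp[i] != 0xFF:
        if bootp[i] == 0:                           # pad option
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        if code == 53 and length == 1:
            msg_type = bootp[i + 2]
        i += 2 + length
    if msg_type != 5:                               # only DHCPACK carries a granted lease
        return None
    mac = ":".join(f"{b:02x}" for b in bootp[28:34])   # chaddr
    ip = ".".join(str(b) for b in bootp[16:20])         # yiaddr
    return mac, vlan, ip


def classify(vlan: int, port: str):
    """Step 303: (VLAN ID, ingress port) -> EPG -> the EPG's group address."""
    epg = EPG_BY_VLAN_PORT[(vlan, port)]
    return epg, GROUP_BY_EPG[epg]


class MemberTable:
    def __init__(self):
        self._by_mac_ip = {}

    def on_frame(self, frame: bytes, port: str):
        """Learn a member from a DHCPACK seen on `port`; returns the entry or None."""
        lease = snoop_dhcp_ack(frame)
        if lease is None:
            return None
        mac, vlan, ip = lease
        epg, group = classify(vlan, port)
        member = Member(mac, vlan, ip, port, epg, group)
        self._by_mac_ip[(mac, ip)] = member
        return member

    def accept_multicast(self, mac: str, ip: str, port: str) -> bool:
        """The security check of step 303: a known (MAC, IP) is accepted only
        from the port it was learned on, so a forged copy on another port is dropped."""
        member = self._by_mac_ip.get((mac, ip))
        return member is not None and member.port == port


def build_dhcp_ack(client_mac: str, vlan: int, yiaddr: str) -> bytes:
    """Constructed sample input: a minimal tagged DHCPACK (no checksums filled in)."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, bytes(int(x) for x in yiaddr.split(".")),
                        b"\0" * 4, b"\0" * 4, mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, 5, 0xFF])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp) + len(options), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp) + len(options),
                     0, 0, 64, 17, 0, bytes([192, 168, 1, 1]), bytes([255, 255, 255, 255]))
    eth = mac + b"\x00\x00\x5e\x00\x53\x01" + struct.pack("!HHH", 0x8100, vlan, 0x0800)
    return eth + ip + udp + bootp + options
```

Only the DHCPACK is learned from, because DHCPOFFER carries a proposed rather than a granted address; an attacker who can inject a forged DHCPACK on their own port would still land in the EPG that port is configured for, since the (VLAN, port) mapping, not the packet contents, selects the EPG.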
304th, the first user is added multicast group by interchanger, then performs step 305 or step 306.
Leaf interchangers can add the first user it is determined that after the first IP multicast address of multicast group belonging to the first user
Enter into the multicast group.The process that user adds multicast group is to establish the process of multicast share tree, the multicast share tree of foundation
Shi Jun establishes by root of RP known to leaf interchangers.Wherein, multicast share tree is after selecting a RP in a network, all
Multicast message is required for being transmitted from this RP.RP is a router or interchanger set in advance, undertakes forwarding institute
The responsibility of some multicast messages.The server of multicast message is sent before multicast message is sent, it is necessary to being registered on RP, so
RP shortest path is determined by direct-connected router or interchanger afterwards, the shortest path to destination is determined by RP
Footpath.
The embodiment of the present application is added to multicast group including being added to multicast group neutralization based on interface granularity based on user's granularity
In.No matter the first user is added in multicast group based on interface granularity or user's granularity, the first user is being added to this
Before multicast group, due to the user that may be connected with the different interface of leaf interchangers in same EPG, if with the first user
Another user for belonging to same multicast group has been had been added in the multicast group, then the transmission path and RP of another user and RP
Transmission path to destination has built up, and leaf interchangers need not be sent multicast and added by multicast share tree to RP to disappear
For breath to be added in multicast group, the first user need to only be added to the multicast group belonged to altogether with another user by leaf interchangers
In.
Therefore, leaf interchangers by the first user add multicast group before, leaf interchangers first determine be in interchanger
It is no to preserve the second user for belonging to same multicast group with the first user, it can specifically determine whether established in leaf interchangers
First VLAN is identified and the corresponding relation of second interface mark and the first EPG mark, i.e., in leaf interchangers under distinct interface
User may belong to same EPG, however, it is determined that foundation has, it is determined that exists in leaf interchangers and with the first user belongs to same group
The second user of group is broadcast, now, the path corresponding to the multicast group for forwarding multicast flow is it has been established that leaf interchangers
First user need to be added in the multicast group of leaf interchangers.
Specifically, if the first user is added in multicast group based on interface granularity, and existing belong to the first user
The second user of same multicast group, then leaf interchangers foundation receive the first incoming interface of the first message of the first user transmission
The corresponding relation of mark and the first IP multicast address;If the first user is added in multicast group based on interface granularity, and do not deposit
Belonging to the second user of same multicast group with the first user, then as shown in figure 5, leaf interchangers establish the first incoming interface mark
With the corresponding relation of the first IP multicast address, multicast join message, group are sent to RP by the upstream equipment being connected with interchanger
Broadcasting addition message includes the first IP multicast address, and establishes the first outgoing interface mark that leaf interchangers send multicast join message
With the corresponding relation of the first IP multicast address, when upstream equipment and RP receive multicast join message, upstream equipment and RP are built
The incoming interface mark of the vertical interface for receiving multicast join message and the corresponding relation of the first IP multicast address, and send multicast and add
The outgoing interface mark and the corresponding relation of the first IP multicast address of message.Specifically, leaf interchangers can be unrelated by agreement
(upstream interchanger and RP send multicast addition to (Protocol Independent Multicast, PIM) Join messages to multicast
Message, the upstream switches and RP that multicast join message is received per one-level establish the incoming interface for receiving PIM Join messages
With the outgoing interface pass corresponding with the first IP multicast address of the corresponding relation of the first IP multicast address, and transmission PIM Join messages
System, the first user is added in multicast group;
If the first user is added in multicast group based on user's granularity, and existing and the first user belongs to same multicast
Group second user, then leaf interchangers establish the first incoming interface mark and the first IP address jointly with the first IP multicast address
Corresponding relation, or establish the first incoming interface mark, the first IP address and the first VLAN mark jointly with the first IP multicast address
Corresponding relation;If the first user is added in multicast group based on user's granularity, and it is not present and belongs to same group with the first user
Broadcast group second user, then leaf interchangers establish the first incoming interface mark and the first IP address jointly with the first IP multicast address
Corresponding relation, or establish the first incoming interface mark, the first IP address and the first VLAN mark jointly with the first IP multicast address
Corresponding relation after, by with the upstream equipment that leaf interchangers are connected to RP send multicast join message, the multicast add disappears
Breath includes the first IP multicast address, and establishes the first outgoing interface mark and first that leaf interchangers send multicast join message
The corresponding relation of IP multicast address, each upstream equipment and RP are established after multicast access message is received and receive multicast addition
Incoming interface mark and the corresponding relation of the first IP multicast address of message, and send the outgoing interface mark of multicast join message and the
The corresponding relation of one IP multicast address, the first user is added in multicast group.
305th, when interchanger receives the first BUM flows of the first user transmission, interchanger encapsulates the first BUM flows
For the first flux of multicast of multicast group, so that the first flux of multicast is forwarded to the other users for belonging to multicast group.
When the first user is VM, VXLAN tunneling terminations (VXLAN can also be deployed with leaf interchangers
Tunneling End Point, VTEP), at one end by BUM flows be encapsulated as after VXLAN data messages by tunnel to
Other end VTEP sends encapsulated message, and other end VETP E-Packets to each user after receiving the message decapsulation of encapsulation.Can
Choosing, VETP can also be deployed in the virtual switch (Virtual Switch, vSwitch) of server, i.e. leaf is exchanged
Machine is that failure is true so that forwarding is tabled look-up by MAC or IP control of the vSwitch based on VM when receiving the flux of multicast of user's transmission
Constant flow is not unicast, it is necessary to flood, and BUM flows can be encapsulated as into flux of multicast by the vSwitch in server and is sent to
Leaf interchangers.
After the first user is added in multicast group by leaf interchangers, if the first user will send BUM flows to multicast
Other users in group, then when the leaf interchangers being connected with the first user receive the first BUM flows of the first user transmission
When, if leaf interchangers carry out routing table look-up or address resolution protocol (Address Resolution Protocol, ARP)
Table look-up or media access control (Media Access Control, MAC) table look-up failure when, it is not unicast to illustrate flow, but
BUM flows are, it is necessary to flood.As shown in fig. 6, the first BUM flows are encapsulated as the first user and added by the VTEP in leaf interchangers
Multicast group the first flux of multicast, forward first flux of multicast according to multicast share tree in VXLAN so that this first group
Broadcast flow and the other users for belonging to the multicast group are forwarded in the multicast share tree established.Specifically, the first flux of multicast
Include the first IP multicast address, when leaf interchangers receive first flux of multicast, leaf interchangers are according to the first IP
First flux of multicast is sent to upstream switches by multicast address and the corresponding relation of the first outgoing interface mark, and upstream switches is again
According to the incoming interface mark established in step 304 and corresponding relation and the outgoing interface mark and the first IP groups of the first IP multicast address
First flux of multicast is sent to what multicast group was connected with remaining user by the corresponding relation for broadcasting address by spine interchangers and RP
Other leaf interchangers, other leaf interchangers according to remaining user add multicast group when the first IP multicast address and with it is other
The corresponding relation of the outgoing interface of leaf interchangers connection, the first flux of multicast is sent to remaining user of multicast group.
306th, when the second flux of multicast corresponding to interchanger receives the 3rd user, the second flux of multicast includes the 3rd and used
Second IP multicast address corresponding to multicast group belonging to family, interchanger close according to the second IP multicast address is corresponding with outgoing interface
System, replicates to the user under outgoing interface corresponding with the second IP multicast address and sends the second flux of multicast.
For the leaf interchangers, if in the multicast group for being added user based on interface granularity, then if should
When leaf interchangers receive the second flux of multicast corresponding to the 3rd user of the upstream equipment forwarding of multicast share tree, it is assumed that the
Two flux of multicast include the second IP multicast address corresponding to multicast group belonging to the 3rd user, and the leaf interchangers can be according to the
The corresponding relation of two IP multicast address and outgoing interface, replicated to the user under outgoing interface corresponding with the second IP multicast address concurrent
Give second flux of multicast.Due to carrying the second IP multicast address in the second flux of multicast, the use that is connected under the leaf interchangers
It is identical with multicast address corresponding to the 3rd user to belong to same EPG user's set in family with the 3rd user, i.e. the 2nd IP multicasts
Address, the user to be reached the standard grade in user set such as above-mentioned first user, can also be added to the multicast of the 3rd user when reaching the standard grade
In group, the corresponding relation of the incoming interface being connected with leaf interchangers and the second IP multicast address can be established, then when leaf is exchanged
When machine receives the second flux of multicast of upstream transmission, the second IP multicast address that can be in the second flux of multicast is handed over leaf
The corresponding relation for the incoming interface changed planes, the outgoing interface that incoming interface is sent as user downstream, with the in gathering to user
The user that three users belong to same EPG sends the second flux of multicast.Exchanged because the user in same EPG may be connected to leaf
On machine on different interfaces, when multiple interfaces that the user that leaf interchangers are determined in the EPG is connected with leaf interchangers,
Leaf exchange opportunities replicate the second flux of multicast received under the interface of each determination, and are sent to the interface of each determination
Second flux of multicast, to cause the user of same EPG under distinct interface under leaf interchangers to receive second flux of multicast.
Wherein when sending the second flux of multicast, the VTEP in leaf interchangers can be the deblocking of the second IP multicast address according to purpose IP
The second flux of multicast is filled, obtains message corresponding to the second flux of multicast, to replicate and send the user under the message to outgoing interface;
Or the second flux of multicast is sent to the user under outgoing interface by leaf interchangers, the vSwitch in server where user
Second flux of multicast can be decapsulated, the message after being decapsulated.
Due in VXLAN, multiple VM may be included in the server connected under same interface, if by flux of multicast
Replicated under the interface of leaf switch-to-servers connection and be forwarded to the server, may be such that multiple VM in the server
The flux of multicast can be received, but if when multiple VM belong to different EPG, different tenants can be caused all to receive this
Flux of multicast, therefore, in above-mentioned steps 304, if the multicast group for being added user based on user's granularity, i.e. leaf interchangers
The corresponding relation of the IP address for having user and IP multicast address is established, then when leaf interchangers receive corresponding to the 3rd user the
During two flux of multicast, interchanger can according to corresponding at least one user the second incoming interface mark and the second IP address jointly with
Second IP multicast address should be related to, by the second IP multicast address with replacing with twoth IP corresponding with the second IP multicast address
Location;Leaf interchangers will replicate the second multicast data flow with the second incoming interface corresponding interface of mark as outgoing interface at outgoing interface
Amount, and the second flux of multicast of duplication is sent to by least one user according to the second IP address after replacement.That is, work as
When the second flux of multicast that upstream is sent reaches leaf interchangers, if preserved in leaf interchangers in the second flux of multicast
The the second incoming interface mark and the corresponding relation of the second IP address that second IP multicast address is connected with VM and leaf interchangers, by group
Broadcast and switch to unicast, i.e., replace the second IP multicast address with the second IP address of multiple VM under same EPG, and by under same EPG
The outgoing interfaces that are sent with multiple incoming interfaces that the leaf interchangers are connected as flow of VM, replicated at each outgoing interface this
Two flux of multicast, the second IP address for unicast after replacing is carried in the second flux of multicast, when server receives the
After two flux of multicast, the second flux of multicast is sent to multiple VM under same EPG according to the second IP address by meeting, can so keep away
The user for exempting from EPG different under same interface receives flux of multicast, and to reduce upstream device, unnecessary flow is flooded or connect
Receive unknown flow rate.
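The encapsulation of step 305 and the egress handling of step 306, as one added example (illustrative code, not the patent's implementation). `encapsulate_bum` wraps a BUM frame in IPv4/UDP/VXLAN with the EPG's group address as the outer destination and VNI 10000; `replicate_at_leaf` does the receiving leaf's work for both granularities, and at user granularity rewrites the outer destination to each member's unicast address (the multicast-to-unicast conversion described above) and recomputes the IPv4 header checksum. The VTEP address 10.0.0.1, the port names, the user IPs and the egress table are constructed for the example; the UDP checksum is deliberately left at zero, which IPv4 permits, so the rewrite does not have to touch a pseudo-header.

```python
import struct

VXLAN_UDP_PORT = 4789


def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def _ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, 17, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def encapsulate_bum(inner_frame: bytes, vni: int, group_ip: str, vtep_ip: str) -> bytes:
    """Step 305: VXLAN-encapsulate a BUM frame; the outer destination is the
    EPG's IP multicast address, so the shared tree delivers it to that EPG only."""
    vxlan = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)      # I flag set, 24-bit VNI
    udp_payload = vxlan + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    return _ipv4_header(vtep_ip, group_ip, len(udp)) + udp


def outer_dst(pkt: bytes) -> str:
    return ".".join(str(b) for b in pkt[16:20])


def vni_of(pkt: bytes) -> int:
    return struct.unpack("!I", pkt[32:36])[0] >> 8         # IPv4(20) + UDP(8) + flags/reserved(4)


def decapsulate(pkt: bytes) -> bytes:
    """What the receiving VTEP (leaf switch or vSwitch) hands to the VM."""
    return pkt[36:]


def _rewrite_outer_dst(pkt: bytes, new_dst: str) -> bytes:
    """Multicast-to-unicast: replace the outer destination and refresh the checksum."""
    hdr = pkt[:16] + _ip(new_dst)
    hdr = hdr[:10] + b"\0\0" + hdr[12:]
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:] + pkt[20:]


def replicate_at_leaf(pkt: bytes, egress: dict, granularity: str) -> list:
    """Step 306 on the receiving leaf. `egress` maps a group address to its
    entries: a list of ports (interface granularity) or of (port, user IP)
    pairs (user granularity). Returns [(port, packet)] to transmit. At user
    granularity each copy is addressed to one member, so VMs of other EPGs
    on the same port are not handed a packet for a group they never joined."""
    entries = egress.get(outer_dst(pkt), [])
    if granularity == "interface":
        return [(port, pkt) for port in sorted(set(entries))]
    return [(port, _rewrite_outer_dst(pkt, user_ip)) for port, user_ip in sorted(entries)]
```

At interface granularity the same packet goes out once per port, which is exactly the case the text warns about when several tenants' VMs sit behind one port; the user-granularity branch is the fix the text describes.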
Optionally, when the first user goes offline, in order to save the switch's storage resources, the method further includes:
307. When the switch detects that the first user has gone offline, it sends a second message to the RP; the second message contains the first IP multicast address, so that the RP deletes the correspondence between the identifier of the ingress interface on which the multicast join message was received and the first IP multicast address, and between the egress interface identifier and the first IP multicast address.
As shown in Fig. 7, when the first user goes offline it may send an offline notification to the leaf switch, the notification containing the first user's first IP address and the first IP multicast address. When the leaf switch detects that the first user has gone offline, it can delete the correspondence between the first ingress interface identifier and the first IP multicast address established when the first user joined the multicast group at interface granularity, or the joint correspondence between (first ingress interface identifier, first IP address) and the first IP multicast address established when the first user joined at user granularity, and sends the second message, carrying the first IP multicast address, to the RP; after receiving it, the RP deletes the correspondence between the first IP multicast address and the ingress interface on which the multicast join message was received. At the same time, the leaf switch deletes the member table established for the first user.
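The leaf-side bookkeeping of step 304 and the offline clean-up of step 307 in one added example (illustrative code, not the patent's implementation). `join` sends the join towards the RP only for the first local member of a group, as the text describes; `forwarding_entries` produces the egress entries that step 306 consumes at either granularity. Two choices in this example are assumptions rather than what the text states: membership is tracked per user even at interface granularity, so that a port entry disappears only when the last user on that port leaves, and the prune (the second message of step 307) is sent only when the last local member of the group has gone, since pruning at the RP while other local members remain would cut those members off. The port names, addresses and the "uplink0" upstream port are constructed.

```python
class LeafMulticastState:
    """Per-leaf multicast membership at 'interface' or 'user' granularity."""

    def __init__(self, granularity: str, upstream_port: str):
        if granularity not in ("interface", "user"):
            raise ValueError(f"unknown granularity {granularity!r}")
        self.granularity = granularity
        self.upstream_port = upstream_port
        self.users = {}            # user IP -> (group, port, vlan)
        self.upstream_msgs = []    # ("join" | "prune", group, upstream port), in order

    def _members(self, group: str):
        return [(ip, port, vlan) for ip, (g, port, vlan) in self.users.items() if g == group]

    def join(self, group: str, port: str, ip: str, vlan: int) -> bool:
        """Step 304. Records the user; returns True when a PIM Join had to be
        sent upstream because this is the first local member of the group."""
        first = not self._members(group)
        self.users[ip] = (group, port, vlan)
        if first:
            self.upstream_msgs.append(("join", group, self.upstream_port))
        return first

    def leave(self, ip: str) -> bool:
        """Step 307. Drops the user's entries; returns True when the prune
        (the 'second message') went to the RP because no local member remains."""
        group, _, _ = self.users.pop(ip)
        if self._members(group):
            return False
        self.upstream_msgs.append(("prune", group, self.upstream_port))
        return True

    def forwarding_entries(self, group: str):
        """Step 306 lookup: egress ports (interface granularity) or
        (port, user IP) pairs (user granularity) for a group address."""
        members = self._members(group)
        if self.granularity == "interface":
            return sorted({port for _, port, _ in members})
        return sorted((port, ip) for ip, port, _ in members)
```

The member table of step 303 keys on (MAC, IP, port); this state keys on the user IP alone because the text's offline notification carries the IP and the group address, which is all that is needed to find and remove the entry.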
In addition, the leaf switch may maintain a MAC table and an ARP table for users. The MAC table contains the correspondence between MAC addresses and interfaces established by the leaf switch, and the ARP table contains the correspondence between MAC addresses and IP addresses. Therefore, when the first user goes offline, the leaf switch can also age out the MAC table and ARP table entries corresponding to the first user's MAC address, to save the leaf switch's storage space.
Thus, the embodiments of the present invention provide a user isolation method: the switch snoops the information carried in the first message sent when the first user comes online; the switch determines, from that information and its correspondence with EPG identifiers, that the first user belongs to the first EPG, determines from the first EPG identifier and the correspondence between EPG identifiers and IP multicast addresses the first IP multicast address corresponding to the first user, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; the switch then adds the first user to the multicast group; and when the switch receives first BUM traffic sent by the first user, it encapsulates the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic carrying the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group. In this way, by dividing a network into different EPGs and allocating each EPG one IP multicast address to carry all BUM traffic of that EPG's users, i.e. by isolating the BUM traffic of different EPGs, user isolation is achieved, solving the problem that BUM traffic cannot be isolated between tenant groups sharing the same VLAN or the same VXLAN. Compared with the non-multicast forwarding of the prior art, which can cause ports that need not receive the traffic to receive it anyway and thereby consume network bandwidth, the present application can improve the forwarding performance of BUM traffic.
An embodiment of the present invention provides a switch 8, as shown in Fig. 8, including:
a snooping unit 802, for snooping the information carried in the first message sent when the first user comes online;
a determining unit 803, for determining, from the information carried in the first message and its correspondence with endpoint policy group (EPG) identifiers, that the first user belongs to the first EPG, and determining, from the first EPG identifier and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, the first IP multicast address corresponding to the first user, and determining that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible LAN (VXLAN), or some of the users in the same network segment or subnet, and the first EPG is one of several EPGs;
an adding unit 804, for adding the first user to the multicast group;
an encapsulating unit 805, for, when the switch receives first broadcast, unknown unicast and multicast (BUM) traffic sent by the first user, encapsulating the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic containing the first IP multicast address, so that the first multicast traffic is forwarded to the other users belonging to the multicast group.
Optionally, the switch may further include an establishing unit 801, for establishing the joint correspondence between (VLAN identifier, ingress interface identifier) and EPG identifier, and establishing the correspondence between EPG identifier and IP multicast address.
Optionally, the determining unit 803 may be used to determine that the first user belongs to the first EPG from the first VLAN identifier carried in the first message, the first ingress interface on which the switch received the first message, and the joint correspondence between (VLAN identifier, ingress interface identifier) and EPG identifier.
Optionally, the determining unit 803 may be used to snoop the Dynamic Host Configuration Protocol (DHCP) message sent when the first user comes online, the DHCP message carrying the first user's first MAC address and the first VLAN identifier of the first VLAN to which the first user belongs.
Optionally, the adding unit 804 may include: a determining subunit 8041, for determining whether a second user exists that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address; and an establishing subunit 8042, for, if the determination is yes, adding the first user to the multicast group shared with the second user and establishing the correspondence between the first ingress interface identifier and the first IP multicast address, and, if the determination is no, establishing the correspondence between the first ingress interface identifier and the first IP multicast address, in which case the adding unit 804 further includes a sending subunit 8043, for sending a multicast join message containing the first IP multicast address to the rendezvous point (RP) through the upstream device connected to the switch, and establishing the correspondence between the identifier of the first egress interface through which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the identifier of the ingress interface on which the multicast join message was received and the first IP multicast address, and between the identifier of the egress interface on which the multicast join message was sent and the first IP multicast address.
Optionally, the adding unit 804 may include: a determining subunit 8041, for determining whether a second user belonging to the same multicast group as the first user exists; and an establishing subunit 8042, for, if the determination is yes, adding the first user to the multicast group shared with the second user and establishing the joint correspondence between (first ingress interface identifier, first IP address) and the first IP multicast address, or between (first ingress interface identifier, first IP address, first VLAN identifier) and the first IP multicast address, and, if the determination is no, establishing the joint correspondence between (first ingress interface identifier, first IP address) and the first IP multicast address, or between (first ingress interface identifier, first IP address, first VLAN identifier) and the first IP multicast address, sending a multicast join message containing the first IP multicast address to the rendezvous point (RP) through the upstream device connected to the switch, and establishing the correspondence between the identifier of the first egress interface through which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish the correspondence between the identifier of the ingress interface on which the multicast join message was received and the first IP multicast address, and between the identifier of the egress interface on which the multicast join message was sent and the first IP multicast address.
Optionally, the switch may further include a sending unit 806, for, when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic containing the second IP multicast address of the multicast group to which the third user belongs, replicating the second multicast traffic to the users under the egress interfaces corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and egress interfaces, and sending it.
Optionally, the switch further includes a replacing unit 807, for, when the switch receives second multicast traffic corresponding to the third user, the second multicast traffic containing the second IP multicast address of the multicast group to which the third user belongs, replacing the second IP multicast address with the second IP address corresponding to it, according to the joint correspondence of (second ingress interface identifier, second IP address) of at least one user with the second IP multicast address.
The sending unit 806 may then be used to take the interface corresponding to the second ingress interface identifier as the egress interface, replicate the second multicast traffic at that egress interface, and send the replicated second multicast traffic to the at least one user according to the replaced second IP address.
Optionally, the establishing unit 801 may further be used to establish a member table for the first user, the member table containing the correspondence between the first user's MAC address, the first ingress interface identifier, the first VLAN identifier and the first IP address; the first member table is used to check whether a user that subsequently sends multicast traffic is legitimate.
Optionally, the switch may further include a deleting unit 808, for deleting the member table when the switch detects that the first user has gone offline.
The sending unit 806 is further used to send a second message to the rendezvous point (RP), the second message containing the first IP multicast address, so that the RP deletes the correspondence between the identifier of the ingress interface on which the multicast join message was received and the first IP multicast address, and between the egress interface identifier and the first IP multicast address.
Thus, the switch provided in the embodiment of the present invention snoops the information carried in the first message sent when the first user comes online; according to that information and its correspondence with EPG identifiers, the switch determines that the first user belongs to the first EPG, determines the first IP multicast address corresponding to the first user according to the identifier of the first EPG and the correspondence between EPG identifiers and IP multicast addresses, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; the switch then adds the first user to that multicast group. When the switch receives the first BUM traffic sent by the first user, it encapsulates the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic including the first IP multicast address, so that the first multicast traffic is forwarded to the other users of the multicast group. By dividing one network into different EPGs, with each EPG assigned one IP multicast address to carry all BUM traffic of the users of that EPG, user isolation is achieved by isolating the BUM traffic of different EPGs, which solves the problem that BUM traffic between tenant groups sharing the same VLAN or the same VXLAN cannot be isolated. Compared with the non-multicast forwarding of the prior art, in which unnecessary ports also receive the traffic and network bandwidth is consumed, the present application can optimize the forwarding of BUM traffic.
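As an added example (not code from the patent), the following Python model walks through the switch behaviour summarized above: a user is classified by VLAN and ingress interface into an EPG, the EPG maps to one IP multicast group, a membership table validates senders, BUM traffic is encapsulated as multicast and delivered only to other members of the same group, and join/prune messages go towards the RP when a group gains its first or loses its last member. All interface names, VLAN ids, MAC/IP addresses and multicast groups below are constructed.

```python
# Added example, not code from the patent: a small model of EPG-based BUM isolation.
# Interface names, VLAN ids, addresses and groups are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Switch:
    # (VLAN id, ingress interface) -> EPG id   (VLAN + incoming interface identify the EPG)
    epg_by_vlan_iface: dict
    # EPG id -> IP multicast address that carries all BUM traffic of that EPG
    group_by_epg: dict
    # multicast address -> MACs of the users currently joined to that group
    members: dict = field(default_factory=dict)
    # membership table: user MAC -> (ingress iface, VLAN, IP); used to check senders
    membership: dict = field(default_factory=dict)
    # join/prune messages sent towards the rendezvous point, recorded for inspection
    rp_messages: list = field(default_factory=list)

    def group_for(self, vlan, iface):
        """Classify a (VLAN, ingress interface) pair to its EPG, then to its multicast group."""
        epg = self.epg_by_vlan_iface.get((vlan, iface))
        return None if epg is None else self.group_by_epg[epg]

    def user_online(self, mac, ip, vlan, iface):
        """Snoop the first message of a user coming online and join it to its EPG's group."""
        group = self.group_for(vlan, iface)
        if group is None:
            return None  # no EPG configured for this VLAN/port: user is not admitted
        if not self.members.get(group):
            # first member of this group on the switch: send a join towards the RP
            self.rp_messages.append(("join", group))
        self.members.setdefault(group, set()).add(mac)
        self.membership[mac] = (iface, vlan, ip)
        return group

    def user_offline(self, mac):
        """Delete the membership table entry; prune towards the RP when the group empties."""
        entry = self.membership.pop(mac, None)
        if entry is None:
            return
        iface, vlan, _ip = entry
        group = self.group_for(vlan, iface)
        self.members[group].discard(mac)
        if not self.members[group]:
            self.rp_messages.append(("prune", group))

    def handle_bum(self, src_mac, src_ip, vlan, iface, payload):
        """Encapsulate a user's BUM frame as multicast and list the members that receive it.

        Returns (multicast packet, sorted receiver MACs), or None when the sender does
        not match its membership table entry (unknown or spoofed source is dropped).
        """
        if self.membership.get(src_mac) != (iface, vlan, src_ip):
            return None
        group = self.group_for(vlan, iface)
        packet = {"dst": group, "src_mac": src_mac, "vlan": vlan, "payload": payload}
        receivers = sorted(self.members[group] - {src_mac})
        return packet, receivers


def build_switch():
    """Two tenants (EPG A and EPG B) share VLAN 100 on one switch; constructed config."""
    return Switch(
        epg_by_vlan_iface={(100, "eth1"): "A", (100, "eth2"): "A", (100, "eth3"): "B"},
        group_by_epg={"A": "239.1.1.1", "B": "239.1.1.2"},
    )


def demo():
    """Three users come online, one broadcasts, a spoofed frame is tried, tenant A leaves."""
    sw = build_switch()
    sw.user_online("aa:aa:aa:aa:aa:01", "10.0.0.1", 100, "eth1")  # tenant A
    sw.user_online("aa:aa:aa:aa:aa:02", "10.0.0.2", 100, "eth2")  # tenant A
    sw.user_online("bb:bb:bb:bb:bb:03", "10.0.0.3", 100, "eth3")  # tenant B, same VLAN
    arp = sw.handle_bum("aa:aa:aa:aa:aa:01", "10.0.0.1", 100, "eth1", "ARP who-has 10.0.0.2")
    # same MAC/IP presented on tenant B's port: membership table mismatch, dropped
    spoofed = sw.handle_bum("aa:aa:aa:aa:aa:01", "10.0.0.1", 100, "eth3", "ARP who-has 10.0.0.2")
    sw.user_offline("aa:aa:aa:aa:aa:01")
    sw.user_offline("aa:aa:aa:aa:aa:02")
    return {"arp": arp, "spoofed": spoofed, "rp_messages": list(sw.rp_messages)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Tenant B's user shares VLAN 100 with tenant A yet never appears among the receivers of A's broadcast, which is the isolation property the description claims.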
Fig. 9 shows a schematic structural diagram of the switch involved in the above embodiments. The switch may be the switch in the network architecture shown in Fig. 1, a leaf switch in the network architecture shown in Fig. 2, or the switch in the method described with reference to Fig. 3.
The switch may include: a controller/processor 902, used to control and manage the actions of the switch. For example, controller/processor 902 is used to support the switch in performing processes 301 to 307 in Fig. 3, and/or other processes of the technology described in the embodiments of the present invention. Memory 901 is used to store the program code and data of the switch. Network interface 903 is used to support communication between the switch and other network entities; the network interface may include a transmitter and a receiver. For example, network interface 903 is used to support communication between the switch and the server where the user is located. In another example, network interface 903 is used to support communication between the switch and the other switches in the multicast shared tree.
In embodiments of the present invention, network interface 903 may be used to snoop the information carried in the first message sent when the first user comes online; controller/processor 902 may be used to determine, according to the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to the first EPG, to determine the first IP multicast address corresponding to the first user according to the identifier of the first EPG and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, and to determine that the first user belongs to the multicast group corresponding to the first IP multicast address; wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible LAN (VXLAN), or a subset of the users in the same network segment or subnet, and the first EPG is one of multiple EPGs. Controller/processor 902 is further used to add the first user to the multicast group. When network interface 903 receives the first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, controller/processor 902 is further used to encapsulate the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic including the first IP multicast address, so that the first multicast traffic is forwarded to the other users belonging to the multicast group.
For the specific implementation of the above controller/processor 902 and network interface 903, refer to the above embodiments; it is not repeated here.
Thus, with the switch provided in the embodiment of the present invention, one network is divided into different EPGs and each EPG is assigned one IP multicast address to carry all BUM traffic of the users of that EPG; that is, user isolation is achieved by isolating the BUM traffic of different EPGs, which solves the problem that BUM traffic between tenant groups sharing the same VLAN cannot be isolated. Compared with the non-multicast forwarding of the prior art, in which unnecessary ports also receive the traffic and network bandwidth is consumed, the present application can optimize the forwarding of BUM traffic.
In the several embodiments provided in this application, it should be understood that the disclosed terminal and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform some of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (18)
- 1. A user isolation method, characterized in that it comprises: a switch snoops the information carried in a first message sent when a first user comes online; the switch determines, according to the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to a first EPG, determines a first IP multicast address corresponding to the first user according to the identifier of the first EPG and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible LAN (VXLAN), or a subset of the users in the same network segment or subnet, and the first EPG is one of multiple EPGs; the switch adds the first user to the multicast group; when the switch receives first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, the switch encapsulates the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic including the first IP multicast address, so that the first multicast traffic is forwarded to the other users belonging to the multicast group.
- 2. The method according to claim 1, characterized in that the method further comprises: the switch establishes a correspondence between VLAN identifiers together with incoming interface identifiers and EPG identifiers; and the switch establishes a correspondence between EPG identifiers and IP multicast addresses.
- 3. The method according to claim 1 or 2, characterized in that the switch determining, according to the correspondence between the information carried in the first message and the endpoint policy group (EPG) identifiers, that the first user belongs to the first EPG comprises: the switch determines that the first user belongs to the first EPG according to the first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between VLAN identifiers together with incoming interface identifiers and EPG identifiers.
- 4. The method according to claim 3, characterized in that the switch adding the first user to the multicast group comprises: the switch determines whether there is a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address; if so, the switch adds the first user to the multicast group to which the second user belongs, and establishes a correspondence between the first incoming interface identifier and the first IP multicast address; if not, the switch establishes a correspondence between the first incoming interface identifier and the first IP multicast address, sends a multicast join message to the rendezvous point (RP) through the upstream device connected to the switch, the multicast join message including the first IP multicast address, and establishes a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
- 5. The method according to claim 3, characterized in that the switch adding the first user to the multicast group comprises: the switch determines whether there is a second user belonging to the same multicast group as the first user; if so, the switch adds the first user to the multicast group to which the second user belongs, and establishes a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address; if not, the switch establishes a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the identifier of the first IP multicast address, sends a multicast join message to the rendezvous point (RP) through the upstream device connected to the switch, the multicast join message including the first IP multicast address, and establishes a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
- 6. The method according to claim 4, characterized in that the method further comprises: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic including a second IP multicast address corresponding to the multicast group to which the third user belongs, the switch replicates and sends the second multicast traffic to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and outgoing interfaces.
- 7. The method according to claim 5, characterized in that the method further comprises: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic including a second IP multicast address corresponding to the multicast group to which the third user belongs, the switch replaces the second IP multicast address with the second IP address corresponding to the second IP multicast address, according to the correspondence between the second incoming interface identifier together with the second IP address corresponding to at least one user and the second IP multicast address; the switch takes the interface corresponding to the second incoming interface identifier as the outgoing interface, replicates the second multicast traffic at that outgoing interface, and sends the replicated second multicast traffic to the at least one user according to the replaced second IP address.
- 8. The method according to any one of claims 4 to 7, characterized in that, after the first user comes online, the method further comprises: the switch establishes a membership table for the first user, the membership table including the correspondence between the MAC address of the first user, the first incoming interface identifier, the first VLAN identifier and the first IP address; the first membership table is used to check whether a user sending multicast traffic is legitimate.
- 9. The method according to claim 8, characterized in that the method further comprises: when the switch detects that the first user has gone offline, it deletes the membership table and sends a second message to the RP, the second message including the first IP multicast address, so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
- 10. A switch, characterized in that it comprises: a snooping unit, for snooping the information carried in a first message sent when a first user comes online; a determining unit, for determining, according to the correspondence between the information carried in the first message and endpoint policy group (EPG) identifiers, that the first user belongs to a first EPG, determining a first IP multicast address corresponding to the first user according to the identifier of the first EPG and the correspondence between EPG identifiers and Internet Protocol (IP) multicast addresses, and determining that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein an EPG comprises a virtual local area network (VLAN), a virtual extensible LAN (VXLAN), or a subset of the users in the same network segment or subnet, and the first EPG is one of multiple EPGs; an adding unit, for adding the first user to the multicast group; an encapsulating unit, for encapsulating, when the switch receives first broadcast, unknown-unicast and multicast (BUM) traffic sent by the first user, the first BUM traffic as first multicast traffic of the multicast group, the first multicast traffic including the first IP multicast address, so that the first multicast traffic is forwarded to the other users belonging to the multicast group.
- 11. The switch according to claim 10, characterized in that it further comprises: an establishing unit, for establishing a correspondence between VLAN identifiers together with incoming interface identifiers and EPG identifiers; and for establishing a correspondence between EPG identifiers and IP multicast addresses.
- 12. The switch according to claim 11, characterized in that the determining unit is used to: determine that the first user belongs to the first EPG according to the first VLAN identifier carried in the first message, the first incoming interface on which the switch received the first message, and the correspondence between VLAN identifiers together with incoming interface identifiers and EPG identifiers.
- 13. The switch according to claim 12, characterized in that the adding unit comprises: a determination subunit, for determining whether there is a second user that belongs, together with the first user, to the multicast group corresponding to the first IP multicast address; an establishing subunit, for adding, if so, the first user to the multicast group to which the second user belongs and establishing a correspondence between the first incoming interface identifier and the first IP multicast address, and for establishing, if not, a correspondence between the first incoming interface identifier and the first IP multicast address; and a sending subunit, for sending a multicast join message to the rendezvous point (RP) through the upstream device connected to the switch, the multicast join message including the first IP multicast address, and establishing a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
- 14. The switch according to claim 12, characterized in that the adding unit comprises: a determination subunit, for determining whether there is a second user belonging to the same multicast group as the first user; an establishing subunit, for adding, if so, the first user to the multicast group to which the second user belongs and establishing a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the first IP multicast address, and for establishing, if not, a correspondence between the first incoming interface identifier together with the first IP address and the first IP multicast address, or a correspondence between the first incoming interface identifier, the first IP address and the first VLAN identifier together and the identifier of the first IP multicast address; and a sending subunit, for sending a multicast join message to the rendezvous point (RP) through the upstream device connected to the switch, the multicast join message including the first IP multicast address, and establishing a correspondence between the identifier of the first outgoing interface on which the switch sent the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and a correspondence between the identifier of the outgoing interface on which the multicast join message was sent and the first IP multicast address.
- 15. The switch according to claim 13, characterized in that it further comprises a transmitting unit, used to: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic including a second IP multicast address corresponding to the multicast group to which the third user belongs, replicate and send the second multicast traffic to the users under the outgoing interface corresponding to the second IP multicast address, according to the correspondence between the second IP multicast address and outgoing interfaces.
- 16. The switch according to claim 14, characterized in that it further comprises a replacing unit, used to: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic including a second IP multicast address corresponding to the multicast group to which the third user belongs, replace the second IP multicast address with the second IP address corresponding to the second IP multicast address, according to the correspondence between the second incoming interface identifier together with the second IP address corresponding to at least one user and the second IP multicast address; and a transmitting unit, for taking the interface corresponding to the second incoming interface identifier as the outgoing interface, replicating the second multicast traffic at that outgoing interface, and sending the replicated second multicast traffic to the at least one user according to the replaced second IP address.
- 17. The switch according to any one of claims 13 to 16, characterized in that the establishing unit is further used to: establish a membership table for the first user, the membership table including the correspondence between the MAC address of the first user, the first incoming interface identifier, the first VLAN identifier and the first IP address; the first membership table is used to check whether a user sending multicast traffic is legitimate.
- 18. The switch according to claim 17, characterized in that it further comprises: a deleting unit, for deleting the membership table when the switch detects that the first user has gone offline; the transmitting unit is used to: send a second message to the rendezvous point (RP), the second message including the first IP multicast address, so that the RP deletes the correspondence between the identifier of the incoming interface on which the multicast join message was received and the first IP multicast address, and the correspondence between the outgoing interface identifier and the first IP multicast address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610552867.7A CN107623636B (en) | 2016-07-13 | 2016-07-13 | User isolation method and switch |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107623636A true CN107623636A (en) | 2018-01-23 |
CN107623636B CN107623636B (en) | 2020-08-25 |
Family
ID=61087494
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610552867.7A Active CN107623636B (en) | 2016-07-13 | 2016-07-13 | User isolation method and switch |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107623636B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900422A (en) * | 2018-07-27 | 2018-11-27 | 新华三技术有限公司 | Multicast forward method, device and electronic equipment |
CN110661732A (en) * | 2019-09-20 | 2020-01-07 | 浪潮思科网络科技有限公司 | Device and method for scheduling traffic among working groups based on MAC (media access control) VLAN (virtual local area network) division |
CN111464511A (en) * | 2020-03-18 | 2020-07-28 | 紫光云技术有限公司 | Method for supporting multi-VPC isolation in cloud computing network |
CN113079030A (en) * | 2020-05-29 | 2021-07-06 | 新华三信息安全技术有限公司 | Configuration information issuing method and access equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101159665A (en) * | 2007-08-28 | 2008-04-09 | 杭州华三通信技术有限公司 | Method and device to implement forwarding of unknown multicast packet to router port |
US20160021015A1 (en) * | 2014-07-18 | 2016-01-21 | Cisco Technology, Inc. | Reducing transient packet duplication and improving split-horizon filtering |
EP3013006A1 (en) * | 2014-10-22 | 2016-04-27 | Juniper Networks, Inc. | Protocol independent multicast sparse mode (pim-sm) support for data center interconnect |
Application history
- 2016-07-13: CN application CN201610552867.7A, granted as CN107623636B (status: Active)
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |