CN107623636A - A kind of user isolation method and interchanger - Google Patents

Abstract

Embodiments of the present invention provide a user isolation method and a switch, which relate to the communication field and can solve the problem that BUM traffic cannot be isolated between tenants. The method is: the switch monitors the information carried in the first message sent when the first user goes online, the switch determines that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the EPG identifier, and Determine that the first user corresponds to the first IP multicast address according to the identification of the first EPG and the correspondence between the identification of the EPG and the IP multicast address, and determine that the first user belongs to the multicast group corresponding to the first IP multicast address, and then , the switch adds the first user to the multicast group. When the switch receives the first BUM traffic sent by the first user, the switch encapsulates the first BUM traffic into the first multicast traffic of the multicast group. The first multicast traffic includes The first IP multicast address, so that the first multicast traffic is forwarded to other users of the multicast group. The embodiment of the present invention is used for user isolation in VXLAN.

Description

A user isolation method and switch

technical field

The invention relates to the communication field, in particular to a user isolation method and a switch.

Background technique

A virtual local area network (Virtual Local Area Network, VLAN) is a group of logical devices and users. These devices and users are not limited by physical locations. They can be organized according to factors such as functions, departments, and applications. The communication is similar to being in the same network segment, hence the name virtual local area network. VLAN works on Layer 2 and Layer 3 of the Open System Interconnection (OSI) reference model.

In a computer network, a Layer 2 network can be divided into multiple different broadcast domains, and a broadcast domain corresponds to a specific tenant. By default, these different broadcast domains are isolated from each other. If you want to communicate between different broadcast domains, you need to forward the communication through one or more routers or switches. Such a broadcast domain is a VLAN, and users under a VLAN can be a tenant, that is, a tenant can include multiple user. A tenant can be understood as an End-Point Policy Group (EPG), that is, all users in a tenant are an EPG. Communication between different VLANs or different tenants is done through Layer 3 routers or switches.

In this way, after using different VLANs to isolate users, different EPGs can allocate different VLANs. When a device in a VLAN sends broadcast or unknown unicast or multicast (Broadcast, Unicast unknown, Multicast, BUM) traffic, It will be flooded in this VLAN, and all network devices in this VLAN will receive this BUM traffic. However, VLAN resources are limited, resulting in a limited number of supported tenants (isolation groups). If different tenants share the same VLAN, BUM traffic cannot be isolated between tenants.

Contents of the invention

Embodiments of the present invention provide a user isolation method and a switch, which can solve the problem that BUM traffic cannot be isolated between tenants.

On the one hand, a user isolation method is provided, including:

The switch monitors the information carried in the first packet sent when the first user goes online; the switch determines that the first user belongs to the first EPG according to the correspondence between the information carried in the first packet and the identifier of the terminal policy group EPG, and according to The identification of the first EPG and the corresponding relationship between the identification of the EPG and the Internet Protocol IP multicast address determine that the first user corresponds to the first IP multicast address, and determine that the first user belongs to the corresponding multicast group of the first IP multicast address; Wherein the EPG includes a virtual local area network VLAN, a virtual extended local area network VXLAN, or some users in users in the same network segment or subnet, and the first EPG is one of a plurality of EPGs; the switch adds the first user to the multicast group; when When the switch receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user, the switch encapsulates the first BUM traffic into the first multicast traffic of the multicast group, and the first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other users belonging to the corresponding multicast group.

Therefore, if there are different EPGs under the same VLAN, the BUM traffic under different EPGs needs to be isolated. One EPG is a tenant group. When an IP multicast address is configured for the EPG in the switch, if the first user goes online, the switch Determine the first IP multicast address of the multicast group to which the first user belongs according to the information detected when the first user goes online, and add the first user to the multicast group. For BUM traffic, the switch can encapsulate the BUM traffic into multicast traffic according to the first IP multicast address and then forward it to other users belonging to the multicast group, so that the BUM traffic between different EPGs under the same VLAN is isolated.

In a possible design, the method further includes: the switch establishes a correspondence between the VLAN ID and the inbound interface ID and the EPG ID; and the switch establishes the correspondence between the EPG ID and the IP multicast address. Wherein, the corresponding relationship may be configured by an access controller (Access Controller, AC) to the switch, or may be manually configured in the switch.

Thus, when any user goes online through the interface of the switch, the EPG to which the user belongs and its IP multicast address can be determined according to the corresponding relationship, so as to send multicast traffic according to the IP multicast address.

In a possible design, the switch determining that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG includes: the switch according to the first VLAN carried in the first message It is determined that the first user belongs to the first EPG through the identification, the first inbound interface of the switch that receives the first message, and the correspondence between the VLAN ID and the inbound interface ID and the EPG ID.

In a possible design, the switch adding the first user to the multicast group includes: the switch determines whether there is a second user who belongs to the multicast group corresponding to the first IP multicast address together with the first user; if yes, then Add the first user to the multicast group to which the second user belongs together, and set up the corresponding relationship between the first ingress interface identifier and the first IP multicast address; The corresponding relationship of the IP multicast address is to send a multicast join message to the rendezvous point RP through the upstream device connected to the switch. The multicast join message includes the first IP multicast address and establishes the first outgoing interface for the switch to send the multicast join message. The corresponding relationship between the identifier of the IP address and the first IP multicast address, so that the upstream device and the RP can establish the corresponding relationship between the incoming interface identifier receiving the multicast join message and the first IP multicast address, and the outgoing interface identifier sending the multicast join message Corresponding relationship with the first IP multicast address.

Therefore, after establishing a corresponding relationship between the user's IP multicast address and the inbound and outbound interfaces of the switch, when the user sends multicast traffic, the switch can forward the multicast traffic according to the IP multicast address and the inbound and outbound interfaces of the switch. Forwarding to other users of the multicast group means adding users to the multicast group based on interface granularity.

In a possible design, the switch adding the first user to the multicast group includes: the switch determines whether there is a second user belonging to the same multicast group as the first user; The multicast group to which the two users belong together, and establish the corresponding relationship between the first inbound interface identifier and the first IP address and the first IP multicast address, or establish the first inbound interface identifier, the first IP address and the first VLAN identifier Common correspondence with the first IP multicast address; if determined no, the switch establishes the correspondence between the first incoming interface identification and the first IP address and the first IP multicast address, or establishes the first incoming interface identification, the first incoming interface identification, the first IP multicast address An IP address and the corresponding relationship between the identification of the first VLAN and the identification of the first IP multicast address, the upstream device connected to the switch sends a multicast join message to the rendezvous point RP, and the multicast join message includes the first IP multicast address , and establish the corresponding relationship between the first outgoing interface identifier of the switch sending the multicast join message and the first IP multicast address, so that the upstream device and the RP establish the connection between the incoming interface identifier and the first IP multicast address for receiving the multicast join message The corresponding relationship, and the corresponding relationship between the outgoing interface identifier sending the multicast join message and the first IP multicast address.

Thus, users can be added to the multicast group based on user granularity. In this way, when there are multiple users corresponding to multiple VMs under the same interface, if the multiple VMs belong to different EPGs, the VMs belonging to the same EPG can be determined according to the corresponding relationship between the user's IP address and interface identifier and the EPG, so as to avoid Unnecessary flooding of traffic.

In a possible design, the method further includes: when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs The switch copies and sends the second multicast traffic to users under the outgoing interface corresponding to the second IP multicast address according to the correspondence between the second IP multicast address and the outgoing interface.

In a possible design, the method further includes: when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs The switch replaces the second IP multicast address with the second IP multicast address corresponding to the second IP address; the switch uses the interface corresponding to the second incoming interface identifier as the outgoing interface, copies the second multicast flow at the outgoing interface, and sends the copied second multicast flow to at least one according to the replaced second IP address user.

For example, when multiple virtual machines (Virtual Machine, VM) are connected to the same interface of the switch, if the multiple virtual machines belong to different EPGs, the corresponding relationship between the interface identifier and the IP address and the IP multicast address can be The IP multicast address is replaced with the IP address of the VM, and multicast is changed to unicast, so that the multicast traffic of users of the same EPG will not be sent to users of other EPGs.

In a possible design, after the first user goes online, the method further includes:

The switch establishes a membership table for the first user, and the membership table includes the corresponding relationship between the MAC address of the first user, the first ingress interface identifier, the first VLAN identifier, and the first IP address, and the first membership table is used to check the status of sending multicast traffic. Whether the user is legitimate.

For example, if another user forges the IP address and MAC address of the first user and sends attacking multicast traffic to the switch on another interface, then the switch can determine that the interface information corresponding to the multicast traffic is wrong according to the saved member list, and determine The multicast traffic is illegal, so as to prevent the sending of the illegal multicast traffic.

In a possible design, the method further includes: when the switch detects that the first user is offline, delete the member list, and send a second message to the rendezvous point RP, the second message includes the first IP multicast address , so that the RP deletes the correspondence between the identifier of the incoming interface receiving the multicast join message and the first IP multicast address, and the correspondence between the identifier of the outgoing interface and the first IP multicast address.

Therefore, when the first user goes offline, the corresponding relationship between the membership table in the switch and the RP is deleted, which can save the storage space of the switch and the RP.

In another aspect, a switch is provided, including:

The listening unit is configured to listen to the information carried in the first message sent when the first user goes online; the determining unit is configured to determine the first message according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG. A user belongs to the first EPG, and according to the identification of the first EPG and the corresponding relationship between the identification of the EPG and the IP multicast address of the Internet Protocol, it is determined that the first user corresponds to the first IP multicast address, and it is determined that the first user belongs to the first IP group The multicast group corresponding to the multicast address, wherein the EPG includes a virtual local area network VLAN, a virtual extended local area network VXLAN, or some users in the same network segment or subnet, and the first EPG is one of multiple EPGs; the joining unit , for adding the first user to the multicast group; an encapsulation unit, used for encapsulating the first BUM traffic into the multicast group when the switch receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user The first multicast traffic, where the first multicast traffic includes a first IP multicast address, so that the first multicast traffic is forwarded to corresponding other users belonging to the multicast group.

In a possible design, it also includes: an establishing unit, configured to establish a correspondence between the VLAN ID and the inbound interface ID and the EPG ID; and establish a corresponding relationship between the EPG ID and the IP multicast address.

In one possible design, the determination unit is used to:

Determine that the first user belongs to the first EPG according to the first VLAN ID carried in the first message, the first inbound interface of the switch receiving the first message, and the correspondence between the VLAN ID and the inbound interface ID and the EPG ID.

In a possible design, the joining unit includes: a determination subunit, configured to determine whether there is a second user who belongs to the multicast group corresponding to the first IP multicast address together with the first user; the establishment subunit is used for: If it is determined to be yes, then the first user is added to the multicast group to which the second user belongs together, and the corresponding relationship between the first ingress interface identifier and the first IP multicast address is established; if it is determined to be no, the first ingress interface is established The corresponding relationship between the identifier and the first IP multicast address, the method also includes a sending subunit, which is used to send a multicast join message to the rendezvous point RP through an upstream device connected to the switch, and the multicast join message includes the first IP multicast address, And establish the corresponding relationship between the identification of the first outgoing interface that the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP establish the identification of the incoming interface that receives the multicast join message and the first IP multicast address The corresponding relationship, and the corresponding relationship between the outgoing interface identifier sending the multicast join message and the first IP multicast address.

In a possible design, the joining unit includes: a determining subunit, configured to determine whether there is a second user belonging to the same multicast group as the first user; the establishing subunit is configured to: if yes, add the first user Join the multicast group that the second user belongs to, and establish the correspondence between the first inbound interface identifier and the first IP address and the first IP multicast address, or establish the first inbound interface identifier, the first IP address and The corresponding relationship between the first VLAN mark and the first IP multicast address; if it is determined that no, then set up the common corresponding relationship between the first incoming interface mark and the first IP address and the first IP multicast address, or set up the first incoming interface ID, the first IP address, and the first VLAN ID together with the corresponding relationship of the ID of the first IP multicast address, send a multicast join message to the rendezvous point RP through the upstream device connected to the switch, and the multicast join message includes the first IP Multicast address, and establish the corresponding relationship between the first outgoing interface identifier of the switch sending the multicast join message and the first IP multicast address, so that the upstream device and RP can establish the incoming interface identifier and the first IP group for receiving the multicast join message The corresponding relationship between the multicast address and the corresponding relationship between the outgoing interface identifier sending the multicast join message and the first IP multicast address.

In a possible design, it further includes a sending unit, configured to: when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the second multicast traffic corresponding to the multicast group to which the third user belongs. The IP multicast address, according to the correspondence between the second IP multicast address and the outgoing interface, copies and sends the second multicast traffic to users under the outgoing interface corresponding to the second IP multicast address.

In a possible design, a replacement unit is further included, configured to: when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the second IP address corresponding to the multicast group to which the third user belongs For the multicast address, replace the second IP multicast address with the one corresponding to the second IP multicast address according to the corresponding relationship between the second inbound interface identifier and the second IP address corresponding to at least one user and the second IP multicast address. The second IP address; the sending unit is used to use the interface corresponding to the second incoming interface identifier as the outgoing interface, copy the second multicast flow at the outgoing interface, and copy the second group according to the replaced second IP address broadcast traffic to at least one user.

In a possible design, the establishment unit is also used to: establish a membership table for the first user, the membership table includes the correspondence between the MAC address of the first user, the first ingress interface identifier, the first VLAN identifier, and the first IP address , the first member table is used to check whether the user sending the multicast traffic is legitimate.

In a possible design, it also includes: a deletion unit, which is used to delete the member list when the switch detects that the first user is offline; the sending unit is also used to: send the second message to the rendezvous point RP, the second The message includes the first IP multicast address, so that the RP deletes the corresponding relationship between the incoming interface identifier and the first IP multicast address receiving the multicast join message, and the corresponding relationship between the outgoing interface identifier and the first IP multicast address.

An embodiment of the present invention provides a user isolation method and a switch. The switch listens to the information carried in the first message sent by the first user when going online, and the switch determines the information according to the correspondence between the information carried in the first message and the EPG identifier. The first user belongs to the first EPG, and according to the identification of the first EPG and the corresponding relationship between the identification of the EPG and the IP multicast address, it is determined that the first user corresponds to the first IP multicast address, and it is determined that the first user belongs to the first IP multicast The multicast group corresponding to the address, then, the switch adds the first user to the multicast group, when the switch receives the first BUM flow sent by the first user, the switch encapsulates the first BUM flow into the first group of the multicast group broadcast traffic, the first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other users of the multicast group, so that by dividing different EPGs in a network, each EPG is assigned an IP group The multicast address is used to carry all the BUM traffic of the users of the EPG, that is, to implement user isolation by isolating the BUM traffic of different EPGs, so as to solve the problem that the BUM traffic between tenant groups sharing the same VLAN or the same VXLAN cannot be isolated. In the prior art, forwarding traffic in a non-multicast mode may cause unnecessary ports to receive the traffic and occupy network bandwidth. This application will optimize the forwarding function of BUM traffic.

Description of drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following will briefly introduce the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only some of the present invention. Embodiments, for those of ordinary skill in the art, other drawings can also be obtained based on these drawings without any creative effort.

Fig. 1 is the network structural diagram of a kind of VLAN that the embodiment of the present invention provides;

FIG. 2 is a schematic diagram of a VXLAN network structure provided by an embodiment of the present invention;

FIG. 3 is a schematic flowchart of a user isolation method provided by an embodiment of the present invention;

FIG. 4 is a schematic diagram of a system of traffic isolation between multiple EPGs provided by an embodiment of the present invention;

FIG. 5 is a signal flow diagram of a user joining a multicast group provided by an embodiment of the present invention;

FIG. 6 is a signal flow diagram for sending multicast traffic provided by an embodiment of the present invention;

FIG. 7 is a signal flow diagram when a user goes offline according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of a switch provided by an embodiment of the present invention;

FIG. 9 is a schematic structural diagram of a switch provided by an embodiment of the present invention.

detailed description

The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.

In VLAN, each VLAN corresponds to a network segment or subnet, which can reduce the number of servers in the same broadcast domain and reduce unnecessary broadcast traffic. As shown in Figure 1, multiple users connected to the switch correspond to different VLANs. The user equipment corresponding to user 1, user 2 and user 3 belongs to VLAN10, and the user equipment corresponding to user 4 and user 5 belongs to VLAN20, between VLAN10 and VLAN20 BUM traffic isolation, that is, when any user equipment in VLAN10 sends BUM traffic, all other user equipment in VLAN10 will receive the BUM traffic, and no user equipment in VLAN20 will receive the BUM traffic. If the BUM traffic needs to be transmitted from VLAN10 to VLAN20, it needs to be implemented through a router or a Layer 3 switch.

Virtual eXtensible Local Area Network (VXLAN) is a technology that encapsulates Layer 2 packets with Layer 3 protocols, and can extend the Layer 2 network within the Layer 3 range. Each Broadcast Domain (Broadcast Domain, BD) is called a VXLAN segment, and its ID is identified by a VXLAN Network Identifier (VXLAN Network Identifier, VNI) located in the VXLAN packet header. The VNI field contains 24 bits, so the maximum number of segments is 2 to the 24th power, and only virtual machines in the same VXLAN segment can communicate with each other. In VXLAN, a traditional physical server is virtualized into several virtual servers, that is, virtual machines (Virtual Machine, VM), and each VM runs an independent operating system. A tenant corresponding to the same VXLAN owns a VM or a group of VMs in the virtual server resource pool. As shown in FIG. 2 , the VXLAN may include a rendezvous point (Rendezvous Point, RP) (not shown in the figure), a spine (spine) switch, a leaf (leaf) switch, and a server. There are multiple servers connected to different leaf switches, each server includes at least one VM, each VM is an independent user, server 1 includes VM1 and VM2, server 2 includes VM3 and VM4, server 3 includes VM5 and VM6 , different VMs in the same server may belong to different tenants, for example, VM1 and VM6 in Figure 2 may belong to the same tenant, VM2 and VM3 may belong to the same tenant, and VM4 and VM5 may belong to the same tenant. The BUM traffic sent by any VM (or server) in the same VXLAN network will be flooded to each member in the VXLAN, and the BUM traffic between cross-VXLANs needs to be implemented through routers or Layer 3 switches.

VLAN and VXLAN in the prior art require global planning, and VLAN and VXLAN resources are limited, resulting in a limited number of supported isolation groups. If different tenants share the same VLAN or VXLAN, BUM traffic cannot be isolated between tenants. , the present invention divides different tenant group EPGs in the same VLAN or VXLAN, and assigns an IP multicast address to each EPG to carry the BUM traffic of the same EPG, thus realizing user isolation by isolating the BUM traffic. Therefore, an embodiment of the present invention provides a user isolation method, taking VXLAN as an example, as shown in FIG. 3 , including:

301. The switch establishes a correspondence between the VLAN identifier and the inbound interface identifier of the switch and the EPG identifier, and establishes a correspondence between the EPG identifier and the IP multicast address.

The switch here is a leaf switch, that is, a switch directly connected to the user equipment.

In the embodiment of the present application, an IP multicast address may be assigned to each EPG, and a correspondence between an EPG identifier and an IP multicast address is established. An EPG is a tenant. The same VLAN may correspond to one EPG or multiple EPGs, that is, multiple EPGs share the same VLAN. Similarly, the same VXLAN may correspond to one EPG or multiple EPGs. For example, as shown in FIG. 4 , different VMs are connected to a set-top switch (Top of Rank, ToR) (not shown in the figure), and the ToR is a leaf switch in this embodiment. Among them, VM1 and VM6 belong to the same tenant and belong to EPG-1. The IP multicast address corresponding to EPG-1 is 225.0.0.1. VM2 and VM3 belong to the same tenant and belong to EPG-2. The IP multicast address corresponding to EPG-2 is 225.0.0.2, VM4 and VM5 belong to the same tenant and belong to EPG-3, and the IP multicast address corresponding to EPG-3 is 225.0.0.3. EPG-1, EPG-2, and EPG-3 all belong to the same VXLAN broadcast domain BD8, the corresponding VNI is 10000, and the network segment corresponding to this VXLAN is IP192.168.1.1/16. Gateways (GateWay, GW) 1 and GW2 may be routers or switches.

After the VLAN ID and the corresponding relationship between the ID of the incoming interface of the leaf switch and the ID of the EPG are configured on the leaf switch, if a user goes online, the leaf switch can The corresponding relationship between the VLAN identifier carried in the text and the EPG identifier determines the EPG to which the user belongs.

Among them, the corresponding relationship between the VLAN ID and the incoming interface ID established in the leaf switch and the EPG ID, and the corresponding relationship between the EPG ID and the IP multicast address can be manually configured in the leaf switch, or it can be as shown in Figure 4 The access controller (Access Controller, AC) in the AC sends configuration information to the leaf switch directly or indirectly through other switches and saves the configuration information in the leaf switch. During manual configuration, the corresponding relationship can be input to the leaf switch through the command line; when the AC sends configuration information to the leaf switch, the configuration information can be input and configured on the AC side through the command line, and the AC is connected to the leaf switch The GW transparently transmits the configuration information to the leaf switch, or the AC can also directly connect to the leaf switch and deliver the configuration information directly to the leaf switch. For example, the AC can deliver the configuration information to the leaf switch through the OpenFlow interface, the network management interface, or other interfaces. configuration information.

302. The switch monitors the information carried in the first packet sent when the first user goes online.

When at a certain moment, when a new user (corresponding to a VM) goes online from the leaf switch, the leaf switch can receive the first message sent by the first user, and the first message can be a Dynamic Host Configuration Protocol (Dynamic HostConfiguration Protocol, DHCP) message, and listen to the first media access control (Media Access Control, MAC) address of the first user carried in the DHCP message and the first VLAN identifier of the first VLAN to which the first user belongs.

303. The switch determines that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the EPG identifier, and determines the first EPG corresponding to the first user according to the correspondence between the first EPG identifier and the IP multicast address. An IP multicast address.

After the leaf switch detects the first MAC address and the first VLAN ID of the first user carried in the first message, it can determine the first interface ID of the first user connected to the leaf switch according to the interface that receives the first message , and assign the first IP address to the first user. The Leaf switch can establish a member table for the first user equipment according to the first MAC address, the first VLAN identifier, the first IP address and the first interface identifier, and the member table includes the first MAC address, the first VLAN identifier, and the first IP address and the first interface identifier and other information. This member table can be used for security verification to detect whether the multicast traffic sent by subsequent users is legal. One user is connected to the leaf switch through different interfaces, and another user may send multicast traffic for attacking to the leaf switch through another interface. Assuming that the leaf switch determines that another user sends multicast traffic, it is the same as the first IP address and first MAC address in the member table, but the interface ID is different from the first interface ID in the member table, then the leaf switch may not receive the multicast traffic. Multicast traffic sent by another user.

Since the leaf switch stores the corresponding relationship between the interface identifier and the VLAN identifier and the EPG identifier, the leaf switch can determine the first user's identity according to the corresponding relationship between the first interface identifier and the first VLAN identifier and the first EPG identifier. The first EPG, for example, the first user belongs to EPG-1. And because the corresponding relationship between the EPG identifier and the IP multicast address is stored in the leaf switch, the leaf switch can determine the corresponding relationship between the first EPG identifier to which the first user belongs and the first IP multicast address. The first IP multicast address corresponding to the multicast group, for example, the IP multicast address corresponding to EPG-1 is 225.0.0.1, and the IP multicast address corresponding to the multicast group to which the first user belongs is 225.0.0.1. The multicast group can be understood as a destination address for sending multicast packets or data frames, where the destination address is, for example, 225.0.0.1.

Leaf switches store the corresponding relationship between the interface ID and VLAN ID and the EPG ID because the same interface of the leaf switch may be connected to VMs in different EPGs, that is, any interface of the leaf switch can be connected to different VXLANs or different EPGs VMs in .

304. The switch adds the first user to the multicast group, and then performs step 305 or step 306.

After the leaf switch determines the first IP multicast address of the multicast group to which the first user belongs, it can add the first user to the multicast group. The process of a user joining a multicast group is the process of establishing a multicast shared tree, and the established multicast shared tree is established with the known RP of the leaf switch as the root. Among them, the multicast shared tree means that after an RP is selected in the network, all multicast packets need to be transmitted from this RP. The RP is a pre-set router or switch that is responsible for forwarding all multicast packets. The server sending multicast packets needs to register with the RP before sending multicast packets, and then determine the shortest path to the RP through the directly connected router or switch, and determine the shortest path to the destination through the RP.

This embodiment of the present application includes adding to a multicast group based on interface granularity and joining to a multicast group based on user granularity. Regardless of whether the first user is added to the multicast group based on interface granularity or user granularity, before the first user is added to the multicast group, users in the same EPG may be connected to different interfaces of the leaf switch. A user belonging to the same multicast group and another user has joined the multicast group, then the transmission path between the other user and the RP and the transmission path from the RP to the destination have been established, and the leaf switch does not need to pass through the multicast shared tree Sending a multicast join message to the RP to join the multicast group, the leaf switch only needs to add the first user to the multicast group that the other user belongs to.

Therefore, before the leaf switch adds the first user to the multicast group, the leaf switch first determines whether there is a second user in the switch that belongs to the same multicast group as the first user. Specifically, it can be determined whether the first VLAN is established in the leaf switch The corresponding relationship between the identification and the second interface identification and the identification of the first EPG, that is, users under different interfaces in the leaf switch can belong to the same EPG. At this time, the path corresponding to the multicast group for forwarding multicast traffic has been established, and the leaf switch only needs to add the first user to the multicast group of the leaf switch.

Specifically, if the first user is added to the multicast group based on the interface granularity, and there is already a second user belonging to the same multicast group as the first user, the leaf switch establishes and receives the first message sent by the first user The corresponding relationship between the first incoming interface identifier and the first IP multicast address; if the first user is added to the multicast group based on the interface granularity, and there is no second user belonging to the same multicast group as the first user, then As shown in Figure 5, the leaf switch establishes the corresponding relationship between the first incoming interface identifier and the first IP multicast address, and sends a multicast join message to the RP through an upstream device connected to the switch. The multicast join message includes the first IP multicast address, and establish the corresponding relationship between the first outbound interface identifier of the leaf switch and the first IP multicast address for sending the multicast join message. When the upstream device and RP receive the multicast join message, the upstream device and RP establish the receiving multicast join The corresponding relationship between the incoming interface identifier of the interface of the message and the first IP multicast address, and the corresponding relationship between the outgoing interface identifier sending the multicast join message and the first IP multicast address. Specifically, the leaf switch can send a multicast join message to the upstream switch and RP through a protocol independent multicast (Protocol Independent Multicast, PIM) Join message, and each level receives the multicast join message. The corresponding relationship between the incoming interface of the PIM Join message and the first IP multicast address, and the corresponding relationship between the outgoing interface of the PIM Join message and the first IP multicast address, so as to add the first user to the multicast group;

If the first user is added to the multicast group based on user granularity, and there is already a second user belonging to the same multicast group as the first user, the leaf switch establishes the first inbound interface ID and the first IP address to share with the first The corresponding relationship between the IP multicast address, or establish the corresponding relationship between the first incoming interface identifier, the first IP address and the first VLAN identifier and the first IP multicast address; if the first user is added to the multicast group based on user granularity , and there is no second user belonging to the same multicast group as the first user, the leaf switch establishes the correspondence between the first ingress interface identifier and the first IP address and the first IP multicast address, or establishes the first ingress After the interface identifier, the first IP address, and the first VLAN identifier have a corresponding relationship with the first IP multicast address, the upstream device connected to the leaf switch sends a multicast join message to the RP, and the multicast join message includes the first IP Multicast address, and establish the corresponding relationship between the first outbound interface identifier of the leaf switch sending the multicast join message and the first IP multicast address. After receiving the multicast access message, each upstream device and RP establish a multicast receive message The corresponding relationship between the incoming interface identifier of the join message and the first IP multicast address, and the corresponding relationship between the outgoing interface identifier and the first IP multicast address for sending the multicast join message, so as to add the first user to the multicast group.

305. When the switch receives the first BUM traffic sent by the first user, the switch encapsulates the first BUM traffic into the first multicast traffic of the multicast group, so that the first multicast traffic is forwarded to other multicast traffic belonging to the multicast group. user.

When the first user is a VM, a VXLAN tunneling end point (VXLAN Tunneling End Point, VTEP) can also be deployed in the leaf switch, which is used to encapsulate the BUM traffic into a VXLAN data packet at one end and send the encapsulated packet to the VTEP at the other end through the tunnel , the other end VETP receives the encapsulated message and decapsulates it and forwards the message to each user. Optionally, VETP can also be deployed in the virtual switch (Virtual Switch, vSwitch) of the server, that is, when the leaf switch receives the multicast traffic sent by the user, it is the VM-based MAC or IP control of the vSwitch that makes the forwarding table lookup fail to determine The traffic is not unicast and needs to be flooded. The vSwitch in the server can encapsulate the BUM traffic as multicast traffic and send it to the leaf switch.

After the leaf switch adds the first user to the multicast group, if the first user wants to send BUM traffic to other users in the multicast group, when the leaf switch connected to the first user receives the first For BUM traffic, if the leaf switch fails to perform routing table lookup, Address Resolution Protocol (ARP) table lookup, or Media Access Control (MAC) table lookup, it means that the traffic is not unicast but BUM Traffic requires flooding. As shown in Figure 6, the VTEP in the leaf switch encapsulates the first BUM traffic as the first multicast traffic of the multicast group joined by the first user, and forwards the first multicast traffic in the VXLAN according to the multicast shared tree, so that The first multicast traffic is forwarded to other users belonging to the multicast group in the established multicast sharing tree. Specifically, the first multicast traffic includes the first IP multicast address, and when the leaf switch receives the first multicast traffic, the leaf switch converts the first IP multicast address to the first outgoing interface identifier according to the corresponding relationship The multicast flow is sent to the upstream switch, and the upstream switch transmits the first multicast according to the corresponding relationship between the incoming interface identifier and the first IP multicast address and the corresponding relationship between the outgoing interface identifier and the first IP multicast address established in step 304. The traffic is sent through the spine switch and RP to other leaf switches connected to the multicast group and other users. The other leaf switches are based on the correspondence between the first IP multicast address of other users when they join the multicast group and the outgoing interfaces connected to other leaf switches. , to send the first multicast traffic to the remaining users of the multicast group.

306. When the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes a second IP multicast address corresponding to the multicast group to which the third user belongs, and the switch according to the second IP multicast address and The corresponding relationship of the outgoing interface is to copy and send the second multicast traffic to the user under the outgoing interface corresponding to the second IP multicast address.

For the leaf switch, if the user is added to the multicast group based on the interface granularity, if the leaf switch receives the second multicast traffic corresponding to the third user forwarded by the upstream device of the multicast shared tree, it is assumed that the first The second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs. Users on the egress interface copy and send the second multicast traffic. Since the second multicast traffic carries the second IP multicast address, the set of users connected to the leaf switch that belong to the same EPG as the third user has the same multicast address as the third user, that is, the second IP multicast Address, the online users in this user set will also join the multicast group of the third user when they go online, just like the first user above, and will establish the corresponding relationship between the incoming interface connected to the leaf switch and the second IP multicast address , then when the leaf switch receives the second multicast traffic sent upstream, it will use the incoming interface as the downstream user according to the correspondence between the second IP multicast address in the second multicast traffic and the incoming interface of the leaf switch The outgoing interface for sending sends the second multicast traffic to users in the user set that belong to the same EPG as the third user. Since the users in the same EPG may be connected to different interfaces on the leaf switch, when the leaf switch determines the multiple interfaces that the users in the EPG are connected to the leaf switch, the leaf switch will copy the received second multicast traffic, and send the second multicast traffic to each determined interface, so that users of the same EPG under different interfaces under the leaf switch receive the second multicast traffic. Wherein when sending the second multicast traffic, the VTEP in the leaf switch can decapsulate the second multicast traffic according to the destination IP, that is, the second IP multicast address, and obtain the message corresponding to the second multicast traffic, so as to copy and send the or, the leaf switch sends the second multicast traffic to the user on the interface, and the vSwitch in the server where the user resides decapsulates the second multicast traffic to obtain the decapsulated message.

In VXLAN, the server connected to the same interface may contain multiple VMs. If the multicast traffic is copied and forwarded to the server on the interface connected to the leaf switch and the server, multiple VMs in the server will The multicast traffic is received, but if multiple VMs belong to different EPGs, different tenants will receive the multicast traffic. Therefore, in the above step 304, if the multicast group that the user joins based on user granularity , that is, the leaf switch establishes the corresponding relationship between the user's IP address and the IP multicast address, then when the leaf switch receives the second multicast traffic corresponding to the third user, the switch can identify the second incoming interface according to at least one user and the corresponding relationship between the second IP address and the second IP multicast address, replace the second IP multicast address with the second IP address corresponding to the second IP multicast address; the leaf switch will correspond to the second ingress interface identifier The interface is used as the outgoing interface, the second multicast flow is copied on the outgoing interface, and the copied second multicast flow is sent to at least one user according to the replaced second IP address. That is to say, when the second multicast traffic sent upstream arrives at the leaf switch, if the leaf switch stores the second inbound interface identifier and The corresponding relationship of the second IP address, convert multicast to unicast, that is, replace the second IP multicast address with the second IP addresses of multiple VMs under the same EPG, and connect the VMs under the same EPG to the leaf switch The multiple inbound interfaces of the network are used as the outbound interfaces for traffic transmission, and the second multicast traffic is copied at each outbound interface. The second multicast traffic carries the replaced second IP address for unicast. When the server receives After receiving the second multicast traffic, the second multicast traffic will be sent to multiple VMs under the same EPG according to the second IP address, which can prevent users of different EPGs under the same interface from receiving multicast traffic and reduce downstream The device is flooded with unnecessary traffic or receives unknown traffic.

Optionally, when the first user goes offline, in order to save storage resources of the switch, the method further includes:

307. When the switch detects that the first user is offline, it sends a second packet to the RP, and the second packet includes the first IP multicast address, so that the RP deletes the identification of the incoming interface receiving the multicast join message and the first IP multicast address. The corresponding relationship between the IP multicast address and the corresponding relationship between the outgoing interface identifier and the first IP multicast address.

As shown in Figure 7, when the first user goes offline, an offline notification will be sent to the leaf switch. The offline notification includes the first IP address and the first IP multicast address of the first user. When the leaf switch detects When the first user goes offline, the correspondence between the first inbound interface ID and the first IP multicast address when the first user joins the multicast group based on the interface granularity is deleted, or when the first user joins the multicast group based on the user granularity The corresponding relationship between the first inbound interface identifier and the first IP address and the first IP multicast address, and sends a second message to the RP, the second message carries the first IP multicast address, and the RP receives the Afterwards, the first IP multicast address and the identifier of the incoming interface receiving the multicast join message are deleted. At the same time, the leaf switch will delete the membership list created for the first user.

In addition, the leaf switch also maintains the user's MAC table and ARP table. The MAC table includes the corresponding relationship between the MAC address and the interface established by the leaf switch, and the ARP table includes the corresponding relationship between the MAC address and the IP address. Therefore, when the first user goes offline, the leaf switch will also make the MAC address of the first user correspond to The MAC table and ARP table are aged to save the storage space of the leaf switch.

Therefore, an embodiment of the present invention provides a method for user isolation. The switch listens to the information carried in the first message sent by the first user when the first user goes online, and the switch determines the corresponding relationship between the information carried in the first message and the EPG identifier. The first user belongs to the first EPG, and according to the identification of the first EPG and the corresponding relationship between the identification of the EPG and the IP multicast address, it is determined that the first user corresponds to the first IP multicast address, and it is determined that the first user belongs to the first IP multicast The multicast group corresponding to the address, then, the switch adds the first user to the multicast group, when the switch receives the first BUM flow sent by the first user, the switch encapsulates the first BUM flow into the first group of the multicast group broadcast traffic, the first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other users of the multicast group, so that by dividing different EPGs in a network, each EPG is assigned an IP group The multicast address is used to carry all the BUM traffic of the users of the EPG, that is, to implement user isolation by isolating the BUM traffic of different EPGs, so as to solve the problem that the BUM traffic between tenant groups sharing the same VLAN or the same VXLAN cannot be isolated. In the prior art, forwarding traffic in a non-multicast mode may cause unnecessary ports to receive the traffic and occupy network bandwidth. This application will optimize the forwarding function of BUM traffic.

An embodiment of the present invention provides a switch 8, as shown in FIG. 8, including:

The listening unit 802 is configured to listen to the information carried in the first message sent when the first user goes online;

The determining unit 803 is configured to determine that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG, and to determine that the first user belongs to the first EPG according to the identifier of the first EPG and the identifier of the EPG and the Internet Protocol IP group The corresponding relationship of the broadcast address determines that the first user corresponds to the first IP multicast address, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein the EPG includes a virtual local area network VLAN, a virtual extended local area network VXLAN, or the same For some users in a network segment or subnet, the first EPG is one of multiple EPGs;

A joining unit 804, configured to add the first user to the multicast group;

The encapsulating unit 805 is configured to encapsulate the first BUM traffic into the first multicast traffic of the multicast group when the switch receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user, the first multicast traffic The first IP multicast address is included, so that the first multicast traffic is forwarded to other users corresponding to the multicast group.

Optionally, it may also include: an establishing unit 801, configured to establish a correspondence between the VLAN ID and the incoming interface ID and the EPG ID; and

A correspondence relationship between the EPG identifier and the IP multicast address is established.

Optionally, the determining unit 803 may be used to:

Determine that the first user belongs to the first EPG according to the first VLAN ID carried in the first message, the first inbound interface of the switch receiving the first message, and the correspondence between the VLAN ID and the inbound interface ID and the EPG ID.

Optionally, the determining unit 803 may be used to:

Sending a Dynamic Host Configuration Protocol DHCP message when listening to the first user going online, the DHCP message carries the first media access control MAC address of the first user and the first virtual local area network (VLAN) identifier to which the first user belongs.

Optionally, the adding unit 804 may include:

The determining subunit 8041 is configured to determine whether there is a second user who belongs to the multicast group corresponding to the first IP multicast address together with the first user;

The establishment subunit 8042 is used to add the first user to the multicast group to which the second user belongs together if it is determined to be yes, and establish the corresponding relationship between the first inbound interface identifier and the first IP multicast address;

If it is determined not, then establish the corresponding relationship between the first incoming interface identifier and the first IP multicast address, the method also includes a sending subunit 8043, which is used to send a multicast join message to the rendezvous point RP through the upstream device connected to the switch, and the group The broadcast join message includes the first IP multicast address, and establishes the corresponding relationship between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the RP establish a connection for receiving the multicast join message The corresponding relationship between the incoming interface identifier and the first IP multicast address, and the corresponding relationship between the outgoing interface identifier sending the multicast join message and the first IP multicast address.

Optionally, the adding unit 804 may include:

A determining subunit 8041, configured to determine whether there is a second user belonging to the same multicast group as the first user;

The establishment subunit 8042 is used to add the first user to the multicast group to which the second user belongs together if it is determined to be yes, and to establish a connection between the first inbound interface identifier and the first IP address and the first IP multicast address. Corresponding relationship, or establishing the corresponding relationship between the first incoming interface identifier, the first IP address and the first VLAN identifier and the first IP multicast address;

If it is determined to be negative, then the corresponding relationship between the first incoming interface identifier and the first IP address and the first IP multicast address is established, or the first incoming interface identifier, the first IP address and the first VLAN identifier are jointly associated with the first IP multicast address. The corresponding relationship of the identification of the multicast address is to send a multicast join message to the rendezvous point RP through the upstream device connected to the switch. The corresponding relationship between the interface identifier and the first IP multicast address, so that the upstream device and the RP can establish the corresponding relationship between the incoming interface identifier receiving the multicast join message and the first IP multicast address, and the outgoing interface identifier for sending the multicast join message Corresponding relationship with the first IP multicast address.

Optionally, may also include:

The sending unit 806 is configured to, when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes a second IP multicast address corresponding to the multicast group to which the third user belongs, and according to the second IP group The corresponding relationship between the multicast address and the outgoing interface, and copy and send the second multicast traffic to users under the outgoing interface corresponding to the second IP multicast address.

Optionally, a replacement unit 807 is also included, configured to, when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the second IP multicast address corresponding to the multicast group to which the third user belongs , replacing the second IP multicast address with the second IP corresponding to the second IP multicast address according to the correspondence between the second inbound interface identifier and the second IP address corresponding to at least one user and the second IP multicast address address;

The sending unit 806 may be configured to: use the interface corresponding to the second incoming interface identifier as the outgoing interface, copy the second multicast traffic at the outgoing interface, and send the copied second multicast traffic according to the replaced second IP address to at least one user.

Optionally, the establishment unit 801 may also be used to: establish a membership table for the first user, the membership table includes the correspondence between the MAC address of the first user, the first ingress interface identifier, the first VLAN identifier, and the first IP address, and the first A membership table is used to check whether the user sending multicast traffic is legitimate.

Optionally, it may also include: a deletion unit 808, configured to delete the member table when the switch detects that the first user is offline;

The sending unit 806 is also used to: send a second message to the rendezvous point RP, the second message includes the first IP multicast address, so that the RP deletes the correspondence between the incoming interface identifier and the first IP multicast address for receiving the multicast join message relationship, and the corresponding relationship between the outgoing interface identifier and the first IP multicast address.

Therefore, the switch provided by the embodiment of the present invention listens to the information carried in the first packet sent when the first user goes online, and the switch determines that the first user belongs to the first packet according to the correspondence between the information carried in the first packet and the EPG identifier. An EPG, and according to the identification of the first EPG and the corresponding relationship between the identification of the EPG and the IP multicast address, it is determined that the first user corresponds to the first IP multicast address, and it is determined that the first user belongs to the group corresponding to the first IP multicast address Then, the switch adds the first user to the multicast group. When the switch receives the first BUM flow sent by the first user, the switch encapsulates the first BUM flow into the first multicast flow of the multicast group. The first The multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other users of the multicast group, so that by dividing different EPGs in a network, each EPG allocates an IP multicast address to carry All the BUM traffic of the users of the EPG, that is, user isolation is implemented by isolating the BUM traffic of different EPGs to solve the problem that the BUM traffic between tenant groups sharing the same VLAN or the same VXLAN cannot be isolated. Forwarding traffic in multicast mode may cause unnecessary ports to receive the traffic and occupy network bandwidth. This application will optimize the forwarding function of BUM traffic.

Fig. 9 shows a schematic structural diagram of the switch involved in the above embodiment. The switch may be a switch in the network architecture shown in FIG. 1 , or a leaf switch in the network architecture shown in FIG. 2 , or a switch in the method described in FIG. 3 .

The switch may include: a controller/processor 902 configured to control and manage actions of the switch. For example, the controller/processor 902 is used to support the switch to perform the processes 301-307 in FIG. 3, and/or other processes for the techniques described in the embodiments of the present invention. The memory 901 is used to store program codes and data of the switch. The network interface 903 is used to support communication between the switch and other network entities, and the network interface may include a transmitter and a receiver. For example, the network interface 903 is used to support the communication between the switch and the server where the user is located. For another example, the network interface 903 is used to support communication between the switch and other switches in the multicast sharing tree.

In the embodiment of the present invention, the network interface 903 executing the embodiment of the present invention can be used to listen to the information carried in the first message sent by the first user when going online; the controller/processor 902 can be used to execute the embodiment of the present invention according to the Determine that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG, and according to the identifier of the first EPG and the identifier of the EPG and the Internet Protocol IP group The corresponding relationship of the broadcast address determines that the first user corresponds to the first IP multicast address, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; wherein the EPG includes a virtual local area network (VLAN) , Virtual Extended Local Area Network VXLAN, or some users in the same network segment or subnet, the first EPG is one of the multiple EPGs; the controller/processor 902 executes the embodiment of the present invention and also uses To add the first user to the multicast group; when the network interface 903 receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user, the controller/processor 902 executes the implementation of the present invention The example is also used to encapsulate the first BUM traffic into the first multicast traffic of the multicast group, the first multicast traffic includes the first IP multicast address, so that the first multicast The traffic is forwarded to other users corresponding to the multicast group.

For the specific implementation manners of the foregoing controller/processor 902 and the network interface 903, reference may be made to the foregoing embodiments, and details are not repeated here.

Therefore, the switch provided by the embodiment of the present invention divides different EPGs in a network, and each EPG allocates an IP multicast address to carry all BUM traffic of users of the EPG, that is, BUM traffic passing through different isolated EPGs To achieve user isolation, to solve the problem that the BUM traffic between tenant groups sharing the same VLAN cannot be isolated. Compared with the non-multicast mode of forwarding traffic in the prior art, unnecessary ports may also receive the traffic, occupying the network Bandwidth, this application will optimize the forwarding function of BUM traffic.

In the several embodiments provided in this application, it should be understood that the disclosed terminal and method may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may be physically included separately, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware, or in the form of hardware plus software functional units.

The above-mentioned integrated units implemented in the form of software functional units may be stored in a computer-readable storage medium. The above-mentioned software functional units are stored in a storage medium, and include several instructions to enable a computer device (which may be a personal computer, server, or network device, etc.) to execute some steps of the methods described in various embodiments of the present invention. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM for short), random access memory (Random Access Memory, RAM for short), magnetic disk or optical disk, etc., which can store program codes. medium.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention.

Claims (18)

1. A user isolation method, characterized in that, comprising: The switch monitors the information carried in the first message sent when the first user goes online; The switch determines that the first user belongs to the first EPG according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG, and determines that the first user belongs to the first EPG according to the identifier of the first EPG and the identifier of the EPG. The corresponding relationship with the Internet Protocol IP multicast address determines that the first user corresponds to the first IP multicast address, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address; wherein the The EPG includes a virtual local area network VLAN, a virtual extended local area network VXLAN, or some users in the same network segment or subnet, and the first EPG is one of a plurality of the EPGs; adding the first user to the multicast group by the switch; When the switch receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user, the switch encapsulates the first BUM traffic as the first multicast traffic of the multicast group, The first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other corresponding users belonging to the multicast group. 2. The method according to claim 1, characterized in that the method further comprises: The switch establishes a corresponding relationship between the VLAN identifier and the incoming interface identifier and the identifier of the EPG; and The switch establishes a correspondence between the EPG identifier and the IP multicast address. 3. The method according to claim 1 or 2, wherein the switch determines that the first user belongs to The first EPG includes: The switch, according to the first VLAN ID carried in the first message, the first inbound interface of the switch that receives the first message, and the VLAN ID and inbound interface ID together with the EPG ID The corresponding relationship determines that the first user belongs to the first EPG. 4. The method according to claim 3, wherein adding the first user to the multicast group by the switch comprises: The switch determines whether there is a second user who belongs to the multicast group corresponding to the first IP multicast address together with the first user; If it is determined to be yes, then adding the first user to the multicast group to which the second user belongs together, and establishing a correspondence between the first ingress interface identifier and the first IP multicast address; If it is determined to be no, then the switch establishes the corresponding relationship between the first incoming interface identifier and the first IP multicast address, and sends a multicast join message to the rendezvous point RP through an upstream device connected to the switch, and the The multicast join message includes the first IP multicast address, and establishes a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the The upstream device and the RP establish a corresponding relationship between the identifier of the incoming interface that receives the multicast join message and the first IP multicast address, and the identifier of the outgoing interface that sends the multicast join message and the identifier of the first IP group broadcast address correspondence. 5. The method according to claim 3, wherein adding the first user to the multicast group by the switch comprises: The switch determines whether there is a second user belonging to the same multicast group as the first user; If it is determined to be yes, then add the first user to the multicast group to which the second user belongs, and establish the identification of the first ingress interface and the first IP address together with the first IP group broadcast address, or establish a correspondence between the first inbound interface identifier, the first IP address and the first VLAN identifier and the first IP multicast address; If it is determined to be no, then the switch establishes a correspondence between the first inbound interface identifier and the first IP address and the first IP multicast address, or establishes the first inbound interface identifier, the first inbound interface identifier, and the first IP address. An IP address and the corresponding relationship between the identification of the first VLAN and the identification of the first IP multicast address, the upstream device connected to the switch sends a multicast join message to the rendezvous point RP, and the multicast join The message includes the first IP multicast address, and establishes a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address, so that the upstream device and the The RP establishes the correspondence between the identifier of the incoming interface receiving the multicast join message and the first IP multicast address, and the correspondence between the identifier of the outgoing interface sending the multicast join message and the first IP multicast address relation. 6. The method according to claim 4, characterized in that the method further comprises: When the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes a second IP multicast address corresponding to the multicast group to which the third user belongs, and the switch according to the The corresponding relationship between the second IP multicast address and the outgoing interface, and copy and send the second multicast traffic to users under the outgoing interface corresponding to the second IP multicast address. 7. The method according to claim 5, wherein the method further comprises: When the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes a second IP multicast address corresponding to the multicast group to which the third user belongs, and the switch according to at least The corresponding relationship between the second inbound interface identifier and the second IP address corresponding to a user and the second IP multicast address is to replace the second IP multicast address with the corresponding to the second IP multicast address second IP address; The switch uses the interface corresponding to the second incoming interface identifier as an outgoing interface, copies the second multicast traffic at the outgoing interface, and copies the copied multicast traffic according to the replaced second IP address. The second multicast traffic is sent to the at least one user. 8. The method according to any one of claims 4-7, wherein after the first user goes online, the method further comprises: The switch establishes a membership table for the first user, and the membership table includes a correspondence relationship between the first user's MAC address, the first ingress interface identifier, the first VLAN identifier, and the first IP address, The first member table is used to check whether the user sending the multicast traffic is legitimate. 9. The method of claim 8, further comprising: When the switch detects that the first user is offline, delete the member list, and send a second message to the RP, where the second message includes the first IP multicast address, so that The RP deletes the corresponding relationship between the incoming interface identifier receiving the multicast join message and the first IP multicast address, and the corresponding relationship between the outgoing interface identifier and the first IP multicast address. 10. A switch, characterized in that, comprising: The listening unit is configured to listen to the information carried in the first message sent when the first user goes online; A determining unit, configured to determine that the first user belongs to a first EPG according to the correspondence between the information carried in the first message and the identifier of the terminal policy group EPG, and determine that the first user belongs to the first EPG according to the identifier of the first EPG and the EPG The corresponding relationship between the identifier of the IP multicast address and the Internet Protocol IP multicast address determines that the first user corresponds to the first IP multicast address, and determines that the first user belongs to the multicast group corresponding to the first IP multicast address, wherein The EPG includes a virtual local area network VLAN, a virtual extended local area network VXLAN, or some users in the same network segment or subnet, and the first EPG is one of a plurality of the EPGs; a joining unit, configured to add the first user to the multicast group; An encapsulation unit, configured to encapsulate the first BUM traffic into the first multicast of the multicast group when the switch receives the first broadcast and unknown unicast multicast BUM traffic sent by the first user traffic, the first multicast traffic includes the first IP multicast address, so that the first multicast traffic is forwarded to other users corresponding to the multicast group. 11. The switch according to claim 10, further comprising: An establishing unit, configured to establish a correspondence relationship between the VLAN identifier and the incoming interface identifier and the identifier of the EPG; and A correspondence relationship between the EPG identifier and the IP multicast address is established. 12. The switch according to claim 11, wherein the determining unit is used for: According to the first VLAN ID carried in the first message, the first inbound interface of the switch receiving the first message, and the corresponding relationship between the VLAN ID and the inbound interface ID and the EPG ID It is determined that the first user belongs to a first EPG. 13. The switch according to claim 12, wherein the joining unit comprises: a determination subunit, configured to determine whether there is a multicast group corresponding to the first IP multicast address that the first user belongs to the second user of Establishing a subunit, configured to add the first user to the multicast group to which the second user belongs together, and establish the first ingress interface identifier and the first IP multicast address if it is determined to be yes corresponding relationship; If it is determined not, then establish the corresponding relationship between the first incoming interface identifier and the first IP multicast address, and also include a sending subunit, which is used to send multicast to the rendezvous point RP through the upstream device connected to the switch A join message, the multicast join message includes the first IP multicast address, and establishes a correspondence between the identifier of the first outgoing interface through which the switch sends the multicast join message and the first IP multicast address so that the upstream device and the RP establish a corresponding relationship between the identifier of the incoming interface that receives the multicast join message and the first IP multicast address, and the identifier of the outgoing interface that sends the multicast join message and the identifier of the first IP multicast address Describe the corresponding relationship of the first IP multicast address. 14. The switch according to claim 12, wherein the joining unit comprises: a determining subunit, configured to determine whether there is a second user belonging to the same multicast group as the first user; Establishing a subunit, used to add the first user to the multicast group to which the second user belongs together if it is determined to be yes, and establish the identification of the first ingress interface and the first IP address to be shared with The corresponding relationship of the first IP multicast address, or establishing the corresponding relationship between the first inbound interface identifier, the first IP address and the first VLAN identifier and the first IP multicast address; If it is determined not, then establish the corresponding relationship between the first inbound interface identifier and the first IP address and the first IP multicast address, or establish the first inbound interface identifier and the first IP address and the corresponding relationship between the first VLAN identifier and the identifier of the first IP multicast address, a sending subunit, configured to send a multicast join message to the rendezvous point RP through an upstream device connected to the switch, the The multicast join message includes the first IP multicast address, and establishes the corresponding relationship between the switch sending the multicast join message and the first outgoing interface identifier of the first IP multicast address, so that the upstream The device and the RP establish a corresponding relationship between the identifier of the incoming interface receiving the multicast join message and the first IP multicast address, and the identifier of the outgoing interface sending the multicast join message and the first IP multicast address Address correspondence. 15. The switch according to claim 13, further comprising a sending unit, configured to: when the switch receives the second multicast traffic corresponding to the third user, the second multicast traffic includes the The second IP multicast address corresponding to the multicast group to which the third user belongs, according to the corresponding relationship between the second IP multicast address and the outgoing interface, to the outgoing interface corresponding to the second IP multicast address The user copies and sends the second multicast traffic. 16. The switch according to claim 14, further comprising a replacement unit, configured to: when the switch receives second multicast traffic corresponding to a third user, the second multicast traffic includes the The second IP multicast address corresponding to the multicast group to which the third user belongs, according to the corresponding relationship between the second inbound interface identifier and the second IP address corresponding to at least one user and the second IP multicast address, the The second IP multicast address is replaced with a second IP address corresponding to the second IP multicast address; A sending unit, configured to use the interface corresponding to the second incoming interface identifier as an outgoing interface, copy the second multicast traffic at the outgoing interface, and send the copied traffic according to the replaced second IP address The second multicast traffic is sent to the at least one user. 17. The switch according to any one of claims 13-16, wherein the establishing unit is further configured to: establish a membership table for the first user, the membership table including the MAC address of the first user The address, the first inbound interface identifier, the first VLAN identifier and the corresponding relationship of the first IP address, the first member table is used to check whether the user sending the multicast traffic is legal. 18. The switch according to claim 17, further comprising: a deletion unit, configured to delete the member list when the switch detects that the first user is offline; The sending unit is configured to: send a second message to the rendezvous point RP, the second message includes the first IP multicast address, so that the RP deletes the identifier of the incoming interface receiving the multicast join message and The corresponding relationship between the first IP multicast address and the corresponding relationship between the outgoing interface identifier and the first IP multicast address.