CN101631062B - PVLAN implementation method of trunking port isolation - Google Patents
PVLAN implementation method of trunking port isolation Download PDFInfo
- Publication number
- CN101631062B CN101631062B CN 200910091461 CN200910091461A CN101631062B CN 101631062 B CN101631062 B CN 101631062B CN 200910091461 CN200910091461 CN 200910091461 CN 200910091461 A CN200910091461 A CN 200910091461A CN 101631062 B CN101631062 B CN 101631062B
- Authority
- CN
- China
- Prior art keywords
- port
- territory
- pvlan
- shared
- isolated
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Small-Scale Networks (AREA)
Abstract
本发明公开了一种汇聚端口隔离的PVLAN实现方法,旨在提供一种涉及到虚拟局域网汇聚端口隔离的技术。其技术方案的要点是,将配置到PVLAN域内的端口称作PVLAN端口,在PVLAN端口中,将端口划分为两个等价类:共享端口域和隔离端口域;将上行端口以UNTAG方式添加到共享端口域;将下行端口以UNTAG方式添加到各个隔离端口域;将所有隔离端口域内的端口以UNTAG方式加入到共享端口域;所有共享端口域端口以UNTAG方式加入隔离端口域;将MAC地址的学习模式修改为共享VLAN学习模式。本发明适用于解决汇聚端口VLAN隔离的技术难题,并且实现了网络优化和解决了通信安全问题。
The invention discloses a PVLAN implementation method for converging port isolation, aiming to provide a technology related to the isolation of converging ports of a virtual local area network. The main point of the technical solution is to call the port configured in the PVLAN domain as a PVLAN port. In the PVLAN port, the port is divided into two equivalent classes: the shared port domain and the isolated port domain; the uplink port is added to the Shared port domain; add downlink ports to each isolated port domain in UNTAG mode; add all ports in the isolated port domain to shared port domain in UNTAG mode; add all shared port domain ports to isolated port domain in UNTAG mode; The learning mode is changed to shared VLAN learning mode. The invention is suitable for solving the technical problem of VLAN isolation of the aggregation port, realizes network optimization and solves the problem of communication security.
Description
Technical field
The present invention relates to network communications technology field, more particularly, relate to the technology that VLAN converges port isolation.
Background technology
VLAN a kind ofly becomes the network segment (littler local area network (LAN) LAN in other words conj.or perhaps) one by one with Local Area Network equipment from dividing (noting, is not from physically dividing) in logic, thereby realizes the Data Interchange Technology of virtual work group (unit).VLAN based on 802.1Q realizes and can isolate, the user is divided into groups broadcast domain.Its weak point is: most networking mode all is the pattern of converging; Be to be linked to same convergent point on a plurality of user data; If want to let a plurality of users and first line of a couplet pool side port communications like this; Just can only be divided among the same VLAN, can not accomplish preferably that therefore broadcast domain is isolated and VLAN isolates.
Summary of the invention
The objective of the invention is to overcome deficiency of the prior art, provide a kind of and be applicable to that switch ports themselves is isolated and broadcast domain is isolated, help the network optimization and the technology that solves Communication Security Problem.
Technical scheme of the present invention is:
The port that is configured in the PVLAN territory is called the PVLAN port, in the PVLAN port, port is divided into two equivalence classes: shared port territory and isolated port territory; Wherein can free communication between the shared domain inner port, can free communication between the quarantine domain inner port, can mutual communication between quarantine domain port and the shared domain port, can not free communication between the port between the different quarantine domain;
VLAN among the PVLAN is divided into shared port territory and isolated port territory; Wherein all shared port territory ports must add shared port territory VLAN with the UNTAG mode, and the PVID of shared port territory port is shared port territory VLAN ID, and all isolated port territory ports must add shared port territory VLAN with the UNTAG mode; All isolated port territory ports add isolated port territory VLAN with the UNTAG mode, and its PVID is quarantine domain VLAN ID, and all shared port territory ports add isolated port territory VLAN with the UNTAG mode.
The port of all tag attributes is the UNTAG pattern in inter-process, and the message of all these mouthfuls of flowing through all is regarded as UNTAG and handles.
A shared port territory can comprise one or more ports, and an isolated port territory can comprise one or more ports.
A switch can dispose one or more PVLAN groups.
A PVLAN group can comprise a shared port territory and a plurality of isolated ports territory.
The invention has the beneficial effects as follows: solved and converged the technical barrier that port vlan is isolated, realized the network optimization and solved Communication Security Problem.
Description of drawings
Figure is divided in Fig. 1 PVLAN port territory;
Data flow figure between each territory of Fig. 2 PVLAN.
Embodiment
Below in conjunction with accompanying drawing the present invention is done further description.
Fig. 1 has indicated PVLAN port territory division figure, and wherein VLAN 100 is the shared port territory, and VLAN200, VLAN300 are the isolated port territory.Require:
Can communicate by letter with isolated port territory 200 in shared port territory 100
Can communicate by letter with isolated port territory 300 in shared port territory 100
Can not communicate by letter with isolated port territory 300 in isolated port territory 200
In order to accomplish above-mentioned functions, at first dispose shared port territory 100;
1, VLAN100 configuration;
(1). create VLAN 100
#kyland(config)#vlan?100
(2). add the UNTAG port
#kyland(config-vlan-100)#add?port?1?UNTAG?priority?1
#kyland(config-vlan-100)#add?port?2?UNTAG?priority?1
(3). add the Tag port
#kyland(config-vlan-100)#add?port?3?tag?pvlan?enable
#kyland(config-vlan-100)#add?port?4?tag?pvlan?enable
#kyland(config-vlan-100)#add?port?5?tag?pvlan?enable
#kyland(config-vlan-100)#add?port?6?tag?pvlan?enable
2, VLAN200 configuration;
(1). create VLAN 200
#kyland(config)#vlan?200
(2). add the UNTAG port
#kyland(config-vlan-200)#add?port?3?UNTAG?priority?1
#kyland(config-vlan-200)#add?port?4?UNTAG?priority?1
(3). add the Tag port
#kyland(config-vlan-200)#add?port?1?tag?pvlan?enable
#kyland(config-vlan-200)#add?port?2?tag?pvlan?enable
3.VLAN300 configuration;
(1). create VLAN 300
#kyland(config)#vlan?300
(2). add the UNTAG port
#kyland(config-vlan-300)#add?port?5?UNTAG?priority?1
#kyland(config-vlan-300)#add?port?6?UNTAG?priority?1
(3). add the Tag port
#kyland(config-vlan-300)#add?port?1?tag?pvlan?enable
#kyland(config-vlan-300)#add?port?2?tag?pvlan?enable
(4). add the VLAN that creates to PVLAN
#kyland(config)#pvlan?add?100
#kyland(config)#pvlan?add?200
#kyland(config)#pvlan?add?300
So far Pvlan configuration is accomplished, and can get a desired effect.
Configuration instruction:
Then when joining this VLAN among the PVLAN, the port of all tag attributes is the UNTAG pattern in inter-process in the pvlan feature unlatching, and the message of all these mouthfuls of flowing through all is regarded as UNTAG and handles; Therefore the data of different VLAN can intercom mutually in shared domain and the quarantine domain; For quarantine domain and quarantine domain, when configuration tag port, it is not configured in the quarantine domain of different VLAN, so even message handle too and cannot communicate by letter with the UNTAG mode, thereby reach the purpose that quarantine domain can not be communicated by letter.
Fig. 2 has indicated the data flow figure between each territory of PVLAN, down in the face of every data flow with PVID set forth so that the darker realization mechanism of understanding PVLAN:
(1) VLAN100 is to the data flow of VLAN200, VLAN300;
As shown in the figure; The downlink data that is arrived VLAN200 and VLAN300 by VLAN100 via switch has been stamped the mark of PVID100 when the process switch; At switch TAG that internal data is with is 100; Owing to added among the VLAN100 with the TAG pattern respectively carrying out PVLAN when configuration 3.4.5.6 port, thus switches got into by 1.2 mouthfuls, and to be beaten PVID be that 100 packet can be forwarded to the 3.4.5.6. mouth through switch; Thereby reach the purpose that VLAN100 communicates by letter with VLAN200, VLAN300.
(2) VLAN200, VLAN300 are to the data flow of VLAN100;
The upstream data that gets into switch via port 3.4.5.6 by VLAN200, VLAN300 can be labeled as PVID200, PVID300 respectively after wrapping in and getting into switch inside; Because port one .2 has added VLAN200 and VLAN300 respectively with the TAG mode when configuration, the packet of mark can arrive port one .2 through the switch forwarding so get into also by the 3.4.5.6 port; Thereby reach the purpose that VLAN200, VLAN300 and VLAN100 communicate.
(3) VLAN200 is to the data flow of VLAN300;
Stamped the mark of PVID200 at the entering switch through the packet of port 3.4 arrival switches by VLAN200; Stamped the mark of PVID 300 at the entering switch through the packet of port 5.6 arrival switches by VLAN300; Because not common factor generation of 3.4.5.6 port when carrying out the PVLAN configuration; Therefore the packet of PVID 200 can not arrive the port territory of PVID 300 through the forwarding of switch; In like manner, the packet of PVID300 can not arrive the port territory of PVID200 through the forwarding of switch; Thereby reached the purpose that to communicate by letter between the quarantine domain.
The above is merely process of the present invention and method embodiment, in order to restriction the present invention, all any modifications of within spirit of the present invention and essence, being made, is not equal to replacement, improvement etc., all should be included within the protection range of the present invention.
Claims (4)
1. a PVLAN implementation method that converges port isolation is characterized in that, the port that is configured in the PVLAN territory is called the PVLAN port, in the PVLAN port, port is divided into two equivalence classes: shared port territory and isolated port territory; Wherein can free communication between the inner port of shared port territory, can free communication between the inner port of isolated port territory, can mutual communication between isolated port territory port and the shared port territory port, can not free communication between the port between the different isolated ports territory;
VLAN among the PVLAN is divided into shared port territory and isolated port territory; Wherein all shared port territory ports must add shared port territory VLAN with the UNTAG mode, and the PVID of shared port territory port is shared port territory VLAN ID, and all isolated port territory ports must add shared port territory VLAN with the port mode of tag attribute; All isolated port territory ports add isolated port territory VLAN with the UNTAG mode; Its PVID is quarantine domain VLAN ID; All shared port territory ports add isolated port territory VLAN with the port mode of tag attribute; The port of all tag attributes is the UNTAG mode in inter-process, and the message of all these mouthfuls of flowing through all is regarded as UNTAG and handles.
2. method according to claim 1 is characterized in that, a shared port territory comprises one or more ports, and an isolated port territory comprises one or more ports.
3. method according to claim 1 is characterized in that, the one or more PVLAN groups of switch configuration.
4. method according to claim 3 is characterized in that, a PVLAN group comprises a shared port territory and a plurality of isolated ports territory.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910091461 CN101631062B (en) | 2009-08-25 | 2009-08-25 | PVLAN implementation method of trunking port isolation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910091461 CN101631062B (en) | 2009-08-25 | 2009-08-25 | PVLAN implementation method of trunking port isolation |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101631062A CN101631062A (en) | 2010-01-20 |
| CN101631062B true CN101631062B (en) | 2012-01-11 |
Family
ID=41576017
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200910091461 Active CN101631062B (en) | 2009-08-25 | 2009-08-25 | PVLAN implementation method of trunking port isolation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101631062B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104022960B (en) | 2013-02-28 | 2017-05-31 | 新华三技术有限公司 | Method and apparatus based on OpenFlow protocol realizations PVLAN |
| CN103812752B (en) * | 2014-03-03 | 2018-10-09 | 国家电网公司 | In a kind of power telecom network between VLAN resource-sharing method |
| CN106685789B (en) * | 2017-01-13 | 2019-10-08 | 盛科网络(苏州)有限公司 | The chip implementing method of PVLAN under stacking mode |
| CN111181866B (en) * | 2019-12-21 | 2023-06-30 | 武汉迈威通信股份有限公司 | A port aggregation method and system based on port isolation |
| CN114205236B (en) | 2020-09-18 | 2025-04-08 | 中兴通讯股份有限公司 | Network configuration method, terminal, system and storage medium |
| CN112671783B (en) * | 2020-12-28 | 2021-08-10 | 上海自恒信息科技有限公司 | Host IP scanning prevention method based on VLAN user group |
| CN113438334B (en) * | 2021-06-08 | 2023-02-28 | 新华三技术有限公司 | Port PVID configuration method, device and system |
| CN116708196B (en) * | 2023-06-28 | 2025-08-19 | 济南浪潮数据技术有限公司 | Bare metal tenant isolation method, device, equipment and medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7095741B1 (en) * | 2000-12-20 | 2006-08-22 | Cisco Technology, Inc. | Port isolation for restricting traffic flow on layer 2 switches |
| CN1905509A (en) * | 2006-08-03 | 2007-01-31 | 华为技术有限公司 | Method and system of user access virtual special LAN service |
| US20070121623A1 (en) * | 2005-11-30 | 2007-05-31 | Garcia Jose A | Method and system for establishing narrowband communications connections using virtual local area network identification |
| CN101035052A (en) * | 2007-04-25 | 2007-09-12 | 中兴通讯股份有限公司 | Port separation method based on the virtual LAN |
| CN101119276A (en) * | 2007-08-22 | 2008-02-06 | 杭州华三通信技术有限公司 | A method and device for realizing downlink user isolation in a VLAN |
-
2009
- 2009-08-25 CN CN 200910091461 patent/CN101631062B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7095741B1 (en) * | 2000-12-20 | 2006-08-22 | Cisco Technology, Inc. | Port isolation for restricting traffic flow on layer 2 switches |
| US20070121623A1 (en) * | 2005-11-30 | 2007-05-31 | Garcia Jose A | Method and system for establishing narrowband communications connections using virtual local area network identification |
| CN1905509A (en) * | 2006-08-03 | 2007-01-31 | 华为技术有限公司 | Method and system of user access virtual special LAN service |
| CN101035052A (en) * | 2007-04-25 | 2007-09-12 | 中兴通讯股份有限公司 | Port separation method based on the virtual LAN |
| CN101119276A (en) * | 2007-08-22 | 2008-02-06 | 杭州华三通信技术有限公司 | A method and device for realizing downlink user isolation in a VLAN |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101631062A (en) | 2010-01-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101631062B (en) | PVLAN implementation method of trunking port isolation | |
| CN104022960B (en) | Method and apparatus based on OpenFlow protocol realizations PVLAN | |
| US10122615B2 (en) | Delayed updating of forwarding databases for multicast transmissions over telecommunications networks | |
| CN104468394B (en) | Message forwarding method and device in a kind of VXLAN networks | |
| CN100461732C (en) | A method, system and device for switching and forwarding Ethernet technology | |
| CN104009926B (en) | Multicast method in EVI network and edge device ED | |
| CN101616014B (en) | Method for realizing cross-virtual private local area network multicast | |
| CN102739501B (en) | Message forwarding method and system in two three layer virtual private networks | |
| CN104283756A (en) | A method and device for implementing a distributed multi-tenant virtual network | |
| CN102427429B (en) | A kind of realize the method for switch built-in message security protection, system and switch | |
| CN103107934B (en) | A kind of Message processing control method and device | |
| CN101635702B (en) | Method for forwarding data packet using security strategy | |
| CN105227363B (en) | A kind of whole network port separation method and device based on SDN | |
| CN104092554B (en) | Multicast distribution tree method for building up and device | |
| CN104158745A (en) | Data packet forwarding method and system | |
| CN101707562A (en) | Method and device for realizing access of virtual local area network (VLAN) stacking in virtual private wire service (VPWS) | |
| CN104092684B (en) | A kind of OpenFlow agreements support VPN method and apparatus | |
| CN110022262A (en) | A kind of mthods, systems and devices for realizing planar separation based on SDN network | |
| CN106713026A (en) | Service chain topological structure, service chain setting method and controller | |
| CN105743797B (en) | Multicasting VPN tunnel establishing method based on interface binding | |
| CN107579898A (en) | The method and its device of interconnected communication between one kind of multiple containers | |
| CN105376161B (en) | Multicast distribution tree switching method and device | |
| CN107592259B (en) | Flow switching method in a kind of VRRP protection scene | |
| CN103905285A (en) | Method for dividing users with the same MAC address into multiple different VLANs | |
| CN101360062A (en) | Method and system for realizing multipoint-to-multipoint Ethernet service with root node |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |