CN101631062B - PVLAN implementation method of trunking port isolation - Google Patents

PVLAN implementation method of trunking port isolation

Info

Publication number
CN101631062B
Authority
CN
China
Prior art keywords
port
territory
pvlan
shared
vlan
Legal status
Active
Application number
CN 200910091461
Other languages
Chinese (zh)
Other versions
CN101631062A (en)
Inventor
李延瑞
马化一
张国刚
陈凡民
薛百华
Current Assignee
Kyland Technology Co Ltd
Original Assignee
Kyland Technology Co Ltd
Priority date
2009-08-25
Filing date
2009-08-25
Publication date
2012-01-11
Application filed by Kyland Technology Co Ltd
Priority to CN 200910091461
Publication of CN101631062A
Application granted
Publication of CN101631062B
Legal status: Active
Anticipated expiration: not stated on the page

Abstract

The invention discloses a PVLAN implementation method for trunk port isolation, relating to the technology of virtual local area network (VLAN) trunk port isolation. The key points of the technical scheme are: a port configured in a PVLAN domain is called a PVLAN port, and PVLAN ports are divided into two equivalence classes, shared port domains and isolated port domains; the upstream port is added to the shared port domain in UNTAG mode; each downstream port is added to its isolated port domain in UNTAG mode; the ports of the isolated port domains are added to the shared port domain in UNTAG mode; the ports of all shared port domains are added to the isolated port domains in UNTAG mode; and the MAC address learning mode is changed to shared VLAN learning mode. The invention is suitable for solving the technical difficulty of trunk port VLAN isolation, optimizes the network and solves the communication security problem.

Description

A PVLAN implementation method for trunk port isolation
Technical field
The present invention relates to the field of network communication technology, and more particularly to the technology of VLAN trunk port isolation.
Background technology
A VLAN is a technology that divides the devices of a local area network (LAN) logically (note: not physically) into separate network segments, that is, smaller LANs, so as to form virtual workgroups (units). VLANs based on 802.1Q can isolate broadcast domains and group users. Their shortcoming is that most networks are built in an aggregation pattern, in which the data of many users converges onto a single aggregation point; if several users are to communicate with the uplink aggregation port, they can only be placed in the same VLAN, so broadcast domain isolation and VLAN isolation cannot be achieved well.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and to provide a technology suitable for switch port isolation and broadcast domain isolation, which helps optimize the network and solves the communication security problem.
The technical scheme of the invention is as follows:
A port configured in a PVLAN domain is called a PVLAN port. PVLAN ports are divided into two equivalence classes: the shared port domain and the isolated port domain. Ports within the shared domain can communicate freely with one another; ports within one isolated domain can communicate freely with one another; isolated-domain ports and shared-domain ports can communicate with each other; ports in different isolated domains cannot communicate with one another.
The VLANs in the PVLAN are divided into a shared port domain VLAN and isolated port domain VLANs. All shared-domain ports must join the shared-domain VLAN in UNTAG mode, and the PVID of a shared-domain port is the shared-domain VLAN ID; all isolated-domain ports must also join the shared-domain VLAN in UNTAG mode. All isolated-domain ports join their isolated-domain VLAN in UNTAG mode, with the isolated-domain VLAN ID as their PVID, and all shared-domain ports join the isolated-domain VLANs in UNTAG mode.
In internal processing, every port with the tag attribute is treated as UNTAG, and all frames passing through these ports are handled as UNTAG.
A shared port domain can contain one or more ports, and an isolated port domain can contain one or more ports.
A switch can be configured with one or more PVLAN groups.
A PVLAN group can contain one shared port domain and several isolated port domains.
The beneficial effect of the invention is that it solves the technical difficulty of trunk port VLAN isolation, optimizes the network and solves the communication security problem.
Description of drawings
Fig. 1 is the PVLAN port domain division diagram;
Fig. 2 is the data flow diagram between the PVLAN domains.
Embodiment
The invention is described further below with reference to the drawings.
Fig. 1 shows the division of the PVLAN port domains: VLAN 100 is the shared port domain, and VLAN 200 and VLAN 300 are isolated port domains. Requirements:
Shared port domain 100 can communicate with isolated port domain 200;
Shared port domain 100 can communicate with isolated port domain 300;
Isolated port domain 200 cannot communicate with isolated port domain 300.
To achieve the above functions, first configure shared port domain 100:
1. VLAN 100 configuration
(1) Create VLAN 100
#kyland(config)#vlan 100
(2) Add the UNTAG ports
#kyland(config-vlan-100)#add port 1 UNTAG priority 1
#kyland(config-vlan-100)#add port 2 UNTAG priority 1
(3) Add the TAG ports
#kyland(config-vlan-100)#add port 3 tag pvlan enable
#kyland(config-vlan-100)#add port 4 tag pvlan enable
#kyland(config-vlan-100)#add port 5 tag pvlan enable
#kyland(config-vlan-100)#add port 6 tag pvlan enable
2. VLAN 200 configuration
(1) Create VLAN 200
#kyland(config)#vlan 200
(2) Add the UNTAG ports
#kyland(config-vlan-200)#add port 3 UNTAG priority 1
#kyland(config-vlan-200)#add port 4 UNTAG priority 1
(3) Add the TAG ports
#kyland(config-vlan-200)#add port 1 tag pvlan enable
#kyland(config-vlan-200)#add port 2 tag pvlan enable
3. VLAN 300 configuration
(1) Create VLAN 300
#kyland(config)#vlan 300
(2) Add the UNTAG ports
#kyland(config-vlan-300)#add port 5 UNTAG priority 1
#kyland(config-vlan-300)#add port 6 UNTAG priority 1
(3) Add the TAG ports
#kyland(config-vlan-300)#add port 1 tag pvlan enable
#kyland(config-vlan-300)#add port 2 tag pvlan enable
(4) Add the created VLANs to the PVLAN
#kyland(config)#pvlan add 100
#kyland(config)#pvlan add 200
#kyland(config)#pvlan add 300
At this point the PVLAN configuration is complete and the desired effect is obtained.
Configuration notes:
When a VLAN is added to the PVLAN with the PVLAN feature enabled, every port with the tag attribute is treated as UNTAG in internal processing, and all frames passing through these ports are handled as UNTAG; therefore data of different VLANs can communicate between the shared domain and an isolated domain. Between one isolated domain and another, the tag ports were not configured into the isolated domains of the other VLANs, so even though frames are processed in UNTAG mode they cannot communicate, which achieves the goal that isolated domains cannot communicate with each other.
Fig. 2 shows the data flow between the PVLAN domains. Each flow is explained below together with its PVID, to give a deeper understanding of the PVLAN mechanism:
(1) Data flow from VLAN 100 to VLAN 200 and VLAN 300.
As shown in the figure, downstream data from VLAN 100 to VLAN 200 and VLAN 300 is marked with PVID 100 as it passes through the switch, that is, the tag carried internally by the switch is 100. Because ports 3, 4, 5 and 6 were each added to VLAN 100 in TAG mode when the PVLAN was configured, a packet that enters the switch through port 1 or 2 and is marked with PVID 100 can be forwarded by the switch to ports 3, 4, 5 and 6, achieving communication from VLAN 100 to VLAN 200 and VLAN 300.
(2) Data flow from VLAN 200 and VLAN 300 to VLAN 100.
Upstream packets from VLAN 200 and VLAN 300 that enter the switch through ports 3, 4, 5 and 6 are marked PVID 200 or PVID 300 respectively once inside the switch. Because ports 1 and 2 were added to VLAN 200 and VLAN 300 in TAG mode during configuration, the marked packets entering through ports 3 to 6 can be forwarded by the switch to ports 1 and 2, achieving communication from VLAN 200 and VLAN 300 to VLAN 100.
(3) Data flow from VLAN 200 to VLAN 300.
Packets from VLAN 200 that reach the switch through ports 3 and 4 are marked PVID 200 on entry; packets from VLAN 300 that reach the switch through ports 5 and 6 are marked PVID 300 on entry. Because no common membership between ports 3, 4 and ports 5, 6 was created during the PVLAN configuration, packets with PVID 200 cannot reach the port domain of PVID 300 through switch forwarding, and likewise packets with PVID 300 cannot reach the port domain of PVID 200, achieving the goal that isolated domains cannot communicate with each other.
The above is merely an embodiment of the process and method of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and essence of the invention shall be included within its scope of protection.
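The configuration steps above and the three data flows just described, as an added worked example that is not part of the patent or of Kyland's code: a small Python model, constructed here, that replays the VLAN membership and PVID settings of the embodiment, floods or unicast-forwards frames by the rules the description gives (a frame's VLAN is the ingress port's PVID, egress only to members of that VLAN), keeps a single MAC table for the shared VLAN learning mode named in the abstract, and checks the three requirements stated for Fig. 1. The class and function names (PvlanSwitch, build_pvlan_config, check_requirements), the drop-on-egress-filter behaviour for a MAC learned outside the frame's VLAN, and the MAC addresses are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PvlanSwitch:
    """Toy model of the forwarding the patent describes (constructed here, not vendor code).

    members[vid] is the set of ports belonging to VLAN vid; pvid[port] is the VLAN an
    untagged frame entering that port is classified into.  Because every PVLAN port is
    handled as UNTAG internally, a frame's VLAN is always the ingress port's PVID.
    """
    members: dict = field(default_factory=dict)   # vid -> {port, ...}
    pvid: dict = field(default_factory=dict)      # port -> vid
    pvlan: set = field(default_factory=set)       # VLANs added with "pvlan add"
    fdb: dict = field(default_factory=dict)       # MAC -> port; no VLAN key = shared VLAN learning

    # --- configuration, mirroring "vlan <id>", "add port <n> ...", "pvlan add <id>" ---
    def vlan(self, vid: int) -> None:
        self.members.setdefault(vid, set())

    def add_port(self, vid: int, port: int, untag: bool) -> None:
        self.members[vid].add(port)
        if untag:                 # "add port n UNTAG": this VLAN becomes the port's PVID
            self.pvid[port] = vid
        # "add port n tag pvlan enable": membership only, the PVID is unchanged

    def pvlan_add(self, vid: int) -> None:
        self.pvlan.add(vid)

    # --- data plane ---
    def flood(self, ingress: int) -> list[int]:
        """Egress ports for a broadcast or unknown-unicast frame entering on `ingress`."""
        vid = self.pvid[ingress]
        if vid not in self.pvlan:
            raise ValueError(f"VLAN {vid} has not been added to the PVLAN")
        return sorted(self.members[vid] - {ingress})

    def forward(self, ingress: int, src_mac: str, dst_mac: str) -> list[int]:
        """Learn src_mac, then forward: known unicast to one port, otherwise flood."""
        self.fdb[src_mac] = ingress   # shared VLAN learning: one table across all VLANs
        if dst_mac == BROADCAST or dst_mac not in self.fdb:
            return self.flood(ingress)
        out = self.fdb[dst_mac]
        # Egress membership filter (assumed): the learned port must belong to the frame's
        # VLAN, so a MAC learned in another isolated domain is unreachable and dropped.
        in_vlan = out in self.members[self.pvid[ingress]]
        return [out] if in_vlan and out != ingress else []

    def can_reach(self, src: int, dst: int) -> bool:
        return dst in self.flood(src)


def build_pvlan_config() -> PvlanSwitch:
    """Replays the embodiment: VLAN 100 shared (ports 1,2), VLAN 200 isolated (3,4),
    VLAN 300 isolated (5,6); cross-domain members are added in tag mode."""
    sw = PvlanSwitch()
    sw.vlan(100)
    for p in (1, 2):
        sw.add_port(100, p, untag=True)
    for p in (3, 4, 5, 6):
        sw.add_port(100, p, untag=False)
    sw.vlan(200)
    for p in (3, 4):
        sw.add_port(200, p, untag=True)
    for p in (1, 2):
        sw.add_port(200, p, untag=False)
    sw.vlan(300)
    for p in (5, 6):
        sw.add_port(300, p, untag=True)
    for p in (1, 2):
        sw.add_port(300, p, untag=False)
    for vid in (100, 200, 300):
        sw.pvlan_add(vid)
    return sw


def check_requirements(sw: PvlanSwitch) -> dict[str, bool]:
    """The three requirements the patent states for Fig. 1, each evaluated in both directions."""
    return {
        "100<->200": sw.can_reach(1, 3) and sw.can_reach(3, 1),
        "100<->300": sw.can_reach(1, 5) and sw.can_reach(5, 1),
        "200-x-300": not sw.can_reach(3, 5) and not sw.can_reach(5, 3),
    }


if __name__ == "__main__":
    sw = build_pvlan_config()
    for port in (1, 3, 5):
        print(f"broadcast entering port {port} leaves on ports {sw.flood(port)}")
    print(check_requirements(sw))
    # Constructed MACs: the uplink host on port 1 and a downstream host on port 3.
    sw.forward(1, "00:00:00:00:00:01", BROADCAST)           # uplink MAC learned on port 1
    print(sw.forward(3, "00:00:00:00:00:03", "00:00:00:00:00:01"))   # known unicast -> [1]
    print(sw.forward(5, "00:00:00:00:00:05", "00:00:00:00:00:03"))   # other isolated domain -> []
```

The shared MAC table is what makes the reply path work: the uplink MAC is learned from a frame classified into VLAN 100, and the reply from port 3 is looked up while classified into VLAN 200; a per-VLAN (independent) learning table would miss the entry and fall back to flooding on every reply. The isolation check in `check_requirements` is the test a defender would run after any change to the membership lists, since a single mistaken tag membership between two isolated domains silently joins them.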

Claims (4)

1. A PVLAN implementation method for trunk port isolation, characterized in that a port configured in a PVLAN domain is called a PVLAN port, and PVLAN ports are divided into two equivalence classes: the shared port domain and the isolated port domain; wherein ports within the shared port domain can communicate freely with one another, ports within one isolated port domain can communicate freely with one another, isolated port domain ports and shared port domain ports can communicate with each other, and ports in different isolated port domains cannot communicate with one another;
the VLANs in the PVLAN are divided into a shared port domain VLAN and isolated port domain VLANs; wherein all shared port domain ports must join the shared port domain VLAN in UNTAG mode, the PVID of a shared port domain port is the shared port domain VLAN ID, and all isolated port domain ports must join the shared port domain VLAN as ports with the tag attribute; all isolated port domain ports join their isolated port domain VLAN in UNTAG mode; their PVID is the isolated domain VLAN ID; all shared port domain ports join the isolated port domain VLANs as ports with the tag attribute; in internal processing every port with the tag attribute is treated as UNTAG, and all frames passing through these ports are handled as UNTAG.
2. The method according to claim 1, characterized in that a shared port domain comprises one or more ports, and an isolated port domain comprises one or more ports.
3. The method according to claim 1, characterized in that the switch is configured with one or more PVLAN groups.
4. The method according to claim 3, characterized in that a PVLAN group comprises one shared port domain and several isolated port domains.

Priority Applications (1)

Application Number: CN 200910091461 (CN101631062B); Priority Date: 2009-08-25; Filing Date: 2009-08-25; Title: PVLAN implementation method of trunking port isolation; Status: Active

Publications (2)

Publication Number Publication Date
CN101631062A CN101631062A (en) 2010-01-20
CN101631062B true CN101631062B (en) 2012-01-11

Family

ID=41576017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910091461 Active CN101631062B (en) 2009-08-25 2009-08-25 PVLAN implementation method of trunking port isolation

Country Status (1)

Country Link
CN (1) CN101631062B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104022960B (en) 2013-02-28 2017-05-31 新华三技术有限公司 Method and apparatus for implementing PVLAN based on the OpenFlow protocol
CN103812752B (en) * 2014-03-03 2018-10-09 国家电网公司 Method for sharing resources between VLANs in a power telecommunication network
CN106685789B (en) * 2017-01-13 2019-10-08 盛科网络(苏州)有限公司 Chip implementation method for PVLAN in stacking mode
CN111181866B (en) * 2019-12-21 2023-06-30 武汉迈威通信股份有限公司 Port aggregation method and system based on port isolation
CN114205236A (en) * 2020-09-18 2022-03-18 中兴通讯股份有限公司 Network configuration method, terminal, system and storage medium
CN112671783B (en) * 2020-12-28 2021-08-10 上海自恒信息科技有限公司 Host IP scanning prevention method based on VLAN user group
CN113438334B (en) * 2021-06-08 2023-02-28 新华三技术有限公司 Port PVID configuration method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7095741B1 (en) * 2000-12-20 2006-08-22 Cisco Technology, Inc. Port isolation for restricting traffic flow on layer 2 switches
CN1905509A (en) * 2006-08-03 2007-01-31 华为技术有限公司 Method and system of user access virtual special LAN service
US20070121623A1 (en) * 2005-11-30 2007-05-31 Garcia Jose A Method and system for establishing narrowband communications connections using virtual local area network identification
CN101035052A (en) * 2007-04-25 2007-09-12 中兴通讯股份有限公司 Port separation method based on the virtual LAN
CN101119276A (en) * 2007-08-22 2008-02-06 杭州华三通信技术有限公司 Method and apparatus for implementing VLAN downlink user isolation


Also Published As

Publication number Publication date
CN101631062A (en) 2010-01-20

Similar Documents

Publication Publication Date Title
CN101631062B (en) PVLAN implementation method of trunking port isolation
CN104022960B (en) Method and apparatus for implementing PVLAN based on the OpenFlow protocol
US10122615B2 (en) Delayed updating of forwarding databases for multicast transmissions over telecommunications networks
CN100461732C (en) Ethernet technology switching and forwarding method, system and equipment
CN100502335C (en) Communication system, wireless LAN base station controller, and wireless LAN base station device
CN104283756B (en) Method and apparatus for implementing a distributed multi-tenant virtual network
CN101155109B (en) Ethernet switching system and equipment
CN101616014B (en) Method for realizing cross-virtual private local area network multicast
JP2008193614A (en) Switching hub and lan system
CN102427429B (en) Method, system and switch for implementing security protection of switch built-in messages
CN103107934B (en) Message processing control method and device
CN103401774A (en) Message forwarding method and equipment based on stacking system
CN101707545B (en) Method and system for realizing private virtual local area network
CN101729355B (en) Method for realizing particular virtual local area network and device
CN102413059A (en) Multicast forwarding method based on SPB (Shortest Path Bridging) network and SPBM (MAC-in-MAC SPB) bridge
CN104092554B (en) Multicast distribution tree method for building up and device
CN107579898A (en) Method and device for interconnection and communication between multiple containers
CN103812752B (en) Method for sharing resources between VLANs in a power telecommunication network
CN101656671A (en) Packet sending method and device
CN101360062B (en) Method and system implementing service of multi-point to multi-point Ethernet with root node
CN107623636A (en) User isolation method and switch
CN1988498A (en) Route repeating method in repeating control separation system
CN107770028B (en) Method for realizing point-to-multipoint virtual local area network service in China telecommunication scene
CN103532857B (en) Data forwarding method and device
CN104702477A (en) Method and device for realizing tunnel protection, and network equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant