WO2013139270A1 - Method, device and system for implementing a Layer 3 virtual private network - Google Patents
- Publication number
- WO2013139270A1 (PCT/CN2013/072915)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vpn
- packet
- multicast
- routing
- address
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a method, device, and system for implementing a three-layer virtual private network (VPN).
- a virtual private network (VPN) is a private network that an operator provides to a user through its public network.
- the VPN member nodes that are geographically separated from each other are connected to the corresponding carrier border device through the client device, and form the customer's VPN network through the operator's public network.
- the VPN implementation is divided into the following two types: the Layer 3 Virtual Private Network (L3VPN), which requires the operator's border device to participate in the calculation and delivery of the customer route, and the Layer 2 Virtual Private Network (L2VPN), which does not require carrier edge devices to participate in the calculation and delivery of customer routes.
- the Provider Edge (PE) devices that belong to the same VPN exchange VPN routing information through the Border Gateway Protocol (BGP). The BGP protocol must be configured manually on each PE.
- Each VPN has a global VPN ID.
- each PE device allocates a local VPN label to the VPN for data forwarding.
- the PE performs the VPN deployment by interacting with the PEs through the BGP packets carrying the VPN parameters.
- the number of PEs is generally very large, and the configuration of the BGP protocol is correspondingly cumbersome and complicated.
- the existing L3VPN solution requires a large number of complex parameter configurations on the PEs, such as VPN-related parameter configuration and BGP neighbor parameter configuration.
- Embodiments of the present invention provide a method, device, and system for implementing a three-layer virtual private network, which can improve the automatic configuration and automatic operation capability of the VPN.
- a method for implementing a three-layer virtual private network comprising:
- the first carrier edge (PE) device receives the virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device.
- when the second PE device is connected to the same VPN as the first PE device, the first PE device performs routing protocol packet interaction in the same VPN with the second PE device to generate a VPN routing forwarding table corresponding to the same VPN.
- the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
- a first carrier edge PE device including:
- the neighbor receiving unit is configured to receive the virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device.
- a network determining unit configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device;
- a routing interaction unit configured to perform, when the second PE device and the first PE device are connected to the same VPN, the routing protocol packet exchange in the same VPN with the second PE device, to generate the VPN routing forwarding table corresponding to the same VPN, wherein the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
- a system for implementing a three-layer virtual private network comprising: a first PE device and a second PE device;
- the first PE device is configured to: receive a virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, the VPN ID, and the VPN label corresponding to the second PE device; determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device; and, when the second PE device is connected to the same VPN as the first PE device, exchange routing protocol packets in the same VPN with the second PE device and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label assigned by the second PE device to the same VPN.
- the method, the device and the system for implementing the three-layer virtual private network provided by the embodiment of the present invention add the VPN neighbor discovery message by extending the TLV message, and carry the VPN ID and the VPN label in the VPN neighbor discovery message, so that, by identifying the VPN ID in the VPN neighbor discovery message, the PE device that belongs to the same VPN as the first PE device is determined and routing protocol packets are exchanged with that PE device in the same VPN. Compared with the existing technology, the PE device can automatically discover the PEs of the same VPN and complete the routing protocol packet interaction, which eliminates a lot of manual configuration work and improves the automatic configuration and automatic operation capability of the VPN.
- FIG. 1 is a flowchart of a method for implementing a three-layer virtual private network according to Embodiment 1 of the present invention
- FIG. 2 is a flowchart of a method for implementing a three-layer virtual private network according to Embodiment 2 of the present invention
- FIG. 4 is a flowchart of another method for implementing a three-layer virtual private network according to Embodiment 2 of the present invention
- FIG. 5 is a schematic diagram of a VPN connection situation according to an embodiment of the present invention.
- FIG. 6 is a schematic structural diagram of a first PE device according to Embodiment 3 of the present invention.
- FIG. 7 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
- FIG. 8 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
- FIG. 9 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
- FIG. 10 is a schematic diagram of a system composition for implementing a three-layer virtual private network according to Embodiment 3 of the present invention.
- the Provider Edge (PE) device and the Customer Edge Router (CE) need to exchange routing information.
- the routing exchange between the PE and the CE may use static routing, or may use dynamic routing protocols such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (ISIS), and BGP.
- PEs belonging to the same VPN can exchange VPN routing information through the OSPF protocol or the ISIS protocol.
- the Provider Router (P) does not need to know the routing information of the customer's VPN network. This transparency can effectively reduce the burden on the P router and improve the scalability of the network and the flexibility of service development.
- after receiving the IP data packet sent from the local CE, the PE searches for the best route matching the destination address of the IP data packet in the routing forwarding table corresponding to the VPN to which the CE belongs, and then uses Multiprotocol Label Switching (MPLS) or IP tunneling to transmit the IP data packet to the next hop PE device across the carrier MPLS/IP network.
- the embodiment of the present invention mainly improves the automatic configuration of the L3VPN technology. Therefore, the VPN referred to in the following is the L3VPN.
- An embodiment of the present invention provides a method for implementing a three-layer virtual private network. As shown in FIG. 1, the method includes:
- the first PE device receives the virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended Type-Length-Value (TLV) packet carrying an IP address, a VPN ID, and a VPN label corresponding to the second PE device.
- the VPN neighbor discovery packet is an extended TLV packet, for example, a TLV packet in the ISIS protocol or a TLV packet in the OSPF protocol. Specifically, the VPN neighbor discovery packet under the ISIS protocol is shown in Table 1.
- the extended ISIS TLV contains the message type identifier (type), the TLV packet length (length), and the TLV message content (value).
- a specific message type identifier (type) can be defined for a TLV dedicated to VPN neighbor discovery, so that when any PE device in the public network receives the VPN neighbor discovery packet, the device can determine the usage of the TLV according to the type identifier.
- the Next-hop address field is used to fill in the IP address of the PE device that sends the VPN neighbor discovery message.
- Value contains the VPN ID and VPN label written in pairs. For example, a VPN ID can occupy 32 bits, of which 20 bits hold the VPN ID and 12 bits are reserved. Similarly, a VPN label can also occupy 32 bits, of which 20 bits hold the VPN label and 12 bits are reserved.
- the VPN neighbor discovery packet under the OSPF protocol is shown in Table 1.
- the extended OSPF TLV includes a packet type identifier (type), a TLV packet length (length), and a TLV packet content (value).
- a specific type identifier can be defined such that when any one of the PE devices in the public network receives the VPN neighbor discovery message, the usage of the TLV can be determined according to the type identifier.
- For the method of filling in the value field reference may be made to the method of filling the ISIS TLV, which is not described herein again.
- a VPN neighbor discovery packet can carry one VPN ID and VPN label pair. For example, if the second PE device is only connected to the VPN1, the second PE device can write the VPN ID of the VPN1 and the VPN label allocated by the second PE device to the VPN1 in the VPN neighbor discovery message.
- the first PE device may determine, according to the VPN ID carried in the VPN neighbor discovery packet (that is, the VPN ID corresponding to the second PE device) and the VPN ID of the first PE device, whether the second PE device is connected to the same VPN as the first PE device.
- the first PE device may perform the routing protocol packet interaction in the same VPN with the second PE device to complete the subsequent VPN configuration process.
- the VPN ID of the VPN1 carried in the VPN neighbor discovery packet, the VPN label allocated by the second PE device to the VPN1, and the IP address of the second PE device may also be recorded, so as to perform subsequent routing protocol packet interaction.
- the second PE device can write the VPN ID of the VPN1 and the VPN label allocated by the second PE device to the VPN1 in the VPN neighbor discovery message, together with the VPN ID of the VPN2 and the VPN label assigned by the second PE device to VPN2.
- the first PE device may compare the VPN ID corresponding to the VPN (for example, VPN1) connected to the first PE device with the VPN ID carried in the received VPN neighbor discovery message (that is, the VPN ID corresponding to the VPN to which the second PE device is connected) to determine whether there is a matching VPN ID.
- the first PE device can perform the routing protocol packet exchange in the same VPN with the second PE device to complete the subsequent VPN configuration process.
- the VPN ID of the VPN1 carried in the VPN neighbor discovery packet, the VPN label assigned by the second PE device to the VPN1, and the IP address of the second PE may be recorded, so as to perform subsequent routing protocol packet exchange.
- the first PE device may distinguish, by using the VPN ID, whether the sender of the VPN neighbor discovery message and the first PE device belong to the same VPN.
- the VPN corresponds to the VPN ID
- the first PE device is configured as a member node of one or more VPNs. Therefore, the first PE device records the VPN ID of the VPN to which the first PE device belongs.
- the second PE device that sends the VPN neighbor discovery packet allocates a VPN label to the VPN to which the second PE device belongs.
- the first PE device determines, according to the type identifier, that the packet is a VPN neighbor discovery packet, and compares the VPN ID in the value field with the VPN ID of the first PE device to determine whether the second PE device and the first PE device are connected to the same VPN.
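The following sketch is an added example, not code from the patent: it encodes and defensively parses a VPN neighbor discovery TLV and records only the pairs whose VPN ID the local PE is attached to. The type code 250, the IPv4 next-hop field, the one-byte type and length fields, and the placement of the 20 significant bits in the high-order part of each 32-bit word are assumptions, as are all function names.

```python
import ipaddress
import struct

# Assumptions (not stated in the patent text): the TLV type code, an IPv4
# next-hop address, and the 20 significant bits sitting in the high-order
# part of each 32-bit word with the 12 reserved bits below them.
VPN_ND_TYPE = 250      # hypothetical type code for VPN neighbor discovery
NEXT_HOP_LEN = 4       # bytes of the Next-hop address field
PAIR_LEN = 8           # one 32-bit VPN ID word plus one 32-bit label word
RESERVED_BITS = 12


class TLVError(ValueError):
    """Raised when a received TLV is malformed."""


def build_vpn_nd_tlv(next_hop, pairs):
    """Encode the sender's IP address and its (vpn_id, label) pairs."""
    value = ipaddress.IPv4Address(next_hop).packed
    for vpn_id, label in pairs:
        if not (0 <= vpn_id < 1 << 20 and 0 <= label < 1 << 20):
            raise ValueError("VPN ID and label must fit in 20 bits")
        value += struct.pack("!II", vpn_id << RESERVED_BITS,
                             label << RESERVED_BITS)
    if len(value) > 255:
        raise ValueError("value does not fit a one-byte length field")
    return bytes([VPN_ND_TYPE, len(value)]) + value


def parse_vpn_nd_tlv(data):
    """Return (next_hop, [(vpn_id, label), ...]); None for other TLV types."""
    if len(data) < 2:
        raise TLVError("truncated TLV header")
    tlv_type, length = data[0], data[1]
    if tlv_type != VPN_ND_TYPE:
        return None
    value = data[2:2 + length]
    if len(value) != length:
        raise TLVError("declared length exceeds received bytes")
    if length < NEXT_HOP_LEN or (length - NEXT_HOP_LEN) % PAIR_LEN:
        raise TLVError("value is not a next hop followed by whole pairs")
    next_hop = str(ipaddress.IPv4Address(value[:NEXT_HOP_LEN]))
    pairs = []
    for off in range(NEXT_HOP_LEN, length, PAIR_LEN):
        raw_id, raw_label = struct.unpack_from("!II", value, off)
        # Reserved bits are ignored on receipt.
        pairs.append((raw_id >> RESERVED_BITS, raw_label >> RESERVED_BITS))
    return next_hop, pairs


def update_neighbor_list(neighbors, local_vpn_ids, data):
    """Record sender IP and label for every VPN ID shared with the local PE.

    neighbors maps vpn_id -> {neighbor_ip: label allocated by that neighbor}.
    Returns the list of VPN IDs that matched.
    """
    parsed = parse_vpn_nd_tlv(data)
    if parsed is None:
        return []
    next_hop, pairs = parsed
    matched = []
    for vpn_id, label in pairs:
        if vpn_id in local_vpn_ids:
            neighbors.setdefault(vpn_id, {})[next_hop] = label
            matched.append(vpn_id)
    return matched


if __name__ == "__main__":
    # Constructed sample: node B (10.0.0.2) announces VPN 1 with label 200
    # and VPN 3 with label 900; node A is attached to VPNs 1 and 2.
    table = {}
    tlv = build_vpn_nd_tlv("10.0.0.2", [(1, 200), (3, 900)])
    print(update_neighbor_list(table, {1, 2}, tlv), table)
```

A TLV whose declared length disagrees with the bytes received, or whose value is not a whole number of pairs, is rejected before any entry reaches the neighbor list.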
- the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
- the routing information is written into the routing protocol packet in advance, and interacts with the determined second PE device that is connected to the same VPN as the first PE device.
- the routing protocol packet is a Link State Advertisement (LSA) protocol packet under the OSPF protocol, or a Link State Protocol Data Unit (LSP) protocol packet under the ISIS protocol.
- the LSA protocol packet uses a specific destination multicast IP address
- the LSP protocol packet uses a specific destination multicast media access control (MAC) address for the second PE device.
- the method for implementing the three-layer virtual private network defines the VPN neighbor discovery message by extending the TLV message, and carries the VPN ID and the VPN label in the VPN neighbor discovery message, so that the VPN ID in the VPN neighbor discovery packet identifies the PE device that belongs to the same VPN as the first PE device, and the routing protocol packet exchange is performed with that PE device in the same VPN.
- the device can automatically discover the PEs that belong to the same VPN and complete the routing protocol packet exchange. This eliminates a lot of manual configuration and improves the automatic configuration and automatic operation of the VPN.
- An embodiment of the present invention provides a method for implementing a three-layer virtual private network which, as shown in FIG. 2, includes:
- the first PE device sends a VPN neighbor discovery packet to the second PE device, so that the first PE device is discovered by the second PE device that is connected to the same VPN.
- the first PE device may be any PE device in a VPN.
- three PE devices are connected in the VPN1, namely, node A, node B, and node C, respectively. Any one of the PE devices (Node A) is taken as the first PE device.
- Nodes B and C are two neighboring nodes that are connected to the same VPN as the first PE device (Node A).
- Node D is a PE device in the public network, but it is not a PE device connected to VPN1, so it is not a neighbor node of Node A in terms of VPN1.
- the VPN deployment may overlap, that is, the member nodes include nodes A and D for VPN2, so node D is the neighbor node of node A for VPN2.
- the remaining nodes in the public network, including nodes B, C and D, can be used as the second PE device.
- the VPN neighbor discovery packet sent by the node A to the other nodes in the public network includes the VPN label assigned by the node A to the VPN1.
- the VPN label is unique in the same VPN and is used to identify the sender (node A) that issues the VPN neighbor discovery message.
- the VPN neighbor discovery packet further includes a VPN ID, where the VPN ID is an identifier of a VPN to which the node A is connected. For example, the VPN label assigned by node A to VPN1 is 100.
- the VPN ID (VPN1) and the VPN label (100) of node A can be written in the value field of the VPN neighbor discovery message, so the VPN ID and VPN label exist in pairs in the neighbor discovery message. It can be understood that a VPN neighbor discovery message can carry one VPN ID and VPN label pair, and can also carry multiple pairs of VPN IDs and VPN labels at the same time.
- the first PE device receives a VPN neighbor discovery packet sent by the second PE device.
- the configuration of the VPN neighbor discovery packet is the same as that described in the step 201.
- the other nodes in the public network can also send the VPN configuration information to the first PE device by using the VPN neighbor discovery packet.
- the VPN neighbor discovery packet is an extended TLV packet, and carries the IP address of the second PE device that sends the VPN neighbor discovery message, the VPN ID of the VPN to which the second PE device is connected, and the VPN label assigned by the second PE device to that VPN.
- a VPN neighbor discovery packet can carry multiple pairs of VPN IDs and VPN labels at the same time, so after the first PE device receives the VPN neighbor discovery message, the message needs to be parsed and the VPN information relevant to the first PE device identified.
- the first PE device (node A) itself is connected to VPN1, so the VPN ID of VPN1 can be identified in the received VPN neighbor discovery message.
- the VPN ID of the VPN1 is obtained, and thus the neighbor node (Node B) that belongs to the VPN1 is found, and the VPN label (200) that Node B assigned to the VPN1 and the IP address of Node B are recorded.
- if another VPN neighbor discovery message is received from a second PE device (node X) that is not connected to the same VPN as node A, no matching VPN ID can be parsed from it, and node X is not used as a neighbor node.
- the VPN ID corresponding to the same VPN, the VPN label allocated by the second PE device to the same VPN, and the IP address of the second PE device are recorded in the VPN neighbor list.
- each VPN connected to the first PE device may have a VPN neighbor list, in which the IP address of each second PE device belonging to the same VPN and the VPN label it allocated for the same VPN may be recorded. For example, the VPN neighbor list of node A for VPN1 records the IP address of node B and the VPN label 200 assigned by node B to VPN1, and the IP address of node C and the VPN label 300 assigned by node C to VPN1. For example, if node A is connected to both VPN1 and VPN2, then two corresponding VPN neighbor lists can be generated on node A.
- the first PE device may also generate a shared VPN neighbor list for multiple VPNs connected to the first device.
- in the shared VPN neighbor list, the VPN ID of each VPN to which the first PE device is connected, the IP address of the PE device included in each VPN, and the VPN label may be recorded.
- the node A can identify the IP address of the Node B belonging to the VPN1 and the VPN label assigned by the Node B to the VPN1 from the shared VPN neighbor list according to the VPN ID of the VPN1.
- the first routing protocol packet is sent by the first tunnel, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
- the routing protocol packet is used to convey the reachability of the route, so that each member PE device in the same VPN generates a VPN routing forwarding table and, during service communication, finds the best path according to the VPN routing forwarding table to transmit the service data to the next hop PE device.
- the VPN label type to be carried in the first tunnel encapsulation information may be set as a downstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
- node A writes the VPN label (200) that node B allocated to VPN1, previously obtained through VPN neighbor discovery, into the first tunnel encapsulation information and sets it as a downstream allocation label, so that when node B receives the first routing protocol packet, it recognizes the label as the one it assigned to VPN1 and determines that the first routing protocol packet is a routing protocol packet belonging to VPN1.
- the second routing protocol packet is sent by the second tunnel, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN.
- node A receives the encapsulated second routing protocol packet sent by node B (the second PE device) through the point-to-point tunnel, and parses the VPN label (100) carried in the second tunnel encapsulation information. After determining which VPN (VPN1) node A assigned this VPN label to, it can be determined that the currently received second routing protocol packet is a routing protocol packet belonging to VPN1.
- the VPN routing forwarding table may include a prefix, a next hop (that is, an IP address of each PE device in the same VPN), and similar information, in order to determine an optimal path according to the VPN routing forwarding table during service transmission.
- the method of the embodiment shown in FIG. 2 may further include:
- the best transmission path can be determined according to the VPN routing forwarding table corresponding to the same VPN, and the service data is sent to the best next hop PE device.
- the routing protocol packet interaction may be performed through a point-to-point tunnel, and the routing protocol packet interaction may be performed through a dedicated private network multicast tree dedicated to each VPN.
- the method for implementing a three-layer virtual private network provided by an embodiment of the present invention may include:
- the third routing protocol packet is encapsulated to obtain a first multicast packet, and is sent to another PE device in the private public network multicast tree by using the private public network multicast tree corresponding to the same VPN.
- the private network multicast tree includes all the PE devices connected to the same VPN, and the destination address of the first multicast packet is a multicast group address corresponding to the private public network multicast tree.
- Each private public network multicast tree has a multicast group address, that is, the same VPN corresponds to a private public network multicast tree and corresponds to a multicast group address.
- the public network multicast tree is a carrier multicast tree
- the private public network multicast tree is a non-aggregated multicast tree
- the shared public network multicast tree is an aggregated multicast tree.
- a dedicated public network multicast tree can be pre-configured to set all member PEs belonging to the same VPN as leaf nodes of a private public network multicast tree.
- VPN1 consisting of three member PE devices (nodes A, B, and C) corresponds to a private public network multicast tree 1
- the leaf nodes of the private public network multicast tree 1 include nodes A, B, and C.
- the private public network multicast tree 1 sends the first multicast packet to the node B at the same time.
- the node analyzes the multicast group address carried in the first multicast packet to determine that the currently received first multicast packet belongs to the VPN1, and then records the routing information in the third routing protocol packet and generates a VPN routing forwarding table corresponding to VPN1.
- receiving, through the private public network multicast tree corresponding to the same VPN, a second multicast packet that the second PE device obtained by encapsulating the fourth routing protocol packet, and determining the corresponding VPN according to the destination address of the second multicast packet.
- the destination address of the second multicast packet is a multicast group address corresponding to the private public network multicast tree.
- the first PE device is a member node of the VPN and is also a leaf node of the public network multicast tree. Therefore, from the multicast group address carried in the received second multicast packet, it can be determined which VPN the received fourth routing protocol packet belongs to and which VPN routing forwarding table it corresponds to.
- the VPN routing forwarding table may include information such as an IP address (next hop) and a prefix of each PE device connected to the same VPN, so as to determine an optimal path according to the VPN routing forwarding table in the service transmission process.
- the embodiment shown in FIG. 3 may further include step 308, which is the same as step 208.
- routing protocol packet interaction may also be performed by using a shared public network multicast tree shared by multiple VPNs.
- the method for implementing a three-layer virtual private network provided by the embodiment of the present invention may include:
- the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
- the shared public network multicast tree includes all the member PE devices in the at least two VPNs sharing the shared public network multicast tree, and the VPN label allocation is independent of each other for different VPNs, so the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the VPN label is set as an upstream allocation label. In this way, when the other PEs in the public network multicast tree receive the third multicast packet, the VPN label carried in the third multicast packet can be processed as an upstream allocation label.
- the second PE device may determine for which VPN the first PE device allocated the VPN label, that is, determine the VPN corresponding to the VPN label.
- the source IP address of the fourth multicast packet is used to search the VPN neighbor list, and the label determines the VPN corresponding to the sixth routing protocol.
- the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree.
- before sending the fourth multicast packet, the second PE device sets the type of the VPN label carried in the fourth multicast packet to the upstream allocation label type, so that the first PE device determines the identification manner of the VPN label.
- the source IP address of the fourth multicast packet and the carried VPN label are used to query the VPN neighbor list, and after finding an entry that matches both the source IP address and the VPN label, the matching entry is determined to belong.
- the VPN label recorded in the VPN neighbor list is the VPN label assigned to the VPN by the upstream PE device (for the first PE device, the upstream PE device is the second PE device).
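The three ways a received routing protocol packet is mapped to a VPN (downstream-allocated label on a point-to-point tunnel, multicast group address on a dedicated tree, and source IP address plus upstream-allocated label on a shared tree) can be compared in one model. This is an added example, not code from the patent; the class, its method names, the numeric VPN IDs, the IP addresses and the group address are all constructed for illustration.

```python
P2P_TUNNEL = "p2p"            # label was allocated by the receiver (downstream)
DEDICATED_TREE = "dedicated"  # VPN is identified by the multicast group address
SHARED_TREE = "shared"        # label was allocated by the sender (upstream)


class PeDemux:
    """Label and group tables of one PE (constructed model, names hypothetical)."""

    def __init__(self):
        self.local_label_to_vpn = {}     # label this PE allocated -> VPN ID
        self.vpn_to_local_label = {}     # VPN ID -> label this PE allocated
        self.neighbor_label_to_vpn = {}  # (neighbor IP, neighbor label) -> VPN ID
        self.group_to_vpn = {}           # dedicated-tree group address -> VPN ID

    def allocate_local_label(self, vpn_id, label):
        if self.local_label_to_vpn.get(label, vpn_id) != vpn_id:
            raise ValueError("local label already bound to another VPN")
        self.local_label_to_vpn[label] = vpn_id
        self.vpn_to_local_label[vpn_id] = label

    def learn_neighbor(self, vpn_id, neighbor_ip, label):
        """Store one VPN neighbor list entry learned from neighbor discovery."""
        key = (neighbor_ip, label)
        if self.neighbor_label_to_vpn.get(key, vpn_id) != vpn_id:
            raise ValueError("neighbor announced one label for two VPNs")
        self.neighbor_label_to_vpn[key] = vpn_id

    def bind_dedicated_tree(self, vpn_id, group):
        self.group_to_vpn[group] = vpn_id

    def label_for_sending(self, transport, vpn_id, peer_ip=None):
        """Pick the VPN label to place in the encapsulation when sending."""
        if transport == P2P_TUNNEL:
            # Downstream allocation: use the label the receiver announced.
            for (ip, label), vpn in self.neighbor_label_to_vpn.items():
                if ip == peer_ip and vpn == vpn_id:
                    return label
            return None
        if transport == SHARED_TREE:
            # Upstream allocation: use the label this PE allocated itself.
            return self.vpn_to_local_label.get(vpn_id)
        return None  # dedicated tree carries no VPN label

    def classify(self, transport, label=None, src_ip=None, group=None):
        """Return the VPN ID of a received packet, or None if it must be dropped."""
        if transport == P2P_TUNNEL:
            return self.local_label_to_vpn.get(label)
        if transport == DEDICATED_TREE:
            return self.group_to_vpn.get(group)
        if transport == SHARED_TREE:
            # The label alone is ambiguous: two senders may pick the same value.
            return self.neighbor_label_to_vpn.get((src_ip, label))
        return None


def build_node_a():
    """Constructed state for node A: VPN 1 with B, VPN 2 with D."""
    pe = PeDemux()
    pe.allocate_local_label(1, 100)
    pe.allocate_local_label(2, 101)
    pe.learn_neighbor(1, "10.0.0.2", 200)   # node B, label 200 for VPN 1
    pe.learn_neighbor(2, "10.0.0.4", 200)   # node D reuses value 200 for VPN 2
    pe.bind_dedicated_tree(1, "239.1.1.1")
    return pe


if __name__ == "__main__":
    a = build_node_a()
    print(a.classify(SHARED_TREE, label=200, src_ip="10.0.0.2"))
    print(a.classify(SHARED_TREE, label=200, src_ip="10.0.0.4"))
```

Because each PE allocates labels independently, the same label value from two senders resolves to different VPNs, and a shared-tree packet whose source and label match no neighbor list entry resolves to no VPN at all.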
- the VPN routing forwarding table may include information such as a prefix and a next hop (that is, an IP address of each member PE device in the same VPN), so as to determine an optimal path according to the VPN routing forwarding table in the service transmission process.
- the embodiment shown in FIG. 4 may further include step 408, which is the same as step 208.
- the method for implementing the three-layer virtual private network adds the VPN neighbor discovery message by extending the TLV message, and carries the VPN ID and the VPN label in the VPN neighbor discovery message, so that, by identifying the VPN IDs in the VPN neighbor discovery packets, the PEs of the same VPN are determined and routing protocol packets are exchanged with the PEs in the same VPN.
- the VPN neighbor discovery packet automatically discovers the PEs that belong to the same VPN and completes the routing protocol packet exchange. This eliminates a lot of manual configuration and improves the automatic configuration and automatic operation of the VPN.
- the embodiment of the present invention provides a first carrier edge (PE) device, as shown in FIG. 6, which may include: a neighbor receiving unit 51, a network determining unit 52, and a routing interaction unit 53.
- the neighbor receiving unit 51 is configured to receive a virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID and VPN label corresponding to the second PE device.
- the network determining unit 52 is configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device.
- the routing interaction unit 53 is configured to: when the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, perform the routing protocol packet exchange in the same VPN with the second PE device to generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label assigned by the second PE device to the same VPN.
- the first PE device may further include: a neighbor list unit 54.
- the neighbor list unit 54 is configured to: after the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, record the VPN ID corresponding to the same VPN, the VPN label assigned by the second PE device to the same VPN, and the IP address of the second PE device in the VPN neighbor list.
- the routing interaction unit 53 includes: a first sending module 531.
- the first sending module 531 is configured to send, by using the point-to-point tunnel, the first routing protocol packet to the second PE device that is recorded in the VPN neighbor list, where the first routing protocol packet is sent after being encapsulated by the first tunnel, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
- the type of the VPN label to be carried in the first tunnel encapsulation information is set to a downstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
- the routing interaction unit 53 further includes: a first receiving module 532 and a first generating module 533.
- the first receiving module 532 is configured to receive, by using the point-to-point tunnel, the second routing protocol packet sent by the second PE device, where the second routing protocol packet is sent after being encapsulated by the second tunnel, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN.
- the first generation module 533 is configured to determine, according to the VPN label carried in the encapsulated second routing protocol packet, the VPN corresponding to the second routing protocol packet, and generate the corresponding VPN routing forwarding table according to the content of the second routing protocol packet.
- the routing interaction unit 53 includes: a second sending module 534.
- the second sending module 534 is configured to encapsulate the third routing protocol packet to obtain the first multicast packet, and send it, through the dedicated public network multicast tree corresponding to the same VPN, to the other PE devices in the dedicated public network multicast tree.
- the dedicated public network multicast tree includes all the PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
- routing interaction unit 53 further includes: a second receiving module 535 and a second generating module 536.
- the second receiving module 535 is configured to receive, by using the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet that the second PE device obtained by encapsulating the fourth routing protocol packet, where the destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
- the second generation module 536 is configured to determine a corresponding VPN according to the destination address of the second multicast packet, and generate a corresponding VPN routing forwarding table according to the content of the fourth routing protocol packet.
- the routing interaction unit 53 includes: a third sending module 537.
- the third sending module 537 is configured to encapsulate the fifth routing protocol packet to obtain a third multicast packet, and send it through the shared public network multicast tree to the other PE devices in the shared public network multicast tree.
- the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
- the type of the VPN label carried in the third multicast packet is set to the upstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
- routing interaction unit 53 further includes: a third receiving module 538 and a third generating module 539.
- the third receiving module 538 is configured to receive, by using the public network multicast tree, a fourth multicast packet that is encapsulated by the second routing protocol packet sent by the second PE device, where the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree.
- the third generation module 539 is configured to search the VPN neighbor list according to the VPN label carried by the fourth multicast packet and the source IP address of the fourth multicast packet, determine the VPN corresponding to the sixth routing protocol packet, and generate the corresponding VPN routing forwarding table according to the content of the sixth routing protocol packet.
- the routing protocol packet is an LSA protocol packet of the OSPF protocol or an LSP protocol packet of the ISIS protocol, where the LSA protocol packet uses a specific destination multicast IP address and the LSP protocol packet uses a specific destination multicast MAC address, so that the second PE device, on receiving the LSA protocol packet or the LSP protocol packet, identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and sends it to the CPU for protocol processing.
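The receive-side logic of the units above, as an added Python example that is not taken from the patent: it parses a VPN neighbor discovery TLV, compares VPN IDs, fills the VPN neighbor list, and maps a received routing protocol packet to its VPN for each of the three transports (point-to-point tunnel, dedicated multicast tree, shared multicast tree). The wire layout, the type code `0xF1`, the names `FirstPE`, `on_discovery` and `classify`, and all addresses and labels are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed wire layout (not defined on the page):
# type(1) | length(2) | PE IPv4(4) | VPN ID(4) | VPN label(4, low 20 bits)
VPN_ND_TYPE = 0xF1                      # hypothetical TLV type code
_BODY = struct.Struct("!4sII")


def build_vpn_nd(pe_ip, vpn_id, label):
    """Encode a constructed sample VPN neighbor discovery TLV."""
    body = _BODY.pack(ipaddress.IPv4Address(pe_ip).packed, vpn_id, label)
    return struct.pack("!BH", VPN_ND_TYPE, len(body)) + body


def parse_vpn_nd(tlv):
    """Return (pe_ip, vpn_id, label); raise ValueError on a malformed TLV."""
    if len(tlv) < 3:
        raise ValueError("truncated TLV header")
    tlv_type, length = struct.unpack("!BH", tlv[:3])
    if tlv_type != VPN_ND_TYPE or length != _BODY.size or len(tlv) != 3 + length:
        raise ValueError("unexpected TLV type or length")
    raw_ip, vpn_id, label = _BODY.unpack(tlv[3:])
    if label >> 20:
        raise ValueError("VPN label wider than 20 bits")
    return str(ipaddress.IPv4Address(raw_ip)), vpn_id, label


class FirstPE:
    def __init__(self, local_labels, group_to_vpn):
        self.local_labels = dict(local_labels)   # VPN ID -> label this PE assigned
        self.own_label_to_vpn = {l: v for v, l in self.local_labels.items()}
        self.group_to_vpn = dict(group_to_vpn)   # dedicated-tree group -> VPN ID
        self.neighbors = {}                      # (peer label, peer IP) -> VPN ID

    def on_discovery(self, tlv):
        """Compare VPN IDs; record the peer in the VPN neighbor list on a match."""
        pe_ip, vpn_id, label = parse_vpn_nd(tlv)
        if vpn_id not in self.local_labels:
            return False
        self.neighbors[(label, pe_ip)] = vpn_id
        return True

    def classify(self, mode, label=None, src_ip=None, group=None):
        """Return the VPN ID a received routing packet belongs to, else None."""
        if mode == "p2p":          # downstream-assigned: the label is our own
            return self.own_label_to_vpn.get(label)
        if mode == "dedicated":    # the multicast group address alone names the VPN
            return self.group_to_vpn.get(group)
        if mode == "shared":       # upstream-assigned: unique only per sender
            return self.neighbors.get((label, src_ip))
        return None
```

On the shared tree the same label value can arrive from two peers and mean two different VPNs, so the lookup key has to include the source IP address; a packet whose (label, source IP) pair is not in the neighbor list maps to no VPN and can be dropped.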
- the embodiment of the present invention further provides a system for implementing a three-layer virtual private network. As shown in FIG. 10, the system includes: a first PE device 61 and a second PE device 62.
- the first PE device 61 is configured to receive a VPN neighbor discovery packet sent by the second PE device 62, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device 62; determine, according to the VPN ID corresponding to the first PE device 61 and the VPN ID corresponding to the second PE device 62, whether the second PE device 62 and the first PE device 61 are connected to the same VPN; and, when the second PE device 62 is connected to the same VPN as the first PE device 61, exchange routing protocol packets in the same VPN with the second PE device 62 and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device 62, and the VPN label assigned by the second PE device 62 to the same VPN.
- the VPN neighbor discovery packet is defined by extending the TLV packet, and the VPN ID and the VPN label are carried in the VPN neighbor discovery packet, so that the PEs that belong to the same VPN are identified by the VPN IDs in the VPN neighbor discovery packets, and the PEs in the same VPN exchange routing protocol packets. The VPN neighbor discovery packets can be used to automatically discover the PEs that belong to the same VPN and complete the routing protocol packet exchange. This eliminates a lot of personnel workload and improves the automatic configuration and automatic operation of the VPN.
- the embodiments of the present invention can be implemented by means of software plus necessary general hardware, and of course by hardware, but in many cases the former is the better implementation.
- Based on such understanding, the technical solution of the embodiments of the present invention may be embodied, in essence, in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, hard disk or optical disk of a computer, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in various embodiments of the present invention.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210081768.7 | 2012-03-23 | ||
| CN201210081768.7A CN103326915A (zh) | 2012-03-23 | 2012-03-23 | 实现三层虚拟专用网络的方法、设备及系统 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2013139270A1 true WO2013139270A1 (fr) | 2013-09-26 |
Family
ID=49195455
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2013/072915 Ceased WO2013139270A1 (fr) | 2012-03-23 | 2013-03-20 | Procédé, dispositif et système pour implémenter un réseau privé virtuel en couche 3 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN103326915A (fr) |
| WO (1) | WO2013139270A1 (fr) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113765815A (zh) * | 2020-06-05 | 2021-12-07 | 华为技术有限公司 | 组播报文负载分担的方法、设备和系统 |
| CN114650248A (zh) * | 2020-12-02 | 2022-06-21 | 中国电信股份有限公司 | 路由信息的处理方法、系统和自治系统边界路由器 |
| CN115695294A (zh) * | 2021-07-31 | 2023-02-03 | 华为技术有限公司 | 一种静态三层虚拟专用网络l3vpn中处理报文的方法以及设备 |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105515802B (zh) * | 2014-09-22 | 2019-04-12 | 新华三技术有限公司 | 网络虚拟化方法及装置 |
| CN104486225B (zh) * | 2014-12-19 | 2018-04-20 | 新华三技术有限公司 | 应用于trill网络中的报文转发方法和设备 |
| CN104618375B (zh) * | 2015-01-30 | 2018-09-28 | 普联技术有限公司 | 一种网络设备的发现方法及装置 |
| CN106572021B (zh) * | 2015-10-09 | 2021-07-06 | 中兴通讯股份有限公司 | 一种实现网络虚拟化叠加的方法与网络虚拟化边缘节点 |
| CN106169969B (zh) * | 2016-08-31 | 2020-01-10 | 华为技术有限公司 | 建立虚拟专用网标签交换路径方法、相关设备和系统 |
| CN110719237B (zh) * | 2018-07-13 | 2022-01-07 | 华为技术有限公司 | 传输报文的方法、装置、设备及存储介质 |
| CN111163009B (zh) * | 2020-02-20 | 2021-06-22 | 盛科网络(苏州)有限公司 | 一种端口扩展系统中实现三层组播的方法及装置 |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040088389A1 (en) * | 2002-11-05 | 2004-05-06 | Tenor Networks, Inc. | Methods and apparatus for automated edge device configuration in a heterogeneous network |
| CN1960299A (zh) * | 2005-11-04 | 2007-05-09 | 中兴通讯股份有限公司 | 基于多协议标记交换网的虚拟专用网络拓扑自动建立方法 |
| CN101180839A (zh) * | 2005-03-28 | 2008-05-14 | 思科技术公司 | 基于网络的虚拟专用网的服务级别诊断测试点的自调整库 |
| CN101379765A (zh) * | 2005-11-18 | 2009-03-04 | 思科技术公司 | 从提供商边缘针对网络操作来配置客户设备的技术 |
| CN101834794A (zh) * | 2010-05-06 | 2010-09-15 | 杭州华三通信技术有限公司 | 通过骨干网进行报文转发的方法及设备 |
-
2012
- 2012-03-23 CN CN201210081768.7A patent/CN103326915A/zh active Pending
-
2013
- 2013-03-20 WO PCT/CN2013/072915 patent/WO2013139270A1/fr not_active Ceased
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113765815A (zh) * | 2020-06-05 | 2021-12-07 | 华为技术有限公司 | 组播报文负载分担的方法、设备和系统 |
| CN113765815B (zh) * | 2020-06-05 | 2024-03-26 | 华为技术有限公司 | 组播报文负载分担的方法、设备和系统 |
| CN114650248A (zh) * | 2020-12-02 | 2022-06-21 | 中国电信股份有限公司 | 路由信息的处理方法、系统和自治系统边界路由器 |
| CN114650248B (zh) * | 2020-12-02 | 2023-07-18 | 中国电信股份有限公司 | 路由信息的处理方法、系统和自治系统边界路由器 |
| CN115695294A (zh) * | 2021-07-31 | 2023-02-03 | 华为技术有限公司 | 一种静态三层虚拟专用网络l3vpn中处理报文的方法以及设备 |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103326915A (zh) | 2013-09-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110830352B (zh) | 一种vpn跨域的实现方法、装置和边界节点 | |
| CN104219147B (zh) | 边缘设备的vpn实现处理方法及装置 | |
| CN103685022B (zh) | 报文转发方法及服务提供商网络边缘设备 | |
| EP3002913B1 (fr) | Procédé d'établissement de tunnel, procédé d'attribution d'étiquette, dispositif, et système de réseau | |
| CN101277245B (zh) | 一种l2vpn跨域的实现方法、系统和装置 | |
| WO2013139270A1 (fr) | Procédé, dispositif et système pour implémenter un réseau privé virtuel en couche 3 | |
| CN105099846B (zh) | 传输数据报文的方法和供应商边缘设备 | |
| CN103475581B (zh) | 一种网络标签分配方法、设备与系统 | |
| WO2014194711A1 (fr) | Procédé de traitement de paquets, procédé et dispositif de traitement d'étiquette de dispositif | |
| WO2013139159A1 (fr) | Procédé de transmission de paquet dans un réseau et dispositif côté fournisseur | |
| CN101090355A (zh) | 虚拟专用网隧道的标签交换路径建立方法、系统和设备 | |
| CN107026796A (zh) | 一种vpn路由通告方法、数据流转发方法及相关设备 | |
| CN100484080C (zh) | 一种虚拟私有网的路由引入方法、系统和运营商边缘设备 | |
| WO2020098611A1 (fr) | Procédé et appareil pour acquérir des informations de routage | |
| CN102571375B (zh) | 组播转发方法、装置及网络设备 | |
| CN114598635A (zh) | 报文传输的方法和装置 | |
| WO2013139234A1 (fr) | Procédé, dispositif et système réseau de transmission en multidiffusion | |
| CN102647328B (zh) | 一种标签分配方法、设备与系统 | |
| CN106921573A (zh) | NVo3网络中用于发布租户路由的方法及装置 | |
| CN108156067A (zh) | 一种实现基于以太网虚拟专用网络的方法和系统 | |
| CN106487677B (zh) | 运营商边缘设备及数据转发方法 | |
| CN103634210B (zh) | 发现vpls实例的对端pe设备的方法及设备 | |
| WO2023050932A1 (fr) | Procédé d'annonce de routage, dispositif de réseau et support de stockage informatique | |
| CN102739519B (zh) | 根基多点服务实现方法、装置和系统、运营商边缘设备 | |
| Joseph et al. | Network convergence: Ethernet applications and next generation packet transport architectures |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 13764724; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 13764724; Country of ref document: EP; Kind code of ref document: A1 |