CN102394804A - VPN system building method and VPN system - Google Patents


Info

Publication number
CN102394804A
Authority
CN
China
Prior art keywords
edge device
virtual private
tpe
relaying
vpn
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201110341754XA
Other languages
Chinese (zh)
Inventor
张亚旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp

Abstract

The invention discloses a method for building a VPN (Virtual Private Network) system, and a VPN system. The VPN system comprises TPEs (Trunk Provider Edges) that divide the network into a backbone VPN and an access VPN; the backbone VPN comprises one or more TPEs; and the access VPN communicates with one of the TPEs through an APE (Access Provider Edge) to obtain routing information. In the embodiments the TPE is introduced as a new role that splits the VPN into a backbone L3VPN and an access L3VPN, so that an end-to-end L3VPN is realized by splicing the two at the TPEs. The invention improves the scalability of large-scale MPLS (Multi-Protocol Label Switching) VPN deployments.

Description

Method for constructing a virtual private network system, and virtual private network system
Technical field
The present invention relates to the field of communications, and in particular to a method for constructing a virtual private network system and to a virtual private network system.
Background
A Virtual Private Network (VPN) of the prior art is a private network built on top of a shared public network. It has found ever wider application because of its distinctive advantages: for the user a VPN reduces cost and simplifies management, and for the operator it allows existing infrastructure to be used to offer value-added services, enlarging the carried traffic and creating new business opportunities at the same time.
Multi-Protocol Label Switching (MPLS) of the prior art is a classification-based forwarding technology that groups packets sharing the same forwarding treatment into one class, the Forwarding Equivalence Class (FEC). MPLS was originally proposed to speed up router forwarding, but because of its superior performance in two areas that are critical in today's IP networks, traffic engineering and VPN, it has gradually become the main standard for scaling IP networks. The key idea of MPLS is label switching: when an IP packet enters the first MPLS device, the MPLS edge router analyses the packet contents and selects an appropriate label for it; within the MPLS network the packet is then forwarded on the basis of this label alone, and the label is removed by the edge router when the packet leaves the MPLS network. Devices in an MPLS network are divided into edge devices (PE) and core devices (P): the PE provides traffic classification, label mapping and label removal, while the P provides label switching and label distribution.
In an MPLS VPN network combining the above technologies, MPLS serves as an efficient IP backbone platform and provides a flexible, scalable technical basis for realizing VPNs. Such an MPLS VPN network can consist of the following three kinds of network device:
(1) CE (Customer Edge): the edge device in the customer network that connects directly to the service provider;
(2) PE (Provider Edge): the edge device in the backbone network that connects directly to the customer's CE;
(3) P (Provider Router): a backbone device that is not directly connected to any CE.
Fig. 1 is a schematic diagram of the MPLS VPN network architecture of the related art. The MPLS VPN network of Fig. 1 consists of the backbone network and the user's sites; a VPN is a partition of the set of sites, that is, each VPN corresponds to a set of sites. The MPLS VPN is built by the service provider, who provides the VPN service to the user; the user does not perceive the public network and sees what looks like independent network resources. All VPN connection setup and management is performed on the PE. From the PE's point of view, one IP system attached to it is regarded as a site; each site is connected to a PE through a CE, and the site is the elementary unit of a VPN. A VPN is composed of several sites, and one site may belong to several VPNs at once. Any two VPNs that have no site in common may use overlapping address spaces: each user's private network uses its own independent address space without regard to address conflicts with other VPNs or with the public network. This relies on the VPN Routing and Forwarding instance (VRF).
Fig. 2 is a schematic diagram of the relationship between the VRF instances on a backbone edge router and the individual VPNs in the embodiment of Fig. 1. As shown in Fig. 2, VRFs exist only on the PE; on a PE a corresponding VRF is created for each site, and each VRF comprises a routing table, a forwarding table, the set of interfaces that use this VRF and a set of associated policies. A VRF can be regarded as a virtual router. A detailed description of MPLS VPN can be found in RFC 2547.
Fig. 3 is a schematic diagram of VPN route advertisement in the embodiment of Fig. 2. Following RFC 2547, BGP is used to advertise and learn L3VPN routes.
After a PE learns a route in a VRF, it prepends the VRF's RD (Route Distinguisher) to form a VPNv4 route. It then attaches the Route Target, a VPN label and the other attributes of the route and sends it to its BGP neighbours using the multiprotocol extensions of BGP. On receipt, a neighbour compares the Route Target attribute of the route with the Route Target import configuration of its VRFs and installs the route into the matching VRF(s). As shown in Fig. 3, the concrete VPN route advertisement flow is as follows:
Formation of the VPNv4 route on PE2 (BGP):
1. form the VPNv4 route from the route prefix and the RD of the VRF the route belongs to;
2. allocate an inbound label L1 to the VPNv4 route;
3. set the route-target attribute of the route according to the route-target export configuration of the VRF the route belongs to;
4. set the next hop of the route to PE2 itself and fill in the other attributes; the VPNv4 route is complete.
Processing of the received VPNv4 route on PE1 (BGP):
1. recover the corresponding route from the VPNv4 route and, according to its route-target attribute, determine which VRF(s) the route is to be imported into;
2. the label L1 carried in the route is the VPN label for data packets;
3. according to the next-hop information of the route, look up the label used on the label switched path to that next hop; this is the outer label used in label switching;
4. install the information obtained above in the forwarding table, where it is used during forwarding.
Once VPN route advertisement is complete, that is, once the route has been installed in the corresponding VRF, the system forwards data packets according to the labels carried.
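The exchange described above, as an added example that is not part of the patent: a small Python model of the VPNv4 export on PE2 and the import on PE1. All loopback addresses, RDs, route targets and label values are constructed for illustration (VPN label 17 and outer label 23 match the values the description uses later); route-target matching is modelled as a set intersection and stands in for BGP's extended-community handling.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VpnV4Route:
    rd: str                     # route distinguisher prepended by the exporting PE, e.g. "65000:1"
    prefix: str                 # the IPv4 prefix learned in the VRF
    label: int                  # VPN (inner) label allocated by the exporting PE
    route_targets: frozenset    # route-target communities attached on export
    next_hop: str               # exporting PE's loopback, i.e. the LSP endpoint


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_routes: Dict[str, str] = field(default_factory=dict)   # prefix -> CE next hop (constructed)
    # prefix -> (vpn_label, outer_label, remote PE), i.e. what the data plane needs
    forwarding: Dict[str, Tuple[int, int, str]] = field(default_factory=dict)


class PE:
    def __init__(self, loopback: str, lsp_labels: Dict[str, int]):
        self.loopback = loopback
        self.vrfs: Dict[str, Vrf] = {}
        self.lsp_labels = lsp_labels          # remote PE loopback -> outer label of the LSP toward it
        self._labels = itertools.count(17)    # 0-15 are reserved; 17 is the value used in the text

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export_routes(self) -> List[VpnV4Route]:
        """VPNv4 formation: RD + prefix, inbound label, export RTs, next hop = this PE."""
        routes = []
        for vrf in self.vrfs.values():
            for prefix in vrf.local_routes:
                routes.append(VpnV4Route(vrf.rd, prefix, next(self._labels),
                                         frozenset(vrf.export_rt), self.loopback))
        return routes

    def import_route(self, route: VpnV4Route) -> List[str]:
        """Receive processing. Returns the names of the VRFs that imported the route."""
        outer = self.lsp_labels.get(route.next_hop)
        if outer is None:
            return []    # no LSP to the advertising PE: route unusable, nothing installed
        imported = []
        for vrf in self.vrfs.values():
            if vrf.import_rt & route.route_targets:     # RT match decides the target VRF(s)
                vrf.forwarding[route.prefix] = (route.label, outer, route.next_hop)
                imported.append(vrf.name)
        return imported


def demo() -> Tuple[PE, Dict[Tuple[str, str], List[str]]]:
    """Constructed topology: PE2 exports BLUE and RED routes with the same prefix
    (overlapping address space); PE1 hosts only BLUE and reaches PE2 via outer label 23."""
    pe2 = PE("10.0.0.2", lsp_labels={"10.0.0.1": 31})
    pe2.add_vrf(Vrf("BLUE", "65000:1", {"65000:100"}, {"65000:100"}, {"192.168.2.0/24": "CE2"}))
    pe2.add_vrf(Vrf("RED", "65000:2", {"65000:200"}, {"65000:200"}, {"192.168.2.0/24": "CE4"}))
    pe1 = PE("10.0.0.1", lsp_labels={"10.0.0.2": 23})
    pe1.add_vrf(Vrf("BLUE", "65000:1", {"65000:100"}, {"65000:100"}))
    outcome = {}
    for route in pe2.export_routes():
        outcome[(route.rd, route.prefix)] = pe1.import_route(route)
    return pe1, outcome
```

The RED route, whose prefix overlaps BLUE's, is rejected by PE1 only because its route target matches no import policy there; the RD merely keeps the two VPNv4 routes distinct in BGP, it does not separate customers. An import RT typed wrongly on one PE therefore leaks one customer's routes into another's VRF, so RT import policies deserve the same change control as firewall rules.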
Fig. 4 is a schematic diagram of VPN packet forwarding in the MPLS VPN network of the embodiment of Fig. 2, that is, the data forwarding process in an L3VPN network realized in the manner of RFC 2547. As shown in Fig. 4, the concrete VPN packet forwarding process is as follows:
Processing on PE1 of a data packet sent from CE1 to CE2:
1. obtain the VPN ID from the VRF attribute of the packet's incoming interface;
2. look up the VRF table with the VPN ID and the destination IP address to obtain the outgoing interface, the inner outgoing label (the VPN label) and the outer outgoing label (the label that P allocated to PE1);
3. encapsulate the packet with the two labels, inner and outer;
4. send the packet out of the outgoing interface.
Suppose the VPN label and the outer label found are 17 and 23 respectively; the encapsulated packet then has the following structure (the outer label is at the top of the stack):
IP packet | 17 | 23
Processing on P of the data packet sent from CE1 to CE2:
1. determine that the packet is a labelled packet;
2. take the top MPLS forwarding label (23 in this example);
3. look up the label forwarding table with this label to obtain the outgoing interface, the next hop and the outgoing label;
4. if the outgoing label is not 3, the next hop is not the end node of the LSP, so the outer label of the packet is removed and the new outer label is encapsulated; if the outgoing label is 3, the next hop is the end node of the LSP, and under the penultimate hop popping rule the outer label must be removed and the packet forwarded directly. This example is the second case: the outer label 23 is removed and the packet is sent out of the outgoing interface. The forwarded packet has the following structure:
IP packet | 17
Processing on PE2 of the data packet sent from CE1 to CE2:
1. determine that the packet is a labelled packet;
2. take the top MPLS forwarding label (17 in this example);
3. check whether the label carries a second-lookup flag: if it does, obtain the VPN ID from the label and then perform a routing lookup on the destination address in the packet to find the forwarding entry; if there is no second-lookup flag, the outgoing interface is found directly from the label and the packet is forwarded;
4. send the packet out of the outgoing interface found. In this example label 17 is stripped and the packet is forwarded to CE2. The forwarded packet has the following structure:
IP packet
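The forwarding walk-through above, as an added example that is not code from the patent: a Python model with real 32-bit MPLS shim headers (the RFC 3032 layout of 20-bit label, 3-bit TC, S bit and TTL), penultimate hop popping on P and the second lookup on PE2. The interface names, the tables and the IPv4 payload are constructed; labels 17 and 23 are the values the text uses.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

IMPLICIT_NULL = 3   # outgoing label 3 (implicit null) tells the penultimate hop to pop, per RFC 3032


def encode_label(label: int, bottom: bool, ttl: int = 64) -> bytes:
    """One 32-bit MPLS shim: 20-bit label | 3-bit TC (0 here) | 1-bit S (bottom of stack) | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


def decode_label(pkt: bytes) -> Tuple[int, bool, bytes]:
    """Return (top label, bottom-of-stack flag, packet with that shim removed)."""
    if len(pkt) < 4:
        raise ValueError("truncated label stack")
    (word,) = struct.unpack("!I", pkt[:4])
    return word >> 12, bool((word >> 8) & 1), pkt[4:]


def build_ipv4(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header used as the constructed payload (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv4_dst(pkt: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(pkt[16:20])


def vrf_lookup(table: Dict[Tuple[int, str], object], vpn_id: int, dst: ipaddress.IPv4Address):
    """Longest-prefix match restricted to one VPN; the table is keyed by (vpn_id, prefix)."""
    best = None
    for (vid, prefix), entry in table.items():
        net = ipaddress.IPv4Network(prefix)
        if vid == vpn_id and dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no route to {dst} in VPN {vpn_id}")
    return best[1]


# Constructed tables for the CE1 -> CE2 walk-through: VPN label 17, outer LSP label 23 as in the text.
PE1_IFACE_VPN = {"ge0/1": 1}                               # CE1-facing interface is bound to VPN 1
PE1_VRF = {(1, "192.168.2.0/24"): ("ge0/0", 17, 23)}       # -> (out_if, vpn_label, outer_label)
P_LFIB = {23: ("ge1/1", IMPLICIT_NULL)}                     # in_label -> (out_if, out_label)
PE2_LABELS = {17: ("vrf", 1), 18: ("iface", "ge2/2")}       # VPN label -> second lookup in VPN 1, or direct
PE2_VRF = {(1, "192.168.2.0/24"): "ge2/1"}                  # -> out_if toward CE2


def pe1_ingress(in_if: str, ip_pkt: bytes) -> Tuple[str, bytes]:
    vpn_id = PE1_IFACE_VPN[in_if]                                              # 1: VPN from incoming interface
    out_if, vpn_label, outer = vrf_lookup(PE1_VRF, vpn_id, ipv4_dst(ip_pkt))  # 2: VRF table lookup
    stack = encode_label(outer, bottom=False) + encode_label(vpn_label, bottom=True)  # 3: outer on top
    return out_if, stack + ip_pkt                                              # 4: forward


def p_forward(pkt: bytes) -> Tuple[str, bytes]:
    label, bottom, rest = decode_label(pkt)        # 1-2: labelled packet, take the top label
    out_if, out_label = P_LFIB[label]              # 3: LFIB lookup (unknown label -> KeyError, i.e. drop)
    if out_label == IMPLICIT_NULL:
        return out_if, rest                        # 4: PHP, outer label removed, inner label untouched
    return out_if, encode_label(out_label, bottom) + rest   # 4: ordinary swap keeps the S bit


def pe2_egress(pkt: bytes) -> Tuple[str, bytes]:
    label, bottom, rest = decode_label(pkt)        # 1-2
    if not bottom:
        raise ValueError("VPN label must be bottom of stack after PHP")   # unexpected extra labels: drop
    kind, arg = PE2_LABELS[label]                  # 3: second-lookup flag decides the next step
    out_if = vrf_lookup(PE2_VRF, arg, ipv4_dst(rest)) if kind == "vrf" else arg
    return out_if, rest                            # 4: strip the VPN label, forward the IP packet


def walk(ip_pkt: bytes) -> List[Tuple[str, str, bytes]]:
    """Run one packet through PE1, P and PE2; return (node, out_if, packet as sent) per hop."""
    trace = []
    out_if, pkt = pe1_ingress("ge0/1", ip_pkt)
    trace.append(("PE1", out_if, pkt))
    out_if, pkt = p_forward(pkt)
    trace.append(("P", out_if, pkt))
    out_if, pkt = pe2_egress(pkt)
    trace.append(("PE2", out_if, pkt))
    return trace
```

Note what each hop trusts: P forwards on the label value alone, and PE2 maps label 17 to VPN 1 without regard to where the packet came from. That is the reason a PE must not accept labelled packets on CE-facing interfaces, and why pe2_egress drops a packet whose VPN label is not at the bottom of the stack instead of guessing what lies beneath it.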
The L3VPN model defined by RFC 2547bis and used in the above description is a flat model in which all PE nodes in the network are peers. Each PE typically has to process all VPN routes and, as the service access node, must also handle a large number of user access requests; the PE therefore needs enough ports and must process and forward the users' packets. The scalability of the network is bounded by the PE whose resources are most constrained, and as the network grows and the number of users increases the existing PE devices easily become the bottleneck of network expansion and need capacity upgrades.
For the above problem of the prior art, that each PE has to process all VPN routes and the virtual private network therefore scales poorly, no effective solution has yet been proposed.
Summary of the invention
The main object of the present invention is to provide a method for constructing a virtual private network system, and a virtual private network system, which solve the prior-art problem of poor network scalability caused by every PE having to process all VPN routes.
To achieve this object, according to one aspect of the present invention, a virtual private network system is provided.
The virtual private network system according to the present invention comprises: trunk edge devices TPE, for dividing the virtual private network into a backbone virtual private network and an access virtual private network; the backbone virtual private network comprises one or more TPEs; the access virtual private network establishes communication with one of the TPEs through an access edge device APE in order to obtain routing information; wherein the TPE maintains the VPN routes received from edge devices PE of the backbone virtual private network and/or the access virtual private network and, after reallocating the VPN labels, forwards the VPN routes to the backbone virtual private network and/or to the APE in the access virtual private network.
Preferably, IBGP is deployed in the backbone virtual private network, and BGP is used as the signalling protocol with which any TPE distributes its aggregated and filtered routing and label information to the other TPEs peering with it.
Preferably, the APE establishes IBGP or EBGP communication with the TPE, so that the aggregated routing and label information it obtains is encapsulated as the VPN label inside the outer tunnel for forwarding.
Preferably, a static virtual private network protocol is deployed in the backbone virtual private network, so that static communication is established between any two TPEs.
Preferably, a static virtual private network protocol is established between the APE and the TPE, the VPN label statically configured on the APE is obtained, and the configured VPN label is encapsulated inside the outer tunnel for forwarding.
Preferably, IBGP is deployed in the backbone virtual private network, with BGP as the signalling protocol with which any TPE distributes its aggregated and filtered routing and label information to the other TPEs peering with it, while a static virtual private network protocol is established between the APE and the TPE, the VPN label statically configured on the APE is obtained, and the configured VPN label is encapsulated inside the outer tunnel for forwarding.
Preferably, a static virtual private network protocol is deployed in the backbone virtual private network, so that static communication is established between any two TPEs, while the APE establishes IBGP or EBGP communication with the TPE, obtains the VPN label configured on the APE, and encapsulates the configured VPN label inside the outer tunnel for forwarding.
Preferably, the system further comprises an intermediate-layer edge device MPE located between the TPE and the APE.
To achieve the above object, according to another aspect of the present invention, a method for constructing a virtual private network system is provided.
The method for constructing a virtual private network system according to the present invention comprises: dividing the virtual private network into a backbone virtual private network and an access virtual private network by means of trunk edge devices TPE; establishing communication among the one or more TPEs in the backbone virtual private network, in order to maintain the VPN routes received from the PEs of the backbone virtual private network and/or the access virtual private network; and the access virtual private network establishing communication with one of the TPEs through an APE in order to obtain routing information.
Preferably, the TPE further forwards the VPN routes, after reallocating the VPN labels, to the backbone virtual private network and to the APE of the access virtual private network.
Preferably, the TPEs in the backbone virtual private network distribute VPN labels by establishing IBGP or EBGP communication; alternatively, the TPEs in the backbone virtual private network distribute VPN labels by configuring static routes.
Preferably, the access virtual private network obtains VPN labels by the APE establishing IBGP or EBGP communication with the TPE; alternatively, the APE and the TPE establish a static virtual private network protocol and the VPN label statically configured on the APE is obtained.
To achieve the above object, according to a further aspect of the present invention, a virtual private network is provided.
The virtual private network according to the present invention comprises edge devices PE, core devices P and customer edge devices CE, and further comprises one or more trunk edge devices TPE connected between the PEs and the Ps, wherein any TPE maintains the VPN routes received from PEs and/or other TPEs and, after reallocating the VPN labels, forwards the VPN routes to PEs and/or other TPEs.
Preferably, a PE establishes communication with one of the TPEs in order to obtain routing information.
Preferably, IBGP is established among the TPEs, and BGP is used as the signalling protocol with which any TPE distributes its aggregated and filtered routing and label information to the other TPEs peering with it.
Preferably, IBGP or EBGP communication is established between the PE and the TPE, so that the aggregated routing and label information obtained is encapsulated as the VPN label inside the outer tunnel for forwarding.
Preferably, static communication is established between any two TPEs.
Preferably, a static virtual private network protocol is established between the PE and the TPE, the VPN label statically configured on the APE is obtained, and the configured VPN label is encapsulated inside the outer tunnel for forwarding.
Preferably, the virtual private network further comprises an intermediate-layer edge device MPE located between the TPE and the PE.
To achieve the above object, according to a further aspect of the present invention, a virtual private network system is provided.
The virtual private network system according to the present invention comprises a virtual private network that includes a backbone virtual private network; one or more TPEs are located in the backbone virtual private network, and the TPEs establish communication with one another.
Preferably, the virtual private network further comprises an access virtual private network, and the TPE forwards the VPN route entries of the access virtual private network to any one or more PEs or TPEs of the backbone virtual private network.
To achieve the above object, according to a further aspect of the present invention, another virtual private network system is provided.
This virtual private network system according to the present invention comprises a virtual private network that includes an access virtual private network; one or more TPEs are located in the access virtual private network, and an APE establishes communication with one of the TPEs, which forwards all VPN route entries to the APE.
Preferably, the virtual private network further comprises a backbone virtual private network, and the TPE forwards the VPN route entries of the access virtual private network on to any one or more PEs or TPEs of the backbone virtual private network.
Through the present invention, trunk edge devices TPE are employed to divide the virtual private network into a backbone virtual private network and an access virtual private network; the backbone virtual private network comprises one or more TPEs; the access virtual private network establishes communication with one of the TPEs through an APE to obtain routing information; and the TPE maintains the VPN routes received from the PEs of the backbone or access virtual private network and forwards them after reallocating the VPN labels. By introducing the new role of trunk edge device (Trunk PE), the above embodiments divide the virtual private network into a backbone L3VPN and an access L3VPN and splice them at the trunk PEs to realise an end-to-end L3VPN. This solves the prior-art problem that every PE must process all VPN routes, which makes the virtual private network scale poorly, and thereby improves the scalability of large-scale MPLS VPN deployments.
Description of the drawings
The accompanying drawings described here are provided for further understanding of the invention and form part of the application; the illustrative embodiments of the invention and their description serve to explain the invention and do not limit it unduly. In the drawings:
Fig. 1 is a schematic diagram of the MPLS VPN network architecture of the related art;
Fig. 2 is a schematic diagram of the relationship between the VRF instances on a backbone edge router and the individual VPNs in the embodiment of Fig. 1;
Fig. 3 is a schematic diagram of VPN route advertisement in the embodiment of Fig. 2;
Fig. 4 is a schematic diagram of VPN packet forwarding in the MPLS VPN network of the embodiment of Fig. 2;
Fig. 5 is a diagram of the hierarchical L3VPN architecture of the virtual private network system according to an embodiment of the invention;
Fig. 6 is a flow chart of the method for constructing the virtual private network system according to an embodiment of the invention;
Fig. 7 is a diagram of the hierarchical L3VPN architecture of the virtual private network system according to an embodiment of the invention;
Fig. 8 is a schematic diagram of the static configuration of the hierarchical MPLS VPN of the embodiment of Fig. 7;
Fig. 9 is a schematic diagram of the relationships involved in forwarding a VPN packet in the MPLS VPN network of the embodiment of Fig. 8.
Embodiments
To make the technical problem solved by the invention, its technical solution and its beneficial effects clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
Fig. 5 is a diagram of the hierarchical L3VPN architecture of the virtual private network system according to an embodiment of the invention. The networking diagram of this typical hierarchical L3VPN network comprises:
trunk edge devices TPE, which divide the virtual private network into a backbone virtual private network and an access virtual private network; the backbone virtual private network comprises one or more TPEs; the access virtual private network establishes communication with one of the TPEs through an access edge device APE to obtain routing information. The TPE maintains the VPN routes received from the PEs of the backbone and/or access virtual private network and, after reallocating the VPN labels, forwards the VPN routes to the APEs in the backbone and/or access virtual private network. Preferably, the maintenance performed by the TPE includes aggregating and filtering these VPN routes.
The above embodiment provides an end-to-end L3VPN network architecture. By introducing the new role of trunk edge device TPE (Trunk PE), the virtual private network is divided into a backbone L3VPN and an access L3VPN, which are spliced at the trunk PEs to realise an end-to-end L3VPN and to provide the user with an end-to-end L3VPN service. This architecture largely solves the scaling problem encountered when deploying MPLS VPN on a large scale. The operator can build and deploy the L3VPN service flexibly according to service needs, and the backbone L3VPN and the access L3VPN can evolve separately while protecting the investment in existing equipment. In short, simplifying the way L3VPN is deployed improves the scalability and manageability of the network.
Specifically, as shown in Fig. 5, the end-to-end L3VPN architecture of this embodiment comprises a backbone L3VPN and an access L3VPN network, each made up of P devices, PE devices and the attached customer equipment (CE) and sites. The PE devices may be APEs or trunk PE devices (TPE); the access L3VPN network attaches to the TPE, which acts as an edge router of the backbone L3VPN. The TPE is the boundary joining the backbone L3VPN and the access L3VPN. On the access L3VPN side the TPE maintains the routes and inner labels received from the APEs; it reallocates VPN labels to the VPN routes learned from the access side and advertises them to the other PE/TPE devices of the backbone L3VPN. On the backbone side the TPE maintains the VPN routes learned from the backbone PE/TPE devices and advertises aggregated VPN routes or a default route, with labels, to the PE devices of the access L3VPN. In this embodiment the access edge node (APE) is functionally equivalent to the PE node of the 2547bis framework; it is named APE to distinguish it clearly from the TPE, and it is oriented towards user access, handling the routes of the locally attached VPN sites. VPN routing information in this application comprises VPN label information and next-hop information.
In the concrete implementation of the virtual private network system of the above embodiment, the virtual private network may comprise edge devices PE, core devices P and customer edge devices CE, and may further comprise one or more trunk edge devices TPE connected between the PEs and the Ps, wherein any TPE maintains the VPN routes received from PEs and/or other TPEs and, after reallocating the VPN labels, forwards the VPN routes to PEs and/or other TPEs.
Preferably, a PE establishes communication with one of the TPEs to obtain routing information.
In the end-to-end L3VPN architecture deployed in the above embodiment, the access L3VPN and the backbone L3VPN may be deployed in different ways: each may use a different IGP and a different outer tunnel technology (existing or future), and VPN labels may be distributed by BGP or by other means such as static configuration.
In one embodiment of the invention, IBGP is deployed in the backbone virtual private network, and BGP is used as the signalling protocol with which any TPE distributes its aggregated and filtered routing and label information to the other TPEs peering with it. Preferably, in this embodiment the APE establishes IBGP or EBGP communication with the TPE, so that the aggregated routing and label information it obtains is encapsulated as the VPN label inside the outer tunnel for forwarding.
In another embodiment, a static virtual private network protocol is deployed in the backbone virtual private network so that static communication is established between any two TPEs. Preferably, in this embodiment a static virtual private network protocol is established between the APE and the TPE, the VPN label statically configured on the APE is obtained, and the configured VPN label is encapsulated inside the outer tunnel for forwarding.
In another embodiment, IBGP is deployed in the backbone virtual private network, with BGP as the signalling protocol with which any TPE distributes its aggregated and filtered routing and label information to its peer TPEs, while a static virtual private network protocol is established between the APE and the TPE, the VPN label statically configured on the APE is obtained, and the configured VPN label is encapsulated inside the outer tunnel for forwarding.
In another embodiment, a static virtual private network protocol is deployed in the backbone virtual private network so that static communication is established between any two TPEs, while the APE establishes IBGP or EBGP communication with the TPE, obtains the VPN label configured on the APE, and encapsulates the configured VPN label inside the outer tunnel for forwarding.
Specifically, in the implementation of the hierarchical MPLS L3VPN network described above, the virtual private network is layered by adding one kind of network node, the trunk edge node (TPE). Deploying trunk nodes (TPE) in the MPLS network divides the virtual private network into an MPLS backbone area and an MPLS access area; the backbone network consists of all the TPEs and the P devices interconnecting them.
The trunk node (TPE) of the above embodiments divides the virtual private network logically into a backbone area and an access area. The TPE node is oriented towards forwarding: it needs greater packet processing and forwarding capacity and greater route processing capacity. As a node of the backbone area, the TPE must process the L3VPN routes of the whole network.
The edge node (APE) of the above embodiments is functionally equivalent to the PE node of the 2547bis framework; it is named APE to distinguish it clearly from the TPE, and it is oriented towards user access, handling the routes of the locally attached VPN sites.
The corresponding L3VPN network is divided into a backbone L3VPN and an access L3VPN. The TPE nodes together with the P nodes form the backbone L3VPN (T-L3VPN); a TPE node together with the APEs attached to it forms an access L3VPN (A-L3VPN). If the network is very large and more levels are needed, an intermediate level MPE can be added: towards the backbone-side TPE the MPE plays the role of an APE, and towards the APEs it plays the role of a TPE.
In summary, the core of the invention is to extend the function of the trunk node (TPE) so that it aggregates and filters VPN routes, and the edge nodes hold only the routes their services require, which reduces the processing capacity demanded of the edge nodes. When the network is upgraded, the devices replaced in the backbone L3VPN can be redeployed as edge nodes of the access L3VPN, reducing investment.
In practical application and deployment the L3VPN function defined by 2547bis may be used, for example; it can be divided into a signalling plane and a forwarding plane. The signalling plane is mainly label distribution and LSP setup: BGP is used as the signalling protocol to distribute VPN labels, and the outer tunnel may be an LDP tunnel, a traffic engineering tunnel or a static tunnel. The forwarding plane forwards service packets along the label paths that were distributed.
The present invention improves the scalability and manageability of the L3VPN network mainly by extending and simplifying the signalling plane, which reduces the complexity of network deployment and management. The forwarding plane keeps the current mechanism unchanged; the forwarding plane of the trunk node must be able, for VPN traffic passing through the TPE node, to pop the two-layer label stack, look up the VRF routing table, and then encapsulate a new two-layer label stack for forwarding.
On the control plane, routes are aggregated at the TPE node, and routes irrelevant to the access L3VPN are filtered out of what the backbone L3VPN advertises into it, which reduces the load on the APE nodes. Routes learned from the access L3VPN are not filtered; all of them are advertised into the backbone L3VPN. The TPE node may aggregate and control L3VPN routes using the corresponding mechanisms provided by BGP, or by configuring static L3VPN routes. This guarantees that only the routes an APE needs are advertised to it. The aggregation granularity of L3VPN routes can range from no aggregation (equivalent to 2547bis) to maximum aggregation (only one default route advertised per VRF); the operator can set the aggregation granularity as needed according to its service management granularity, for instance one label per VRF or one label per VRF per peer.
At forwarding face, to what the TPE node needed be, can carry out quadratic search, confirm VRF according to the label that the message of receiving carries, and then the routing table of looking into a VRF is transmitted then.Outer layer tunnel is not had specific (special) requirements, and existing various tunneling mechanisms all can be used.
In the above-mentioned various execution mode, can dispose different scene in key virtual private networks and the access of virtual private network, perhaps mix and use, to adapt to various application scenarioss.
Specifically, in the above embodiment of the present invention, the following four embodiments can be realized according to the different label distribution modes used between the TPEs of the backbone L3VPN and between the TPE and the APEs of the access L3VPN:
Embodiment one:
A scenario in which BGP is used uniformly as the signaling protocol. The IBGP protocol runs between the TPE nodes; IBGP or EBGP can run between the TPE and the APE, depending on whether the TPE and the APE belong to the same AS. The specific embodiment is as follows:
Step one: deploy the IBGP protocol in the backbone L3VPN in the same way as 2547bis. All TPEs peer with one another, establishing neighbor relationships between the TPEs and advertising L3VPN routes to each other. The backbone L3VPN deploys an IGP protocol, which can be OSPF, IS-IS, etc.
Step two: in the access L3VPN, the APE and the TPE establish an IBGP or EBGP neighbor relationship; the APE advertises all local L3VPN routes to the TPE, and the TPE advertises aggregated routes to the APE. In this example the IBGP mode is adopted, and the TPE acts as the convergence router for all APEs in this access L3VPN: for all L3VPN routes learned from the APEs, it reallocates a label for each route, rewrites the next hop of the route to the TPE itself, and forwards all the modified label routes to the other TPEs. No neighbor relationship needs to be established between APEs. When advertising aggregated routes to the APE, the TPE can put all VRFs into the aggregated routes, or advertise the aggregated routes of specified VRFs only; the aggregation granularity advertised for each VRF may also differ. The access L3VPN deploys an IGP protocol, which can be OSPF, IS-IS, etc.
In the above steps, unlike the basic RR role in traditional route advertisement, in the present invention the TPE, when reflecting routes to other TPEs, must reallocate a label for each route and rewrite the route's next hop to the TPE itself. This avoids the problems that a plain RR might bring in this network model, such as traffic engineering tunnels having to cross domains, and downstream traffic being unable to be forwarded when no MPE is present.
The TPE device deploys different IGP protocols, or different IGP protocol instances, on the backbone side and the access side. If the TPE does not support multiple instances, isolation can also be achieved through different areas (OSPF protocol) or levels (IS-IS); in this case the scalability of the network is limited by the scalability of the IGP.
Step three: establish outer tunnels, so that an outer tunnel is established between the backbone TPEs and an outer tunnel is established between the access network TPE and the APE. Each segment can configure a static tunnel or an MPLS-TE tunnel. In the backbone L3VPN and access L3VPN areas the outer tunnels are established in segments; when forwarding, the TPE can terminate the outer tunnel and look up the different VRF routing tables according to the VPN label, so tunnel deployment is also simplified, and tunnels need not be deployed across areas or AS domains.
After the above steps are completed, in the establishment process, the APE uses the label of the aggregated route learned from the TPE as the VPN label, encapsulates it in the tunnel, and forwards. Upon reaching the TPE, the corresponding VRF can be located according to the label value; the routing table is then looked up according to the destination of the data packet and the packet is forwarded. Depending on the destination, a two-layer label stack may be encapsulated for forwarding.
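The control-plane behaviour of the TPE described above (routes from the APE kept unfiltered but readvertised to the backbone with a new label and next hop set to the TPE itself; backbone routes aggregated toward the APE at a chosen granularity) and the forwarding-plane "second lookup" (label to VRF, then VRF route lookup, then a two-label push) can be modelled in a few dozen lines. The following Python model is an added illustration, not code from the patent or from ZTE; router names, prefixes, label numbers and the tunnel-label table are constructed, and the per-VRF-per-peer label granularity mentioned in the text is not modelled.

```python
"""Constructed model of the TPE control plane and forwarding plane.
Routers, prefixes and label numbers are made up for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VpnRoute:
    vrf: str
    prefix: str     # IPv4 prefix, e.g. "10.1.0.0/16"
    next_hop: str   # BGP next hop (router name stands in for its loopback)
    label: int      # VPN (inner) label that next hop expects


class Tpe:
    def __init__(self, name: str, first_label: int = 100):
        self.name = name
        self._next_label = first_label
        self.rib: Dict[str, List[VpnRoute]] = {}   # per-VRF routes as installed locally
        self.backbone_routes: List[VpnRoute] = []  # subset learned from other TPEs
        self.label_to_vrf: Dict[int, str] = {}     # first lookup: our labels -> VRF
        self.to_backbone: List[VpnRoute] = []      # relabeled access routes

    def _alloc(self, vrf: str) -> int:
        label = self._next_label
        self._next_label += 1
        self.label_to_vrf[label] = vrf
        return label

    def _install(self, route: VpnRoute) -> None:
        self.rib.setdefault(route.vrf, []).append(route)

    def learn_from_ape(self, routes: List[VpnRoute]) -> None:
        """Access side: keep every route unfiltered, but readvertise it with a
        label of our own and next hop = this TPE (unlike a plain route reflector)."""
        for r in routes:
            self._install(r)   # original next hop/label are used when forwarding to the APE
            self.to_backbone.append(VpnRoute(r.vrf, r.prefix, self.name, self._alloc(r.vrf)))

    def advertise_to_backbone(self) -> List[VpnRoute]:
        return list(self.to_backbone)

    def learn_from_backbone(self, routes: List[VpnRoute]) -> None:
        for r in routes:
            self._install(r)
            self.backbone_routes.append(r)

    def advertise_to_ape(self, vrf: str, granularity: str) -> List[VpnRoute]:
        """Backbone routes are aggregated before they reach the APE:
        'none' = every route with its own label (2547bis behaviour),
        'per_vrf' = every route but one label per VRF,
        'default' = only a default route per VRF (maximum aggregation)."""
        routes = [r for r in self.backbone_routes if r.vrf == vrf]
        if granularity == "none":
            return [VpnRoute(vrf, r.prefix, self.name, self._alloc(vrf)) for r in routes]
        if granularity == "per_vrf":
            label = self._alloc(vrf)
            return [VpnRoute(vrf, r.prefix, self.name, label) for r in routes]
        if granularity == "default":
            return [VpnRoute(vrf, "0.0.0.0/0", self.name, self._alloc(vrf))]
        raise ValueError(f"unknown granularity {granularity!r}")

    def forward(self, in_label: int, dst_ip: str,
                tunnel_labels: Dict[str, int]) -> Optional[Tuple[str, List[int]]]:
        """Forwarding plane: label -> VRF, longest match in that VRF, then push
        [inner VPN label, outer tunnel label]. Returns (next hop, label stack)."""
        vrf = self.label_to_vrf[in_label]
        dst = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.rib.get(vrf, []):
            net = ipaddress.ip_network(r.prefix)
            if dst in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        if best is None:
            return None
        return best.next_hop, [best.label, tunnel_labels[best.next_hop]]


def demo() -> dict:
    """Constructed scenario: CE1 - APE1 - TPE1 - P - TPE2 - APE2 - CE2."""
    tpe1, tpe2 = Tpe("TPE1"), Tpe("TPE2")
    # APE1 advertises its local site prefix with its own VPN label 17 (constructed).
    tpe1.learn_from_ape([VpnRoute("VRF1", "10.1.0.0/16", "APE1", 17)])
    tpe2.learn_from_backbone(tpe1.advertise_to_backbone())   # TPE1 relabels, next hop = TPE1
    out = {"to_backbone": tpe1.advertise_to_backbone()}
    out["default"] = tpe2.advertise_to_ape("VRF1", "default")
    out["none"] = tpe2.advertise_to_ape("VRF1", "none")
    # A packet from CE2 reaches TPE2 with the aggregate label; tunnel labels are assumed.
    out["tpe2_fwd"] = tpe2.forward(out["default"][0].label, "10.1.2.3", {"TPE1": 23})
    # It reaches TPE1 with inner label 100; TPE1 swaps to APE1's label 17.
    out["tpe1_fwd"] = tpe1.forward(100, "10.1.2.3", {"APE1": 40})
    return out
```

Running `demo()` shows the two effects the text relies on: TPE2 never sees APE1 (the route it holds has next hop TPE1), and the APE receives only a default route carrying one label, while each TPE still resolves that label to the right VRF and then to the right backbone or access next hop.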
Embodiment two:
Static label distribution is used uniformly; the whole L3VPN model degenerates to a static L3VPN, and the BGP protocol need not be deployed at all. The specific embodiment is as follows:
Step one: establish a static L3VPN between the backbone TPE nodes.
Step two: establish a static L3VPN between the access network TPE node and the APE nodes. On the APE node, configure the route entries toward the remote TPE and APE, including the VPN labels used.
Step three: establish outer tunnels, so that outer tunnels are deployed in both the backbone network and the access network.
After the above steps are completed, in the establishment process, the configured out-label is used as the VPN label, encapsulated in the tunnel, and forwarded. At the far end, the corresponding VRF can be located according to the label value; the routing table is then looked up according to the destination of the data packet and the packet is forwarded.
Embodiment three:
The backbone L3VPN uses the BGP protocol as the signaling protocol to distribute labels, and the access L3VPN uses static label distribution. The specific embodiment is as follows:
The backbone L3VPN is deployed as in embodiment one, and the access L3VPN is deployed as in embodiment two. On the TPE node, the static routes need to be configured to be imported into BGP, so that the routes of the APE are advertised to the remote TPE neighbors.
Embodiment four:
The backbone L3VPN uses static label distribution, and the access L3VPN uses the BGP protocol as the signaling protocol to distribute labels. The specific embodiment is as follows:
The backbone L3VPN is deployed as in embodiment two, and the access L3VPN is deployed as in embodiment one. On the TPE node, the backbone side uses static configuration to ensure that the L3VPN routes are reachable, and the access side configures the BGP routing protocol to advertise a default route to the APE. In this scenario each access L3VPN becomes an independent BGP routing domain, with no interaction between them.
The network system in the above embodiment of the present invention can also comprise an intermediate-layer edge device MPE, located between the trunk edge device TPE and the edge device APE. In practical implementation, if this embodiment is applied to a very large network and more levels need to be divided, an intermediate level MPE can be added: relative to the backbone-side TPE, the MPE plays the role of an APE, and relative to the APE, the MPE plays the role of a TPE. This achieves further extension of the network hierarchy.
Fig. 6 is a flow chart of the method for building a virtual private network system according to an embodiment of the present invention. As shown in Fig. 6, the method comprises the following steps:
Step S102: the VPN is divided into a backbone VPN and an access VPN by means of the trunk edge device TPE.
Step S104: communication is established with one or more trunk edge devices TPE in the backbone VPN, so as to maintain the VPN routes received from the edge devices PE of the backbone VPN and/or the access VPN.
Step S106: the access VPN establishes communication with one of the trunk edge devices TPE through the edge device APE, so as to obtain routing information. Preferably, after the routing information is obtained, the access VPN encapsulates the routing information in the outer tunnel for forwarding; the routing information here can be a VPN route.
The above embodiment of the present invention provides an implementation of an end-to-end L3VPN. By introducing the TPE role, the VPN is divided into a backbone L3VPN and an access L3VPN, providing users with an end-to-end L3VPN service and solving the scalability problem encountered by present MPLS VPNs. Operators can flexibly build and deploy L3VPN services according to service needs; the backbone L3VPN and the access L3VPN can evolve separately, while protecting the investment in existing equipment.
In the above embodiment, the trunk edge device TPE is also used, after reallocating the VPN label, to forward the VPN routes to the edge devices APE of the backbone VPN and the access VPN.
With reference to the network architecture diagram shown in Fig. 5, in this method embodiment the TPE device is the boundary connecting the backbone L3VPN and the access L3VPN. On the access L3VPN side, the TPE device maintains the routes and inner labels received from the PEs; the TPE device then reallocates VPN labels for the VPN routes learned from the access side and advertises them to the other PE/TPE devices of the backbone L3VPN. On the backbone side, the TPE device maintains the VPN routes learned from the backbone PE/TPE devices, advertises aggregated VPN routes or default routes to the PE devices of the access L3VPN, and distributes labels.
In an end-to-end L3VPN deployed according to the present invention, the access L3VPN and the backbone L3VPN can adopt different deployment modes. They can each adopt different IGP protocols and each adopt the various existing (and future) outer tunnel technologies; VPN label distribution can use the BGP protocol or other modes such as static configuration.
Preferably, in the above embodiment, the trunk edge devices TPE in the backbone VPN establish IBGP or EBGP communication and distribute VPN labels; or, the trunk edge devices TPE in the backbone VPN distribute VPN labels by configuring static routes.
Preferably, in the above embodiment, the access VPN obtains the VPN label by establishing IBGP or EBGP communication between the edge device APE and the trunk edge device TPE; or, a static VPN protocol is established between the edge device APE and the trunk edge device TPE, and the VPN label whose configuration has been completed on the edge device APE is obtained.
With reference to the four network deployment embodiments of the present invention shown in Fig. 5, the method implementation flows of the four implementation scenarios of the present invention are further elaborated below. The present invention can comprise the following method embodiments:
Embodiment five, applied in the scenario of embodiment one; the method flow is as follows:
Specifically, this embodiment adopts the network configuration shown in Fig. 7; the hardware consists of seven routers, of which two serve as private-network customer edges CE, two as access edge routers APE, two as TPE routers, and one as the P router. The networking is shown in Fig. 7. Only one instance is given here: a most basic hierarchical L3VPN network based on the BGP protocol is established, the hierarchical L3VPN network is realized on the TPE and APE devices by the mode of the present invention, then the CEs at the two ends send VPN data packets to each other, and the traffic can be interconnected.
The processing steps of the software part are as follows:
Step 1: in the backbone L3VPN, enable MPLS between the TPE1 node and the TPE2 node, including the P node, and establish the MPLS label switched path LSP, ensuring that the outer tunnel of the L3VPN is normal. The IGP uses the OSPF protocol, and OSPF process 1 is used on the TPE node to handle the backbone L3VPN routes. The IS-IS protocol can also be used.
Step 2: in the access L3VPN, create a VRF for the CE on the TPE node and on the APE node respectively. Enable MPLS between the APE node and the TPE node and establish the MPLS label switched path, ensuring that the L3VPN outer tunnel is normal. The IGP uses the OSPF protocol, and OSPF process 2 is used on the TPE node to handle the access L3VPN routes. The IS-IS protocol can also be used.
Step 3: configure the routes to the far end on CE1 and CE2, with the next hop of each route pointing to the APE device connected to it, and configure the routes to CE1 and CE2 on APE1 and APE2 respectively. As shown in Fig. 5, on CE1: ip route XXX2 XXXX2 APE1; on APE1: ip route XXX2 XXXX2 CE1. Note: various routing protocols can run, or static routes can be configured, between the APE and the CE; this example uses static routes.
Step 4: configure the VRFs on APE1 and TPE1 respectively. MP-BGP is configured on APE1 in the same configuration mode as 2547bis MPLS VPN. As shown in Fig. 7, TPE1 is configured on APE1 as its IBGP neighbor, and the VPNv4 address family is supported. MP-BGP is configured on TPE1: APE1 is configured as its IBGP neighbor, the VPNv4 address family is supported, the neighbor is configured as its APE (neighbor neighbor-id ape), and advertising the default route of the specified VRF to the APE is configured (neighbor neighbor-id default-originate vrf vrf-name). APE2 and TPE2 are configured identically.
Step 5: configure IBGP neighbors on TPE1 and TPE2 and activate the VPNv4 routes. For all VPN route entries learned from APE1, TPE1 reallocates a label for each one and rewrites the next hop to TPE1 itself, and advertises the modified label routes to the other TPEs, so that the existence of the APE is hidden from the other TPEs. The VPN route entries that TPE1 learns from the other TPEs are advertised to the APE according to the configured filtering policy; in this example TPE1 advertises a default route in the VRF to APE1. The other TPEs are configured identically.
Step 6: after the configuration is completed, CE1 and CE2 send packets to each other, and the traffic can be interconnected.
The L3VPN network established by the mode described in the invention can be used normally.
Embodiment six, applied in the scenario of embodiment two; the method flow is as follows:
The hardware composition and network topology are identical to those of embodiment five above. Only one instance is given here: a most basic hierarchical static L3VPN network is established. The hierarchical L3VPN network is realized on the TPE and APE devices by the mode of the present invention, then the CEs at the two ends send VPN data packets to each other, and the traffic can be interconnected.
The processing steps of the software part are as follows:
Step 1: in the backbone L3VPN, enable MPLS between the TPE1 node and the TPE2 node, including the P node, and establish the MPLS label switched path LSP, ensuring that the outer tunnel of the backbone L3VPN is normal. The IGP protocol is as in embodiment five.
Step 2: in the access L3VPN, create a VRF for the CE on the TPE node and on the APE node respectively. Enable MPLS between the APE node and the TPE node and establish the MPLS label switched path, ensuring that the L3VPN outer tunnel is normal. The IGP protocol is as in embodiment five.
Step 3: configure the routes to the far end on CE1 and CE2, with the next hop of each route pointing to the APE node connected to it. As shown in Fig. 5 and Fig. 8, on CE1 the configuration is ip route XXX2 XXXX2 APE1. The CE2 configuration is identical.
Step 4: configure the in-label values of the VRFs on APE1 and TPE1 respectively. As shown in Fig. 5, the configuration in VRF1 on APE1 is In-label:L1, and the configuration in VRF1 on TPE1 is In-label:L2. APE2 and TPE2 are configured the same way.
Step 5: configure on APE1 and TPE1 respectively the out-label value used toward the far end, which must correspond to the in-label value of the far end. As shown in Fig. 5 and Fig. 8, the configuration in VRF1 on APE1 is Next-hop:TPE1 out-label:L2, and the configuration in VRF1 on TPE1 is next-hop:TPE1 out-label:L1. APE2 and TPE2 are configured the same way.
Step 6: in the VRFs on TPE1 and TPE2, configure the static routes that point to the far-end VPN. As shown in Fig. 5 and Fig. 8, the configuration in VRF1 on TPE1 is ip route vrf VRF1 XXX2 XXXX2 TPE2 global, and the configuration in VRF1 on TPE1 is ip route vrf VRF1 XXX2 XXXX2 TPE1 global.
Step 7: after the configuration is completed, as shown in Fig. 9, CE1 and CE2 of the embodiment of the invention send packets to each other, and the traffic can be interconnected. The specific way the VPN packets are forwarded in the MPLS VPN network is as follows:
Processing on PE1 of a data packet sent from CE1 to CE2:
1. obtain the VPN ID according to the VRF attribute of the incoming interface of the packet;
2. look up the VRF table using the VPN ID and the destination IP address, obtaining the outgoing interface, the inner out-label (i.e. the VPN label) and the outer out-label (i.e. the label that P allocated to PE1);
3. encapsulate the inner and outer labels into the packet;
4. forward the packet from the outgoing interface.
Suppose the VPN label and the outer label found at this time are 17 and 23 respectively; the packet structure after encapsulation is then as follows:
IP packet 17 23
Processing on P of the data packet sent from CE1 to CE2:
1. determine that this packet is a labeled packet;
2. take out the first-layer MPLS forwarding label (23 in this example);
3. look up the label forwarding table according to this label, obtaining the outgoing interface, the next hop and the out-label;
4. if the out-label is not 3, the next hop is not the end node of the LSP, so the outer label of this data packet needs to be removed and a new outer label encapsulated; if the out-label is label 3, the next hop is the end node of the LSP, so according to the penultimate hop popping rule the outer label of this packet needs to be removed and the packet forwarded directly. This example is the second case, so outer label 23 is removed and the packet is forwarded from the outgoing interface. The structure of the forwarded packet is as follows:
IP packet 17
Processing on PE2 of the data packet sent from CE1 to CE2:
1. determine that this packet is a labeled packet;
2. take out the first-layer MPLS forwarding label (17 in this example);
3. obtain the corresponding VPN ID according to this label, then perform a route lookup according to the destination address in the packet and forward;
4. forward the packet from the outgoing interface found. In this example, this means the packet is forwarded to CE2 after label 17 is stripped. The structure of the forwarded packet is as follows:
IP packet
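The three-hop walk above (two labels pushed at PE1, the outer label popped at P because the out-label is the implicit-null value 3, the VPN label mapped to a VPN ID and stripped at PE2) is reproduced below as a small Python simulation. It is an added example, not code from the patent or from ZTE; the interface names, the destination prefix, the table contents and the swap-case label 31 are constructed, while labels 17, 23 and 3 are the values used in the text. The label stack is kept with the top (outer) label first, so the text's "IP packet 17 23" appears as `[23, 17]`.

```python
"""Constructed simulation of one CE1 -> CE2 packet crossing PE1, P and PE2.
Tables, interface names and prefixes are made up; labels 17/23/3 follow the text."""
import ipaddress
from typing import Dict, Tuple

IMPLICIT_NULL = 3  # reserved MPLS label: the penultimate hop pops instead of swapping


def lpm(table: list, dst: str):
    """Longest-prefix match over a list of (prefix, entry) pairs; None if no route."""
    best, best_len = None, -1
    for prefix, entry in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def pe1_forward(pkt: dict, iface_vrf: Dict[str, str], vrf_tables: dict) -> str:
    """Ingress PE: VPN ID from the incoming interface's VRF, VRF lookup, then push
    the inner (VPN) and outer (P-allocated) labels. Returns the outgoing interface."""
    vpn_id = iface_vrf[pkt["in_iface"]]                  # step 1
    out_iface, inner, outer = lpm(vrf_tables[vpn_id], pkt["dst"])   # step 2
    pkt["labels"] = [outer, inner]                       # step 3: outer on top of the stack
    return out_iface                                     # step 4


def p_forward(pkt: dict, lfib: Dict[int, Tuple[str, str, int]]) -> str:
    """P router: LFIB lookup on the top label; swap it, or pop it when the out-label
    is implicit null (penultimate hop popping)."""
    if not pkt["labels"]:
        raise ValueError("not a labeled packet")         # step 1
    top = pkt["labels"][0]                               # step 2
    out_iface, _next_hop, out_label = lfib[top]          # step 3
    if out_label == IMPLICIT_NULL:                       # step 4: next hop ends the LSP
        pkt["labels"].pop(0)
    else:
        pkt["labels"][0] = out_label                     # step 4: replace the outer label
    return out_iface


def pe2_forward(pkt: dict, label_to_vpn: Dict[int, str], vrf_tables: dict) -> str:
    """Egress PE: VPN label -> VPN ID, strip it, route the plain IP packet in that VRF."""
    if not pkt["labels"]:
        raise ValueError("not a labeled packet")         # step 1
    vpn_id = label_to_vpn[pkt["labels"].pop(0)]          # steps 2-3
    out_iface, _, _ = lpm(vrf_tables[vpn_id], pkt["dst"])   # step 3 lookup, step 4
    return out_iface


def walk() -> dict:
    """Run the packet through the three nodes and record each stack (constructed tables)."""
    pkt = {"in_iface": "PE1:ce1", "dst": "10.2.0.9", "labels": []}
    pe1_vrf = {"VPN1": [("10.2.0.0/16", ("PE1:core", 17, 23))]}   # (out_iface, inner, outer)
    p_lfib = {23: ("P:pe2", "PE2", IMPLICIT_NULL)}                # (out_iface, next_hop, out_label)
    pe2_vrf = {"VPN1": [("10.2.0.0/16", ("PE2:ce2", None, None))]}
    seen = {}
    pe1_forward(pkt, {"PE1:ce1": "VPN1"}, pe1_vrf)
    seen["after_pe1"] = list(pkt["labels"])              # [23, 17]: "IP packet 17 23"
    p_forward(pkt, p_lfib)
    seen["after_p"] = list(pkt["labels"])                # [17]: "IP packet 17"
    seen["egress_iface"] = pe2_forward(pkt, {17: "VPN1"}, pe2_vrf)
    seen["after_pe2"] = list(pkt["labels"])              # []: plain "IP packet"
    return seen


def swap_case() -> list:
    """The other branch of step 4 at P: out-label is not 3, so the outer label is swapped."""
    pkt = {"in_iface": "P:in", "dst": "10.2.0.9", "labels": [23, 17]}
    p_forward(pkt, {23: ("P:next", "P2", 31)})           # 31 is a constructed label
    return pkt["labels"]
```

`walk()` returns the three stacks from the text in order, and `swap_case()` shows the first branch of step 4 (a swap rather than a pop) that the example packet does not exercise.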
The L3VPN network established by the mode described in the invention can be used normally. The static MPLS VPN configuration diagram shown in Fig. 8 illustrates the configuration of the extended L3VPN implementation described in the present invention: the MPLS VPN network is divided into a backbone part and access parts; the backbone part consists of the TPE nodes and the P node, and each access part consists of a TPE node and the APE nodes under it. The aggregation control performed on the TPE node over the VRF routes of each APE node can reduce the number of routes the APE handles.
Embodiment seven, applied in the scenario of embodiment three; the method flow is as follows:
The hardware composition and network topology are identical to those of embodiment five above. The hierarchical L3VPN network is realized on the TPE and APE devices by the mode of the present invention; the backbone L3VPN is deployed as in embodiment five (dynamic L3VPN), and the access L3VPN is deployed as in embodiment six (static L3VPN). Then the CEs at the two ends send VPN data packets to each other, and the traffic can be interconnected.
The processing steps of the software part are as follows (steps 1, 2 and 3 are the same as the specific method processing steps of embodiment five, and steps 4 and 5 are the same as those of embodiment six).
Step 1: in the backbone L3VPN, enable MPLS between the TPE1 node and the TPE2 node, including the P node, and establish the MPLS label switched path LSP, ensuring that the outer tunnel of the L3VPN is normal. The IGP uses the OSPF protocol, and OSPF process 1 is used on the TPE node to handle the backbone L3VPN routes. The IS-IS protocol can also be used.
Step 2: in the access L3VPN, create a VRF for the CE on the TPE node and on the APE node respectively. Enable MPLS between the APE node and the TPE node and establish the MPLS label switched path, ensuring that the L3VPN outer tunnel is normal. The IGP uses the OSPF protocol, and OSPF process 2 is used on the TPE node to handle the access L3VPN routes. The IS-IS protocol can also be used.
Step 3: configure the routes to the far end on CE1 and CE2, with the next hop of each route pointing to the APE device connected to it, and configure the routes to CE1 and CE2 on APE1 and APE2 respectively. As shown in Fig. 5, on CE1: ip route XXX2 XXXX2 APE1; on APE1: ip route XXX2 XXXX2 CE1. Note: various routing protocols can run, or static routes can be configured, between the APE and the CE; this example uses static routes.
Step 4: the access L3VPN deploys the L3VPN in static mode; first configure the VRFs on APE1 and TPE1 respectively.
Configure the in-label values of the VRFs on APE1 and TPE1 respectively. As shown in Fig. 5, the configuration in VRF1 on APE1 is In-label:L1, and the configuration in VRF1 on TPE1 is In-label:L2. APE2 and TPE2 are configured the same way.
Step 5: configure on APE1 and TPE1 respectively the out-label value used toward the far end, which must correspond to the in-label value of the far end. As shown in Fig. 5, the configuration in VRF1 on APE1 is Next-hop:TPE1 out-label:L2, and the configuration in VRF1 on TPE1 is next-hop:TPE1 out-label:L1. APE2 and TPE2 are configured the same way.
Step 6: configure IBGP neighbors on TPE1 and TPE2 and activate the VPNv4 routes. For all VPN route entries learned from APE1, TPE1 reallocates a label for each one and rewrites the next hop to TPE1 itself, and advertises the modified label routes to the other TPEs, so that the existence of the APE is hidden from the other TPEs. TPE1 does not advertise the VPN route entries learned from the other TPEs to the APE. The other TPEs are configured identically.
Step 7: after the configuration is completed, CE1 and CE2 send packets to each other, and the traffic can be interconnected.
The L3VPN network established by the mode described in the invention can be used normally.
Embodiment eight, applied in the scenario of embodiment four; the method flow is as follows:
The hardware composition and network topology are identical to those of each of the above embodiments. Only one instance is given here: the hierarchical L3VPN network is realized on the TPE and APE devices by the mode of the present invention, establishing a static backbone L3VPN network and a dynamic access L3VPN network. Then the CEs at the two ends send VPN data packets to each other, and the traffic can be interconnected.
The processing steps of the software part are as follows (steps 1, 2, 3 and 6 are the same as the specific method processing steps of embodiment six):
Step 1: in the backbone L3VPN, enable MPLS between the TPE1 node and the TPE2 node, including the P node, and establish the MPLS label switched path LSP, ensuring that the outer tunnel of the backbone L3VPN is normal. The IGP protocol is as in embodiment five.
Step 2: in the access L3VPN, create a VRF for the CE on the TPE node and on the APE node respectively. Enable MPLS between the APE node and the TPE node and establish the MPLS label switched path, ensuring that the L3VPN outer tunnel is normal. The IGP protocol is as in embodiment five.
Step 3: configure the routes to the far end on CE1 and CE2, with the next hop of each route pointing to the APE node connected to it. As shown in Fig. 5 and Fig. 8, on CE1 the configuration is ip route XXX2 XXXX2 APE1. The CE2 configuration is identical.
Step 4: the access L3VPN deploys the L3VPN in dynamic mode; configure the VRFs on APE1 and TPE1 respectively. MP-BGP is configured on APE1 in the same configuration mode as 2547bis MPLS VPN. As shown in Fig. 5, TPE1 is configured on APE1 as its IBGP neighbor, and the VPNv4 address family is supported. MP-BGP is configured on TPE1: APE1 is configured as its IBGP neighbor, the VPNv4 address family is supported, the neighbor is configured as its APE (neighbor neighbor-id ape), and advertising the default route of the specified VRF to the APE is configured (neighbor neighbor-id default-originate vrf vrf-name). APE2 and TPE2 are configured identically.
Step 5: the backbone L3VPN deploys the L3VPN in static mode; in the VRFs on TPE1 and TPE2, configure the static routes that point to the far-end VPN. As shown in Fig. 5, the configuration in VRF1 on TPE1 is ip route vrf VRF1 XXX2 XXXX2 TPE2 global, and the configuration in VRF1 on TPE1 is ip route vrf VRF1 XXX2 XXXX2 TPE1 global.
Step 6: after the configuration is completed, CE1 and CE2 send packets to each other, and the traffic can be interconnected.
The L3VPN network established by the mode described in the invention can be used normally.
Preferably, with the same hardware composition and network topology as the above embodiments, the hierarchical L3VPN network is realized on the TPE and APE devices by the mode of the present invention, establishing a hierarchical L3VPN network of a hybrid scheme.
Besides the above four application flows, the present invention can also comprise the following possible combinations:
A: the backbone adopts a dynamic L3VPN network. Access L3VPN1 deploys the L3VPN in dynamic mode, and access L3VPN2 deploys the L3VPN network in static mode. In actual deployment, the L3VPN access networks can be deployed in static or dynamic mode as required.
B: the backbone adopts a static L3VPN network. Access L3VPN1 deploys the L3VPN in dynamic mode, and access L3VPN2 deploys the L3VPN network in static mode. In actual deployment, the L3VPN access networks can be deployed in static or dynamic mode as required.
Then the CEs at the two ends send VPN data packets to each other, and the traffic can be interconnected.
The present invention also provides a kind of virtual private network system.This virtual private network system comprises: virtual private networks comprises key virtual private networks; One or more relaying edge device TPE are arranged among the key private network, and relaying edge device TPE sets up correspondence each other.
Preferably, above-mentioned virtual private networks can also comprise: access of virtual private network, relaying edge device TPE are forwarded to the vpn route entry in the access of virtual private network any one or more PE or the TPE of key virtual private networks.
The present invention also provides a kind of virtual private network system, and this virtual private network system comprises: virtual private networks comprises the access of virtual private network; One or more relaying edge device TPE are arranged at and insert among the private network, and edge device APE sets up with one of them relaying edge device TPE and communicates by letter, and is used for all vpn route entrys are transmitted to edge device APE.
Preferably, above-mentioned virtual private networks can also comprise: key virtual private networks, relaying edge device TPE are forwarded to the vpn route entry in the access of virtual private network any one or more PE or the TPE of key virtual private networks once more.
TPE equipment in the application's the foregoing description is supported all functions collection of PE equipment, and the existence that other P equipment in the network and PE equipment do not need perception TPE equipment is only handled the function of being accomplished as common PE.
The foregoing description has realized that introducing TPE equipment is divided into backbone network and Access Network with network; When TPE equipment under the situation of key virtual private networks one side; Realize beyond all functions of current PE; Also need announce other PE or TPE to the vpn route entry of affiliated Access Network again, and next is set jumps and to be oneself to backbone network.
Simultaneously, in order to reduce the processing pressure of access of virtual private network equipment one side, the support of TPE equipment is that every vpn announcement default route is announced to APE, also supports selectively with backbone network side vpn route, next jumping will be set equally be oneself.
The application flows to Access Network perhaps flows to backbone network from Access Network service traffics from backbone network after opening above-mentioned functions, all must carry out relaying through TPE equipment.Preferably, TPE equipment must be supported the ability that multilayer labels exchanges at forwarding face, carries out the route old complaint encapsulates multilayer labels information again according to needs ability according to ip after perhaps multilayer labels is peeled off.
Tunnels deployed in the virtual network of the embodiments can be deployed separately for the backbone network and the access network, and can even use different tunneling technologies. Those skilled in the art may, for example, run separate IGP instances on the TPE device, so that the backbone VPN side and the access VPN side of a TPE use different IGP instances. The TPE device retains the ability to attach CEs directly, and supports interworking between directly attached CE devices and the VPN sites on the backbone network and on other PEs of the access network.
From the embodiments described above it can be seen that the present invention achieves the following technical effects: the L3VPN implementation method provided by the invention has better scalability and better manageability, the network can be deployed according to service needs, the established network is more stable, and fewer device resources are consumed.
Obviously, those skilled in the art will understand that the above modules or steps of the present invention may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they may be implemented with program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, or made into individual integrated circuit modules, or a plurality of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description illustrates and describes a preferred embodiment of the present invention; but, as mentioned above, it should be understood that the invention is not limited to the form disclosed herein and should not be regarded as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be changed within the scope of the inventive concept described herein by the above teachings or by the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the protection scope of the appended claims.

Claims (24)

1. A virtual private network system, characterized in that it comprises:
a trunk edge device TPE, configured to divide said virtual private network into a backbone virtual private network and an access virtual private network;
said backbone virtual private network comprises one or more of said trunk edge devices TPE;
said access virtual private network establishes communication with one of said trunk edge devices TPE through an edge device APE, in order to obtain routing information;
wherein said trunk edge device TPE is configured to maintain VPN routes received from edge devices PE of said backbone virtual private network and/or said access virtual private network, and, after reallocating VPN labels, to forward said VPN routes to the edge devices APE in said backbone virtual private network and/or said access virtual private network.
2. The system according to claim 1, characterized in that:
the IBGP protocol is deployed in said backbone virtual private network, and the BGP protocol is used as the signaling protocol to distribute the aggregated route-label information filtered by any trunk edge device TPE to the other trunk edge devices TPE peering with it.
3. The system according to claim 2, characterized in that:
IBGP or EBGP communication is established between said edge device APE and said trunk edge device TPE, so that the aggregated route-label information obtained is encapsulated as a VPN label in an outer tunnel and forwarded.
4. The system according to claim 1, characterized in that:
a static VPN protocol is deployed in said backbone virtual private network to establish static network communication between any two trunk edge devices TPE.
5. The system according to claim 4, characterized in that:
a static VPN protocol is established between said edge device APE and said trunk edge device TPE, the VPN label whose configuration has been completed is obtained at said edge device APE, and the configured VPN label is encapsulated in an outer tunnel and forwarded.
6. The system according to claim 1, characterized in that:
the IBGP protocol is deployed in said backbone virtual private network, and the BGP protocol is used as the signaling protocol to distribute the aggregated route-label information filtered by any trunk edge device TPE to the other trunk edge devices TPE peering with it.
7. The system according to claim 6, characterized in that:
a static VPN protocol is established between said edge device APE and said trunk edge device TPE, the VPN label whose configuration has been completed is obtained at said edge device APE, and the configured VPN label is encapsulated in an outer tunnel and forwarded.
8. The system according to claim 1, characterized in that it comprises:
a static VPN protocol deployed in said backbone virtual private network to establish static network communication between any two trunk edge devices TPE.
9. The system according to claim 8, characterized in that it comprises:
IBGP or EBGP communication established between said edge device APE and said trunk edge device TPE, the configured VPN label being obtained at said edge device APE and encapsulated in an outer tunnel and forwarded.
10. The system according to any one of claims 1-9, characterized in that said system further comprises: a middle-layer edge device MPE located between said trunk edge device TPE and said edge device APE.
11. A method of constructing a virtual private network system, characterized in that it comprises:
dividing said virtual private network into a backbone virtual private network and an access virtual private network by means of a trunk edge device TPE;
establishing communication among one or more of said trunk edge devices TPE in said backbone virtual private network, in order to maintain VPN routes received from edge devices PE of said backbone virtual private network and/or said access virtual private network;
said access virtual private network establishing communication with one of said trunk edge devices TPE through an edge device APE, in order to obtain routing information.
12. The method according to claim 11, characterized in that said trunk edge device TPE is further configured, after reallocating VPN labels, to forward said VPN routes to the edge devices APE in said backbone virtual private network and/or said access virtual private network.
13. The method according to claim 12, characterized in that the trunk edge devices TPE in said backbone virtual private network allocate VPN labels by establishing IBGP or EBGP communication; or the trunk edge devices TPE in said backbone virtual private network allocate VPN labels by configuring static routes.
14. The method according to claim 12, characterized in that said access virtual private network obtains VPN labels by establishing IBGP or EBGP communication between said edge device APE and said trunk edge device TPE; or a static VPN protocol is established between said edge device APE and said trunk edge device TPE, and the configured VPN label is obtained at said edge device APE.
15. A virtual private network system, characterized in that it comprises:
a virtual private network, which comprises a backbone virtual private network;
one or more trunk edge devices TPE located in said backbone private network, said trunk edge devices TPE establishing communication with one another.
16. The system according to claim 15, characterized in that said virtual private network further comprises: an access virtual private network, wherein said trunk edge device TPE forwards the VPN route entries of said access virtual private network to any one or more PEs or TPEs of said backbone virtual private network.
17. A virtual private network system, characterized in that it comprises:
a virtual private network, which comprises an access virtual private network;
one or more trunk edge devices TPE located in said access private network, an edge device APE establishing communication with one of said trunk edge devices TPE, which is configured to forward all VPN route entries to said edge device APE.
18. The system according to claim 17, characterized in that said virtual private network further comprises: a backbone virtual private network, wherein said trunk edge device TPE further forwards the VPN route entries of said access virtual private network to any one or more PEs or TPEs of said backbone virtual private network.
19. A virtual private network, comprising edge network devices PE, core network devices P and customer edge devices CE, characterized in that it further comprises:
one or more trunk edge devices TPE, connected between said edge network devices PE and said core network devices P; wherein any trunk edge device TPE is configured to maintain VPN routes received from said edge devices PE and/or other trunk edge devices TPE, and, after reallocating VPN labels, to forward said VPN routes to said edge devices PE and/or other trunk edge devices TPE.
20. The virtual private network according to claim 19, characterized in that said edge network device PE establishes communication with one of said trunk edge devices TPE in order to obtain routing information.
21. The virtual private network according to claim 20, characterized in that the IBGP protocol is established between said trunk edge devices TPE, and the BGP protocol is used as the signaling protocol to distribute the aggregated route-label information filtered by any trunk edge device TPE to the other trunk edge devices TPE peering with it.
22. The virtual private network according to claim 20, characterized in that IBGP or EBGP communication is established between said edge network device PE and said trunk edge device TPE, so that the aggregated route-label information obtained is encapsulated as a VPN label in an outer tunnel and forwarded.
23. The virtual private network according to claim 20, characterized in that static network communication is established between any two trunk edge devices TPE.
24. The virtual private network according to claim 20, characterized in that, by establishing a static VPN protocol between said edge network device PE and said trunk edge device TPE, the configured VPN label is obtained at said edge device APE, and the configured VPN label is encapsulated in an outer tunnel and forwarded.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110341754XA CN102394804A (en) 2011-11-02 2011-11-02 VPN system building method and VPN system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110341754XA CN102394804A (en) 2011-11-02 2011-11-02 VPN system building method and VPN system

Publications (1)

Publication Number Publication Date
CN102394804A true CN102394804A (en) 2012-03-28

Family

ID=45862014

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110341754XA Pending CN102394804A (en) 2011-11-02 2011-11-02 VPN system building method and VPN system

Country Status (1)

Country Link
CN (1) CN102394804A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1414749A (en) * 2002-08-23 2003-04-30 华为技术有限公司 Three layer virtual private network and its construction method
CN101136832A (en) * 2004-07-13 2008-03-05 华为技术有限公司 Multi-protocol label switching virtual dedicated network and its control and forwarding method
US20080101390A1 (en) * 2005-08-09 2008-05-01 Chunzhe Hu Method and system for implementing hierarchical vpls

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856403B (en) * 2012-11-30 2018-06-05 华为技术有限公司 message control method and device
CN103856403A (en) * 2012-11-30 2014-06-11 华为技术有限公司 Message control method and apparatus
CN106713137B (en) * 2015-11-13 2020-02-18 中国电信股份有限公司 VPN method, device and system based on segmented routing and SDN technology
CN106713137A (en) * 2015-11-13 2017-05-24 中国电信股份有限公司 VPN method based on segment routing and SDN technology and device and system thereof
CN105939262A (en) * 2016-05-09 2016-09-14 杭州迪普科技有限公司 Label allocation method and device
CN105939262B (en) * 2016-05-09 2020-03-06 杭州迪普科技股份有限公司 Label distribution method and device
WO2018068748A1 (en) * 2016-10-14 2018-04-19 华为技术有限公司 Method for determining virtual network topological structure, and provider edge device
CN107959610A (en) * 2016-10-14 2018-04-24 华为技术有限公司 Determine the method and provider edge equipment of virtual network topology
CN107959610B (en) * 2016-10-14 2021-06-22 华为技术有限公司 Method for determining virtual network topological structure and operator edge equipment
CN107959611A (en) * 2016-10-17 2018-04-24 华为技术有限公司 A kind of method to E-Packet, apparatus and system
CN107959611B (en) * 2016-10-17 2021-03-23 华为技术有限公司 Method, device and system for forwarding message
CN108322423A (en) * 2017-01-16 2018-07-24 医渡云(北京)技术有限公司 Service network system and the method and apparatus of transmission, reception information
CN108696430A (en) * 2018-06-05 2018-10-23 烽火通信科技股份有限公司 The route filtering method of LDP is realized in a kind of IPRAN systems
CN108696430B (en) * 2018-06-05 2020-08-25 烽火通信科技股份有限公司 Routing filtering method for realizing LDP (routing description protocol) in IPRAN (Internet protocol radio Access network) system

Similar Documents

Publication Publication Date Title
CN105049350B (en) Utilize the method, apparatus and system of the Segment routing of the reciprocity engineering in outlet
Farrel et al. GMPLS: architecture and applications
CN106664252B (en) Realize method, equipment and the system of service chaining
CN103229468B (en) Packet-switched resources distribution method and equipment
TW202034737A (en) Routing optimizations in a network computing environment
CN100505746C (en) Method for implement virtual leased line
RU2302035C2 (en) 3-level virtual vpn network and method for building the same
CN1938997B (en) Method, connection controller and system for differential forwarding in address-based carrier networks
CN100372336C (en) MPLS VPN and its control and forwarding method
US7145878B2 (en) Avoiding overlapping segments in transparent LAN services on ring-based networks
KR101643911B1 (en) Method and related apparatus for establishing link-diverse traffic paths in a telecommunications network
CN105871722A (en) Tag structure and tag message forwarding method and device
CN106464522A (en) A method and system for network function placement
CN102394804A (en) VPN system building method and VPN system
CN102055665B (en) OSPF point-to-multipoint over broadcast or NBMA mode
US8000323B2 (en) Method and system for announcing traffic engineering parameters of composite transport groups
US20070177527A1 (en) Planning routes and allocating identifiers to routes in a managed frame-forwarding network
CN101572669A (en) Transmitting method of VPN message as well as allocating and deleting method of the router marks thereof
Zhang et al. An overview of virtual private network (VPN): IP VPN and optical VPN
CN102546433A (en) Data forwarding method based on MPLS (Multi Protocol Label Switching) VPN (Virtual Private Network) and PEs (Provider Edges)
CN106936714A (en) The processing method and PE equipment and system of a kind of VPN
CN101355516B (en) Method and system for providing service quality tactics for various virtual special network
CN102891903B (en) A kind of NAT method and equipment
CN107959611B (en) Method, device and system for forwarding message
CN102474451A (en) Linking inner and outer mpls labels

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120328