WO2023138351A1 - Traffic forwarding method, packet sending method, message sending method, and apparatus - Google Patents


Info

Publication number
WO2023138351A1
Authority
WO (WIPO, PCT)
Prior art keywords
tunnel, traffic, communication device, flow rule, vpn
Application number
PCT/CN2023/070024
Other languages
French (fr), Chinese (zh)
Inventor
曹自清
Original assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/25 Routing or path finding in a switch fabric
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present application relates to the field of communication technologies, and in particular to a traffic forwarding method, a packet sending method, a message sending method, and an apparatus.
  • VPN: Virtual Private Network
  • IP: Internet Protocol
  • the network in which the PE devices reside may be called a public network, and an IP address of a device in the public network is called a public network IP address.
  • a VPN routing table can be deployed on the Provider Edge (PE) device.
  • the VPN routing table is independent of the public network routing table, including the correspondence between the private network IP address and the outgoing interface of the PE device. If the destination address of the packet is the private IP address of a device in the VPN, after receiving the packet, the PE device looks up the outgoing interface corresponding to the private IP address according to the VPN routing table, and sends the packet through the outgoing interface to forward VPN traffic.
  • the VPN routing table limits the forwarding performance of traffic. For example, as the number of devices in the VPN increases, the number of private network IP addresses recorded in the VPN routing table will also increase accordingly, resulting in an increase in the time consumed by the PE device to search the VPN routing table. In addition, the packet forwarding path cannot be flexibly controlled according to the VPN routing table.
  • the present application provides a traffic forwarding method, a packet sending method, a message sending method, and an apparatus, which are used to forward VPN traffic without using a VPN routing table and to improve the forwarding performance of VPN traffic.
  • the present application provides a traffic forwarding method, which can be applied to a first communication device, where the first communication device is a network device for forwarding VPN traffic, such as a PE device in a public network.
  • the traffic forwarding method includes: the first communication device first acquires first traffic filtering information.
  • the first traffic filtering information may be sent by the controller to the first communication device through a notification message, or may be configured by the network management device on the first communication device.
  • the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, and the first traffic filtering action includes a first next hop as a redirection, and the first next hop is a first public network IP address of the second communication device.
  • the first traffic filtering action is used to instruct the first communication device to add a VPN label to the packet matching the first flow rule, and forward the VPN tagged packet to the first public network IP address of the second communication device according to the first traffic filtering action.
  • the first communication device forwards the traffic matching the first flow rule according to the first traffic filtering information. That is to say, as instructed by the first traffic filtering information, the first communication device adds the VPN label to each packet matching the first flow rule and forwards it to the specified public network IP address. In this way, VPN traffic is forwarded according to the first traffic filtering information without using the VPN routing table, and the forwarding delay of VPN traffic is reduced.
  • the first traffic filtering information can also specify the public network next hop of the VPN traffic, so the forwarding path of the VPN traffic can be adjusted flexibly and the flexibility of VPN traffic forwarding is improved. Forwarding the VPN traffic according to the first traffic filtering information thus avoids searching the VPN routing table and improves the forwarding performance of the VPN traffic.
  • the first traffic filtering information further includes tunnel type information, where the tunnel type information indicates a tunnel type, and the tunnel is a tunnel for forwarding traffic matching the first flow rule.
  • the first communication device may select a public network tunnel from the multiple public network tunnels between the first communication device and the first IP address of the second communication device according to the tunnel type information as the public network tunnel for forwarding VPN traffic matching the first flow rule.
  • the public network tunnel used to forward the VPN traffic matching the first flow rule is called the first tunnel.
  • the first communication device acquires the first traffic filtering information through a notification message sent by the controller.
  • the notification message sent by the controller to the first communication device is a Border Gateway Protocol (BGP) message, and the BGP message includes the first traffic filtering information.
  • BGP: Border Gateway Protocol
  • the notification message sent by the controller to the first communication device is a Path Computation Element Communication Protocol (PCEP) message.
  • PCEP: Path Computation Element Communication Protocol
  • the VPN label in the first traffic filtering information may be carried as an extended community attribute in a BGP message sent by the controller to the first communication device.
  • the BGP message includes a first extended community attribute, and the first extended community attribute is used to carry a VPN label.
  • the first extended community attribute further includes a tunnel type field
  • the tunnel type field is used to carry tunnel type information
  • the tunnel type information is used to indicate the type of the tunnel
  • the tunnel is used to forward VPN traffic matching the first flow rule.
  • the tunnel type field in the first extended community attribute is used to carry tunnel type information of the first tunnel.
  • the first communication device forwards the VPN traffic matching the first flow rule through the first tunnel. Before forwarding the VPN traffic, the first communication device therefore first determines the first tunnel. Specifically, the first communication device iterates (that is, recursively resolves) the first tunnel according to the first public network IP address of the second communication device in the first traffic filtering information; the identifier of the first tunnel is called the first tunnel identifier. Next, the first communication device associates and stores the VPN label, the first flow rule, the first public network IP address, and the first tunnel identifier on the forwarding plane of the first communication device. In this way, the forwarding plane of the first communication device includes the first association relationship, which is the association among the VPN label, the first flow rule, the first public network IP address, and the first tunnel identifier.
  • the first association relationship is stored on the forwarding plane of the first communication device in the form of a first flow rule forwarding entry.
  • the first flow rule forwarding entry includes a VPN label, a first index, a first public network IP address, and a first tunnel identifier.
  • the first index is used for indexing the first flow rule, and identifies a storage location of the first flow rule in the first communication device.
  • the first association relationship further includes the type of the first tunnel. That is to say, the first association relationship includes the association relationship among the VPN label, the first flow rule, the first public network IP address, the first tunnel identifier, and the type of the first tunnel.
  • the first flow rule forwarding entry includes a VPN label, a first index, a first public network IP address, a first tunnel identifier, and a type of the first tunnel.
  • the first communication device may also acquire second traffic filtering information, and forward VPN traffic according to the second traffic filtering information.
  • the second traffic filtering information includes a VPN label, a second flow rule, and a second traffic filtering action.
  • the VPN label in the second traffic filtering information is the same as the VPN label in the first traffic filtering information
  • the second traffic filtering action includes a redirected second next hop
  • the redirected second next hop is the second public network IP address of the second communication device. That is to say, the second traffic filtering information is used to instruct the first communication device to add a VPN label to the packet matching the second flow rule, and forward it to the second public network IP address of the second communication device.
  • the second traffic filtering information may be obtained by the first communication device according to the notification message sent by the controller, or may be configured by the network management device on the first communication device.
  • the first communication device forwards the VPN traffic matching the second flow rule through the public network tunnel.
  • the public network tunnel used to forward the VPN traffic matching the second flow rule is called the second tunnel.
  • the first communication device may iterate (recursively resolve) the second tunnel according to the second public network IP address of the second communication device.
  • the identifier of the second tunnel is called the second tunnel identifier.
  • the first communication device further stores the second association relationship on the forwarding plane of the first communication device.
  • the second association relationship includes the association relationship among the VPN label, the second flow rule, the second public network IP address, and the second tunnel identifier.
  • the first communication device stores the second association relationship in a form of a second flow rule forwarding entry.
  • the second flow rule forwarding entry includes a VPN label, a second index, a second public network IP address, and a second tunnel identifier.
  • the second index is used for indexing the second flow rule, and identifies a storage location of the second flow rule in the first communication device.
  • a method for the first communication device to forward packets according to the first traffic filtering information is introduced below.
  • the first communication device forwards the packet matching the first flow rule based on the first public network IP address. Specifically, the first communication device receives the first packet through the ingress interface bound to the first association relationship. Next, the first communication device determines whether the first packet matches the first flow rule. If the first packet matches the first flow rule, the first communication device adds a VPN label to the first packet, and sends the first packet with the VPN label added to the first next hop to implement forwarding of VPN traffic.
  • the first communication device may search the first flow rule forwarding entry, determine the first index, the VPN label, and the first public network IP address according to the first flow rule forwarding entry, and determine the first flow rule according to the first index.
  • the first communication device forwards the packets matching the first flow rule through the first tunnel. Specifically, the first communication device receives the second message through the ingress interface bound to the first association relationship. Next, the first communication device determines whether the second packet matches the first flow rule. If the second message matches the first flow rule, the first communication device adds a VPN label to the second message, and sends the second message with the VPN label added to the first public network IP address of the second communication device through the first tunnel to realize forwarding of VPN traffic.
  • the first communication device may determine the first tunnel identifier according to the first flow rule forwarding entry. Specifically, the first communication device receives the third packet through the ingress interface bound to the first flow rule forwarding entry. The first communication device determines the first index, the VPN label, the first public network IP address, and the first tunnel identifier according to the first flow rule forwarding entry, and determines the first flow rule according to the first index. Next, the first communication device determines whether the third packet matches the first flow rule. If the third message matches the first flow rule, the first communication device adds a VPN label to the third message, and sends the third message with the VPN label added to the first public network IP address of the second communication device through the first tunnel to realize forwarding of VPN traffic.
  • if the first communication device also acquires the second traffic filtering information, the first communication device forwards the packets matching the second flow rule according to the second traffic filtering information. Specifically, the first communication device receives the fourth packet through the ingress interface bound to the first flow rule forwarding entry and the second flow rule forwarding entry. Next, the first communication device determines whether the fourth packet matches the first flow rule or the second flow rule. If the fourth packet matches the second flow rule, the first communication device adds the VPN label to the fourth packet, and sends the fourth packet with the VPN label added to the second public network IP address of the second communication device to implement VPN traffic forwarding.
  • the first communication device may determine the second tunnel identifier according to the second flow rule forwarding entry. Specifically, the first communication device receives the fifth packet through the ingress interface bound to the first flow rule forwarding entry and the second flow rule forwarding entry. Next, the first communication device determines whether the fifth packet matches the first flow rule or the second flow rule.
  • if the fifth packet matches the second flow rule, the first communication device determines the VPN label, the second public network IP address and the second tunnel identifier according to the second flow rule forwarding entry, adds the VPN label to the fifth packet, and sends the fifth packet with the VPN label added to the second public network IP address of the second communication device through the second tunnel to realize forwarding of VPN traffic.
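The flow rule forwarding entries and the per-packet forwarding procedure described above, modelled in Python. This is an added example, not code from the patent or from Huawei: the five-tuple match fields, the tunnel table keyed by (public network IP, tunnel type), the first-match rule order and the TEST-NET addresses are assumptions; the patent does not specify a wire format or what happens to traffic that matches no flow rule, so here such traffic is simply not forwarded by this path.

```python
"""Model of the flow-rule forwarding entries and forwarding procedure
described in the patent (added example; field layouts are assumptions)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    """Match fields of a flow rule. Assumed: destination prefix, source
    prefix, IP protocol and destination port; None means 'any'."""
    dst_prefix: str
    src_prefix: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["dst"]) in ip_network(self.dst_prefix)
                and ip_address(pkt["src"]) in ip_network(self.src_prefix)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))


@dataclass
class FlowRuleForwardingEntry:
    """One forwarding-plane entry: VPN label, index of the flow rule,
    public network IP of the redirect next hop, tunnel id and tunnel type."""
    vpn_label: int
    index: int
    public_ip: str
    tunnel_id: str
    tunnel_type: str


class PEForwardingPlane:
    def __init__(self) -> None:
        self.rules: dict[int, FlowRule] = {}              # index -> flow rule
        self.entries: dict[str, list[FlowRuleForwardingEntry]] = {}  # ingress if -> entries
        self.tunnels: dict[tuple[str, str], str] = {}     # (public ip, type) -> tunnel id

    def add_tunnel(self, public_ip: str, tunnel_type: str, tunnel_id: str) -> None:
        self.tunnels[(public_ip, tunnel_type)] = tunnel_id

    def install(self, ingress_if: str, vpn_label: int, rule: FlowRule,
                public_ip: str, tunnel_type: str) -> FlowRuleForwardingEntry:
        """Install traffic filtering information: resolve ("iterate") the
        tunnel from the next-hop public IP and tunnel type, then store the
        association relationship as a flow rule forwarding entry bound to
        the ingress interface of the VPN instance."""
        tunnel_id = self.tunnels.get((public_ip, tunnel_type))
        if tunnel_id is None:
            # No public network tunnel of the requested type reaches the next hop.
            raise LookupError(f"no {tunnel_type} tunnel to {public_ip}")
        index = len(self.rules)
        self.rules[index] = rule
        entry = FlowRuleForwardingEntry(vpn_label, index, public_ip, tunnel_id, tunnel_type)
        self.entries.setdefault(ingress_if, []).append(entry)
        return entry

    def forward(self, ingress_if: str, pkt: dict) -> Optional[dict]:
        """Forward a packet received on ingress_if: only entries bound to that
        interface are consulted; on a match the VPN label is pushed and the
        packet is sent to the public IP through the entry's tunnel. Returns
        the encapsulated packet, or None when no bound flow rule matches."""
        for entry in self.entries.get(ingress_if, []):
            rule = self.rules[entry.index]        # flow rule looked up by index
            if rule.matches(pkt):
                return {"tunnel_id": entry.tunnel_id, "tunnel_type": entry.tunnel_type,
                        "outer_dst": entry.public_ip, "vpn_label": entry.vpn_label,
                        "inner": pkt}
        return None


def build_demo_plane() -> PEForwardingPlane:
    """Constructed sample: two public network tunnels to the second
    communication device (203.0.113.1 and 203.0.113.2), one VPN label (100)
    and two flow rules, i.e. the two-rule scenario described in the text."""
    pe = PEForwardingPlane()
    pe.add_tunnel("203.0.113.1", "sr-mpls", "tnl-1")
    pe.add_tunnel("203.0.113.2", "mpls-te", "tnl-2")
    # Matching is first-match (assumption), so the more specific rule goes first.
    pe.install("vpn-a-ge0", 100, FlowRule("10.1.5.0/24", proto=6, dst_port=443),
               "203.0.113.2", "mpls-te")
    pe.install("vpn-a-ge0", 100, FlowRule("10.1.0.0/16"), "203.0.113.1", "sr-mpls")
    return pe
```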
  • the present application provides a message sending method, which can be applied to a first communication device, where the first communication device is a network device for forwarding VPN traffic, such as a PE device in a public network.
  • the message sending method includes: the first communication device receives the first message. Specifically, the inbound interface on which the first communication device receives the first packet is associated with the first association relationship.
  • the first association relationship includes the association relationship between the first flow rule, the VPN label, and the first traffic filtering action.
  • the first traffic filtering action includes a redirected first next hop, and the redirected first next hop is the first public network IP address of the second communication device.
  • after receiving the first packet, the first communication device determines the first association relationship according to the ingress interface on which the first packet was received, determines the first flow rule according to the first association relationship, and determines whether the first packet matches the first flow rule. If the first packet matches the first flow rule, the first communication device adds the VPN label to the first packet according to the first association relationship, and forwards the first packet with the VPN label added to the first public network IP address of the second communication device. In this way, the VPN traffic is forwarded according to the first traffic filtering information, the forwarding of the VPN traffic is realized without using the VPN routing table, the forwarding delay of the VPN traffic is reduced, and the forwarding performance of the VPN traffic is improved.
  • the first traffic filtering action further includes a first tunnel identifier, configured to instruct the first communication device to forward traffic matching the first flow rule through the first tunnel.
  • the first tunnel identifier is used to identify the first tunnel, and the first tunnel is the first public network tunnel established between the first communication device and the second communication device.
  • when forwarding the first packet, the first communication device sends the first packet with the VPN label added to the first next hop through the first tunnel.
  • the first association relationship is stored on the forwarding plane of the first communication device in the form of a first flow rule forwarding entry.
  • the first flow rule forwarding entry includes the VPN label, the first index, the first public network IP address of the second communication device, and the first tunnel identifier.
  • the first index is used to index the first flow rule.
  • the forwarding plane of the first communication device further includes a second association relationship
  • the second association relationship includes an association relationship between a second flow rule, a VPN label, and a second traffic filtering action
  • the second traffic filtering action includes a redirected second next hop
  • the redirected second next hop is a second public network IP address of the second communication device. That is to say, the second association relationship is used to instruct the first communication device to forward the VPN traffic matching the second flow rule to the second public network IP address of the second communication device.
  • when the first communication device receives the second packet through the ingress interface bound to the first association relationship and the second association relationship, it first determines whether the second packet matches the first flow rule or the second flow rule. If the second packet matches the second flow rule, the first communication device adds the VPN label to the second packet, and sends the second packet with the VPN label added to the second next hop.
  • the second traffic filtering action further includes a second tunnel identifier, configured to instruct the first communication device to forward the traffic matching the second flow rule through the second tunnel.
  • the second tunnel identifier is used to identify the second tunnel
  • the second tunnel is a second public network tunnel established between the first communication device and the second communication device.
  • the first communication device sends the second packet with the VPN label added to the second next hop through the second tunnel.
  • the present application provides a message sending method, which is applied to a control and management device, and the control and management device may be a network management device or a controller. If the control management device is a controller, the control management device may be a controller for controlling PE devices in a multi-level controller architecture.
  • the message sending method includes: the control and management device acquires first traffic filtering information and sends the first traffic filtering information to the first communication device.
  • the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action.
  • the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action is used to instruct the first communication device to forward VPN traffic matching the first flow rule to the first next hop.
  • the first communication device can forward the VPN traffic according to the first traffic filtering information instead of the VPN routing table, avoiding searching the VPN routing table, and improving the forwarding performance of the VPN traffic.
  • if the control and management device is a network management device, it may obtain the first traffic filtering information configured on the network management device by a technician.
  • if the control and management device is a controller, it may receive the first traffic filtering information sent by the network management device, or obtain the first traffic filtering information configured on the controller by a technician.
  • if the control and management device is a controller used to control the PE device in a multi-level controller architecture, the first traffic filtering information may be sent to it by the controller in the multi-level controller architecture that controls the control and management device.
  • the first traffic filtering information further includes type information of the first tunnel, where the tunnel type information of the first tunnel is used to indicate the type of the first tunnel.
  • the first tunnel is a public network tunnel established between the first communication device and the second communication device, and is used to forward VPN traffic matching the first flow rule. That is to say, after determining that the message matches the first flow rule, the first communication device may forward the message with the VPN label to the first public network IP address of the second communication device through the first tunnel.
  • if the control and management device is a controller, it may send the first traffic filtering information to the first communication device by sending a notification message.
  • the notification message sent by the control and management device may be a BGP message or a PCEP message.
  • if the control and management device is a controller, it sends the first traffic filtering information to the first communication device through a BGP message.
  • the VPN label in the first traffic filtering information may be carried in the BGP message as an extended community attribute.
  • the BGP message includes a first extended community attribute, and the first extended community attribute includes a VPN label.
  • the first extended community attribute further includes a tunnel type field, where the tunnel type field is used to carry tunnel type information, the tunnel type information indicates a tunnel type, and the tunnel is a public network tunnel that forwards traffic matching the first flow rule.
  • the tunnel type field may be used to carry the tunnel type information of the above-mentioned first tunnel.
  • the control and management device is a controller, and the control and management device sends the first traffic filtering information to the first communication device through a BGP message.
  • the BGP message also includes a route target (RT).
  • the RT is associated with a VPN instance in the first communication device.
  • the first traffic filtering information is used to filter the VPN traffic from the VPN site bound to that VPN instance.
  • the first communication device may perform route crossing (matching the RT carried in the BGP message against the RTs of its VPN instances) to determine the identifier of the VPN instance corresponding to the first traffic filtering information, and thereby determine the ingress interface bound to the first association relationship.
  • the control and management device may also acquire second traffic filtering information, where the second traffic filtering information includes a VPN label, a second flow rule, and a second traffic filtering action, wherein the VPN label in the second traffic filtering information is the same as the VPN label in the first traffic filtering information, the second traffic filtering action includes a redirected second next hop, and the redirected second next hop is the second public network IP address of the second communication device. That is to say, the second traffic filtering information is used to instruct the first communication device to add the VPN label to the packet matching the second flow rule, and forward it to the second public network IP address of the second communication device. In this way, through the first flow rule and the second flow rule, different VPN traffic flowing through the same device (that is, the second communication device) is distinguished, and flexible forwarding of VPN traffic is realized.
  • the second traffic filtering information further includes type information of the second tunnel, and the tunnel type information of the second tunnel is used to indicate the type of the second tunnel.
  • the second tunnel is a public network tunnel established between the first communication device and the second communication device, and is used to forward VPN traffic matching the second flow rule. That is to say, after determining that the packet matches the second flow rule, the first communication device may forward the packet with the VPN label to the second public network IP address of the second communication device through the second tunnel.
  • the present application provides a network device for traffic forwarding, the network device is applied to a first communication device, and includes a processing module and a transceiver module.
  • the processing module is configured to acquire first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action includes a redirected first next hop, the redirected first next hop is a first public network IP address of a second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop; the transceiver module is configured to forward traffic matching the first flow rule according to the first traffic filtering information.
  • the first traffic filtering information further includes tunnel type information, where the tunnel type information indicates a type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
  • the transceiver module is further configured to receive a BGP message sent by the controller, where the BGP message includes the first traffic filtering information.
  • the BGP message includes a first extended community attribute, and the first extended community attribute carries the VPN label.
  • the first extended community attribute further includes a tunnel type field, where the tunnel type field carries tunnel type information, and the tunnel type information indicates a tunnel type, and the tunnel is used to forward traffic matching the first flow rule.
  • the transceiver module is further configured to receive a PCEP message sent by the controller, where the PCEP message includes the first traffic filtering information.
  • the processing module is configured to iterate a first tunnel according to the first public network IP address, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device; a first association relationship is saved on a forwarding plane, and the first association relationship includes an association relationship between the VPN label, the first flow rule, the first public network IP address, and a first tunnel identifier, and the first tunnel identifier is used to identify the first tunnel.
  • the processing module is configured to store a first flow rule forwarding entry on the forwarding plane, where the first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address, and the first tunnel identifier, and the first index is used to index the first flow rule.
  • the first association relationship further includes the type of the first tunnel.
  • the processing module is further configured to obtain second traffic filtering information, where the second traffic filtering information includes the VPN label, a second flow rule, and a second traffic filtering action, wherein the second traffic filtering action carries a redirected second next hop, the redirected second next hop is the second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop; and the transceiver module is configured to forward traffic matching the second flow rule according to the second traffic filtering information.
  • the processing module is configured to iterate a second tunnel according to the second public network IP address, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device; the second association relationship is saved on the forwarding plane, and the second association relationship includes the association relationship between the VPN label, the second flow rule, the second public network IP address, and a second tunnel identifier, and the second tunnel identifier is used to identify the second tunnel.
  • the transceiver module is configured to receive the first packet;
  • the processing module is configured to add the VPN label to the first packet in response to the first packet matching the first flow rule;
  • the transceiver module is further configured to send the first packet with the VPN label added to the first next hop.
  • the transceiver module is configured to receive the second packet;
  • the processing module is configured to add the VPN label to the second packet in response to the second packet matching the first flow rule;
  • the transceiver module is configured to send the second packet with the VPN label added to the first next hop through the first tunnel.
  • the transceiver module is configured to receive a third packet;
  • the processing module is configured to, in response to the third packet matching the first flow rule, determine the VPN label and the first tunnel identifier corresponding to the first flow rule according to the first flow rule forwarding entry, and add the VPN label to the third packet;
  • the transceiver module is configured to send the third packet with the VPN label added to the first next hop through the first tunnel.
  • the transceiver module is configured to receive a fourth packet;
  • the processing module is configured to add the VPN label to the fourth packet in response to the fourth packet matching the second flow rule;
  • the transceiver module is configured to send the fourth packet with the VPN label added to the second next hop.
  • the transceiver module is configured to receive the fifth packet;
  • the processing module is configured to, in response to the fifth packet matching the second flow rule, determine the VPN label and the second tunnel identifier corresponding to the second flow rule according to the second flow rule forwarding entry, and add the VPN label to the fifth packet;
  • the transceiver module is configured to send the fifth packet with the VPN label added to the second next hop through the second tunnel.
  • the present application provides a network device for sending a message, the network device is applied to a first communication device, and includes a transceiver module and a processing module.
  • the transceiver module is configured to receive the first packet;
  • the processing module is configured to, in response to the first packet matching the first flow rule, determine a VPN label and a first traffic filtering action according to a first association relationship, where the first association relationship includes the association relationship between the first flow rule, the VPN label, and the first traffic filtering action, the first traffic filtering action includes a redirected first next hop, and the redirected first next hop is a first public network IP address of the second communication device; and add the VPN label to the first packet;
  • the transceiver module is configured to send the first packet with the VPN label added to the first next hop.
  • the first traffic filtering action further includes a first tunnel identifier, where the first tunnel identifier is used to identify a first tunnel, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device;
  • the transceiver module is configured to send the first packet with the VPN label added to the first next hop through the first tunnel.
  • the processing module is configured to determine a VPN label corresponding to the first flow rule and the first tunnel identifier according to a first flow rule forwarding entry, where the first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address, and a first tunnel identifier, and the first index is used to index the first flow rule.
  • the transceiver module is further configured to receive the second packet;
  • the processing module is further configured to, in response to the second packet matching the second flow rule, determine the VPN label and a second traffic filtering action according to a second association relationship, where the second association relationship includes the association relationship between the second flow rule, the VPN label, and the second traffic filtering action, the second traffic filtering action includes a redirected second next hop, and the redirected second next hop is a second public network Internet Protocol IP address of the second communication device; and add the VPN label to the second packet;
  • the transceiver module is further configured to send the second packet with the VPN label added to the second next hop.
  • the second traffic filtering action further includes a second tunnel identifier, where the second tunnel identifier is used to identify a second tunnel, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device;
  • the transceiver module is configured to send the second packet with the VPN label added to the second next hop through the second tunnel.
  • the present application provides a control and management device for sending messages, the control and management device is applied to a controller or a network management device, and the control and management device includes a processing module and a transceiver module.
  • the processing module is configured to obtain first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action includes a redirected first next hop, the redirected first next hop is a first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward VPN traffic that matches the first flow rule to the first next hop;
  • the transceiver module is configured to send the first traffic filtering information to the first communication device.
  • the first traffic filtering information further includes tunnel type information of a first tunnel, where the tunnel type information of the first tunnel indicates the type of the first tunnel, the first tunnel is used to forward traffic matching the first flow rule, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device.
  • when the control management device is a controller, the transceiver module is configured to send a BGP message to the first communication device, where the BGP message includes the first traffic filtering information.
  • the BGP message includes a first extended community attribute, and the first extended community attribute carries the VPN label.
  • the first extended community attribute further includes a tunnel type field, where the tunnel type field carries tunnel type information, and the tunnel type information indicates a tunnel type, and the tunnel is used to forward traffic matching the first flow rule.
  • the BGP message further includes a route target (RT);
  • the route target is associated with a VPN instance in the first communication device;
  • the first traffic filtering information is used to filter VPN traffic from a VPN site bound to the VPN instance.
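The BGP carriage described above (a route target that selects the VPN instance, plus an extended community carrying the VPN label and a tunnel type field) as an added Python example; this is not code from the patent or from the applicant. The Route Target uses the real two-octet-AS layout of RFC 4360 (type 0x00, sub-type 0x02, 2-byte ASN, 4-byte assigned number). The page does not reproduce the FIG. 4 layout of the first extended community attribute, so the layout used for it here (transitive experimental type 0x80 with a placeholder sub-type 0x7F, a 20-bit label left-aligned in 3 bytes as in an MPLS label stack entry, a 1-byte tunnel type, 2 reserved bytes) and the tunnel type code points are this example's assumptions. The decoder rejects truncated attributes and label communities whose label or tunnel type is unusable, which is the check a receiving PE should make before installing a redirect:

```python
"""Encoding and checking of the BGP extended communities that accompany the first
traffic filtering information. Added example, not the patent's or applicant's code.
Route Target: real RFC 4360 two-octet-AS layout. VPN label community: the page's
"first extended community attribute", whose FIG. 4 layout is not in the text, so the
layout below (type 0x80, placeholder sub-type 0x7F, 20-bit label in the high bits of
3 bytes, 1-byte tunnel type, 2 reserved bytes) and TUNNEL_TYPES are ASSUMPTIONS.
"""
import struct

RT_TYPE, RT_SUBTYPE = 0x00, 0x02                 # RFC 4360: transitive two-octet AS, Route Target
VPN_LABEL_TYPE, VPN_LABEL_SUBTYPE = 0x80, 0x7F   # ASSUMED: experimental type, placeholder sub-type
TUNNEL_TYPES = {1: "LDP", 2: "TE"}               # ASSUMED code points for the tunnel type field
MPLS_LABEL_MAX = (1 << 20) - 1                   # 20-bit label space; 0..15 are reserved values


def encode_route_target(asn: int, assigned: int) -> bytes:
    """Route Target extended community: ASN (2 bytes) + assigned number (4 bytes)."""
    if not (0 <= asn <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
        raise ValueError("route target fields out of range")
    return struct.pack("!BBHI", RT_TYPE, RT_SUBTYPE, asn, assigned)


def encode_vpn_label_community(label: int, tunnel_type: int) -> bytes:
    """Community carrying the VPN label and the tunnel type (assumed layout, see above)."""
    if not 16 <= label <= MPLS_LABEL_MAX:
        raise ValueError(f"label {label} is reserved or out of range")
    if tunnel_type not in TUNNEL_TYPES:
        raise ValueError(f"unknown tunnel type {tunnel_type}")
    label_field = (label << 4).to_bytes(3, "big")  # label in the high 20 bits of 3 bytes
    return struct.pack("!BB3sBH", VPN_LABEL_TYPE, VPN_LABEL_SUBTYPE, label_field, tunnel_type, 0)


def build_attribute(*communities: bytes) -> bytes:
    """Value of the Extended Communities path attribute: concatenated 8-byte communities."""
    return b"".join(communities)


def decode_extended_communities(attr: bytes) -> list:
    """Parse an Extended Communities attribute value, rejecting malformed input."""
    if len(attr) % 8:
        raise ValueError("extended communities attribute length must be a multiple of 8")
    out = []
    for off in range(0, len(attr), 8):
        ctype, subtype, body = attr[off], attr[off + 1], attr[off + 2:off + 8]
        if (ctype, subtype) == (RT_TYPE, RT_SUBTYPE):
            asn, assigned = struct.unpack("!HI", body)
            out.append({"kind": "route_target", "asn": asn, "assigned": assigned})
        elif (ctype, subtype) == (VPN_LABEL_TYPE, VPN_LABEL_SUBTYPE):
            label = int.from_bytes(body[:3], "big") >> 4
            ttype = body[3]
            # do not hand a reserved label or an unknown tunnel type to the forwarding plane
            if label < 16 or ttype not in TUNNEL_TYPES:
                raise ValueError(f"invalid VPN label community at offset {off}")
            out.append({"kind": "vpn_label", "label": label, "tunnel_type": TUNNEL_TYPES[ttype]})
        else:
            # unknown communities are recorded but not acted on
            out.append({"kind": "unknown", "type": ctype, "subtype": subtype})
    return out
```

Two communities of different kinds can sit in the same attribute, so the flow rule's route target and its VPN label community travel together; a PE matches the RT against its VPN instances before it installs anything from the label community.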
  • the transceiver module is configured to send a PCEP message to the first communication device, where the PCEP message includes the first traffic filtering information.
  • the processing module is further configured to obtain second traffic filtering information, where the second traffic filtering information includes the VPN label, a second flow rule, and a second traffic filtering action, where the second traffic filtering action includes a redirected second next hop, the redirected second next hop is a second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop; and send the second traffic filtering information to the first communication device.
  • the second traffic filtering information further includes tunnel type information of a second tunnel, where the tunnel type information of the second tunnel indicates the type of the second tunnel, the second tunnel is used to forward traffic matching the second flow rule, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device.
  • the present application provides a network device, the network device includes a processor and a memory, the memory is used to store instructions or program codes, and the processor is used to call and run the instructions or program codes from the memory, so that the network device executes the method in the first aspect or any one of the possible implementations of the first aspect, or executes the second aspect or the method in any one of the possible implementations of the second aspect.
  • the present application provides a control and management device, the control and management device includes a processor and a memory, the memory is used to store instructions or program codes, and the processor is used to call and run the instructions or program codes from the memory, and make the control and management device execute the third aspect and the method in any possible implementation manner of the third aspect.
  • the present application provides a network system, and the network system includes the network device described in the fourth aspect or the fifth aspect, and the control management device described in the sixth aspect.
  • the present application provides a computer-readable storage medium, including instructions, programs or codes, which, when executed on a processor, implement the traffic forwarding method in the first aspect or in any possible implementation of the first aspect, or the message sending method in the second aspect or in any of the possible implementations of the second aspect, or the message sending method in the third aspect or in any of the possible implementations of the third aspect.
  • FIG. 1-A is a schematic diagram of a network architecture provided by an embodiment of the present application.
  • FIG. 1-B is a schematic diagram of another network architecture provided by the embodiment of the present application.
  • FIG. 1-C is a schematic diagram of another network architecture provided by the embodiment of the present application.
  • FIG. 1-D is a schematic diagram of another network architecture provided by the embodiment of the present application.
  • FIG. 2 is a signaling interaction diagram of a traffic forwarding method provided in an embodiment of the present application.
  • FIG. 3 is a signaling interaction diagram of a message sending method provided in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a format of the first extended community attribute provided by the embodiment of the present application.
  • FIG. 5 is a signaling interaction diagram of a message sending method provided in an embodiment of the present application.
  • FIG. 6 is another signaling interaction diagram of the traffic forwarding method provided by the embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a device provided in an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • VPN routing table affects the forwarding performance of VPN traffic. For example, if the number of IP addresses in the VPN routing table is large, it takes a long time for the PE device to search the VPN routing table, which increases the delay of packets in the VPN traffic.
  • the VPN routing table specifies the outbound interface and next hop for transmitting packets, which fixes the forwarding path of VPN traffic and limits the flexibility of VPN traffic forwarding.
  • A network architecture of the embodiment of the present application will be briefly introduced below with reference to FIG. 1-A.
  • FIG. 1-A is a schematic structural diagram of a system provided by an embodiment of the present application.
  • the system shown in FIG. 1-A includes device 1, device 2, device 3, CE 1, CE 2, PE 1, PE 2, and P1.
  • CE1 is connected to device 1 and PE1 respectively;
  • P1 is connected to PE1 and PE2 respectively;
  • CE2 is connected to PE2, device 2 and device 3 respectively.
  • Device 1, Device 2, Device 3, CE1, and CE2 belong to VPN1, and PE1, PE2, and P1 belong to the public network.
  • the private network IP address of device 1 is 100.1.1.1, the private network IP address of device 2 is 200.2.2.2, and the private network IP address of device 3 is 300.3.3.3.
  • the ID of the incoming interface connected to CE1 on PE1 is A1
  • the ID of the outgoing interface connected to P1 on PE1 is A2
  • the ID of the incoming interface connected to P1 on PE2 is B1.
  • VPN instances are created on the PE device, and each VPN instance maintains a separate VPN routing table (also called a private network routing table), among which, a VPN instance can also be called a virtual routing forwarding (Virtual Routing Forwarding, VRF).
  • Different VPN instances on the PE device can be distinguished through the Virtual Routing Forwarding Identifier (VRF ID). Assuming that the VRF ID of the VPN instance corresponding to VPN1 on PE1 is 1, then the VPN routing table corresponding to VPN1 includes the first correspondence between VRF ID1, the private IP address 200.2.
  • the VPN instance on the PE device can be bound to the inbound interface of the PE device, which means that the traffic received through the inbound interface is forwarded through the VPN instance.
  • the inbound interface A1 of PE1 is bound to the VPN instance of VPN1, that is, the inbound interface A1 is associated with VRF ID1.
  • PE1 receives packet 1 with the destination address 200.2.2.2 through ingress interface A1. After receiving packet 1, PE1 determines according to inbound interface A1 that packet 1 is forwarded based on the VPN routing table of VPN1. Next, according to the destination address 200.2.2.2 of the packet 1, PE1 searches the VPN routing table of VPN1 to determine that the outgoing interface corresponding to the packet 1 is the outgoing interface A2, and then forwards the packet 1 through the outgoing interface A2.
  • PE1 receives packet 2 with the destination address 300.3.3.3 through ingress interface A1. After receiving packet 2, PE1 determines according to the inbound interface A1 that packet 2 is forwarded based on the VPN routing table of VPN1. Next, according to the destination address 300.3.3.3 of the packet 2, PE1 searches the VPN routing table of VPN1, determines that the outgoing interface corresponding to the packet 2 is the outgoing interface A2, and forwards the packet 2 through the outgoing interface A2.
  • Another network architecture of the embodiment of the present application will be briefly introduced below with reference to FIG. 1-B.
  • FIG. 1-B is another schematic structural diagram of the system provided by the embodiment of the present application.
  • the system shown in Fig. 1-B also includes P2.
  • P2 is connected to PE1 and PE2 respectively.
  • the ID of the outgoing interface connected to P2 on PE1 is A3
  • the ID of the incoming interface connected to P2 on PE2 is B2.
  • When generating the VPN routing table, PE1 obtains two routes from CE2, one of which includes device 2's private IP address 200.2.2.2, and the other of which includes device 3's private IP address 300.3.3.3. After route calculation, the VPN routing table generated by PE1 includes the correspondence between VPN1's VRF ID1, private network IP address 200.2.2.2, and outgoing interface A2, and the correspondence between VPN1's VRF ID1, private network IP address 300.3.3.3, and outgoing interface A2.
  • PE1 forwards the VPN traffic whose destination address is device 2 or device 3 through outbound interface A2.
  • the VPN routing table also includes masks. According to the mask and the private network IP address, the private network routing prefix can be obtained.
  • the above-mentioned determination of the outgoing interface according to the destination address of the message refers to searching the VPN routing table for a private network routing prefix matching the destination address of the message, and then determining the outgoing interface according to the private network routing prefix.
  • the impact of the VPN routing table on the forwarding performance of VPN traffic includes but is not limited to the following three aspects.
  • the first aspect: with the continuous increase of VPN routes, the time for querying the VPN routing table keeps increasing, thus increasing the forwarding delay of VPN traffic.
  • the VPN routing table includes the private IP addresses of devices in the VPN. As the number of devices in the VPN grows, the amount of data in the VPN routing table grows with it, and so does the time PE1 needs to search the VPN routing table. The time PE1 spends forwarding each packet therefore increases, which affects the forwarding delay of VPN traffic.
  • the VPN routing table limits the forwarding path of packets, reducing the flexibility of VPN traffic forwarding.
  • the VPN routing table specifies the outbound interface and next hop for forwarding packets. That is, after receiving VPN traffic, PE1 forwards it to the next hop through the specified outbound interface according to the VPN routing table. In this way, the forwarding path of the message is limited, and the flexible forwarding of the message cannot be realized.
  • the traffic destined for device 2 and the traffic destined for device 3 are forwarded through the same outbound interface A2; traffic destined for different devices cannot be forwarded through different outbound interfaces, so flexible forwarding of traffic cannot be realized.
  • the VPN routing table is generated based on the VPN routes advertised by other devices. Therefore, if the forwarding path of traffic needs to be adjusted, the VPN routing table of VPN1 can only be modified by having device 2 and/or device 3 advertise their routes again. It can be seen that forwarding VPN traffic based on the VPN routing table cannot flexibly adjust the traffic forwarding path.
  • an embodiment of the present application provides a traffic filtering method, in which the first communication device forwards the traffic matching the flow rule to the next hop on the public network according to the indication of the traffic filtering information.
  • VPN traffic is forwarded based on traffic filtering information instead of the VPN routing table, and VPN traffic can be forwarded without using the VPN routing table. In this way, searching the VPN routing table is avoided, and the forwarding performance of VPN traffic is improved.
  • the PE device may be a device with a forwarding function, such as a router (Router) or a switch (Switch).
  • PE1 and PE2 are capable of forwarding packets based on a Multiprotocol Label Switching (Multiprotocol Label Switching, MPLS) protocol.
  • the first communication device may be, for example, PE1 in FIG. 1-A and FIG. 1-B, and is used to execute the steps performed by the first communication device in the methods shown in FIG. 2, FIG. 3, FIG. 5 and FIG. 6 below.
  • the second communication device may be, for example, PE2 in FIG. 1-A and FIG. 1-B.
  • the systems shown in FIG. 1-A and FIG. 1-B also include a control and management device.
  • the control and management device is used to manage PE1.
  • the control and management device may be a controller, a network management device, or other devices capable of controlling and/or managing.
  • the control and management device may be configured to configure first traffic filtering information on PE1 for performing the steps performed by the network management device in the embodiment shown in FIG. 2 .
  • the control management device is a controller
  • the control management device may be used to execute the steps performed by the controller in the embodiments shown in FIG. 2 , FIG. 3 and FIG. 6 below.
  • the system where the control and management device is located may include a multi-level controller architecture.
  • in a multi-level controller architecture, higher-level controllers can control lower-level controllers.
  • a typical multi-level controller architecture includes a parent controller and multiple child controllers.
  • the control management device (and the controller shown in FIG. 2, FIG. 3 and FIG. 6) in this embodiment of the present application may be a controller for controlling PE devices. This controller can be a parent controller or a child controller.
  • the control management device establishes a neighbor relationship with PE1 and sends a message to PE1.
  • the neighbor relationship between the control management device and PE1 may be a VPN flow rule (Flow Specification, Flowspec) neighbor relationship, or a VPN neighbor relationship.
  • if a VPN neighbor relationship is established between the control and management device and PE1, the control and management device and PE1 belong to the same VPN.
  • one or more public network tunnels may be established between PE1 and PE2, and the public network tunnels may be Label Distribution Protocol (Label Distribution Protocol, LDP) tunnels or Traffic Engineering (Traffic Engineering, TE) tunnels, or other types of tunnels.
  • a public network tunnel 1 may be established between PE1 and PE2, and the forwarding path corresponding to the public network tunnel 1 is "PE1 → P1 → PE2".
  • public network tunnel 1 and public network tunnel 2 are established between PE1 and PE2.
  • the forwarding path corresponding to the public network tunnel 1 is "PE1 → P1 → PE2".
  • the forwarding path corresponding to the public network tunnel 2 is "PE1 → P2 → PE2".
  • the tunnel types of the public network tunnels established between PE1 and PE2 can be the same or different.
  • FIG. 2 is a signaling interaction diagram of the traffic forwarding method 200 provided in the embodiment of the present application, which includes the following S201, S202 and S203.
  • S201: The control management device acquires first traffic filtering information.
  • the first traffic filtering information is introduced first.
  • the first traffic filtering information includes a VPN label, a first traffic filtering action, and a first flow rule, and is used to instruct the communication device to add the VPN label to a message matching the first flow rule, and forward the message to the first public network IP address of the second communication device.
  • the VPN label is a label assigned by the second communication device to the VPN route.
  • the VPN label may be, for example, an MPLS label.
  • the second communication device may allocate VPN labels in a manner of per VPN instance per label, or may allocate VPN labels in a manner of per VPN route per label.
  • if the second communication device allocates VPN labels per VPN instance per label, multiple VPN routes belonging to the same VPN have the same VPN label. If the second communication device allocates VPN labels per VPN route per label, multiple VPN routes belonging to the same VPN have different VPN labels.
  • if PE2 allocates VPN labels per VPN instance per label, the VPN routes in VPN1 correspond to the same VPN label, so the VPN route corresponding to device 2 and the VPN route corresponding to device 3 correspond to the same VPN label; if PE2 allocates VPN labels per VPN route per label, different VPN routes in VPN1 correspond to different VPN labels, so the VPN route corresponding to device 2 and the VPN route corresponding to device 3 correspond to different VPN labels.
  • the second communication device uses a label per VPN instance as an example for introduction in the following.
  • the first flow rule is a restriction on packets, and is used to determine whether the packets need to be redirected to the first next hop.
  • a packet matching the first flow rule is added with a VPN label by the first communication device, and forwarded to the first next hop.
  • the first flow rule may include at least one matching rule for matching the value of a characteristic field of the packet, and is used for limiting the value of that characteristic field in the packet.
  • a packet matches a matching rule when the value of the characteristic field in the packet is consistent with the value defined in the matching rule.
  • the first flow rule includes a first matching rule and a second matching rule. Packets matching the first flow rule are respectively matched with the first matching rule and the second matching rule.
  • the first matching rule is used to limit the value of the destination address field in the packet;
  • the second matching rule is used to limit the value of the source address field in the packet;
  • the first matching rule includes the first private network IP address
  • the second matching rule includes the second private network IP address.
  • the destination address of the packet matching the first flow rule is the first private network IP address
  • the source address is the second private network IP address.
  • the first matching rule in the first flow rule includes the private network IP address 200.2.2.2, which limits the value of the packet destination address field to 200.2.2.2; the second matching rule in the first flow rule includes the private network IP address 100.1.1.1, which limits the value of the packet source address field to 100.1.1.1.
  • if PE1 receives a packet X whose destination address is 200.2.2.2 and whose source address is 100.1.1.1, PE1 determines that packet X matches the first flow rule.
  • the first matching rule and/or the second matching rule may further include a network segment. If the destination address of the packet belongs to the network segment included in the first matching rule, and the source address of the packet belongs to the network segment included in the second matching rule, then the packet matches the first flow rule.
  • the first traffic filtering action includes the first public network IP address of the second communication device, and is used to instruct the first communication device to redirect traffic matching the first flow rule to the first public network IP address of the second communication device.
  • the first public network IP address of the second communication device may also be referred to as the redirected first next hop.
  • the second communication device may correspond to one or more public network IP addresses.
  • the second communication device has multiple interfaces, and each interface may correspond to a public network IP address.
  • the public network IP address corresponding to one interface of the second communication device is the above-mentioned first next hop, that is, the first public network IP address.
  • the first traffic filtering action is used to instruct the first communication device to redirect the traffic matching the first flow rule to the first public network IP address of the second communication device.
  • the second communication device receives traffic matching the first flow rule through the interface corresponding to the first public network IP address.
  • the first traffic filtering information further includes a first tunnel identifier and/or tunnel type information of the first tunnel.
  • the first tunnel identifier is used to identify the first tunnel, for example, it may be a tunnel identifier (Tunnel ID) of the first tunnel.
  • the tunnel type information of the first tunnel is used to indicate the type of the first tunnel.
  • the first tunnel is a first public network tunnel established between the first communication device and the second communication device. Specifically, the first tunnel is a public network tunnel from the first communication device to an interface corresponding to the first public network IP address on the second communication device.
  • the first communication device may determine the first tunnel from the multiple public network tunnels according to the first tunnel identifier, or the first communication device may select, from the multiple public network tunnels, a public network tunnel whose tunnel type matches the tunnel type information of the first tunnel as the first tunnel. That is to say, the first tunnel identifier and/or the tunnel type information of the first tunnel are used to determine the first tunnel.
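The forwarding-plane behaviour described for the first traffic filtering information (destination and source matching rules that may be exact addresses or network segments, the redirect to the public network IP address of the second communication device, and selection of the public network tunnel by tunnel identifier or tunnel type), together with the VRF routing table lookup of FIG. 1-A as the path taken when no flow rule matches, as an added Python model. This is example code, not the patent's or the applicant's implementation. The public network IP address 10.0.0.2 for PE2, the VPN label 1000, the tunnel identifiers, the 200.3.3.0/24 segment (used instead of the page's device 3), the evaluation of flow rules in installation order and the fallback to the VRF table are all constructed assumptions. The model resolves the tunnel and range-checks the label when the entry is installed, so that an unusable entry is refused rather than silently forwarding unlabeled traffic:

```python
"""Forwarding-plane model for flow-rule based redirect of VPN traffic. Added example,
not the patent's code. A packet matching a flow rule gets the VPN label pushed and goes
to the redirected public-network next hop over the tunnel resolved from that next hop plus
an optional tunnel identifier or tunnel type; a packet matching no flow rule is looked up
in the VRF routing table (longest-prefix match) as in FIG. 1-A. That fallback order, rule
evaluation in install order, and all addresses, labels and tunnel IDs are ASSUMPTIONS.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

MPLS_LABEL_MAX = (1 << 20) - 1  # MPLS labels are 20 bits; values 0..15 are reserved

@dataclass(frozen=True)
class FlowRule:
    dst: IPv4Network  # first matching rule: destination address (/32) or segment
    src: IPv4Network  # second matching rule: source address (/32) or segment

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(dst) in self.dst and ip_address(src) in self.src

def make_rule(dst: str, src: str) -> FlowRule:
    return FlowRule(ip_network(dst), ip_network(src))

@dataclass(frozen=True)
class Tunnel:
    tunnel_id: int
    tunnel_type: str  # "LDP" or "TE" in the text
    remote_ip: str    # public-network IP of the far-end interface on PE2 (constructed)
    out_iface: str    # interface the tunnel leaves PE1 on (A2 or A3 in FIG. 1-B)

@dataclass(frozen=True)
class FlowRuleEntry:  # flow rule forwarding entry: index, VPN label, rule, next hop, tunnel
    index: int
    vpn_label: int
    rule: FlowRule
    next_hop: str
    tunnel_id: int

@dataclass(frozen=True)
class Decision:
    via: str          # "flowspec" (redirect) or "vrf" (routing table)
    out_iface: str
    next_hop: str
    labels: tuple     # label stack pushed by PE1
    tunnel_id: Optional[int] = None

class ForwardingPlane:
    def __init__(self, tunnels):
        self.tunnels = {t.tunnel_id: t for t in tunnels}
        self.vrf_routes = []  # (prefix, out_iface, next_hop) of one VRF
        self.entries = []     # flow rule forwarding entries, in install order (assumption)

    def add_vrf_route(self, prefix, out_iface, next_hop):
        self.vrf_routes.append((ip_network(prefix), out_iface, next_hop))

    def iterate_tunnel(self, next_hop, tunnel_id=None, tunnel_type=None):
        """Resolve ('iterate') the public-network tunnel for a redirect next hop."""
        found = [t for t in self.tunnels.values() if t.remote_ip == next_hop]
        if tunnel_id is not None:
            found = [t for t in found if t.tunnel_id == tunnel_id]
        if tunnel_type is not None:
            found = [t for t in found if t.tunnel_type == tunnel_type]
        if not found:
            raise LookupError(f"no tunnel to {next_hop} (id={tunnel_id}, type={tunnel_type})")
        return min(found, key=lambda t: t.tunnel_id)  # deterministic choice among candidates

    def install_filter(self, vpn_label, rule, next_hop, tunnel_id=None, tunnel_type=None):
        """Save the association (label, rule, next hop, tunnel); reject bad entries now,
        not when live traffic hits them."""
        if not 16 <= vpn_label <= MPLS_LABEL_MAX:
            raise ValueError(f"VPN label {vpn_label} outside the usable MPLS range")
        tunnel = self.iterate_tunnel(next_hop, tunnel_id, tunnel_type)
        entry = FlowRuleEntry(len(self.entries), vpn_label, rule, next_hop, tunnel.tunnel_id)
        self.entries.append(entry)
        return entry

    def lookup_vrf(self, dst):
        addr, best = ip_address(dst), None
        for prefix, iface, nh in self.vrf_routes:  # longest-prefix match
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface, nh)
        return best

    def forward(self, src, dst):
        for e in self.entries:  # redirect path: no VPN routing table search needed
            if e.rule.matches(src, dst):
                t = self.tunnels[e.tunnel_id]
                return Decision("flowspec", t.out_iface, e.next_hop, (e.vpn_label,), t.tunnel_id)
        route = self.lookup_vrf(dst)  # fallback: VPN routing table
        if route is None:
            return None  # no route at all: drop
        return Decision("vrf", route[1], route[2], ())  # VPN route's own label omitted here

def build_pe1():
    """PE1 of FIG. 1-B with constructed data: tunnel 1 leaves on A2 via P1, tunnel 2 on A3 via P2."""
    pe1 = ForwardingPlane([Tunnel(1, "LDP", "10.0.0.2", "A2"), Tunnel(2, "TE", "10.0.0.2", "A3")])
    pe1.add_vrf_route("200.0.0.0/8", "A2", "P1")
    pe1.add_vrf_route("200.2.2.0/24", "A2", "P1")
    pe1.add_vrf_route("200.9.9.0/24", "A3", "P2")
    # device 1 -> device 2 redirected over the TE tunnel by tunnel type; a constructed
    # 200.3.3.0/24 segment redirected over tunnel 1 by tunnel identifier
    pe1.install_filter(1000, make_rule("200.2.2.2/32", "100.1.1.1/32"), "10.0.0.2", tunnel_type="TE")
    pe1.install_filter(1000, make_rule("200.3.3.0/24", "100.1.1.0/24"), "10.0.0.2", tunnel_id=1)
    return pe1
```

With `build_pe1()`, a packet from 100.1.1.1 to 200.2.2.2 leaves on A3 over tunnel 2 with label 1000 pushed, a packet from 100.1.1.9 to 200.3.3.7 leaves on A2 over tunnel 1, and a packet whose source is not 100.1.1.1 falls back to the VRF table and takes A2 as in FIG. 1-A. Installing an entry whose next hop has no tunnel raises `LookupError`.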
  • the first traffic filtering information may be configured by a technician on the control and management device.
  • if the control management device is a controller, the first traffic filtering information may also be generated by the control management device according to a control message.
  • the control message is a message sent by the upper-level controller of the control and management device to the control and management device, and includes first traffic filtering information.
  • S202: The control and management device sends the first traffic filtering information to the first communication device.
  • the control management device may send the first traffic filtering information to the first communication device.
  • the control and management device may be a network management device or a controller.
  • the sending of the first traffic filtering information by the control and management device to the first communication device specifically includes but is not limited to the following two manners.
  • Manner 1: The control and management device configures the first traffic filtering information on the first communication device.
  • if the control and management device is a network management device, it can configure the first traffic filtering information on the first communication device through a command line or the Network Configuration Protocol (NETCONF).
  • the above process may also be referred to as static configuration.
  • the first communication device may acquire the first traffic filtering information based on the content configured by the network management device.
  • the control and management device may configure the first flow rule forwarding entry on the forwarding plane of the first communication device, so that the forwarding plane of the first communication device forwards traffic according to the first flow rule forwarding entry.
  • for the first flow rule forwarding entry, refer to the relevant introduction in FIG. 3; it is not repeated here.
  • Manner 2 The control and management device sends a first notification message including the first traffic filtering information to the first communication device.
  • the control management device may send the first traffic filtering information to the first communication apparatus through a first notification message.
  • the first notification message includes first traffic filtering information.
  • the first notification message may be generated by the control and management device. Alternatively, if there are multiple levels of controllers in the system, the first notification message may also be generated by the upper-level controller of the control and management device and sent to the control and management device. After receiving the first notification message sent by the superior controller, the control management device may forward the first notification message to the first communication device.
  • the first notification message may include one piece of traffic filtering information (that is, first traffic filtering information), or may include multiple pieces of traffic filtering information.
  • the first notification message may include first traffic filtering information and second traffic filtering information.
  • the first communication device may also obtain the first traffic filtering information through the first notification message.
  • the first notification message is a notification message sent by the controller to the first communication device.
  • S203 The first communication device forwards the traffic matching the first flow rule according to the first traffic filtering information.
  • if the first communication device receives multiple packets matching the first flow rule, it may be said that the first communication device has received traffic matching the first flow rule.
  • the first communication device adds a VPN label to the packet matching the first flow rule, and forwards the packet with the VPN label added to the first public network IP address of the second communication device.
  • the foregoing process may be referred to as the first communication device forwarding the traffic matching the first flow rule according to the first traffic filtering information.
  • the control management device sends the first traffic filtering information to the first communication device.
  • the first communication device forwards the packet matching the first flow rule to the designated public network IP address according to the indication of the first traffic filtering information. If a packet in the VPN flow matches the first flow rule, the first communication device may add the VPN label to the packet and forward it to the redirected first next hop. In this way, according to the first traffic filtering information, forwarding of VPN traffic is realized without using the VPN routing table: the lookup in the VPN routing table is avoided, and the forwarding performance of VPN traffic is improved.
  • the control and management device may also send the second traffic filtering information to the first communication device.
  • the second traffic filtering information includes a second flow rule, a second public network IP address of the second communication device serving as a redirected second next hop, and the VPN label.
  • the first communication device adds the VPN label to the packet matching the second flow rule, and sends it to the second public network IP address of the second communication device.
  • different traffic is forwarded to the second communication device through different transmission paths, thereby implementing differentiated transmission of traffic. It can better meet the requirements of traffic transmission and improve the flexible forwarding of VPN traffic.
  • the technical solution provided by the embodiment of the present application will be described in detail below by taking the first communication device determining the first traffic filtering information according to the first notification message sent by the controller (that is, the second method above) as an example.
  • this figure is a signaling interaction diagram of a message sending method 300 provided in an embodiment of the present application, specifically including the following S301-S303.
  • S301 The controller acquires a first notification message.
  • in order to notify the first communication device of the first traffic filtering information, the controller first obtains a first notification message, and the first notification message includes the first traffic filtering information.
  • the first notification message is generated by the controller, or sent to the controller by a superior controller of the controller.
  • the first notification message may also include multiple pieces of traffic filtering information, for example, the first notification message may include first traffic filtering information and second traffic filtering information.
  • the basic introduction of the first traffic filtering information can be referred to above, and will not be repeated here.
  • the controller sends a first notification message to the first communication device for notifying the Flowspec route, where the first notification message includes a VPN label, a first flow rule and a first flow filtering action.
  • the above-mentioned first flow rule may also be called a matching item (Match), and the above-mentioned VPN label and first traffic filtering action may be called an action item (Action).
  • the VPN label may be reported by the second communication device to the controller, or may be uniformly assigned by the controller.
  • the first notification message may further include tunnel type information and/or a first tunnel identifier of the first tunnel.
  • the first notification message may be a BGP message or a PCEP message.
  • the method for carrying the first traffic filtering information in the first notification message is introduced below.
  • the first notification message may be a BGP update (BGP Update) message.
  • the foregoing first flow rule may be carried in a Network Layer Reachability Information (Network Layer Reachability Information, NLRI) field of the first notification message.
  • the VPN label and the first traffic filtering action can be carried in a new BGP extended community attribute. Specifically, the VPN label and the first traffic filtering action may be carried in the same extended community attribute, or may be carried in different extended community attributes.
  • the first notification message may further include tunnel type information of the first tunnel.
  • the tunnel type information and the VPN label of the first tunnel may be carried in the same extended community attribute.
  • the extended community attribute carrying the tunnel type information and the VPN label of the first tunnel may be referred to as a first extended community attribute.
  • a specific format of the first extended community attribute may be as shown in FIG. 4 .
  • the value of the sub-type (Sub-Type) field of the first extended community attribute is used to identify that the first extended community attribute includes the VPN label and the tunnel type information of the first tunnel;
  • the tunnel type (Tunnel Type) field of the first extended community attribute is used to carry the tunnel type information of the first tunnel
  • the MPLS label (MPLS Label) field is used to carry the VPN label.
  • tunnel type information of the first tunnel may also be carried in an independent extended community attribute.
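  • The following is an added example (not code from the patent) of encoding and decoding the first extended community attribute of FIG. 4. The page only names the fields (Sub-Type, Tunnel Type, MPLS Label); the byte layout, the Type value 0x80, the Sub-Type value 0x0C and the tunnel type codes for LDP and TE are assumptions chosen for illustration. The decoder checks the attribute length, the label range and the tunnel type code, so that a malformed or unexpected community is rejected rather than installed.

```python
"""Encode/decode an assumed 8-byte BGP extended community carrying a VPN label
and a tunnel type (added example; layout and code points are assumptions)."""
import struct

EXT_COMM_TYPE = 0x80                 # assumed: transitive, experimental type
SUBTYPE_VPN_LABEL_TUNNEL = 0x0C      # assumed placeholder for "VPN label + tunnel type"

TUNNEL_TYPES = {"LDP": 1, "TE": 2}   # assumed tunnel type codes
TUNNEL_NAMES = {v: k for k, v in TUNNEL_TYPES.items()}

MAX_MPLS_LABEL = (1 << 20) - 1       # MPLS labels are 20 bits wide


def encode_label_tunnel_ext_comm(vpn_label: int, tunnel_type: str) -> bytes:
    """Type(1) | Sub-Type(1) | Tunnel Type(2) | MPLS Label(3, label << 4) | Reserved(1)."""
    if not 0 <= vpn_label <= MAX_MPLS_LABEL:
        raise ValueError(f"MPLS label {vpn_label} out of range")
    ttype = TUNNEL_TYPES[tunnel_type]
    # 20-bit label in the upper 20 bits of a 24-bit field (the labeled-NLRI convention)
    label_field = vpn_label << 4
    return (struct.pack("!BBH", EXT_COMM_TYPE, SUBTYPE_VPN_LABEL_TUNNEL, ttype)
            + label_field.to_bytes(3, "big") + b"\x00")


def decode_label_tunnel_ext_comm(raw: bytes) -> dict:
    """Return {'vpn_label', 'tunnel_type'} or raise ValueError on a bad community."""
    if len(raw) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    etype, subtype, ttype = struct.unpack("!BBH", raw[:4])
    if etype != EXT_COMM_TYPE or subtype != SUBTYPE_VPN_LABEL_TUNNEL:
        raise ValueError("not a VPN-label/tunnel-type extended community")
    if ttype not in TUNNEL_NAMES:
        raise ValueError(f"unknown tunnel type code {ttype}")
    label_field = int.from_bytes(raw[4:7], "big")
    return {"vpn_label": label_field >> 4, "tunnel_type": TUNNEL_NAMES[ttype]}


def decode_ext_comm_list(raw: bytes) -> list:
    """Walk the value of a BGP Extended Communities attribute (a concatenation of
    8-byte communities) and return only the decoded VPN-label/tunnel-type ones;
    communities of other types (e.g. a route target) are skipped untouched."""
    if len(raw) % 8:
        raise ValueError("attribute length is not a multiple of 8")
    found = []
    for off in range(0, len(raw), 8):
        chunk = raw[off:off + 8]
        if chunk[0] == EXT_COMM_TYPE and chunk[1] == SUBTYPE_VPN_LABEL_TUNNEL:
            found.append(decode_label_tunnel_ext_comm(chunk))
    return found
```

  • A receiver that installs whatever label and tunnel type the community says should at least apply these range and length checks before the values reach the forwarding plane; the same checks apply if the tunnel type is carried in an independent extended community attribute instead.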
  • a VPN Flowspec neighbor relationship may exist between the first communication device and the controller.
  • the first notification message also includes the first RT.
  • the first communication device may determine the VPN identifier corresponding to the first traffic filtering action according to the first RT.
  • the role of the first RT refer to the introduction of S303, and details will not be repeated here.
  • S302 The controller sends the first notification message to the first communication device.
  • after obtaining the first notification message, the controller sends the first notification message to the first communication device, so that the first communication device obtains the first traffic filtering information according to the first notification message.
  • the controller sending the first notification message to the first communication device may also be referred to as the controller sending the Flowspec route to the first communication device.
  • S303 The first communication device generates a first association relationship according to the first traffic filtering information.
  • after receiving the first notification message, the first communication device obtains the first traffic filtering information according to the first notification message, and generates a first association relationship based on the first traffic filtering information. Next, the first communication device saves the first association relationship in the forwarding plane, so as to add the VPN label to a packet matching the first flow rule according to the first association relationship and forward it to the first public network IP address of the second communication device.
  • the first association relationship includes an association relationship between the VPN label, the first flow rule, and the first next-hop IP address.
  • the first association relationship specifically includes but is not limited to the following three implementation manners.
  • Implementation method 1 the first association relationship includes the association relationship between the VPN label, the first flow rule and the next hop, indicating that the packet matching the first flow rule needs to be added with a VPN label and sent to the first public network IP address of the second communication device.
  • Implementation mode 2 the first association relationship includes the association relationship between the VPN label, the first flow rule, the first tunnel identifier, and the next hop, indicating that the packet matching the first flow rule needs to be added with a VPN label, and sent to the first public network IP address of the second communication device via the first tunnel.
  • Implementation mode 3 the first association relationship includes the association relationship between the VPN label, the first flow rule, the first tunnel identifier, the tunnel type information of the first tunnel, and the next hop.
  • the first association relationship includes the first tunnel identifier.
  • the first tunnel identifier may be carried in the first notification message, or may be determined by the first communication device according to the notification message. Specifically, if the first notification message does not include the first tunnel identifier, the first communication device determines the first tunnel identifier according to the notification message. Specifically, determining the first tunnel identifier by the first communication device specifically includes but is not limited to the following two implementation manners.
  • Implementation manner 1 The first communication device iterates the first tunnel according to the first public network IP address to obtain the first tunnel identifier.
  • the first communication device may search for a public network tunnel reaching the first public network IP address of the second communication device from the multiple tunnels corresponding to the first communication device according to the first public network IP address, and determine the public network tunnel as the first tunnel to obtain the first tunnel identifier.
  • Implementation manner 2 The first communication device determines the first tunnel according to the first public network IP address and the tunnel type information of the first tunnel, and obtains the first tunnel identifier.
  • the first communication device first determines one or more public network tunnels between the first communication device and the first public network IP address according to the first public network IP address, and then selects a public network tunnel whose tunnel type is consistent with that of the first tunnel from the one or more public network tunnels as the first tunnel, and obtains the first tunnel identifier.
  • Implementation manner 2 is described with reference to FIG. 1-B. If the first notification message sent by the control and management device to PE1 includes the tunnel type information of the first tunnel, and the tunnel type information indicates that the first tunnel is an LDP-type public network tunnel, then PE1 may determine public network tunnel 1 as the first tunnel. If the tunnel type information indicates that the first tunnel is a TE-type public network tunnel, PE1 may determine public network tunnel 2 as the first tunnel.
  • the foregoing first association relationship may be stored in the forwarding plane of the first communication device in the form of a first flow rule forwarding entry.
  • the forwarding plane of the first communication device forwards the VPN traffic based on the first flow rule forwarding entry.
  • the first communication device generating the first association relationship according to the first traffic filtering information includes: the control plane of the first communication device generating a first flow rule forwarding entry according to the first traffic filtering information. After the first flow rule forwarding entry is generated, the control plane of the first communication device delivers the first flow rule forwarding entry to the forwarding plane of the first communication device.
  • the first flow rule forwarding entry includes the VPN label, the first index and the first public network IP address.
  • the first flow rule forwarding entry includes the VPN label, the first index, the first tunnel identifier and the first public network IP address.
  • the first flow rule forwarding entry includes the VPN label, the first index, the first tunnel identifier, the tunnel type information of the first tunnel, and the first public network IP address.
  • the first index is used to index the first flow rule, for example, may be used to identify a storage location of the first flow rule.
  • when the forwarding plane of the first communication device uses the first flow rule forwarding entry, it can look up the first flow rule according to the first index, so as to determine whether the packet matches the first flow rule.
  • the first flow rule forwarding entry may also include the first flow rule itself.
  • the first flow rule forwarding entry further includes the identifier of the VPN instance, and the VPN instance identifier is used to identify the VPN instance corresponding to the first flow rule, for example, it may be the VRF ID corresponding to the first flow rule.
  • when the first communication device receives traffic through the ingress interface corresponding to the VRF ID, it can determine according to the VRF ID that the traffic is to be forwarded based on the first flow rule forwarding entry.
  • the method for the first communication device to obtain the VPN identifier is introduced below.
  • Obtaining the VRF ID by the first communication device specifically includes but is not limited to the following two implementations.
  • Implementation mode 1 the first communication device obtains the VRF ID based on the neighbor relationship with the controller.
  • the first communication device may determine the VRF ID based on the interface receiving the first notification message after receiving the first notification message sent by the control management device.
  • Implementation manner 2 the first communication device obtains the VRF ID based on the first RT.
  • the first notification message sent by the controller also includes the first RT. Then, after receiving the first notification message, the first communication device may match the first RT against the import RTs of its VPN instances (RT-based route import, also called route cross-matching), so as to determine the VRF ID according to the first RT.
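  • The following added example (not the patent's code) walks the control-plane side of S303: it takes the traffic filtering information of one notification message, derives the VRF ID from the first RT (implementation manner 2 above), iterates the first tunnel from the redirected public network IP address with or without tunnel type information (implementation manners 1 and 2 of tunnel determination), and produces the flow rule forwarding entry that is delivered to the forwarding plane. The message layout, the VPN instance table, the tunnel table (modelled on FIG. 1-B, with two tunnels of different types reaching the same public IP) and the tie-break rule are assumptions. If no tunnel of the requested type reaches the next hop, or the RT maps to no (or more than one) local VPN instance, the entry is refused instead of being installed with a guessed value.

```python
"""Control plane of S303 (added example): notification message -> flow rule
forwarding entry. Tables, message keys and tie-break rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Tunnel:
    tunnel_id: int
    tunnel_type: str   # "LDP" or "TE"
    endpoint: str      # public network IP address the tunnel reaches


@dataclass
class FlowRuleForwardingEntry:
    vrf_id: int
    flow_index: int    # first index: where the flow rule is stored
    flow_rule: dict
    next_hop: str      # redirected first next hop (public IP of the second device)
    tunnel_id: int
    tunnel_type: str
    vpn_label: int


MAX_MPLS_LABEL = (1 << 20) - 1

# Constructed VPN instances on PE1: VRF ID -> import RTs (assumption)
VPN_INSTANCES: Dict[int, Set[str]] = {1: {"100:1"}, 2: {"100:2"}}

# Constructed public network tunnels on PE1 (assumption, modelled on FIG. 1-B)
PUBLIC_TUNNELS: List[Tunnel] = [
    Tunnel(1, "LDP", "2.2.2.2"),
    Tunnel(2, "TE", "2.2.2.2"),
    Tunnel(3, "TE", "22.22.22.22"),
]


def vrf_from_rt(rt: str, instances: Dict[int, Set[str]] = VPN_INSTANCES) -> int:
    """Implementation manner 2 of VRF ID acquisition: RT-based import matching."""
    hits = [vrf for vrf, rts in instances.items() if rt in rts]
    if len(hits) != 1:
        raise LookupError(f"RT {rt} matches {len(hits)} VPN instances, expected exactly one")
    return hits[0]


def iterate_tunnel(next_hop: str, tunnels: Iterable[Tunnel],
                   tunnel_type: Optional[str] = None,
                   tunnel_id: Optional[int] = None) -> Tunnel:
    """Iterate the first tunnel: by public IP only (manner 1), by public IP and
    tunnel type (manner 2); a tunnel identifier carried in the message must match too."""
    cands = [t for t in tunnels if t.endpoint == next_hop]
    if tunnel_id is not None:
        cands = [t for t in cands if t.tunnel_id == tunnel_id]
    if tunnel_type is not None:
        cands = [t for t in cands if t.tunnel_type == tunnel_type]
    if not cands:
        raise LookupError(f"no public network tunnel to {next_hop} "
                          f"(type={tunnel_type}, id={tunnel_id})")
    return min(cands, key=lambda t: t.tunnel_id)   # assumption: lowest ID wins a tie


def build_flow_rule_entry(msg: dict, flow_index: int,
                          tunnels: Iterable[Tunnel] = PUBLIC_TUNNELS) -> FlowRuleForwardingEntry:
    """Generate the flow rule forwarding entry the control plane hands to the forwarding plane."""
    label = msg["vpn_label"]
    if not 0 <= label <= MAX_MPLS_LABEL:
        raise ValueError(f"VPN label {label} out of range")
    vrf_id = vrf_from_rt(msg["rt"])
    tunnel = iterate_tunnel(msg["redirect_next_hop"], tunnels,
                            msg.get("tunnel_type"), msg.get("tunnel_id"))
    return FlowRuleForwardingEntry(vrf_id, flow_index, dict(msg["flow_rule"]),
                                   msg["redirect_next_hop"], tunnel.tunnel_id,
                                   tunnel.tunnel_type, label)


# Constructed notification message (assumption): match device 1 -> device 2 traffic,
# push VPN label 100, redirect to PE2's public IP 2.2.2.2 over an LDP tunnel
MSG_M1 = {
    "rt": "100:1",
    "vpn_label": 100,
    "flow_rule": {"src": "100.1.1.1/32", "dst": "200.2.2.2/32"},
    "redirect_next_hop": "2.2.2.2",
    "tunnel_type": "LDP",
}
```

  • With the tunnel table above, the same message with `tunnel_type` set to `TE` resolves to tunnel 2, and with no tunnel type information manner 1 falls back to the lowest-numbered tunnel reaching 2.2.2.2; a request for an LDP tunnel to 22.22.22.22 is refused because only a TE tunnel reaches that address.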
  • the above describes the method for the first communication device to obtain the first traffic filtering information according to the first notification message sent by the controller.
  • the process of forwarding traffic by the first communication device will be introduced below with reference to FIG. 5 . It can be understood that, the method shown in FIG. 5 is executed by the forwarding plane of the first communication device.
  • the first flow rule forwarding entry may be generated by the first communication device according to the first notification message, or may be configured by the network management device on the first communication device.
  • this figure is a signaling interaction diagram of a message sending method 500 provided in an embodiment of the present application, specifically including the following S501-S504.
  • S501 The first communication device receives a first message.
  • the source device and the destination device of the first message are devices in the VPN, and the first communication device receives the first message through an inbound interface bound to the VPN.
  • the first message can be a message sent from device 1 to device 2 in Figure 1-A, then the destination address of the first message is the private network IP address 200.2.2.2 of device 2, and the source address of the first message is the private network IP address 100.1.1.1 of device 1.
  • PE1 receives the first packet through the inbound interface A1 bound to VPN1.
  • S502 The first communication device determines that the first packet matches the first flow rule.
  • after receiving the first message, the first communication device determines the VRF ID corresponding to the first message according to the incoming interface on which it was received, and then determines, according to the VRF ID, that the first message is to be forwarded based on the first traffic filtering information. Next, the first communication device determines whether the first packet matches the first flow rule.
  • the first communication device stores the first association relationship in the form of the first flow rule forwarding entry.
  • the first communication device may determine the first flow rule forwarding entry according to the VRF ID corresponding to the first message, and then determine the first flow rule according to the first index in the first flow rule forwarding entry, and then determine whether the first packet matches the first flow rule.
  • if the first packet matches the first flow rule, the first communication device forwards the first packet according to the first traffic filtering action, and performs S503 and S504. If the first packet does not match the first flow rule, and the first packet does not match any other flow rule corresponding to the VRF ID, the first communication device may look up the VPN routing table and forward the first packet according to the VPN routing table.
  • S503 The first communication device adds a VPN label to the first packet.
  • S504 The first communication device sends the first packet to which the VPN label is added to the first next hop.
  • after determining that the first packet matches the first flow rule, the first communication device forwards the first packet according to the first traffic filtering action. Specifically, the first communication device adds the VPN label to the first message, and sends the first message with the VPN label added to the first public network IP address of the second communication device.
  • the first flow rule forwarding entry may include the first tunnel identifier.
  • the first communication device may determine the first tunnel according to the first tunnel identifier, and send the first packet with the VPN label added through the first tunnel.
  • the controller can configure the first association relationship on the first communication device.
  • the first communication device may determine whether the VPN traffic matches the first flow rule. If the VPN flow matches the first flow rule, the first communication device determines the VPN label and the first next hop corresponding to the first flow rule according to the first association relationship, so as to add the VPN label to the packets in the VPN flow and forward them to the first next hop.
  • the first communication device may forward VPN traffic according to the first traffic filtering information. In this way, searching the VPN routing table is avoided, and the forwarding delay of traffic forwarded by the first communication device is reduced.
  • the first traffic filtering information is configured by the network management device on the first communication device, or the first traffic filtering information is obtained by the first communication device according to the first notification message sent by the controller. If the first association relationship needs to be adjusted, the first traffic filtering information can be reconfigured or a new first advertisement message can be sent, without re-advertising the route and adjusting the VPN routing table. In this way, the forwarding path of traffic can be flexibly adjusted.
  • the methods of FIGS. 3 and 5 are described below in combination with the application scenario shown in FIG. 1-A, taking the control and management device as a controller as an example.
  • to forward the VPN traffic of VPN1, the controller generates a notification message M1 and sends it to PE1.
  • the notification message M1 includes the first RT, the VPN label 100 of VPN1, flow rule 1, and the first public network IP address 1.1.1.1 of PE2 as the redirected first next hop.
  • flow rule 1 is used to match traffic sent from device 1 to device 2.
  • Flow rule forwarding entry 1 includes VRF ID1, flow rule index 1 corresponding to flow rule 1, public network IP address 1.1.1.1 of PE2, tunnel type information LDP of public network tunnel 1, tunnel ID 1 of public network tunnel 1, and VPN label 100.
  • PE1 can receive packet N1 forwarded by CE1 through ingress interface A1. According to the inbound interface A1 that receives packet N1, PE1 determines that packet N1 corresponds to VRF ID1, and judges whether packet N1 matches flow rule 1 according to flow rule forwarding entry 1. After confirming that packet N1 matches flow rule 1, PE1 adds VPN1's VPN label 100 to packet N1, and sends packet N1 with VPN label 100 added to PE2 through public network tunnel 1 to implement VPN traffic forwarding. The transmission process of the packet N1 may be shown in FIG. 1-C.
  • PE1 can generate flow rule forwarding entry 1 according to the notification message sent by the controller.
  • Flow rule forwarding entry 1 instructs PE1 to forward packets matching the first flow rule to the first public IP address of PE2.
  • PE1 can determine whether the packet matches flow rule 1, and if so, PE1 determines VPN label 100 and public network tunnel 1 for forwarding the packet according to flow rule forwarding entry 1.
  • PE1 does not need to forward the traffic of VPN1 according to the VPN routing table of VPN1.
  • searching the VPN routing table is avoided, thereby reducing the time for PE1 to forward packets and improving the forwarding performance of VPN1 traffic.
  • multiple forwarding paths exist between the first communication device and the second communication device.
  • a traffic filtering action can be used to control specific traffic to be transmitted through a specific forwarding path.
  • the first communication device may acquire second traffic filtering information, where the second traffic filtering information includes a VPN label, a second traffic rule, and a second traffic filtering action.
  • the second traffic filtering action includes a redirected second next hop, where the redirected second next hop is the second public network IP address of the second communication device.
  • the first communication device forwards the traffic matching the second flow rule according to the second traffic filtering information. That is to say, for a message matching the second flow rule, the first communication device adds a VPN label to the message, and sends the message to the second public network IP address of the second communication device.
  • traffic matching the first flow rule in the VPN is sent to the first public network IP address of the second communication device, and traffic matching the second flow rule is sent to the second public network IP address of the second communication device.
  • the second traffic filtering information may be configured by the network management device on the first communication device, or may be acquired by the first communication device according to a notification message sent by the controller. If the first communication device obtains the second traffic filtering information according to the notification message sent by the controller, the second traffic filtering information and the first traffic filtering information may be carried in the same notification message or in different notification messages. If the second traffic filtering information is carried in an independent notification message, in order to distinguish the first notification message carrying the first traffic filtering information, the notification message carrying the second traffic filtering information is called a second notification message.
  • this figure is another signaling interaction diagram of the traffic forwarding method 600 provided in the embodiment of the present application, which specifically includes the following steps S601-S607. It can be understood that the solution shown in FIG. 6 may be implemented on the basis of any corresponding implementation manner in FIG. 2 , FIG. 3 and FIG. 5 .
  • S601 The controller acquires a second notification message.
  • the controller obtains a second notification message and sends it to the first communication device. Similar to the first notification message, the second notification message may be generated by the controller, or sent to the controller by a superior controller of the controller.
  • the second notification message is used to announce the second traffic filtering information, and the second traffic filtering information includes the VPN label, the second flow rule and the second traffic filtering action.
  • the VPN label in the second traffic filtering information and the VPN label in the first traffic filtering information are the same VPN label.
  • the second traffic filtering action includes a redirected second next hop.
  • the second next hop is the second public network IP address of the second communication device. That is to say, the second flow filtering information is used to instruct the device to add a VPN label to the packet matching the second flow rule, and send the packet to the second public network IP address of the second communication device.
  • the first public network IP address of the second communication device may be the public network IP address of an interface on the second communication device
  • the second public network IP address of the second communication device may be the public network IP address of another interface on the second communication device.
  • the first public IP address of the second communication device may be the public IP address 2.2.2.2 of the interface B1 on PE2
  • the second public IP address of the second communication device may be the public IP address 22.22.22.22 of the interface B2 on PE2.
  • the second notification message may include the second tunnel identifier and/or tunnel type information of the second tunnel.
  • the second tunnel identifier is used to identify the second tunnel
  • the second tunnel is a public network tunnel between the first communication device and the second public network IP address of the second communication device.
  • taking FIG. 1-B as an example: if the first public network IP address of the second communication device is the public network IP address 2.2.2.2 of interface B1, and the second public network IP address of the second communication device is the public network IP address 22.22.22.22 of interface B2, then the first tunnel is public network tunnel 1 in FIG. 1-B, and the second tunnel is public network tunnel 2 in FIG. 1-B.
  • S602 The controller sends a second notification message to the first communication device.
  • the controller may send the first notification message and the second notification message together, or may send the first notification message and the second notification message separately.
  • in some implementations, the first traffic filtering information and the second traffic filtering information are sent through two different notification messages (ie, a first notification message and a second notification message). In some other implementations, the first traffic filtering information and the second traffic filtering information are sent through the same notification message.
  • S603 The first communication device generates a second association relationship according to the second notification message.
  • after receiving the second notification message, the first communication device generates a second association relationship according to the second notification message.
  • the second association relationship indicates that packets matching the second flow rule need to be encapsulated with a VPN label and sent to the second public network IP address of the second communication device.
  • the second association relationship is the association relationship between the VPN label, the second flow rule, and the second public network IP address
  • the second association relationship is the association relationship between the VPN label, the second flow rule, the second tunnel identifier, and the second public network IP address
  • the second association relationship is the association relationship between the VPN label, the second flow rule, the second tunnel identifier, the tunnel type information of the second tunnel, and the second public network IP address
  • the second association relationship may be stored in the forwarding plane of the first communication device in the form of a second flow rule forwarding entry.
  • the second flow rule forwarding entry includes a VPN label, a second index, and a second public network IP address.
  • the second flow rule forwarding entry includes a VPN label, a second index, a second tunnel identifier, and a second public network IP address.
  • the second association relationship includes an association relationship among the VPN label, the second index, the second tunnel identifier, and the second public network IP address.
  • the second index is used to index the second flow rule, for example, may be used to identify the storage location of the second flow rule.
  • the second flow rule forwarding entry may also include the second flow rule.
  • the second association relationship is obtained by the first communication device according to the second notification message sent by the controller.
  • the second association relationship may also be configured on the first communication device by the network management device.
  • S604 The first communication device receives the second message.
  • the source device and the destination device of the second message are devices in the VPN, and the destination device of the second message and the source device of the second message are connected through a public network, and the first communication device receives the second message through an inbound interface bound to the VPN.
  • the destination device of the second packet is different from the destination device of the first packet. Taking FIG. 1-B as an example, if the first message is a message sent from device 1 to device 2, the second message may be a message sent from device 1 to device 3.
  • S605 The first communication device determines whether the second packet matches the first flow rule or the second flow rule.
  • After receiving the second message, the first communication device determines the VPN identifier corresponding to the second message according to the inbound interface on which the second message was received, and determines, according to the VPN identifier, whether the second message matches the first flow rule in the first association relationship or the second flow rule in the second association relationship. If the second packet matches the first flow rule in the first association relationship, the first communication device forwards the second packet according to the methods shown in S503 and S504. If the second packet matches the second flow rule in the second association relationship, the first communication device forwards the second packet according to the methods shown in S606 and S607. If the second packet matches neither the first flow rule nor the second flow rule, and also matches no other flow rule corresponding to the VPN identifier, the first communication device forwards the second packet according to the VPN routing table.
  • S606 The first communication device adds a VPN label to the second packet.
  • S607 The first communication device sends the second packet to which the VPN label is added to the first next hop.
  • After determining that the second packet matches the second flow rule, the first communication device adds a VPN label to the second packet, and sends the second packet with the VPN label added to the second public network IP address of the second communication device.
  • the first communication device sends the second packet to which the VPN label is added to the second communication device through the second tunnel.
  • the first communication device may transmit different traffic to the second communication device through different transmission paths.
  • different traffic is transmitted to the same device through different transmission paths, realizing differentiated transmission of traffic, which better meets the requirements of traffic transmission.
  • the first service flow and the second service flow have different requirements on network performance indicators. Then the first service flow and the second service flow can be distinguished by the first flow rule and the second flow rule, and the first service flow is forwarded through the first tunnel meeting the requirements of the first service flow, and the second service flow is forwarded through the second tunnel meeting the requirements of the second service flow.
  • the VPN traffic can be distinguished by the first flow rule and the second flow rule, so as to forward the VPN traffic through two forwarding paths, realize load sharing, and reduce the pressure on the forwarding path.
  • the first flow rule forwarding entry and the second flow rule forwarding entry are generated by the first communication device according to the notification messages sent by the controller. If the forwarding path corresponding to the first flow rule and/or the second flow rule needs to be adjusted, a new notification message may be issued, so that the first communication device generates a new flow rule forwarding entry. In this way, there is no need to re-advertise VPN routes, which improves the flexibility of VPN traffic forwarding.
  • To forward the traffic of VPN1, the controller generates a notification message M1 and a notification message M2, and sends the notification message M1 and the notification message M2 to PE1.
  • the notification message M2 includes the first RT, the VPN label 100 of VPN1, the flow rule 2, and the second public IP address 22.22.22.22 of PE2 as the redirected second next hop.
  • Flow rule 2 is used to match traffic sent from device 1 to device 3
  • After receiving the notification message M2, PE1 performs route crossover according to the first RT to obtain the VRF ID1 of VPN1, and generates flow rule forwarding entry 2.
  • Flow rule forwarding entry 2 includes VRF ID1, flow rule index 2 corresponding to flow rule 2, the second public IP address 22.22.22.22 of PE2, tunnel type information TE of public network tunnel 2, tunnel identifier 2 of public network tunnel 2, and VPN label 100.
  • PE1 can receive packet N1 through ingress interface A1, and forward packet N1 through public network tunnel 1.
  • For the specific forwarding process, please refer to the above.
  • PE1 can receive packet N2 through ingress interface A1. According to the inbound interface A1 on which packet N2 is received, PE1 determines that packet N2 corresponds to VRF ID1, and judges whether packet N2 matches flow rule 1 or flow rule 2 according to flow rule forwarding entry 1 and flow rule forwarding entry 2. After confirming that packet N2 matches flow rule 2, PE1 adds VPN label 100 of VPN1 to packet N2, and sends packet N2 with VPN label 100 added to PE2 through public network tunnel 2, thereby implementing VPN traffic forwarding.
  • the transmission process of message N2 may be shown in Figure 1-D.
  • PE1 obtains flow rule forwarding entry 1 and flow rule forwarding entry 2 corresponding to VPN1.
  • Flow rule forwarding entry 1 instructs PE1 to forward packets matching flow rule 1 to the first public IP address of PE2, and flow rule forwarding entry 2 instructs PE1 to forward packets matching flow rule 2 to the second public IP address of PE2.
  • PE1 can determine whether the traffic matches flow rule 1 or flow rule 2. If the traffic matches flow rule 1, PE1 forwards the traffic to the first public IP address of PE2 according to the indication of flow rule forwarding entry 1; if the traffic matches flow rule 2, PE1 forwards the traffic to the second public IP address of PE2 according to the indication of flow rule forwarding entry 2. In this way, flow rules 1 and 2 are used to distinguish the traffic passing through PE2, realizing flexible forwarding of traffic.
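The forwarding-plane behaviour described in S605 to S607 and in the PE1 example above (route crossover of a notification message into a VRF, per-VRF flow rule forwarding entries, label push, tunnel selection, and fallback to the VPN routing table when no rule matches) can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the patent or from any vendor implementation. It assumes a simplified flow rule that matches on source and destination prefixes only, and it constructs its own sample values: the private addresses of devices 1 to 3, PE2's first public IP address (192.0.2.1) and the type of public network tunnel 1 ("SR") are assumptions; VPN label 100, VRF ID1, PE2's second public IP address 22.22.22.22 and tunnel type TE for tunnel 2 are taken from the text.

```python
"""Constructed model of the flow-rule forwarding plane described for PE1.

Added example for this page, not the patent's own code. It shows how a PE
turns controller notification messages into per-VRF flow rule forwarding
entries (accepting them only after route-target crossover), then forwards
packets by flow rule match and falls back to the VPN routing table.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    """Simplified flow rule: match on source and destination prefixes."""
    index: int
    src: str
    dst: str

    def matches(self, pkt: "Packet") -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str            # inbound interface bound to a VPN, e.g. "A1"
    labels: tuple = ()      # label stack; empty before the PE processes it


@dataclass(frozen=True)
class Notification:
    """Controller notification message (M1 / M2 in the description)."""
    route_target: str
    vpn_label: int
    rule: FlowRule
    next_hop: str           # redirected next hop = a public IP of PE2
    tunnel_type: str
    tunnel_id: int


@dataclass
class ForwardingEntry:
    """Flow rule forwarding entry stored in the forwarding plane."""
    vrf_id: int
    rule_index: int
    rule: FlowRule
    next_hop: str
    tunnel_type: str
    tunnel_id: int
    vpn_label: int


def lookup_vpn_route(table: dict, dst: str) -> Optional[str]:
    """Longest-prefix match in the VPN routing table (the fallback path)."""
    best = None
    for prefix, nh in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


@dataclass
class PE:
    rt_to_vrf: dict                               # route target -> VRF ID
    iface_to_vrf: dict                            # inbound interface -> VRF ID
    vpn_routes: dict                              # VRF ID -> {prefix: next hop}
    entries: dict = field(default_factory=dict)   # VRF ID -> [ForwardingEntry]

    def install(self, n: Notification) -> Optional[ForwardingEntry]:
        """Route crossover: the rule is installed only into a VRF importing its RT."""
        vrf = self.rt_to_vrf.get(n.route_target)
        if vrf is None:
            return None   # RT matches no local VPN: no entry is created
        e = ForwardingEntry(vrf, n.rule.index, n.rule, n.next_hop,
                            n.tunnel_type, n.tunnel_id, n.vpn_label)
        self.entries.setdefault(vrf, []).append(e)
        return e

    def forward(self, pkt: Packet):
        """Return (packet as sent, tunnel or None, decision) for one packet."""
        vrf = self.iface_to_vrf[pkt.ingress]          # VPN identifier from ingress
        for e in self.entries.get(vrf, []):           # S605: try the flow rules
            if e.rule.matches(pkt):
                out = Packet(pkt.src, pkt.dst, pkt.ingress,
                             (e.vpn_label,) + pkt.labels)   # S606: push VPN label
                return out, (e.tunnel_type, e.tunnel_id, e.next_hop), f"rule{e.rule_index}"
        nh = lookup_vpn_route(self.vpn_routes[vrf], pkt.dst)  # no rule: VPN routing table
        return pkt, None, f"vpn-routing-table:{nh}"


# Constructed sample values (private addresses, PE2's first public IP and the
# type of tunnel 1 are assumptions; label 100, VRF ID1, 22.22.22.22 and TE are from the text).
DEV1, DEV2, DEV3 = "10.1.0.1", "10.2.0.1", "10.3.0.1"
PE2_IP1, PE2_IP2 = "192.0.2.1", "22.22.22.22"
M1 = Notification("RT1", 100, FlowRule(1, "10.1.0.0/24", "10.2.0.0/24"), PE2_IP1, "SR", 1)
M2 = Notification("RT1", 100, FlowRule(2, "10.1.0.0/24", "10.3.0.0/24"), PE2_IP2, "TE", 2)


def build_pe1() -> PE:
    """PE1 with VRF ID1 bound to interface A1 and both entries installed."""
    pe1 = PE(rt_to_vrf={"RT1": 1}, iface_to_vrf={"A1": 1},
             vpn_routes={1: {"10.0.0.0/8": PE2_IP1}})
    for n in (M1, M2):
        pe1.install(n)
    return pe1


if __name__ == "__main__":
    pe1 = build_pe1()
    for dst in (DEV2, DEV3, "10.9.0.1"):
        print(pe1.forward(Packet(DEV1, dst, "A1")))
```

Packet N1 (device 1 to device 2) hits flow rule 1 and leaves with label 100 towards PE2's first public IP through tunnel 1; packet N2 (device 1 to device 3) hits flow rule 2 and leaves through tunnel 2 towards 22.22.22.22; a destination that matches neither rule is resolved by the VPN routing table and is not labelled by this stage. The `install` check also shows the point of the route crossover step: a notification whose route target matches no local VRF must not produce a forwarding entry, otherwise a controller message could redirect traffic of a VPN it was never meant to affect.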
  • the embodiment of the present application also provides a device 700, which can implement the function of the first communication device in the method 200 corresponding to the embodiment shown in FIG. 2, the method 300 corresponding to the embodiment shown in FIG. 3, the method 500 corresponding to the embodiment shown in FIG. 5, and the method 600 corresponding to the embodiment shown in FIG. 6.
  • the device 700 can also implement the method 200 corresponding to the embodiment shown in FIG. 2, the method 300 corresponding to the embodiment shown in FIG. 3, the method 500 corresponding to the embodiment shown in FIG. 5, and the method 600 corresponding to the embodiment shown in FIG. 6.
  • the device 700 includes a transceiver module 710 and a processing module 720, wherein the transceiver module 710 is configured to perform the receiving and/or sending operations performed by the first communication device in the methods corresponding to the above embodiments, and the processing module 720 is configured to perform the operations other than the receiving and/or sending operations performed by the first communication device in the methods corresponding to the above embodiments.
  • the transceiving module 710 is configured to perform receiving and/or sending operations performed by the control management device in the methods corresponding to the above embodiments
  • the processing module 720 is configured to perform operations other than the receiving and/or sending operations performed by the control management device in the methods corresponding to the above embodiments
  • the processing module 720 is configured to acquire first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop;
  • the processing module 720 is further configured to forward traffic matching the first flow rule according to the first traffic filtering information.
  • the transceiver module 710 is configured to receive a first notification message sent by the controller, where the first notification message includes first traffic filtering information, and the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action.
  • the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop.
  • the processing module 720 is configured to generate a first association relationship according to the first traffic filtering information.
  • the transceiving module 710 is configured to receive a first message and send a first message with a VPN label added
  • the processing module 720 is configured to determine whether the first message matches a first flow rule, and to determine a VPN label and a first traffic filtering action according to a first association relationship, where the first association relationship includes an association relationship among the first flow rule, the VPN label, and the first traffic filtering action, the first traffic filtering action includes a redirected first next hop, and the redirected first next hop is the first public network IP address of the second communication device; and to add the VPN label to the first message.
  • the transceiver module 710 is configured to receive the second notification message, receive the second message, and send the second message with the VPN tag added to the second communication device.
  • the second notification message includes second traffic filtering information
  • the second traffic filtering information includes the VPN label, the second flow rule and the second traffic filtering action
  • the second traffic filtering action carries a redirected second next hop
  • the redirected second next hop is the second public network IP address of the second communication device.
  • the processing module 720 is configured to generate a second association relationship according to the second notification message, and add a VPN label to the second packet in response to the second packet matching the second flow rule.
  • the processing module 720 is configured to obtain first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop.
  • the transceiving module 710 is configured to send the first traffic filtering information to the first communication device.
  • the processing module 720 is configured to obtain the first notification message.
  • the first notification message includes the first traffic filtering information, and the first traffic filtering information includes the VPN label, the first flow rule, and the first traffic filtering action.
  • the redirected first next hop is the first public network IP address of the second communication device.
  • the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop.
  • the transceiving module 710 is configured to send the first notification message to the first communication device.
  • the processing module 720 is configured to acquire a second notification message, the second notification message includes second traffic filtering information, and the second traffic filtering information includes a VPN label, a second flow rule, and a second traffic filtering action, wherein the second traffic filtering action includes a redirected second next hop, the redirected second next hop is a second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop.
  • the transceiving module 710 is configured to send the second notification message to the first communication device.
  • each functional module in the embodiment of the present application may be integrated into one processing module, or each module may exist separately physically, or two or more modules may be integrated into one unit.
  • the acquisition unit and the processing unit may be the same module or different modules.
  • the above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules.
  • the embodiment of the present application also provides a network system, which is used to implement the traffic forwarding method, the packet sending method, and the message sending method in the foregoing method embodiments.
  • the network system includes network equipment and control management equipment.
  • the network device may realize the function of the first communication device in the above method embodiment, and the control and management device may realize the function of the control and management device in the above method embodiment.
  • for the specific execution process, please refer to the detailed description of the corresponding steps in the above method embodiments; details are not repeated here.
  • FIG. 8 is a schematic structural diagram of a device 800 provided in an embodiment of the present application.
  • the above device 700 may be implemented by the device shown in FIG. 8.
  • the device 800 includes at least one processor 801, a communication bus 802, a memory 803 and at least one network interface 804.
  • the processor 801 may be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
  • the processor can also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • Processor 801 may refer to one processor, or may include multiple processors, for example, processor 801 and processor 805 shown in FIG. 8.
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions). Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • the processor may be configured to obtain first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop; forward traffic matching the first flow rule according to the first traffic filtering information.
  • Communication bus 802 is used to transfer information between processor 801, network interface 804 and memory 803.
  • the memory 803 can be a read-only memory (ROM) or another type of static storage device that can store static information and instructions.
  • the memory 803 can also be a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or optical disc storage (such as a digital versatile disc, a Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • the memory 803 may exist independently, and is connected to the processor 801 through the communication bus 802.
  • the memory 803 can also be integrated with the processor 801.
  • the memory 803 may refer to one memory, or may include multiple memories.
  • computer-readable instructions are stored in the memory 803, and the computer-readable instructions include a plurality of software modules, such as a transceiver module and a processing module. After executing each software module, the processor 801 may perform the corresponding operations according to the instructions of that software module. In this embodiment of the present application, an operation performed by a software module actually refers to an operation performed by a processor according to the instructions of the software module.
  • the processor 801 may also store program codes or instructions for executing the technical solutions provided by the embodiments of the present application. In this case, the processor 801 does not need to read the program codes or instructions from the memory 803.
  • the network interface 804 can be a device such as a transceiver for communicating with other devices or a communication network, and the communication network can be Ethernet, a radio access network (RAN) or a wireless local area network (WLAN).
  • the network interface 804 may be used to receive messages sent by other nodes in the segment routing network, and may also send messages to other nodes in the segment routing network.
  • the network interface 804 may be an Ethernet interface (Ethernet), a Fast Ethernet (Fast Ethernet, FE) interface or a Gigabit Ethernet (Gigabit Ethernet, GE) interface, etc.
  • FIG. 9 is a schematic structural diagram of a device 900 provided by an embodiment of the present application. Each device in FIG. 1-A and FIG. 1-B can be realized by the device shown in FIG. 9 .
  • the device 900 may be specifically configured to implement any one or more operations in the methods corresponding to the foregoing method embodiments.
  • the device 900 includes a main control board and one or more interface boards.
  • the main control board is communicatively connected with the interface board.
  • the main control board is also called a main processing unit (Main Processing Unit, MPU) or a route processing card (Route Processor Card).
  • the main control board includes a CPU and a memory.
  • the main control board is responsible for the control and management of each component in the device 900, including routing calculation, device management and maintenance functions.
  • the interface board is also called a line processing unit (Line Processing Unit, LPU) or a line card (Line Card), which is used to receive and send packets.
  • the communication between the main control board and the interface board or between the interface board and the interface board is through a bus.
  • the interface boards communicate through the SFU.
  • the device 900 also includes the SFU.
  • the SFU communicates with the main control board and the interface board.
  • the SFU is used to forward data between the interface boards.
  • the SFU, that is, the switch fabric unit (Switch Fabric Unit, SFU), may also be called a switch fabric board.
  • the interface board includes a CPU, a memory, a forwarding engine, and an interface card (Interface Card, IC), where the interface card may include one or more network interfaces.
  • the network interface may be an Ethernet interface, an FE interface, or a GE interface.
  • the CPU communicates with the memory, the forwarding engine and the interface card respectively.
  • the memory is used to store the forwarding table.
  • the forwarding engine is used to forward the received message based on the forwarding table stored in the memory. If the destination address of the received message is the IP address of the device 900, the message is sent to the CPU of the main control board or the interface board for processing; if the destination address of the received message is not the IP address of the device 900, the forwarding table is looked up according to the destination address.
  • the forwarding engine may be a network processor (Network Processor, NP).
  • the interface card, also called a daughter card, can be installed on the interface board. It is responsible for converting optical or electrical signals into data frames, and for checking the validity of a data frame before forwarding it to the forwarding engine for processing or to the CPU of the interface board.
  • the CPU can also perform the function of the forwarding engine, such as implementing soft forwarding based on a general-purpose CPU, so that no forwarding engine is needed in the interface board.
  • the forwarding engine may be implemented by ASIC or Field Programmable Gate Array (Field Programmable Gate Array, FPGA).
  • the memory storing the forwarding table can also be integrated into the forwarding engine as a part of the forwarding engine.
  • An embodiment of the present application further provides a chip system, including: a processor, the processor is coupled to a memory, and the memory is used to store a program or an instruction.
  • the chip system implements the traffic forwarding method or message sending method performed by the first communication device in the embodiments shown in FIGS.
  • there may be one or more processors in the chip system.
  • the processor can be realized by hardware or by software.
  • the processor may be a logic circuit, an integrated circuit, or the like.
  • the processor may be a general-purpose processor implemented by reading software codes stored in a memory.
  • the memory can be integrated with the processor, or can be set separately from the processor, which is not limited in this application.
  • the memory can be a non-transitory memory, such as a read-only memory (ROM), which can be integrated with the processor on the same chip, or can be arranged on different chips.
  • the application does not specifically limit the type of the memory and the arrangement of the memory and the processor.
  • the chip system can be a field programmable gate array (FPGA), an ASIC, a system on chip (System on Chip, SoC), a CPU, an NP, a digital signal processor (Digital Signal Processor, DSP), a microcontroller (Micro Controller Unit, MCU), a programmable logic device (Programmable Logic Device, PLD) or another integrated chip.
  • each step in the foregoing method embodiments may be implemented by an integrated logic circuit of hardware in a processor or instructions in the form of software.
  • the method steps disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
  • the embodiment of the present application also provides a computer-readable storage medium, including instructions, which, when running on a processor, implement any one or more operations in the method performed by the first communication device provided in any of the above method embodiments, or implement any one or more operations in the method performed by the control management device provided in any of the above method embodiments.
  • the embodiment of the present application also provides a computer program product containing instructions, which, when running on a processor, implements any one or more operations in the method performed by the first communication device provided in any of the above method embodiments, or implements any one or more operations in the method performed by the control management device provided in any of the above method embodiments.
  • the disclosed system, device and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical module division.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be obtained according to actual needs to achieve the purpose of the solution of this embodiment.
  • each module unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software module units.
  • if the integrated unit is implemented in the form of a software module unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • on this basis, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium, and includes several instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the application.
  • the aforementioned storage medium includes: various media that can store program codes such as U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disk.
  • the functions described in the present invention may be implemented by hardware, software, firmware or any combination thereof.
  • the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage media may be any available media that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a traffic forwarding method, a packet sending method, a message sending method, and an apparatus, used for forwarding virtual private network (VPN) traffic when a VPN routing table is not used, and improving the forwarding performance of the VPN traffic. The traffic forwarding method is implemented by a first communication apparatus, and specifically comprises: obtaining first traffic filtering information, the first traffic filtering information comprising a VPN tag, a first flow rule, and a first traffic filtering action, wherein the first traffic filtering action comprises a redirected first next hop, the redirected first next hop is a first public Internet protocol (IP) address of a second communication apparatus, and the first traffic filtering action instructs the first communication apparatus to forward traffic matching the first flow rule to the first next hop; and forwarding, according to the first traffic filtering information, the traffic matching the first flow rule.

Description

一种流量转发方法、报文发送方法、消息发送方法及装置A flow forwarding method, message sending method, message sending method and device
本申请要求于2022年01月21日提交中国国家知识产权局、申请号为202210074405.4、发明名称为“一种流量转发方法、报文发送方法、消息发送方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed with the State Intellectual Property Office of China on January 21, 2022, with the application number 202210074405.4, and the title of the invention is "A traffic forwarding method, message sending method, message sending method and device", the entire content of which is incorporated in this application by reference.
技术领域technical field
本申请涉及通信技术领域,尤其涉及涉及一种流量转发方法、报文发送方法、消息发送方法及装置。The present application relates to the field of communication technologies, and in particular to a flow forwarding method, a message sending method, a message sending method and a device.
背景技术Background technique
虚拟专用网(Virtual Private Network,VPN)技术可以在公共网络中建立专用的通信网络。该专用的通信网络可以被称为VPN或者私网。设备在VPN中的互联网协议(Internet Protocol,IP)被称为私网IP地址。相应的,公共网络可以被称为公网,设备在公网中的IP地址被称为公网IP地址。Virtual Private Network (VPN) technology can establish a dedicated communication network in a public network. This dedicated communication network may be called a VPN or private network. The Internet Protocol (IP) of the device in the VPN is called the private network IP address. Correspondingly, a public network may be called a public network, and an IP address of a device in the public network is called a public network IP address.
为了转发VPN流量,可以在运营商边缘(Provider Edge,PE)设备上部署VPN路由表。VPN路由表独立于公网路由表,包括私网IP地址与PE设备的出接口之间的对应关系。如果报文的目的地址为VPN中某设备的私网IP地址,在接收到通过该报文之后,PE设备根据VPN路由表查找该私网IP地址对应的出接口,并通过出接口发送报文,实现VPN流量的转发。In order to forward VPN traffic, a VPN routing table can be deployed on the Provider Edge (PE) device. The VPN routing table is independent of the public network routing table, including the correspondence between the private network IP address and the outgoing interface of the PE device. If the destination address of the packet is the private IP address of a device in the VPN, after receiving the packet, the PE device looks up the outgoing interface corresponding to the private IP address according to the VPN routing table, and sends the packet through the outgoing interface to forward VPN traffic.
However, the VPN routing table limits forwarding performance. For example, as the number of devices in the VPN increases, the number of private network IP addresses recorded in the VPN routing table increases accordingly, so the PE device spends more time looking up the VPN routing table. In addition, forwarding packets according to the VPN routing table gives no flexible control over the forwarding path of the packets.
Summary
The present application provides a traffic forwarding method, a packet sending method, a message sending method, and an apparatus for forwarding VPN traffic without using a VPN routing table, thereby improving the forwarding performance of VPN traffic.
In a first aspect, the present application provides a traffic forwarding method that can be applied to a first communication device. The first communication device is a network device for forwarding VPN traffic, for example a PE device in a public network. Specifically, the traffic forwarding method includes: the first communication device first obtains first traffic filtering information. The first traffic filtering information may be sent by a controller to the first communication device in a notification message, or may be configured on the first communication device by a network management device. The first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action; the first traffic filtering action includes a first next hop for redirection, and the first next hop is a first public network IP address of a second communication device. The first traffic filtering action instructs the first communication device to add the VPN label to packets matching the first flow rule and to send the VPN-labelled packets to the first public network IP address of the second communication device according to the first traffic filtering action. Correspondingly, after obtaining the first traffic filtering information, the first communication device forwards traffic matching the first flow rule according to the first traffic filtering information. That is, as indicated by the first traffic filtering information, the first communication device forwards packets that match the first flow rule, with the VPN label added, to the specified public network IP address. In this way, VPN traffic is forwarded according to the first traffic filtering information without using a VPN routing table, which reduces the forwarding delay of VPN traffic. In addition, the first traffic filtering information can also specify the public network next hop of the VPN traffic, so that the forwarding path of VPN traffic can be adjusted flexibly. Forwarding VPN traffic according to the first traffic filtering information therefore avoids looking up the VPN routing table and improves the forwarding performance of VPN traffic.
In a possible implementation, the first traffic filtering information further includes tunnel type information, which indicates the type of the tunnel used to forward traffic matching the first flow rule. Correspondingly, according to the tunnel type information, the first communication device may select one public network tunnel from the multiple public network tunnels between the first communication device and the first IP address of the second communication device as the public network tunnel for forwarding VPN traffic matching the first flow rule. In the technical solution of the present application, the public network tunnel used to forward VPN traffic matching the first flow rule is called the first tunnel.
In a possible implementation, the first communication device obtains the first traffic filtering information from a notification message sent by the controller. Specifically, the notification message sent by the controller to the first communication device is a Border Gateway Protocol (BGP) message, and the BGP message includes the first traffic filtering information. Alternatively, the notification message sent by the controller to the first communication device is a Path Computation Element Communication Protocol (PCEP) message.
In a possible implementation, the VPN label in the first traffic filtering information may be carried as an Extended Community attribute in the BGP message sent by the controller to the first communication device. Specifically, the BGP message includes a first extended community attribute, and the first extended community attribute carries the VPN label.
In a possible implementation, the first extended community attribute further includes a tunnel type field. The tunnel type field carries tunnel type information, and the tunnel type information indicates the type of the tunnel used to forward VPN traffic matching the first flow rule. Specifically, the tunnel type field in the first extended community attribute carries the tunnel type information of the first tunnel.
In a possible implementation, the first communication device forwards VPN traffic matching the first flow rule through the first tunnel. Before forwarding the VPN traffic, the first communication device therefore first determines the first tunnel. Specifically, the first communication device iterates (that is, resolves) the first tunnel according to the first public network IP address of the second communication device in the first traffic filtering information; the identifier of the first tunnel is called the first tunnel identifier. Next, the first communication device stores the VPN label, the first flow rule, the first public network IP address, and the first tunnel identifier in association on its forwarding plane. The forwarding plane of the first communication device thus holds a first association relationship, namely the association among the VPN label, the first flow rule, the first public network IP address, and the first tunnel identifier.
In a possible implementation, the first association relationship is stored on the forwarding plane of the first communication device in the form of a first flow rule forwarding entry. The first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address, and the first tunnel identifier. The first index indexes the first flow rule and identifies the storage location of the first flow rule in the first communication device.
In a possible implementation, the first association relationship further includes the type of the first tunnel. That is, the first association relationship is the association among the VPN label, the first flow rule, the first public network IP address, the first tunnel identifier, and the type of the first tunnel. Correspondingly, the first flow rule forwarding entry includes the VPN label, the first index, the first public network IP address, the first tunnel identifier, and the type of the first tunnel.
In a possible implementation, the first communication device may also obtain second traffic filtering information and forward VPN traffic according to the second traffic filtering information. The second traffic filtering information includes the VPN label, a second flow rule, and a second traffic filtering action. The VPN label in the second traffic filtering information is the same as the VPN label in the first traffic filtering information, and the second traffic filtering action includes a second next hop for redirection, which is a second public network IP address of the second communication device. That is, the second traffic filtering information instructs the first communication device to add the VPN label to packets matching the second flow rule and to forward them to the second public network IP address of the second communication device. In this way, the first flow rule and the second flow rule distinguish different VPN traffic passing through the same device (the second communication device), enabling flexible forwarding of VPN traffic. As with the first traffic filtering information, the second traffic filtering information may be obtained by the first communication device from a notification message sent by the controller, or may be configured on the first communication device by the network management device.
In a possible implementation, the first communication device forwards VPN traffic matching the second flow rule through a public network tunnel, which is called the second tunnel. Correspondingly, after receiving the second traffic filtering information, the first communication device may iterate the second tunnel according to the second public network IP address of the second communication device; the identifier of the second tunnel is called the second tunnel identifier. The first communication device also stores a second association relationship on its forwarding plane, namely the association among the VPN label, the second flow rule, the second public network IP address, and the second tunnel identifier.
In a possible implementation, similarly to the first association relationship, the first communication device stores the second association relationship in the form of a second flow rule forwarding entry. Specifically, the second flow rule forwarding entry includes the VPN label, a second index, the second public network IP address, and the second tunnel identifier. The second index indexes the second flow rule and identifies the storage location of the second flow rule in the first communication device.
The following describes how the first communication device forwards packets according to the first traffic filtering information.
In a possible implementation, the first communication device forwards packets matching the first flow rule based on the first public network IP address. Specifically, the first communication device receives a first packet through an inbound interface bound to the first association relationship. The first communication device then determines whether the first packet matches the first flow rule. If the first packet matches the first flow rule, the first communication device adds the VPN label to the first packet and sends the VPN-labelled first packet to the first next hop, thereby forwarding the VPN traffic. Optionally, the first communication device may look up the first flow rule forwarding entry, determine the first index, the VPN label, and the first public network IP address from that entry, and determine the first flow rule from the first index.
In a possible implementation, the first communication device forwards packets matching the first flow rule through the first tunnel. Specifically, the first communication device receives a second packet through the inbound interface bound to the first association relationship and determines whether the second packet matches the first flow rule. If the second packet matches the first flow rule, the first communication device adds the VPN label to the second packet and sends the VPN-labelled second packet to the first public network IP address of the second communication device through the first tunnel, thereby forwarding the VPN traffic.
In a possible implementation, if the first flow rule forwarding entry includes the first index, the VPN label, the first public network IP address, and the first tunnel identifier, the first communication device may determine the first tunnel identifier from the first flow rule forwarding entry. Specifically, the first communication device receives a third packet through the inbound interface bound to the first flow rule forwarding entry, determines the first index, the VPN label, the first public network IP address, and the first tunnel identifier from the first flow rule forwarding entry, and determines the first flow rule from the first index. The first communication device then determines whether the third packet matches the first flow rule. If the third packet matches the first flow rule, the first communication device adds the VPN label to the third packet and sends the VPN-labelled third packet to the first public network IP address of the second communication device through the first tunnel, thereby forwarding the VPN traffic.
In a possible implementation, if the first communication device also obtains the second traffic filtering information, the first communication device forwards packets matching the second flow rule according to the second traffic filtering information. Specifically, the first communication device receives a fourth packet through an inbound interface bound to both the first flow rule forwarding entry and the second flow rule forwarding entry, and determines whether the fourth packet matches the first flow rule or the second flow rule. If the fourth packet matches the second flow rule, the first communication device adds the VPN label to the fourth packet and sends the VPN-labelled fourth packet to the second public network IP address of the second communication device, thereby forwarding the VPN traffic.
In a possible implementation, if the second flow rule forwarding entry includes the second index, the VPN label, the second public network IP address, and the second tunnel identifier, the first communication device may determine the second tunnel identifier from the second flow rule forwarding entry. Specifically, the first communication device receives a fifth packet through the inbound interface bound to both the first flow rule forwarding entry and the second flow rule forwarding entry, and determines whether the fifth packet matches the first flow rule or the second flow rule. If the fifth packet matches the second flow rule, the first communication device determines the VPN label, the second public network IP address, and the second tunnel identifier from the second flow rule forwarding entry, adds the VPN label to the fifth packet, and sends the VPN-labelled fifth packet to the second public network IP address of the second communication device through the second tunnel, thereby forwarding the VPN traffic.
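The forwarding-plane behaviour described in the implementations above (flow rule forwarding entries bound to an inbound interface, a match against the indexed flow rule, then VPN label insertion and redirection to a public next hop, optionally through an iterated tunnel) can be modelled in a few dozen lines. The following is an added example, not code from the patent or its applicant; the class names, the shape of a flow rule (a destination prefix plus an optional protocol), the packet model, and the sample interface names, labels, and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not the patent's code): a toy forwarding plane that stores
# flow rule forwarding entries per inbound interface and forwards by entry
# lookup only, never by a VPN routing table. Field names, the shape of a
# flow rule (destination prefix plus optional protocol) and the packet model
# are assumptions made for illustration.


@dataclass(frozen=True)
class FlowRule:
    dst_prefix: str                 # e.g. "10.1.0.0/16"
    protocol: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["dst"]) not in ip_network(self.dst_prefix):
            return False
        return self.protocol is None or pkt.get("proto") == self.protocol


@dataclass(frozen=True)
class FlowRuleEntry:
    """Flow rule forwarding entry: VPN label, index of the flow rule,
    redirected public next hop and (optionally) the iterated tunnel."""
    vpn_label: int
    rule_index: int
    next_hop: str
    tunnel_id: Optional[str] = None
    tunnel_type: Optional[str] = None


class ForwardingPlane:
    def __init__(self) -> None:
        self.rules: dict[int, FlowRule] = {}               # index -> flow rule
        self.entries: dict[str, list[FlowRuleEntry]] = {}  # ingress -> entries

    def install(self, ingress: str, rule: FlowRule, entry: FlowRuleEntry) -> None:
        self.rules[entry.rule_index] = rule
        self.entries.setdefault(ingress, []).append(entry)

    def forward(self, ingress: str, pkt: dict) -> Optional[dict]:
        """Return the encapsulated packet for the first matching entry bound
        to `ingress`, or None (drop) when no entry matches. Entries are bound
        to the inbound interface, so a packet arriving on an interface with no
        entries is never redirected, whatever its destination."""
        for entry in self.entries.get(ingress, []):
            if self.rules[entry.rule_index].matches(pkt):
                return {
                    "vpn_label": entry.vpn_label,  # label added to the packet
                    "outer_dst": entry.next_hop,   # public IP of the egress PE
                    "tunnel_id": entry.tunnel_id,  # None: plain next-hop forwarding
                    "inner": pkt,
                }
        return None


def build_demo_plane() -> ForwardingPlane:
    """Constructed sample: two entries on the same inbound interface share one
    VPN label but redirect to different public addresses of the same egress PE."""
    fp = ForwardingPlane()
    fp.install("ge-0/0/1", FlowRule("10.1.0.0/16"),
               FlowRuleEntry(vpn_label=100, rule_index=1, next_hop="203.0.113.1",
                             tunnel_id="srv6-policy-1", tunnel_type="SRv6"))
    fp.install("ge-0/0/1", FlowRule("10.2.0.0/16", protocol="udp"),
               FlowRuleEntry(vpn_label=100, rule_index=2, next_hop="203.0.113.2",
                             tunnel_id="mpls-te-7", tunnel_type="MPLS-TE"))
    return fp


if __name__ == "__main__":
    fp = build_demo_plane()
    print(fp.forward("ge-0/0/1", {"src": "10.9.0.5", "dst": "10.1.3.4", "proto": "tcp"}))
    print(fp.forward("ge-0/0/1", {"src": "10.9.0.5", "dst": "10.2.7.8", "proto": "tcp"}))
```

The second call in the usage block returns None: the packet reaches the interface bound to both entries but matches neither flow rule (the second rule requires UDP), so it is not redirected. Binding entries to the inbound interface is what keeps the redirection scoped to the VPN site whose traffic the filtering information was issued for.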
In a second aspect, the present application provides a packet sending method that can be applied to a first communication device. The first communication device is a network device for forwarding VPN traffic, for example a PE device in a public network. The packet sending method includes: the first communication device receives a first packet. Specifically, the inbound interface on which the first communication device receives the first packet is associated with a first association relationship. The first association relationship is the association among a first flow rule, a VPN label, and a first traffic filtering action; the first traffic filtering action includes a first next hop for redirection, which is a first public network IP address of a second communication device. After receiving the first packet, the first communication device determines the first association relationship from the inbound interface on which the first packet was received, determines the first flow rule from the first association relationship, and determines whether the first packet matches the first flow rule. If the first packet matches the first flow rule, the first communication device adds the VPN label to the first packet according to the first association relationship and forwards the VPN-labelled first packet to the first IP address of the second communication device. In this way, VPN traffic is forwarded according to the first traffic filtering information without using a VPN routing table, which reduces the forwarding delay and improves the forwarding performance of VPN traffic.
In a possible implementation, the first traffic filtering action further includes a first tunnel identifier, which instructs the first communication device to forward traffic matching the first flow rule through a first tunnel. The first tunnel identifier identifies the first tunnel, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device. Correspondingly, when forwarding the first packet, the first communication device sends the VPN-labelled first packet to the first next hop through the first tunnel.
In a possible implementation, the first association relationship is stored on the forwarding plane of the first communication device in the form of a first flow rule forwarding entry. Correspondingly, the first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address of the second communication device, and the first tunnel identifier. The first index indexes the first flow rule.
In a possible implementation, the forwarding plane of the first communication device further includes a second association relationship, namely the association among a second flow rule, the VPN label, and a second traffic filtering action; the second traffic filtering action includes a second next hop for redirection, which is a second public network IP address of the second communication device. That is, the second association relationship instructs the first communication device to forward VPN traffic matching the second flow rule to the second public network IP address of the second communication device. Specifically, if the first communication device receives a second packet through an inbound interface bound to both the first association relationship and the second association relationship, it first determines whether the second packet matches the first flow rule or the second flow rule. If the second packet matches the second flow rule, the first communication device adds the VPN label to the second packet and sends the VPN-labelled second packet to the second next hop.
In a possible implementation, the second traffic filtering action further includes a second tunnel identifier, which instructs the first communication device to forward traffic matching the second flow rule through a second tunnel. The second tunnel identifier identifies the second tunnel, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device. Correspondingly, when forwarding the second packet, the first communication device sends the VPN-labelled second packet to the second next hop through the second tunnel.
In a third aspect, the present application provides a message sending method applied to a control and management device, which may be a network management device or a controller. If the control and management device is a controller, it may be the controller that controls PE devices in a multi-level controller architecture. Specifically, the message sending method includes: the control and management device obtains first traffic filtering information and sends the first traffic filtering information to a first communication device. The first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action. The first traffic filtering action includes a first next hop for redirection, which is a first public network IP address of a second communication device, and instructs the first communication device to forward VPN traffic matching the first flow rule to the first next hop. In this way, after receiving the first traffic filtering information, the first communication device can forward VPN traffic according to the first traffic filtering information rather than a VPN routing table, which avoids the VPN routing table lookup and improves the forwarding performance of VPN traffic.
In a possible implementation, the control and management device is a network management device, and it may obtain the first traffic filtering information configured on the network management device by a technician.
In a possible implementation, the control and management device is a controller, and it may receive the first traffic filtering information sent by a network management device, or obtain the first traffic filtering information configured on the controller by a technician. Alternatively, if the control and management device is the controller that controls PE devices in a multi-level controller architecture, the first traffic filtering information may be sent to the control and management device by the controller that controls the control and management device in that architecture.
In a possible implementation, the first traffic filtering information further includes tunnel type information of a first tunnel, which indicates the type of the first tunnel. The first tunnel is a public network tunnel established between the first communication device and the second communication device for forwarding VPN traffic matching the first flow rule. That is, after determining that a packet matches the first flow rule, the first communication device may forward the VPN-labelled packet to the first public network IP address of the second communication device through the first tunnel.
In a possible implementation, the control and management device is a controller, and it may send the first traffic filtering information to the first communication device in a notification message. The notification message sent by the control and management device may be a BGP message or a PCEP message.
In a possible implementation, the control and management device is a controller, and it sends the first traffic filtering information to the first communication device in a BGP message. The VPN label in the first traffic filtering information may be carried in the BGP message as an extended community attribute. Specifically, the BGP message includes a first extended community attribute, and the first extended community attribute includes the VPN label.
In a possible implementation, the first extended community attribute further includes a tunnel type field. The tunnel type field carries tunnel type information, which indicates the type of the public network tunnel that forwards traffic matching the first flow rule. For example, the tunnel type field may carry the tunnel type information of the first tunnel described above.
In a possible implementation, the control and management device is a controller, and it sends the first traffic filtering information to the first communication device in a BGP message. The BGP message further includes a Route Target (RT). The RT is associated with a VPN instance on the first communication device, and the first traffic filtering information filters VPN traffic from the VPN site bound to that VPN instance. Correspondingly, after receiving the BGP message, the first communication device may perform route-target crossing according to the RT to determine the identifier of the VPN instance corresponding to the first traffic filtering information, and thereby determine the inbound interface bound to the first association relationship.
In a possible implementation, the control and management device may also obtain second traffic filtering information, which includes the VPN label, a second flow rule, and a second traffic filtering action. The VPN label in the second traffic filtering information is the same as the VPN label in the first traffic filtering information, and the second traffic filtering action includes a second next hop for redirection, which is a second public network IP address of the second communication device. That is, the second traffic filtering information instructs the first communication device to add the VPN label to packets matching the second flow rule and to forward them to the second public network IP address of the second communication device. In this way, the first flow rule and the second flow rule distinguish different VPN traffic passing through the same device (the second communication device), enabling flexible forwarding of VPN traffic.
在一种可能的实现中,第二流量过滤信息还包括第二隧道的类型信息,第二隧道的隧道类型信息用于指示第二隧道的类型。第二隧道为第一通信装置和第二通信装置之间建立的公网隧道,用于转发与第二流规则匹配的VPN流量。也就是说,第一通信装置在确定报文与第二流规则匹配之后,可以通过第二隧道向第二通信装置的第二公网IP地址转发添加了VPN标签的报文。In a possible implementation, the second traffic filtering information further includes type information of the second tunnel, and the tunnel type information of the second tunnel is used to indicate the type of the second tunnel. The second tunnel is a public network tunnel established between the first communication device and the second communication device, and is used to forward VPN traffic matching the second flow rule. That is to say, after determining that the packet matches the second flow rule, the first communication device may forward the packet with the VPN label to the second public network IP address of the second communication device through the second tunnel.
In a fourth aspect, the present application provides a network device for traffic forwarding. The network device is applied to a first communication device and includes a processing module and a transceiver module.
The processing module is configured to obtain first traffic filtering information, where the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action; the first traffic filtering action includes a redirected first next hop, the redirected first next hop is a first public network IP address of a second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop. The transceiver module is further configured to forward traffic matching the first flow rule according to the first traffic filtering information.
In a possible implementation, the first traffic filtering information further includes tunnel type information, where the tunnel type information indicates the type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
In a possible implementation, the transceiver module is further configured to receive a BGP message sent by a controller, where the BGP message includes the first traffic filtering information.
In a possible implementation, the BGP message includes a first extended community attribute, and the first extended community attribute carries the VPN label.
In a possible implementation, the first extended community attribute further includes a tunnel type field, where the tunnel type field carries tunnel type information, the tunnel type information indicates the type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
In a possible implementation, the transceiver module is further configured to receive a PCEP message sent by the controller, where the PCEP message includes the first traffic filtering information.
In a possible implementation, the processing module is configured to iterate (that is, recursively resolve) a first tunnel according to the first public network IP address, where the first tunnel is a first public network tunnel established between the first communication device and the second communication device, and to store a first association relationship on the forwarding plane, where the first association relationship is the association among the VPN label, the first flow rule, the first public network IP address, and a first tunnel identifier, and the first tunnel identifier identifies the first tunnel.
In a possible implementation, the processing module is configured to store a first flow rule forwarding entry on the forwarding plane, where the first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address, and the first tunnel identifier, and the first index is used to index the first flow rule.
In a possible implementation, the first association relationship further includes the type of the first tunnel.
In a possible implementation, the processing module is further configured to obtain second traffic filtering information, where the second traffic filtering information includes the VPN label, a second flow rule, and a second traffic filtering action; the second traffic filtering action carries a redirected second next hop, the redirected second next hop is a second public network Internet Protocol (IP) address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop; and to forward traffic matching the second flow rule according to the second traffic filtering information.
In a possible implementation, the processing module is configured to iterate a second tunnel according to the second public network IP address, where the second tunnel is a second public network tunnel established between the first communication device and the second communication device, and to store a second association relationship on the forwarding plane, where the second association relationship is the association among the VPN label, the second flow rule, the second public network IP address, and a second tunnel identifier, and the second tunnel identifier identifies the second tunnel.
In a possible implementation, the transceiver module is configured to receive a first packet;
the processing module is configured to add the VPN label to the first packet in response to the first packet matching the first flow rule;
the transceiver module is further configured to send the first packet with the VPN label added to the first next hop.
In a possible implementation, the transceiver module is configured to receive a second packet;
the processing module is configured to add the VPN label to the second packet in response to the second packet matching the first flow rule;
the transceiver module is configured to send the second packet with the VPN label added to the first next hop through the first tunnel.
In a possible implementation, the transceiver module is configured to receive a third packet;
the processing module is configured to, in response to the third packet matching the first flow rule, determine the VPN label and the first tunnel identifier corresponding to the first flow rule according to the first flow rule forwarding entry, and add the VPN label to the third packet;
the transceiver module is configured to send the third packet with the VPN label added to the first next hop through the first tunnel.
In a possible implementation, the transceiver module is configured to receive a fourth packet;
the processing module is configured to add the VPN label to the fourth packet in response to the fourth packet matching the second flow rule;
the transceiver module is configured to send the fourth packet with the VPN label added to the second next hop.
In a possible implementation, the transceiver module is configured to receive a fifth packet;
the processing module is configured to, in response to the fifth packet matching the second flow rule, determine the VPN label and the second tunnel identifier corresponding to the second flow rule according to the second flow rule forwarding entry, and add the VPN label to the fifth packet;
the transceiver module is configured to send the fifth packet with the VPN label added to the second next hop through the second tunnel.
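The forwarding-plane behaviour of the fourth aspect, as an added example in Python that is not the patent's own code: traffic filtering information is installed as flow rule forwarding entries (VPN label, rule index, public next hop IP, tunnel identifier and tunnel type), the tunnel is iterated from the redirected next hop's public IP, and a matching packet leaves with the VPN label pushed over that tunnel. Two rules share one VPN label but redirect to different public IPs of the remote PE, which is the "same label, different tunnels" case the text describes. The class and method names, the tunnel table, the tunnel type strings and all addresses are assumptions constructed for the example.

```python
"""Added example, not the patent's own code: a toy forwarding plane that turns
traffic filtering information into flow rule forwarding entries and forwards
matching packets with the VPN label pushed, over the tunnel resolved from the
redirected next hop. Names, the tunnel table and all addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    """Constructed flow rule: destination prefix plus an optional destination port."""
    dst_prefix: str
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["dst"]) not in ip_network(self.dst_prefix):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


@dataclass(frozen=True)
class TrafficFilteringInfo:
    """The per-rule information the controller or NMS hands to the PE."""
    vpn_label: int        # 20-bit MPLS label shared by all rules of one VPN
    rule: FlowRule
    next_hop_ip: str      # redirected next hop: a public IP of the remote PE
    tunnel_type: str      # assumed values, e.g. "sr-mpls"


@dataclass(frozen=True)
class ForwardingEntry:
    """The association relationship kept on the forwarding plane: VPN label,
    index of the flow rule, public next hop IP, tunnel id and tunnel type."""
    vpn_label: int
    rule_index: int
    next_hop_ip: str
    tunnel_id: int
    tunnel_type: str


class ForwardingPlane:
    def __init__(self, tunnels: dict):
        # Assumed tunnel table: (remote public IP, tunnel type) -> tunnel id
        self.tunnels = tunnels
        self.rules: list = []      # position in this list is the rule index
        self.entries: dict = {}    # rule index -> ForwardingEntry

    def iterate_tunnel(self, next_hop_ip: str, tunnel_type: str) -> int:
        """Tunnel iteration: resolve the public next hop to an existing tunnel."""
        try:
            return self.tunnels[(next_hop_ip, tunnel_type)]
        except KeyError:
            raise LookupError(f"no {tunnel_type} tunnel to {next_hop_ip}") from None

    def install(self, info: TrafficFilteringInfo) -> int:
        """Validate and install one piece of traffic filtering information."""
        if not 16 <= info.vpn_label <= 0xFFFFF:
            raise ValueError("VPN label must be a 20-bit label outside the reserved range")
        tunnel_id = self.iterate_tunnel(info.next_hop_ip, info.tunnel_type)
        self.rules.append(info.rule)
        idx = len(self.rules) - 1
        self.entries[idx] = ForwardingEntry(
            info.vpn_label, idx, info.next_hop_ip, tunnel_id, info.tunnel_type)
        return idx

    def forward(self, pkt: dict) -> Optional[dict]:
        """Rules are tried in installation order; the first match wins."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                e = self.entries[idx]
                return {"vpn_label": e.vpn_label, "tunnel_id": e.tunnel_id,
                        "next_hop": e.next_hop_ip, "payload": pkt}
        return None   # no flow rule matched: would fall back to the VPN routing table


def build_demo_plane() -> ForwardingPlane:
    """Constructed scenario: PE1 reaches PE2 at two public IPs over two SR tunnels,
    and both flow rules carry the same VPN label but different next hops."""
    fp = ForwardingPlane({("192.0.2.2", "sr-mpls"): 101, ("192.0.2.3", "sr-mpls"): 102})
    fp.install(TrafficFilteringInfo(1000, FlowRule("10.2.2.0/24"), "192.0.2.2", "sr-mpls"))
    fp.install(TrafficFilteringInfo(1000, FlowRule("10.3.3.0/24"), "192.0.2.3", "sr-mpls"))
    return fp


if __name__ == "__main__":
    plane = build_demo_plane()
    print(plane.forward({"dst": "10.2.2.2", "dport": 443}))   # tunnel 101
    print(plane.forward({"dst": "10.3.3.3"}))                 # tunnel 102
    print(plane.forward({"dst": "10.9.9.9"}))                 # None: no rule matched
```

Because `install` refuses information whose next hop does not resolve to an established tunnel and whose label is outside the usable range, a malformed or stale instruction from the controller is rejected before it can reach the forwarding plane; the unmatched packet returning `None` marks where the conventional VPN routing table lookup would take over.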
In a fifth aspect, the present application provides a network device for sending packets. The network device is applied to a first communication device and includes a transceiver module and a processing module.
The transceiver module is configured to receive a first packet;
the processing module is configured to, in response to the first packet matching a first flow rule, determine a VPN label and a first traffic filtering action according to a first association relationship, where the first association relationship is the association among the first flow rule, the VPN label, and the first traffic filtering action, the first traffic filtering action includes a redirected first next hop, and the redirected first next hop is a first public network IP address of a second communication device; and to add the VPN label to the first packet;
the transceiver module is configured to send the first packet with the VPN label added to the first next hop.
In a possible implementation, the first traffic filtering action further includes a first tunnel identifier, where the first tunnel identifier identifies a first tunnel, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device;
the transceiver module is configured to send the first packet with the VPN label added to the first next hop through the first tunnel.
In a possible implementation, the processing module is configured to determine the VPN label and the first tunnel identifier corresponding to the first flow rule according to a first flow rule forwarding entry, where the first flow rule forwarding entry includes the VPN label, a first index, the first public network IP address, and the first tunnel identifier, and the first index is used to index the first flow rule.
In a possible implementation, the transceiver module is further configured to receive a second packet;
the processing module is further configured to, in response to the second packet matching a second flow rule, determine the VPN label and a second traffic filtering action according to a second association relationship, where the second association relationship is the association among the second flow rule, the VPN label, and the second traffic filtering action, the second traffic filtering action includes a redirected second next hop, and the redirected second next hop is a second public network Internet Protocol (IP) address of the second communication device; and to add the VPN label to the second packet;
the transceiver module is further configured to send the second packet with the VPN label added to the second next hop.
In a possible implementation, the second traffic filtering action further includes a second tunnel identifier, where the second tunnel identifier identifies a second tunnel, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device;
the transceiver module is configured to send the second packet with the VPN label added to the second next hop through the second tunnel.
In a sixth aspect, the present application provides a control and management device for sending messages. The control and management device is applied to a controller or a network management device and includes a processing module and a transceiver module. The processing module is configured to obtain first traffic filtering information, where the first traffic filtering information includes a VPN label, a first flow rule, and a first traffic filtering action; the first traffic filtering action includes a redirected first next hop, the redirected first next hop is a first public network IP address of a second communication device, and the first traffic filtering action instructs a first communication device to forward VPN traffic matching the first flow rule to the first next hop. The transceiver module is configured to send the first traffic filtering information to the first communication device.
In a possible implementation, the first traffic filtering information further includes tunnel type information of a first tunnel, where the tunnel type information of the first tunnel indicates the type of the first tunnel, the first tunnel is used to forward traffic matching the first flow rule, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device.
In a possible implementation, the control and management device is a controller, and the transceiver module is configured to send a BGP message to the first communication device, where the BGP message includes the first traffic filtering information.
In a possible implementation, the BGP message includes a first extended community attribute, and the first extended community attribute carries the VPN label.
In a possible implementation, the first extended community attribute further includes a tunnel type field, where the tunnel type field carries tunnel type information, the tunnel type information indicates the type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
In a possible implementation, the BGP message further includes an RT, where the route target is associated with a VPN instance on the first communication device, and the first traffic filtering information is used to filter VPN traffic coming from the VPN site bound to that VPN instance.
In a possible implementation, the transceiver module is configured to send a PCEP message to the first communication device, where the PCEP message includes the first traffic filtering information.
In a possible implementation, the processing module is further configured to obtain second traffic filtering information, where the second traffic filtering information includes the VPN label, a second flow rule, and a second traffic filtering action; the second traffic filtering action includes a redirected second next hop, the redirected second next hop is a second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop; and to send the second traffic filtering information to the first communication device.
In a possible implementation, the second traffic filtering information further includes tunnel type information of a second tunnel, where the tunnel type information of the second tunnel indicates the type of the second tunnel, the second tunnel is used to forward traffic matching the second flow rule, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device.
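The control-plane side of the sixth aspect and the RT-based route crossing of the earlier BGP implementation, as an added example in Python that is neither the patent's nor any vendor's code: the controller packs the VPN label and tunnel type into an 8-byte extended community and attaches an RT, and the PE matches the RT against the import RTs of its VPN instances to find the VRF and the ingress interface bound to it, decoding the community only after the RT has been accepted. The byte layout of the community, the type and subtype values, the tunnel type code points, the RT strings and the VPN instance table are all assumptions; the patent states only that the attribute carries the VPN label and a tunnel type field (its FIG. 4 format is not reproduced on this page).

```python
"""Added example, not the patent's or any vendor's code: the controller builds
traffic filtering information, packs the VPN label and tunnel type into an
extended community, and the PE uses the route target to find the VPN instance
(route crossing). The 8-byte community layout, the type/subtype values and the
tunnel type code points are ASSUMPTIONS; the patent only states that the
attribute carries the VPN label and a tunnel type field."""
import struct

EXT_COMM_TYPE = 0x80      # assumed: BGP extended community experimental type range
EXT_COMM_SUBTYPE = 0x7F   # assumed subtype
TUNNEL_TYPES = {1: "mpls-ldp", 2: "sr-mpls", 3: "srv6"}   # assumed code points


def encode_label_community(vpn_label: int, tunnel_type: int) -> bytes:
    """Assumed layout: type(1) subtype(1) label(3, 20-bit value left-aligned as in
    an MPLS label entry) tunnel_type(1) reserved(2)."""
    if not 16 <= vpn_label <= 0xFFFFF:
        raise ValueError("VPN label out of range")
    if tunnel_type not in TUNNEL_TYPES:
        raise ValueError("unknown tunnel type")
    label_field = (vpn_label << 4).to_bytes(3, "big")
    return (struct.pack("!BB", EXT_COMM_TYPE, EXT_COMM_SUBTYPE) + label_field
            + struct.pack("!BH", tunnel_type, 0))


def decode_label_community(raw: bytes) -> tuple:
    """Reject anything that is not exactly the community we expect: a receiver
    should never install a label or tunnel type it cannot account for."""
    if len(raw) != 8:
        raise ValueError("extended community must be 8 bytes")
    if (raw[0], raw[1]) != (EXT_COMM_TYPE, EXT_COMM_SUBTYPE):
        raise ValueError("not the VPN label community")
    label = int.from_bytes(raw[2:5], "big") >> 4
    if label < 16:
        raise ValueError("reserved label")
    if raw[5] not in TUNNEL_TYPES:
        raise ValueError("unknown tunnel type")
    return label, TUNNEL_TYPES[raw[5]]


def route_cross(message_rt: str, vpn_instances: dict):
    """Match the message RT against each VPN instance's import RTs.
    vpn_instances: vrf_id -> {"import_rts": set, "ingress_ifaces": list}."""
    hits = [vrf for vrf, inst in vpn_instances.items() if message_rt in inst["import_rts"]]
    if not hits:
        return None    # RT not imported here: the message is ignored
    if len(hits) > 1:
        raise ValueError(f"RT {message_rt} is imported by several VPN instances")
    return hits[0]


def build_message(vpn_label, flow_rule, next_hop_ip, tunnel_type, rt) -> dict:
    """Controller side: the BGP message carrying the first traffic filtering information."""
    return {"rt": rt, "ext_community": encode_label_community(vpn_label, tunnel_type),
            "flow_rule": flow_rule, "redirect_next_hop": next_hop_ip}


def receive_message(msg: dict, vpn_instances: dict):
    """PE side: resolve the VPN instance via the RT, then the ingress interfaces bound to it."""
    vrf = route_cross(msg["rt"], vpn_instances)
    if vrf is None:
        return None
    label, ttype = decode_label_community(msg["ext_community"])
    return {"vrf_id": vrf, "ingress_ifaces": list(vpn_instances[vrf]["ingress_ifaces"]),
            "vpn_label": label, "tunnel_type": ttype,
            "flow_rule": msg["flow_rule"], "next_hop": msg["redirect_next_hop"]}


# Constructed PE1 state: VPN1 (VRF 1) bound to ingress interface A1, a second VPN to C1.
PE1_VPN_INSTANCES = {
    1: {"import_rts": {"65000:1"}, "ingress_ifaces": ["A1"]},
    2: {"import_rts": {"65000:2"}, "ingress_ifaces": ["C1"]},
}

if __name__ == "__main__":
    msg = build_message(1000, {"dst_prefix": "10.2.2.0/24"}, "192.0.2.2", 2, "65000:1")
    print(msg["ext_community"].hex())              # 807f003e80020000
    print(receive_message(msg, PE1_VPN_INSTANCES))  # VRF 1, ingress A1
    print(receive_message(build_message(1000, {}, "192.0.2.2", 2, "65000:9"),
                          PE1_VPN_INSTANCES))       # None: RT not imported
```

Ordering the checks this way matters: an instruction whose RT is not imported by any local VPN instance is dropped without being parsed further, and an RT imported by more than one instance is treated as a configuration error rather than silently applied to the first match, so a flow rule can never be attached to an ingress interface of the wrong VPN.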
In a seventh aspect, the present application provides a network device. The network device includes a processor and a memory; the memory is configured to store instructions or program code, and the processor is configured to call and run the instructions or program code from the memory so that the network device performs the method in the first aspect or any possible implementation of the first aspect, or the method in the second aspect or any possible implementation of the second aspect.
In an eighth aspect, the present application provides a control and management device. The control and management device includes a processor and a memory; the memory is configured to store instructions or program code, and the processor is configured to call and run the instructions or program code from the memory so that the control and management device performs the method in the third aspect or any possible implementation of the third aspect.
In a ninth aspect, the present application provides a network system. The network system includes the network device according to the fourth aspect or the fifth aspect and the control and management device according to the sixth aspect.
In a tenth aspect, the present application provides a computer-readable storage medium including instructions, a program, or code which, when executed on a processor, implements the traffic forwarding method in the first aspect or any possible implementation of the first aspect, the packet sending method in the second aspect or any possible implementation of the second aspect, or the message sending method in the third aspect or any possible implementation of the third aspect.
Description of the drawings
FIG. 1-A is a schematic diagram of a network architecture according to an embodiment of the present application;
FIG. 1-B is a schematic diagram of another network architecture according to an embodiment of the present application;
FIG. 1-C is a schematic diagram of yet another network architecture according to an embodiment of the present application;
FIG. 1-D is a schematic diagram of still another network architecture according to an embodiment of the present application;
FIG. 2 is a signaling interaction diagram of a traffic forwarding method according to an embodiment of the present application;
FIG. 3 is a signaling interaction diagram of a message sending method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a format of the first extended community attribute according to an embodiment of the present application;
FIG. 5 is a signaling interaction diagram of a packet sending method according to an embodiment of the present application;
FIG. 6 is another signaling interaction diagram of the traffic forwarding method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a device according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a device according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a device according to an embodiment of the present application.
Detailed description of the embodiments
In conventional VPN technology, a PE device forwards VPN traffic based on a VPN routing table. The VPN routing table, however, affects the forwarding performance of VPN traffic. For example, when the VPN routing table holds a large number of IP addresses, the PE device takes longer to search it, which increases the delay of packets in the VPN traffic. In addition, the VPN routing table specifies the egress interface and next hop used to transmit packets, which fixes the forwarding path of VPN traffic and limits the flexibility of VPN traffic forwarding.
A network architecture according to an embodiment of the present application is briefly introduced below with reference to FIG. 1-A.
Referring to FIG. 1-A, which is a schematic structural diagram of a system according to an embodiment of the present application. The system shown in FIG. 1-A includes device 1, device 2, device 3, CE 1, CE 2, PE 1, PE 2, and P1. CE1 is connected to device 1 and to PE1; P1 is connected to PE1 and to PE2; CE2 is connected to PE2, device 2, and device 3. Device 1, device 2, device 3, CE1, and CE2 belong to VPN1, while PE1, PE2, and P1 belong to the public network. The private network IP address of device 1 is 100.1.1.1, that of device 2 is 200.2.2.2, and that of device 3 is 300.3.3.3. On PE1, the ingress interface connected to CE1 is identified as A1 and the egress interface connected to P1 is identified as A2; on PE2, the ingress interface connected to P1 is identified as B1.
To isolate different VPNs, different VPN instances are created on a PE device, and each VPN instance maintains a separate VPN routing table (also called a private network routing table). A VPN instance may also be called a virtual routing and forwarding (Virtual Routing Forwarding, VRF) instance. Different VPN instances on a PE device are distinguished by a virtual routing forwarding identifier (Virtual Routing Forwarding Identifier, VRF ID). Assuming that the VRF ID of the VPN instance corresponding to VPN1 on PE1 is 1, the VPN routing table of VPN1 includes a first correspondence among VRF ID 1, the private network IP address 200.2.2.2 of device 2, and egress interface A2, and a second correspondence among VRF ID 1, the private network IP address 300.3.3.3 of device 3, and egress interface A2.
A VPN instance on a PE device can be bound to an ingress interface of the PE device, meaning that traffic received on that ingress interface is forwarded through the VPN instance. In the scenario shown in FIG. 1-A, ingress interface A1 of PE1 is bound to the VPN instance of VPN1, that is, ingress interface A1 is associated with VRF ID 1.
If device 1 sends packet 1 to device 2 through CE1, PE1 receives packet 1, whose destination address is 200.2.2.2, on ingress interface A1. After receiving packet 1, PE1 determines from ingress interface A1 that packet 1 is to be forwarded based on the VPN routing table of VPN1. Then, according to the destination address 200.2.2.2 of packet 1, PE1 searches the VPN routing table of VPN1, determines that the egress interface for packet 1 is A2, and forwards packet 1 through egress interface A2.
Similarly, if device 1 sends packet 2, whose destination is device 3, through CE1, PE1 receives packet 2, whose destination address is 300.3.3.3, on ingress interface A1. After receiving packet 2, PE1 determines from ingress interface A1 that packet 2 is to be forwarded based on the VPN routing table of VPN1. Then, according to the destination address 300.3.3.3 of packet 2, PE1 searches the VPN routing table of VPN1, determines that the egress interface for packet 2 is A2, and forwards packet 2 through egress interface A2.
Another network architecture according to an embodiment of the present application is briefly introduced below with reference to FIG. 1-B.
Referring to FIG. 1-B, which is another schematic structural diagram of a system according to an embodiment of the present application. In addition to the system shown in FIG. 1-A, the system shown in FIG. 1-B further includes P2. P2 is connected to PE1 and to PE2. On PE1, the egress interface connected to P2 is identified as A3; on PE2, the ingress interface connected to P2 is identified as B2.
When generating the VPN routing table, PE1 obtains two routes from CE2: one includes the private network IP address 200.2.2.2 of device 2, and the other includes the private network IP address 300.3.3.3 of device 3. After route computation, the VPN routing table generated by PE1 includes a correspondence among VRF ID 1 of VPN1, private network IP address 200.2.2.2, and egress interface A2, and a correspondence among VRF ID 1 of VPN1, private network IP address 300.3.3.3, and egress interface A2.
Correspondingly, PE1 forwards VPN traffic destined for device 2 or device 3 through egress interface A2.
In some possible implementations, the VPN routing table further includes a mask. A private network route prefix is obtained from the mask and the private network IP address. Correspondingly, determining the egress interface according to the destination address of a packet, as described above, means searching the VPN routing table for the private network route prefix that matches the destination address of the packet and then determining the egress interface according to that prefix.
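The conventional lookup described for FIG. 1-A and FIG. 1-B, as an added example in Python that is not part of the patent: the ingress interface selects the VPN instance, and the destination address is then matched by longest prefix (mask) only within that instance's table, so two VPNs may reuse the same private prefix without seeing each other's routes. The lookup returns how many routes it examined, which is the cost the text says grows with the size of the VPN routing table. Addresses, interface and next hop names beyond A1, A2 and A3 are constructed; in particular, the page's 300.3.3.3 is not a valid IPv4 address, so 10.x.x.x prefixes stand in for the private network addresses.

```python
"""Added example, not from the patent: the conventional VPN routing table of
FIG. 1-A and FIG. 1-B modelled as a per-VRF longest prefix match. Addresses are
constructed (the page's 300.3.3.3 is not a valid IPv4 address, so 10.x.x.x
prefixes stand in for the private network addresses)."""
from ipaddress import ip_address, ip_network
from typing import Optional


class VpnRoutingTable:
    """One private network routing table per VPN instance, keyed by VRF ID."""

    def __init__(self):
        self.routes = {}   # vrf_id -> list of (network, egress interface, next hop)

    def add_route(self, vrf_id: int, prefix: str, egress: str, next_hop: str) -> None:
        self.routes.setdefault(vrf_id, []).append((ip_network(prefix), egress, next_hop))

    def lookup(self, vrf_id: int, dst: str) -> Optional[tuple]:
        """Longest prefix match. Every route of the VRF is examined, so the cost
        grows with the number of VPN routes; the scan count is returned to show it."""
        addr = ip_address(dst)
        best = None
        scanned = 0
        for net, egress, next_hop in self.routes.get(vrf_id, []):
            scanned += 1
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, egress, next_hop)
        if best is None:
            return None
        return best[1], best[2], scanned


def forward_packet(table: VpnRoutingTable, iface_to_vrf: dict, in_iface: str, dst: str):
    """PE behaviour described above: the ingress interface selects the VPN instance,
    then the destination address is looked up only in that instance's table."""
    vrf_id = iface_to_vrf.get(in_iface)
    if vrf_id is None:
        return None   # interface not bound to any VPN instance: not VPN traffic
    return table.lookup(vrf_id, dst)


def build_demo_table():
    """Constructed PE1 state. VRF 1 (VPN1) is bound to ingress interface A1 and, as in
    FIG. 1-B, reaches both remote sites through egress interface A2; VRF 2 is a second,
    isolated VPN that happens to reuse the same private prefix."""
    table = VpnRoutingTable()
    table.add_route(1, "10.2.2.0/24", "A2", "P1")   # stands in for device 2's route
    table.add_route(1, "10.3.3.0/24", "A2", "P1")   # stands in for device 3's route
    table.add_route(2, "10.2.2.0/24", "A3", "P2")   # same prefix, different VPN
    iface_to_vrf = {"A1": 1, "C1": 2}
    return table, iface_to_vrf


if __name__ == "__main__":
    table, binding = build_demo_table()
    print(forward_packet(table, binding, "A1", "10.2.2.2"))   # via A2
    print(forward_packet(table, binding, "A1", "10.3.3.3"))   # also via A2
    print(forward_packet(table, binding, "C1", "10.2.2.2"))   # VRF 2: via A3
    print(forward_packet(table, binding, "A9", "10.2.2.2"))   # unbound: None
```

Both destinations of VPN1 resolve to A2 no matter what, which is the inflexibility the following paragraphs describe; the table can only send them elsewhere once new routes have been advertised and recomputed.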
From the above, the impact of the VPN routing table on the forwarding performance of VPN traffic includes, but is not limited to, the following three aspects.
First aspect: as the number of VPN routes keeps growing, the time needed to search the VPN routing table keeps growing, which increases the forwarding delay of VPN traffic.
Specifically, the VPN routing table contains the private network IP addresses of the devices in the VPN. As the number of devices in the VPN grows, the amount of data in the VPN routing table grows with it, and so does the time PE1 spends searching the table. This increases the time PE1 takes to forward a packet and worsens the forwarding delay of VPN traffic.
Second aspect: the VPN routing table restricts the forwarding path of packets, which reduces the flexibility of VPN traffic forwarding.
The VPN routing table specifies the egress interface and next hop for forwarding a packet. That is, after receiving VPN traffic, PE1 forwards it through the specified egress interface to the specified next hop according to the VPN routing table. This restricts the forwarding path of packets, so packets cannot be forwarded flexibly.
For example, in the implementation shown in FIG. 1-B, traffic destined for device 2 and traffic destined for device 3 are both forwarded through the same egress interface A2; traffic destined for different devices cannot be sent through different egress interfaces, so flexible forwarding of traffic cannot be achieved.
Third aspect: the VPN routing table is difficult to change, which reduces the flexibility of VPN traffic forwarding.
The VPN routing table is generated from VPN routes advertised by other devices. Therefore, if the forwarding path of traffic needs to be adjusted, device 2 and/or device 3 must re-advertise their routes before the VPN routing table of VPN1 can be modified. It can be seen that forwarding VPN traffic based on the VPN routing table does not allow the forwarding path of traffic to be adjusted flexibly.
From the above, it can be seen that, because of the limitations of the VPN routing table, traffic forwarding techniques based on the VPN routing table cannot guarantee the forwarding performance of VPN traffic.
为了解决上述问题,本申请实施例提供了一种流量过滤方法,第一通信装置可以根据流量过滤信息的指示,向公网下一跳转发与流规则匹配的流量。这样,根据流量过滤信息而非VPN路由表转发VPN流量,可以在不使用VPN路由表的前提下转发VPN流量。如此,避免查找VPN路由表,提升了VPN流量的转发性能。In order to solve the above problem, an embodiment of the present application provides a traffic filtering method, in which the first communication device can forward the traffic matching the traffic rule to the next hop of the public network according to the indication of the traffic filtering information. In this way, VPN traffic is forwarded based on traffic filtering information instead of the VPN routing table, and VPN traffic can be forwarded without using the VPN routing table. In this way, searching the VPN routing table is avoided, and the forwarding performance of VPN traffic is improved.
The method provided in the embodiments of this application can be applied to the network architecture shown in Figure 1-A or Figure 1-B. A PE device may be any device with a forwarding function, such as a router or a switch. In one possible implementation, PE1 and PE2 are able to forward packets based on the Multiprotocol Label Switching (MPLS) protocol. In one specific implementation, when the method of the embodiments is applied to the network architecture of Figure 1-A or Figure 1-B, the first communication device may be, for example, PE1 in Figures 1-A and 1-B, which performs the steps of the first communication device in the methods shown in Figures 2, 3, 5 and 6 below, and the second communication device may be, for example, PE2 in Figures 1-A and 1-B.
In addition to what was introduced above, the systems shown in Figures 1-A and 1-B also include a control management device, which manages PE1. In the embodiments of this application the control management device may be a controller, a network management device, or another device capable of control and/or management. Specifically, if the control management device is a network management device, it may be used to configure the first traffic filtering information on PE1 and to perform the steps of the network management device in the embodiment shown in Figure 2. If the control management device is a controller, it may be used to perform the steps of the controller in the embodiments shown in Figures 2, 3 and 6 below.
If the control management device is a controller, the system it belongs to may use a multi-level controller architecture, in which a higher-level controller can control lower-level controllers. A typical multi-level controller architecture consists of one parent controller and several child controllers. The control management device in the embodiments of this application (and the controller shown in Figures 2, 3 and 6) may be a controller that controls PE devices; it may be a parent controller or a child controller. The control management device establishes a neighbor relationship with PE1 and sends messages to PE1. As one possible implementation, the neighbor relationship between the control management device and PE1 may be a VPN flow specification (Flowspec) neighbor relationship or a VPN neighbor relationship. When a VPN neighbor relationship is established between the control management device and PE1, the two belong to the same VPN.
In one possible implementation, one or more public network tunnels may be established between PE1 and PE2. A public network tunnel may be a Label Distribution Protocol (LDP) tunnel, a Traffic Engineering (TE) tunnel, or a tunnel of another type. For example, in the implementation shown in Figure 1-A, public network tunnel 1 may be established between PE1 and PE2, with the forwarding path "PE1→P1→PE2". In the implementation shown in Figure 1-B, public network tunnel 1 and public network tunnel 2 are established between PE1 and PE2, where tunnel 1 corresponds to the forwarding path "PE1→P1→PE2" and tunnel 2 to the forwarding path "PE1→P2→PE2". The public network tunnels established between PE1 and PE2 may be of the same type or of different types.
The technical solution of the embodiments is introduced below with reference to Figure 2, taking public network tunnel 1 as an LDP tunnel and public network tunnel 2 as a TE tunnel. Figure 2 is a signaling interaction diagram of a traffic forwarding method 200 provided by an embodiment of this application; it consists of the following steps S201, S202 and S203.
S201: The control management device obtains first traffic filtering information.
The first traffic filtering information is introduced first.
In the embodiments of this application, the first traffic filtering information includes a VPN label, a first traffic filtering action and a first flow rule. It instructs the communication device to add the VPN label to packets matching the first flow rule and to forward those packets to a first public network IP address of the second communication device.
In the embodiments, the VPN label is a label allocated by the second communication device for a VPN route; in this application it may be, for example, an MPLS label. Specifically, the second communication device may allocate VPN labels per VPN instance (one label per VPN instance) or per VPN route (one label per VPN route).
If the second communication device allocates VPN labels per VPN instance, the VPN routes belonging to the same VPN share the same VPN label. If it allocates VPN labels per VPN route, the VPN routes belonging to the same VPN have different VPN labels.
For example, in the implementation shown in Figure 1-A, if PE2 allocates VPN labels per VPN instance, the different VPN routes in VPN1 correspond to the same VPN label, so the VPN route for device 2 and the VPN route for device 3 carry the same VPN label. If PE2 allocates VPN labels per VPN route, the different VPN routes in VPN1 correspond to different VPN labels, so the VPN route for device 2 and the VPN route for device 3 carry different VPN labels.
For ease of description, the following assumes that the second communication device allocates VPN labels per VPN instance.
In the embodiments, the first flow rule is a set of conditions on packets used to decide whether a packet needs to be redirected to the first next hop. A packet that matches the first flow rule has the VPN label added by the first communication device and is forwarded to the first next hop.
Specifically, the first flow rule may include at least one match rule that constrains the value of a characteristic field of the packet. A packet matches the first flow rule when the value of that characteristic field is consistent with the value defined in the match rule.
For example, suppose the first flow rule includes a first match rule and a second match rule; a packet matches the first flow rule when it matches both. Suppose further that the first match rule constrains the destination address field of the packet and the second match rule constrains the source address field, with the first match rule including a first private IP address and the second match rule including a second private IP address. Then a packet matches the first flow rule when its destination address is the first private IP address and its source address is the second private IP address.
Take Figure 1-A as an example. If the first flow rule is meant to match packets sent from device 1 to device 2, the first match rule in the first flow rule includes the private IP address 200.2.2.2 and constrains the destination address field of the packet to 200.2.2.2, and the second match rule includes the private IP address 100.1.1.1 and constrains the source address field to 100.1.1.1. If PE1 receives a packet X whose destination address is 200.2.2.2 and whose source address is 100.1.1.1, PE1 determines that packet X matches the first flow rule.
Optionally, the first match rule and/or the second match rule may also include a network segment. If the destination address of a packet belongs to the network segment in the first match rule and its source address belongs to the network segment in the second match rule, the packet matches the first flow rule.
In the embodiments, the first traffic filtering action includes the first public network IP address of the second communication device and instructs the first communication device to redirect traffic matching the first flow rule to that address. The first public network IP address of the second communication device may also be called the redirected first next hop.
Optionally, the second communication device may have one or more public network IP addresses. For example, the second communication device may have multiple interfaces, each with its own public network IP address; the public network IP address of one of those interfaces is the first next hop described above, that is, the first public network IP address. Accordingly, the first traffic filtering action instructs the first communication device to redirect traffic matching the first flow rule to the first public network IP address of the second communication device, and the second communication device receives that traffic on the interface corresponding to the first public network IP address.
In some possible implementations, the first traffic filtering information further includes a first tunnel identifier and/or tunnel type information of a first tunnel. The first tunnel identifier identifies the first tunnel and may be, for example, the first tunnel's Tunnel ID. The tunnel type information indicates the type of the first tunnel. The first tunnel is a public network tunnel established between the first communication device and the second communication device; specifically, it is the public network tunnel from the first communication device to the interface of the second communication device that corresponds to the first public network IP address.
In this way, if multiple public network tunnels exist between the first communication device and the second communication device, the first communication device can determine the first tunnel among them from the first tunnel identifier, or can select, according to the tunnel type information of the first tunnel, the public network tunnel whose type matches that tunnel type information as the first tunnel. In other words, the first tunnel identifier and/or the tunnel type information of the first tunnel are used to determine the first tunnel.
In the embodiments, the first traffic filtering information may be configured on the control management device by an engineer. Optionally, if the control management device is a controller, the first traffic filtering information may also be generated by the control management device from a control message, which is a message sent to the control management device by its higher-level controller and which includes the first traffic filtering information.
S202: The control management device sends the first traffic filtering information to the first communication device.
After obtaining the first traffic filtering information, the control management device can send it to the first communication device. As introduced above, the control management device may be a network management device or a controller, and accordingly it can send the first traffic filtering information to the first communication device in, but not limited to, the following two ways.
Way 1: the control management device configures the first traffic filtering information on the first communication device.
If the control management device is a network management device, it can configure the first traffic filtering information on the first communication device through the command line or the Network Configuration Protocol (NETCONF). This process may also be called static configuration. The first communication device then obtains the first traffic filtering information from the content configured by the network management device.
In one possible implementation, the control management device may configure a first flow rule forwarding entry on the forwarding plane of the first communication device, so that the forwarding plane forwards traffic according to that entry. The first flow rule forwarding entry is described together with Figure 3 and is not repeated here.
Way 2: the control management device sends the first communication device a first notification message that includes the first traffic filtering information.
If the control management device is a controller, it can send the first traffic filtering information to the first communication device in a first notification message, which includes the first traffic filtering information. The first notification message may be generated by the control management device or, if the system has multiple levels of controllers, generated by the higher-level controller of the control management device and sent to it; after receiving the first notification message from the higher-level controller, the control management device forwards it to the first communication device.
In the embodiments, the first notification message may carry one piece of traffic filtering information (the first traffic filtering information) or several; for example, it may carry the first traffic filtering information and second traffic filtering information.
In other words, besides static configuration, the first communication device can also obtain the first traffic filtering information from the first notification message, which is a notification message sent by the controller to the first communication device. The specific implementation of way 2 is described below together with Figure 3 and is not repeated here.
S203: The first communication device forwards traffic matching the first flow rule according to the first traffic filtering information.
If the first communication device receives multiple packets matching the first flow rule, it is said to have received traffic matching the first flow rule. According to the first traffic filtering information, the first communication device adds the VPN label to each packet matching the first flow rule and forwards the labelled packet to the first public network IP address of the second communication device. This process is referred to as the first communication device forwarding traffic matching the first flow rule according to the first traffic filtering information.
A detailed description of how the first communication device forwards VPN traffic is given in the embodiment shown in Figure 5 and is not repeated here.
In the embodiments of this application, the control management device sends the first traffic filtering information to the first communication device, and the first communication device, as instructed by that information, forwards packets matching the first flow rule to the specified public network IP address. If a packet of the VPN traffic matches the first flow rule, the first communication device can forward it, with the VPN label added, to the redirected first next hop. VPN traffic is thus forwarded according to the first traffic filtering information without using the VPN routing table, which avoids the VPN routing table lookup and improves the forwarding performance of VPN traffic.
Further, in some possible implementations, the control management device may also send second traffic filtering information to the first communication device. The second traffic filtering information includes a second flow rule, a second public network IP address of the second communication device serving as the redirected second next hop, and the VPN label. According to the second traffic filtering information, the first communication device adds the VPN label to packets matching the second flow rule and sends them to the second public network IP address of the second communication device. Different traffic is thus forwarded to the second communication device over different transmission paths, achieving differentiated transmission that better meets the transmission requirements of the traffic and makes VPN traffic forwarding more flexible.
The technical solution of the embodiments is described in detail below, taking as an example the case where the first communication device determines the first traffic filtering information from the first notification message sent by the controller (way 2 above).
Figure 3 is a signaling interaction diagram of a message sending method 300 provided by an embodiment of this application; it consists of the following steps S301 to S303.
S301: The controller obtains a first notification message.
To notify the first communication device of the first traffic filtering information, the controller first obtains a first notification message that includes the first traffic filtering information. The first notification message is generated by the controller or sent to the controller by its higher-level controller. Optionally, the first notification message may include several pieces of traffic filtering information; for example, it may include the first traffic filtering information and second traffic filtering information. The basic description of the first traffic filtering information is given above and is not repeated here.
As one possible implementation, the controller sends the first communication device a first notification message that advertises a Flowspec route and includes the VPN label, the first flow rule and the first traffic filtering action. In that case the first flow rule may also be called the match item (Match), and the VPN label and the first traffic filtering action may be called the action item (Action).
The VPN label may be reported to the controller by the second communication device, or allocated centrally by the controller.
As described above, the first notification message may further include the tunnel type information of the first tunnel and/or the first tunnel identifier.
In the embodiments, the first notification message may be a BGP message or a PCEP message. Taking a BGP message as the example, the way the first notification message carries the first traffic filtering information is described below.
The first notification message may be a BGP Update message. The first flow rule may be carried in the Network Layer Reachability Information (NLRI) field of the message, and the VPN label and the first traffic filtering action may be carried in a new BGP extended community attribute. Specifically, the VPN label and the first traffic filtering action may be carried in the same extended community attribute or in different extended community attributes.
As described above, the first notification message may further include the tunnel type information of the first tunnel. In one specific implementation, the tunnel type information of the first tunnel and the VPN label are carried in the same extended community attribute, which may be called the first extended community attribute. One specific format of the first extended community attribute is shown in Figure 4: the value of its Sub-Type field identifies the attribute as carrying the VPN label and the tunnel type information of the first tunnel, its Tunnel Type field carries the tunnel type information of the first tunnel, and its MPLS Label field carries the VPN label.
It will be understood that the tunnel type information of the first tunnel may also be carried in a separate extended community attribute.
As described above, a VPN Flowspec neighbor relationship may exist between the first communication device and the controller. In that case the first notification message also includes a first RT. When generating the first association relationship, the first communication device can use the first RT to determine the VPN identifier corresponding to the first traffic filtering action. The role of the first RT is described in S303 and is not repeated here.
S302:控制器向第一通信装置发送所述第一通告消息。S302: The controller sends the first notification message to the first communication device.
在获取到第一通告消息之后,控制器向第一通信装置发送第一通告消息,以使第一通信装置根据第一通告消息得到第一流量过滤信息。可选地,控制器向第一通信装置发送第一通告消息,又可以被称为控制器向第一通信装置发送Flowspec路由。After obtaining the first notification message, the controller sends the first notification message to the first communication device, so that the first communication device obtains first traffic filtering information according to the first notification message. Optionally, the controller sending the first notification message to the first communication device may also be referred to as the controller sending the Flowspec route to the first communication device.
S303: The first communication device generates a first association relationship according to the first traffic filtering information.
After receiving the first notification message, the first communication device obtains the first traffic filtering information from the first notification message and generates the first association relationship based on it. The first communication device then stores the first association relationship in its forwarding plane, so that, according to the first association relationship, packets matching the first flow rule can be given the VPN label and forwarded to the first public network IP address of the second communication device.
The first association relationship is an association among the VPN label, the first flow rule, and the IP address of the first next hop.
In this application, the first association relationship includes, but is not limited to, the following three implementation manners.
Implementation manner 1: the first association relationship is an association among the VPN label, the first flow rule, and the next hop, indicating that a packet matching the first flow rule is to be given the VPN label and sent to the first public network IP address of the second communication device.
Implementation manner 2: the first association relationship is an association among the VPN label, the first flow rule, the first tunnel identifier, and the next hop, indicating that a packet matching the first flow rule is to be given the VPN label and sent to the first public network IP address of the second communication device via the first tunnel.
Implementation manner 3: the first association relationship is an association among the VPN label, the first flow rule, the first tunnel identifier, the tunnel type information of the first tunnel, and the next hop.
In the second and third implementation manners above, the first association relationship includes the first tunnel identifier. The first tunnel identifier may be carried in the first notification message, or may be determined by the first communication device from the notification message. Specifically, if the first notification message does not include the first tunnel identifier, the first communication device determines the first tunnel identifier from the notification message in one of the following two implementation manners (without limitation).
Implementation manner 1: the first communication device iterates to the first tunnel based on the first public network IP address and obtains the first tunnel identifier.
Specifically, based on the first public network IP address, the first communication device searches the tunnels it has for a public network tunnel that reaches the first public network IP address of the second communication device, determines that public network tunnel as the first tunnel, and thus obtains the first tunnel identifier.
Implementation manner 2: the first communication device determines the first tunnel based on the first public network IP address and the tunnel type information of the first tunnel, and obtains the first tunnel identifier.
Specifically, the first communication device first determines, based on the first public network IP address, one or more public network tunnels between itself and the first public network IP address, then selects from them the public network tunnel whose tunnel type matches the tunnel type of the first tunnel as the first tunnel, and obtains the first tunnel identifier.
Implementation manner 2 is described with reference to FIG. 1-B. If the first notification message sent by the control and management device to PE1 includes the tunnel type information of the first tunnel, and that information indicates that the first tunnel is a public network tunnel of the LDP type, PE1 may determine public network tunnel 1 as the first tunnel. If the tunnel type information indicates that the first tunnel is a public network tunnel of the TE type, PE1 may determine public network tunnel 2 as the first tunnel.
The first association relationship described above may be stored in the forwarding plane of the first communication device in the form of a first flow rule forwarding entry, and the forwarding plane forwards VPN traffic based on that entry. Correspondingly, the first communication device generating the first association relationship according to the first traffic filtering information includes: the control plane of the first communication device generates the first flow rule forwarding entry according to the first traffic filtering information and, after generating it, delivers the first flow rule forwarding entry to the forwarding plane of the first communication device.
If the first association relationship is an association among the VPN label, the first flow rule, and the first public network IP address, the first flow rule forwarding entry includes the VPN label, the first index, and the first public network IP address.
If the first association relationship is an association among the VPN label, the first flow rule, the first tunnel identifier, and the first public network IP address, the first flow rule forwarding entry includes the VPN label, the first index, the first tunnel identifier, and the first public network IP address.
If the first association relationship is an association among the VPN label, the first flow rule, the first tunnel identifier, the tunnel type information of the first tunnel, and the first public network IP address, the first flow rule forwarding entry includes the VPN label, the first index, the first tunnel identifier, the tunnel type information of the first tunnel, and the first public network IP address.
The first index is used to index the first flow rule; for example, it may identify the storage location of the first flow rule. In this way, when the forwarding plane of the first communication device uses the first flow rule forwarding entry, it can look up the first flow rule by the first index in order to determine whether a packet matches the first flow rule. Alternatively, in some possible implementations, the first flow rule forwarding entry may itself include the first flow rule.
In some possible implementations, the first flow rule forwarding entry further includes an identifier of a VPN instance, which identifies the VPN instance corresponding to the first flow rule; for example, it may be the VRF ID corresponding to the first flow rule. In this way, after receiving traffic through the inbound interface corresponding to the VRF ID, the first communication device can determine from the VRF ID that the traffic is to be forwarded based on the first flow rule forwarding entry.
The method by which the first communication device obtains the VPN identifier is described below. The first communication device may obtain the VRF ID in, without limitation, the following two implementation manners.
Implementation manner 1: the first communication device obtains the VRF ID based on its neighbor relationship with the controller.
If the first communication device and the controller are VPN neighbors, and the interface of the first communication device that connects to the controller is bound to a VPN instance, then after receiving the first notification message sent by the control and management device, the first communication device can determine the VRF ID from the interface on which the first notification message was received.
Implementation manner 2: the first communication device obtains the VRF ID based on the first RT.
As described above, if the first communication device and the controller are VPN Flowspec neighbors, the first notification message sent by the controller further includes the first RT. After receiving the first notification message, the first communication device can perform route crossing based on the first RT and thus determine the VRF ID from the first RT.
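The control-plane side of S303 described above, from the RT-based VRF lookup to the tunnel resolution of implementation manners 1 and 2, as an added example that is not the patent's own code or any vendor implementation. The message layout, the tunnel table, the route-target values and the modelling of route crossing as a match against each VPN instance's import RT set are assumptions made for this illustration; the sample tunnels and VPN instance are constructed. The example also adds a consistency check the text does not state: a tunnel identifier carried in the message is only installed if that tunnel actually terminates at the redirected next hop.

```python
"""Control-plane side of S303: turning a received notification message into a
flow rule forwarding entry. Added example, not the patent's code. The message
layout, the tunnel table and the RT-to-VRF mapping are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Tunnel:
    """One public network tunnel known to the first communication device (PE1)."""
    tunnel_id: int
    tunnel_type: str      # tunnel type information, e.g. "LDP" or "TE"
    dst_public_ip: str    # public network IP address the tunnel terminates on


@dataclass(frozen=True)
class Notification:
    """First notification message from the controller (fields as in the text;
    the concrete encoding is an assumption)."""
    rt: str                            # first RT (VPN Flowspec neighbor case)
    vpn_label: int
    flow_rule: dict                    # e.g. {"src": "100.1.1.1/32", "dst": "200.2.2.2/32"}
    next_hop: str                      # redirected first next hop: public IP of PE2
    tunnel_id: Optional[int] = None    # first tunnel identifier, if carried
    tunnel_type: Optional[str] = None  # tunnel type information, if carried


@dataclass(frozen=True)
class FlowRuleForwardingEntry:
    """What the control plane delivers to the forwarding plane (implementation 3)."""
    vrf_id: int
    index: int            # first index: where the flow rule itself is stored
    vpn_label: int
    next_hop: str
    tunnel_id: int
    tunnel_type: str


def resolve_vrf_id(rt: str, vrf_import_rts: Dict[int, Set[str]]) -> int:
    """Route crossing (implementation manner 2 of VRF ID acquisition), modelled as:
    the RT carried in the message selects the VPN instance whose import RT set
    contains it. A message whose RT matches no VRF is rejected, not installed."""
    for vrf_id, rts in vrf_import_rts.items():
        if rt in rts:
            return vrf_id
    raise LookupError(f"no VPN instance imports RT {rt}")


def resolve_tunnel(next_hop: str, tunnels: List[Tunnel],
                   tunnel_type: Optional[str] = None) -> Tunnel:
    """Tunnel iteration (implementation manner 1) and selection by type (manner 2):
    keep the tunnels that reach the redirected next hop, then, if the message
    carried tunnel type information, keep only tunnels of that type. When more
    than one candidate remains, the first in table order is taken (assumption)."""
    candidates = [t for t in tunnels if t.dst_public_ip == next_hop]
    if tunnel_type is not None:
        candidates = [t for t in candidates if t.tunnel_type == tunnel_type]
    if not candidates:
        raise LookupError(f"no public network tunnel to {next_hop}"
                          + (f" of type {tunnel_type}" if tunnel_type else ""))
    return candidates[0]


def build_entry(msg: Notification, index: int,
                vrf_import_rts: Dict[int, Set[str]], tunnels: List[Tunnel],
                flow_rule_store: Dict[int, dict]) -> FlowRuleForwardingEntry:
    """Generate the first association relationship as a flow rule forwarding entry."""
    vrf_id = resolve_vrf_id(msg.rt, vrf_import_rts)
    if msg.tunnel_id is None:
        tunnel = resolve_tunnel(msg.next_hop, tunnels, msg.tunnel_type)
    else:
        # Tunnel identifier carried in the message: verify that it names a tunnel
        # that really terminates at the redirected next hop (and has the stated
        # type) before installing it. This check is added here; the text does not
        # state it.
        by_id = {t.tunnel_id: t for t in tunnels}
        tunnel = by_id.get(msg.tunnel_id)
        if tunnel is None or tunnel.dst_public_ip != msg.next_hop:
            raise LookupError(f"tunnel {msg.tunnel_id} does not reach {msg.next_hop}")
        if msg.tunnel_type is not None and tunnel.tunnel_type != msg.tunnel_type:
            raise LookupError(f"tunnel {msg.tunnel_id} is not of type {msg.tunnel_type}")
    flow_rule_store[index] = msg.flow_rule   # the first index points at the rule
    return FlowRuleForwardingEntry(vrf_id, index, msg.vpn_label, msg.next_hop,
                                   tunnel.tunnel_id, tunnel.tunnel_type)


# Constructed sample data (not from the patent): PE1 has an LDP tunnel and a TE
# tunnel to PE2's address 1.1.1.1, and VPN1 (VRF ID 1) imports the RT "100:1".
TUNNELS = [Tunnel(1, "LDP", "1.1.1.1"), Tunnel(2, "TE", "1.1.1.1")]
VRF_IMPORT_RTS = {1: {"100:1"}, 2: {"100:2"}}
M1 = Notification(rt="100:1", vpn_label=100,
                  flow_rule={"src": "100.1.1.1/32", "dst": "200.2.2.2/32"},
                  next_hop="1.1.1.1", tunnel_type="LDP")

if __name__ == "__main__":
    store: Dict[int, dict] = {}
    print(build_entry(M1, 1, VRF_IMPORT_RTS, TUNNELS, store))
```

With the sample message M1 (RT "100:1", label 100, next hop 1.1.1.1, type LDP) the result is the entry of the worked example later in the text: VRF ID 1, index 1, label 100, next hop 1.1.1.1, tunnel 1 of type LDP. Changing the type to TE selects tunnel 2; omitting the type falls back to implementation manner 1 and takes the first tunnel to that address.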
The above describes how the first communication device obtains the first traffic filtering information from the first notification message sent by the controller. The process by which the first communication device forwards traffic is described below with reference to FIG. 5. It can be understood that the method shown in FIG. 5 is performed by the forwarding plane of the first communication device. The first flow rule forwarding entry may be generated by the first communication device from the first notification message, or may be configured on the first communication device by the network management device.
Referring to FIG. 5, this figure is a signaling interaction diagram of a packet sending method 500 provided in an embodiment of this application, which includes the following S501 to S504.
S501: The first communication device receives a first packet.
In this embodiment, the source device and the destination device of the first packet are devices in the VPN, and the first communication device receives the first packet through an inbound interface bound to the VPN. Taking FIG. 1-A as an example, the first packet may be a packet sent by device 1 to device 2 in FIG. 1-A; its destination address is then the private network IP address 200.2.2.2 of device 2, and its source address is the private network IP address 100.1.1.1 of device 1. PE1 receives the first packet through inbound interface A1, which is bound to VPN1.
S502: The first communication device determines that the first packet matches the first flow rule.
After receiving the first packet, the first communication device determines the VRF ID corresponding to the first packet from the inbound interface on which it was received, and then determines from the VRF ID that the first packet is to be forwarded based on the first traffic filtering information. Next, the first communication device determines whether the first packet matches the first flow rule.
As described in the embodiment corresponding to FIG. 3, the first communication device stores the first association relationship as a first flow rule forwarding entry. Correspondingly, the first communication device may determine the first flow rule forwarding entry from the VRF ID corresponding to the first packet, determine the first flow rule from the first index in that entry, and then determine whether the first packet matches the first flow rule.
If the first packet matches the first flow rule, the first communication device forwards the first packet according to the first traffic filtering action, performing S503 and S504. If the first packet does not match the first flow rule, and also matches no other flow rule corresponding to the VRF ID, the first communication device may look up the VPN routing table and forward the first packet according to it.
S503: The first communication device adds the VPN label to the first packet.
S504: The first communication device sends the first packet, with the VPN label added, to the first next hop.
After determining that the first packet matches the first flow rule, the first communication device forwards the first packet according to the first traffic filtering action. Specifically, it adds the VPN label to the first packet and sends the labeled first packet to the first public network IP address of the second communication device.
As described above, the first flow rule forwarding entry may include the first tunnel identifier. Correspondingly, the first communication device may determine the first tunnel from the first tunnel identifier and send the labeled first packet through the first tunnel.
As can be seen from the above, through the first traffic filtering information the controller can configure the first association relationship on the first communication device. After receiving VPN traffic, the first communication device can determine whether the VPN traffic matches the first flow rule. If it does, the first communication device determines from the first association relationship the VPN label and the first next hop corresponding to the first flow rule, adds the VPN label to the packets of the VPN traffic, and forwards them to the first next hop. The first communication device can thus forward VPN traffic according to the first traffic filtering information, which avoids a lookup of the VPN routing table and reduces the forwarding delay of the first communication device.
In addition, because the first traffic filtering information is either configured on the first communication device by the network management device or obtained by the first communication device from the first notification message sent by the controller, the first association relationship can be adjusted by reconfiguring the first traffic filtering information or sending a new first notification message, without re-advertising routes and adjusting the VPN routing table. The forwarding path of traffic can therefore be adjusted flexibly.
The methods shown in FIG. 3 and FIG. 5 are described below in combination with the application scenario shown in FIG. 1-A, taking the case in which the control and management device is a controller as an example.
To forward the VPN traffic of VPN1, the controller generates notification message M1 and sends it to PE1. Notification message M1 includes the first RT, the VPN label 100 of VPN1, flow rule 1, and the first public network IP address 1.1.1.1 of PE2 as the redirected first next hop. Flow rule 1 (the first flow rule) is used to match traffic sent from device 1 to device 2.
After receiving notification message M1, PE1 performs route crossing based on the first RT to obtain VRF ID1 of VPN1, and generates flow rule forwarding entry 1. Flow rule forwarding entry 1 includes VRF ID1, flow rule index 1 corresponding to flow rule 1, the public network IP address 1.1.1.1 of PE2, the tunnel type information LDP of public network tunnel 1, tunnel identifier 1 of public network tunnel 1, and VPN label 100.
Assume that device 1 sends packet N1 to device 2 over the public network; PE1 receives packet N1, forwarded by CE1, through inbound interface A1. From inbound interface A1, PE1 determines that packet N1 corresponds to VRF ID1, and determines from flow rule forwarding entry 1 whether packet N1 matches flow rule 1. After determining that packet N1 matches flow rule 1, PE1 adds VPN label 100 of VPN1 to packet N1 and sends the labeled packet N1 to PE2 through public network tunnel 1, thereby forwarding the VPN traffic. The transmission of packet N1 may be as shown in FIG. 1-C.
As can be seen, PE1 can generate flow rule forwarding entry 1 from the notification message sent by the controller. Flow rule forwarding entry 1 instructs PE1 to forward packets matching flow rule 1 to the first public network IP address of PE2. After receiving a packet, PE1 can determine whether it matches flow rule 1; if so, PE1 determines from flow rule forwarding entry 1 the VPN label 100 and the public network tunnel 1 through which to forward the packet. PE1 therefore need not forward VPN1's traffic according to the VPN routing table of VPN1, which avoids a VPN routing table lookup, reduces the time PE1 takes to forward packets, and improves the forwarding performance of VPN1 traffic.
In some possible implementations, multiple forwarding paths exist between the first communication device and the second communication device. For example, in the application scenario shown in FIG. 1-B, two public network tunnels, public network tunnel 1 and public network tunnel 2, exist between PE1 and PE2, corresponding to two forwarding paths. In this embodiment, traffic filtering actions can be used to steer specific traffic over a specific forwarding path.
Specifically, the first communication device may obtain second traffic filtering information, which includes the VPN label, a second flow rule, and a second traffic filtering action. The second traffic filtering action includes a redirected second next hop, which is the second public network IP address of the second communication device. The first communication device forwards traffic matching the second flow rule according to the second traffic filtering information; that is, for a packet matching the second flow rule, the first communication device adds the VPN label and sends the packet to the second public network IP address of the second communication device. Thus, VPN traffic matching the first flow rule is sent to the first public network IP address of the second communication device, and VPN traffic matching the second flow rule is sent to the second public network IP address of the second communication device. VPN traffic passing through the same device (the second communication device) is therefore sent over different transmission paths, achieving flexible forwarding of VPN traffic.
Like the first traffic filtering information, the second traffic filtering information may be configured on the first communication device by the network management device, or obtained by the first communication device from a notification message sent by the controller. In the latter case, the second traffic filtering information and the first traffic filtering information may be carried in the same notification message or in different notification messages. If the second traffic filtering information is carried in a separate notification message, that message is called the second notification message, to distinguish it from the first notification message carrying the first traffic filtering information.
The following description, with reference to the accompanying drawings, takes as an example the case in which the first communication device obtains the second traffic filtering information from a second notification message sent by the controller.
Referring to FIG. 6, this figure is another signaling interaction diagram of a traffic forwarding method 600 provided in an embodiment of this application, which includes the following steps S601 to S607. It can be understood that the solution shown in FIG. 6 may be implemented on the basis of any of the implementations corresponding to FIG. 2, FIG. 3, and FIG. 5.
S601: The controller obtains a second notification message.
To enable the first communication device to obtain the second traffic filtering information, the controller obtains a second notification message and sends it to the first communication device. Like the first notification message, the second notification message may be generated by the controller or sent to the controller by a higher-level controller.
The second notification message is used to advertise the second traffic filtering information, which includes the VPN label, the second flow rule, and the second traffic filtering action. The VPN label in the second traffic filtering information is the same VPN label as in the first traffic filtering information. The second traffic filtering action includes the redirected second next hop, which is the second public network IP address of the second communication device. That is, the second traffic filtering information instructs the device to add the VPN label to packets matching the second flow rule and send them to the second public network IP address of the second communication device.
In this embodiment, the first public network IP address of the second communication device may be the public network IP address of one interface on the second communication device, and the second public network IP address may be that of another interface. Taking FIG. 1-B as an example, the first public network IP address of the second communication device may be the public network IP address 2.2.2.2 of interface B1 on PE2, and the second public network IP address may be the public network IP address 22.22.22.22 of interface B2 on PE2.
Like the first notification message, the second notification message may include a second tunnel identifier and/or tunnel type information of a second tunnel. The second tunnel identifier identifies the second tunnel, which is the public network tunnel from the first communication device to the second public network IP address of the second communication device. Still taking FIG. 1-B as an example, if the first public network IP address of the second communication device is the public network IP address 2.2.2.2 of interface B1 and the second public network IP address is the public network IP address 22.22.22.22 of interface B2, then the first tunnel is public network tunnel 1 in FIG. 1-B and the second tunnel is public network tunnel 2 in FIG. 1-B.
For details of the second notification message and the second traffic filtering information, refer to the description of the first notification message and the first traffic filtering information in FIG. 2 and FIG. 3, which is not repeated here.
S602: The controller sends the second notification message to the first communication device.
It can be understood that the controller may send the first notification message and the second notification message together or separately. In the implementation shown in FIG. 6, the first traffic filtering information and the second traffic filtering information are sent in two different notification messages (the first notification message and the second notification message). In some other possible implementations, the first traffic filtering information and the second traffic filtering information are sent in the same notification message.
S603: The first communication device generates a second association relationship according to the second notification message.
After receiving the second notification message, the first communication device generates the second association relationship from it. The second association relationship indicates that packets matching the second flow rule are to be encapsulated with the VPN label and sent to the second public network IP address of the second communication device. Specifically, the second association relationship is an association among the VPN label, the second flow rule, and the second public network IP address; or among the VPN label, the second flow rule, the second tunnel identifier, and the second public network IP address; or among the VPN label, the second flow rule, the second tunnel identifier, the tunnel type information of the second tunnel, and the second public network IP address.
Like the first association relationship, the second association relationship may be stored in the forwarding plane of the first communication device as a second flow rule forwarding entry. The second flow rule forwarding entry includes the VPN label, a second index, and the second public network IP address; or the VPN label, the second index, the second tunnel identifier, and the second public network IP address; or the VPN label, the second index, the second tunnel identifier, the tunnel type information of the second tunnel, and the second public network IP address. The second index is used to index the second flow rule; for example, it may identify the storage location of the second flow rule. Optionally, the second flow rule forwarding entry may also include the second flow rule.
In S601 to S603 above, the second association relationship is obtained by the first communication device from the second notification message sent by the controller. In some other possible implementations, the second association relationship may instead be configured on the first communication device by the network management device.
S604:第一通信装置接收第二报文。S604: The first communication device receives the second message.
In this embodiment of the present application, the source device and the destination device of the second packet are devices in the VPN, the destination device and the source device of the second packet are connected through a public network, and the first communication device receives the second packet through an inbound interface bound to the VPN. Optionally, the destination device of the second packet is different from the destination device of the first packet. Taking FIG. 1-B as an example, if the first packet is a packet sent by device 1 to device 2, the second packet may be a packet sent by device 1 to device 3.
S605: The first communication device determines whether the second packet matches the first flow rule or the second flow rule.
After receiving the second packet, the first communication device determines the VPN identifier corresponding to the second packet according to the inbound interface on which the second packet was received, and determines, according to the VPN identifier, whether the second packet matches the first flow rule in the first association relationship or the second flow rule in the second association relationship. If the second packet matches the first flow rule in the first association relationship, the first communication device forwards the second packet according to the method shown in S503 and S504. If the second packet matches the second flow rule in the second association relationship, the first communication device forwards the second packet according to the method shown in S606 and S607. If the second packet matches neither the first flow rule nor the second flow rule, and does not match any other flow rule corresponding to the VPN identifier, the first communication device forwards the second packet according to the VPN routing table.
S606: The first communication device adds a VPN label to the second packet.
S607: The first communication device sends the second packet to which the VPN label has been added to the first next hop.
After determining that the second packet matches the second flow rule, the first communication device adds a VPN label to the second packet and sends the second packet with the VPN label added to the second public network IP address of the second communication device. In a possible implementation, the first communication device sends the second packet with the VPN label added to the second communication device through the second tunnel.
As described above, the first communication device can transmit different traffic to the second communication device over different transmission paths. Carrying different traffic to the same device over different paths achieves differentiated transmission of traffic and can better meet the transmission requirements of the traffic.
For example, assume that the first service traffic and the second service traffic have different requirements on network performance indicators. The first service traffic and the second service traffic can then be distinguished by the first flow rule and the second flow rule, the first service traffic forwarded through the first tunnel, which meets the requirements of the first service traffic, and the second service traffic forwarded through the second tunnel, which meets the requirements of the second service traffic. Alternatively, if a large amount of VPN traffic passes through the first communication device to the second communication device, the VPN traffic can be split by the first flow rule and the second flow rule so that it is forwarded over two forwarding paths, achieving load sharing and reducing the pressure on the forwarding paths.
In addition, the first flow rule forwarding entry and the second flow rule forwarding entry are generated by the first communication device according to notification messages sent by the controller. If the forwarding path corresponding to the first flow rule and/or the second flow rule needs to be adjusted, a new notification message can be delivered so that the first communication device generates a new flow rule forwarding entry. In this way the VPN routes do not need to be re-advertised, which improves the flexibility of VPN traffic forwarding.
The method shown in FIG. 6 is described below with reference to the application scenario shown in FIG. 1-B, taking a controller as the control management device by way of example.
To forward the traffic of VPN1, the controller generates notification message M1 and notification message M2 and sends both to PE1. Notification message M1 was introduced above. Notification message M2 includes the first RT, the VPN label 100 of VPN1, flow rule 2, and the second public network IP address 22.22.22.22 of PE2 as the redirected second next hop. Flow rule 2 is used to match the traffic sent from device 1 to device 3.
After receiving notification message M2, PE1 performs route crossing according to the first RT to obtain VRF ID1 of VPN1 and generates flow rule forwarding entry 2. Flow rule forwarding entry 2 includes VRF ID1, flow rule index 2 corresponding to flow rule 2, the second public network IP address 22.22.22.22 of PE2, the tunnel type information TE of public network tunnel 2, tunnel identifier 2 of public network tunnel 2, and the VPN label 100.
Assume that device 1 sends packet N1 to device 2 through the public network. PE1 can receive packet N1 through inbound interface A1 and forward packet N1 through public network tunnel 1. The specific forwarding process is described above.
Assume that device 1 sends packet N2 to device 3 through the public network. PE1 can receive packet N2 through inbound interface A1. According to inbound interface A1 on which packet N2 was received, PE1 determines that packet N2 corresponds to VRF ID1, and determines according to flow rule forwarding entry 1 and flow rule forwarding entry 2 whether packet N2 matches flow rule 1 or flow rule 2. After determining that packet N2 matches flow rule 2, PE1 adds the VPN label 100 of VPN1 to packet N2 and sends packet N2 with the VPN label 100 added to PE2 through public network tunnel 2, thereby forwarding the VPN traffic. The transmission process of packet N2 may be as shown in FIG. 1-D.
It can be seen from the above description that PE1 obtains flow rule forwarding entry 1 and flow rule forwarding entry 2 corresponding to VPN1. Flow rule forwarding entry 1 instructs PE1 to forward packets matching flow rule 1 to the first public network IP address of PE2, and flow rule forwarding entry 2 instructs PE1 to forward packets matching flow rule 2 to the second public network IP address of PE2. After receiving traffic corresponding to VPN1, PE1 can therefore determine whether the traffic matches flow rule 1 or flow rule 2. If the traffic matches flow rule 1, PE1 forwards it to the first public network IP address of PE2 as indicated by flow rule forwarding entry 1; if the traffic matches flow rule 2, PE1 forwards it to the second public network IP address of PE2 as indicated by flow rule forwarding entry 2. In this way, flow rule 1 and flow rule 2 distinguish the traffic passing through PE2, achieving flexible forwarding of traffic.
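The ingress lookup of S605 to S607 and the PE1 walkthrough above, as an added illustration that is not part of the patent: a flow rule forwarding entry carries the VRF ID, rule index, redirect next hop, tunnel type, tunnel identifier and VPN label listed on the page, lookups are scoped to the VRF derived from the inbound interface, and an unmatched packet falls back to the VPN routing table. The source/destination match key, PE2's first public IP (11.11.11.11), the type of tunnel 1 (LDP) and the route for "device4" are constructed placeholders, since this page does not state them.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    """Flow rule identified by its index. The page states only which traffic each
    rule matches (device 1 -> device 2, device 1 -> device 3), so a
    source/destination pair is the assumed match key."""
    index: int
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return self.src == src and self.dst == dst


@dataclass(frozen=True)
class FlowRuleEntry:
    """Flow rule forwarding entry with the fields the page lists: VRF ID, flow
    rule index, redirect next hop (a public IP of PE2), tunnel type, tunnel
    identifier and VPN label."""
    vrf_id: int
    rule_index: int
    next_hop: str
    tunnel_type: str
    tunnel_id: int
    vpn_label: int


@dataclass(frozen=True)
class Decision:
    """Outcome of the ingress lookup for one packet."""
    path: str                  # "flow-rule", "vpn-route" or "drop"
    next_hop: Optional[str]
    tunnel_id: Optional[int]
    vpn_label: Optional[int]   # label pushed onto the packet before it leaves


class IngressPE:
    """Simplified ingress PE holding the per-VRF flow rule associations."""

    def __init__(self) -> None:
        self.iface_vrf: Dict[str, int] = {}                      # inbound interface -> VRF ID
        self.rules: Dict[int, FlowRule] = {}                     # rule index -> rule
        self.entries: Dict[Tuple[int, int], FlowRuleEntry] = {}  # (VRF ID, rule index) -> entry
        self.vpn_routes: Dict[Tuple[int, str], str] = {}         # (VRF ID, destination) -> next hop

    def bind_interface(self, iface: str, vrf_id: int) -> None:
        self.iface_vrf[iface] = vrf_id

    def install(self, rule: FlowRule, entry: FlowRuleEntry) -> None:
        """Record the association between a flow rule and its forwarding entry.
        A later notification for the same (VRF, rule) replaces the entry, which
        is how a path is re-steered without re-advertising VPN routes."""
        if rule.index != entry.rule_index:
            raise ValueError("entry must reference the rule it is installed with")
        self.rules[rule.index] = rule
        self.entries[(entry.vrf_id, rule.index)] = entry

    def lookup(self, ingress: str, src: str, dst: str) -> Decision:
        """S605-S607: derive the VRF from the inbound interface, try that VRF's
        flow rules, otherwise fall back to the VPN routing table."""
        vrf_id = self.iface_vrf.get(ingress)
        if vrf_id is None:                   # interface not bound to any VPN
            return Decision("drop", None, None, None)
        # Only entries belonging to this VRF are consulted, lowest rule index first,
        # so a rule of one VPN can never steer another VPN's traffic into its tunnel.
        for (v, idx), entry in sorted(self.entries.items(), key=lambda kv: kv[0]):
            if v == vrf_id and self.rules[idx].matches(src, dst):
                return Decision("flow-rule", entry.next_hop, entry.tunnel_id, entry.vpn_label)
        nh = self.vpn_routes.get((vrf_id, dst))
        if nh is None:
            return Decision("drop", None, None, None)
        # Ordinary VPN route; the label carried by that route is not modelled here.
        return Decision("vpn-route", nh, None, None)


def build_pe1() -> IngressPE:
    """PE1 as configured in the FIG. 1-B walkthrough. PE2's first public IP,
    the type of public network tunnel 1 and the route for 'device4' are not
    given on this page and are constructed placeholders."""
    pe1 = IngressPE()
    pe1.bind_interface("A1", 1)                                     # A1 is bound to VPN1 (VRF ID1)
    pe1.install(FlowRule(1, "device1", "device2"),
                FlowRuleEntry(1, 1, "11.11.11.11", "LDP", 1, 100))  # placeholder IP and tunnel type
    pe1.install(FlowRule(2, "device1", "device3"),
                FlowRuleEntry(1, 2, "22.22.22.22", "TE", 2, 100))   # entry 2 as listed on the page
    pe1.vpn_routes[(1, "device4")] = "22.22.22.22"                  # constructed plain VPN route
    return pe1


if __name__ == "__main__":
    pe1 = build_pe1()
    print(pe1.lookup("A1", "device1", "device2"))   # flow rule 1 -> tunnel 1, label 100
    print(pe1.lookup("A1", "device1", "device3"))   # flow rule 2 -> tunnel 2, label 100
    print(pe1.lookup("A1", "device1", "device4"))   # no rule -> VPN routing table
```

Re-installing rule 2 with a different entry changes its tunnel without touching the VPN routes, which is the re-steering the page describes.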
Referring to FIG. 7, an embodiment of the present application further provides a device 700. The device 700 can implement the functions of the first communication device in method 200 corresponding to the embodiment shown in FIG. 2, method 300 corresponding to the embodiment shown in FIG. 3, method 500 corresponding to the embodiment shown in FIG. 5, and method 600 corresponding to the embodiment shown in FIG. 6. Alternatively, the device 700 can implement the functions of the control management device (or controller) in method 200 corresponding to the embodiment shown in FIG. 2, method 300 corresponding to the embodiment shown in FIG. 3, method 500 corresponding to the embodiment shown in FIG. 5, and method 600 corresponding to the embodiment shown in FIG. 6.
The device 700 includes a transceiver module 710 and a processing module 720. The transceiver module 710 is configured to perform the receiving and/or sending operations performed by the first communication device in the methods corresponding to the above embodiments, and the processing module 720 is configured to perform the operations other than the receiving and/or sending operations performed by the first communication device in those methods. Alternatively, the transceiver module 710 is configured to perform the receiving and/or sending operations performed by the control management device in the methods corresponding to the above embodiments, and the processing module 720 is configured to perform the operations other than the receiving and/or sending operations performed by the control management device in those methods.
For example, when the device 700 is specifically used to implement the functions of the first communication device in method 200, the processing module 720 is configured to obtain first traffic filtering information, where the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action, the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop; and the transceiver module 710 is configured to forward traffic matching the first flow rule according to the first traffic filtering information.
In an example, when the device 700 is specifically used to implement the functions of the first communication device in method 300, the transceiver module 710 is configured to receive a first notification message sent by the controller, where the first notification message includes first traffic filtering information, and the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action. The first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop. The processing module 720 is configured to generate a first association relationship according to the first traffic filtering information.
In an example, when the device 700 is specifically used to implement the functions of the first communication device in method 500, the transceiver module 710 is configured to receive a first packet and to send the first packet with a VPN label added, and the processing module 720 is configured to determine whether the first packet matches a first flow rule, to determine the VPN label and a first traffic filtering action according to a first association relationship, where the first association relationship includes the association among the first flow rule, the VPN label and the first traffic filtering action, the first traffic filtering action includes a redirected first next hop, and the redirected first next hop is the first public network IP address of the second communication device, and to add the VPN label to the first packet.
In an example, when the device 700 is specifically used to implement the functions of the first communication device in method 600, the transceiver module 710 is configured to receive a second notification message, to receive a second packet, and to send the second packet with the VPN label added to the second communication device. The second notification message includes second traffic filtering information, the second traffic filtering information includes the VPN label, a second flow rule and a second traffic filtering action, the second traffic filtering action carries a redirected second next hop, and the redirected second next hop is the second public network IP address of the second communication device. The processing module 720 is configured to generate a second association relationship according to the second notification message and, in response to the second packet matching the second flow rule, to add the VPN label to the second packet.
In an example, when the device 700 is specifically used to implement the functions of the control management device in method 200, the processing module 720 is configured to obtain first traffic filtering information, where the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action, the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop. The transceiver module 710 is configured to send the first traffic filtering information to the first communication device.
In an example, when the device 700 is specifically used to implement the functions of the control management device in method 300, the processing module 720 is configured to obtain a first notification message, where the first notification message includes first traffic filtering information, the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action, the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop. The transceiver module 710 is configured to send the first notification message to the first communication device.
In an example, when the device 700 is specifically used to implement the functions of the control management device in method 600, the processing module 720 is configured to obtain a second notification message, where the second notification message includes second traffic filtering information, the second traffic filtering information includes the VPN label, a second flow rule and a second traffic filtering action, the second traffic filtering action includes a redirected second next hop, the redirected second next hop is the second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop. The transceiver module 710 is configured to send the second notification message to the first communication device.
For the specific execution process, refer to the detailed description of the corresponding steps in the embodiments shown in FIG. 2, FIG. 3, FIG. 5 and FIG. 6 above; details are not repeated here.
It should be noted that the division of modules in the embodiments of the present application is schematic and is only a division by logical function; other divisions are possible in actual implementation. The functional modules in the embodiments of the present application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one unit. For example, in the above embodiments the obtaining unit and the processing unit may be the same module or different modules. The integrated modules may be implemented in the form of hardware or in the form of software functional modules.
An embodiment of the present application further provides a network system for implementing the traffic forwarding method, the packet sending method and the message sending method in the foregoing method embodiments. The network system includes a network device and a control management device. The network device can implement the functions of the first communication device in the above method embodiments, and the control management device can implement the functions of the control management device in the above method embodiments. For the specific execution process, refer to the detailed description of the corresponding steps in the above method embodiments; details are not repeated here.
FIG. 8 is a schematic structural diagram of a device 800 provided in an embodiment of the present application. The device 700 above may be implemented by the device shown in FIG. 8. Referring to FIG. 8, the device 800 includes at least one processor 801, a communication bus 802, a memory 803 and at least one network interface 804.
The processor 801 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 801 may refer to one processor or may include multiple processors, for example the processor 801 and the processor 805 shown in FIG. 8. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
For example, when the first communication device in FIG. 2 is implemented by the device shown in FIG. 8, the processor may be configured to obtain first traffic filtering information, where the first traffic filtering information includes a VPN label, a first flow rule and a first traffic filtering action, the first traffic filtering action includes a redirected first next hop, the redirected first next hop is the first public network IP address of the second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop; and to forward traffic matching the first flow rule according to the first traffic filtering information.
The communication bus 802 is used to transfer information between the processor 801, the network interface 804 and the memory 803.
The memory 803 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory 803 may exist independently and be connected to the processor 801 through the communication bus 802, or may be integrated with the processor 801. The memory 803 may refer to one memory or may include multiple memories. In one implementation, the memory 803 stores computer-readable instructions, and the computer-readable instructions include a plurality of software modules, for example a transceiver module and a processing module. After executing each software module, the processor 1003 can perform the corresponding operations according to the instructions of that software module. In the embodiments of the present application, an operation performed by a software module actually refers to an operation performed by the processor according to the instructions of that software module.
Optionally, the processor 801 may also store the program code or instructions for executing the technical solutions provided in the embodiments of the present application, in which case the processor 801 does not need to read the program code or instructions from the memory 1003.
The network interface 804 may be a transceiver-type apparatus for communicating with other devices or a communication network, and the communication network may be Ethernet, a radio access network (RAN), a wireless local area network (WLAN), or the like. In the embodiments of the present application, the network interface 1004 may be used to receive packets sent by other nodes in a segment routing network and to send packets to other nodes in the segment routing network. The network interface 804 may be an Ethernet interface, a Fast Ethernet (FE) interface, a Gigabit Ethernet (GE) interface, or the like.
In a specific implementation, as an embodiment, the device 800 may include multiple processors, for example the processor 801 and the processor 805 shown in FIG. 8. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
FIG. 9 is a schematic structural diagram of a device 900 provided in an embodiment of the present application. Each device in FIG. 1-A and FIG. 1-B may be implemented by the device shown in FIG. 9. The device 900 may specifically be configured to implement any one or more operations in the methods corresponding to the foregoing method embodiments. Referring to the schematic structural diagram shown in FIG. 9, the device 900 includes a main control board and one or more interface boards, and the main control board is communicatively connected to the interface boards. The main control board is also called a main processing unit (MPU) or route processor card; it includes a CPU and a memory and is responsible for controlling and managing the components of the device 900, including route computation, device management and maintenance functions. The interface board is also called a line processing unit (LPU) or line card and is used to receive and send packets. In some embodiments, the main control board and the interface boards, or the interface boards among themselves, communicate through a bus. In some embodiments, the interface boards communicate through a switch fabric board; in this case the device 900 also includes a switch fabric board, which is communicatively connected to the main control board and the interface boards and forwards data between the interface boards. The switch fabric board may also be called a switch fabric unit (SFU). The interface board includes a CPU, a memory, a forwarding engine and an interface card (IC), where the interface card may include one or more network interfaces. A network interface may be an Ethernet interface, an FE interface, a GE interface, or the like. The CPU is communicatively connected to the memory, the forwarding engine and the interface card respectively. The memory is used to store the forwarding table. The forwarding engine forwards received packets based on the forwarding table stored in the memory: if the destination address of a received packet is an IP address of the device 900, the packet is sent to the CPU of the main control board or the interface board for processing; if the destination address of the received packet is not an IP address of the device 900, the forwarding table is looked up according to the destination address, and if a next hop and outbound interface corresponding to the destination address are found in the forwarding table, the packet is forwarded to the outbound interface corresponding to the destination address. The forwarding engine may be a network processor (NP). The interface card, also called a daughter card, can be installed on the interface board and is responsible for converting optical and electrical signals into data frames, checking the validity of the data frames, and then forwarding them to the forwarding engine for processing or to the CPU of the interface board. In some embodiments, the CPU can also perform the function of the forwarding engine, for example by implementing software forwarding on a general-purpose CPU, so that no forwarding engine is needed in the interface board. In some embodiments, the forwarding engine may be implemented by an ASIC or a field-programmable gate array (FPGA). In some embodiments, the memory storing the forwarding table may also be integrated into the forwarding engine as part of the forwarding engine.
An embodiment of the present application further provides a chip system including a processor, where the processor is coupled to a memory, the memory is used to store a program or instructions, and when the program or instructions are executed by the processor, the chip system implements the traffic forwarding method or the packet sending method performed by the first communication device in the embodiments shown in FIG. 2, FIG. 3, FIG. 5 and FIG. 6 above, or implements the message sending method performed by the control management device in the embodiments shown in FIG. 2, FIG. 3, FIG. 5 and FIG. 6 above.
Optionally, the chip system may include one or more processors. The processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor that operates by reading software code stored in a memory.
Optionally, the chip system may also include one or more memories. The memory may be integrated with the processor or arranged separately from the processor, which is not limited in this application. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated with the processor on the same chip or arranged on different chips; this application does not specifically limit the type of the memory or the way the memory and the processor are arranged.
For example, the chip system may be an FPGA, an ASIC, a system on chip (SoC), a CPU, an NP, a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD), or another integrated chip.
应理解,上述方法实施例中的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。结合本申请实施例所公开的方法步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。It should be understood that each step in the foregoing method embodiments may be implemented by an integrated logic circuit of hardware in a processor or instructions in the form of software. The method steps disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
本申请实施例还提供了一种计算机可读存储介质,包括指令,当其在处理器上运行时,实现以上任一方法实施例提供的、由第一通信装置执行的方法中的任意一个或多个操作,或实现以上任一方法实施例提供的、由控制管理设备执行的方法中的任意一个或多个操作。The embodiment of the present application also provides a computer-readable storage medium, including instructions, which, when running on a processor, implement any one or more operations in the method performed by the first communication device provided in any of the above method embodiments, or implement any one or more operations in the method performed by the control management device provided in any of the above method embodiments.
本申请实施例还提供了一种包含指令的计算机程序产品,当其在处理器上运行时,实现以上任一方法实施例提供的由第一通信装置执行的方法中的任意一个或多个操作,或实现以上任一方法实施例提供的、由控制管理设备执行的方法中的任意一个或多个操作。The embodiment of the present application also provides a computer program product containing instructions, which, when running on a processor, implements any one or more operations in the method performed by the first communication device provided in any of the above method embodiments, or implements any one or more operations in the method performed by the control management device provided in any of the above method embodiments.
The terms "first", "second", "third", "fourth" and so on (if any) in the specification, claims and above drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so termed are interchangeable under appropriate circumstances, so that the embodiments described here can be implemented in an order other than that illustrated or described here. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division into logical modules, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Moreover, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments.
In addition, the module units in the embodiments of the present application may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software module unit.
If the integrated unit is implemented in the form of a software module unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art should be aware that, in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above descriptions are merely specific embodiments of the present invention.
The above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (37)

  1. A traffic forwarding method, characterized in that it is performed by a first communication device and comprises:
    obtaining first traffic filtering information, the first traffic filtering information comprising a virtual private network (VPN) label, a first flow rule and a first traffic filtering action, wherein the first traffic filtering action comprises a redirected first next hop, the redirected first next hop is a first public network Internet Protocol (IP) address of a second communication device, and the first traffic filtering action instructs the first communication device to forward traffic matching the first flow rule to the first next hop;
    forwarding traffic matching the first flow rule according to the first traffic filtering information.
  2. The method according to claim 1, characterized in that the first traffic filtering information further comprises tunnel type information, the tunnel type information indicates a type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
  3. The method according to claim 1, characterized in that obtaining the first traffic filtering information comprises:
    receiving a Border Gateway Protocol (BGP) message sent by a controller, the BGP message comprising the first traffic filtering information.
  4. The method according to claim 3, characterized in that the BGP message comprises a first extended community attribute, and the first extended community attribute carries the VPN label.
  5. The method according to claim 4, characterized in that the first extended community attribute further comprises a tunnel type field, the tunnel type field carries tunnel type information, the tunnel type information indicates a type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
  6. The method according to claim 1 or 2, characterized in that obtaining the first traffic filtering information comprises:
    receiving a Path Computation Element Communication Protocol (PCEP) message sent by a controller, the PCEP message comprising the first traffic filtering information.
  7. The method according to any one of claims 1-6, characterized in that, before forwarding traffic matching the first flow rule according to the first traffic filtering information, the method further comprises:
    iterating (resolving) a first tunnel according to the first public network IP address, the first tunnel being a first public network tunnel established between the first communication device and the second communication device;
    storing a first association relationship on the forwarding plane, the first association relationship comprising an association among the VPN label, the first flow rule, the first public network IP address and a first tunnel identifier, the first tunnel identifier being used to identify the first tunnel.
  8. The method according to claim 7, characterized in that storing the first association relationship on the forwarding plane comprises:
    storing a first flow rule forwarding entry on the forwarding plane, the first flow rule forwarding entry comprising the VPN label, a first index, the first public network IP address and the first tunnel identifier, the first index being used to index the first flow rule.
  9. The method according to claim 7 or 8, characterized in that the first association relationship further comprises the type of the first tunnel.
  10. The method according to any one of claims 1-9, characterized in that the method further comprises:
    obtaining second traffic filtering information, the second traffic filtering information comprising the VPN label, a second flow rule and a second traffic filtering action, wherein the second traffic filtering action carries a redirected second next hop, the redirected second next hop is a second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop;
    forwarding traffic matching the second flow rule according to the second traffic filtering information.
  11. The method according to claim 10, characterized in that the method further comprises:
    iterating (resolving) a second tunnel according to the second public network IP address, the second tunnel being a second public network tunnel established between the first communication device and the second communication device;
    storing a second association relationship on the forwarding plane, the second association relationship comprising an association among the VPN label, the second flow rule, the second public network IP address and a second tunnel identifier, the second tunnel identifier being used to identify the second tunnel.
  12. The method according to any one of claims 1-11, characterized in that forwarding traffic matching the first flow rule according to the first traffic filtering information comprises:
    receiving a first packet;
    in response to the first packet matching the first flow rule, adding the VPN label to the first packet;
    sending the first packet with the VPN label added to the first next hop.
  13. The method according to any one of claims 7-9, characterized in that forwarding traffic matching the first flow rule according to the first traffic filtering information comprises:
    receiving a second packet;
    in response to the second packet matching the first flow rule, adding the VPN label to the second packet;
    sending the second packet with the VPN label added to the first next hop through the first tunnel.
  14. The method according to claim 8, characterized in that forwarding traffic matching the first flow rule according to the first traffic filtering information comprises:
    receiving a third packet;
    in response to the third packet matching the first flow rule, determining, according to the first flow rule forwarding entry, the VPN label and the first tunnel identifier corresponding to the first flow rule;
    adding the VPN label to the third packet;
    sending the third packet with the VPN label added to the first next hop through the first tunnel.
  15. The method according to claim 10, characterized in that forwarding traffic matching the flow rule according to the second traffic filtering information comprises:
    receiving a fourth packet;
    in response to the fourth packet matching the second flow rule, adding the VPN label to the fourth packet;
    sending the fourth packet with the VPN label added to the second next hop.
  16. The method according to claim 11, characterized in that forwarding traffic matching the flow rule according to the second traffic filtering information comprises:
    receiving a fifth packet;
    in response to the fifth packet matching the second flow rule, determining, according to the second flow rule forwarding entry, the VPN label and the second tunnel identifier corresponding to the second flow rule;
    adding the VPN label to the fifth packet;
    sending the fifth packet with the VPN label added to the second next hop through the second tunnel.
  17. A packet sending method, characterized in that the method is applied to a first communication device and comprises:
    receiving a first packet;
    in response to the first packet matching a first flow rule, determining a virtual private network (VPN) label and a first traffic filtering action according to a first association relationship, the first association relationship comprising an association among the first flow rule, the VPN label and the first traffic filtering action, the first traffic filtering action comprising a redirected first next hop, and the redirected first next hop being a first public network Internet Protocol (IP) address of a second communication device;
    adding the VPN label to the first packet;
    sending the first packet with the VPN label added to the first next hop.
  18. The method according to claim 17, characterized in that the first traffic filtering action further comprises a first tunnel identifier, the first tunnel identifier is used to identify a first tunnel, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device;
    sending the first packet with the VPN label added to the first next hop comprises:
    sending the first packet with the VPN label added to the first next hop through the first tunnel.
  19. The method according to claim 18, characterized in that the method further comprises:
    determining, according to a first flow rule forwarding entry, the VPN label and the first tunnel identifier corresponding to the first flow rule, the first flow rule forwarding entry comprising the VPN label, a first index, the first public network IP address and the first tunnel identifier, the first index being used to index the first flow rule.
  20. The method according to any one of claims 17-19, characterized in that the method further comprises:
    receiving a second packet;
    in response to the second packet matching a second flow rule, determining the VPN label and a second traffic filtering action according to a second association relationship, the second association relationship comprising an association among the second flow rule, the VPN label and the second traffic filtering action, the second traffic filtering action comprising a redirected second next hop, and the redirected second next hop being a second public network Internet Protocol (IP) address of the second communication device;
    adding the VPN label to the second packet;
    sending the second packet with the VPN label added to the second next hop.
  21. The method according to claim 20, characterized in that the second traffic filtering action further comprises a second tunnel identifier, the second tunnel identifier is used to identify a second tunnel, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device;
    sending the second packet with the VPN label added to the second next hop comprises:
    sending the second packet with the VPN label added to the second next hop through the second tunnel.
  22. A message sending method, characterized in that the method is applied to a control management device and comprises:
    obtaining first traffic filtering information, the first traffic filtering information comprising a virtual private network (VPN) label, a first flow rule and a first traffic filtering action, wherein the first traffic filtering action comprises a redirected first next hop, the redirected first next hop is a first public network Internet Protocol (IP) address of a second communication device, and the first traffic filtering action instructs a first communication device to forward VPN traffic matching the first flow rule to the first next hop;
    sending the first traffic filtering information to the first communication device.
  23. The method according to claim 22, characterized in that the first traffic filtering information further comprises tunnel type information of a first tunnel, the tunnel type information of the first tunnel indicates the type of the first tunnel, the first tunnel is used to forward traffic matching the first flow rule, and the first tunnel is a first public network tunnel established between the first communication device and the second communication device.
  24. The method according to claim 22, characterized in that the control management device is a controller, and sending the first traffic filtering information to the first communication device comprises:
    sending a Border Gateway Protocol (BGP) message to the first communication device, the BGP message comprising the first traffic filtering information.
  25. The method according to claim 24, characterized in that the BGP message comprises a first extended community attribute, and the first extended community attribute carries the VPN label.
  26. The method according to claim 25, characterized in that the first extended community attribute further comprises a tunnel type field, the tunnel type field carries tunnel type information, the tunnel type information indicates a type of a tunnel, and the tunnel is used to forward traffic matching the first flow rule.
  27. The method according to any one of claims 24-26, characterized in that the BGP message further comprises a route target (RT), the route target is associated with a VPN instance in the first communication device, and the first traffic filtering information is used to filter VPN traffic from a VPN site bound to the VPN instance.
  28. The method according to claim 22 or 23, characterized in that the control management device is a controller, and sending the first traffic filtering information to the first communication device comprises:
    sending a Path Computation Element Communication Protocol (PCEP) message to the first communication device, the PCEP message comprising the first traffic filtering information.
  29. The method according to any one of claims 22-28, characterized in that the method further comprises:
    obtaining second traffic filtering information, the second traffic filtering information comprising the VPN label, a second flow rule and a second traffic filtering action, wherein the second traffic filtering action comprises a redirected second next hop, the redirected second next hop is a second public network IP address of the second communication device, and the second traffic filtering action instructs the first communication device to forward traffic matching the second flow rule to the second next hop;
    sending the second traffic filtering information to the first communication device.
  30. The method according to claim 29, characterized in that the second traffic filtering information further comprises tunnel type information of a second tunnel, the tunnel type information of the second tunnel indicates the type of the second tunnel, the second tunnel is used to forward traffic matching the second flow rule, and the second tunnel is a second public network tunnel established between the first communication device and the second communication device.
  31. A network device, characterized in that the network device comprises a transceiver module and a processing module, the transceiver module being configured to perform the receiving and/or sending operations in the method according to any one of claims 1-21, and the processing module being configured to perform the operations other than the receiving and/or sending operations in the method according to any one of claims 1-21.
  32. A control management device, characterized in that the control management device comprises a transceiver module and a processing module, the transceiver module being configured to perform the receiving and/or sending operations in the method according to any one of claims 22-30, and the processing module being configured to perform the operations other than the receiving and/or sending operations in the method according to any one of claims 22-30.
  33. A network device, characterized in that the network device comprises a memory and a processor, the memory being configured to store instructions and the processor being configured to run the instructions, so that the network device performs the traffic forwarding method according to any one of claims 1-16 or the packet sending method according to any one of claims 17-21.
  34. A control management device, characterized in that the control management device comprises a memory and a processor, the memory being configured to store instructions and the processor being configured to run the instructions, so that the control management device performs the message sending method according to any one of claims 22-30.
  35. A network system, characterized in that the network system comprises a network device and a control management device, the network device being configured to perform the method according to any one of claims 1-21, and the control management device being configured to perform the method according to any one of claims 22-30.
  36. A computer-readable storage medium, characterized in that it comprises instructions which, when executed on a processor, implement the method according to any one of claims 1-30.
  37. A computer program product, characterized in that it comprises a program which, when run on a processor, performs the method according to any one of claims 1-30.
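The claims above describe one procedure end to end: the control management device builds traffic filtering information (a VPN label, a flow rule, and a redirect action whose next hop is the public IP address of the second communication device, optionally with a tunnel type), the first communication device resolves the public-network tunnel from that address and stores a flow rule forwarding entry on its forwarding plane, and on each matching packet it pushes the VPN label and sends the packet into that tunnel. The following Python model is an added example, not code from the patent or from Huawei; the 8-byte layout of the extended community, the tunnel type code points, the tunnel table and all addresses are constructed assumptions. The point a practitioner would check is the fail-closed behaviour: a rule whose redirect next hop resolves to no tunnel, or to a tunnel of a different type than the advertised one, is not installed, and a packet that matches no rule is never redirected.

```python
"""Model of the controller -> first communication device exchange in the claims.
Added example; the community layout and tunnel table are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed 8-byte extended-community layout (not specified on this page):
# type, sub-type, tunnel type, reserved, then the 20-bit VPN label in a 32-bit field.
EXT_COMM_TYPE, EXT_COMM_SUBTYPE = 0x80, 0x7F      # placeholder code points
TUNNEL_TYPES = {1: "GRE", 2: "VXLAN", 3: "SRv6"}  # constructed mapping


def encode_vpn_label_community(vpn_label: int, tunnel_type: int) -> bytes:
    """Controller side: carry the VPN label and tunnel type in one community."""
    if not 0 <= vpn_label < (1 << 20):
        raise ValueError("VPN label must fit in 20 bits")
    if tunnel_type not in TUNNEL_TYPES:
        raise ValueError("unknown tunnel type")
    return struct.pack("!BBBBI", EXT_COMM_TYPE, EXT_COMM_SUBTYPE, tunnel_type, 0, vpn_label)


def decode_vpn_label_community(data: bytes) -> Tuple[int, int]:
    """Device side: validate the community before acting on it."""
    if len(data) != 8:
        raise ValueError("extended community must be 8 bytes")
    ctype, csub, tunnel_type, _, vpn_label = struct.unpack("!BBBBI", data)
    if (ctype, csub) != (EXT_COMM_TYPE, EXT_COMM_SUBTYPE):
        raise ValueError("not a VPN-label community")
    if vpn_label >= (1 << 20) or tunnel_type not in TUNNEL_TYPES:
        raise ValueError("malformed VPN-label community")
    return vpn_label, tunnel_type


@dataclass(frozen=True)
class FlowRule:
    """Flow rule: destination prefix plus optional protocol and destination port."""
    dst_prefix: str
    proto: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        in_prefix = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst_prefix)
        proto_ok = self.proto is None or pkt.get("proto") == self.proto
        port_ok = self.dst_port is None or pkt.get("dport") == self.dst_port
        return in_prefix and proto_ok and port_ok


@dataclass(frozen=True)
class FilteringInfo:
    """Traffic filtering information as received from the controller."""
    vpn_label: int
    rule: FlowRule
    redirect_next_hop: str   # public IP address of the second communication device
    tunnel_type: int


@dataclass(frozen=True)
class ForwardingEntry:
    """Flow rule forwarding entry kept on the forwarding plane (claim 8)."""
    vpn_label: int
    index: int               # indexes the flow rule
    next_hop: str
    tunnel_id: int
    tunnel_type: int


class FirstDevice:
    def __init__(self, tunnels: Dict[str, Tuple[int, int]]):
        # far-end public IP -> (tunnel id, tunnel type); constructed tunnel table
        self.tunnels = tunnels
        self.rules: List[FlowRule] = []
        self.fib: Dict[int, ForwardingEntry] = {}

    def install(self, info: FilteringInfo) -> bool:
        """Resolve the tunnel from the redirect next hop and store the entry.
        Fails closed: no tunnel, or a tunnel of another type, means no install."""
        tunnel = self.tunnels.get(info.redirect_next_hop)
        if tunnel is None or tunnel[1] != info.tunnel_type:
            return False
        index = len(self.rules)
        self.rules.append(info.rule)
        self.fib[index] = ForwardingEntry(info.vpn_label, index, info.redirect_next_hop,
                                          tunnel[0], info.tunnel_type)
        return True

    def forward(self, pkt: dict) -> Optional[dict]:
        """Return the labelled, tunnelled packet for the first matching rule,
        or None when no rule matches (the packet then takes normal forwarding)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                e = self.fib[index]
                return {"tunnel_id": e.tunnel_id, "tunnel_type": TUNNEL_TYPES[e.tunnel_type],
                        "next_hop": e.next_hop, "labels": [e.vpn_label], "payload": pkt}
        return None
```

Two rules with the same VPN label but different redirect next hops (claims 10 and 11) install as two forwarding entries pointing at two different tunnels; the forwarding plane only ever consults the entry reached through the rule index, so the VPN label itself never selects the tunnel.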
PCT/CN2023/070024 2022-01-21 2023-01-03 Traffic forwarding method, packet sending method, message sending method, and apparatus WO2023138351A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210074405.4A CN116506379A (en) 2022-01-21 2022-01-21 Flow forwarding method, message sending method and device
CN202210074405.4 2022-01-21

Publications (1)

Publication Number Publication Date
WO2023138351A1 true WO2023138351A1 (en) 2023-07-27

Family

ID=87318958

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/070024 WO2023138351A1 (en) 2022-01-21 2023-01-03 Traffic forwarding method, packet sending method, message sending method, and apparatus

Country Status (2)

Country Link
CN (1) CN116506379A (en)
WO (1) WO2023138351A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060050719A1 (en) * 2000-10-17 2006-03-09 Riverhead Networks, Inc. Selective diversion and injection of communication traffic
WO2018000443A1 (en) * 2016-07-01 2018-01-04 华为技术有限公司 Service function chaining (sfc)-based packet forwarding method, device and system
CN108259379A (en) * 2017-05-08 2018-07-06 新华三技术有限公司 A kind of flow forwarding method and device
US20180332045A1 (en) * 2014-12-25 2018-11-15 Zte Corporation Method and device for MPLS intermediate node to perform multicast forwarding, and node thereof
CN112787935A (en) * 2016-02-01 2021-05-11 华为技术有限公司 VPN route notification method, data flow forwarding method and related equipment

Also Published As

Publication number Publication date
CN116506379A (en) 2023-07-28

Similar Documents

Publication Publication Date Title
US10193812B2 (en) Multicast load balancing in multihoming EVPN networks
US9781032B1 (en) MPLS label usage in ethernet virtual private networks
US8300614B2 (en) Preventing packet loops in unified networks
CN108574616A (en) Routing processing method, device and system
WO2021164249A1 (en) Method, device and system for sending message
CN108964940B (en) Message sending method and device and storage medium
WO2020135395A1 (en) Notification method and device for prefix identifier of cross-interior gateway protocol
WO2021000752A1 (en) Method and related device for forwarding packets in data center network
US20230300070A1 (en) Packet Sending Method, Device, and System
EP3396897B1 (en) Multicast load balancing in multihoming evpn networks
CN114598635A (en) Message transmission method and device
US20230353479A1 (en) Edge Computing Data and Service Discovery Using an Interior Gateway Protocol (IGP)
WO2023274083A1 (en) Route publishing method and apparatus, packet forwarding method and apparatus, device, and storage medium
WO2023138351A1 (en) Traffic forwarding method, packet sending method, message sending method, and apparatus
WO2022166465A1 (en) Message processing method and related apparatus
CN114301839B (en) Multicast message transmission method and device
WO2022007550A1 (en) Load balancing method, apparatus, network device, and system
CN115242699A (en) Message transmission method, slice generation method, device and system
WO2021179935A1 (en) Route determination method, apparatus and network device
CN113973072B (en) Message sending method, device and system
CN115473765A (en) Message transmission method, device and system
CN113595915A (en) Method for forwarding message and related equipment
CN112751766A (en) Message forwarding method and device and computer storage medium
WO2024007762A1 (en) Route publishing method, and communication method and apparatus
WO2023050818A1 (en) Data forwarding method and system, electronic device, and storage medium

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23742667

Country of ref document: EP

Kind code of ref document: A1