CN101674245A - Exit port route filtering method and device - Google Patents
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments of the invention provide an egress route filtering method and device. The egress route filtering method comprises the following steps: receiving a network layer reachability information message carrying an input route target (IRT); acquiring the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message; and carrying out egress route filtering according to the IRT and the virtual private network to which the IRT belongs. With these embodiments, routes can be distributed on demand when egress route filtering is carried out.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for filtering an egress route.
Background
The existing egress route filtering (ORF, Outbound Route Filtering) technology for Virtual Private Networks (VPNs) supports all VPNs that use a Route Target (RT) for route filtering. The VPNs that use the RT for route filtering fall into the following four types: Internet Protocol version 4 Layer 3 Virtual Private Network (IPv4L3VPN), Internet Protocol version 6 Layer 3 Virtual Private Network (IPv6L3VPN), Layer 2 Virtual Private Network (L2VPN), and Virtual Private LAN Service (VPLS).
The RT is an extended community attribute of the Border Gateway Protocol (BGP) and is used for route filtering. The RT is divided into two parts: an output Route Target (ERT, Export Route Target) and an input Route Target (IRT, Import Route Target). The ERT represents the route attribute sent by the site, and the IRT represents which routes the site is interested in. The receiving-end router adds a route to its routing table only if the ERT of the sending-end router matches the IRT of the receiving-end router.
In the prior art, a router issues the IRTs of all types of VPNs to a peer (router) in Network Layer Reachability Information (NLRI) messages of Multiprotocol BGP (MP-BGP) using the same address family (1, 132), and the peer filters routes at its egress according to the received IRTs. However, when the router issues an IRT, it does not identify which type of VPN route filtering the IRT is used for, so in the prior art the peer cannot distribute routes on demand when it performs egress route filtering.
Disclosure of Invention
The embodiments of the invention provide an egress route filtering method and device, so that routes are distributed on demand when egress route filtering is performed.
The egress route filtering method and device provided by the embodiments of the invention are implemented as follows:
An egress route filtering method, comprising:
receiving a network layer reachability information message, wherein the network layer reachability information message carries an input routing target (IRT);
acquiring the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message;
and performing egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
An egress route filtering device, comprising:
a receiving module, configured to receive a network layer reachability information message, wherein the network layer reachability information message carries an input routing target (IRT);
an obtaining module, configured to obtain the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message;
and an egress route filtering module, configured to perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
As can be seen from the above technical solutions, the network layer reachability information message in the embodiments of the present invention carries an IRT, and the virtual private network to which the IRT belongs can be acquired from that message. The IRTs of different types of VPNs can therefore be distinguished from each other, so that VPN route filtering is guided accurately and routes are distributed on demand when egress route filtering is performed.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain drawings of other embodiments from them without creative effort.
Fig. 1 is a flowchart of embodiment 1 of the egress route filtering method according to an embodiment of the present invention;
Fig. 2 is a flowchart of embodiment 2 of the egress route filtering method according to an embodiment of the present invention;
Fig. 3 is a flowchart of embodiment 3 of the egress route filtering method according to an embodiment of the present invention;
Fig. 4 is a block diagram of embodiment 1 of the egress route filtering apparatus according to an embodiment of the present invention;
Fig. 5 is a block diagram of embodiment 1 of the egress route filtering module according to an embodiment of the present invention;
Fig. 6 is a block diagram of embodiment 2 of the egress route filtering module according to an embodiment of the present invention;
Fig. 7 is a block diagram of embodiment 2 of the egress route filtering apparatus according to an embodiment of the present invention;
Fig. 8 is a block diagram of embodiment 3 of the egress route filtering apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the invention provide an egress route filtering method and device.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment one
Referring to Fig. 1, which is a flowchart of embodiment 1 of the egress route filtering method according to an embodiment of the present invention, the egress route filtering method includes:
S101: Receive a network layer reachability information message, where the network layer reachability information message carries an input routing target (IRT).
In practice, the sending-end router treats the RT as a route and sends it to the peer (the receiving-end router) in a network layer reachability information (NLRI) message of MP-BGP; the peer receives the NLRI message and performs ORF based on the RT. The RT includes the IRT, that is, the NLRI message carries the IRT. For the format of the NLRI message, see the relevant specification in RFC 4684.
S102: Acquire the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message.
In this embodiment, the sending-end router identifies the IRTs configured for different types of VPNs, which may be implemented in either of the following ways:
(1) the IRTs configured for different types of VPNs are sent through different address families;
(2) an optional transition attribute (in BGP terminology, an optional transitive attribute) is added to the NLRI message to identify which type of VPN's ORF the IRT in the NLRI message is used for.
The optional transition attribute uses the TLV format, that is, Type, Length and Value. In this embodiment, the address family information of the IRT configured for the different types of VPNs is used as the Value of the optional transition attribute; the address family information of the IRT is the address family information corresponding to the different types of VPNs.
The peer can acquire the IRT and the sending address family information of the NLRI message from the NLRI message, and thereby acquire the virtual private network to which the IRT belongs from the sending address family information;
or, the peer can obtain the Value of the optional transition attribute in the NLRI message, that is, the address family information of the IRT configured for the different types of VPNs, and thereby obtain the virtual private network to which the IRT belongs from the address family information of the IRT.
The peer can support several types of virtual private networks at the same time, and establishes a corresponding neighbor relationship with the opposite end under the address family corresponding to each virtual private network; each neighbor has its own method and format for sending NLRI messages.
In this embodiment, after the peer acquires the IRT and the virtual private network to which the IRT belongs, the peer stores the IRT under the neighbor of the address family corresponding to that virtual private network, where the IRT serves as the egress policy when that neighbor sends routes.
S103: Perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
In this embodiment, the peer performs route filtering at its egress according to the IRT and the virtual private network to which the IRT belongs, which may specifically be:
the peer judges whether the virtual private network to which the IRT belongs matches a virtual private network type supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the IRT matches the ERT preset for the matched virtual private network, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
Or,
the peer judges whether the IRT matches an ERT preset for a virtual private network supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the virtual private network to which the IRT belongs matches the type of the virtual private network to which the matched ERT belongs, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
The network layer reachability information message of this embodiment carries an IRT, and the peer can acquire the virtual private network to which the IRT belongs from that message. The IRTs of different types of VPNs are therefore distinguished from each other, so that the peer can guide VPN route filtering accurately and distribute routes on demand when it performs egress route filtering.
Embodiment two
Referring to Fig. 2, which is a flowchart of embodiment 2 of the egress route filtering method according to an embodiment of the present invention, the egress route filtering method includes:
S201: Receive a network layer reachability information message, where the network layer reachability information message carries an input routing target (IRT).
In practice, the sending-end router and the receiving-end router are two adjacent routers, and the two adjacent routers establish neighbors for the different types of VPNs respectively. The sending-end router treats the RT as a route and sends it to the peer (the receiving-end router) in a network layer reachability information (NLRI) message of MP-BGP; the peer receives the NLRI message and performs ORF based on the RT. The RT includes the IRT, that is, the NLRI message carries the IRT. For the format of the NLRI message, see the relevant specification in RFC 4684.
S202: Acquire the sending address family information of the network layer reachability information message according to the network layer reachability information message.
In this embodiment, the peer can support several types of virtual private networks at the same time, and establishes a corresponding neighbor relationship with the opposite end under the address family corresponding to each virtual private network; each neighbor has its own method and format for sending NLRI messages.
The NLRI messages carry the IRTs configured for the different types of VPNs and are sent through different address families, so that the address family identifies which type of VPN's ORF the IRT is used for.
The peer acquires the sending address family information of the NLRI message from the received NLRI message, so as to acquire the virtual private network to which the IRT belongs. The sending address family information includes a master address family and a first slave address family (the AFI and SAFI of MP-BGP); the master address family is the master address family of the virtual private network to which the IRT belongs, and the first slave address family is 132. The master address family of the IPv4L3VPN is 1, the master address family of the IPv6L3VPN is 2, the master address family of the VPLS is 25, and the master address family of the L2VPN is 196.
S203: Acquire the virtual private network to which the IRT belongs according to the sending address family information.
In this embodiment, the virtual private network to which the IRT belongs is acquired from the sending address family information as follows:
when the sending address family information is (1, 132), the virtual private network to which the IRT belongs is an Internet Protocol version 4 Layer 3 virtual private network (IPv4L3VPN);
when the sending address family information is (2, 132), the virtual private network to which the IRT belongs is an Internet Protocol version 6 Layer 3 virtual private network (IPv6L3VPN);
when the sending address family information is (25, 132), the virtual private network to which the IRT belongs is a virtual private LAN service (VPLS);
and when the sending address family information is (196, 132), the virtual private network to which the IRT belongs is a Layer 2 virtual private network (L2VPN).
After the peer acquires the IRT and the virtual private network to which the IRT belongs, the peer stores the IRT under the neighbor of the address family corresponding to that virtual private network, where the IRT serves as the egress policy when that neighbor sends routes.
S204: Perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
In this embodiment, the peer performs route filtering at its egress according to the IRT and the virtual private network to which the IRT belongs, which may specifically be:
(1) the peer judges whether the virtual private network to which the IRT belongs matches a virtual private network type supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the IRT matches the ERT preset for the matched virtual private network, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
The peer itself may support several virtual private network types. For example, the peer supports IPv4L3VPN and IPv6L3VPN; if the virtual private network to which the IRT belongs is a VPLS, the peer simply does not send the route.
If the peer supports IPv4L3VPN and IPv6L3VPN, and the virtual private network to which the IRT belongs is IPv4L3VPN, then the virtual private network to which the IRT belongs matches the IPv4L3VPN type supported by the peer; the peer then judges whether the IRT matches the ERT preset for the matched IPv4L3VPN, and if not, it does not send a route, and if so, it sends the route to the IPv4L3VPN to which the IRT belongs.
Or,
(2) the peer judges whether the IRT matches an ERT preset for a virtual private network supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the virtual private network to which the IRT belongs matches the type of the virtual private network to which the matched ERT belongs, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
The peer itself may support several virtual private network types. For example, the peer supports IPv4L3VPN and IPv6L3VPN, and the ERTs preset for IPv4L3VPN and IPv6L3VPN are 200:1 and 100:1 respectively. The peer judges whether the IRT matches an ERT preset for IPv4L3VPN or IPv6L3VPN, and if not, it does not send the route. If it matches, for example the IRT is 100:1 and matches the ERT of the IPv6L3VPN, the peer judges whether the virtual private network to which the IRT belongs matches the IPv6L3VPN type to which the matched ERT belongs. If not, for example the virtual private network to which the IRT belongs is IPv4L3VPN, the peer does not send the route; if so, the peer sends the route to the IPv6L3VPN to which the IRT belongs.
In a specific implementation, preferably, when the virtual private network sends the NLRI, the peer queries the IRT received by the neighbor under the virtual private network, compares the ERT carried by the NLRI with the IRT received by the neighbor, and sends the route to the neighbor of the corresponding virtual private network if the two are matched.
In this embodiment, the sending address family information of the IRTs of different types of VPNs differs, and the peer can acquire the virtual private network to which an IRT belongs from the sending address family information of that IRT. The IRTs of different types of VPNs are therefore distinguished from each other, so that the peer can guide VPN route filtering accurately and distribute routes on demand when it performs egress route filtering.
Embodiment three
Referring to Fig. 3, which is a flowchart of embodiment 3 of the egress route filtering method according to an embodiment of the present invention, the egress route filtering method includes:
S301: Receive a network layer reachability information message, where the network layer reachability information message carries an input routing target (IRT).
In practice, the sending-end router and the receiving-end router are adjacent routers. After the two adjacent routers have successfully negotiated the capability of the VPN ORF address family, the sending-end router treats the RT as a route and sends it to the peer (the receiving-end router) in a network layer reachability information (NLRI) message of MP-BGP using the address family (1, 132); the peer receives the NLRI message and performs ORF based on the RT. The RT includes the IRT, that is, the NLRI message carries the IRT. For the format of the NLRI message, see the relevant specification in RFC 4684.
S302: Acquire an optional transition attribute from the network layer reachability information message, where the optional transition attribute is used for identifying the virtual private network to which the IRT belongs.
In this embodiment, the peer can support several types of virtual private networks at the same time, and establishes a corresponding neighbor relationship with the opposite end under the address family corresponding to each virtual private network; each neighbor has its own method and format for sending NLRI messages.
An optional transition attribute is added to the NLRI message to identify which type of VPN's ORF the IRT in the NLRI message is used for. The optional transition attribute uses the TLV format, that is, Type, Length and Value. In this embodiment, the address family information of the IRT configured for the different types of VPNs is used as the Value of the optional transition attribute, where the address family information of the IRT is the address family information corresponding to the different types of VPNs.
S303: Judge whether the optional transition attribute is recognized; if so, execute S304; if not, execute S305.
S304: Acquire the address family information of the IRT from the optional transition attribute, determine the virtual private network to which the IRT belongs according to the address family information of the IRT, and execute S306.
When the peer recognizes the optional transition attribute, it can obtain the Value of the attribute, that is, the address family information of the IRT. The address family information of the IRT includes a master address family and a second slave address family; the master address family is the master address family of the virtual private network to which the IRT belongs, and the second slave address family is the slave address family of the virtual private network to which the IRT belongs.
The virtual private network to which the IRT belongs is determined from the address family information of the IRT as follows:
when the address family information of the IRT is (1, 128), the virtual private network to which the IRT belongs is an Internet Protocol version 4 Layer 3 virtual private network (IPv4L3VPN);
when the address family information of the IRT is (2, 128), the virtual private network to which the IRT belongs is an Internet Protocol version 6 Layer 3 virtual private network (IPv6L3VPN);
when the address family information of the IRT is (25, 65), the virtual private network to which the IRT belongs is a virtual private LAN service (VPLS);
and when the address family information of the IRT is (196, 128), the virtual private network to which the IRT belongs is a Layer 2 virtual private network (L2VPN).
S305: Determine that the virtual private networks to which the IRT belongs are IPv4L3VPN, IPv6L3VPN, VPLS and L2VPN.
When the peer does not recognize the optional transition attribute, the IRT may be used for the ORF of all types of VPNs, that is, the virtual private networks to which the IRT belongs are IPv4L3VPN, IPv6L3VPN, VPLS and L2VPN.
S306: Perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
In this embodiment, when the peer recognizes the optional transition attribute, egress route filtering according to the IRT and the virtual private network to which the IRT belongs may specifically be:
(1) the peer judges whether the virtual private network to which the IRT belongs matches a virtual private network type supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the IRT matches the ERT preset for the matched virtual private network, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
The peer itself may support several virtual private network types. For example, the peer supports IPv4L3VPN and IPv6L3VPN; if the virtual private network to which the IRT belongs is a VPLS, the peer simply does not send the route.
If the peer supports IPv4L3VPN and IPv6L3VPN, and the virtual private network to which the IRT belongs is IPv4L3VPN, then the virtual private network to which the IRT belongs matches the IPv4L3VPN type supported by the peer; the peer then judges whether the IRT matches the ERT preset for the matched IPv4L3VPN, and if not, it does not send a route, and if so, it sends the route to the IPv4L3VPN to which the IRT belongs.
Or,
(2) the peer judges whether the IRT matches an ERT preset for a virtual private network supported by the peer itself, and if not, the peer does not send a route; if so, the peer judges whether the virtual private network to which the IRT belongs matches the type of the virtual private network to which the matched ERT belongs, and if not, it does not send a route, and if so, it sends the route to the virtual private network to which the IRT belongs.
The peer itself may support several virtual private network types. For example, the peer supports IPv4L3VPN and IPv6L3VPN, and the ERTs preset for IPv4L3VPN and IPv6L3VPN are 200:1 and 100:1 respectively. The peer judges whether the IRT matches an ERT preset for IPv4L3VPN or IPv6L3VPN, and if not, it does not send the route. If it matches, for example the IRT is 100:1 and matches the ERT of the IPv6L3VPN, the peer judges whether the virtual private network to which the IRT belongs matches the IPv6L3VPN type to which the matched ERT belongs. If not, for example the virtual private network to which the IRT belongs is IPv4L3VPN, the peer does not send the route; if so, the peer sends the route to the IPv6L3VPN to which the IRT belongs.
In this embodiment, when the peer does not recognize the optional transition attribute, the virtual private networks to which the IRT belongs are IPv4L3VPN, IPv6L3VPN, VPLS and L2VPN, that is, the IRT may be used for the ORF of all types of VPNs. In this case the embodiment assumes by default that the virtual private network to which the IRT belongs matches the virtual private network type supported by the peer itself, so the peer only needs to judge whether the IRT matches an ERT preset for a virtual private network it supports. If not, no route is sent; if so, the route is sent to the virtual private network IPv6L3VPN to which the IRT belongs.
In this embodiment, after the peer acquires the IRT and the virtual private network to which the IRT belongs, the peer stores the IRT under the neighbor of the address family corresponding to that virtual private network, where the IRT serves as the egress policy when that neighbor sends routes.
Preferably, when the virtual private network sends the NLRI, the peer queries the IRT received by the neighbor under the virtual private network, compares the ERT carried by the NLRI with the IRT received by the neighbor, and sends the route to the neighbor of the corresponding virtual private network if the two are matched.
The optional transition attribute of the NLRI message in this embodiment carries the address family information of the IRTs of different types of VPNs, and the peer can learn the virtual private network to which an IRT belongs from the address family information in the optional transition attribute. The IRTs of different types of VPNs are therefore distinguished from each other, so that the peer can guide VPN route filtering accurately and distribute routes on demand when it performs egress route filtering.
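The decision procedure of embodiments two and three, written out as an added Python example (it is not part of the patent text): it resolves the VPN type from the sending address family or from the Value of the optional transition attribute, then applies both filtering orders. Assumptions made here: "match" between IRT and ERT is string equality, an address family outside the tables on this page resolves to no VPN type, and the function names and the `LOCAL_ERTS` sample (built from the page's 200:1 / 100:1 illustration) are constructed for the example.

```python
from typing import Dict, FrozenSet, Optional, Set, Tuple

AddressFamily = Tuple[int, int]  # (master address family, slave address family)

# Embodiment two: sending address family of the NLRI message -> VPN type.
SEND_AF_TO_VPN: Dict[AddressFamily, str] = {
    (1, 132): "IPv4L3VPN",
    (2, 132): "IPv6L3VPN",
    (25, 132): "VPLS",
    (196, 132): "L2VPN",
}

# Embodiment three: Value of the optional transition attribute -> VPN type.
ATTR_AF_TO_VPN: Dict[AddressFamily, str] = {
    (1, 128): "IPv4L3VPN",
    (2, 128): "IPv6L3VPN",
    (25, 65): "VPLS",
    (196, 128): "L2VPN",
}

ALL_VPNS: FrozenSet[str] = frozenset(ATTR_AF_TO_VPN.values())

# Constructed sample: VPN types this peer supports and the ERT preset for each.
LOCAL_ERTS: Dict[str, Set[str]] = {
    "IPv4L3VPN": {"200:1"},
    "IPv6L3VPN": {"100:1"},
}


def vpns_from_send_af(send_af: AddressFamily) -> FrozenSet[str]:
    """S202-S203: VPN type from the address family the NLRI was sent in.

    Assumption: an address family not listed on the page maps to no VPN.
    """
    vpn = SEND_AF_TO_VPN.get(send_af)
    return frozenset([vpn]) if vpn else frozenset()


def vpns_from_attribute(value: Optional[AddressFamily]) -> FrozenSet[str]:
    """S303-S305: VPN type from the optional transition attribute.

    value is None when the peer does not recognize the attribute; the IRT
    then applies to the ORF of all four VPN types (S305).
    """
    if value is None:
        return ALL_VPNS
    vpn = ATTR_AF_TO_VPN.get(value)
    return frozenset([vpn]) if vpn else frozenset()


def filter_type_first(irt: str, irt_vpns: FrozenSet[str],
                      local_erts: Dict[str, Set[str]]) -> Set[str]:
    """Order (1): check the VPN type first, then IRT against that VPN's ERT."""
    send_to = set()
    for vpn in irt_vpns:
        if vpn not in local_erts:      # type not supported: no route
            continue
        if irt in local_erts[vpn]:     # IRT matches the preset ERT
            send_to.add(vpn)
    return send_to


def filter_rt_first(irt: str, irt_vpns: FrozenSet[str],
                    local_erts: Dict[str, Set[str]]) -> Set[str]:
    """Order (2): check IRT against every preset ERT, then the VPN type."""
    send_to = set()
    for vpn, erts in local_erts.items():
        if irt not in erts:            # no ERT match: no route
            continue
        if vpn in irt_vpns:            # matched ERT's VPN type must agree
            send_to.add(vpn)
    return send_to


def demo():
    """Run the page's IRT 100:1 illustration through both embodiments."""
    cases = [
        ("send AF (25,132)", vpns_from_send_af((25, 132))),
        ("send AF (1,132)", vpns_from_send_af((1, 132))),
        ("send AF (2,132)", vpns_from_send_af((2, 132))),
        ("attribute (1,128)", vpns_from_attribute((1, 128))),
        ("attribute not recognized", vpns_from_attribute(None)),
    ]
    return [(label, sorted(filter_type_first("100:1", vpns, LOCAL_ERTS)))
            for label, vpns in cases]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:26s} -> routes sent for {result or 'no VPN'}")
```

The last two cases differ only in whether the attribute is recognized: tagged (1, 128), IRT 100:1 releases nothing, while the S305 default applies it to every VPN type and releases the IPv6L3VPN routes.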
Embodiment four
Referring to Fig. 4, which is a block diagram of embodiment 1 of the egress route filtering apparatus according to an embodiment of the present invention, the egress route filtering apparatus includes:
a receiving module 401, configured to receive a network layer reachability information message, where the network layer reachability information message carries an input routing target (IRT).
An obtaining module 402, configured to obtain the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message.
The IRT and the sending address family information of the NLRI message can be obtained from the NLRI message, so that the virtual private network to which the IRT belongs is obtained from the sending address family information;
or,
the Value of the optional transition attribute in the NLRI message, that is, the address family information of the IRT configured for the different types of VPNs, can be obtained from that attribute, so that the virtual private network to which the IRT belongs is obtained from the address family information of the IRT.
An egress route filtering module 403, configured to perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
The egress route filtering module 403 may include a second determining sub-module 4031, a first processing sub-module 4032, and a second processing sub-module 4033, as shown in Fig. 5.
The second determining sub-module 4031 is configured to determine whether the virtual private network to which the IRT belongs matches a virtual private network type supported by the apparatus itself, and generate a second determination result.
The first processing sub-module 4032 is configured to not send a route when the second determination result is negative; and, when the second determination result is affirmative, to determine whether the IRT matches the ERT preset for the matched virtual private network, and generate a third determination result.
The second processing sub-module 4033 is configured to not send a route when the third determination result is negative; and, when the third determination result is affirmative, to send a route to the virtual private network to which the IRT belongs.
Or, in another example, the egress route filtering module 403 includes a third determining sub-module 4034, a third processing sub-module 4035, and a fourth processing sub-module 4036, as shown in Fig. 6.
The third determining sub-module 4034 is configured to determine whether the IRT matches an ERT preset for a virtual private network supported by the apparatus itself, and generate a fourth determination result.
The third processing sub-module 4035 is configured to not send a route when the fourth determination result is negative; and, when the fourth determination result is affirmative, to determine whether the virtual private network to which the IRT belongs matches the type of the virtual private network to which the matched ERT belongs, and generate a fifth determination result.
The fourth processing sub-module 4036 is configured to not send a route when the fifth determination result is negative; and, when the fifth determination result is affirmative, to send a route to the virtual private network to which the IRT belongs.
The obtaining module of this embodiment obtains the IRT and the virtual private network to which the IRT belongs from the network layer reachability information message. The IRTs of different types of VPNs are therefore distinguished from each other, so that the egress route filtering module can guide VPN route filtering accurately and distribute routes on demand when it performs egress route filtering.
EXAMPLE five
Referring to fig. 7, fig. 7 is a block diagram of an egress route filtering apparatus embodiment 2 according to an embodiment of the present invention, where the egress route filtering apparatus includes:
a receiving module 701, configured to receive a network layer reachability information packet, where the network layer reachability information packet carries an input routing target IRT.
The receiving module 701 is similar in function to the receiving module 401 in the fourth embodiment and is not described again here.
An obtaining module 702, including a first obtaining sub-module 7021 and a second obtaining sub-module 7022;
the first obtaining sub-module 7021 is configured to obtain, according to the network layer reachable information packet, sending address family information of the network layer reachable information packet.
The second obtaining sub-module 7022 is configured to obtain, according to the sending address family information, a virtual private network to which the IRT belongs.
The second obtaining sub-module 7022 includes any one of the following sub-modules:
a first virtual private network determining submodule, configured to, when the sending address family information is (1, 132), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
a second virtual private network determining submodule, configured to, when the sending address family information is (2, 132), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
a third virtual private network determining submodule, configured to, when the sending address family information is (25, 132), determine that the virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and a fourth virtual private network determining submodule, configured to, when the sending address family information is (196, 132), determine that the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
An egress route filtering module 703, configured to perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
The egress route filtering module 703 is similar in function to the egress route filtering module 403 and is not described again here.
In this embodiment, the sending address family information differs for the IRTs of different types of VPNs, and the virtual private network to which the IRT belongs can be determined from that sending address family information. The IRTs of different types of VPNs are thereby distinguished from one another, so that egress route filtering can accurately guide VPN route filtering and routes are distributed as needed.
EXAMPLE six
Referring to fig. 8, fig. 8 is a block diagram of an egress route filtering apparatus embodiment 3 according to an embodiment of the present invention, where the egress route filtering apparatus includes:
a receiving module 801, configured to receive a network layer reachability information packet, where the network layer reachability information packet carries an input routing target IRT.
The receiving module 801 is similar in function to the receiving module 401 in the fourth embodiment and is not described again here.
An obtaining module 802, including a third obtaining submodule 8021, a first judging submodule 8022, a fourth obtaining submodule 8023, a first determining submodule 8024 and a second determining submodule 8025;
the third obtaining sub-module 8021 is configured to obtain an optional transition attribute from the network layer reachable information packet, where the optional transition attribute is used to identify a virtual private network to which the IRT belongs.
The first judging submodule 8022 is configured to judge whether the optional transition attribute is recognized, and to generate a first judgment result.
The fourth obtaining sub-module 8023 is configured to, when the first judgment result is yes, obtain the address family information of the IRT from the optional transition attribute.
The first determining submodule 8024 is configured to determine, according to the address family information of the IRT, a virtual private network to which the IRT belongs.
The first determination submodule 8024 includes any one of the following submodules:
a fifth virtual private network determining submodule, configured to, when the address family information of the IRT is (1, 128), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
a sixth virtual private network determining submodule, configured to, when the address family information of the IRT is (2, 128), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
a seventh virtual private network determining submodule, configured to, when the address family information of the IRT is (25, 65), determine that the virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and an eighth virtual private network determining submodule, configured to, when the address family information of the IRT is (196, 128), determine that the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
The second determining submodule 8025 is configured to, when the first judgment result is negative, determine that the virtual private network to which the IRT belongs is any one of the following four types: IPv4 L3VPN, IPv6 L3VPN, VPLS, and L2VPN.
An egress route filtering module 803, configured to perform egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
The egress route filtering module 803 is similar in function to the egress route filtering module 403 and is not described again here.
In this embodiment, the optional transition attribute of the NLRI message carries the address family information of the IRT for the different types of VPNs, and the virtual private network to which the IRT belongs can be determined from that address family information. The IRTs of different types of VPNs are thereby distinguished from one another, so that egress route filtering can accurately guide VPN route filtering and routes are distributed as needed.
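The following Python example is added here and is not part of the patent text; it works through the obtaining modules of embodiments five and six and both check orders of the egress route filtering module from embodiment four. The class `LocalVpn`, the RT values and the route strings are constructed for illustration, "sending a route" is modelled as returning the routes to advertise, and treating an unlisted address family pair as "no VPN type" is an assumption the patent does not state.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

AddrFamily = Tuple[int, int]  # (master address family, slave address family)

# Embodiment five: sending address family of the NLRI message -> VPN type.
SENDING_AF_TO_VPN = {
    (1, 132): "IPv4 L3VPN",
    (2, 132): "IPv6 L3VPN",
    (25, 132): "VPLS",
    (196, 132): "L2VPN",
}
# Embodiment six: address family of the IRT carried in the optional
# transition attribute -> VPN type.
ATTR_AF_TO_VPN = {
    (1, 128): "IPv4 L3VPN",
    (2, 128): "IPv6 L3VPN",
    (25, 65): "VPLS",
    (196, 128): "L2VPN",
}
ALL_VPN_TYPES = frozenset(ATTR_AF_TO_VPN.values())


def vpn_from_sending_af(sending_af: AddrFamily) -> FrozenSet[str]:
    """Embodiment five. Assumption: an unlisted pair maps to no VPN type."""
    vpn = SENDING_AF_TO_VPN.get(sending_af)
    return frozenset([vpn]) if vpn else frozenset()


def vpn_from_attribute(attr_value: Optional[AddrFamily],
                       recognized: bool) -> FrozenSet[str]:
    """Embodiment six. An unrecognized attribute means the IRT may belong
    to any of the four VPN types."""
    if not recognized:
        return ALL_VPN_TYPES
    vpn = ATTR_AF_TO_VPN.get(attr_value)
    return frozenset([vpn]) if vpn else frozenset()


@dataclass(frozen=True)
class LocalVpn:
    """Hypothetical local VPN instance with its preset ERTs and routes."""
    name: str
    vpn_type: str
    erts: FrozenSet[str]
    routes: Tuple[str, ...]


def egress_filter(irt: str, irt_vpn_types: FrozenSet[str],
                  local_vpns: Sequence[LocalVpn]) -> List[str]:
    """First order of embodiment four: VPN type check, then ERT check."""
    to_send: List[str] = []
    for vpn in local_vpns:
        if vpn.vpn_type not in irt_vpn_types:  # type mismatch: no route
            continue
        if irt not in vpn.erts:                # ERT mismatch: no route
            continue
        to_send.extend(vpn.routes)
    return to_send


def egress_filter_ert_first(irt: str, irt_vpn_types: FrozenSet[str],
                            local_vpns: Sequence[LocalVpn]) -> List[str]:
    """Second order of embodiment four: ERT check, then VPN type check."""
    matched = [vpn for vpn in local_vpns if irt in vpn.erts]
    return [route for vpn in matched if vpn.vpn_type in irt_vpn_types
            for route in vpn.routes]


# Constructed sample: the same RT value 100:1 is configured on an
# IPv4 L3VPN and on a VPLS instance.
LOCAL_VPNS = (
    LocalVpn("cust-a-l3", "IPv4 L3VPN", frozenset({"100:1"}), ("10.1.0.0/16",)),
    LocalVpn("cust-b-vpls", "VPLS", frozenset({"100:1"}), ("vpls-site-7",)),
    LocalVpn("cust-c-l3", "IPv4 L3VPN", frozenset({"200:5"}), ("10.9.0.0/16",)),
)

if __name__ == "__main__":
    # Peer announced IRT 100:1 in the (25, 132) family: only VPLS routes go out.
    print(egress_filter("100:1", vpn_from_sending_af((25, 132)), LOCAL_VPNS))
    # Attribute not recognized: every VPN type exporting 100:1 is sent.
    print(egress_filter("100:1", vpn_from_attribute(None, False), LOCAL_VPNS))
```

With the RT value alone, a peer that imports 100:1 only for VPLS would also receive the IPv4 L3VPN route; keying the filter on the VPN type as well keeps that route from being distributed to it.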
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
As can be seen from the above description of the embodiments of the present invention, it is clear to those skilled in the art that the embodiments of the present invention can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially or partially implemented in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention in any manner. Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Those skilled in the art can, using the methods and techniques disclosed above, make numerous possible variations and modifications to the present teachings, or modify them into equivalent embodiments, without departing from the scope of the present teachings. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present invention still falls within the scope of protection of the technical solution of the present invention, provided it does not depart from the content of that technical solution.
Claims (15)
1. An egress route filtering method, comprising:
receiving a network layer reachability information message, wherein the network layer reachability information message carries an Input Routing Target (IRT);
acquiring the IRT and the virtual private network to which the IRT belongs according to the network layer reachability information message;
and carrying out outlet route filtering according to the IRT and the virtual private network to which the IRT belongs.
2. The method according to claim 1, wherein the obtaining the virtual private network to which the IRT belongs according to the network layer reachability information packet specifically includes:
acquiring the sending address family information of the network layer reachable information message according to the network layer reachable information message;
and acquiring the virtual private network to which the IRT belongs according to the sending address family information.
3. The method of claim 2, wherein sending address family information comprises: a master address family and a first slave address family; the master address family is the master address family of the virtual private network to which the IRT belongs, and the first slave address family is 132.
4. The method according to claim 3, wherein the obtaining the virtual private network to which the IRT belongs according to the sending address family information is implemented by any one of:
when the sending address family information is (1, 132), the virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
when the sending address family information is (2, 132), the virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
when the sending address family information is (25, 132), the virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and when the sending address family information is (196, 132), the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
5. The method according to claim 1, wherein the obtaining the virtual private network to which the IRT belongs according to the network layer reachability information packet specifically includes:
acquiring an optional transition attribute from the network layer reachable information message, wherein the optional transition attribute is used for identifying a virtual private network to which the IRT belongs;
judging whether the optional transition attribute is identified, if so, acquiring the address family information of the IRT from the optional transition attribute, and determining the virtual private network to which the IRT belongs according to the address family information of the IRT; if not, the virtual private network to which the IRT belongs is IPv4 L3VPN, IPv6 L3VPN, VPLS and L2VPN.
6. The method of claim 5, wherein the address family information of the IRT comprises: a master address family and a second slave address family; the main address family is a main address family of a virtual private network to which the IRT belongs, and the second slave address family is a slave address family of the virtual private network to which the IRT belongs.
7. The method according to claim 6, wherein the determining, according to the address family information of the IRT, the virtual private network to which the IRT belongs specifically includes:
when the address family information of the IRT is (1, 128), the virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
when the address family information of the IRT is (2, 128), the virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
when the address family information of the IRT is (25, 65), the virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and when the address family information of the IRT is (196, 128), the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
8. The method according to any one of claims 1 to 7, wherein the performing egress route filtering according to the IRT and a virtual private network to which the IRT belongs specifically includes:
judging whether the virtual private network to which the IRT belongs is matched with the type of the virtual private network supported by the IRT, if not, not sending a route; if yes, judging whether the IRT is matched with an ERT preset by the matched virtual private network, if not, not sending a route, and if so, sending the route to the virtual private network to which the IRT belongs;
or,
judging whether the IRT is matched with an ERT preset by a virtual private network supported by the IRT, if not, not sending a route; if so, judging whether the virtual private network to which the IRT belongs is matched with the type of the virtual private network to which the matched ERT belongs, if not, not sending a route, and if so, sending the route to the virtual private network to which the IRT belongs.
9. An egress routing filter apparatus, comprising:
the receiving module is used for receiving a network layer reachability information message, and the network layer reachability information message carries an input routing target IRT;
an obtaining module, configured to obtain the IRT and a virtual private network to which the IRT belongs according to the network layer reachability information packet;
and the egress route filtering module is used for performing egress route filtering according to the IRT and the virtual private network to which the IRT belongs.
10. The apparatus of claim 9, wherein the obtaining module comprises:
the first obtaining submodule is used for obtaining the sending address family information of the network layer reachable information message according to the network layer reachable information message;
and the second obtaining submodule is used for obtaining the virtual private network to which the IRT belongs according to the sending address family information.
11. The apparatus of claim 10, wherein the second obtaining submodule comprises any one of:
a first virtual private network determining submodule, configured to, when the sending address family information is (1, 132), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
a second virtual private network determining submodule, configured to, when the sending address family information is (2, 132), determine that the virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
a third virtual private network determining submodule, configured to, when the sending address family information is (25, 132), determine that the virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and a fourth virtual private network determining submodule, configured to, when the sending address family information is (196, 132), determine that the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
12. The apparatus of claim 9, wherein the obtaining module comprises:
a third obtaining sub-module, configured to obtain an optional transition attribute from the network layer reachable information packet, where the optional transition attribute is used to identify a virtual private network to which the IRT belongs;
the first judgment submodule is used for judging whether the optional transition attribute is identified or not and generating a first judgment result;
a fourth obtaining sub-module, configured to, if the first judgment result is yes, obtain address family information of the IRT from the optional transition attribute;
the first determining submodule is used for determining the virtual private network to which the IRT belongs according to the address family information of the IRT;
a second determining submodule, configured to, when the first judgment result is negative, determine that the virtual private network to which the IRT belongs is any one of the following four types: IPv4 L3VPN, IPv6 L3VPN, VPLS, and L2VPN.
13. The apparatus of claim 12, wherein the first determining submodule comprises any one of:
a fifth virtual private network determining submodule, configured to, when the address family information of the IRT is (1, 128), determine that a virtual private network to which the IRT belongs is an Internet Protocol version 4 layer 3 virtual private network (IPv4 L3VPN);
a sixth virtual private network determining submodule, configured to, when the address family information of the IRT is (2, 128), determine that a virtual private network to which the IRT belongs is an Internet Protocol version 6 layer 3 virtual private network (IPv6 L3VPN);
a seventh virtual private network determining submodule, configured to, when the address family information of the IRT is (25, 65), determine that a virtual private network to which the IRT belongs is a virtual private local area network (VPLS);
and an eighth virtual private network determining submodule, configured to, when the address family information of the IRT is (196, 128), determine that the virtual private network to which the IRT belongs is a layer 2 virtual private network (L2VPN).
14. The apparatus of any of claims 9-13, wherein the egress routing filter module comprises:
the second judgment submodule is used for judging whether the virtual private network to which the IRT belongs is matched with the type of the virtual private network supported by the IRT, and generating a second judgment result;
the first processing submodule is used for not sending the route when the second judgment result is negative; when the second judgment result is yes, judging whether the IRT is matched with the ERT preset by the matched virtual private network, and generating a third judgment result;
the second processing submodule is used for not sending the route when the third judgment result is negative; and when the third judgment result is yes, sending a route to the virtual private network to which the IRT belongs.
15. The apparatus of any of claims 9-13, wherein the egress routing filter module comprises:
the third judgment submodule is used for judging whether the IRT is matched with the ERT preset by the virtual private network supported by the IRT, and generating a fourth judgment result;
the third processing submodule is used for not sending the route when the fourth judgment result is negative; when the fourth judgment result is yes, judging whether the virtual private network to which the IRT belongs is matched with the type of the virtual private network to which the matched ERT belongs, and generating a fifth judgment result;
the fourth processing submodule is used for not sending the route when the fifth judgment result is negative; and when the fifth judgment result is yes, sending a route to the virtual private network to which the IRT belongs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102042012A CN101674245B (en) | 2009-10-10 | 2009-10-10 | Exit port route filtering method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009102042012A CN101674245B (en) | 2009-10-10 | 2009-10-10 | Exit port route filtering method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101674245A (en) | 2010-03-17 |
CN101674245B (en) | 2012-06-06 |
Family
ID=42021240
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009102042012A Active CN101674245B (en) | 2009-10-10 | 2009-10-10 | Exit port route filtering method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101674245B (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101155175B (en) * | 2006-09-27 | 2011-06-15 | 华为技术有限公司 | Method and device for routing filter based on BGP protocol |
CN101145904A (en) * | 2007-11-07 | 2008-03-19 | 杭州华三通信技术有限公司 | A method, device and system for data packet transmission |
CN101340372B (en) * | 2008-08-21 | 2012-09-19 | 中国移动通信集团公司 | Number automatic routing method, updating method, eliminating method, router and equipment |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102611632A (en) * | 2012-04-12 | 2012-07-25 | 福建星网锐捷网络有限公司 | VPLS (Virtual Private LAN Service) output route filtering method and device based on BGP (Border Gateway Protocol) |
CN106059882A (en) * | 2016-05-05 | 2016-10-26 | 杭州华三通信技术有限公司 | Route insertion method and device |
CN106059882B (en) * | 2016-05-05 | 2020-10-13 | 新华三技术有限公司 | Route insertion method and device |
WO2020043106A1 (en) * | 2018-08-30 | 2020-03-05 | 华为技术有限公司 | Communication method and communication device |
US11805049B2 (en) | 2018-08-30 | 2023-10-31 | Huawei Technologies Co., Ltd. | Communication method and communications device |
CN109379289A (en) * | 2018-09-25 | 2019-02-22 | 新华三技术有限公司合肥分公司 | Route filtering strategy processing method and processing device |
CN109379289B (en) * | 2018-09-25 | 2021-08-06 | 新华三技术有限公司合肥分公司 | Method and device for processing route filtering strategy |
CN110505152A (en) * | 2019-09-11 | 2019-11-26 | 迈普通信技术股份有限公司 | Route filtering method, device and electronic equipment |
CN110505152B (en) * | 2019-09-11 | 2022-02-22 | 迈普通信技术股份有限公司 | Route filtering method and device and electronic equipment |
CN113438159A (en) * | 2020-03-23 | 2021-09-24 | 华为技术有限公司 | Transmission method and device of segmented routing strategy and network transmission system |
Also Published As
Publication number | Publication date |
---|---|
CN101674245B (en) | 2012-06-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |