CN103095578A - Routing information control method and provider edge (PE) device in a multiprotocol label switching layer 3 virtual private network (MPLS L3VPN) - Google Patents


Info

Publication number
CN103095578A
Authority
CN
China
Prior art keywords
network
equipment
vpn
route
identity
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013100362597A
Other languages
Chinese (zh)
Other versions
CN103095578B (en)
Inventor
陈岩
王伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Events
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201310036259.7A
Publication of CN103095578A
Application granted
Publication of CN103095578B
Legal status: Active


Abstract

The invention discloses a routing information control method and a provider edge (PE) device in a multiprotocol label switching layer 3 virtual private network (MPLS L3VPN). The MPLS L3VPN network comprises a central organization network and a plurality of branch organization networks, each of which contains PE devices. The method is applied to a PE device and comprises: receiving a VPN route advertised by a first PE device in the MPLS L3VPN network, the VPN route carrying an Export Target attribute; when the VPN route carries a network identity flag, determining from that flag the identity of the network to which the first PE device belongs, the identity being either the central organization network or a branch organization network; and determining, according to the identity of the network to which the receiving PE device belongs and the determined identity of the network to which the first PE device belongs, whether to add the VPN route to the routing table of a first local VPN instance.

Description

Routing information control method in an MPLS L3VPN network and PE device
Technical field
The application relates to the field of network communication technology, and in particular to a routing information control method and a PE device in an MPLS L3VPN network.
Background technology
MPLS (Multiprotocol Label Switching) L3VPN (Layer 3 Virtual Private Network) is a PE (Provider Edge)-based L3VPN technology in the VPN solutions of service providers (SP). It uses BGP (Border Gateway Protocol) to advertise VPN routes over the service provider backbone and uses MPLS to forward VPN packets over that backbone.
Fig. 1 is a networking diagram of an MPLS L3VPN network. As shown in Fig. 1, an MPLS L3VPN network mainly comprises three types of devices: CE (Customer Edge) devices, PE (Provider Edge) devices and P (Provider) devices:
CE device: the edge device of a user network (a site). A site connects to the service provider network through a CE device. After a CE device establishes an adjacency with its directly connected PE device, it advertises the VPN routing information of its site to that PE device and learns the VPN routing information of remote sites from it. CE and PE devices exchange routing information using BGP or an IGP (Interior Gateway Protocol), or use static routes.
PE device: the edge device of the service provider network, directly connected to the CE devices of sites. In an MPLS network, all VPN processing takes place on PE devices. After a PE device learns the local VPN routing information from its directly connected CE devices, it exchanges VPN routing information with other PE devices through BGP. A PE router maintains only the routing information of the VPNs directly connected to it, not all VPN routes in the service provider network.
P device: a backbone device in the service provider network that is not directly connected to any CE device. A P device only needs basic MPLS packet forwarding capability.
In MPLS VPNs, including MPLS L3VPN, route isolation between different VPNs is realized by VPN instances (VPN-instance). A PE device creates and maintains a VPN instance for each directly connected site. A VPN instance contains the VPN membership and routing rules of the corresponding site. If a site belongs to several VPNs at once, its VPN instance contains the information of all of those VPNs. To guarantee the independence and security of VPN data, each VPN instance on a PE device has a relatively independent routing table and LFIB (Label Forwarding Information Base).
MPLS L3VPN uses the BGP extended community attribute Route Target (RT) to control the advertisement of VPN routing information. A VPN instance on a PE device has two kinds of RT attributes:
1. Export Target attribute: before advertising the VPN-IPv4 routes learned from its directly connected site to other PE devices, the PE device sets the Export Target attribute in those routes;
2. Import Target attribute: after receiving VPN-IPv4 routes advertised by other PE devices, the PE device matches the Export Target attribute of each route against the Import Target attribute of each VPN instance on the device; when the route matches the Import Target attribute of a VPN instance, it is added to the routing table of that VPN instance.
At present, in an MPLS L3VPN network, if VPN instances with identical RT attributes are configured on the PE devices of several sites, the VPN routes of these different VPN instances are added to each other, so that the different VPN instances can access each other, which is unfavorable to the security of VPN data. Taking the network in Fig. 1 as an example, VPN instance 1 is configured on PE1 and VPN instance 2 on PE2, and the two have identical RT attributes: both the Export Target and the Import Target attribute are 100:1. PE1 sets Export Target attribute 100:1 in the VPN routes of VPN instance 1 and advertises them to PE2. On receiving such a route, PE2 determines by the method described above that Export Target attribute 100:1 in the route matches Import Target attribute 100:1 of local VPN instance 2 and adds the route to the routing table of VPN instance 2. Likewise, after PE2 advertises the VPN routes of VPN instance 2 to PE1, PE1 adds them to the routing table of VPN instance 1. The VPN routes of VPN instance 1 and VPN instance 2 are thus added to each other, the two VPN instances can access each other, and the security of VPN data suffers. This matters in particular for enterprise networks using the EVI technology, in which some site networks are the headquarters network (also called the central organization network) while others are branch networks, and access between branch networks usually needs to be restricted.
In the prior art, routing control policies are usually configured on the PE devices to control the outward advertisement of VPN routes and the addition of routes from other VPN instances. However, this requires configuring a large number of routing control policies on every PE device, which is a heavy workload, and any subsequent network expansion requires the routing control policies to be reconfigured, so the approach cannot keep up with dynamic changes in the network.
Summary of the invention
The application provides a routing information control method and a PE device in an MPLS L3VPN network, to solve the problem that the prior-art approach of configuring routing control policies on PE devices to restrict the addition of routes from other VPN instances causes a heavy configuration workload and cannot accommodate dynamic changes in the network.
The technical solution of the application is as follows:
In one aspect, a routing information control method in an MPLS L3VPN network is provided. The MPLS L3VPN network comprises a central organization network and a plurality of branch organization networks, each of which contains PE devices. The method is applied to a PE device and comprises:
receiving a VPN route advertised by a first PE device in the MPLS L3VPN network, wherein the VPN route carries an Export Target attribute;
when the VPN route carries a network identity flag, determining from the network identity flag the identity of the network to which the first PE device belongs, wherein the network identity flag indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is either the central organization network or a branch organization network;
determining, according to the identity of the network to which this PE device belongs and the determined identity of the network to which the first PE device belongs, whether to add the VPN route to the routing table of a first local VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In another aspect, a PE device in an MPLS L3VPN network is also provided. The MPLS L3VPN network comprises a central organization network and a plurality of branch organization networks, each of which contains PE devices. The PE device comprises:
a receiving module, for receiving a VPN route advertised by a first PE device in the MPLS L3VPN network, wherein the VPN route carries an Export Target attribute;
a determination module, for determining, after the receiving module receives the VPN route advertised by the first PE device and when the VPN route carries a network identity flag, the identity of the network to which the first PE device belongs from the network identity flag, wherein the network identity flag indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is either the central organization network or a branch organization network;
a control module, for determining, according to the identity of the network to which this PE device belongs and the identity of the network to which the first PE device belongs as determined by the determination module, whether to add the VPN route to the routing table of a first VPN instance of this device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In the technical solution of the application, a network identity flag is added to the advertised VPN route. The flag indicates whether the network to which the PE device sending the VPN route belongs is the central organization network or a branch organization network. After a PE device receives a VPN route advertised by another PE device (called the first PE device), it can determine from the network identity flag carried in the received route whether the network to which the first PE device belongs is the central organization network or a branch organization network, and then, according to the identity of its own network and that of the first PE device's network, decide whether to add the received route to the routing table of the local VPN instance (called the first VPN instance) whose RT attributes match the received route. Consequently, in an MPLS L3VPN network of an organization such as an enterprise, in which VPN instances with identical RT attributes are configured on each PE device, the addition of VPN routes can be controlled flexibly according to the identity of the local network and the network identity flag carried in the received route, without configuring large numbers of complex routing control policies on the PE devices. This saves work, and no routing control policies need to be reconfigured when the network is later expanded, so the solution accommodates dynamic changes in the network. The method of this embodiment improves the security of data in an MPLS L3VPN network applied to an organization such as an enterprise.
Description of drawings
Fig. 1 is a networking diagram of an MPLS L3VPN network;
Fig. 2 is a flow chart of the routing information control method in an MPLS L3VPN network according to embodiment one of the application;
Fig. 3 is a format diagram of the BGP Open message according to embodiment one of the application;
Fig. 4 is a format diagram of the network identity recognition capability field and the network identity flag field added to the optional parameters of the Open message according to embodiment one of the application;
Fig. 5 is a networking diagram of an MPLS L3VPN network applied to an enterprise according to embodiment three of the application;
Fig. 6 is a structural diagram of a PE device in an MPLS L3VPN network according to embodiment four of the application.
Embodiments
The prior art restricts the addition of routes from other VPN instances by configuring routing control policies on PE devices, which causes a heavy configuration workload and cannot accommodate dynamic changes in the network. To solve this problem, the following embodiments of the application provide a routing information control method in an MPLS L3VPN network and a PE device capable of using the method.
Organizations such as groups, enterprises and institutions usually consist of a central organization (for example, a headquarters) and several branches (for example, branch companies), each with its own network. Below, the network of the central organization is called the central organization network and the network of a branch is called a branch organization network. Accordingly, in the following embodiments, an MPLS L3VPN network applied to such an organization comprises a central organization network and a plurality of branch organization networks, each of which contains PE devices.
Embodiment one
The routing information control method in an MPLS L3VPN network according to this embodiment of the application can be executed by any PE device. As shown in Fig. 2, the method comprises the following steps:
Step S201: receive a VPN route advertised by a first PE device (any other PE device in the MPLS L3VPN network), wherein the VPN route carries an Export Target attribute;
In practice, the VPN route may be a VPN IPv4 route or a VPN IPv6 route; the application does not restrict this.
Step S202: when the VPN route carries a network identity flag, determine from the flag the identity of the network to which the first PE device belongs, wherein the network identity flag indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity can be the central organization network or a branch organization network;
When the first PE device advertises a VPN route, it sets in the route both the network identity flag and the Export Target attribute of the VPN instance to which the route belongs, and then sends the route. When the network to which the first PE device belongs is the central organization network, the network identity flag is set to a first value; when it is a branch organization network, the flag is set to a second value.
Therefore, in step S202, whether the network to which the first PE device belongs is the central organization network or a branch organization network can be determined from the value of the network identity flag carried in the received VPN route: when the value is the first value, the network to which the first PE device belongs is the central organization network; when it is the second value, that network is a branch organization network.
Step S203: according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, determine whether to add the VPN route to the routing table of the first local VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In practice, the identity of the network to which a PE device belongs can be configured on the device in advance, so that the PE device determines from this configuration whether its network is the central organization network or a branch organization network.
In step S203, whether to add the VPN route to the routing table of the first local VPN instance can be determined according to the following three cases:
Case 1: the network to which this device belongs is a branch organization network, and the network to which the first PE device belongs is also determined to be a branch organization network, that is, the received VPN route is a VPN route of another branch organization network (the one to which the first PE device belongs). The VPN route is discarded directly;
According to case 1, when this device belongs to a branch organization network and the received VPN route comes from another branch organization network, the route is discarded directly rather than added to the routing table of the local VPN instance (the first VPN instance) whose Import Target attribute matches the Export Target attribute of the route. This prevents the VPN routes of a VPN instance in one branch organization network from being added to VPN instances with identical RT attributes in other branch organization networks, guarantees data security between branches, and restricts mutual access between branch organization networks.
Case 2: the network to which this device belongs is a branch organization network, and the network to which the first PE device belongs is determined to be the central organization network, that is, the received VPN route is a VPN route of the central organization network. The VPN route is added to the routing table of the first local VPN instance;
According to case 2, when this device belongs to a branch organization network and the received VPN route comes from the central organization network, the route is added to the routing table of the local VPN instance (the first VPN instance) whose Import Target attribute matches the Export Target attribute of the route. This allows the VPN routes of the VPN instance of the central organization network to be added to the VPN instances with identical RT attributes in the branch organization networks, so that the branch organization networks can reach the central organization network.
Case 3: the network to which this device belongs is the central organization network, and the network to which the first PE device belongs is determined to be a branch organization network, that is, the received VPN route is a VPN route of a branch organization network (the one to which the first PE device belongs). The VPN route is added to the routing table of the first local VPN instance.
According to case 3, when this device belongs to the central organization network and the received VPN route comes from a branch organization network, the route is added to the routing table of the local VPN instance (the first VPN instance) whose Import Target attribute matches the Export Target attribute of the route. This allows the VPN routes of the VPN instance of a branch organization network to be added to the VPN instance with identical RT attributes in the central organization network, so that the central organization network can reach the branch organization networks.
In addition, this PE device also needs to advertise VPN routes to the other PE devices in the MPLS L3VPN network. The method may therefore further comprise the following steps:
Step S301: when advertising a VPN route, set in the route the network identity flag and the Export Target attribute of the VPN instance to which the route belongs;
wherein, when the network to which this device belongs is the central organization network, the network identity flag is set to the first value, and when it is a branch organization network, to the second value.
Step S302: send the VPN route set in step S301.
In the technical solution of this embodiment, a network identity flag is added to the advertised VPN route to indicate whether the network to which the sending PE device belongs is the central organization network or a branch organization network. A PE device that receives a VPN route from another PE device (the first PE device) determines the identity of the first PE device's network from the value of that flag and then, according to the identity of its own network and that of the first PE device's network, decides whether to add the received route to the routing table of the local VPN instance (the first VPN instance) whose RT attributes match the route. In an MPLS L3VPN network of an organization such as an enterprise, where VPN instances with identical RT attributes are configured on each PE device, the addition of VPN routes can thus be controlled flexibly from the local network identity and the flag carried in the received route, without configuring large numbers of complex routing control policies on the PE devices; this saves work, requires no reconfiguration when the network is later expanded, and so accommodates dynamic changes in the network. The method of this embodiment improves the security of data in an MPLS L3VPN network applied to an organization such as an enterprise.
In addition, to implement the control method above, any PE device in the MPLS L3VPN network needs, before executing the method, to enable the network identity recognition capability and negotiate it with the other PE devices in the MPLS L3VPN network. The network identity recognition capability is the ability to identify whether the network to which the device belongs is the central organization network or a branch organization network. Specifically, the negotiation can be realized by extending the Open message of BGP (Border Gateway Protocol). The method therefore also comprises the step: negotiating the network identity recognition capability with the first PE device through the BGP Open message.
Fig. 3 shows the format of the Open message. Its main fields are explained below:
Version: the BGP version number; for BGP-4 its value is 4;
My autonomous system: the local AS number. By comparing the AS numbers of the two ends it can be determined whether the connection is EBGP (External BGP) or IBGP (Internal BGP);
Hold time: the hold time. The two ends negotiate the Hold Time when establishing the peer relationship and keep it consistent. If no Keepalive or Update message is received from the peer within this time, the BGP connection is considered broken;
BGP identifier: the BGP identifier, expressed as an IP address, used to identify the BGP router;
Opt Parm Len (Optional Parameters Length): the length of the optional parameters; 0 means there are no optional parameters;
Optional parameters: used for functions such as Multiprotocol Extensions.
As can be seen, the negotiation of the network identity recognition capability can be realized by defining the relevant fields in the Optional parameters field of the Open message. In this embodiment, as shown in Fig. 4, two fields are defined in the Optional parameters field: a network identity recognition capability field (denoted HQ_identify Cap in Fig. 4) and a network identity flag field (denoted HQ_identify value in Fig. 4). The two fields are explained below.
HQ_identify Cap field: indicates that the PE device sending this Open message has the network identity recognition capability, that is, can identify the identity of the network to which it belongs; the field may be 1 byte long;
HQ_identify value field: indicates the identity of the network to which the PE device sending this Open message belongs. When the value of the network identity flag field is the first value, the network to which the sending PE device belongs is the central organization network; when it is the second value, that network is a branch organization network. The field may be 1 byte long; the first value may, for example, be 1 and the second value 0.
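The Open message exchange described above, encoded and parsed as an added example; this is not code from the patent. The patent defines the two 1-byte fields but not how they are carried in the Optional parameters, so this example assumes they form the value of one capability inside the RFC 5492 Capabilities Optional Parameter (type 2) under a hypothetical capability code 239, with the first value 1 and the second value 0 as suggested above. The Multiprotocol capability for the VPNv4 address family is included so the message resembles the OPEN a VPNv4 (MP-BGP) neighbor would actually send.

```python
"""Added example (not part of the patent): build and parse a BGP OPEN whose
Optional Parameters carry the HQ_identify Cap / HQ_identify value fields, and
run the capability negotiation between two PE devices."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BGP_MARKER = b"\xff" * 16           # RFC 4271: 16 bytes of all ones
BGP_HEADER_LEN = 19                 # marker (16) + length (2) + type (1)
BGP_OPEN_FIXED_LEN = 10             # version, my AS, hold time, BGP id, opt len
BGP_TYPE_OPEN = 1
BGP_VERSION = 4
OPT_PARAM_CAPABILITIES = 2          # RFC 5492 Capabilities Optional Parameter
CAP_MULTIPROTOCOL = 1               # RFC 4760 AFI/SAFI capability
CAP_HQ_IDENTIFY = 239               # ASSUMED: the text assigns no capability
                                    # code; 239 is in IANA's experimental range
HQ_IDENTIFY_CENTRAL = 1             # "first value": sender is in the central network
HQ_IDENTIFY_BRANCH = 0              # "second value": sender is in a branch network
AFI_IPV4, SAFI_MPLS_VPN = 1, 128    # the VPNv4 address family


@dataclass
class OpenInfo:
    my_as: int
    hold_time: int
    bgp_id: str
    afi_safi: List[Tuple[int, int]] = field(default_factory=list)
    hq_identify: Optional[int] = None   # None: peer did not advertise HQ_identify


def _capability(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_open(my_as: int, hold_time: int, bgp_id: str,
               identity: Optional[int] = None) -> bytes:
    """Build an OPEN; identity=None models a PE without the capability."""
    caps = _capability(CAP_MULTIPROTOCOL,
                       struct.pack("!HBB", AFI_IPV4, 0, SAFI_MPLS_VPN))
    if identity is not None:
        # Assumed Fig. 4 layout: HQ_identify Cap (1 byte, set to 1) followed
        # by HQ_identify value (1 byte: 1 = central, 0 = branch).
        caps += _capability(CAP_HQ_IDENTIFY, bytes([1, identity]))
    opt = bytes([OPT_PARAM_CAPABILITIES, len(caps)]) + caps
    body = struct.pack("!BHH4sB", BGP_VERSION, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, len(opt)) + opt
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body),
                                    BGP_TYPE_OPEN) + body


def _tlvs(buf: bytes):
    """Yield (type, value) from 1-byte-type / 1-byte-length TLVs, refusing
    anything truncated instead of reading past the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = buf[pos], buf[pos + 1]
        val = buf[pos + 2:pos + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated TLV value")
        pos += 2 + ln
        yield t, val


def parse_open(msg: bytes) -> OpenInfo:
    if len(msg) < BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != BGP_TYPE_OPEN:
        raise ValueError("length mismatch or not an OPEN")
    version, my_as, hold_time, raw_id, opt_len = struct.unpack(
        "!BHH4sB", msg[BGP_HEADER_LEN:BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN])
    if version != BGP_VERSION:
        raise ValueError("unsupported BGP version")
    params = msg[BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN:]
    if len(params) != opt_len:
        raise ValueError("Opt Parm Len does not match message length")
    info = OpenInfo(my_as, hold_time, str(ipaddress.IPv4Address(raw_id)))
    for ptype, pval in _tlvs(params):
        if ptype != OPT_PARAM_CAPABILITIES:
            continue                      # unknown optional parameter: ignore
        for code, cval in _tlvs(pval):
            if code == CAP_MULTIPROTOCOL and len(cval) == 4:
                afi, _, safi = struct.unpack("!HBB", cval)
                info.afi_safi.append((afi, safi))
            elif code == CAP_HQ_IDENTIFY:
                if len(cval) != 2 or cval[0] != 1 or cval[1] not in (
                        HQ_IDENTIFY_CENTRAL, HQ_IDENTIFY_BRANCH):
                    raise ValueError("malformed HQ_identify capability")
                info.hq_identify = cval[1]
    return info


def negotiate(local_open: bytes, peer_open: bytes) -> Tuple[bool, Optional[int]]:
    """The capability is in force only if both OPENs carry it; return
    (enabled, peer identity) so the receiver knows how to treat the peer."""
    local, peer = parse_open(local_open), parse_open(peer_open)
    enabled = local.hq_identify is not None and peer.hq_identify is not None
    return enabled, (peer.hq_identify if enabled else None)
```

The parser treats a truncated TLV, an Opt Parm Len that disagrees with the message length, or an HQ_identify value other than 0 or 1 as a malformed OPEN and rejects it (a real implementation would answer with a NOTIFICATION), rather than reading past the buffer or defaulting the peer to one identity: the identity decided here is what later determines which VPN routes are installed, so it must never be guessed.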
Embodiment two
VPN routes can further be divided into business routes and non-business routes, where a business route is a VPN route belonging to a core (that is, important) service and a non-business route is a VPN route belonging to a non-core (that is, unimportant) service, for example the VPN routes of a VoIP (Voice over IP) service. In this embodiment, the addition of business routes is to be controlled by the method of embodiment one, while the addition of non-business routes is not controlled. Therefore, in this embodiment of the application, a non-business flag (denoted the V flag) is added to the VPN route to be advertised, indicating that the route is a non-business route. After a PE device receives a VPN route advertised by another PE device, it can determine from the V flag carried in the route that the route is a non-business route and can still add it to the routing table of the local VPN instance whose RT attributes match the route.
The method of this embodiment comprises the following steps:
Step S401: receive a VPN route advertised by a first PE device (any other PE device in the MPLS L3VPN network), wherein the VPN route carries an Export Target attribute;
In practice, the VPN route may be a VPN IPv4 route or a VPN IPv6 route; the application does not restrict this.
Step S402: when the VPN route carries no network identity flag but carries a non-business flag, determine from the non-business flag that the VPN route is a non-business route and add it to the routing table of a first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
Likewise, when this PE device advertises a non-business route to the first PE device, it may also add the non-business flag to that route. In that case the operation this PE device performs comprises: when advertising a VPN route, if the route to be advertised is a non-business route, set in it the non-business flag and the Export Target attribute of the VPN instance to which the route belongs, and then send the route.
In this embodiment, business routes and non-business routes are distinguished by the non-business flag. Before a non-business route is advertised, the non-business flag is set in it and the network identity flag may be omitted, so that the first PE device, on receiving the route, determines from the non-business flag that it is a non-business route and adds it to the routing table of the local VPN instance whose RT attributes match the route, without considering the identities of the networks to which this device and the sending PE device belong. Before a business route is advertised, the network identity flag is set in it according to the method of embodiment one and the non-business flag may be omitted, so that the addition of the route is controlled according to embodiment one. Marking non-business routes in this way facilitates their control.
Embodiment three
Take a MPLS L3VPN network that is applied to enterprise shown in Figure 5 as example, describe the method in above-described embodiment one and two in detail.As shown in Figure 5, PE1 belongs to main office network (being the central authority network), PE2 belongs to the network of branch company's (being branch) 1, be called branch company's network 1, PE3 belongs to the network of branch company 2, be called branch company's network 2, these three PE equipment of PE1, PE2 and PE3 are set up VPNv4 neighborhood (MP-BGP) each other.Dispose VPN instance 1 on PE1, dispose VPN instance 2 on PE2, dispose VPN instance 3 on PE3, these three VPN instance have identical RT attribute: Export Target attribute and Import Target attribute are 100:1.
In following method, these three PE equipment have all enabled the network identity recognition capability, and have carried out each other the negotiation of Network Recognition ability.
When PE1 is to issue the route 1.1.1.0/24 of VPN instance 1, it sets the Export Target attribute 100:1 and the other attributes in the route 1.1.1.0/24 and sets the network identity mark, forming a VPN IPv4 route; since the network to which PE1 belongs is the main office network, the value of the mark is 1. PE1 then issues the VPN IPv4 route 1.1.1.0/24. After PE2 receives this VPN IPv4 route 1.1.1.0/24, it determines from the value 1 of the network identity mark carried in the route that the network to which PE1 belongs is the main office network, recognizes that the network to which it itself belongs is a branch network, and therefore adds the route to the routing table of its local VPN instance 2. Likewise, after PE3 receives the VPN IPv4 route 1.1.1.0/24, it finally adds it to the routing table of its local VPN instance 3.
When PE2 is to issue the route 2.2.2.0/24 of VPN instance 2, it sets the Export Target attribute 100:1 and the other attributes in the route 2.2.2.0/24 and sets the network identity mark, forming a VPN IPv4 route; since the network to which PE2 belongs is a branch network, the value of the mark is 0. PE2 then issues the VPN IPv4 route 2.2.2.0/24. After PE1 receives this VPN IPv4 route 2.2.2.0/24, it determines from the value 0 of the network identity mark carried in the route that the network to which PE2 belongs is a branch network, recognizes that the network to which it itself belongs is the main office network, and therefore adds the route to the routing table of its local VPN instance 1. Likewise, after PE3 receives the VPN IPv4 route 2.2.2.0/24, it determines from the value 0 of the network identity mark carried in the route that the network to which PE2 belongs is a branch network, recognizes that the network to which it itself belongs is also a branch network, and therefore discards the VPN IPv4 route 2.2.2.0/24 without adding it to its local VPN instance 3.
When PE3 is to issue the route 3.3.3.0/24 of VPN instance 3, it sets the Export Target attribute 100:1 and the other attributes in the route 3.3.3.0/24 and sets the network identity mark, forming a VPN IPv4 route; since the network to which PE3 belongs is a branch network, the value of the mark is 0. PE3 then issues the VPN IPv4 route 3.3.3.0/24. After PE1 receives this VPN IPv4 route 3.3.3.0/24, it determines from the value 0 of the network identity mark carried in the route that the network to which PE3 belongs is a branch network, recognizes that the network to which it itself belongs is the main office network, and therefore adds the route to the routing table of its local VPN instance 1. Likewise, after PE2 receives the VPN IPv4 route 3.3.3.0/24, it determines from the value 0 of the network identity mark carried in the route that the network to which PE3 belongs is a branch network, recognizes that the network to which it itself belongs is also a branch network, and therefore discards the VPN IPv4 route 3.3.3.0/24 without adding it to the routing table of its local VPN instance 2.
When business routes and non-business routes need to be controlled differently, that is, only business routes are controlled and non-business routes are not, then if the VPN IPv4 route 1.1.1.0/24 issued by PE1, the VPN IPv4 route 2.2.2.0/24 issued by PE2 and the VPN IPv4 route 3.3.3.0/24 issued by PE3 are business routes, the routes are issued and controlled according to the method described above. If the VPN IPv4 route 1.1.1.0/24 issued by PE1, the VPN IPv4 route 2.2.2.0/24 issued by PE2 and the VPN IPv4 route 3.3.3.0/24 issued by PE3 are non-business routes, each PE device operates as follows:
When PE1 is to issue the route 1.1.1.0/24 of VPN instance 1, it sets the Export Target attribute 100:1 and the other attributes in the route 1.1.1.0/24 and sets the non-service marker, forming a VPN IPv4 route; PE1 then issues the VPN IPv4 route 1.1.1.0/24. After PE2 receives this VPN IPv4 route 1.1.1.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 2. Likewise, after PE3 receives the VPN IPv4 route 1.1.1.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 3.
When PE2 is to issue the route 2.2.2.0/24 of VPN instance 2, it sets the Export Target attribute 100:1 and the other attributes in the route 2.2.2.0/24 and sets the non-service marker, forming a VPN IPv4 route; PE2 then issues the VPN IPv4 route 2.2.2.0/24. After PE1 receives this VPN IPv4 route 2.2.2.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 1. Likewise, after PE3 receives the VPN IPv4 route 2.2.2.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 3.
When PE3 is to issue the route 3.3.3.0/24 of VPN instance 3, it sets the Export Target attribute 100:1 and the other attributes in the route 3.3.3.0/24 and sets the non-service marker, forming a VPN IPv4 route; PE3 then issues the VPN IPv4 route 3.3.3.0/24. After PE1 receives this VPN IPv4 route 3.3.3.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 1. Likewise, after PE2 receives the VPN IPv4 route 3.3.3.0/24, it determines from the non-service marker carried in the route that it is a non-business route and adds it to the routing table of its local VPN instance 2.
Embodiment four
For the methods of embodiments one and two above, the present embodiment provides a PE device that can apply those methods. As shown in Figure 6, the PE device comprises the following modules: a receiving module 10, a determination module 20 and a control module 30, wherein:
the receiving module 10 is configured to receive a VPN route issued by a first PE device in the MPLS L3VPN network, wherein the VPN route includes an Export Target attribute;
the determination module 20 is configured, after the receiving module 10 has received the VPN route issued by the first PE device, to determine the identity of the network to which the first PE device belongs according to the network identity mark when the VPN route carries one, wherein the network identity mark indicates the identity of the network to which the PE device that sent the VPN route belongs, and the identity is either central authority network or branch office network;
the control module 30 is configured to determine, according to the identity of the network to which this device belongs and the identity of the network to which the first PE device belongs as determined by the determination module 20, whether to add the VPN route to the routing table of a first VPN instance of this device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
To determine, according to the identity of the network to which this device belongs and the identity of the network to which the first PE device belongs as determined by the determination module 20, whether to add the VPN route to the routing table of the first VPN instance of this device, the control module 30 further comprises a discarding unit and an adding unit, wherein:
the discarding unit is configured, when the network to which this device belongs is a branch office network, to directly discard the VPN route received by the receiving module 10 if the network to which the first PE device belongs, as determined by the determination module 20, is a branch office network;
the adding unit is configured, when the network to which this device belongs is a branch office network, to add the VPN route received by the receiving module 10 to the routing table of the local first VPN instance if the network to which the first PE device belongs, as determined by the determination module 20, is the central authority network; and, when the network to which this device belongs is the central authority network, to add the VPN route received by the receiving module 10 to the routing table of the local first VPN instance if the network to which the first PE device belongs, as determined by the determination module 20, is a branch office network.
In addition, the PE device may further comprise a setting module and a sending module, wherein:
the setting module is configured, when this device is to issue a VPN route, to set the network identity mark and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued, wherein the value of the network identity mark is a first value when the network to which this device belongs is the central authority network, and a second value when the network to which this device belongs is a branch office network;
the sending module is configured to issue the VPN route prepared by the setting module.
If business routes and non-business routes are to be treated differently, that is, only business routes are controlled and non-business routes are not, where a business route is a VPN route belonging to core services and a non-business route is a VPN route belonging to non-core services, then the determination module is further configured, when the VPN route does not carry the network identity mark but carries the non-service marker, to determine from the non-service marker that the VPN route is a non-business route, and the control module is further configured to add the VPN route to the routing table of the first VPN instance. The setting module is further configured, when this device is to issue a VPN route that is a non-business route, to set the non-service marker and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued, which is then issued by the sending module.
In addition, the PE device may further comprise a negotiation module configured to negotiate the network identity recognition capability with the first PE device through the Open message of BGP. A network identity recognition capability field and a network identity tag field are added to the Optional parameters field of the Open message. The network identity recognition capability field indicates that the PE device sending the Open message has the network identity recognition capability, that is, the capability to recognize the identity of the network to which it belongs. The network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when its value is the first value, the network to which the sending PE device belongs is the central authority network, and when its value is the second value, the network to which the sending PE device belongs is a branch office network.
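As an added illustration of the route-control logic of embodiments three and four, the following Python model replays the Figure 5 scenario: three PE devices with full-mesh VPNv4 neighbors, all VPN instances using RT 100:1, and the receiving, determination and control modules collapsed into one `receive` method. This is example code written for this page, not the patent's or the applicant's implementation. The class and function names, the use of 1 and 0 as the first and second mark values, and the handling of a route that carries neither a network identity mark nor a non-service marker (treated here as an ordinary RT import) are assumptions; the page itself defines only the central/branch decision rules and the non-business bypass.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Network identity mark values, as in embodiment three: 1 for the main-office
# (central authority) network, 0 for a branch office network.
CENTRAL = 1
BRANCH = 0


@dataclass
class VpnRoute:
    prefix: str
    export_target: str                   # RT Export Target attribute, e.g. "100:1"
    network_mark: Optional[int] = None   # network identity mark; None = not carried
    non_service: bool = False            # non-service marker (non-core-services route)


@dataclass
class VpnInstance:
    name: str
    import_target: str
    export_target: str
    routing_table: List[str] = field(default_factory=list)


@dataclass
class Pe:
    name: str
    network_identity: int                            # CENTRAL or BRANCH (assumed attribute)
    instances: Dict[str, VpnInstance] = field(default_factory=dict)

    def publish(self, inst_name: str, prefix: str, non_service: bool = False) -> VpnRoute:
        """Setting module + sending module: build the VPN IPv4 route to advertise.
        A business route carries the instance's Export Target and this PE's network
        identity mark; a non-business route carries the non-service marker instead."""
        inst = self.instances[inst_name]
        if non_service:
            return VpnRoute(prefix, inst.export_target, None, True)
        return VpnRoute(prefix, inst.export_target, self.network_identity, False)

    def receive(self, route: VpnRoute) -> str:
        """Receiving, determination and control modules. Returns the decision
        ("added", "dropped" or "no-match") so that it can be logged."""
        # The "first VPN instance": the local instance whose Import Target equals
        # the Export Target carried in the received route.
        first = next((i for i in self.instances.values()
                      if i.import_target == route.export_target), None)
        if first is None:
            return "no-match"                 # ordinary RT filtering, nothing to control
        if route.network_mark is None:
            # Non-business route: added regardless of network identities
            # (embodiment two). A route with neither marker is not covered by the
            # page; this model assumes plain RT import for it.
            first.routing_table.append(route.prefix)
            return "added"
        if self.network_identity == BRANCH and route.network_mark == BRANCH:
            return "dropped"                  # branch-to-branch: the discarding unit
        first.routing_table.append(route.prefix)  # branch<-central or central<-branch
        return "added"


def run_embodiment_three(non_service: bool = False) -> Tuple[Dict[str, List[str]], Dict[Tuple[str, str], str]]:
    """Replay Figure 5: PE1 in the main office, PE2 and PE3 in branches.
    Returns the per-PE routing tables and the decision taken for each (PE, prefix)."""
    pe1 = Pe("PE1", CENTRAL, {"vpn1": VpnInstance("vpn1", "100:1", "100:1")})
    pe2 = Pe("PE2", BRANCH, {"vpn2": VpnInstance("vpn2", "100:1", "100:1")})
    pe3 = Pe("PE3", BRANCH, {"vpn3": VpnInstance("vpn3", "100:1", "100:1")})
    pes = [pe1, pe2, pe3]
    adverts = [(pe1, "vpn1", "1.1.1.0/24"),
               (pe2, "vpn2", "2.2.2.0/24"),
               (pe3, "vpn3", "3.3.3.0/24")]
    decisions: Dict[Tuple[str, str], str] = {}
    for origin, inst, prefix in adverts:
        route = origin.publish(inst, prefix, non_service)
        for peer in pes:                      # full-mesh VPNv4 neighbors
            if peer is not origin:
                decisions[(peer.name, prefix)] = peer.receive(route)
    tables = {pe.name: next(iter(pe.instances.values())).routing_table for pe in pes}
    return tables, decisions


if __name__ == "__main__":
    for label, flag in (("business routes", False), ("non-business routes", True)):
        tables, decisions = run_embodiment_three(non_service=flag)
        print(label, tables)
        for key, verdict in decisions.items():
            print("  ", key, verdict)
```

Running the file prints the routing tables for both cases: with business routes, PE1's table holds both branch prefixes while PE2 and PE3 hold only 1.1.1.0/24, so branch-to-branch reachability is blocked with no per-PE route policy; with non-business routes every PE learns every prefix. The returned decision map is the hook an operator would feed into logging to confirm that branch-to-branch drops are actually happening.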
In summary, the above embodiments of the application can achieve the following technical effects:
(1) A network identity mark is added to the issued VPN route, indicating whether the network to which the PE device sending the route belongs is the central authority network or a branch office network. After a PE device receives a VPN route issued by another PE device (referred to as the first PE device), it can determine from the network identity mark carried in the received route whether the network to which the first PE device belongs is the central authority network or a branch office network, and can then decide, according to the identity of its own network and the identity of the first PE device's network, whether to add the received VPN route to the routing table of the local VPN instance that has the same RT attribute as the received route (referred to as the first VPN instance). Thus, when the method is applied to an MPLS L3VPN network of an enterprise or similar organization in which VPN instances with identical RT attributes are configured on each PE device, the addition of VPN routes can be controlled flexibly according to the identity of the local network and the network identity mark carried in the received route, without configuring a large number of complex and tedious route control policies on the PE devices. This saves work, and if the network is later expanded, the route control policies do not need to be reconfigured, so the dynamic change of the network can be accommodated. Using the method of the present embodiment can improve information security in an MPLS L3VPN network applied to an enterprise or similar organization.
(2) Business routes and non-business routes are distinguished by a non-service marker. Before a non-business route is issued, the non-service marker is set on it, and the network identity mark need not be set. In this way, after a PE device receives a VPN route, it can determine from the non-service marker carried in the route that the route is a non-business route, and therefore add the route to the routing table of the local VPN instance that has the same RT attribute as the route. Marking non-business routes in this way facilitates the control of non-business routes.
The above are only preferred embodiments of the application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (11)

1. A routing information control method in a Multi-Protocol Label Switching Layer 3 Virtual Private Network (MPLS L3VPN) network, the MPLS L3VPN network comprising a central authority network and a plurality of branch office networks, each of the central authority network and the branch office networks including a Provider Edge (PE) device, the method being applied to the PE device and characterized in that the method comprises:
receiving a Virtual Private Network (VPN) route issued by a first PE device in the MPLS L3VPN network, wherein the VPN route includes an Export Target attribute;
when the VPN route carries a network identity mark, determining the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device that sent the VPN route belongs, and the identity is central authority network or branch office network;
according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, determining whether to add the VPN route to the routing table of a local first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
2. The method according to claim 1, characterized in that determining, according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, whether to add the VPN route to the routing table of the local first VPN instance comprises:
when the network to which this device belongs is a branch office network, directly discarding the VPN route if the determined network to which the first PE device belongs is a branch office network, and adding the VPN route to the routing table of the local first VPN instance if the determined network to which the first PE device belongs is the central authority network;
when the network to which this device belongs is the central authority network, adding the VPN route to the routing table of the local first VPN instance if the determined network to which the first PE device belongs is a branch office network.
3. The method according to claim 1, characterized in that it further comprises:
when issuing a VPN route, setting the network identity mark and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued, and issuing the VPN route so prepared, wherein the value of the network identity mark is a first value when the network to which this device belongs is the central authority network, and a second value when the network to which this device belongs is a branch office network.
4. The method according to any one of claims 1 to 3, characterized in that it further comprises:
negotiating the network identity recognition capability with the first PE device through the Open message of the Border Gateway Protocol (BGP);
wherein a network identity recognition capability field and a network identity tag field are added to the Optional parameters field of the Open message;
the network identity recognition capability field indicates that the PE device sending the Open message has the network identity recognition capability, that is, the capability to recognize the identity of the network to which it belongs;
the network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when the value of the network identity tag field is the first value, the network to which the sending PE device belongs is the central authority network, and when the value of the network identity tag field is the second value, the network to which the sending PE device belongs is a branch office network.
5. The method according to claim 1, characterized in that it further comprises:
when the VPN route does not carry the network identity mark but carries a non-service marker, determining from the non-service marker that the VPN route is a non-business route, and adding the VPN route to the routing table of the first VPN instance, wherein a non-business route is a VPN route belonging to non-core services, and the non-service marker indicates that the VPN route is a non-business route.
6. The method according to claim 5, characterized in that it further comprises:
when issuing a VPN route, if the VPN route to be issued is a non-business route, setting the non-service marker and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued, and issuing the VPN route so prepared.
7. A Provider Edge (PE) device in a Multi-Protocol Label Switching Layer 3 Virtual Private Network (MPLS L3VPN) network, the MPLS L3VPN network comprising a central authority network and a plurality of branch office networks, each of the central authority network and the branch office networks including a PE device, characterized in that the PE device comprises:
a receiving module configured to receive a Virtual Private Network (VPN) route issued by a first PE device in the MPLS L3VPN network, wherein the VPN route includes an Export Target attribute;
a determination module configured, after the receiving module has received the VPN route issued by the first PE device, to determine the identity of the network to which the first PE device belongs according to the network identity mark when the VPN route carries one, wherein the network identity mark indicates the identity of the network to which the PE device that sent the VPN route belongs, and the identity is central authority network or branch office network;
a control module configured to determine, according to the identity of the network to which this device belongs and the identity of the network to which the first PE device belongs as determined by the determination module, whether to add the VPN route to the routing table of a first VPN instance of this device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
8. The PE device according to claim 7, characterized in that the control module comprises:
a discarding unit configured, when the network to which this device belongs is a branch office network, to directly discard the VPN route received by the receiving module if the network to which the first PE device belongs, as determined by the determination module, is a branch office network;
an adding unit configured, when the network to which this device belongs is a branch office network, to add the VPN route received by the receiving module to the routing table of the local first VPN instance if the network to which the first PE device belongs, as determined by the determination module, is the central authority network; and, when the network to which this device belongs is the central authority network, to add the VPN route received by the receiving module to the routing table of the local first VPN instance if the network to which the first PE device belongs, as determined by the determination module, is a branch office network.
9. The PE device according to claim 7, characterized in that it further comprises:
a setting module configured, when this device is to issue a VPN route, to set the network identity mark and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued, wherein the value of the network identity mark is a first value when the network to which this device belongs is the central authority network, and a second value when the network to which this device belongs is a branch office network;
a sending module configured to issue the VPN route prepared by the setting module.
10. The PE device according to any one of claims 7 to 9, characterized in that it further comprises:
a negotiation module configured to negotiate the network identity recognition capability with the first PE device through the Open message of the Border Gateway Protocol (BGP);
wherein a network identity recognition capability field and a network identity tag field are added to the Optional parameters field of the Open message;
the network identity recognition capability field indicates that the PE device sending the Open message has the network identity recognition capability, that is, the capability to recognize the identity of the network to which it belongs;
the network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when the value of the network identity tag field is the first value, the network to which the sending PE device belongs is the central authority network, and when the value of the network identity tag field is the second value, the network to which the sending PE device belongs is a branch office network.
11. The PE device according to claim 9, characterized in that:
the determination module is further configured, when the VPN route does not carry the network identity mark but carries a non-service marker, to determine from the non-service marker that the VPN route is a non-business route, wherein a non-business route is a VPN route belonging to non-core services, and the non-service marker indicates that the VPN route is a non-business route;
the control module is further configured to add the VPN route to the routing table of the first VPN instance;
the setting module is further configured, when this device is to issue a VPN route that is a non-business route, to set the non-service marker and the Export Target attribute of the VPN instance to which the route belongs in the VPN route to be issued.
Priority Applications (1)

Application Number: CN201310036259.7A; Priority Date: 2013-01-29; Filing Date: 2013-01-29; Title: Routing information control method in MPLS L3VPN network and PE device (granted as CN103095578B)

Publications (2)

CN103095578A, published 2013-05-08
CN103095578B, published 2015-09-30

Family ID: 48207731

Country Status (1): CN, CN103095578B (granted, active)

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
CP03: Change of name, title or address
  Patentee before: Hangzhou H3C Technologies Co., Ltd., Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou High-tech Industrial Development Zone, Zhejiang Province, 310053
  Patentee after: New H3C Technologies Co., Ltd., No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052