CN103095578B - Routing information control method in MPLS L3VPN network and PE equipment - Google Patents

Info

Publication number: CN103095578B
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201310036259.7A
Other languages: Chinese (zh)
Other versions: CN103095578A (en)
Inventor: 陈岩, 王伟
Current Assignee: New H3C Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd

Abstract

This application discloses a routing information control method in an MPLS L3VPN network and a PE device. The MPLS L3VPN network comprises a central authority network and multiple branch office networks, each of which includes PE devices. The method is applied to a PE device and comprises: receiving a VPN route issued by a first PE device in the MPLS L3VPN network, the VPN route including an Export Target attribute; when the VPN route carries a network identity mark, determining the identity of the network to which the first PE device belongs according to that mark, the identity being central authority network or branch office network; and, according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, determining whether to add the VPN route to the routing table of a local first VPN instance.

Description

Routing information control method in MPLS L3VPN network and PE equipment
Technical field
The application relates to the field of network communication technology, and in particular to a routing information control method in an MPLS L3VPN network and a PE device.
Background technology
MPLS (Multiprotocol Label Switching) L3VPN (Layer 3 Virtual Private Network) is a PE-based (Provider Edge) L3VPN technology among service provider (SP) VPN solutions. It uses BGP (Border Gateway Protocol) to issue VPN routes over the service provider backbone and MPLS to forward VPN packets over the service provider backbone.
Fig. 1 is a networking diagram of an MPLS L3VPN network. As Fig. 1 shows, an MPLS L3VPN network mainly comprises three types of device: CE (Customer Edge) devices, PE (Provider Edge) devices and P (Provider) devices:
CE device: the edge device of a user network (i.e. a site). A site connects to the service provider network through a CE device. After a CE device establishes an adjacency with its directly connected PE device, it issues the VPN routing information of its site to that PE device and learns the VPN routing information of remote sites from it. CE and PE devices exchange routing information using BGP or an IGP (Interior Gateway Protocol); static routes can also be used.
PE device: the edge device of the service provider network, directly connected to the CE devices of sites. In an MPLS network, all VPN processing takes place on PE devices. After a PE device learns the local VPN routing information of a CE from the directly connected CE device, it exchanges VPN routing information with other PE devices through BGP. A PE router maintains only the routing information of the VPNs directly connected to it, not all VPN routes in the service provider network.
P device: a backbone device in the service provider network, not directly connected to CE devices. A P device only needs basic MPLS packet forwarding capability.
In MPLS VPNs, including MPLS L3VPN, route isolation between different VPNs is achieved through VPN instances (VPN-instance). A PE device creates and maintains a VPN instance for each directly connected site. A VPN instance contains the VPN membership and routing rules of the corresponding site. If a site belongs to several VPNs at once, the VPN instance of that site contains the information of all of those VPNs. To ensure the independence and security of VPN data, each VPN instance on a PE device has its own relatively independent routing table and LFIB (Label Forwarding Information Base).
MPLS L3VPN uses the BGP extended community attribute Route Target (RT) to control the issuing of VPN routing information. A VPN instance on a PE device has two kinds of RT attribute:
1. Export Target attribute: before a PE device issues to other PE devices the VPN-IPv4 routes learned from its directly connected sites, it sets the Export Target attribute in those routes;
2. Import Target attribute: after a PE device receives a VPN-IPv4 route issued by another PE device, it matches the Export Target attribute in the route against the Import Target attribute of each VPN instance on the PE device; when the Import Target attribute of a VPN instance matches, the route is added to the routing table of that VPN instance.
At present, in an MPLS L3VPN network, if VPN instances with the same RT attributes are configured on the PE devices of several sites, the VPN routes of these different VPN instances are added to one another's routing tables, so the instances can access each other, which is detrimental to the security of VPN data. Take the network in Fig. 1: VPN instance 1 is configured on PE1 and VPN instance 2 on PE2, and the two have the same RT attributes: both the Export Target attribute and the Import Target attribute are 100:1. PE1 sets Export Target attribute 100:1 in a VPN route of VPN instance 1 and then issues the route to PE2. On receiving it, PE2 determines by the method above that the Export Target attribute 100:1 in the route matches the Import Target attribute 100:1 of local VPN instance 2, and adds the route to the routing table of VPN instance 2. Likewise, after PE2 issues a VPN route of VPN instance 2 to PE1, PE1 adds it to the routing table of VPN instance 1. The VPN routes of VPN instance 1 and VPN instance 2 are thus added to each other, the two instances can access each other, and VPN data security suffers. In particular, in an enterprise network that uses EVI technology, some site networks belong to headquarters (also called the central authority) and others to branches, and access between branch office networks usually needs to be restricted.
The prior art usually configures route control policies on PE devices to control the outward issuing of VPN routes and the adding of VPN routes from other VPN instances. This requires a large number of route control policies on every PE device, which is a heavy workload, and if the network later grows, the route control policies have to be reconfigured, so dynamic changes of the network cannot be accommodated.
The prior art restricts the adding of routes from other VPN instances by configuring route control policies on PE devices, which causes a heavy configuration workload and cannot accommodate dynamic changes of the network. To solve this problem, the following embodiments of the application provide a routing information control method in an MPLS L3VPN network and a PE device to which the method can be applied.
Organizations such as groups, enterprises and institutions usually consist of a central authority (for example, headquarters) and multiple branches (for example, branch companies), each with its own network. Below, the network of the central authority is called the central authority network and the network of a branch is called a branch office network. In the following embodiments of the application, the MPLS L3VPN network applied to such an organization therefore comprises a central authority network and multiple branch office networks, each of which includes PE devices.
Summary of the invention
This application provides a routing information control method in an MPLS L3VPN network and a PE device, to solve the problem that the prior art, which restricts the adding of routes from other VPN instances by configuring route control policies on PE devices, causes a heavy configuration workload and cannot accommodate dynamic changes of the network.
The technical solution of the application is as follows:
In one aspect, a routing information control method in an MPLS L3VPN network is provided. The MPLS L3VPN network comprises a central authority network and multiple branch office networks, each of which includes PE devices. The method is applied to a PE device and comprises:
receiving a VPN route issued by a first PE device in the MPLS L3VPN network, wherein the VPN route includes an Export Target attribute;
when the VPN route carries a network identity mark, determining the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is central authority network or branch office network;
according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, determining whether to add the VPN route to the routing table of a local first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In another aspect, a PE device in an MPLS L3VPN network is also provided. The MPLS L3VPN network comprises a central authority network and multiple branch office networks, each of which includes PE devices. The PE device comprises:
a receiving module, configured to receive VPN routes issued by other PE devices in the MPLS L3VPN network, wherein each VPN route includes an Export Target attribute;
a determining module, configured to, after the receiving module receives a VPN route issued by a first PE device and when the VPN route carries a network identity mark, determine the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is central authority network or branch office network;
a control module, configured to determine, according to the identity of the network to which this device belongs and the identity, determined by the determining module, of the network to which the first PE device belongs, whether to add the VPN route to the routing table of a first VPN instance of this device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In the technical solution of the application, a network identity mark is added to each issued VPN route; the mark indicates whether the network to which the PE device sending the VPN route belongs is the central authority network or a branch office network. After a PE device receives a VPN route issued by another PE device (called the first PE device), it can determine from the network identity mark carried in the received route whether the first PE device belongs to the central authority network or a branch office network. Then, according to the identity of the network to which this device belongs and the identity of the network to which the first PE device belongs, it can determine whether to add the received VPN route to the routing table of the local VPN instance (called the first VPN instance) that has the same RT attributes as the VPN instance to which the received route belongs. Thus, when VPN instances with the same RT attributes are configured on the PE devices of an MPLS L3VPN network applied to an organization such as an enterprise, the adding of VPN routes can be controlled flexibly according to the identity of the network to which this device belongs and the network identity mark carried in received VPN routes, without configuring a large number of complex and tedious route control policies on the PE devices, which saves work. If the network later grows, the route control policies do not need to be reconfigured either, so dynamic changes of the network can be accommodated. Using the method of this embodiment improves data security in an MPLS L3VPN network applied to an organization such as an enterprise.
Description of the accompanying drawings
Fig. 1 is a networking diagram of an MPLS L3VPN network;
Fig. 2 is a flow chart of the routing information control method in an MPLS L3VPN network according to Embodiment one of the application;
Fig. 3 is a schematic diagram of the format of the Open message in BGP according to Embodiment one of the application;
Fig. 4 is a schematic diagram of the format of the network identity recognition capability field and the network identity mark field added to the optional parameters of the Open message in Embodiment one of the application;
Fig. 5 is a networking diagram of an MPLS L3VPN network applied to an enterprise according to Embodiment three of the application;
Fig. 6 is a schematic structural diagram of the PE device in an MPLS L3VPN network according to Embodiment four of the application.
Embodiment
Embodiment one
The routing information control method in an MPLS L3VPN network of this embodiment can be performed by any PE device. As shown in Fig. 2, the method comprises the following steps:
Step S201: receive a VPN route issued by a first PE device in the MPLS L3VPN network (the first PE device being any other PE device in the MPLS L3VPN network), wherein the VPN route includes an Export Target attribute;
In practice, the VPN route may be a VPN IPv4 route or a VPN IPv6 route; the application does not limit this.
Step S202: when the VPN route carries a network identity mark, determine the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity can be central authority network or branch office network;
When the first PE device issues a VPN route, it can set in the route to be issued the network identity mark and the Export Target attribute of the VPN instance to which the route belongs, and then issue the route. When the network to which the first PE device belongs is the central authority network, the value of the network identity mark is set to a first value; when the network to which the first PE device belongs is a branch office network, the value is set to a second value.
Therefore, in step S202, whether the network to which the first PE device belongs is the central authority network or a branch office network can be determined from the value of the network identity mark carried in the received VPN route. Specifically, when the value of the network identity mark carried in the received VPN route is the first value, the network to which the first PE device belongs is determined to be the central authority network; when the value is the second value, the network to which the first PE device belongs is determined to be a branch office network.
Step S203: according to the identity of the network to which this device belongs and the determined identity of the network to which the first PE device belongs, determine whether to add the VPN route to the routing table of the local first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
In practice, the identity of the network to which this device belongs can be configured on the PE device in advance, so that the PE device can determine from this configuration whether the network to which it belongs is the central authority network or a branch office network.
In step S203, whether to add the VPN route to the routing table of the local first VPN instance can be determined according to the following three cases:
Case 1: when the network to which this device belongs is a branch office network, if the determined network to which the first PE device belongs is a branch office network, that is, the received VPN route is a VPN route of another branch office network (the branch office network to which the first PE device belongs), the VPN route is discarded directly;
According to case 1, when the network to which this device belongs is a branch office network and the received VPN route is a VPN route of another branch office network, the received route is discarded directly and is not added to the routing table of the local VPN instance (i.e. the first VPN instance) whose Import Target attribute is identical to the Export Target attribute of the route. This prevents the VPN routes of a VPN instance in one branch office network from being added to VPN instances with the same RT attributes in other branch office networks, ensures data security between branches, and restricts mutual access between branch office networks.
Case 2: when the network to which this device belongs is a branch office network, if the determined network to which the first PE device belongs is the central authority network, that is, the received VPN route is a VPN route of the central authority network, the VPN route is added to the routing table of the local first VPN instance;
According to case 2, when the network to which this device belongs is a branch office network and the received VPN route is a VPN route of the central authority network, the route is added to the routing table of the local VPN instance (i.e. the first VPN instance) whose Import Target attribute is identical to the Export Target attribute of the route. This allows the VPN routes of a VPN instance in a branch office network to be added to the VPN instance with the same RT attributes in the central authority network, ensuring that the central authority network can access the branch office networks.
Case 3: when the network to which this device belongs is the central authority network, if the determined network to which the first PE device belongs is a branch office network, that is, the received VPN route is a VPN route of a branch office network (the branch office network to which the first PE device belongs), the VPN route is added to the routing table of the local first VPN instance.
According to case 3, when the network to which this device belongs is the central authority network and the received VPN route is a VPN route of a branch office network, the route is added to the routing table of the local VPN instance (i.e. the first VPN instance) whose Import Target attribute is identical to the Export Target attribute of the route. This allows the VPN routes of the VPN instance in the central authority network to be added to the VPN instances with the same RT attributes in branch office networks, ensuring that branch office networks can access the central authority network.
In addition, this PE device also needs to issue VPN routes to other PE devices in the MPLS L3VPN network. The method can therefore further comprise the following steps:
Step S301: when issuing a VPN route, set in the route to be issued the network identity mark and the Export Target attribute of the VPN instance to which the route belongs;
When the network to which this device belongs is the central authority network, the value of the network identity mark is set to the first value; when the network to which this device belongs is a branch office network, the value is set to the second value.
Step S302: issue the VPN route set up in step S301.
In the technical solution of this embodiment, a network identity mark is added to each issued VPN route; the mark indicates whether the network to which the PE device sending the VPN route belongs is the central authority network or a branch office network. After a PE device receives a VPN route issued by another PE device (called the first PE device), it can determine from the value of the network identity mark carried in the received route whether the first PE device belongs to the central authority network or a branch office network. Then, according to the identity of the network to which this device belongs and the identity of the network to which the first PE device belongs, it can determine whether to add the received VPN route to the routing table of the local VPN instance (called the first VPN instance) that has the same RT attributes as the VPN instance to which the received route belongs. Thus, when VPN instances with the same RT attributes are configured on the PE devices of an MPLS L3VPN network applied to an organization such as an enterprise, a PE device can flexibly control the adding of VPN routes according to the identity of the network to which it belongs and the network identity mark carried in received VPN routes, without configuring a large number of complex and tedious route control policies on the PE devices, which saves work. If the network later grows, the route control policies do not need to be reconfigured either, so dynamic changes of the network can be accommodated. Using the method of this embodiment improves data security in an MPLS L3VPN network applied to an organization such as an enterprise.
In addition, to implement the above control method, before performing the method, any PE device in the MPLS L3VPN network also needs to enable the network identity recognition capability and negotiate that capability with the other PE devices in the MPLS L3VPN network. The network identity recognition capability is the ability to recognize whether the network to which this device belongs is the central authority network or a branch office network. Specifically, the negotiation can be implemented by extending the Open message in BGP (Border Gateway Protocol). The method therefore also comprises the step of negotiating the network identity recognition capability with the first PE device through the Open message in BGP.
Fig. 3 is a schematic diagram of the Open message format. The main fields of the Open message are explained below:
Version: the BGP version number. For BGP-4, its value is 4;
My autonomous system: the local AS number. Comparing the AS numbers of the two ends determines whether the connection is an EBGP (External BGP) connection or an IBGP (Internal BGP) connection;
Hold time: the hold time. When the peer relationship is established, the two ends negotiate the Hold time and keep it consistent. If no Keepalive or Update message is received from the peer within this time, the BGP connection is considered down;
BGP identifier: the BGP identifier. Expressed in the form of an IP address, it identifies the BGP router;
Opt Parm Len (Optional Parameters Length): the length of the optional parameters. If it is 0, there are no optional parameters;
Optional parameters: the optional parameters, used for functions such as Multiprotocol Extensions.
As can be seen from the above, fields can be defined in the Optional parameters field of the Open message to implement the negotiation of the network identity recognition capability. In this embodiment, as shown in Fig. 4, two fields are defined in the Optional parameters field: a network identity recognition capability field (HQ_identify Cap in Fig. 4) and a network identity mark field (HQ_identify value in Fig. 4). The two fields are explained below.
HQ_identify Cap field: indicates that the PE device sending the Open message has the network identity recognition capability, i.e. can recognize the identity of the network to which it belongs. The length of this field can be 1 byte;
HQ_identify value field: indicates the identity of the network to which the PE device sending the Open message belongs. When the value of the network identity mark field is the first value, the network to which the PE device sending the Open message belongs is the central authority network; when the value is the second value, that network is a branch office network. The length of this field can be 1 byte; the first value can be, for example, 1 and the second value can be, for example, 0.
Embodiment two
VPN routes can be further divided into business routes and non-traffic routes. A business route is a VPN route that belongs to a core (i.e. important) service; a non-traffic route is a VPN route that belongs to a non-core (i.e. unimportant) service, for example a VPN route of a VoIP (Voice over IP) service. In this embodiment, the adding of business routes is to be controlled according to the method of Embodiment one, while the adding of non-traffic routes is not to be controlled. Therefore, in this embodiment of the application, a non-traffic mark (denoted the V mark) is added to the VPN route to be issued; the non-traffic mark indicates that the VPN route is a non-traffic route. After a PE device receives a VPN route issued by another PE device, it can determine from the V mark carried in the route that the route is a non-traffic route, and a non-traffic route can still be added to the routing table of the local VPN instance that has the same RT attributes as the route.
The method of this embodiment comprises the following steps:
Step S401: receive a VPN route issued by a first PE device in the MPLS L3VPN network (the first PE device being any other PE device in the MPLS L3VPN network), wherein the VPN route includes an Export Target attribute;
In practice, the VPN route may be a VPN IPv4 route or a VPN IPv6 route; the application does not limit this.
Step S402: when the VPN route does not carry a network identity mark but carries a non-traffic mark, determine from the non-traffic mark that the VPN route is a non-traffic route and add the VPN route to the routing table of the first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
Likewise, when this PE device issues a non-traffic route to the first PE device, it can also add the non-traffic mark to the route. The operations this PE device performs are: when issuing a VPN route, if the route to be issued is a non-traffic route, set in the route the non-traffic mark and the Export Target attribute of the VPN instance to which the route belongs, and then issue the route.
In this embodiment, business routes and non-traffic routes are distinguished by the non-traffic mark. Before a non-traffic route is issued, the non-traffic mark is set on it and the network identity mark is not. After a PE device receives a VPN route, it can determine from the non-traffic mark carried in the route that the route is a non-traffic route, and then, without considering the identity of the network to which this device belongs or that of the PE device that sent the route, adds the route to the routing table of the local VPN instance that has the same RT attributes as the route. Before a business route is issued, the network identity mark is set on it according to the method of Embodiment one and the non-traffic mark is not, so the adding of the route is controlled according to the method of Embodiment one. Marking non-traffic routes facilitates their control.
Embodiment three
Be applied to the MPLS L3VPN network of enterprise for shown in Fig. 5, describe the method in above-described embodiment one and two in detail.As shown in Figure 5, PE1 belongs to main office network (i.e. central authority network), PE2 belongs to the network of branch company (i.e. branch) 1, be called branch office network 1, PE3 belongs to the network of branch company 2, be called that these three PE equipment of branch office network 2, PE1, PE2 and PE3 set up VPNv4 neighborhood (MP-BGP) each other.PE1 is configured with VPN instance 1, PE2 is configured with on VPN instance 2, PE3 and is configured with VPN instance 3, these three VPN instance have identical RT attribute: Export Target attribute and Import Target attribute are 100:1.
In following method, these three PE equipment all enable network identity recognition capability, and that this has been the negotiation of Network Recognition ability.
When PE1 is to issue the route 1.1.1.0/24 of VPN instance 1, it sets the Export Target attribute 100:1 and so on in the route and sets the network identity mark, forming a VPN IPv4 route. Because the network to which PE1 belongs is the main office network, the value of the mark is 1. PE1 then issues the VPN IPv4 route 1.1.1.0/24. After PE2 receives this route, it determines from the value 1 of the network identity mark carried in the route that the network to which PE1 belongs is the main office network, and it identifies the network to which it itself belongs as a branch office network; it therefore adds the route to the routing table of local VPN instance 2. Likewise, after PE3 receives the VPN IPv4 route 1.1.1.0/24, it also adds the route to the routing table of local VPN instance 3.
When PE2 is to issue the route 2.2.2.0/24 of VPN instance 2, it sets the Export Target attribute 100:1 and so on in the route and sets the network identity mark, forming a VPN IPv4 route. Because the network to which PE2 belongs is a branch office network, the value of the mark is 0. PE2 then issues the VPN IPv4 route 2.2.2.0/24. After PE1 receives this route, it determines from the value 0 of the network identity mark carried in the route that the network to which PE2 belongs is a branch office network, and it identifies the network to which it itself belongs as the main office network; it therefore adds the route to the routing table of local VPN instance 1. Likewise, after PE3 receives the VPN IPv4 route 2.2.2.0/24, it determines from the value 0 of the network identity mark that the network to which PE2 belongs is a branch office network, and it identifies the network to which it itself belongs as also being a branch office network; it therefore discards the route and does not add it to local VPN instance 3.
When PE3 is to issue the route 3.3.3.0/24 of VPN instance 3, it sets the Export Target attribute 100:1 and so on in the route and sets the network identity mark, forming a VPN IPv4 route. Because the network to which PE3 belongs is a branch office network, the value of the mark is 0. PE3 then issues the VPN IPv4 route 3.3.3.0/24. After PE1 receives this route, it determines from the value 0 of the network identity mark carried in the route that the network to which PE3 belongs is a branch office network, and it identifies the network to which it itself belongs as the main office network; it therefore adds the route to the routing table of local VPN instance 1. Likewise, after PE2 receives the VPN IPv4 route 3.3.3.0/24, it determines from the value 0 of the network identity mark that the network to which PE3 belongs is a branch office network, and it identifies the network to which it itself belongs as also being a branch office network; it therefore discards the route and does not add it to the routing table of local VPN instance 2.
Business routes and non-traffic routes may need to be controlled differently, that is, only business routes are controlled and non-traffic routes are not. In that case, if the VPN IPv4 route 1.1.1.0/24 issued by PE1, the VPN IPv4 route 2.2.2.0/24 issued by PE2 and the VPN IPv4 route 3.3.3.0/24 issued by PE3 are business routes, the routes are issued and controlled according to the method above. If these three routes are non-traffic routes, each PE device performs the following operations:
When PE1 is to issue the route 1.1.1.0/24 of VPN instance 1, it sets the Export Target attribute 100:1 and so on in the route and sets the non-traffic mark, forming a VPN IPv4 route, and then issues the VPN IPv4 route 1.1.1.0/24. After PE2 receives this route, it determines from the non-traffic mark carried in the route that the route is a non-traffic route and adds it to the routing table of local VPN instance 2. Likewise, after PE3 receives this route, it determines from the non-traffic mark that the route is a non-traffic route and adds it to the routing table of local VPN instance 3.
When PE2 is to issue the route 2.2.2.0/24 of VPN instance 2, it sets the Export Target attribute 100:1 and so on in the route and sets the non-traffic mark, forming a VPN IPv4 route, and then issues the VPN IPv4 route 2.2.2.0/24. After PE1 receives this route, it determines from the non-traffic mark carried in the route that the route is a non-traffic route and adds it to the routing table of local VPN instance 1. Likewise, after PE3 receives this route, it determines from the non-traffic mark that the route is a non-traffic route and adds it to the routing table of local VPN instance 3.
When PE3 is to issue the route 3.3.3.0/24 of VPN instance 3, it sets the Export Target attribute 100:1 and so on in the route and sets the non-traffic mark, forming a VPN IPv4 route, and then issues the VPN IPv4 route 3.3.3.0/24. After PE1 receives this route, it determines from the non-traffic mark carried in the route that the route is a non-traffic route and adds it to the routing table of local VPN instance 1. Likewise, after PE2 receives this route, it determines from the non-traffic mark that the route is a non-traffic route and adds it to the routing table of local VPN instance 2.
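The Embodiment 3 walk-through can be replayed as a small model. The following is an added example, not code from the patent or from any PE vendor: the class and function names are hypothetical, the mark values 1 and 0 and the RT value 100:1 are taken from Fig. 5's description, and combinations the page does not describe (central to central, a route carrying neither mark) are reported as unspecified rather than guessed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Mark values as used in Embodiment 3 of the page.
CENTRAL_MARK = 1  # sender belongs to the main office (central authority) network
BRANCH_MARK = 0   # sender belongs to a branch office network


class Role(Enum):
    CENTRAL = "central"
    BRANCH = "branch"


class Decision(Enum):
    ADD = "add"
    DISCARD = "discard"
    NO_RT_MATCH = "no-rt-match"  # ordinary RT filtering, assumed; not the page's rule
    UNSPECIFIED = "unspecified"  # combination the page does not describe


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    export_target: str
    identity_mark: Optional[int] = None  # None means the mark is not carried
    non_traffic: bool = False


@dataclass
class PE:
    name: str
    role: Role
    rt: str  # Export Target and Import Target of the local VPN instance
    table: List[str] = field(default_factory=list)

    def publish(self, prefix: str, non_traffic: bool = False) -> VpnRoute:
        """Set the Export Target plus exactly one of the two marks."""
        if non_traffic:
            return VpnRoute(prefix, self.rt, None, True)
        mark = CENTRAL_MARK if self.role is Role.CENTRAL else BRANCH_MARK
        return VpnRoute(prefix, self.rt, mark)

    def decide(self, route: VpnRoute) -> Decision:
        """Import decision for a received VPN route."""
        if route.export_target != self.rt:
            return Decision.NO_RT_MATCH
        if route.identity_mark is None:
            # No identity mark: only the non-traffic mark bypasses the control.
            return Decision.ADD if route.non_traffic else Decision.UNSPECIFIED
        if route.identity_mark == CENTRAL_MARK:
            sender = Role.CENTRAL
        elif route.identity_mark == BRANCH_MARK:
            sender = Role.BRANCH
        else:
            return Decision.UNSPECIFIED  # unknown mark value
        if self.role is Role.BRANCH:
            # Branch-to-branch routes are dropped; routes from the centre are kept.
            return Decision.DISCARD if sender is Role.BRANCH else Decision.ADD
        if sender is Role.BRANCH:
            return Decision.ADD  # central device importing a branch route
        return Decision.UNSPECIFIED  # central to central is not covered

    def receive(self, route: VpnRoute) -> Decision:
        decision = self.decide(route)
        if decision is Decision.ADD:
            self.table.append(route.prefix)
        return decision


def run_embodiment_three(non_traffic: bool = False) -> Dict[str, List[str]]:
    """Replay Fig. 5: PE1 is central, PE2 and PE3 are branches, all RTs 100:1."""
    pes = [PE("PE1", Role.CENTRAL, "100:1"),
           PE("PE2", Role.BRANCH, "100:1"),
           PE("PE3", Role.BRANCH, "100:1")]
    prefixes = {"PE1": "1.1.1.0/24", "PE2": "2.2.2.0/24", "PE3": "3.3.3.0/24"}
    for sender in pes:
        route = sender.publish(prefixes[sender.name], non_traffic)
        for receiver in pes:
            if receiver is not sender:
                receiver.receive(route)
    return {pe.name: pe.table for pe in pes}


if __name__ == "__main__":
    print("business routes:   ", run_embodiment_three(False))
    print("non-traffic routes:", run_embodiment_three(True))
```

The model makes one property easy to see: the import decision rests entirely on marks set by the sending PE device, so the branch-to-branch isolation holds only as long as every PE device sets them truthfully.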
Embodiment four
For the methods of Embodiments 1 and 2, this embodiment provides a PE device to which those methods can be applied. As shown in Fig. 6, the PE device comprises the following modules: a receiver module 10, a determination module 20 and a control module 30, wherein:
The receiver module 10 is configured to receive VPN routes issued by other PE devices in the MPLS L3VPN network, wherein each VPN route includes an Export Target attribute;
The determination module 20 is configured to, after the receiver module 10 receives a VPN route issued by a first PE device and when the VPN route carries a network identity mark, determine the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is central authority network or branch office network;
The control module 30 is configured to determine, according to the identity of the network to which the present device belongs and the identity of the network to which the first PE device belongs as determined by the determination module 20, whether to add the VPN route to the routing table of a first VPN instance of the present device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
To make this determination, the control module 30 further comprises a discarding unit and an adding unit, wherein:
The discarding unit is configured to, when the network to which the present device belongs is a branch office network and the network to which the first PE device belongs, as determined by the determination module 20, is a branch office network, directly discard the VPN route received by the receiver module 10;
The adding unit is configured to, when the network to which the present device belongs is a branch office network and the network to which the first PE device belongs, as determined by the determination module 20, is the central authority network, add the VPN route received by the receiver module 10 to the routing table of the local first VPN instance; and is also configured to, when the network to which the present device belongs is the central authority network and the network to which the first PE device belongs, as determined by the determination module 20, is a branch office network, add the VPN route received by the receiver module 10 to the routing table of the local first VPN instance.
In addition, the PE device may further comprise a setting module and a sending module, wherein:
The setting module is configured to, when the present device is to issue a VPN route, set in that VPN route the network identity mark and the Export Target attribute of the VPN instance to which the route belongs, wherein the value of the network identity mark is a first value when the network to which the present device belongs is the central authority network, and a second value when the network to which the present device belongs is a branch office network;
The sending module is configured to issue the VPN route prepared by the setting module.
Business routes and non-traffic routes may need to be treated differently, that is, only business routes are controlled and non-traffic routes are not, where a business route is a VPN route belonging to core business and a non-traffic route is a VPN route belonging to non-core services. In that case, the determination module is further configured to, when the VPN route does not carry a network identity mark but carries a non-traffic mark, determine according to the non-traffic mark that the VPN route is a non-traffic route; and the control module is further configured to add the VPN route to the routing table of the first VPN instance. The setting module is further configured to, when the present device is to issue a VPN route and that route is a non-traffic route, set in the route the non-traffic mark and the Export Target attribute of the VPN instance to which the route belongs, the route then being issued by the sending module.
In addition, the PE device may further comprise a negotiation module, configured to negotiate the network identity recognition capability with the first PE device through the Open message in BGP, wherein a network identity recognition capability field and a network identity tag field are added to the Optional Parameters field of the Open message. The network identity recognition capability field indicates that the PE device sending the Open message has the capability of identifying the identity of the network to which it belongs. The network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when the value of the network identity tag field is the first value, the network to which the sending PE device belongs is the central authority network; when the value is the second value, the network to which the sending PE device belongs is a branch office network.
To sum up, the above embodiments of the application can achieve the following technical effects:
(1) A network identity mark is added to each issued VPN route, indicating whether the network to which the PE device sending the route belongs is the central authority network or a branch office network. After a PE device receives a VPN route issued by another PE device (called the first PE device), it can determine from the network identity mark carried in the received route whether the network to which the first PE device belongs is the central authority network or a branch office network. Then, according to the identity of the network to which it itself belongs and the identity of the network to which the first PE device belongs, it can decide whether to add the received VPN route to the routing table of the local VPN instance (called the first VPN instance) that has the same RT attribute as the VPN instance to which the received route belongs. Thus, even when every PE device of an MPLS L3VPN network used by an organization such as an enterprise is configured with VPN instances that have the same RT attribute, the addition of VPN routes can be controlled flexibly according to the identity of the network to which the present device belongs and the network identity mark carried in the received VPN route. There is no need to configure a large number of complex and cumbersome route control policies on the PE devices, which saves workload; and if the network is later expanded, the route control policies do not need to be reconfigured, so dynamic changes of the network can also be accommodated. Using the method of this embodiment can improve information security in an MPLS L3VPN network used by an organization such as an enterprise.
(2) Business routes and non-traffic routes are distinguished by a non-traffic mark. Before a non-traffic route is issued, the non-traffic mark is set on it, and the network identity mark may be left unset. In this way, after a PE device receives a VPN route, it can determine from the non-traffic mark carried in the route that the route is a non-traffic route, and it therefore adds the route to the routing table of the local VPN instance that has the same RT attribute as the route. Marking non-traffic routes facilitates control over them.
The foregoing is only the preferred embodiment of the application and is not intended to limit the application; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall fall within the scope of protection of the application.

Claims (11)

1. A routing information control method in a Multi-Protocol Label Switching Layer 3 Virtual Private Network (MPLS L3VPN) network, the MPLS L3VPN network comprising a central authority network and a plurality of branch office networks, the central authority network and the branch office networks each including a Provider Edge (PE) device, the method being applied to the PE device, characterized in that the method comprises:
receiving a Virtual Private Network (VPN) route issued by a first PE device in the MPLS L3VPN network, wherein the VPN route includes an Export Target attribute;
when the VPN route carries a network identity mark, determining the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is central authority network or branch office network;
determining, according to the identity of the network to which the present device belongs and the determined identity of the network to which the first PE device belongs, whether to add the VPN route to the routing table of a local first VPN instance, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
2. The method according to claim 1, characterized in that determining, according to the identity of the network to which the present device belongs and the determined identity of the network to which the first PE device belongs, whether to add the VPN route to the routing table of the local first VPN instance comprises:
when the network to which the present device belongs is a branch office network: if the determined network to which the first PE device belongs is a branch office network, directly discarding the VPN route; if the determined network to which the first PE device belongs is the central authority network, adding the VPN route to the routing table of the local first VPN instance;
when the network to which the present device belongs is the central authority network: if the determined network to which the first PE device belongs is a branch office network, adding the VPN route to the routing table of the local first VPN instance.
3. The method according to claim 1, characterized by further comprising:
when a VPN route is to be issued, setting in that VPN route the network identity mark and the Export Target attribute of the VPN instance to which the route belongs, and issuing the VPN route so prepared, wherein the value of the network identity mark is a first value when the network to which the present device belongs is the central authority network, and a second value when the network to which the present device belongs is a branch office network.
4. The method according to any one of claims 1 to 3, characterized by further comprising:
negotiating the network identity recognition capability with the first PE device through the Open message in the Border Gateway Protocol (BGP);
wherein a network identity recognition capability field and a network identity tag field are added to the Optional Parameters field of the Open message;
the network identity recognition capability field indicates that the PE device sending the Open message has the capability of identifying the identity of the network to which it belongs;
the network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when the value of the network identity tag field is the first value, the network to which the PE device sending the Open message belongs is the central authority network; when the value of the network identity tag field is the second value, the network to which the PE device sending the Open message belongs is a branch office network.
5. The method according to claim 1, characterized by further comprising:
when the VPN route does not carry a network identity mark but carries a non-traffic mark, determining according to the non-traffic mark that the VPN route is a non-traffic route, and adding the VPN route to the routing table of the first VPN instance, wherein a non-traffic route is a VPN route belonging to non-core services, and the non-traffic mark indicates that the VPN route is a non-traffic route.
6. The method according to claim 5, characterized by further comprising:
when a VPN route is to be issued and that route is a non-traffic route, setting in that VPN route the non-traffic mark and the Export Target attribute of the VPN instance to which the route belongs, and issuing the VPN route so prepared.
7. A Provider Edge (PE) device in a Multi-Protocol Label Switching Layer 3 Virtual Private Network (MPLS L3VPN) network, the MPLS L3VPN network comprising a central authority network and a plurality of branch office networks, the central authority network and the branch office networks each including a PE device, characterized in that the PE device comprises:
a receiver module, configured to receive Virtual Private Network (VPN) routes issued by other PE devices in the MPLS L3VPN network, wherein each VPN route includes an Export Target attribute;
a determination module, configured to, after the receiver module receives a VPN route issued by a first PE device and when the VPN route carries a network identity mark, determine the identity of the network to which the first PE device belongs according to the network identity mark, wherein the network identity mark indicates the identity of the network to which the PE device sending the VPN route belongs, and the identity is central authority network or branch office network;
a control module, configured to determine, according to the identity of the network to which the present device belongs and the identity of the network to which the first PE device belongs as determined by the determination module, whether to add the VPN route to the routing table of a first VPN instance of the present device, wherein the first VPN instance has an Import Target attribute identical to the Export Target attribute in the VPN route.
8. The PE device according to claim 7, characterized in that the control module comprises:
a discarding unit, configured to, when the network to which the present device belongs is a branch office network and the network to which the first PE device belongs, as determined by the determination module, is a branch office network, directly discard the VPN route received by the receiver module;
an adding unit, configured to, when the network to which the present device belongs is a branch office network and the network to which the first PE device belongs, as determined by the determination module, is the central authority network, add the VPN route received by the receiver module to the routing table of the local first VPN instance; and also configured to, when the network to which the present device belongs is the central authority network and the network to which the first PE device belongs, as determined by the determination module, is a branch office network, add the VPN route received by the receiver module to the routing table of the local first VPN instance.
9. The PE device according to claim 7, characterized by further comprising:
a setting module, configured to, when the present device is to issue a VPN route, set in that VPN route the network identity mark and the Export Target attribute of the VPN instance to which the route belongs, wherein the value of the network identity mark is a first value when the network to which the present device belongs is the central authority network, and a second value when the network to which the present device belongs is a branch office network;
a sending module, configured to issue the VPN route prepared by the setting module.
10. The PE device according to any one of claims 7 to 9, characterized by further comprising:
a negotiation module, configured to negotiate the network identity recognition capability with the first PE device through the Open message in the Border Gateway Protocol (BGP);
wherein a network identity recognition capability field and a network identity tag field are added to the Optional Parameters field of the Open message;
the network identity recognition capability field indicates that the PE device sending the Open message has the capability of identifying the identity of the network to which it belongs;
the network identity tag field indicates the identity of the network to which the PE device sending the Open message belongs: when the value of the network identity tag field is the first value, the network to which the PE device sending the Open message belongs is the central authority network; when the value of the network identity tag field is the second value, the network to which the PE device sending the Open message belongs is a branch office network.
11. The PE device according to claim 9, characterized in that:
the determination module is further configured to, when the VPN route does not carry a network identity mark but carries a non-traffic mark, determine according to the non-traffic mark that the VPN route is a non-traffic route, wherein a non-traffic route is a VPN route belonging to non-core services, and the non-traffic mark indicates that the VPN route is a non-traffic route;
the control module is further configured to add the VPN route to the routing table of the first VPN instance;
the setting module is further configured to, when the present device is to issue a VPN route and that route is a non-traffic route, set in that VPN route the non-traffic mark and the Export Target attribute of the VPN instance to which the route belongs.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310036259.7A CN103095578B (en) 2013-01-29 2013-01-29 Routing information control method in MPLS L3VPN network and PE equipment

Publications (2)

Publication Number Publication Date
CN103095578A CN103095578A (en) 2013-05-08
CN103095578B true CN103095578B (en) 2015-09-30

Family

ID=48207731

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310036259.7A Active CN103095578B (en) 2013-01-29 2013-01-29 Routing information control method in MPLS L3VPN network and PE equipment

Country Status (1)

Country Link
CN (1) CN103095578B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.