CN110868352B - Private network application identification system and method, SDN controller and P device - Google Patents

Publication number
CN110868352B
Authority
CN
China
Prior art keywords
label
mpls
vpn
message
address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911115198.7A
Other languages
Chinese (zh)
Other versions
CN110868352A (en)
Inventor
李�诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201911115198.7A
Publication of CN110868352A
Application granted
Publication of CN110868352B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/50: Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a private network application identification system and method, an SDN controller and a P device. It relates to the field of data communication and realizes the visualization of private network application traffic in a service provider network. The system comprises at least a P device and an SDN controller. The SDN controller receives from the P device the egress PE device address corresponding to an MPLS packet, together with the VPN label allocated by the egress PE device and the packet feature information carried in the MPLS packet. It compares the received egress PE device address and VPN label with the pre-obtained correspondence among PE device addresses, the VPN labels allocated by the PE devices and VPNs, determines the VPN corresponding to the MPLS packet, and determines the private network application corresponding to the MPLS packet by combining the packet feature information.

Description

Private network application identification system and method, SDN controller and P device
Technical Field
The invention belongs to the field of data communication, and particularly relates to a private network application identification system and method, an SDN controller and P equipment.
Background
The Multi-Protocol Label Switching (MPLS) technology is a backbone network technology widely applied at present, and introduces a connection-oriented Label Switching concept on a connectionless IP network, combines a third layer routing technology with a second layer Switching technology, and fully exerts the flexibility of IP routing and the simplicity of second layer Switching, so that many operators and enterprises adopt the MPLS technology to build their own networks to realize cross-regional, safe, reliable and manageable network services.
A Virtual Private Network (VPN) is a private network emulated on a general network architecture. Multiple sites of a VPN user are connected to each other through a service provider network (public network), and all sites in the private network (user network) can communicate with each other across the service provider network, run private network applications, and remain isolated from other VPNs. A Multi-Protocol Label Switching Layer 3 Virtual Private Network (MPLS L3VPN) is a network technology that allows a service provider to use its MPLS backbone network to provide a Layer 3 VPN service for users. In an MPLS L3VPN network, the Border Gateway Protocol (BGP) is usually used to publish VPN routing information in the service provider backbone network, and MPLS is used to forward private network application traffic from one VPN site to another. The MPLS network mainly involves three kinds of network device: the Customer Edge (CE) device, the Provider Edge (PE) device, and the Provider (P) device. In an MPLS L3VPN network, visualizing private network application traffic inside the service provider network is a development requirement of network technology, and two existing solutions address private network application identification:
One solution: the private network application is identified by the Differentiated Services Code Point (DSCP) field in the IP packet or the EXP field in the MPLS label (public network label and private network label). The P device identifies the private network application by parsing the value of the DSCP field or the EXP field, which makes private network traffic visible in the MPLS network. However, the DSCP and EXP fields are generally used to define service priority, so that differentiated Quality of Service (QoS) can be provided for different priorities; changing their original meaning affects the QoS service of the network. In addition, the DSCP and EXP fields have limited length, so only a limited number of private network applications can be identified; the value for each private network application must be planned and defined in advance across the entire network; being a private definition, the value is not universal; and additional deployment is needed on the ingress PE device to match private network application traffic and set the corresponding value in the packet.
The other solution: an MPLS extended label carries an identifier of the private network application, and the P device identifies the private network application by parsing the MPLS extended label.
In summary, in an MPLS L3VPN network both existing solutions for private network application identification have poor generality and limited applicability, have a large impact on the existing MPLS packet processing logic, and require additional deployment.
Disclosure of Invention
The embodiment of the invention provides a private network application identification system and method, an SDN controller and P equipment, which are used for solving the problems that the existing private network application identification scheme is poor in universality and limited in application, the existing MPLS message processing logic is greatly influenced, and extra deployment is needed.
In view of the above, in a first aspect, an embodiment of the present invention provides a private network application identification system, which includes at least a service provider network P device and a software defined network SDN controller,
the P device is configured to receive a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtain the egress PE device address corresponding to the MPLS packet, and parse the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and the packet feature information; and to send the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information to the SDN controller;
the SDN controller is configured to receive, from the P device, the egress PE device address corresponding to the MPLS packet, and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet; to compare the received egress PE device address and the received VPN label allocated by the egress PE device with a pre-obtained correspondence between the PE device address and the VPN label allocated by the PE device; to determine the VPN corresponding to the MPLS packet; and to determine, in combination with the packet feature information, the private network application corresponding to the MPLS packet.
In a second aspect, an embodiment of the present invention provides a method for identifying a private network application, where the method includes:
a service provider network P device receives a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtains the egress PE device address corresponding to the MPLS packet, and parses the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and the packet feature information; and sends the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information to a software defined network (SDN) controller;
the SDN controller receives, from the P device, the egress PE device address corresponding to the MPLS packet, and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet; compares the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence among the PE device address, the VPN label allocated by the PE device and the VPN; determines the VPN corresponding to the MPLS packet; and determines the private network application corresponding to the MPLS packet by combining the packet feature information.
In a third aspect, an embodiment of the present invention provides a private network application identification method, which is applied to a software defined network SDN controller, and the method includes:
receiving, from a service provider network (P) device, the egress service provider network edge (PE) device address corresponding to a multi-protocol label switching (MPLS) packet, and the virtual private network (VPN) label allocated by the egress PE device and the packet feature information in the MPLS packet;
and comparing the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence between the PE device address and the VPN label allocated by the PE device, determining the VPN corresponding to the MPLS packet, and determining the private network application corresponding to the MPLS packet by combining the packet feature information.
In a fourth aspect, an embodiment of the present invention provides a private network application identification method, which is applied to a service provider network P device, and the method includes:
receiving a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtaining the egress PE device address corresponding to the MPLS packet, and parsing the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and the packet feature information; and sending the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information to a software defined network (SDN) controller, so that the SDN controller determines the private network application corresponding to the MPLS packet according to the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information.
In a fifth aspect, an embodiment of the present invention provides a software defined network, SDN, controller, where the SDN controller includes:
a receiving module, configured to receive, from a service provider network P device, the egress service provider network edge (PE) device address corresponding to a multi-protocol label switching (MPLS) packet, and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet;
and an identification module, configured to compare the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence between the PE device address and the VPN label allocated by the PE device, determine the VPN corresponding to the MPLS packet, and determine the private network application corresponding to the MPLS packet by combining the packet feature information.
In a sixth aspect, an embodiment of the present invention provides a service provider network P device, where the P device includes:
a receiving module, configured to receive a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device;
an acquisition module, configured to obtain the egress PE device address corresponding to the MPLS packet, and to parse the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and the packet feature information;
and a sending module, configured to send the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information to a software defined network (SDN) controller.
The private network application identification system and method, the SDN controller and the P device provided by the embodiment of the invention realize the visualization of private network application traffic in the service provider network. This makes network monitoring more effective, allows network anomalies and network attacks to be identified quickly, better supports fault diagnosis and security defense, and helps ensure normal operation of services. The identification method provided by the embodiment of the invention does not modify the DSCP field in IP packets or the EXP field in MPLS labels, and so does not affect QoS service; it requires no network-wide planning or definition of private network application identifiers in advance, so it is more general; it places no limit on the number of private network applications, so it scales better; it requires no additional deployment on the ingress PE device, so it is simpler to implement; and it adds little extra processing on each network device, so the forwarding performance of the network devices is effectively preserved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic diagram of an exemplary private network application identification system;
FIG. 2 is a schematic diagram of an exemplary SR label stack;
FIG. 3 is a flow diagram of an exemplary method of private network application identification;
FIG. 4 is a flow diagram of an exemplary method of private network application identification;
FIG. 5 is a flow diagram of an exemplary method of private network application identification;
FIG. 6 is a schematic diagram of an SDN controller;
FIG. 7 is a schematic structural diagram of a P device.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The system architecture and the service scenario described in the embodiment of the present invention are for more clearly illustrating the technical solution of the embodiment of the present invention, and do not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by those skilled in the art that the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems along with the evolution of the system architecture and the appearance of a new service scenario.
The above method is described in detail with reference to specific examples.
As user demands grow, users want to visualize application traffic in a network. In a network based on a Software Defined Network (SDN) controller in particular, showing application traffic on the SDN controller is the most basic requirement, and it requires being able to distinguish and identify the applications corresponding to network traffic. Existing identification of the application behind network traffic relies mainly on the IP five-tuple (source IP address, source port, destination IP address, destination port and protocol number). However, in an MPLS L3VPN network the IP addresses of different private networks may overlap, so the IP five-tuple alone cannot identify the private network application corresponding to the traffic. The alternative is one of the two methods mentioned in the background, but as analysed there, neither is general in an MPLS L3VPN network: both have many limitations, have a large impact on the existing MPLS packet processing logic, and require additional deployment. Therefore, to meet the requirement of visualizing private network application traffic in an MPLS L3VPN network, a private network application identification method is needed that is more general, has fewer restrictions, has less impact on the existing MPLS packet processing logic, and is simpler to implement.
Based on this, the embodiment of the invention provides a private network application identification system and method, an SDN controller and a P device, so as to realize identification of a private network application corresponding to network traffic in an MPLS L3VPN network by using the SDN controller. In the embodiment of the invention, the private network application corresponding to certain network flow is uniquely determined by combining the message characteristic information with the VPN. The following is a detailed description with reference to specific examples.
Example 1
An embodiment of the present invention provides a private network application identification system. As shown in FIG. 1, the system includes at least a P device and an SDN controller, and the SDN controller establishes a communication connection with the P device. To better describe the system, FIG. 1 also shows, by way of example, two CE devices (CE1 and CE2), an ingress PE device and an egress PE device; the SDN controller establishes a communication connection with all PE devices in the network. The connection between the SDN controller and the P and PE devices can be established through various protocols, for example a Network Configuration Protocol (NETCONF) connection.
When CE1 in the customer network communicates with CE2 in the customer network, CE1 sends an IP packet to the ingress PE device. The ingress PE device encapsulates the received IP packet with an MPLS label header, places in that header the VPN label allocated by the egress PE device and the label corresponding to the egress PE device address, and sends the encapsulated MPLS packet to the P device. The VPN label allocated by the egress PE device is sent to the ingress PE device by the egress PE device.
It is to be understood that the ingress PE device and the egress PE device are determined according to the flow direction, and do not form a limitation on a certain PE device, and any PE device may be used as both the ingress PE device and the egress PE device.
Optionally, the ingress PE device encapsulates the VPN label allocated by the egress PE device in the bottom label of the MPLS label header, and encapsulates the label corresponding to the egress PE device address in an outer label of the MPLS label header. In the embodiment of the present invention, the bottom label (also called the inner label), that is, the private network label (VPN label), is allocated to a private network route (VPN route) by the Border Gateway Protocol (BGP) on the egress PE device. Different VPN labels are allocated to different VPN routes, the VPN on the egress PE device can be uniquely determined from the VPN label, and the VPN label is announced to the ingress PE device. The outer label, that is, the public network label, may be a Label Distribution Protocol (LDP) label, a Resource ReSerVation Protocol with Traffic Engineering extensions (RSVP-TE) label, a Segment Routing (SR) label, or another label.
The MPLS label header may contain multiple layers of labels. For example, if the MPLS label header contains the label stack [100,200,300], the innermost label is called the inner label or bottom label (300 in this stack), the labels other than the inner label are outer labels (100 and 200 in this stack), and the outermost of the outer labels is called the top label (100 in this stack).
The P device receives the MPLS packet sent by the ingress PE device, obtains the egress PE device address corresponding to the MPLS packet, and parses the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information. It then sends the egress PE device address, the VPN label allocated by the egress PE device and the packet feature information to the SDN controller.
In the embodiment of the invention, the P device stores in advance the label mappings corresponding to all PE device addresses. Obtaining the egress PE device address and parsing the MPLS packet therefore comprises the following: the P device looks up the Forwarding Equivalence Class (FEC) corresponding to the label mapping according to the outer label of the MPLS label header, which yields the egress PE device address; it parses the bottom label of the MPLS label header, which yields the VPN label allocated by the egress PE device; and it parses the IP header of the MPLS packet, which yields the packet feature information. The packet feature information may include IP five-tuple information and may also include other information, which is not specifically limited here.
Specifically, after receiving the MPLS packet, the P device first processes the top label in the MPLS label header and looks up the Incoming Label Map (ILM) by that label:
if the ILM found was installed by LDP, the FEC corresponding to the ILM is an IP prefix, and that IP prefix is the egress PE device address;
if the ILM found was installed by RSVP-TE, the FEC corresponding to the ILM is the destination address of the RSVP-TE tunnel, and that destination address is the egress PE device address;
if the ILM found is a segment routing prefix incoming label map (SR Prefix ILM), the FEC corresponding to the ILM is an IP prefix, and that IP prefix is the egress PE device address;
if the ILM found is a segment routing adjacency incoming label map (SR Adj ILM), the P device must find the SR Prefix label in the penultimate layer of the MPLS label header and look up the SR Prefix ILM by that label; the FEC corresponding to that ILM is an IP prefix, and that IP prefix is the egress PE device address. The SR Prefix label in the penultimate layer of the MPLS label header is appended to the end of the SR label stack when the SDN controller issues the SR label stack to the ingress PE device, and it is the SR Prefix label corresponding to the egress PE device address. The SR label stack issued by the SDN controller to the ingress PE device therefore contains, in order, the SR Adj labels of all links on the path from the ingress PE device to the egress PE device, followed by the SR Prefix label corresponding to the egress PE device address. FIG. 2 shows an exemplary SR label stack, where 20 is the SR Adj label between PE1 and PE3, 30 is the SR Adj label between PE3 and PE2, and 500 is the SR Prefix label corresponding to the PE2 address. The SR label stack issued by the SDN controller to PE1 is {20,30,500}.
After the top label is processed, the P device continues with the other labels in the MPLS label header, checking the bottom-of-stack position of each MPLS label in turn until the bottom label is found; the bottom label is the VPN label allocated by the egress PE device. After the MPLS label header is parsed, the P device parses the IP header and obtains the packet feature information from it. The packet feature information includes IP five-tuple information.
In the embodiment of the present invention, taking an SR outer label as an example, the ingress PE device first pushes one layer of VPN label (the bottom label) onto the private network IP packet and then pushes the SR label stack (the outer labels) to form the MPLS label header, in which the penultimate label is the SR Prefix label.
In the embodiment of the present invention, an SR Prefix label needs to be added to the MPLS label header only when the outer label is an SR Adj label. The SR Prefix label is not a special label, and all devices can correctly identify and process it. In all other cases no label needs to be added to the MPLS label header.
In the embodiment of the invention, the SDN controller obtains in advance, from all PE devices, the correspondence among each PE device's address, the VPN labels allocated by that PE device, and the VPNs, and stores it locally. If a VPN label allocated by a PE device changes, the PE device may actively send an announcement message to the SDN controller.
The SDN controller receives, from the P device, the egress PE device address corresponding to the MPLS packet, and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet. It compares the received egress PE device address and VPN label with the pre-obtained correspondence among the PE device address, the VPN label allocated by the PE device and the VPN, determines the VPN corresponding to the MPLS packet, and determines the private network application corresponding to the MPLS packet by combining the packet feature information. This realizes the visualization of private network application traffic in the service provider network.
In the embodiment of the invention, after the P device receives the MPLS packet sent by the ingress PE device, it determines the egress PE device address and the VPN label allocated by the egress PE device from the outer label and the bottom label carried in the MPLS label header. It adds the IP five-tuple parsed from the IP header that follows the MPLS label header in order to distinguish different private network application flows, and records traffic information keyed by the egress PE device address, the VPN label allocated by the egress PE device, and the IP five-tuple. The SDN controller obtains this traffic information from the P device through NETCONF; the information can either be actively fetched by the SDN controller or actively sent to it by the P device. The SDN controller determines the VPN corresponding to the traffic from the egress PE device address and the VPN label in the traffic information, and determines the private network application corresponding to the traffic by combining the IP five-tuple. This realizes the visualization of private network application traffic on the P device.
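The lookup chain described above (top label to ILM to egress PE address, bottom label as VPN label, IP five-tuple, then the controller's table) can be traced in a short sketch. This is an added example, not code from the patent: the ILM contents, PE address, VPN labels 3001/3002, VPN names and the application catalogue are constructed assumptions, and only labels 30 and 500 follow FIG. 2.

```python
import struct
from ipaddress import IPv4Address

# Constructed incoming label map (ILM) of one P device: label -> (installer, FEC).
# Labels 30 and 500 mirror FIG. 2; addresses and other labels are made up.
ILM = {
    100: ("ldp", "10.0.0.2"),        # FEC is an IP prefix, i.e. the egress PE address
    200: ("rsvp-te", "10.0.0.2"),    # FEC is the RSVP-TE tunnel destination
    500: ("sr-prefix", "10.0.0.2"),  # SR Prefix label of the egress PE
    30: ("sr-adj", None),            # adjacency label carries no PE address
}
# Constructed controller table: (PE address, VPN label that PE allocated) -> VPN.
VPN_TABLE = {("10.0.0.2", 3001): "VPN-A", ("10.0.0.2", 3002): "VPN-B"}
# Hypothetical application catalogue: (VPN, dst IP, dst port, protocol) -> name.
APPS = {
    ("VPN-A", "192.168.1.20", 5060, 17): "voip-signalling",
    ("VPN-B", "192.168.1.20", 5060, 17): "building-intercom",
}


def parse_label_stack(frame):
    """Walk 4-byte label entries until the bottom-of-stack (S) bit is set."""
    labels, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack ends without a bottom-of-stack entry")
        (entry,) = struct.unpack_from("!I", frame, off)
        off += 4
        labels.append(entry >> 12)           # top 20 bits: label value
        if (entry >> 8) & 1:                 # S bit: this was the VPN label
            return labels, frame[off:]


def egress_pe_address(labels):
    """Resolve the outer label to the egress PE address via the ILM."""
    if len(labels) < 2:
        raise ValueError("no outer label above the VPN label")
    kind, fec = ILM.get(labels[0], (None, None))
    if kind == "sr-adj":
        # SR Adj case: use the SR Prefix label sitting just above the VPN label.
        kind, fec = ILM.get(labels[-2], (None, None))
        if kind != "sr-prefix":
            raise ValueError("SR Adj stack lacks the trailing SR Prefix label")
    if fec is None:
        raise ValueError("outer label not found in ILM")
    return fec


def five_tuple(ip):
    """Return (src IP, src port, dst IP, dst port, protocol) from an IPv4 packet."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("payload after the label stack is not IPv4")
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    sport = dport = 0
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP carry ports
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return (str(IPv4Address(ip[12:16])), sport,
            str(IPv4Address(ip[16:20])), dport, proto)


def p_device_record(frame):
    """What the P device reports: (egress PE address, VPN label, five-tuple)."""
    labels, ip = parse_label_stack(frame)
    return egress_pe_address(labels), labels[-1], five_tuple(ip)


def controller_identify(record):
    """Controller side: map (PE address, VPN label) to a VPN, then to an application."""
    pe, vpn_label, (src, sport, dst, dport, proto) = record
    vpn = VPN_TABLE.get((pe, vpn_label))
    if vpn is None:
        return None, None            # label not (or no longer) announced by that PE
    return vpn, APPS.get((vpn, dst, dport, proto), "unknown")


def build_frame(labels, src, dst, sport, dport):
    """Build a constructed MPLS + IPv4 + UDP frame (checksums left at zero)."""
    last = len(labels) - 1
    stack = b"".join(struct.pack("!I", (lbl << 12) | ((i == last) << 8) | 64)
                     for i, lbl in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return stack + ip + struct.pack("!HHHH", sport, dport, 8, 0)


# Two sites in different VPNs use the same private addresses and ports.
FRAME_A = build_frame([30, 500, 3001], "192.168.1.10", "192.168.1.20", 40000, 5060)
FRAME_B = build_frame([100, 3002], "192.168.1.10", "192.168.1.20", 40000, 5060)

if __name__ == "__main__":
    for frame in (FRAME_A, FRAME_B):
        rec = p_device_record(frame)
        print(rec, "->", controller_identify(rec))
```

Both frames carry the same IP five-tuple, so only the (egress PE address, VPN label) pair separates them; a record whose pair is missing from the controller's table is left unattributed rather than matched on the five-tuple alone.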
Optionally, in the embodiment of the present invention, the visualization of private network application traffic on the PE device may also be implemented with the SDN controller. In an MPLS L3VPN network, the ingress PE device can distinguish VPNs by the VPN Routing and Forwarding instance (VRF) bound to the interface on which the IP packet is received, and the egress PE device can distinguish VPNs by the VRF bound to the interface on which the IP packet is sent. The P device, however, is not directly connected to CE devices; it has only basic MPLS forwarding capability and does not maintain VPN information, so it has no VRF information with which to distinguish VPNs. Therefore, in the embodiment of the present invention, the SDN controller may additionally obtain in advance, from each PE device, the correspondence between that PE device's VRF indexes and VPNs. After obtaining from the PE device traffic information keyed by VRF index plus IP five-tuple, the SDN controller identifies the VPN corresponding to the traffic from the VRF index and identifies the private network application corresponding to the traffic by combining the IP five-tuple.
The private network application identification system provided by the embodiment of the invention realizes the visualization of the private network application flow in the service provider network, can more effectively realize the monitoring of the network, quickly identify network abnormality and network attack, better help fault diagnosis and security defense and ensure the normal operation of services.
Example 2
This embodiment of the invention provides a private network application identification method. As shown in Fig. 3, the method comprises the following steps:
Step 301, the P device receives an MPLS packet sent by the ingress PE device, obtains the egress PE device address corresponding to the MPLS packet, and parses the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information; it then sends the obtained egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to the SDN controller.
In this embodiment, the egress PE device actively sends information such as the VPN label it has allocated to the ingress PE device. After receiving an IP packet sent by a CE device in the user network, the ingress PE device encapsulates the IP packet with an MPLS label header, placing the VPN label allocated by the egress PE device in the bottom-of-stack label of the header and the label corresponding to the egress PE device address in the outer label, and sends the encapsulated MPLS packet to the P device.
In this step, obtaining the egress PE device address corresponding to the MPLS packet and parsing the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information specifically includes: looking up, according to the outer label of the MPLS label header of the MPLS packet, the forwarding equivalence class (FEC) corresponding to the incoming label map entry to obtain the egress PE device address; parsing the bottom-of-stack label of the MPLS label header to obtain the VPN label allocated by the egress PE device; and parsing the IP header of the MPLS packet to obtain the packet feature information, which includes IP quintuple information.
In this embodiment, the P device stores in advance the incoming label map entries corresponding to all PE device addresses. After receiving an MPLS packet sent by the ingress PE device, the P device first processes the top label in the MPLS label header and looks up the Incoming Label Map (ILM) by that label:
If the ILM entry found was installed by the LDP protocol, the FEC corresponding to the entry is an IP prefix, and that IP prefix is the egress PE device address;
If the ILM entry found was installed by the RSVP-TE protocol, the FEC corresponding to the entry is the destination address of the RSVP-TE tunnel, and that destination address is the egress PE device address;
If the ILM entry found is a segment routing prefix label entry (SR Prefix ILM), the FEC corresponding to the entry is an IP prefix, and that IP prefix is the egress PE device address;
If the ILM entry found is a segment routing adjacency label entry (SR Adj ILM), the segment routing prefix (SR Prefix) label at the penultimate layer of the MPLS label header must be located and the SR Prefix ILM looked up by that label; the FEC corresponding to that entry is an IP prefix, and that IP prefix is the egress PE device address. The SR Prefix label at the penultimate layer of the MPLS label header is appended to the end of the SR label stack when the SDN controller issues the SR label stack to the ingress PE device, and it is the SR Prefix label corresponding to the egress PE device address. The SR label stack issued by the SDN controller to the ingress PE device therefore contains, in order, the SR Adj labels corresponding to each link traversed on the path from the ingress PE device to the egress PE device, followed by the SR Prefix label corresponding to the egress PE device address.
After the top label has been processed, the remaining labels in the MPLS label header are processed: the bottom-of-stack bit of each label is checked in turn until the bottom-of-stack label is found, and that label is the VPN label allocated by the egress PE device. Once the MPLS label header has been parsed, the IP header is parsed and the packet feature information is obtained from it. The packet feature information may include IP quintuple information and may also include other information, which is not described here.
Step 302, the SDN controller receives from the P device the egress PE device address corresponding to the MPLS packet, together with the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet; compares the received egress PE device address and VPN label allocated by the egress PE device with the correspondence, obtained in advance, between PE device addresses and the VPN labels allocated by the PE devices; determines the VPN corresponding to the MPLS packet; and determines the private network application corresponding to the MPLS packet by additionally using the packet feature information. Private network application traffic in the service provider network thus becomes visible.
In this embodiment, the SDN controller obtains in advance, from the PE devices, the correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs.
The private network application identification method provided by this embodiment makes private network application traffic visible in the service provider network, so that the network can be monitored more effectively, network anomalies and network attacks can be identified quickly, fault diagnosis and security defense are better supported, and normal operation of services is ensured. The method does not need to modify the DSCP field in IP packets or the EXP field in MPLS labels, so QoS services are not affected; it requires no network-wide planning or definition of private network application identifiers in advance, so the identification approach is more general; it places no limit on the number of private network applications, so it scales better; it requires no additional deployment on the ingress PE device, so it is simpler to implement; and it does not add excessive extra processing on the P device, so the forwarding performance of the network devices is effectively guaranteed.
Example 3
This embodiment of the invention provides a private network application identification method applied to an SDN controller. As shown in Fig. 4, the method includes:
Step 401, receiving the egress PE device address corresponding to an MPLS packet, sent by the P device, together with the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet. The packet feature information may include IP quintuple information.
Step 402, comparing the received egress PE device address and VPN label allocated by the egress PE device with the correspondence, obtained in advance, between PE device addresses and the VPN labels allocated by the PE devices, determining the VPN corresponding to the MPLS packet, and determining the private network application corresponding to the MPLS packet by additionally using the packet feature information. Private network application traffic in the service provider network thus becomes visible.
In this embodiment, the SDN controller obtains in advance, from all PE devices, the correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs.
Optionally, in this embodiment, visualization of private network application traffic on the PE devices may also be implemented through the SDN controller. In an MPLS L3VPN network, the ingress PE device can distinguish VPNs by the VPN Routing and Forwarding instance (VRF) bound to the interface on which an IP packet is received, and the egress PE device can distinguish VPNs by the VRF bound to the interface on which an IP packet is sent. The P device, however, is not directly connected to the CE devices; it has only basic MPLS forwarding capability and maintains no VPN information, so it has no VRF information with which to distinguish VPNs. Therefore, in this embodiment, the SDN controller may also obtain in advance, from the PE devices, the correspondence between each PE device's VRF index and VPN. After obtaining from a PE device traffic information keyed by VRF index + IP quintuple, the SDN controller identifies the VPN corresponding to the traffic from the VRF index in the traffic information, and identifies the private network application corresponding to the traffic by additionally using the IP quintuple. Private network application traffic thus becomes visible on the PE devices.
The private network application identification method provided by this embodiment makes private network application traffic visible in the service provider network, so that the network can be monitored more effectively, network anomalies and network attacks can be identified quickly, fault diagnosis and security defense are better supported, and normal operation of services is ensured.
With the private network application identification method provided by this embodiment, private network applications on the P devices and PE devices in an MPLS L3VPN network can be effectively identified without modifying the DSCP field in IP packets or the EXP field in MPLS labels, so QoS services are not affected; no network-wide planning or definition of private network application identifiers is required in advance, so the identification approach is more general; the number of private network applications is not limited, so scalability is better; no additional deployment is needed on the ingress PE device, so implementation is simpler; and excessive extra processing does not need to be added on each network device, so the forwarding performance of the network devices is effectively guaranteed.
Example 4
This embodiment of the invention provides a private network application identification method applied to a P device. As shown in Fig. 5, the method comprises the following steps:
Step 501, receiving an MPLS packet sent by an ingress PE device.
Step 502, obtaining the egress PE device address corresponding to the MPLS packet, and parsing the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information; and sending the obtained egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to an SDN controller, so that the SDN controller determines the private network application corresponding to the MPLS packet from the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information. Private network application traffic in the service provider network thus becomes visible.
Specifically, obtaining the egress PE device address corresponding to the MPLS packet and parsing the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information includes:
looking up, according to the outer label of the MPLS label header of the MPLS packet, the forwarding equivalence class (FEC) corresponding to the incoming label map entry to obtain the egress PE device address;
parsing the bottom-of-stack label of the MPLS label header to obtain the VPN label allocated by the egress PE device;
parsing the IP header of the MPLS packet to obtain the packet feature information, where the packet feature information may include IP quintuple information.
In this embodiment, the P device stores in advance the incoming label map entries corresponding to all PE device addresses.
Specifically, after receiving the MPLS packet, the P device first processes the top label in the MPLS label header and looks up the Incoming Label Map (ILM) by that label:
If the ILM entry found was installed by the LDP protocol, the FEC corresponding to the entry is an IP prefix, and that IP prefix is the egress PE device address;
If the ILM entry found was installed by the RSVP-TE protocol, the FEC corresponding to the entry is the destination address of the RSVP-TE tunnel, and that destination address is the egress PE device address;
If the ILM entry found is a segment routing prefix label entry (SR Prefix ILM), the FEC corresponding to the entry is an IP prefix, and that IP prefix is the egress PE device address;
If the ILM entry found is a segment routing adjacency label entry (SR Adj ILM), the segment routing prefix (SR Prefix) label at the penultimate layer of the MPLS label header must be located and the SR Prefix ILM looked up by that label; the FEC corresponding to that entry is an IP prefix, and that IP prefix is the egress PE device address. The SR Prefix label at the penultimate layer of the MPLS label header is appended to the end of the SR label stack when the SDN controller issues the SR label stack to the ingress PE device, and it is the SR Prefix label corresponding to the egress PE device address. The SR label stack issued by the SDN controller to the ingress PE device therefore contains, in order, the SR Adj labels corresponding to each link traversed on the path from the ingress PE device to the egress PE device, followed by the SR Prefix label corresponding to the egress PE device address.
After the top label has been processed, the remaining labels in the MPLS label header are processed: the bottom-of-stack bit of each label is checked in turn until the bottom-of-stack label is found, and that label is the VPN label allocated by the egress PE device. Once the MPLS label header has been parsed, the IP header is parsed and the packet feature information is obtained from it. The packet feature information includes IP quintuple information.
In this embodiment, because ordinary packet processing on the P device already looks up the ILM entry by the outer label, the only addition to ordinary processing is that, when the outer label is a segment routing adjacency label, the FEC corresponding to the ILM entry for the segment routing prefix label must also be looked up to obtain the egress PE device address. Obtaining the bottom-of-stack label does not require fully parsing the whole label header; only the bottom-of-stack bit of each label is checked in turn. Excessive extra processing therefore does not need to be added on the P device, and its forwarding performance is effectively guaranteed.
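The P-device procedure described here and in Example 2 (ILM lookup on the outer label with the SR Adj fallback, bottom-of-stack scan, IP quintuple extraction), as an added Python example that is not code from the patent. The ILM contents, label values, addresses and the names `flow_key`, `SAMPLE_ILM` and `sample_packet` are constructed assumptions, and the inner packet is assumed to be IPv4 carrying TCP or UDP.

```python
import ipaddress
import struct
from typing import NamedTuple

# ILM entry kinds named in the text.
LDP, RSVP_TE, SR_PREFIX, SR_ADJ = "ldp", "rsvp-te", "sr-prefix", "sr-adj"

# Constructed ILM of one P device: incoming label -> (kind, FEC).
# The FEC is the egress PE address (LDP, SR Prefix) or the tunnel destination
# (RSVP-TE). An SR Adj entry identifies a link, not the egress PE.
SAMPLE_ILM = {
    3001: (LDP, "10.0.0.2"),
    4001: (RSVP_TE, "10.0.0.3"),
    16002: (SR_PREFIX, "10.0.0.2"),
    24010: (SR_ADJ, None),
}

class ParseError(ValueError):
    """The packet cannot be turned into a flow key."""

class FlowKey(NamedTuple):
    egress_pe: str
    vpn_label: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

def split_label_stack(pkt, max_depth=16):
    """Read 4-byte label stack entries until the S (bottom-of-stack) bit is set."""
    labels = []
    for off in range(0, max_depth * 4, 4):
        if off + 4 > len(pkt):
            raise ParseError("label stack truncated before bottom of stack")
        (entry,) = struct.unpack_from("!I", pkt, off)
        labels.append(entry >> 12)          # label value: top 20 bits
        if (entry >> 8) & 1:                # S bit
            return labels, pkt[off + 4:]
    raise ParseError("no bottom-of-stack entry within max_depth labels")

def resolve_egress_pe(labels, ilm):
    """Map the outer label to the egress PE address via the ILM."""
    if len(labels) < 2:
        raise ParseError("expected an outer label above the VPN label")
    kind, fec = ilm.get(labels[0], (None, None))
    if kind == SR_ADJ:
        # Adjacency labels say nothing about the egress PE: use the SR Prefix
        # label at the penultimate layer, directly above the VPN label.
        kind, fec = ilm.get(labels[-2], (None, None))
        if kind != SR_PREFIX:
            raise ParseError("SR Adj outer label without SR Prefix label")
    if kind is None:
        raise ParseError("outer label not present in ILM")
    return fec

def parse_quintuple(ip):
    """Extract the IP quintuple from an IPv4 header (TCP/UDP ports if present)."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ParseError("payload after label stack is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ParseError("bad IPv4 header length")
    proto = ip[9]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = 0
    first_fragment = (struct.unpack_from("!H", ip, 6)[0] & 0x1FFF) == 0
    if proto in (6, 17) and first_fragment:
        if len(ip) < ihl + 4:
            raise ParseError("transport header truncated")
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, proto, sport, dport

def flow_key(pkt, ilm):
    """Key used by the P device: egress PE address + VPN label + IP quintuple."""
    labels, inner = split_label_stack(pkt)
    egress_pe = resolve_egress_pe(labels, ilm)
    return FlowKey(egress_pe, labels[-1], *parse_quintuple(inner))

def build_lse(label, bottom):
    """Constructed test data: one label stack entry with TC=0 and TTL=64."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | 64)

def sample_packet(labels, proto=17, sport=40000, dport=443):
    """Constructed test data: label stack + IPv4 header + 4 bytes of ports."""
    stack = b"".join(build_lse(l, i == len(labels) - 1) for i, l in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address("192.168.1.10").packed,
                     ipaddress.IPv4Address("192.168.2.20").packed)
    return stack + ip + struct.pack("!HH", sport, dport)

if __name__ == "__main__":
    for stack in ([3001, 500], [24010, 16002, 500]):
        print(stack, flow_key(sample_packet(stack), SAMPLE_ILM))
```

Packets whose stack is truncated, lacks a bottom-of-stack entry, or carries an outer label that cannot be resolved raise `ParseError` instead of yielding a partial key, so a malformed packet never produces a flow record attributed to the wrong VPN.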
The private network application identification method provided by this embodiment makes private network application traffic visible in the service provider network, so that the network can be monitored more effectively, network anomalies and network attacks can be identified quickly, fault diagnosis and security defense are better supported, and normal operation of services is ensured. The method does not need to modify the DSCP field in IP packets or the EXP field in MPLS labels, so QoS services are not affected; it requires no network-wide planning or definition of private network application identifiers in advance, so the identification approach is more general; and it places no limit on the number of private network applications, so it scales better.
Example 5
This embodiment of the invention provides an SDN controller. As shown in Fig. 6, the SDN controller 60 includes:
a receiving module 601, configured to receive the egress PE device address corresponding to an MPLS packet, sent by a P device, together with the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet. The packet feature information may include IP quintuple information.
an identifying module 602, configured to compare the received egress PE device address and VPN label allocated by the egress PE device with the correspondence, obtained in advance, between PE device addresses and the VPN labels allocated by the PE devices, determine the VPN corresponding to the MPLS packet, and determine the private network application corresponding to the MPLS packet by additionally using the packet feature information.
Optionally, in this embodiment, the SDN controller may obtain in advance, from all PE devices, the correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs, and store it locally.
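The controller-side lookup performed by the identifying module 602 (and by step 402 in Example 3), as an added Python example that is not code from the patent. The correspondence table, the per-VPN application rules keyed by protocol and port, and all names and values are constructed assumptions; the patent does not specify how an application is derived from the IP quintuple.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed correspondence collected in advance from the PE devices:
# (PE device address, VPN label allocated by that PE) -> VPN.
# A VPN label is only meaningful together with the PE that allocated it:
# label 500 names a different VPN on each of the two PEs below.
VPN_BY_PE_AND_LABEL = {
    ("10.0.0.2", 500): "vpn-finance",
    ("10.0.0.3", 500): "vpn-guest",
    ("10.0.0.3", 501): "vpn-finance",
}

# Assumption: applications are defined per VPN by (IP protocol, server port).
APP_RULES = {
    "vpn-finance": {(6, 443): "erp-web", (6, 1433): "ledger-db"},
    "vpn-guest": {(6, 443): "guest-portal"},
}

class FlowRecord(NamedTuple):
    egress_pe: str
    vpn_label: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    octets: int

# Constructed flow records as a P device would report them. The first two carry
# the same private addresses and the same label value but belong to different VPNs.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.2", 500, "192.168.1.10", "192.168.2.20", 6, 40000, 443, 1200),
    FlowRecord("10.0.0.3", 500, "192.168.1.10", "192.168.2.20", 6, 40001, 443, 800),
    FlowRecord("10.0.0.3", 501, "192.168.2.20", "192.168.1.10", 6, 1433, 40002, 300),
    FlowRecord("10.0.0.2", 500, "192.168.1.10", "192.168.2.20", 17, 5000, 5001, 50),
    FlowRecord("10.0.0.2", 999, "192.168.1.10", "192.168.2.20", 6, 40003, 443, 10),
]

def identify(rec):
    """Return (vpn, application) for one record, or (None, None) if unmatched."""
    vpn = VPN_BY_PE_AND_LABEL.get((rec.egress_pe, rec.vpn_label))
    if vpn is None:
        return None, None
    rules = APP_RULES.get(vpn, {})
    # The server port is the destination on requests and the source on replies.
    app = rules.get((rec.proto, rec.dport)) or rules.get((rec.proto, rec.sport))
    return vpn, app or "unclassified"

def summarize(records):
    """Total octets per (vpn, application); unmatched records are kept aside."""
    totals, unmatched = defaultdict(int), []
    for rec in records:
        vpn, app = identify(rec)
        if vpn is None:
            unmatched.append(rec)   # no PE advertised this (address, label) pair
        else:
            totals[(vpn, app)] += rec.octets
    return dict(totals), unmatched

if __name__ == "__main__":
    totals, unmatched = summarize(SAMPLE_RECORDS)
    for key, octets in sorted(totals.items()):
        print(key, octets)
    print("unmatched:", unmatched)
```

Records whose (egress PE address, VPN label) pair is absent from the correspondence are reported separately rather than assigned to a VPN by label value alone.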
By adopting the private network application identification method provided by the foregoing embodiment, the SDN controller provided by this embodiment can effectively identify private network applications on the P devices and PE devices in an MPLS L3VPN network without modifying the DSCP field in IP packets or the EXP field in MPLS labels, so QoS services are not affected; no network-wide planning or definition of private network application identifiers is required in advance, so the identification approach is more general; the number of private network applications is not limited, so scalability is better; no additional deployment is needed on the ingress PE device, so implementation is simpler; and excessive extra processing does not need to be added on each network device, so the forwarding performance of the network devices is effectively guaranteed.
Example 6
This embodiment of the invention provides a service provider network P device. As shown in Fig. 7, the P device 70 includes:
a receiving module 701, configured to receive an MPLS packet sent by an ingress PE device.
an obtaining module 702, configured to obtain the egress PE device address corresponding to the MPLS packet, and to parse the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information.
a sending module 703, configured to send the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to the SDN controller.
The P device provided by this embodiment makes private network application traffic visible in the service provider network, so that the network can be monitored more effectively, network anomalies and network attacks can be identified quickly, fault diagnosis and security defense are better supported, and normal operation of services is ensured. The private network application identification method provided by this embodiment does not need to modify the DSCP field in IP packets or the EXP field in MPLS labels, so QoS services are not affected; it requires no network-wide planning or definition of private network application identifiers in advance, so the identification approach is more general; and it places no limit on the number of private network applications, so it scales better.
An embodiment of the present invention provides an electronic device. Specifically, the electronic device includes a processor, a memory, and a computer program stored in the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of the private network application identification method provided by any one of the above embodiments.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program. When executed by a processor, the computer program implements the processes of the private network application identification method provided in the foregoing embodiments and achieves the same technical effect; to avoid repetition, details are not repeated here. Examples of the computer-readable storage medium include a Random-Access Memory (RAM), a Read-Only Memory (ROM), a flash memory, a Hard Disk Drive (HDD), a Solid-State Drive (SSD), and an optical disc.
It should be noted that the memory above may include volatile memory, such as random access memory; non-volatile memory, such as read-only memory, flash memory, hard disks, and solid-state drives; or a combination of these categories of memory.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the functional modules described above may be found in the corresponding process of the foregoing method embodiments and is not described here again.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the present invention.

Claims (11)

1. A private network application identification system, characterized in that the system comprises at least a service provider network P device and a software defined network (SDN) controller,
the P device is configured to receive a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtain the egress PE device address corresponding to the MPLS packet, and parse the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and packet feature information; and to send the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to the SDN controller;
the SDN controller is configured to receive, from the P device, the egress PE device address corresponding to the MPLS packet and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet, compare the received egress PE device address and the received VPN label allocated by the egress PE device with a pre-obtained correspondence between PE device addresses and the VPN labels allocated by the PE devices, determine the VPN corresponding to the MPLS packet, and determine, in combination with the packet feature information, the private network application corresponding to the MPLS packet.
2. The system of claim 1, wherein
the P device is further configured to store in advance the incoming label map entries corresponding to the PE device addresses; and/or
the SDN controller is further configured to obtain in advance, from the PE devices, the correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs.
3. The system of claim 2, wherein
the P device is specifically configured to look up, according to the outer label of the MPLS label header of the MPLS packet, the forwarding equivalence class corresponding to the incoming label map entry to obtain the egress PE device address;
parse the bottom-of-stack label of the MPLS label header to obtain the VPN label allocated by the egress PE device;
and parse the IP header of the MPLS packet to obtain the packet feature information, wherein the packet feature information comprises IP quintuple information.
4. A private network application identification method, characterized by comprising the following steps:
a service provider network P device receives a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtains the egress PE device address corresponding to the MPLS packet, and parses the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and packet feature information; and sends the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to a software defined network (SDN) controller;
the SDN controller receives, from the P device, the egress PE device address corresponding to the MPLS packet and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet, compares the received egress PE device address and VPN label allocated by the egress PE device with the pre-obtained correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs, determines the VPN corresponding to the MPLS packet, and determines the private network application corresponding to the MPLS packet in combination with the packet feature information.
5. The method according to claim 4, wherein before the P device receives the MPLS packet sent by the ingress PE device, the method further comprises:
the P device stores in advance the incoming label map entries corresponding to the PE device addresses; and/or
the SDN controller obtains in advance, from the PE devices, the correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs.
6. The method of claim 5, wherein
obtaining the egress PE device address corresponding to the MPLS packet and parsing the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information specifically includes:
looking up, according to the outer label of the MPLS label header of the MPLS packet, the forwarding equivalence class corresponding to the incoming label map entry to obtain the egress PE device address;
parsing the bottom-of-stack label of the MPLS label header to obtain the VPN label allocated by the egress PE device;
and parsing the IP header of the MPLS packet to obtain the packet feature information, wherein the packet feature information comprises IP quintuple information.
7. A private network application identification method, applied to a software defined network (SDN) controller, comprising the following steps:
receiving the egress service provider network edge (PE) device address corresponding to a multi-protocol label switching (MPLS) packet, sent by a service provider network P device, and the virtual private network (VPN) label allocated by the egress PE device and packet feature information in the MPLS packet;
and comparing the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence between PE device addresses and the VPN labels allocated by the PE devices, determining the VPN corresponding to the MPLS packet, and determining the private network application corresponding to the MPLS packet in combination with the packet feature information.
8. A private network application identification method, applied to a service provider network P device, the method comprising the following steps:
receiving a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device, obtaining the egress PE device address corresponding to the MPLS packet, and parsing the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and packet feature information; and sending the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to a software defined network (SDN) controller, so that the SDN controller determines the private network application corresponding to the MPLS packet according to the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information.
9. The method according to claim 8, wherein obtaining the egress PE device address corresponding to the MPLS packet and parsing the MPLS packet to obtain the VPN label allocated by the egress PE device and the packet feature information specifically includes:
looking up, according to the outer label of the MPLS label header of the MPLS packet, the forwarding equivalence class corresponding to the incoming label map entry to obtain the egress PE device address;
parsing the bottom-of-stack label of the MPLS label header to obtain the VPN label allocated by the egress PE device;
and parsing the IP header of the MPLS packet to obtain the packet feature information, wherein the packet feature information comprises IP quintuple information.
10. A software defined network (SDN) controller, the SDN controller comprising:
a receiving module, configured to receive the egress service provider network edge (PE) device address corresponding to a multi-protocol label switching (MPLS) packet, sent by a service provider network P device, and the VPN label allocated by the egress PE device and packet feature information in the MPLS packet;
and an identification module, configured to compare the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence between PE device addresses and the VPN labels allocated by the PE devices, determine the VPN corresponding to the MPLS packet, and determine the private network application corresponding to the MPLS packet in combination with the packet feature information.
11. A service provider network P device, the P device comprising:
a receiving module, configured to receive a multi-protocol label switching (MPLS) packet sent by an ingress service provider network edge (PE) device;
an obtaining module, configured to obtain the egress PE device address corresponding to the MPLS packet, and to parse the MPLS packet to obtain the virtual private network (VPN) label allocated by the egress PE device and packet feature information;
a sending module, configured to send the egress PE device address, the VPN label allocated by the egress PE device, and the packet feature information to a software defined network (SDN) controller, so that the SDN controller receives, from the P device, the egress PE device address corresponding to the MPLS packet and the VPN label allocated by the egress PE device and the packet feature information in the MPLS packet, compares the received egress PE device address and the VPN label allocated by the egress PE device with the pre-obtained correspondence among PE device addresses, the VPN labels allocated by the PE devices, and VPNs, determines the VPN corresponding to the MPLS packet, and determines the private network application corresponding to the MPLS packet in combination with the packet feature information.
CN201911115198.7A 2019-11-14 2019-11-14 Private network application identification system and method, SDN controller and P device Active CN110868352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911115198.7A CN110868352B (en) 2019-11-14 2019-11-14 Private network application identification system and method, SDN controller and P device

Publications (2)

Publication Number Publication Date
CN110868352A (en) 2020-03-06
CN110868352B (en) 2022-04-15

Family

ID=69654000

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113688289B (en) * 2020-05-19 2023-11-24 中移(成都)信息通信科技有限公司 Data packet key field matching method, device, equipment and storage medium
CN112637154B (en) * 2020-12-09 2022-06-21 迈普通信技术股份有限公司 Equipment authentication method and device, electronic equipment and storage medium
CN112737951B (en) * 2020-12-28 2022-08-30 网络通信与安全紫金山实验室 End-to-end SR control method, system and readable storage medium in public and private network mixed scene
EP4297346A1 (en) * 2021-03-19 2023-12-27 Huawei Technologies Co., Ltd. Traffic control method and related device
CN113949662B (en) * 2021-11-18 2023-04-21 新华三大数据技术有限公司 Message forwarding method, device, network equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1866868A (en) * 2006-01-18 2006-11-22 华为技术有限公司 Multi protocol label switched network flow managing system and method
CN101488925A (en) * 2009-03-03 2009-07-22 中兴通讯股份有限公司 Method for collecting and designing VPN flow by using Netflow
CN101631089A (en) * 2009-08-27 2010-01-20 杭州华三通信技术有限公司 Flow calculating method, flow calculating device and flow calculating system based on private network VPN
WO2015000173A1 (en) * 2013-07-05 2015-01-08 华为技术有限公司 Tunnel establishment method, label allocation method, device, and network system
CN104734981A (en) * 2015-04-11 2015-06-24 广州咨元信息科技有限公司 Device interconnectional relation-based method of precisely recognizing service traffic of MPLS VPN (multi-protocol label switching virtual private network)
CN108259338A (en) * 2017-06-20 2018-07-06 新华三技术有限公司 A kind of private network application and identification method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8284696B2 (en) * 2007-12-17 2012-10-09 Cisco Technology, Inc. Tracking customer edge traffic


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 610041 nine Xing Xing Road 16, hi tech Zone, Sichuan, Chengdu

Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.

Address before: 610041 15-24 floor, 1 1 Tianfu street, Chengdu high tech Zone, Sichuan

Patentee before: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.