CN1630249A - A method for realizing hierarchical management of user sites in VPN - Google Patents


Info

Publication number
CN1630249A
Authority
CN
China
Prior art keywords
vpn
user site
equipment
routing information
local
Prior art date
Legal status
Granted
Application number
CN 200310123978
Other languages
Chinese (zh)
Other versions
CN1317851C (en)
Inventor
董伟嗣
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2003101239789A
Publication of CN1630249A
Application granted
Publication of CN1317851C
Anticipated expiration
Expired - Fee Related (current legal status)

Abstract

This invention relates to a method for hierarchical management of user sites in a VPN (Virtual Private Network). It achieves hierarchical management in RFC 2547 based PP VPN networking: the VPN partition within one PE device can be managed by the network manager of the local PE device, while the VPN partition across all PE devices is managed by the network manager of the whole network, so that a change of the VPN relationships on the local PE device does not affect the VPN relationships of the whole network or those between user sites on other PE devices.

Description

Method for hierarchical management of user sites in a virtual private network
Technical field
The present invention relates to the field of network communication technology, and in particular to a method for hierarchical management of user sites in a VPN (Virtual Private Network).
Background technology
A VPN is a private network that an enterprise or a specific user group builds over a public network (such as the Internet resources of an operator) to meet its own application needs. Through a VPN, an enterprise or user group can establish secure and reliable connections and transfer data at low cost between its branches, remote users, business partners and so on. A traditional VPN is built on IP (Internet Protocol) technology: it uses the IP network facilities to emulate a private wide-area network, so that the enterprise or user group builds its own private network over the public IP network. MPLS/BGP VPN is an IP VPN service that uses MPLS (Multiprotocol Label Switching) and BGP (Border Gateway Protocol) in the public network; the RFC 2547 standard (RFC, Request for Comments, the Internet standards series) was formed on this basis. The VPN described by that standard is a PP VPN (Provider Provided VPN, a VPN provided by the operator): the VPN devices are located on the network side, the operator provides the VPN service to the user, and the user equipment need not be aware of the VPN; it only has to connect to a PE device provided by the operator. The networking structure of an MPLS/BGP VPN is shown in Figure 1; the devices in the figure are:
CE (Customer Edge) router or device: part of the user network, which can connect directly to the operator's backbone network through an interface; it is used to connect a SITE (user site) of the VPN to a PE device.
PE (Provider Edge, backbone-network edge) router or device: the provider edge router, which is the edge device of the carrier network and the entity that implements the MPLS/BGP VPN service. It maintains an independent routing table for each VPN user site and connects directly to the user's CE device. In the MPLS network, all VPN processing takes place on the PE devices.
P (Provider, backbone core router): the core router in the carrier network, which generally does not connect directly to CE devices. The P router has basic MPLS forwarding capability.
CE and PE devices are distinguished mainly by the management scope of the operator and of the user: the CE device and the PE device are the borders of the two management domains. Routing information is exchanged between a CE and a PE device using the E-BGP (External BGP) or an IGP (Interior Gateway Protocol) routing protocol, or of course static routes; the CE device need not support MPLS or be aware of the VPN. Between the PE devices inside the VPN, routing information is exchanged using MP-IBGP (Multiprotocol Internal BGP).
The networking structure of a BGP/MPLS VPN has been described above; the related attributes of a BGP/MPLS VPN are introduced in turn below:
A VPN is usually made up of several SITEs. On a PE device, each SITE corresponds to a VRF (VPN Routing/Forwarding instance). A VRF mainly comprises an IP routing table, a label forwarding table, a set of interfaces that use the label forwarding table, and management information; the management information includes the RD (Route Distinguisher), route filtering policies, a member interface list and so on.
VPN routing information is distributed between PE devices using BGP and VPN-IPv4 addresses. A VPN-IPv4 address is 12 bytes long: it begins with an 8-byte RD, followed by a 4-byte IPv4 address, as shown in Figure 2. The service provider can allocate RDs independently; usually a dedicated AS (Autonomous System) number is used as part of the RD to guarantee that each RD is globally unique. In this way, even if the 4-byte IPv4 addresses contained in VPN-IPv4 addresses overlap, the VPN-IPv4 addresses themselves remain globally unique. The routing information a PE device receives from a CE is IPv4 routing information; when it is introduced into a VRF routing table as required, the RD must be appended at that point. Generally, all routing information coming from the same SITE is given the same RD.
The Vpn-Target (VPN target) attribute is used to finally determine the VPN partition of the whole network. Because there is no explicit VPN identifier in MPLS/BGP VPN, the Vpn-Target attribute is relied on to determine which SITEs' routes a given SITE can receive, and which SITEs can receive the routes of that SITE. Concretely, the PE device holds two sets of Vpn-Target attributes: one set is appended to the routes received from a given SITE and is called the Export Vpn-Targets; the other set is used to determine which routes are introduced into the routing table of that SITE and is called the Import Vpn-Targets. By matching the Vpn-Target attributes carried by routes, the membership of a VPN is obtained; matching Vpn-Target attributes can thus be used to filter the routing information a PE device receives. As shown in Figure 2, when an MPLS VPN route is received, if its Export Vpn-Targets set (ERT1, ERT2, ..., ERTn) has an item in common with the Import Vpn-Targets set, the corresponding route is valid; if the Export Vpn-Targets set and the Import Vpn-Targets set have no item in common, the route is rejected as invalid.
While routing information is propagated between CE and PE devices by an IGP or E-BGP, the PE obtains the routing table of the VPN and stores it in a separate VRF. Internal connectivity between all PEs in the network is guaranteed by an IGP; VPN composition information and routing information are propagated by IBGP, and each PE updates its own VRFs. By exchanging routes with its directly connected CEs, the PE updates the routing tables of the CEs and so completes the route exchange between the CEs.
Once route exchange between the PE devices of the whole network, and between PE and CE devices, is complete, VPN packets can be forwarded. VPN packet forwarding uses two layers of labels. The first (outer) label is swapped inside the backbone and represents the LSP (Label Switched Path) from the PE to the remote PE; using this label, the VPN packet reaches the remote PE along the LSP. The second (inner) label is used when the remote PE delivers the packet to the CE: this VPN label indicates which SITE, i.e. which CE, the packet is destined for. Thus, from the VPN label, the outgoing interface can be found.
It can be seen that in the current RFC 2547 based PP VPN (Provider Provided VPN, the VPN provided by the operator) solution, VPN relationships are formed by a kind of policy matching; that is, there is no explicit VPN identifier. For example, suppose the local PE has two VRFs, VRF1 and VRF2, and the remote PE also has two corresponding VRFs, VRF1 and VRF2. By configuring the import vpn-target and export vpn-target attributes of the local and remote VRFs respectively, the corresponding matching relationships are formed, the needed routes can be sent and received, and the final VPN relationship is established.
Therefore, a change of the import vpn-target attribute or export vpn-target attribute of any one VRF affects the VPN partition of the whole network and changes the VPN relationships of the whole network. In some applications several VRFs are usually configured on a PE device, i.e. several SITEs are connected, and these VRFs form different VPN relationships with VRFs on other PE devices. Since the VPN partition of the whole network is managed by the network manager of the whole network, the import vpn-target and export vpn-target attributes of the different VRFs are planned uniformly, which includes managing the VPN relationships between the different VRFs on one PE device.
Because a network topology is normally divided by region, the VPN customers connected to one PE device belong to the same region and, because of administrative divisions, may also belong to the same administrator. A more flexible VPN relationship between them is therefore usually desired: the VPN relationships of the different VPN customers on one PE device should be manageable independently, which means that the authority to partition VPNs on that PE device is fully localised and handed to the administrator of the local PE device. For example, in a government office network each city has an independent PE device, and each city has several large functional departments, such as finance, personnel and so on, each connected to that PE device. The same functional department in different cities belongs to the same VPN, while different functional departments belong to different VPNs and cannot access each other. However, several large departments within the same city may be in one VPN, or several systems on one PE may be in one VPN, so this VPN relationship may change frequently, and a change of such a local VPN relationship should normally not affect the VPN relationships of customers in other cities.
At present, however, a change of the VPN attributes of any one VRF affects the VPN partition of the whole network, which places significant limits on meeting this requirement: in the example above it is impossible to keep a change of the local VPN relationship from affecting the VPN relationships of customers in other cities.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a method for hierarchical management of user sites in a virtual private network, so that the member management authority within the whole VPN is managed hierarchically and the VPN relationships between the user sites in the VPN can be adjusted flexibly.
The object of the invention is achieved through the following technical solution:
The method for hierarchical management of user sites in a virtual private network comprises:
A. determining all user sites that need hierarchical management;
B. configuring local VPN target attributes for the determined user sites respectively;
C. each determined user site introducing the routing information sent by the other user sites according to the configured local VPN target attributes;
D. the determined user sites accessing each other according to the introduced routing information.
Step A comprises:
determining, on a PE (Provider Edge) device of the backbone network, the user sites that need to access each other as the user sites that need hierarchical management.
In the present invention, the local VPN target attribute of step B is:
attribute information defined so that routing information can be exchanged only between the user sites determined to need hierarchical management.
Step B comprises:
configuring a local import VPN target attribute and a local export VPN target attribute respectively for the user sites determined to need mutual access.
Step C comprises:
each determined user site judging whether the local export VPN target attribute set in routing information received on the local PE device has an item in common with the local import VPN target attribute set configured for this user site; if so, the routing information is introduced, otherwise it is refused. The local PE device is the PE device at which the corresponding user site is located.
Step C further comprises:
C1. the routing/forwarding instance corresponding to the user site judging whether the export VPN target attribute set in the received routing information has an item in common with the import VPN target attribute set configured for this user site; if so, the routing information is introduced, otherwise step C2 is executed;
C2. further judging whether the received routing information comes from the local PE device; if so, step C3 is executed, otherwise the routing information is refused;
C3. further judging whether the local export VPN target attribute set in the routing information received on the local PE device has an item in common with the local import VPN target attribute set configured for this user site; if so, the routing information is introduced, otherwise it is refused.
In the method for hierarchical management of user sites in a virtual private network, before step A is carried out the method also comprises step E:
E. determining, in the VPN, each user site whose VPN relationship needs to change, and judging whether these user sites are all on the same PE device; if so, step A is executed, otherwise step F is executed;
F. configuring import/export VPN target attributes for each of these user sites respectively;
G. each of these user sites introducing the routing information sent by the other user sites according to the configured import/export VPN target attributes;
H. these user sites accessing each other according to the introduced routing information.
In the method for hierarchical management of user sites in a virtual private network according to the present invention:
step B is: the network manager of the PE device at which the determined user sites are located configures the local VPN target attributes for the determined user sites respectively;
step F is: the network manager of the whole network configures the import/export VPN target attributes for each of these user sites respectively.
In the present invention, the processing of the routing information sent by each user site in steps C and G comprises:
when a user site sends routing information to other user sites on the PE device at which it is located, the routing information carries both the VPN target attribute and the local VPN target attribute configured for this user site;
when a user site sends routing information to user sites beyond the PE device at which it is located, the routing information carries only the VPN target attribute configured for this user site.
In the present invention, the network of step E may be an MPLS/BGP VPN (a VPN based on Multiprotocol Label Switching/Border Gateway Protocol) or an L2VPN implemented according to the draft-kompella-ppvpn-l2vpn-Ox.txt draft (a draft on layer-2 VPN).
As can be seen from the technical solution provided by the present invention, in RFC 2547 based PP VPN networking the present invention achieves a hierarchy of VPN management authority: the VPN partition on a PE device can be managed entirely independently by the network manager of the local PE device, while the VPN partition of the whole network is managed independently by the network manager of the whole network. A change of the VPN relationships on the local PE device therefore does not affect the VPN relationships of the whole network, nor the VPN relationships between user sites on other PE devices, which effectively solves the problem in the prior art that a change of a local VPN relationship could not be kept from affecting the VPN relationships of customers in other cities. Taking again the example described in the background section, with the present invention, when the VPN relationships between the user sites on a PE device of the government office network change, the network manager of that PE device need only reconfigure the VPN relationships through local VPN target attributes, without any effect on the VPN relationships of the whole government office network or of the other PE devices in it.
Description of drawings
Fig. 1 is a schematic diagram of a BGP/MPLS VPN networking structure;
Fig. 2 is a schematic diagram of route filtering by the route target attribute;
Fig. 3 is a flow chart of the method of the present invention;
Fig. 4 is a schematic diagram of an example BGP/MPLS VPN networking structure.
Embodiment
The present invention solves the problem of the prior art by giving the administrator (the network manager) of a PE device independent management authority over the VPN relationships between the user sites connected to that PE device. That is, within the whole virtual private network, the authority to partition VPNs vertically (across the whole network) belongs to the administrator of the whole network, while the authority to partition VPNs horizontally (on a single PE device) belongs to the administrator of that PE device; thus in VPN applications the vertical VPNs remain separated from each other, while a horizontal VPN can change its VPN relationships independently.
From the description of the background it is known that in the RFC 2547 PP VPN solution a VRF has an import vpn-target attribute and an export vpn-target attribute: the import vpn-target attribute determines which VPN routes in the whole network the VRF can receive, and the export vpn-target attribute determines which VRFs in the whole network can receive the routes of this VRF. Based on the RFC 2547 PP VPN solution, the present invention proposes a new VPN attribute, the local Vpn-target (local VPN target) attribute. The local VPN target attribute is defined as attribute information that allows routing information to be exchanged only between the user sites determined to need hierarchical management; specifically, it may be defined as an attribute for exchanging routing information only between CE devices on the same PE device that need to access each other. The attribute comprises a local import vpn-target attribute and a local export vpn-target attribute, and the way the two are applied during route exchange is similar to the way the two existing attributes of a VRF are applied.
The local Vpn-target attribute acts only on VPN routes on the PE device at which it is located. Specifically: the local import vpn-target attribute is used only to decide which VPN routes sent by user sites on the same PE device are received, and has no effect on VPN routes sent by other PE devices; the local export vpn-target attribute is not attached to routes of the VRF corresponding to this user site that are sent to other PE devices, and takes effect only when other VRFs on the same PE device introduce routes of this VRF, i.e. it is matched against the local import vpn-target attribute lists of the other VRFs on the same PE device to decide whether the routes of this VRF need to be introduced.
In the present invention, the relationship between the vpn-target attributes and the local vpn-target attributes of a VRF is as follows: since a VRF generally has several Vpn-target attributes and several Local vpn-target attributes, they are represented by a Vpn-target attribute list and a Local vpn-target attribute list respectively.
The main idea of the invention and the main technical means it adopts have been described above; the method of the present invention is further described below with reference to the embodiment in the accompanying drawings. Referring to Fig. 3, the method comprises the following steps:
Step 31: determine, according to actual needs, the VPN relationships in the whole virtual private network that need adjustment, and further determine all user sites whose VPN relationships are to change; for example, according to network operation needs, user sites on the same PE device that originally could not access each other are changed so that they can, or user sites on different PE devices that originally could not access each other are changed so that they can, and so on;
Step 32: judge whether all these user sites are on the same PE device; if they are, execute step 33, otherwise execute step 36;
Step 33: configure the local VPN target attributes of each user site, including the local import VPN target attribute and the local export VPN target attribute;
Step 34: introduce the VPN routing information of each user site based on the local VPN target attributes configured in step 33, i.e. update the routing information in the VRF of each user site based on the local VPN target attributes configured in step 33;
Step 35: the user sites on the same PE device access each other according to the introduced routing information; that is, after the processing of step 34, each user site can access the others based on the updated routing information, and the change of the VPN relationships between these user sites is achieved.
Step 36: configure the VPN target attributes of each user site, including the import VPN target attribute and the export VPN target attribute;
Step 37: introduce the VPN routing information of each user site based on the VPN target attributes configured in step 36, i.e. update the routing information in the VRF of each user site based on the VPN target attributes configured in step 36;
Step 38: the user sites on the different PE devices access each other according to the introduced routing information; that is, after the processing of step 37, each user site can access the others based on the updated routing information in its VRF, and the change of the VPN relationships between these user sites is achieved.
The process of introducing routing information in steps 34 and 37 is similar to the process described earlier: whether corresponding routing information is introduced is decided by matching VPN target attributes or local VPN target attributes. In the present invention, when a user site receives VPN routing information and its corresponding VRF decides whether to introduce it, the following cases are distinguished:
(1) if the routing information was sent by another PE device, the VRF uses the import vpn-target list of the user site to match the export vpn-target attribute list carried by the VPN route; if there is a match, the VPN route is received, otherwise it is not;
(2) if the routing information was sent by another user site of the local PE device, the VRF first uses its import vpn-target list to match the export vpn-target attribute list carried by the route; if there is a match, the routing information is introduced; if not, the local import vpn-target attribute list of the VRF is matched against the local export vpn-target attribute list carried by the route; if there is a match the route is introduced, otherwise it is refused. The local PE device here is the PE device at which the user site receiving the VPN routing information is located.
In a concrete implementation, the two cases above may be handled by first judging whether the routing information was sent by another PE device or by another user site of the local PE device, and then applying the corresponding process. Alternatively, the import vpn-target list of the user site may first be matched against the export vpn-target attribute list carried by the VPN route; if there is a match, the VPN route is received (i.e. the routing information is introduced); otherwise it is judged whether the routing information was sent by another PE device or by another user site of the local PE device: if it was sent by another PE device the routing information is refused, otherwise the local import vpn-target attribute list of the VRF is matched against the local export vpn-target attribute list carried by the route, and if there is a match the routing information is introduced, otherwise it is refused.
In the present invention, the vpn-target attribute lists and the local vpn-target attribute lists of the VRFs on a PE are not matched against each other to decide whether to introduce a route; that is, VPN target attributes and local VPN target attributes are used separately, and local VPN target attributes are used only when routing information is introduced between user sites on the same PE device.
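The following is an added example, not code from the patent or from Huawei: a model of the route-introduction rules of steps C1 to C3 and cases (1) and (2) above, with the ordinary RFC 2547 vpn-target alongside the local vpn-target of this invention. The PE names PE1 to PE3, the prefixes 10.<pe>.<dept>.0/24 and the helper names are constructed; the VRF names, RDs and vpn-target values 100:1, 100:2, 100:3 and 200:1 follow the Fig. 4 example given later on this page.

```python
"""Model of VRF route introduction with vpn-target plus local vpn-target.
Added example, not the patent's or Huawei's implementation; PE names,
prefixes and helper names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Vrf:
    name: str                 # e.g. "vpn_BanGong"
    pe: str                   # PE device the VRF lives on, e.g. "PE1"
    rd: str                   # Route Distinguisher, e.g. "100:1"
    prefix: str               # IPv4 prefix announced by this site's CE (constructed)
    import_rt: Set[str]       # Import Vpn-Targets, set by the whole-network manager
    export_rt: Set[str]       # Export Vpn-Targets, set by the whole-network manager
    local_import_rt: Set[str] = field(default_factory=set)  # set by the local PE manager
    local_export_rt: Set[str] = field(default_factory=set)  # set by the local PE manager


@dataclass(frozen=True)
class VpnRoute:
    vpn_ipv4: str             # "RD:prefix", the VPN-IPv4 address in text form
    origin_pe: str            # PE device that originated the route
    export_rt: FrozenSet[str]
    local_export_rt: FrozenSet[str]   # empty once the route leaves its PE


def advertise(src: Vrf, to_pe: str) -> VpnRoute:
    """Build the route a VRF sends to a site on PE `to_pe`: the local export
    vpn-target is carried only when the receiver is on the same PE device."""
    local = frozenset(src.local_export_rt) if to_pe == src.pe else frozenset()
    return VpnRoute(f"{src.rd}:{src.prefix}", src.pe, frozenset(src.export_rt), local)


def should_import(dst: Vrf, route: VpnRoute) -> bool:
    """Steps C1-C3: whole-network vpn-target first; the local vpn-target is
    consulted only for routes that originate on the same PE device."""
    if dst.import_rt & route.export_rt:              # C1: ordinary vpn-target match
        return True
    if route.origin_pe != dst.pe:                    # C2: remote route, refuse
        return False
    return bool(dst.local_import_rt & route.local_export_rt)  # C3: local match


def build_tables(vrfs: List[Vrf]) -> Dict[Tuple[str, str], Set[str]]:
    """Let every VRF advertise its prefix to every other VRF and return the
    VPN-IPv4 routes each (PE, VRF) ends up introducing."""
    tables: Dict[Tuple[str, str], Set[str]] = {(v.pe, v.name): set() for v in vrfs}
    for src in vrfs:
        for dst in vrfs:
            if src is dst:
                continue
            route = advertise(src, dst.pe)
            if should_import(dst, route):
                tables[(dst.pe, dst.name)].add(route.vpn_ipv4)
    return tables


# Whole-network configuration: one VRF per department on each PE, with RD and
# import/export vpn-target 100:1, 100:2, 100:3 as on this page.
DEPARTMENTS = [("vpn_BanGong", 1), ("vpn_CaiWu", 2), ("vpn_ShiChang", 3)]


def fig4_network() -> List[Vrf]:
    vrfs: List[Vrf] = []
    for pe_idx in (1, 2, 3):
        for name, dept in DEPARTMENTS:
            rt = f"100:{dept}"
            vrfs.append(Vrf(name, f"PE{pe_idx}", rt, f"10.{pe_idx}.{dept}.0/24", {rt}, {rt}))
    return vrfs


def add_local_access(vrfs: List[Vrf], pe: str, names: List[str], local_rt: str) -> None:
    """What the local PE manager adds: Local import/export vpn-target on the
    named VRFs of that PE only; nothing on any other PE is touched."""
    for v in vrfs:
        if v.pe == pe and v.name in names:
            v.local_import_rt.add(local_rt)
            v.local_export_rt.add(local_rt)


def fig4_with_local_access() -> Dict[Tuple[str, str], Set[str]]:
    """Branch 1 (PE1) lets office and finance talk; branch 2 (PE2) lets
    finance and marketing talk; both reuse the value 200:1 independently."""
    vrfs = fig4_network()
    add_local_access(vrfs, "PE1", ["vpn_BanGong", "vpn_CaiWu"], "200:1")
    add_local_access(vrfs, "PE2", ["vpn_CaiWu", "vpn_ShiChang"], "200:1")
    return build_tables(vrfs)


if __name__ == "__main__":
    for key, routes in sorted(fig4_with_local_access().items()):
        print(key, sorted(routes))
```

Comparing `fig4_with_local_access()` with `build_tables(fig4_network())` shows that only the tables on PE1 and PE2 gain routes, and only for the locally paired VRFs; every VRF on PE3 sees exactly the same routes as before the local configuration.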
The concrete application of the method of the present invention is illustrated below with reference to Fig. 4. In Fig. 4 the backbone network has three PE devices, and three SITEs are connected to each PE device, corresponding to the offices of three functional departments of the respective region: general office, finance and marketing. Naturally, the same functional department in the three regions needs to communicate, so three different VPNs need to be configured for the three kinds of functional department across the whole network, namely vpn_BanGong, vpn_CaiWu and vpn_ShiChang, while different functional departments in different regions cannot access each other.
Since the VPN partition of the whole network is the responsibility of the administrator of the whole network, that administrator needs to make the following VPN configuration on each of the three PE devices to realise the three VPN partitions:
Ip vrf vpn_BanGong: create a VPN named vpn_BanGong;
Rd 100:1: configure the RD of vpn_BanGong as 100:1;
Import vpn-target 100:1: configure the import VPN target attribute as 100:1;
Export vpn-target 100:1: configure the export VPN target attribute as 100:1;
Ip vrf vpn_CaiWu: create a VPN named vpn_CaiWu;
Rd 100:2: configure the RD of vpn_CaiWu as 100:2;
Import vpn-target 100:2: configure the import VPN target attribute as 100:2;
Export vpn-target 100:2: configure the export VPN target attribute as 100:2;
Ip vrf vpn_ShiChang: create a VPN named vpn_ShiChang;
Rd 100:3: configure the RD of vpn_ShiChang as 100:3;
Import vpn-target 100:3: configure the import VPN target attribute as 100:3;
Export vpn-target 100:3: configure the export VPN target attribute as 100:3;
With the above configuration, the same functional department of the three regions is placed in the same VPN, which guarantees communication between the same functional department of the three regions, while different functional departments of the three regions cannot communicate because they belong to different VPNs.
At the same time, because the three functional departments connected to the same PE device belong to the same regional branch, there are usually additional communication requirements between them, such as the general office needing to access finance. This is unavoidable in practice, and the VPN relationships between the departments of the same region may be rather flexible and variable, i.e. the local VPN relationships may change frequently. The requirement for such special VPN relationships on a single PE device should have no effect on the functional departments on other PE devices. Moreover, for simplicity and convenience of management, such a flexibly changing VPN relationship should normally not be managed by the administrator of the whole network; it is sufficient for the administrator of that PE device to manage it. And to guarantee the security and stability of the network, when the administrator of the local PE device manages the VPN relationships of the local functional departments, no operation of theirs (correct or mistaken) should have any effect on the VPN relationships of the whole network.
For the general office and finance departments in branch 1 of Fig. 4 to access each other, only the following configuration needs to be added on top of the whole-network configuration above, specifically:
Ip vrf vpn_BanGong: the VPN that creates a vpn_BanGong by name;
Rd 100: 1: the RD of vpn_BanGong was configured to 100: 1;
Import vpn-target 100: 1: will import the VPN destination attribute configuration is 100: 1;
Export vpn-target 100: 1: will export the VPN destination attribute configuration is 100: 1;
Localimport vpn-target 200: 1: it is 200: 1 that the VPN destination attribute configuration is imported in this locality;
Local export vpn-target 200: 1: it is 200: 1 that the VPN destination attribute configuration is exported in this locality;
Ip vrf vpn_CaiWu: the VPN that creates a vpn_CaiWu by name;
Rd 100: 2: the RD of vpn_CaiWu was configured to 100: 2;
Import vpn-target 100: 2: will import the VPN destination attribute configuration is 100: 2;
Export vpn-target 100: 2: will export the VPN destination attribute configuration is 100: 2;
Local import vpn-target 200: 1: it is 200: 1 that the VPN destination attribute configuration is imported in this locality;
Local export vpn-target 200: 1: it is 200: 1 that the VPN destination attribute configuration is exported in this locality;
With the local vpn-target configuration of vpn_BanGong and vpn_CaiWu above, mutual access between the two is established. The configured local export vpn-target is not sent along with the route, and the local import vpn-target attribute list never acts on routes that arrive from any other PE; it acts only on local VPN routes. The newly added configuration therefore has no influence on the VPN relationship of the whole network; it only modifies the local VPN relationship, as the administrator of the local PE device intended. Another PE device may have the same kind of requirement; for example, if the finance VPN and the marketing VPN of branch 2 need to access each other, the following configuration can be made there:
ip vrf vpn_CaiWu: create a VPN (VRF) named vpn_CaiWu;
rd 100:2: set the RD of vpn_CaiWu to 100:2;
import vpn-target 100:2: set the import VPN target attribute to 100:2;
export vpn-target 100:2: set the export VPN target attribute to 100:2;
local import vpn-target 200:1: set the local import VPN target attribute to 200:1;
local export vpn-target 200:1: set the local export VPN target attribute to 200:1;
ip vrf vpn_ShiChang: create a VPN (VRF) named vpn_ShiChang;
rd 100:3: set the RD of vpn_ShiChang to 100:3;
import vpn-target 100:3: set the import VPN target attribute to 100:3;
export vpn-target 100:3: set the export VPN target attribute to 100:3;
local import vpn-target 200:1: set the local import VPN target attribute to 200:1;
local export vpn-target 200:1: set the local export VPN target attribute to 200:1;
As can be seen, although the local vpn-target attribute 200:1 is reused in the configurations of vpn_CaiWu and vpn_ShiChang in the two branches, this overlap cannot cause mistaken mutual access between different functional departments of the two branches, because a local vpn-target is only matched against routes originating on the same PE device and is never carried across the backbone.
Besides MPLS/BGP VPN, the present invention is also applicable to other VPNs similar to MPLS/BGP VPN, for example the L2VPN implemented according to draft-kompella-ppvpn-l2vpn-Ox.txt (the draft on Layer 2 VPN).
The above is only a preferred embodiment of the present invention, and the scope of protection of the present invention is not limited to it. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within its scope of protection, for example applying the present invention to other networks of the same class as those described above. The scope of protection of the present invention shall therefore be determined by the scope of the claims.

Claims (10)

1. A method for realizing hierarchical management of user sites in a virtual private network, characterized by comprising:
A. determining all the user sites that need hierarchical management;
B. configuring a local VPN target attribute for each of the determined user sites;
C. each determined user site importing the routing information sent by the other user sites according to the configured local VPN target attribute;
D. the determined user sites accessing each other according to the imported routing information.
2. The method for realizing hierarchical management of user sites in a virtual private network according to claim 1, characterized in that step A comprises:
determining, on a PE (provider edge) device of the backbone network, the user sites that need to access each other as the user sites that need hierarchical management.
3. The method for realizing hierarchical management of user sites in a virtual private network according to claim 1, characterized in that the local VPN target attribute of step B is:
attribute information defined so that routing information can be exchanged only among the user sites determined to need hierarchical management.
4. The method for realizing hierarchical management of user sites in a virtual private network according to claim 1, 2 or 3, characterized in that step B comprises:
configuring a local import VPN target attribute and a local export VPN target attribute respectively for the user sites determined to need mutual access.
5. The method for realizing hierarchical management of user sites in a virtual private network according to claim 4, characterized in that step C comprises:
each determined user site judging whether the local export VPN target attribute set in the routing information received on the local PE device has an item identical to the local import VPN target attribute set configured for this user site; if so, importing the routing information, otherwise refusing to import it; where the local PE device is the PE device at which the corresponding user site is located.
6. The method for realizing hierarchical management of user sites in a virtual private network according to claim 5, characterized in that step C further comprises:
C1. the VPN routing and forwarding instance corresponding to the user site judging whether the export VPN target attribute set in the received routing information has an item identical to the import VPN target attribute set configured for this user site; if so, importing the routing information, otherwise executing step C2;
C2. further judging whether the received routing information is routing information on the local PE device; if so, executing step C3, otherwise refusing to import the routing information;
C3. further judging whether the local export VPN target attribute set in the received routing information on the local PE device has an item identical to the local import VPN target attribute set configured for this user site; if so, importing the routing information, otherwise refusing to import it.
7. The method for realizing hierarchical management of user sites in a virtual private network according to claim 1, characterized in that step E is performed before step A:
E. determining, in the VPN of the network, each user site whose VPN relationship needs to be changed, and judging whether all of these user sites are on the same PE device; if so, executing step A, otherwise executing step F;
F. configuring import/export VPN target attributes respectively for each of said user sites;
G. each of said user sites importing the routing information sent by the other user sites according to the configured import/export VPN target attributes;
H. said user sites accessing each other according to the imported routing information.
8. The method for realizing hierarchical management of user sites in a virtual private network according to claim 7, characterized in that:
step B is: the network manager of the PE device at which the determined user sites are located configures the local VPN target attribute for each of the determined user sites;
step F is: the network manager of the whole network configures the import/export VPN target attributes for each of said user sites.
9. The method for realizing hierarchical management of user sites in a virtual private network according to claim 1 or 7, characterized in that the processing of the routing information sent by each user site in step C and step G comprises:
when a user site sends routing information to other user sites on the PE device at which it is located, carrying both the VPN target attribute and the local VPN target attribute configured for this user site;
when a user site sends routing information to user sites beyond the PE device at which it is located, carrying only the VPN target attribute configured for this user site.
10. The method for realizing hierarchical management of user sites in a virtual private network according to claim 7, characterized in that the network of step E may be MPLS/BGP VPN (VPN based on multiprotocol label switching/Border Gateway Protocol) or L2VPN implemented according to the draft-kompella-ppvpn-l2vpn-Ox.txt draft (the draft on Layer 2 VPN).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101239789A CN1317851C (en) 2003-12-19 2003-12-19 A method for realizing hierarchical management of user sites in VPN


Publications (2)

Publication Number Publication Date
CN1630249A true CN1630249A (en) 2005-06-22
CN1317851C CN1317851C (en) 2007-05-23

Family

ID=34844911


Country Status (1)

Country Link
CN (1) CN1317851C (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002166640A (en) * 2000-04-12 2002-06-11 Oji Paper Co Ltd Ink jet recording sheet
KR100431207B1 (en) * 2002-05-14 2004-05-12 주식회사 케이티 Exteranet ip-vpn service provinding methode in mpls based network
CN1214583C (en) * 2002-08-23 2005-08-10 华为技术有限公司 Three layer virtual private network and its construction method
CN100502343C (en) * 2003-05-22 2009-06-17 华为技术有限公司 Method of intercommunication of multi-protocol label exchange virtual special network

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100420201C (en) * 2005-10-14 2008-09-17 华为技术有限公司 Method and system for managing user marginal device
CN101312424B (en) * 2007-05-25 2011-11-16 杭州华三通信技术有限公司 VPN construction recovery method and apparatus
CN101662412B (en) * 2008-08-26 2013-12-18 北京兴网汇通科技有限公司 Method for managing control plane-based virtual private network resources in IP telecommunication network system
CN102104532A (en) * 2009-12-22 2011-06-22 杭州华三通信技术有限公司 Fault switching method and system and hub provider edge (Hub PE) router
CN102104532B (en) * 2009-12-22 2014-02-12 杭州华三通信技术有限公司 Fault switching method and system and hub provider edge (Hub PE) router
CN102325072A (en) * 2011-05-17 2012-01-18 杭州华三通信技术有限公司 Method for automatically discovering VPN (Virtual Private Network) and equipment
CN102325072B (en) * 2011-05-17 2013-12-11 杭州华三通信技术有限公司 Method for automatically discovering VPN (Virtual Private Network) and equipment
CN102281533A (en) * 2011-08-03 2011-12-14 华为技术有限公司 Method, system and router for establishing LSP based on RT
WO2012149854A1 (en) * 2011-08-03 2012-11-08 华为技术有限公司 Rt-based method, system, and router for establishing lsp
CN102281533B (en) * 2011-08-03 2014-01-08 华为技术有限公司 Method, system and router for establishing LSP based on RT

Also Published As

Publication number Publication date
CN1317851C (en) 2007-05-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070523