WO2005125103A1 - Virtual private network system for a hybrid site and hybrid backbone network, and associated implementation method - Google Patents
- Publication number: WO2005125103A1 (PCT/CN2005/000869)
- Authority: WO (WIPO PCT)
- Prior art keywords
- ipv4
- ipv6
- route
- routes
- user site
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Definitions
- the present invention relates to virtual private network technology, and in particular to a virtual private network system for a hybrid-site, hybrid-backbone network carrying both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), and to its implementation method.
- Background of the invention
- a virtual private network (VPN) is a private network established on top of a public network. It offers the same security, reliability and manageability as a dedicated private network.
- VPNs replace traditional dial-up access, using the public Internet or an operator's network as an extension of the enterprise's private network and saving expensive leased-line fees.
- VPNs use tunneling protocols, identity verification and data encryption to secure communication, which has made them popular with enterprise users.
- building a VPN brings many benefits: an enterprise can save substantially on day-to-day communication costs, can run remote teaching and remote monitoring under unified corporate management, and can improve the security of its internal business information flow. VPNs are the foreseeable trend for enterprise network design, information management and information flow.
- the MPLS Layer 3 (L3) VPN model is shown in FIG. 1.
- the model includes three components: a customer edge router (CE) at the edge of the customer premises network, a provider edge router (PE) at the edge of the backbone network, and a provider router (P) inside the backbone network.
- the CE router is part of the customer premises network and has interfaces directly connected to the operator's backbone network.
- the CE router is not aware of the VPN and does not need to maintain the complete routing information of the VPN.
- the PE router is the edge device of the operator network and is directly connected to the user's CE router.
- in the MPLS network, all VPN processing is done on the PE router.
- the P router is inside the carrier network and is not directly connected to any CE router; it only needs basic MPLS signaling and forwarding capabilities.
- those skilled in the art will understand that the division between CE and PE follows the management boundary between operator and user: CE and PE mark the limits of each party's management scope.
- CE routers and PE routers exchange routing information using External BGP (EBGP), an Interior Gateway Protocol (IGP), or static routes.
- the CE does not need to support MPLS and does not need to know the complete VPN routing; VPN-wide routing is left to the operator's PE routers.
- the VPN-wide routing information is exchanged between PEs through Multi-Protocol BGP (MP-BGP).
- a VPN is composed of multiple user sites.
- each site corresponds on the PE to a VPN Routing/Forwarding instance (VRF), which holds the site's IP routing table together with interface and management information: a route distinguisher (RD), a route filtering policy, and a list of member interfaces.
- a site's VRF thus combines the site's VPN membership and its routing rules.
- the system maintains a separate routing table and label forwarding table per VRF and stores forwarding information in those per-VRF tables, which prevents data from leaking out of the VPN and prevents data from outside the VPN from entering it.
- routing information is transmitted between the CE and the PE through an IGP or EBGP; the PE obtains the VPN routing table and stores it in a separate VRF.
- PEs use an IGP among themselves for ordinary IP connectivity, and use IBGP to propagate VPN membership information and routes and to update their VRFs, so that routes are exchanged between CEs.
- a new address family, VPN-IPv4, is used.
- a VPN-IPv4 address has 12 bytes: an 8-byte RD followed by a 4-byte IPv4 address.
- the PE uses the RD to distinguish routing information from different VPNs. Operators assign RDs independently, but include their own AS number in the RD so that each RD is globally unique.
- a VPN-IPv4 address with an RD of zero is synonymous with a globally unique IPv4 address.
- a route the PE receives from a CE is an IPv4 route and must be imported into the VRF routing table, at which point an RD is attached. A common implementation sets the same RD for all routes from the same user site.
- the Route Target attribute identifies the set of sites that may use a route, that is, which sites may receive the route the PE router transmits. Every PE router connected to a site named by the Route Target receives routes carrying that attribute and, after receiving such a route, adds it to the corresponding routing table.
- a PE router has two sets of Route Target attributes per site: Export Route Targets, attached to routes received from the site, and Import Route Targets, which determine which routes may be imported into that site's routing table. VPN membership is derived by matching the Route Target carried in a route, and the same matching filters the routing information a PE router receives.
- FIG. 2 is a schematic diagram of filtering received routes by matching the Route Target attribute.
- VPN packet forwarding uses a two-level label stack.
- the first level, the outer label, is swapped inside the backbone network and represents a Label Switched Path (LSP) from the PE to its peer PE; VPN packets use this label to reach the peer PE over the LSP.
- the second level, the inner label, indicates the site, or more precisely the CE, the packet is destined for, so the outgoing interface can be found from the inner label.
- to keep providing services during the evolution from IPv4 to IPv6, VPN solutions for IPv6 networks must be studied in parallel with those for IPv4. IPv6 itself was still at an experimental stage when this application was filed, with no formal large-scale commercial deployment and no formal VPN service offering on IPv6 networks.
- in the 6PE solution, each IPv6 site is connected to at least one dual-stack PE router of the IPv4 backbone that supports MP-BGP, the 6PE router shown in FIG. 3.
- the 6PE router is also called a Dual Stack BGP (DS-BGP) router.
- a DS-BGP router has at least one IPv4 address on its IPv4 side and at least one IPv6 address on its IPv6 side, and the IPv4 address must be routable in the IPv4 network.
- the ingress DS-BGP router carries IPv6 packets transparently through an MPLS tunnel, that is, an LSP, to the egress DS-BGP router.
- when advertising its own address as the next hop of a BGP route, the DS-BGP router may use its IPv4 address together with MPLS tunnels or other IPv4-based tunnels such as Generic Routing Encapsulation (GRE) or IP Security (IPsec) tunnels; it may instead use an IPv6 address together with the corresponding tunnels, such as 6to4 or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels, using the address form those tunnels require.
- both user networks and backbone networks may be IPv4 networks, IPv6 networks, or mixed IPv4/IPv6 networks. VPN services in the next-generation network must therefore adapt to complex environments and apply to IPv4 networks, IPv6 networks and mixed IPv4/IPv6 networks alike.
- a main object of the present invention is to provide a virtual private network system for a hybrid-site, hybrid-backbone network, in which sites based on different IP versions can reach each other through backbone networks of different IP versions and run VPN services.
- another main object of the present invention is to provide a method for implementing such a virtual private network, enabling sites based on different IP versions to reach each other and run VPN services through backbone networks based on different IP versions.
- the present invention provides a virtual private network system for a hybrid site and hybrid backbone. The system includes virtual private network user sites, customer edge routers CE, backbone edge routers PE, and a backbone network; the user sites access the backbone network through the CE and the PE to exchange data.
- the user sites include sites based on Internet Protocol version 4 (IPv4) and on version 6 (IPv6);
- the backbone network includes an IPv4 single domain and an IPv6 single domain, connected to each other through an ASBR that supports the IPv4 and IPv6 dual protocol stack;
- the CE supports an IPv4 stack, an IPv6 stack, or a dual IPv4/IPv6 stack, and stores IPv4 routes and/or IPv6 routes;
- the PE supports an IPv4 stack, an IPv6 stack, or a dual IPv4/IPv6 stack, and stores IPv4 routes and IPv6 routes;
- data is transmitted between the user sites according to the routes stored by the CE and the PE.
- the CE and PE that connect a user site to a single domain of a different IP version support the IPv4 and IPv6 dual protocol stack.
- a CE of an IPv4 user site that needs to access IPv6 user sites stores IPv4 routes and IPv6 routes; a CE of an IPv6 user site that needs to access IPv4 user sites stores only IPv6 routes; a CE of an IPv4 user site that only accesses IPv4 user sites stores only IPv4 routes.
- the implementation method includes the following steps:
- A. addressing the IPv4 and IPv6 user sites so that IPv4 and IPv6 address information takes a unified format;
- B. learning and advertising routes between the user sites and the backbone network, so that IPv4 routes and IPv6 routes are published to the PEs in the system and to the CEs connected to them;
- C. distributing inner labels and outer labels in the backbone network;
- D. encapsulating the user-site packets with the inner label and the outer label and forwarding them through the backbone network.
- in step A, between IPv4 user sites the form "route distinguisher + IPv4 address" yields a VPN-IPv4 address with address family identifier 1; between an IPv4 user site and an IPv6 user site, and between IPv6 user sites, the form "route distinguisher + IPv6 address" yields a VPN-IPv6 address with address family identifier 2.
- an IPv4 user site that communicates with an IPv6 user site maps its IPv4 address A.B.C.D to the IPv6 address 0::A:B:C:D, which is then combined with the route distinguisher to form a VPN-IPv6 address with address family identifier 2.
- step B may include the following sub-steps:
- B1. the CE advertises the aggregated route of its IPv4 or IPv6 user site to the connected PE;
- B2. the PE advertises the IPv4 routes and IPv6 routes learned from the CE to the other PEs and the ASBR in its single domain;
- B3. the ASBR of the other single domain learns the IPv4 routes and IPv6 routes from the source ASBR;
- B4. that ASBR advertises the learned routes to the PEs in its own single domain;
- B5. the PE advertises the IPv4 and IPv6 routes learned from other PEs and from the ASBR to the CEs connected to it.
- step B2 may further include: the PE router takes the IPv4 and IPv6 routes learned from the CE router and, according to the VPN they belong to and the IP version of the route, adds the route distinguisher RD, the address family identifier AFI and the subsequent address family identifier SAFI, forming routing information in a unified form for IPv4 and IPv6 addresses that carries the RD, AFI, SAFI and the Route Target extended community attribute.
- in step B2, the routes of the user sites behind the CEs connected to the PE may be published through the internal border gateway protocol based on the IP version of the single domain;
- in step B3, the ASBR publishes routes to the ASBR of the single domain of the other IP version through the IPv6-based multi-protocol external border gateway protocol;
- in step B4, the ASBR publishes the learned routes to its peer PEs in the domain through the internal border gateway protocol based on the IP version of the single domain.
- for an IPv4 user site that needs to access IPv6 user sites, step B5 may include the following sub-steps: the CE connected to the IPv4 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes; the PE converts each stored IPv4 user-site route from the form A.B.C.D/n to the IPv6 route 0::A:B:C:D/(96+n) and publishes it to the CE through the IPv6 routing protocol; the CE restores the IPv4 route to the form A.B.C.D/n and stores the routes of IPv6 user sites as IPv6 routes.
- for an IPv6 user site that needs to access IPv4 user sites, step B5 may include the following sub-steps: the CE connected to the IPv6 user site and the PE connected to that CE run an IPv6-based routing protocol to learn routes; the CE stores the routes of IPv4 user sites directly as IPv6 routes of the form 0::A:B:C:D/(96+n) and stores the routes of IPv6 user sites in their original form.
- for an IPv4 user site that only accesses IPv4 user sites, in step B only an IPv4 routing protocol need run between the CE connected to that site and the PE connected to the CE; only the IPv4 routes of other IPv4 user sites are learned and stored, and IPv6 routes are discarded.
- the PE may decide whether to learn a route and publish it to a user site according to the Route Target extended community attribute of the multi-protocol border gateway protocol.
- in step C, the inner label is allocated by the egress PE to distinguish the different user sites connected to that PE, and is distributed to the ingress PE along with the route when the route is advertised; the outer label is allocated within a single domain by running the Label Distribution Protocol (LDP), Resource Reservation Protocol with Traffic Engineering (RSVP-TE) or Constraint-based Routing LDP (CR-LDP), and between different single domains by the external border gateway protocol.
- step D may include the following sub-steps: the source user site forwards IP data to the ingress PE; the ingress PE pushes the inner label and outer label and forwards the labelled packet to the egress PE (step D2); the egress PE forwards the IP data to the destination user site according to the inner label and the routing table stored on the egress PE.
- step D2 may include the following sub-steps: the ASBR forwards the packet to the ASBR of the next adjacent single domain according to the outer label allocated between the ASBRs, and that ASBR forwards the packet to the egress PE.
- the topology relationship between the user sites is achieved by matching the Route Target community attribute.
- compared with the prior art, the virtual private network system and implementation method of the present invention run IPv4/IPv6 dual routing tables on the CE and PE routers, configure the IPv4 and IPv6 protocol stacks according to the network connection between CE and PE, perform VPN addressing and the necessary IPv4/IPv6 address translation for the VPN user sites, then advertise and distribute routes and forward data with a multi-level label stack, thereby realizing a VPN over a hybrid-site, hybrid-backbone network.
- a VPN can thus be formed while both the user networks and the backbone network are transitioning from IPv4 to IPv6, giving the VPN solution greater flexibility during the transition, reducing the complexity of network equipment upgrades, making the IPv4-to-IPv6 transition smoother and greatly improving the economics and feasibility of network upgrades.
- FIG. 1 is a schematic diagram of the system composition of MPLS L3 VPN defined by RFC2547bis
- FIG. 2 is a schematic diagram of filtering received routes by matching Route Target attributes
- FIG. 3 is a schematic diagram of a system composition for implementing a BGP / MPLS VPN with a 6PE solution
- FIG. 4 is a schematic diagram of a hybrid site hybrid backbone network VPN system composition according to a preferred embodiment of the present invention.
- the virtual private network system of the hybrid-site hybrid-backbone network of the present invention and its implementation method run an IPv4/IPv6 dual routing table on the CE router and the PE router, configure the IPv4 and IPv6 protocol stacks according to the network connection between the CE router and the PE router, perform VPN addressing and the necessary IPv4/IPv6 address translation for the VPN user sites, then publish and distribute routes, and forward data using multi-level labels, realizing a VPN over a hybrid-site, hybrid-backbone network.
- the virtual private network system of the present invention includes a backbone network and user networks.
- the backbone network advertises VPN routes, establishes switching paths, and carries the data exchange. It includes autonomous systems using different address families, connected through autonomous system border routers (ASBRs) at the edges of the autonomous systems.
- a single domain can be regarded as an autonomous system; that is, the backbone network can include one or more IPv4 single domains and one or more IPv6 single domains, with the IPv4 and IPv6 single domains connected through ASBRs that support the IPv4 and IPv6 dual protocol stacks.
- each single domain also contains the usual P routers and PE routers; the PE router configures the IPv4 protocol stack, the IPv6 protocol stack, or both, according to its network connections.
- the routes published by the backbone network include VPN-IPv4 routes and VPN-IPv6 routes.
- the routes of the user sites connected to PE routers in an autonomous system are first advertised between the PEs and the ASBR of that autonomous system; then the ASBRs publish the learned routes to each other through EBGP; then each ASBR advertises the routes through IBGP to its peers inside its own autonomous system, that is, the PE routers; and finally the PE routers advertise the routes to the CE routers. The route advertisement method is described in detail below.
- the user network includes a CE router connected to the backbone network and the user site connected to it.
- the user sites include both IPv4 sites and IPv6 sites, and each user site includes multiple hosts with different addresses.
- the CE router supports the protocol stack corresponding to the IP version of the user network and the IP version of the autonomous system it connects to; the PE router supports the protocol stack corresponding to the IP version of its autonomous system and of the user site it connects to.
- the CE and PE connecting an IPv4 site to an IPv4 backbone need only support the IPv4 stack, and the CE and PE connecting an IPv6 site to an IPv6 backbone need only support the IPv6 stack; the CEs of IPv6 sites connected to the IPv4 backbone, the CEs of IPv4 sites connected to the IPv6 backbone, and the PEs serving those CEs need to support the IPv4/IPv6 dual stack.
- IPv4 sites and IPv6 sites in the same VPN may need to reach each other; routers in IPv4 sites that need to access IPv6 sites must store IPv6 routes, that is, those IPv4 sites must support a mixed IPv4/IPv6 address scheme.
- FIG. 4 is a schematic diagram of a VPN system for a hybrid-site hybrid-backbone network according to a preferred embodiment of the present invention.
- the backbone network in FIG. 4 has two domains, an IPv4 single domain and an IPv6 single domain; PE routers PE1 to PE4 sit at the edge of the backbone; the P routers inside the backbone are not shown; CE routers CE1 to CE8 sit at the edge of the user networks; the user sites are connected to the PEs through the CEs, and each user site contains one or more hosts with different addresses.
- the IPv4 domain and the IPv6 domain are connected to each other through ASBR1 and ASBR2.
- VPNA includes both IPv4 and IPv6 sites: an IPv6 site behind CE1, an IPv4 site behind CE4, an IPv6 site behind CE5 and an IPv4 site behind CE8.
- VPNB contains only IPv4 sites: the IPv4 sites behind CE2, CE3, CE6 and CE7.
- only VPNA and VPNB, and a backbone with a single IPv4 domain and a single IPv6 domain, are described as examples; the system may include many VPNs, and the backbone network may include multiple domains.
- addressing: communication between IPv4 sites uses IPv4 addresses, and the Address Family Identifier (AFI) field in MP-BGP uses the value 1 assigned to the IPv4 address family by RFC 1700; communication between an IPv4 site and an IPv6 site, and between two IPv6 sites, uses IPv6 addresses, and the AFI field uses the value 2 assigned to the IPv6 address family by RFC 1700. When an IPv4 site and an IPv6 site communicate, the IPv4 address A.B.C.D of the IPv4 site is mapped to the corresponding IPv6 address of the form 0::A:B:C:D.
- the subsequent address family identifier (SAFI) used is that of the VPN address family.
- IPv4 sites in a VPN may continue to use private IPv4 addresses, and sites of different VPNs may use the same private IPv4 address.
- between IPv4 sites a VPN-IPv4 address is formed as RD + IPv4 address; between an IPv4 site and an IPv6 site, and between IPv6 sites, a VPN-IPv6 address is formed as RD + IPv6 address. The IPv4 address A.B.C.D of an IPv4 site communicating with an IPv6 site is mapped to the IPv6 address 0::A:B:C:D and then combined with the RD to form the VPN-IPv6 address.
- each CE router aggregates the addresses of its user site into the corresponding routing entries. Route learning and distribution for the VPN sites, label distribution, and VPN data forwarding can then proceed; these are explained in detail below.
- VPN site route learning and publishing includes the following steps:
- step 1: the CE routers distribute the aggregated routes to the PE routers connected to them. The CEs of IPv6 sites connected to the IPv4 backbone, the CEs of IPv4 sites connected to the IPv6 backbone, and the PEs serving those CEs all support the IPv4/IPv6 dual stack, so such a PE can learn the IPv4 and/or IPv6 routes published by the CE.
- step 2: the PE router distributes the IPv4 routes and IPv6 routes learned from the CE router to the other PE routers and the ASBR in its autonomous system. According to the VPN and the IP version of the route, the RD, AFI, SAFI and other information are added to form routing information of a unified form carrying the RD, AFI, SAFI, Route Target and the IPv4/IPv6 route.
- the PE router still uses VRFs to store the routes of different VPNs; within each VPN's VRF, IPv4 routes and IPv6 routes are stored separately under their respective AFIs.
- the PE routers and the ASBR in the IPv4 network advertise the routes of the VPN user sites connected to the IPv4-network PEs through a fully meshed IPv4-based Multi-Protocol Internal BGP (MP-IBGP) or through a route reflector.
- the PE routers and the ASBR in the IPv6 network advertise the routes of the VPN sites connected to the IPv6-network PEs through a fully meshed IPv6-based MP-IBGP or through a route reflector.
- IPv4 routes and IPv6 routes are carried only as transported data: whether IPv4-based or IPv6-based MP-IBGP is used depends only on the IP version of the network, not on the data carried, so either MP-IBGP session can transport both IPv4 routes and IPv6 routes.
- step 3: the ASBR advertises the learned routes to the ASBR of the other autonomous system. The ASBRs between the IPv4 and IPv6 networks publish the corresponding routes to their peers through an IPv6-based Multi-Protocol External BGP (MP-EBGP). Since both ASBRs in this embodiment support the IPv4/IPv6 dual stack, they can advertise routes to each other over IPv6-based MP-EBGP regardless of whether the two autonomous systems are IPv4 or IPv6.
- step 4: the ASBR of the other autonomous system advertises the learned routes to the PEs of its autonomous system. The ASBR runs MP-IBGP of its autonomous system's IP version and distributes the learned IPv4 and IPv6 routes to the PEs of that autonomous system.
- step 5: the PE router advertises the routes learned from the ASBR and from other PE routers to the CE routers connected to it, and each CE router stores the IPv4 and/or IPv6 routes it receives.
- the CE router of an IPv4 site in the VPN stores the corresponding IPv4 routes and IPv6 routes and acts as a proxy when the VPN site accesses other sites: route matching selects an IPv4 route or an IPv6 route according to whether the destination user site in the topology given by the Route Target is an IPv4 user site or an IPv6 user site.
- the CE router of an IPv6 user site in the VPN stores only IPv6 routes. Before the PE router connected to an IPv6 site advertises the routes of IPv4 sites to that site, it converts each IPv4 route A.B.C.D/n into the IPv6 route 0::A:B:C:D/(96+n).
- for an IPv4 user site that needs to access IPv6 user sites, the CE router and the PE router run an IPv6-based routing protocol and learn IPv6 routes and IPv4 routes at the same time: the PE converts A.B.C.D/n into the IPv6 route 0::A:B:C:D/(96+n) and advertises it to the CE router through the IPv6 routing protocol, and the CE router restores it to the IPv4 route A.B.C.D/n. The IPv6 routes of other IPv6 user sites are stored as IPv6 routes in the CE router. The IPv4 route is matched when the IPv4 user site visits an IPv4 site, and the IPv6 route when it visits an IPv6 site.
- for an IPv6 user site that needs to access IPv4 user sites, the CE router and the PE router also run an IPv6-based routing protocol to learn the routes of other sites. The routes of other IPv4 user sites are stored directly as IPv6 routes of the form 0::A:B:C:D/(96+n), and the routes of other IPv6 user sites are stored in their original form. In A.B.C.D/n above, A.B.C.D is the network segment address and n is the mask length.
- the CE also advertises the routes to the router of the user site, which stores them in its routing table; if the user site connected to the CE has no router of its own, then in step 5 the CE itself stores the routing table of the user site.
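The address forms used in step A and the route conversion performed by the PE and the CE in step B5 and step 5, as an added example in runnable Python (this code is not part of the patent, which describes no implementation): a type-0 Route Distinguisher as laid out in RFC 4364, the RD + address NLRI for AFI 1 and AFI 2, and the conversion of an IPv4 site route A.B.C.D/n into the IPv6 form 0::A:B:C:D/(96+n) and back. The /(96+n) mask places the IPv4 address in the low 32 bits, so the code uses ::A.B.C.D, which is the same bit pattern as the patent's 0::A:B:C:D. The SAFI value 128 is the MPLS-labelled VPN SAFI of RFC 4364 and is an assumption here since the page only names "the VPN address family"; the AS number 65000 and the prefixes are constructed samples.

```python
"""Added example (not part of the patent): VPN-IPv4 / VPN-IPv6 address forms
and the A.B.C.D/n <-> 0::A:B:C:D/(96+n) route conversion used for IPv4 sites
that must be reachable from IPv6 sites. RD layout is RFC 4364 type 0."""
import ipaddress
import struct
from typing import Optional, Tuple

AFI_IPV4 = 1          # RFC 1700 address family numbers, as cited by the patent
AFI_IPV6 = 2
SAFI_MPLS_VPN = 128   # MPLS-labelled VPN address family (RFC 4364); assumed here


def rd_type0(asn: int, number: int) -> bytes:
    """Type-0 Route Distinguisher: 2-byte type 0, 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)


def vpn_nlri(rd: bytes, prefix: str) -> Tuple[int, int, bytes]:
    """Return (AFI, SAFI, RD + network address): 12 bytes for IPv4, 24 for IPv6."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    net = ipaddress.ip_network(prefix, strict=True)
    afi = AFI_IPV4 if net.version == 4 else AFI_IPV6
    return afi, SAFI_MPLS_VPN, rd + net.network_address.packed


def ipv4_route_to_v6(prefix: str) -> str:
    """PE side of step B5: A.B.C.D/n -> ::A.B.C.D/(96+n), IPv4 in the low 32 bits."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return str(ipaddress.IPv6Network((int(net.network_address), 96 + net.prefixlen)))


def v6_route_to_ipv4(prefix: str) -> Optional[str]:
    """CE side of step B5: restore A.B.C.D/n from ::A.B.C.D/(96+n).
    Returns None for any other IPv6 route, which the CE keeps as IPv6."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen < 96 or int(net.network_address) >> 32:
        return None
    low32 = int(net.network_address) & 0xFFFF_FFFF
    return str(ipaddress.IPv4Network((low32, net.prefixlen - 96)))


def vpn_ipv6_for_ipv4_site(rd: bytes, address: str) -> bytes:
    """Step A for an IPv4 site talking to an IPv6 site: map A.B.C.D to ::A.B.C.D, then prepend the RD."""
    mapped = ipaddress.IPv6Address(int(ipaddress.IPv4Address(address)))
    return rd + mapped.packed


if __name__ == "__main__":
    rd = rd_type0(65000, 1)                      # constructed sample RD 65000:1
    print(vpn_nlri(rd, "10.1.0.0/16"))           # (1, 128, 12-byte NLRI)
    print(ipv4_route_to_v6("10.1.0.0/16"))       # ::a01:0/112
    print(v6_route_to_ipv4("::a01:0/112"))       # 10.1.0.0/16
    print(v6_route_to_ipv4("2001:db8::/32"))     # None: native IPv6 route kept as-is
```

The reverse conversion deliberately refuses anything whose upper 96 bits are not zero (including the ::ffff:0:0/96 IPv4-mapped range), so a CE cannot be tricked into installing an IPv4 route from an unrelated IPv6 prefix that merely happens to be longer than /96.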
- for IPv4 user sites that, in the topology determined by the Route Target attribute, do not need to access any IPv6 user site, the CE and PE routers need only run IPv4-based routing protocols, learn and store only the IPv4 routes of other IPv4 user sites, and discard IPv6 routes.
- the PE router decides whether to learn a route and publish it to the corresponding user site according to the MP-BGP Route Target extended community attribute: when an egress PE router advertises a VPN route to its BGP peer, it carries the corresponding Export Route Target and the inner label the egress PE assigned to the VPN site.
- if the BGP peer is not an ASBR, the received VPN route is matched against the Import Route Targets configured on that peer; if the match succeeds, the route is accepted and published to the user site corresponding to the matching VRF.
- if the BGP peer is an ASBR between two autonomous systems, the route is sent on to the peer ASBR through EBGP; the peer ASBR advertises the route to the IBGP peers in its local domain, and Route Target matching on those IBGP peers determines whether to accept the route and publish it to the corresponding user site.
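The Route Target matching just described, as an added example in Python (not code from the patent): Export Route Targets are attached to a site's routes when they are advertised, together with the inner label the egress PE assigned to that site, and a received route is installed in every VRF whose Import Route Targets intersect the route's Route Targets. Routes are keyed by (RD, prefix) so the same private prefix can coexist in two VPNs, as the page allows. The VPNA and VPNB names follow FIG. 4; the RT values, RDs, prefixes, the hub-and-spoke layout of VPNB and the label allocator are constructed for illustration.

```python
"""Added example (not part of the patent): PE-side Route Target import/export.
A full-mesh VPN uses one RT for both import and export; a hub-and-spoke VPN
uses two, so that spoke routes reach only the hub."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher, e.g. "65000:11"
    prefix: str             # IPv4 or IPv6 site prefix
    rts: FrozenSet[str]     # Route Target extended communities carried with the route
    inner_label: int        # label the egress PE assigned to the originating site


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]
    table: Dict[Tuple[str, str], VpnRoute] = field(default_factory=dict)  # (RD, prefix) -> route


_label_alloc = count(16)   # assumed per-PE allocator; labels 0-15 are reserved


def advertise(vrf: Vrf, site_prefixes: List[str]) -> List[VpnRoute]:
    """Egress PE: one inner label per site, export RTs attached to every route of the site."""
    label = next(_label_alloc)
    return [VpnRoute(vrf.rd, p, vrf.export_rts, label) for p in site_prefixes]


def receive(vrfs: List[Vrf], route: VpnRoute) -> List[str]:
    """Receiving PE: install the route in every VRF whose import RTs match; otherwise drop it."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rts & route.rts:
            vrf.table[(route.rd, route.prefix)] = route
            accepted.append(vrf.name)
    return accepted


def rt(asn: int, num: int) -> str:
    return f"{asn}:{num}"


def demo() -> Tuple[Dict[str, List[str]], List[Vrf]]:
    """Constructed scenario on one receiving PE: VPNA is a full mesh (one RT imported and
    exported); VPNB is hub-and-spoke (hub exports H and imports S, spokes export S and import H)."""
    mesh, hub, spoke = rt(65000, 100), rt(65000, 200), rt(65000, 201)
    local = [
        Vrf("VPNA", "65000:1", frozenset({mesh}), frozenset({mesh})),
        Vrf("VPNB-hub", "65000:2", frozenset({spoke}), frozenset({hub})),
        Vrf("VPNB-spoke2", "65000:3", frozenset({hub}), frozenset({spoke})),
    ]
    # Routes as advertised by VRFs on other PEs that follow the same RT plan.
    remote_a = advertise(Vrf("VPNA", "65000:11", frozenset({mesh}), frozenset({mesh})), ["10.1.0.0/16"])
    remote_s1 = advertise(Vrf("VPNB-spoke1", "65000:12", frozenset({hub}), frozenset({spoke})), ["10.1.0.0/16"])
    remote_h = advertise(Vrf("VPNB-hub", "65000:13", frozenset({spoke}), frozenset({hub})), ["192.168.0.0/24"])
    results = {
        "vpna": receive(local, remote_a[0]),          # ["VPNA"]
        "vpnb_spoke1": receive(local, remote_s1[0]),  # ["VPNB-hub"]: a spoke route reaches only the hub
        "vpnb_hub": receive(local, remote_h[0]),      # ["VPNB-spoke2"]: a hub route reaches the spokes
    }
    return results, local
```

Note that 10.1.0.0/16 is advertised by both VPNA and VPNB-spoke1 and ends up in two different VRFs without collision, because the RD is part of the key; a PE that keyed routes on the prefix alone would let one VPN overwrite the other.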
- label distribution may be performed as follows.
- different VPN sites connected to the same egress PE are distinguished by different inner labels assigned by that egress PE; the inner labels are advertised to the corresponding PEs along with the routes when the routes are advertised through MP-BGP.
- within a single domain, both the IPv4 backbone and the IPv6 backbone run the Label Distribution Protocol (LDP), Resource Reservation Protocol with Traffic Engineering (RSVP-TE) or Constraint-based Routing LDP (CR-LDP) to distribute the outer label of the LSP.
- between the two ASBRs, the outer label is distributed through MP-EBGP and is only used for forwarding between the two ASBRs. How the LSP outer label is assigned over the bidirectional ASBR connection through MP-EBGP is described in RFC 3107.
- data forwarding includes three kinds of forwarding: IP forwarding between the source user site and the ingress PE router, label forwarding between the ingress PE router and the egress PE router, and IP forwarding between the egress PE and the destination user site. They are described separately below.
- forwarding of IP packets from the source user site to the ingress PE router follows the normal IP forwarding process. The CE router of the user site stores both an IPv4 and an IPv6 routing table; when a source user site sends to an IPv4 or IPv6 destination user site, it queries the routing table corresponding to the destination site's IP version and forwards the packet to the ingress PE accordingly.
- label forwarding between the ingress PE router and the egress PE router: the ingress PE pushes the inner label assigned by the egress PE for the destination site, then the outer label assigned by the label distribution protocol (LDP, RSVP-TE or CR-LDP) of the autonomous domain where the ingress PE is located, and the packet is forwarded along the LSP to the local ASBR; the ASBR replaces the outer label with the one assigned by MP-EBGP between itself and the ASBR of the next neighbouring autonomous system and forwards the packet to that ASBR, which forwards it along the LSP in its autonomous system to the egress PE.
- IP forwarding from the egress PE to the destination user site: after receiving the packet carrying the inner label, the egress PE identifies the destination user site from the inner label and forwards the packet to the destination host according to the routing table selected by the types of the source and destination user sites. The IPv4 routing table is queried only when both the source and the destination user site are IPv4 sites; in every other case the IPv6 routing table is queried.
- the method in RFC 2547bis can still be used, that is, by matching This is achieved by using Route Target.
- Route Target This is exactly the same as the mechanism for advertising and learning routes between PEs, that is, determining whether to learn the routing table based on the topology of the VPN, and implementing the topology of the VPN according to the routing table.
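The route advertisement, label distribution and forwarding steps above can be followed end to end in a small simulation. The following is an added example written for this page, not code from the patent or its assignee: it models two autonomous systems (PE1 and ASBR1 in AS 1, ASBR2 and PE2 in AS 2), Import/Export Route Target matching into VRFs, one inner label per site on the egress PE, an outer label swapped at each ASBR, and the egress rule that the IPv4 table is consulted only when both sites are IPv4. All router names, prefixes, route targets and label values are constructed for illustration.

```python
"""Toy model of the Route Target matching and two-label forwarding described
above. Added example, not the patent's code: every PE/ASBR name, prefix,
route target and label value is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VpnRoute:
    prefix: str        # IPv4 or IPv6 prefix of the originating user site
    export_rt: str     # Export Route Target attached by the egress PE
    inner_label: int   # inner label the egress PE assigned to that VPN site
    egress_pe: str     # the egress PE that advertised the route
    family: int        # 4 or 6: address family of the originating site

@dataclass
class Vrf:
    name: str
    family: int                 # 4 or 6: address family of the attached site
    import_rt: frozenset        # Import Route Targets configured on this VRF
    routes: dict = field(default_factory=dict)   # prefix -> VpnRoute

class PE:
    """Provider edge: per-site inner labels and Import Route Target matching."""
    def __init__(self, name):
        self.name, self.vrfs, self.site_label, self._next = name, {}, {}, 100

    def attach(self, vrf):
        self.vrfs[vrf.name] = vrf
        self.site_label[vrf.name] = self._next   # distinct label per site on this PE
        self._next += 1

    def advertise(self, vrf_name, prefix, export_rt):
        """Egress side of MP-BGP: the route carries Export RT and inner label."""
        vrf = self.vrfs[vrf_name]
        return VpnRoute(prefix, export_rt, self.site_label[vrf_name], self.name, vrf.family)

    def receive(self, route):
        """Non-ASBR peer: learn the route only into VRFs whose Import RT matches."""
        learned = [v.name for v in self.vrfs.values() if route.export_rt in v.import_rt]
        for name in learned:
            self.vrfs[name].routes[route.prefix] = route
        return learned

    def lookup(self, vrf_name, dst):
        """Longest-prefix match of dst among the routes learned into the VRF."""
        addr, best = ipaddress.ip_address(dst), None
        for prefix, route in self.vrfs[vrf_name].routes.items():
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net and (
                    best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
                best = route
        return best

# Constructed outer labels: LDP (or RSVP-TE / CR-LDP) LSP labels inside each AS,
# and the MP-EBGP label that is valid only on the link between the two ASBRs.
PATH = ["PE1", "ASBR1", "ASBR2", "PE2"]      # AS 1: PE1, ASBR1; AS 2: ASBR2, PE2
OUTER_LABEL = {("PE1", "ASBR1"): 3001, ("ASBR1", "ASBR2"): 5001, ("ASBR2", "PE2"): 3002}

def ingress_push(ingress, vrf_name, dst):
    """Ingress PE: push the egress PE's inner label, then the local-AS outer label."""
    route = ingress.lookup(vrf_name, dst)
    if route is None:
        return None                           # nothing learned (e.g. Import RT mismatch)
    return {"stack": [OUTER_LABEL[(PATH[0], PATH[1])], route.inner_label],
            "dst": dst, "src_family": ingress.vrfs[vrf_name].family}

def transit_swap(packet, hop):
    """LSR/ASBR at PATH[hop] swaps the outer label; the inner label is untouched."""
    packet["stack"][0] = OUTER_LABEL[(PATH[hop], PATH[hop + 1])]
    return packet

def select_table(src_family, dst_family):
    """IPv4 table only when both sites are IPv4; otherwise the IPv6 table."""
    return 4 if (src_family, dst_family) == (4, 4) else 6

def egress_forward(egress, packet):
    """Egress PE: find the destination site by inner label, choose the table."""
    if packet["stack"][0] != OUTER_LABEL[(PATH[-2], PATH[-1])]:
        raise ValueError("packet did not arrive over the LSP to the egress PE")
    site = next(n for n, lbl in egress.site_label.items() if lbl == packet["stack"][-1])
    return site, select_table(packet["src_family"], egress.vrfs[site].family)

def run_demo():
    pe2 = PE("PE2")                                        # egress PE in AS 2
    pe2.attach(Vrf("siteB", 6, frozenset({"65000:1"})))
    pe2.attach(Vrf("siteC", 4, frozenset({"65000:1"})))
    pe1 = PE("PE1")                                        # ingress PE in AS 1
    pe1.attach(Vrf("siteA", 4, frozenset({"65000:1"})))
    pe1.attach(Vrf("siteD", 6, frozenset({"65000:9"})))    # Import RT never matches
    adverts = [pe2.advertise("siteB", "2001:db8:b::/48", "65000:1"),
               pe2.advertise("siteC", "192.0.2.0/24", "65000:1")]
    # ASBR1/ASBR2 relay the routes over EBGP unchanged; RT matching happens on PE1
    learned = {r.prefix: pe1.receive(r) for r in adverts}

    def carry(vrf, dst):                                   # full ingress -> egress path
        pkt = ingress_push(pe1, vrf, dst)
        if pkt is None:
            return None
        for hop in (1, 2):                                 # ASBR1, then ASBR2
            transit_swap(pkt, hop)
        return list(pkt["stack"]), egress_forward(pe2, pkt)

    return {"learned": learned,
            "v4_to_v6": carry("siteA", "2001:db8:b::10"),  # hybrid case -> IPv6 table
            "v4_to_v4": carry("siteA", "192.0.2.7"),       # both IPv4 -> IPv4 table
            "unmatched": carry("siteD", "2001:db8:b::10")} # no route learned -> dropped
```

Running `run_demo()` shows the two filtering points a defender cares about: a VRF whose Import Route Target does not match learns nothing, so traffic from that site has no VPN route and is never labelled; and the inner label alone selects the destination site at the egress PE, so label allocation per site is what keeps sites on the same PE apart. The MP-EBGP label 5001 appears only on the ASBR1 to ASBR2 hop and is replaced by the AS 2 LSP label before the packet reaches PE2.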
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100494741A CN100440844C (zh) | 2004-06-16 | 2004-06-16 | System and method for implementing a hybrid-site hybrid-backbone virtual private network |
CN200410049474.1 | 2004-06-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005125103A1 (fr) | 2005-12-29 |
Family
ID=35510100
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2005/000869 WO2005125103A1 (fr) | 2004-06-16 | 2005-06-16 | Virtual private network system of a hybrid site and hybrid backbone network, and associated implementation method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN100440844C (fr) |
WO (1) | WO2005125103A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10623374B2 (en) | 2017-06-09 | 2020-04-14 | Microsoft Technology Licensing, Llc | Automatic network identification for enhanced communications administration |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101043411B (zh) * | 2006-03-24 | 2012-05-23 | Huawei Technologies Co., Ltd. | Method and system for implementing mobile VPN in a hybrid network |
CN101114971A (zh) * | 2006-07-27 | 2008-01-30 | Huawei Technologies Co., Ltd. | Method for implementing a virtual private network based on the IPv6 address structure |
CN101102228B (zh) * | 2007-08-08 | 2010-06-02 | Huawei Technologies Co., Ltd. | Method and apparatus for traffic statistics |
CN101753417B (zh) * | 2008-12-03 | 2012-05-23 | Huawei Technologies Co., Ltd. | Method for computing and determining routes, path computation element, and system for determining routes |
CN101931584A (zh) * | 2009-06-22 | 2010-12-29 | ZTE Corporation | Method and system supporting data forwarding between multiple protocol stacks in the same system |
CN101841481B (zh) * | 2010-04-30 | 2015-08-12 | ZTE Corporation | Method and apparatus for implementing a virtual private network routing and forwarding instance |
CN102571523A (zh) * | 2012-01-19 | 2012-07-11 | Fujian Star-net Ruijie Networks Co., Ltd. | Method, apparatus and system for determining configuration information |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010016914A1 (en) * | 2000-02-21 | 2001-08-23 | Nec Corporation | IP virtual private network constructing method and IP virtual private network |
CN1414749A (zh) * | 2002-08-23 | 2003-04-30 | Huawei Technologies Co., Ltd. | Layer 3 virtual private network and method for constructing it |
KR20030089922A (ko) * | 2002-05-20 | 2003-11-28 | Jeon Min-hee | Online billing transmission and reception apparatus and method in a communication processing system using a virtual private network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1199405C (zh) * | 2002-07-23 | 2005-04-27 | Huawei Technologies Co., Ltd. | Enterprise extranet virtual private network system built with virtual routers, and method |
- 2004-06-16: CN application CNB2004100494741A, published as CN100440844C (zh), status: not active (Expired - Fee Related)
- 2005-06-16: WO application PCT/CN2005/000869, published as WO2005125103A1 (fr), status: active (Application Filing)
Also Published As
Publication number | Publication date |
---|---|
CN1710877A (zh) | 2005-12-21 |
CN100440844C (zh) | 2008-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111865898B (zh) | | Communication method, device and system based on a flow rule protocol |
US9843507B2 (en) | | Enhanced hierarchical virtual private local area network service (VPLS) system and method for ethernet-tree (E-tree) services |
CN111865796B (zh) | | Path computation element central controller (PCECC) for network services |
WO2006002598A1 (fr) | | Hybrid-site hybrid backbone network VPN system and implementation method therefor |
Gleeson et al. | | A framework for IP based virtual private networks |
EP1713197B1 (fr) | | Method for implementing a virtual private line |
US7339929B2 (en) | | Virtual private LAN service using a multicast protocol |
US8098656B2 (en) | | Method and apparatus for implementing L2 VPNs on an IP network |
US6789121B2 (en) | | Method of providing a virtual private network service through a shared network, and provider edge device for such network |
CN107040469A (zh) | | Network device and method |
EP1811728B2 (fr) | | Method, system and device for managing traffic in a multi-protocol label switching network |
WO2006005260A1 (fr) | | Virtual private network and method for controlling and transmitting routing |
WO2005122490A1 (fr) | | Method for setting up a virtual private network |
WO2005101730A1 (fr) | | System and method for ensuring quality of service in a virtual private network |
KR20040019129A (ko) | | Method for setting up bidirectional tunnels and distributing configuration information for a QoS-capable layer 2 virtual private network using an extension of the Label Distribution Protocol |
JP2011508575A (ja) | | Implementation of VPN over a link-state-protocol-controlled Ethernet network |
WO2006105718A1 (fr) | | Method for adapting an MPLS-VPN to a hybrid network |
WO2005112350A1 (fr) | | Path management method in a virtual private network using the IPv6 protocol |
WO2005125103A1 (fr) | | Virtual private network system of a hybrid site and hybrid backbone network, and associated implementation method |
WO2007112691A1 (fr) | | System, method and network device allowing a virtual private network (VPN) client to access a public network |
WO2008011818A1 (fr) | | Method for providing a hierarchical virtual private LAN service, and network system |
WO2005114944A1 (fr) | | Method for setting up a virtual private network of IPv4 and IPv6 sites |
WO2013139270A1 (fr) | | Method, device and system for implementing a layer 3 virtual private network |
US20180309594A1 (en) | | Systems and Methods for Creating an Integrated Layer 2-Layer 3 Hybrid VPN Network |
CN103634210B (zh) | | Method and device for discovering the peer PE device of a VPLS instance |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | |