WO2013139270A1 - Method, device, and system for implementing layer3 virtual private network - Google Patents


Publication number
WO2013139270A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
packet
multicast
routing
address
Application number
PCT/CN2013/072915
Inventor
徐小虎
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method, device, and system for implementing a Layer 3 virtual private network (VPN).
  • a virtual private network is a virtual private network provided by an operator to a user through its public network.
  • the VPN member nodes that are geographically separated from each other are connected to the corresponding carrier border device through the client device, and form the customer's VPN network through the operator's public network.
  • VPN implementations are divided into the following two types: Layer 3 Virtual Private Network (L3VPN), which requires the operator's border device to participate in the calculation and delivery of customer routes, and Layer 2 Virtual Private Network (L2VPN), which does not require carrier edge devices to participate in the calculation and delivery of customer routes.
  • the Provider Edge (PE) devices that belong to the same VPN exchange VPN routing information through the Border Gateway Protocol (BGP). The BGP protocol is manually configured on each PE.
  • IP Internet Protocol
  • Each VPN has a global VPN ID.
  • each PE device allocates a local VPN label to the VPN for data forwarding.
  • the PE performs the VPN deployment by interacting with the PEs through the BGP packets carrying the VPN parameters.
  • the number of PEs is generally very large, and the configuration of the BGP protocol is correspondingly cumbersome and complicated.
  • the existing L3VPN solution requires a large number of complex parameter configurations on the PEs, such as VPN-related parameter configuration and BGP neighbor parameter configuration.
  • Embodiments of the present invention provide a method, device, and system for implementing a Layer 3 virtual private network, which can improve the automatic configuration and automatic operation capability of the VPN.
  • a method for implementing a Layer 3 virtual private network, comprising:
  • the first carrier edge PE device receives the virtual private network VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type length value TLV packet, and the second PE device is carried.
  • when the second PE device is connected to the same VPN as the first PE device, routing protocol packets are exchanged with the second PE device in the same VPN to generate a VPN routing forwarding table corresponding to the same VPN; the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
  • a first carrier edge PE device including:
  • the neighbor receiving unit is configured to receive the virtual private network VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type length value TLV packet, and the second PE device is corresponding to the second PE device.
  • a network determining unit configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device;
  • a routing interaction unit, configured to: when the second PE device and the first PE device are connected to the same VPN, perform routing protocol packet exchange in the same VPN with the second PE device to generate the VPN routing forwarding table corresponding to the same VPN, wherein the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
  • a system for implementing a three-layer virtual private network comprising: a first PE device and a second PE device;
  • the first PE device is configured to: receive a virtual private network VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type length value TLV packet and carries the IP address, the VPN ID, and the VPN label corresponding to the second PE device; determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device; and, when the second PE device is connected to the same VPN as the first PE device, perform routing protocol packet exchange in the same VPN with the second PE device and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label assigned by the second PE device to the same VPN.
  • the method, the device and the system for implementing the Layer 3 virtual private network provided by the embodiments of the present invention add the VPN neighbor discovery packet by extending the TLV packet, and carry the VPN ID and the VPN label in the VPN neighbor discovery packet, so that the PE device that belongs to the same VPN as the first PE device can be determined by identifying the VPN ID in the VPN neighbor discovery packet, and routing protocol packets can be exchanged with that PE device in the same VPN. Compared with the existing technology, the PE device can discover the PEs of the same VPN and complete the routing protocol packet exchange, which eliminates a lot of manual configuration work and improves the automatic configuration and automatic operation capability of the VPN.
  • FIG. 1 is a flowchart of a method for implementing a three-layer virtual private network according to Embodiment 1 of the present invention
  • FIG. 2 is a flowchart of a method for implementing a three-layer virtual private network according to Embodiment 2 of the present invention
  • FIG. 4 is a flowchart of another method for implementing a three-layer virtual private network according to Embodiment 2 of the present invention
  • FIG. 5 is a schematic diagram of a VPN connection situation according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a first PE device according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
  • FIG. 8 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
  • FIG. 9 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention.
  • FIG. 10 is a schematic diagram of a system composition for implementing a three-layer virtual private network according to Embodiment 3 of the present invention.
  • the Provider Edge (PE) device and the Customer Edge Router (CE) need to exchange routing information.
  • the routing exchange between the PE and the CE may use static routing, or may use dynamic routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (ISIS), and BGP.
  • PEs belonging to the same VPN can exchange VPN routing information through the OSPF protocol or the ISIS protocol.
  • the Provider Router (P) does not need to know the routing information of the customer's VPN network. This transparency can effectively reduce the burden on the P router and improve the scalability of the network and the flexibility of service development.
  • After receiving the IP data packet sent from the local CE, the PE searches the routing forwarding table corresponding to the VPN to which the CE belongs for the best route matching the destination address of the IP data packet, and then uses Multiprotocol Label Switching (MPLS) or IP tunneling to transmit the IP data packet to the next hop PE device across the carrier MPLS/IP network.
  • the embodiment of the present invention mainly improves the automatic configuration of the L3VPN technology. Therefore, the VPN referred to in the following is the L3VPN.
  • An embodiment of the present invention provides a method for implementing a Layer 3 virtual private network. As shown in FIG. 1, the method includes:
  • the first PE device receives the virtual private network VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended Type-Length-Value (TLV) packet carrying an IP address, a VPN ID, and a VPN label corresponding to the second PE device.
  • the VPN neighbor discovery packet is an extended TLV packet, for example, a TLV packet in the ISIS protocol or a TLV packet in the OSPF protocol. Specifically, the VPN neighbor discovery packet under the ISIS protocol is shown in Table 1.
  • the extended ISIS TLV contains the message type identifier (type), the TLV packet length (length), and the TLV message content (value).
  • a specific message type identifier (type) can be defined for a TLV dedicated to VPN neighbor discovery, so that when any PE device in the public network receives the VPN neighbor discovery packet, the device can determine the usage of the TLV according to the type identifier.
  • the Next-hop address field is used to fill in the IP address of the PE device that sends the VPN neighbor discovery message.
  • Value contains the VPN ID and VPN label written in pairs. For example, a VPN ID can occupy 32 bits, of which 20 bits carry the VPN ID and 12 bits are reserved. Similarly, a VPN label can also occupy 32 bits, of which 20 bits carry the VPN label and 12 bits are reserved.
  • the VPN neighbor discovery packet under the OSPF protocol is shown in Table 1.
  • the extended OSPF TLV includes a packet type identifier (type), a TLV packet length (length), and a TLV packet content (value).
  • a type identifier such that when any one of the PE devices in the public network receives the VPN neighbor discovery message, the TLV can be determined according to the type identifier.
  • For the method of filling in the value field reference may be made to the method of filling the ISIS TLV, which is not described herein again.
  • a VPN neighbor discovery packet can carry one VPN ID and VPN label pair. For example, if the second PE device is only connected to VPN1, the second PE device can write the VPN ID of VPN1 and the VPN label allocated by the second PE device to VPN1 in the VPN neighbor discovery message.
  • the first PE device may determine, according to the VPN ID carried in the VPN neighbor discovery packet (that is, the VPN ID corresponding to the second PE device) and the VPN ID of the first PE device, whether the second PE device is connected to the same VPN as the first PE device.
  • the first PE device may perform the routing protocol packet exchange in the same VPN with the second PE device to complete the subsequent VPN configuration process.
  • the VPN ID of VPN1 carried in the VPN neighbor discovery packet, the VPN label allocated by the second PE device to VPN1, and the IP address of the second PE device may also be recorded, so as to perform subsequent routing protocol packet exchange.
  • the second PE device can write the VPN ID of the VPN1 and the VPN label allocated by the second PE device to the VPN1 in the VPN neighbor discovery message.
  • the ID and the VPN label assigned by the second PE device to VPN2.
  • the first PE device may compare the VPN ID corresponding to the VPN (for example, VPN1) connected to the first PE device with the VPN ID carried in the received VPN neighbor discovery message (that is, the VPN ID corresponding to the VPN to which the second PE device is connected) to determine whether there is a matching VPN ID.
  • the second PE device can perform the routing protocol packet exchange in the same VPN with the second PE device to complete the subsequent VPN configuration process.
  • the VPN ID of the VPN1 carried in the VPN neighbor discovery packet, the VPN label assigned by the second PE device to the VPN1, and the IP address of the second PE may be recorded, so as to perform subsequent routing protocol packet exchange.
  • the first PE device may distinguish, by using the VPN ID, whether the sender of the VPN neighbor discovery message and the first PE device belong to the same VPN.
  • the VPN corresponds to the VPN ID
  • the first PE device is configured as a member node of one or more VPNs. Therefore, the first PE device records the VPN ID of the VPN to which the first PE device belongs.
  • the second PE device that sends the VPN neighbor discovery packet allocates a VPN label to the VPN to which the second PE device belongs.
  • the first PE device determines, according to the type identifier, that the packet is a VPN neighbor discovery packet, and compares the VPN ID in the value field with the VPN ID of the first PE device to determine whether the second PE device and the first PE device are connected to the same VPN.
  • the VPN routing forwarding table includes a VPN ID of the same VPN, an IP address of the second PE device, and a VPN label allocated by the second PE device to the same VPN.
  • the routing information is written into the routing protocol packet in advance, and interacts with the determined second PE device that is connected to the same VPN as the first PE device.
  • the routing protocol packet is a Link State Advertisement (LSA) protocol packet under the OSPF protocol, or a Link State Protocol Data Unit (LSP) protocol packet under the ISIS protocol.
  • the LSA protocol packet uses a specific destination multicast IP address
  • the LSP protocol message uses a specific destination multicast media access control (MAC) address for the second PE device.
  • the method for implementing the Layer 3 virtual private network defines the VPN neighbor discovery packet by extending the TLV packet, and carries the VPN ID and the VPN label in the VPN neighbor discovery packet, so that the PE device that belongs to the same VPN as the first PE device is determined by identifying the VPN ID in the VPN neighbor discovery packet, and routing protocol packets are exchanged with that PE device in the same VPN.
  • the device can automatically discover the PEs that belong to the same VPN and complete the routing protocol packet exchange. This eliminates a lot of manual configuration and improves the automatic configuration and automatic operation of the VPN.
  • An embodiment of the present invention provides a method for implementing a Layer 3 virtual private network. As shown in FIG. 2, the method includes:
  • the first PE device sends a VPN neighbor discovery packet to the second PE device, so that the first PE device is discovered by the second PE device that is connected to the same PE device.
  • the first PE device may be any PE device in a VPN.
  • three PE devices are connected in the VPN1, namely, node A, node B, and node C, respectively. Any one of the PE devices (Node A) is taken as the first PE device.
  • Nodes B and C are two neighboring nodes that are connected to the same VPN device as the first PE device (Node A).
  • Node D is a PE device in the public network, but it is not a PE device connected to VPN1, so it is not a neighbor node of Node A in terms of VPN1.
  • the VPN deployment may overlap, that is, the member nodes include nodes A and D for VPN2, so node D is the neighbor node of node A for VPN2.
  • the remaining nodes in the public network, including nodes B, C and D, can be used as the second PE device.
  • the VPN neighbor discovery packet sent by the node A to the other nodes in the public network includes the VPN label assigned by the node A to the VPN1.
  • the VPN label is unique in the same VPN and is used to identify the sender (node A) of the VPN neighbor discovery message.
  • the VPN neighbor discovery packet further includes a VPN ID, where the VPN ID is an identifier of a VPN to which the node A is connected. For example, the VPN label assigned by node A to VPN1 is 100.
  • the VPN ID (VPN1) and the VPN label (100) of node A can be written in the value field of the VPN neighbor discovery message, so the VPN ID and VPN label exist in pairs in the neighbor discovery message. It can be understood that a VPN neighbor discovery message can carry one VPN ID and VPN label pair, and can also carry multiple pairs of VPN IDs and VPN labels at the same time.
  • the first PE device receives a VPN neighbor discovery packet sent by the second PE device.
  • the configuration of the VPN neighbor discovery packet is the same as that described in the step 201.
  • the other nodes in the public network can also send the VPN configuration information to the first PE device by using the VPN neighbor discovery packet.
  • the VPN neighbor discovery packet is an extended TLV packet, and carries the IP address of the second PE device that sends the VPN neighbor discovery message, the VPN ID of the VPN to which the second PE device is connected, and the VPN label allocated by the second PE device to that VPN.
  • a VPN neighbor discovery packet can carry multiple pairs of VPN IDs and VPN labels at the same time, so after the first PE device receives the VPN neighbor discovery message, it needs to parse the message and identify the VPN information relevant to the first PE device.
  • node A (the first PE device) is itself connected to VPN1, so it can identify the VPN ID of VPN1 in the received VPN neighbor discovery message.
  • the VPN ID of VPN1 is obtained, and thus the neighbor node (Node B) that belongs to VPN1 is found, and the VPN label (200) allocated by Node B to VPN1 and the IP address of Node B are recorded.
  • if node A receives a VPN neighbor discovery message sent by another second PE device (node X) that is not connected to the same VPN as node A, no matching VPN ID can be parsed from the message, and node X is not used as a neighbor node.
  • the VPN ID corresponding to the same VPN, the VPN label allocated by the second PE device to the same VPN, and the IP address of the second PE device are recorded in the VPN neighbor list.
  • each VPN connected to the first PE device may have a VPN neighbor list, and the IP address of the second PE device belonging to the same VPN and the VPN label it allocated for the same VPN may be recorded in the VPN neighbor list.
  • For example, the VPN neighbor list of node A for VPN1 records the IP address of node B and the VPN label 200 assigned by node B to VPN1, and the IP address of node C and the VPN label 300 assigned by node C to VPN1. For example, if node A is connected to both VPN1 and VPN2, then two corresponding VPN neighbor lists can be generated on node A.
  • the first PE device may also generate a shared VPN neighbor list for multiple VPNs connected to the first device.
  • in the shared VPN neighbor list, the VPN ID of each VPN to which the first PE device is connected, the IP address of the PE device included in each VPN, and the VPN label may be recorded.
  • the node A can identify the IP address of the Node B belonging to the VPN1 and the VPN label assigned by the Node B to the VPN1 from the shared VPN neighbor list according to the VPN ID of the VPN1.
  • the first routing protocol packet is sent by the first tunnel, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
  • the routing protocol packet is used to convey the reachability of the route, so that each member PE device in the same VPN generates a VPN routing forwarding table, and during service communication finds the best path according to the VPN routing forwarding table to transmit the service data to the next hop PE device.
  • the VPN label type to be carried in the first tunnel encapsulation information may be set as the downstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
  • node A writes the VPN label (200) that node B allocated to VPN1, previously obtained through VPN neighbor discovery, into the first tunnel encapsulation information and sets it as a downstream allocation label, so that when node B receives the first routing protocol packet, it recognizes the label as the one it allocated to VPN1 and determines that the first routing protocol packet is a routing protocol packet belonging to VPN1.
  • the second routing protocol packet is sent by the second tunnel, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN.
  • node A receives the encapsulated second routing protocol packet sent by node B (the second PE device) through the point-to-point tunnel, and parses the VPN label (100) carried in the second tunnel encapsulation information. After determining which VPN (VPN1) node A allocated that VPN label to, it can be determined that the currently received second routing protocol packet is a routing protocol packet belonging to VPN1.
  • the VPN routing forwarding table may include a prefix, a next hop (that is, an IP address of each PE device in the same VPN), and other information, in order to determine an optimal path according to the VPN routing forwarding table during service transmission.
  • the method of the embodiment shown in FIG. 2 may further include:
  • the best transmission path can be determined according to the VPN routing forwarding table corresponding to the same VPN, and the service data is sent to the best next hop PE device.
  • the routing protocol packet interaction may be performed through a point-to-point tunnel, and the routing protocol packet interaction may be performed through a dedicated private network multicast tree dedicated to each VPN.
  • the method for implementing a three-layer virtual private network provided by an embodiment of the present invention may include:
  • the third routing protocol packet is encapsulated to obtain a first multicast packet, and is sent to another PE device in the private public network multicast tree by using the private public network multicast tree corresponding to the same VPN.
  • the private network multicast tree includes all the PE devices connected to the same VPN, and the destination address of the first multicast packet is a multicast group address corresponding to the private public network multicast tree.
  • Each private public network multicast tree has a multicast group address, that is, the same VPN corresponds to a private public network multicast tree and corresponds to a multicast group address.
  • the public network multicast tree is a carrier multicast tree
  • the private public network multicast tree is a non-aggregated multicast tree
  • the shared public network multicast tree is an aggregated multicast tree.
  • a dedicated public network multicast tree can be pre-configured to set all member PEs belonging to the same VPN as leaf nodes of a private public network multicast tree.
  • VPN1 consisting of three member PE devices (nodes A, B, and C) corresponds to a private public network multicast tree 1
  • the leaf nodes of the private public network multicast tree 1 include nodes A, B, and C.
  • the private public network multicast tree 1 sends the first multicast packet to the node B at the same time.
  • the node analyzes the multicast group address carried in the first multicast packet to determine that the currently received first multicast packet belongs to VPN1, and then records the routing information in the third routing protocol packet and generates a VPN routing forwarding table corresponding to VPN1.
  • through the private public network multicast tree corresponding to the same VPN, a second multicast packet that is sent by the second PE device and obtained by encapsulating the fourth routing protocol packet is received, and the corresponding VPN is determined according to the destination address of the second multicast packet.
  • the destination address of the second multicast packet is a multicast group address corresponding to the private public network multicast tree.
  • the first PE device is a member node of the VPN and is also a leaf node of the public network multicast tree. Therefore, from the multicast group address carried in the received second multicast packet, it can determine which VPN the received fourth routing protocol packet belongs to, and generate the corresponding VPN routing forwarding table.
  • the VPN routing forwarding table may include information such as an IP address (next hop) and a prefix of each PE device connected to the same VPN, so as to determine an optimal path according to the VPN routing forwarding table in the service transmission process.
  • the embodiment shown in FIG. 3 may further include step 308, which is the same as step 208.
  • routing protocol packet interaction may also be performed by using a shared public network multicast tree shared by multiple VPNs.
  • the method for implementing a three-layer virtual private network provided by the embodiment of the present invention may include:
  • the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
  • the shared public network multicast tree includes all the member PE devices in the at least two VPNs sharing the shared public network multicast tree, and VPN label allocation is independent for different VPNs, so the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the VPN label is set as an upstream allocation label. In this way, when the other PEs in the public network multicast tree receive the third multicast packet, the VPN label carried in the third multicast packet can be processed as an upstream allocation label.
  • the second PE device may determine that the VPN label is the VPN label allocated by the first PE device to the VPN, that is, determine the VPN corresponding to the VPN label.
  • the source IP address of the fourth multicast packet is used to search the VPN neighbor list, and the label determines the VPN corresponding to the sixth routing protocol.
  • the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, and the source IP address of the fourth multicast packet is the IP address of the second PE device, The destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree.
  • the second PE device sets the type of the VPN label to be carried in the fourth multicast packet to the upstream allocation label type before sending the fourth multicast packet, so that the first PE device determines the identification manner of the VPN label.
  • the source IP address of the fourth multicast packet and the carried VPN label are used to query the VPN neighbor list, and after finding an entry that matches both the source IP address and the VPN label, the matching entry is determined to belong.
  • the VPN label recorded in the VPN neighbor list is the VPN label assigned to the VPN by the upstream PE device (for the first PE device, the upstream PE device is the second PE device).
  • the VPN routing forwarding table may include information such as a prefix and a next hop (that is, an IP address of each member PE device in the same VPN), so as to determine an optimal path according to the VPN routing forwarding table in the service transmission process.
  • the embodiment shown in FIG. 4 may further include step 408, which is the same as step 208.
  • the method for implementing the Layer 3 virtual private network adds the VPN neighbor discovery packet by extending the TLV packet, and carries the VPN ID and the VPN label in the VPN neighbor discovery packet, so that the PEs of the same VPN can be determined by identifying the VPN ID in the VPN neighbor discovery packet, and routing protocol packets can be exchanged with the PEs in the same VPN.
  • the VPN neighbor discovery packet makes it possible to automatically discover the PEs that belong to the same VPN and complete the routing protocol packet exchange. This eliminates a lot of manual configuration and improves the automatic configuration and automatic operation of the VPN.
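
The following Python sketch is an added example, not code from the patent: it parses a VPN neighbor discovery TLV with strict length checks, records only senders whose VPN ID matches a locally configured VPN, and resolves labels for the point-to-point tunnel case (downstream allocation) and the shared multicast tree case (upstream allocation, matched on source IP plus label). Table 1 is not reproduced on this page, so the byte layout (1-byte type, 1-byte length, IPv4 next hop, 20-bit fields in the upper bits of each 32-bit word), the type code 250, the numeric VPN IDs and the 192.0.2.x addresses are assumptions.

```python
import ipaddress
import struct

VPN_ND_TYPE = 250     # hypothetical type code; the page assigns no value
FIELD_MASK = 0xFFFFF  # VPN ID and VPN label are 20-bit fields


def _word(value):
    """Place a 20-bit value in a 32-bit word; the low 12 bits stay reserved."""
    if not 0 <= value <= FIELD_MASK:
        raise ValueError("value does not fit in 20 bits")
    return value << 12


def build_tlv(next_hop, pairs):
    """Encode type | length | next-hop IPv4 | (VPN ID word, label word)*."""
    value = ipaddress.IPv4Address(next_hop).packed
    for vpn_id, label in pairs:
        value += struct.pack("!II", _word(vpn_id), _word(label))
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([VPN_ND_TYPE, len(value)]) + value


def parse_tlv(data):
    """Return (next_hop, [(vpn_id, label), ...]); raise ValueError if malformed."""
    if len(data) < 2 or data[0] != VPN_ND_TYPE:
        raise ValueError("not a VPN neighbor discovery TLV")
    value = data[2:]
    if data[1] != len(value):
        raise ValueError("length field does not match value size")
    if len(value) < 4 or (len(value) - 4) % 8:
        raise ValueError("value is not a next hop plus whole ID/label pairs")
    next_hop = str(ipaddress.IPv4Address(value[:4]))
    pairs = []
    for off in range(4, len(value), 8):
        id_word, label_word = struct.unpack_from("!II", value, off)
        pairs.append((id_word >> 12, label_word >> 12))  # drop reserved bits
    return next_hop, pairs


class NeighborTable:
    """Per-VPN neighbor lists kept by one PE (the 'first PE device')."""

    def __init__(self, local_vpn_ids):
        self.local_vpn_ids = set(local_vpn_ids)
        # vpn_id -> {sender IP: label that sender allocated to this VPN}
        self.neighbors = {vid: {} for vid in self.local_vpn_ids}

    def learn(self, data):
        """Record pairs for locally configured VPNs; return the shared VPN IDs."""
        next_hop, pairs = parse_tlv(data)
        shared = []
        for vpn_id, label in pairs:
            if vpn_id in self.local_vpn_ids:  # other VPNs are ignored
                self.neighbors[vpn_id][next_hop] = label
                shared.append(vpn_id)
        return shared

    def downstream_label(self, vpn_id, peer_ip):
        """Label to put in tunnel encapsulation towards peer_ip, or None."""
        return self.neighbors.get(vpn_id, {}).get(peer_ip)

    def vpn_for_upstream_label(self, src_ip, label):
        """Shared multicast tree: both source IP and label must match."""
        hits = [vid for vid, peers in self.neighbors.items()
                if peers.get(src_ip) == label]
        return hits[0] if len(hits) == 1 else None


def demo():
    """Constructed scenario: node A is in VPN1 and VPN2; B, C, D, X advertise."""
    vpn1, vpn2, vpn3 = 1, 2, 3
    node_a = NeighborTable({vpn1, vpn2})
    adverts = [
        build_tlv("192.0.2.2", [(vpn1, 200)]),  # node B
        build_tlv("192.0.2.3", [(vpn1, 300)]),  # node C
        build_tlv("192.0.2.4", [(vpn2, 200)]),  # node D reuses label value 200
        build_tlv("192.0.2.9", [(vpn3, 400)]),  # node X shares no VPN with A
    ]
    shared = [node_a.learn(a) for a in adverts]
    return node_a, shared


if __name__ == "__main__":
    table, shared = demo()
    print(shared, table.neighbors)
```

Because each PE allocates labels independently, nodes B and D can both advertise label 200; the upstream lookup only resolves a VPN when the source IP and the label match the same neighbor list entry.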
  • the embodiment of the present invention provides a first carrier edge (PE) device, as shown in FIG. 6, which may include: a neighbor receiving unit 51, a network determining unit 52, and a routing interaction unit 53.
  • the neighbor receiving unit 51 is configured to receive a virtual private network VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type length value TLV packet and carries the IP address, VPN ID and VPN label corresponding to the second PE device.
  • the network determining unit 52 is configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device.
  • the routing interaction unit 53 is configured to: when the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, exchange routing protocol packets within the same VPN with the second PE device and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label assigned by the second PE device to the same VPN.
  • the first PE device may further include: a neighbor list unit 54.
  • the neighbor list unit 54 is configured to: after the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, record the VPN ID corresponding to the same VPN, the VPN label assigned by the second PE device to the same VPN, and the IP address of the second PE device in the VPN neighbor list.
  • the routing interaction unit 53 includes: a first sending module 531.
  • the first sending module 531 is configured to send, through a point-to-point tunnel, the first routing protocol packet to the second PE device that is recorded in the VPN neighbor list, where the first routing protocol packet is sent after being encapsulated in a first tunnel, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
  • the type of the VPN label to be carried in the first tunnel encapsulation information is set to a downstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
  • the routing interaction unit 53 further includes: a first receiving module 532 and a first generating module 533.
  • the first receiving module 532 is configured to receive, through the point-to-point tunnel, the second routing protocol packet sent by the second PE device, where the second routing protocol packet is sent after being encapsulated in a second tunnel, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN.
  • the first generation module 533 is configured to determine, according to the VPN label carried in the encapsulated second routing protocol packet, the VPN corresponding to the second routing protocol packet, and generate the corresponding VPN routing forwarding table according to the content of the second routing protocol packet.
  • the routing interaction unit 53 includes: a second sending module 534.
  • the second sending module 534 is configured to encapsulate the third routing protocol packet to obtain the first multicast packet, and send it, through the dedicated public network multicast tree corresponding to the same VPN, to the other PE devices in the dedicated public network multicast tree.
  • the dedicated public network multicast tree includes all the PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
  • routing interaction unit 53 further includes: a second receiving module 535 and a second generating module 536.
  • the second receiving module 535 is configured to receive, through the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet that is sent by the second PE device and obtained by encapsulating the fourth routing protocol packet, where the destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
  • the second generation module 536 is configured to determine a corresponding VPN according to the destination address of the second multicast packet, and generate a corresponding VPN routing forwarding table according to the content of the fourth routing protocol packet.
  • the routing interaction unit 53 includes: a third sending module 537.
  • the third sending module 537 is configured to encapsulate the fifth routing protocol packet to obtain a third multicast packet, and send the packet to the other PE device in the shared public network multicast tree through the shared public network multicast tree.
  • the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
  • the type of the VPN label carried in the third multicast packet is set to the upstream allocation label type, so that the second PE device determines the identification manner of the VPN label.
  • routing interaction unit 53 further includes: a third receiving module 538 and a third generating module 539.
  • the third receiving module 538 is configured to receive, by using the public network multicast tree, a fourth multicast packet that is encapsulated by the second routing protocol packet sent by the second PE device, where the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree.
  • the third generation module 539 is configured to search the VPN neighbor list according to the VPN label carried by the fourth multicast packet and the source IP address of the fourth multicast packet, determine the VPN corresponding to the sixth routing protocol packet, and generate the corresponding VPN routing forwarding table according to the content of the sixth routing protocol packet.
  • the routing protocol packet is an LSA protocol packet of the OSPF protocol or an LSP protocol packet of the ISIS protocol, where the LSA protocol packet uses a specific destination multicast IP address and the LSP protocol packet uses a specific destination multicast MAC address, so that the second PE device, on receiving the LSA protocol packet or the LSP protocol packet, identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and sends it to the CPU for protocol processing.
  • the embodiment of the present invention further provides a system for implementing a three-layer virtual private network. As shown in FIG. 10, the system includes: a first PE device 61 and a second PE device 62.
  • the first PE device 61 is configured to: receive a VPN neighbor discovery packet sent by the second PE device 62, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device; determine, according to the VPN ID corresponding to the first PE device 61 and the VPN ID corresponding to the second PE device 62, whether the second PE device 62 and the first PE device 61 are connected to the same VPN; and, when the second PE device 62 is connected to the same VPN as the first PE device 61, exchange routing protocol packets within the same VPN with the second PE device 62 and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device 62, and the VPN label assigned by the second PE device 62 to the same VPN.
  • the VPN neighbor discovery packet is defined by extending the TLV packet, and the VPN ID and the VPN label are carried in the VPN neighbor discovery packet, so that the PE devices that belong to the same VPN are determined by identifying the VPN IDs in the VPN neighbor discovery packets, and routing protocol packets are exchanged with the PE devices in the same VPN. The VPN neighbor discovery packets can thus be used to discover automatically the PE devices that belong to the same VPN and to complete the routing protocol packet exchange, which removes a large amount of manual configuration work and improves the automatic configuration and automatic operation of the VPN.
  • the embodiments of the present invention can be implemented by means of software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the better implementation. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied, in essence, in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, hard disk or optical disk of a computer, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in the various embodiments of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a method, a device, and a system for implementing a Layer3 virtual private network, which relate to the field of communications technologies and may improve the automated configuration and automated operational capability of the VPN. The method in the embodiment of the present invention comprises: a first PE device receiving a virtual private network (VPN) neighbor discovery packet sent by a second PE device, the VPN neighbor discovery packet being an extended type length value (TLV) packet, and carrying an IP address, a VPN ID and a VPN label that correspond to the second PE device; determining whether the second PE device and the first PE device are connected to one same VPN according to a VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device; and when the second PE device and the first PE device are connected to one same VPN, performing routing protocol packet interaction in the same VPN with the second PE device. Embodiments of the present invention are mainly used in an implementation process of the L3VPN.

Description

Method, device, and system for implementing a Layer 3 virtual private network
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, device, and system for implementing a Layer 3 virtual private network (VPN).
Background
A virtual private network (VPN) is a virtual private network that an operator provides to users over its public network. VPN member nodes that are geographically separated from each other connect through customer-side devices to the corresponding operator border devices, and form the customer's VPN over the operator's public network. Depending on whether the operator border devices take part in computing and propagating the customer's routes, VPNs are implemented in two ways: the Layer 3 virtual private network (L3VPN), which requires the operator border devices to take part in computing and propagating customer routes, and the Layer 2 virtual private network (L2VPN), which does not.
In L3VPN technology, provider edge (PE) devices that belong to the same VPN exchange VPN routing information through Border Gateway Protocol (BGP) packets. The VPN ID, VPN label, neighbor parameters, an Internet Protocol (IP) address of the router, and so on, which are carried in the BGP packets, are configured manually on each PE. Each VPN has one global VPN ID. Within a VPN, each PE device assigns the VPN a local VPN label that is used for data forwarding. The PEs exchange BGP packets carrying these VPN parameters to complete the deployment of the VPN. Because the number of PEs is generally large, configuring the BGP packets is correspondingly tedious and complex.
Because deploying an existing L3VPN solution requires a large amount of complex parameter configuration on each PE node, such as VPN-related parameters and BGP neighbor parameters, the degree of automated configuration is low.
Summary of the Invention
Embodiments of the present invention provide a method, device, and system for implementing a Layer 3 virtual private network, which can improve the automated configuration and automated operation capability of a VPN.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
A method for implementing a Layer 3 virtual private network, comprising:
a first provider edge (PE) device receiving a virtual private network (VPN) neighbor discovery packet sent by a second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device;
determining, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device;
when the second PE device is connected to the same VPN as the first PE device, exchanging routing protocol packets within the same VPN with the second PE device and generating the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label allocated by the second PE device to the same VPN.
A first provider edge (PE) device, comprising:
a neighbor receiving unit, configured to receive a virtual private network (VPN) neighbor discovery packet sent by a second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device;
a network determining unit, configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device;
a routing interaction unit, configured to, when the second PE device is connected to the same VPN as the first PE device, exchange routing protocol packets within the same VPN with the second PE device and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label allocated by the second PE device to the same VPN.
A system for implementing a Layer 3 virtual private network, comprising a first PE device and a second PE device, where the first PE device is configured to: receive a virtual private network (VPN) neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device; determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device; and, when the second PE device is connected to the same VPN as the first PE device, exchange routing protocol packets within the same VPN with the second PE device and generate the VPN routing forwarding table corresponding to the same VPN, where the VPN routing forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label allocated by the second PE device to the same VPN.
The method, device, and system for implementing a Layer 3 virtual private network provided by the embodiments of the present invention add a VPN neighbor discovery packet by extending the TLV packet and carry the VPN ID and the VPN label in the VPN neighbor discovery packet, so that the PE devices that belong to the same VPN as the first PE device can be determined by identifying the VPN ID in the VPN neighbor discovery packet, and routing protocol packets can be exchanged with the PE devices in the same VPN. Compared with the prior art, the PE devices that belong to the same VPN can be discovered automatically through neighbor discovery packets and the routing protocol packet exchange completed, which removes a large amount of manual configuration work and improves the automated configuration and automated operation capability of the VPN.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for implementing a Layer 3 virtual private network according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a method for implementing a Layer 3 virtual private network according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of another method for implementing a Layer 3 virtual private network according to Embodiment 2 of the present invention;
FIG. 4 is a flowchart of another method for implementing a Layer 3 virtual private network according to Embodiment 2 of the present invention;
FIG. 5 is an example of a VPN connection scenario according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a first PE device according to Embodiment 3 of the present invention;
FIG. 7 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention;
FIG. 8 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention;
FIG. 9 is a schematic structural diagram of another first PE device according to Embodiment 3 of the present invention;
FIG. 10 is a schematic diagram of the composition of a system for implementing a Layer 3 virtual private network according to Embodiment 3 of the present invention.
Detailed Description
When an L3VPN is implemented, provider edge (PE) devices and customer edge routers (CE) need to exchange routing information. Routes between a PE and a CE may be exchanged using static routes, or using dynamic routing protocols such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (ISIS), and BGP. PEs that belong to the same VPN may exchange VPN routing information through the OSPF protocol or the ISIS protocol. A provider router (P) does not need to know the routing information of the customer's VPN network; this transparency effectively reduces the load on the P routers and improves the scalability of the network and the flexibility of service deployment. After a PE receives an IP packet sent by a local CE, it looks up the best route matching the destination address of the IP packet in the routing forwarding table corresponding to the VPN to which that CE belongs, and then uses a Multiprotocol Label Switching (MPLS) or IP tunnel to carry the IP packet across the operator's MPLS/IP network to the next-hop PE device.
It should be noted that the embodiments of the present invention mainly improve the automated configuration of L3VPN technology, so every VPN mentioned below refers to an L3VPN.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment 1
An embodiment of the present invention provides a method for implementing a Layer 3 virtual private network. As shown in FIG. 1, the method includes:
101. A first PE device receives a virtual private network (VPN) neighbor discovery packet sent by a second PE device, where the VPN neighbor discovery packet is an extended Type-Length-Value (TLV) packet and carries the IP address, VPN ID, and VPN label corresponding to the second PE device.
The VPN neighbor discovery packet is an extended TLV packet, for example a TLV packet under the ISIS protocol or a TLV packet under the OSPF protocol. Specifically, the VPN neighbor discovery packet under the ISIS protocol is shown in Table 1.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
| Type=VPN |
| Length |
| IPv4 or IPv6 Next-hop Address (128 bits) |
| Resv (12 bits) | VPN ID (20 bits) |
| Resv (12 bits) | VPN Label (20 bits) |
| Resv (12 bits) | VPN ID (20 bits) |
| Resv (12 bits) | VPN Label (20 bits) |
Table 1
In Table 1, the extended ISIS TLV contains a packet type identifier (type), the TLV packet length (length), and the TLV packet content (value). A specific packet type identifier (type) may be defined for the TLV dedicated to VPN neighbor discovery, so that any PE device in the public network that receives the VPN neighbor discovery packet can determine the purpose of the TLV from the type identifier. The Next-hop Address field carries the IP address of the PE device that sends the VPN neighbor discovery packet. The value contains VPN IDs and VPN labels written in pairs. For example, a VPN ID may occupy 32 bits, of which 20 bits hold the VPN ID and the other 12 bits are reserved. Similarly, a VPN label may occupy 32 bits, of which 20 bits hold the VPN label and the other 12 bits are reserved. The length of the reserved bits may be adjusted as needed, and a VPN ID or VPN label may also fill all 32 bits if that is required. It can be understood that the specific division of the value field in an actual application scenario may be adjusted according to the needs of the actual VPN.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
| Type | Length |
| IPv4 Next-hop Address |
| Resv (12 bits) | VPN ID (20 bits) |
| Resv (12 bits) | VPN Label (20 bits) |
| Resv (12 bits) | VPN ID (20 bits) |
| Resv (12 bits) | VPN Label (20 bits) |
Table 2
Alternatively, the VPN neighbor discovery packet under the OSPF protocol is shown in Table 2. In Table 2, the extended OSPF TLV contains a packet type identifier (type), the TLV packet length (length), and the TLV packet content (value). A specific packet type identifier (type) may be defined for the TLV dedicated to VPN neighbor discovery, so that any PE device in the public network that receives the VPN neighbor discovery packet can determine the purpose of the TLV from the type identifier. The value field is filled in the same way as for the ISIS TLV, which is not described again here.
举例来说,在一条 VPN邻居发现报文中可以携带一对成对存在的 VPN ID 和 VPN标签。 例如, 第二 PE设备仅连接到 VPN1, 则第二 PE设备可在 VPN 邻居发现报文中写入 VPN1的 VPN ID以及第二 PE设备为 VPN1分配的 VPN 标签。 当第一 PE设备接收到所述 VPN邻居发现报文后, 可以根据所述 VPN 邻居发现"¾文中携带的 VPN ID (即所述第二 PE设备对应的 VPN ID )和第 一 PE设备的 VPN ID, 确定第二 PE设备是否是与第一 PE设备连接到同一 VPN。 若是的话, 第一 PE设备可以与所述第二 PE设备进行同一 VPN内的路 由协议 ^艮文交互, 完成后续 VPN配置流程。 或者, 也可以记录所述 VPN邻 居发现报文中携带的 VPN1的 VPNID、 第二 PE设备为 VPN1分配的 VPN标签 以及第二 PE设备的 IP地址, 以便后续进行路由协议报文交互。 For example, a VPN neighbor discovery packet can carry a pair of VPN IDs and VPN labels that exist in pairs. For example, if the second PE device is only connected to the VPN1, the second PE device can write the VPN ID of the VPN1 and the VPN label allocated by the second PE device to the VPN1 in the VPN neighbor discovery message. After receiving the VPN neighbor discovery packet, the first PE device may be configured according to the VPN. The neighbor finds the VPN ID carried in the text (that is, the VPN ID corresponding to the second PE device) and the VPN ID of the first PE device, and determines whether the second PE device is connected to the same VPN as the first PE device. The first PE device may perform the routing protocol protocol in the same VPN with the second PE device to complete the subsequent VPN configuration process. Alternatively, the VPN ID of the VPN1 carried in the VPN neighbor discovery packet may also be recorded. The second PE device allocates the VPN label of the VPN1 and the IP address of the second PE device, so as to perform subsequent routing protocol packet interaction.
当然,在一条 VPN邻居发现 >¾文中也可以同时携带多对成对存在的 VPN ID和 VPN标签。 例如, 第二 PE设备同时连接到 VPN1和 VPN2 , 则第二 PE 设备可在 VPN邻居发现报文中成对的写入 VPN1的 VPN ID以及第二 PE设备 为 VPN1分配的 VPN标签, VPN2的 VPN ID以及第二 PE设备为 VPN2分配的 VPN标签。 当第一 PE设备接收到所述 VPN邻居发现报文后, 可以将第一 PE 设备所连接的 VPN (例如 VPN1 )对应的 VPN ID与接收到的 VPN邻居发现才艮 文中携带的 VPN ID (即第二 PE设备所连接的 VPN对应的 VPN ID)比对, 确 定是否有匹配的 VPN ID。 第一 PE设备确定出第二 PE设备与第一 PE设备连 接到同一 VPN ( VPN1 )后, 可以与所述第二 PE设备进行同一 VPN内的路由 协议报文交互, 完成后续 VPN配置流程。 或者, 也可以将 VPN邻居发现报 文中携带的 VPN1的 VPN ID、 第二 PE设备为 VPN1分配的 VPN标签以及第二 PE的 IP地址记录下来, 以便后续进行路由协议报文交互。  Of course, in a VPN neighbor discovery >3⁄4 text, it is also possible to carry multiple pairs of VPN IDs and VPN tags in pairs. For example, if the second PE device is connected to VPN1 and VPN2 at the same time, the second PE device can write the VPN ID of the VPN1 and the VPN label allocated by the second PE device to the VPN1 in the VPN neighbor discovery message. The ID and the VPN label assigned by the second PE device to VPN2. After receiving the VPN neighbor discovery packet, the first PE device may use the VPN ID corresponding to the VPN (for example, VPN1) connected to the first PE device and the VPN ID carried in the received VPN neighbor discovery message (ie, The VPN ID corresponding to the VPN to which the second PE device is connected is compared to determine whether there is a matching VPN ID. After the first PE device determines that the second PE device and the first PE device are connected to the same VPN (VPN1), the second PE device can perform the routing protocol packet exchange in the same VPN with the second PE device to complete the subsequent VPN configuration process. Alternatively, the VPN ID of the VPN1 carried in the VPN neighbor discovery packet, the VPN label assigned by the second PE device to the VPN1, and the IP address of the second PE may be recorded, so as to perform subsequent routing protocol packet exchange.
102. Determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device.
For example, before the first PE device determines which PE devices are connected to the same VPN as itself, the first PE device may use the VPN ID to distinguish whether the sender of the VPN neighbor discovery packet belongs to the same VPN as the first PE device. Specifically, VPNs and VPN IDs are in one-to-one correspondence, and the first PE device has been configured in advance as a member node of one or more VPNs, so the first PE device records the VPN ID of the VPN to which the first PE device belongs. In addition, the second PE device that sends the VPN neighbor discovery packet has itself allocated a VPN label to the VPN to which the second PE device belongs. After receiving the VPN neighbor discovery packet, the first PE device determines from the type identifier that the packet is a VPN neighbor discovery packet, reads the VPN ID in the value field, and compares it with the VPN ID of the first PE device; it can thereby determine whether the second PE device and the first PE device are connected to the same VPN.
103. When the second PE device and the first PE device are connected to the same VPN, exchange routing protocol packets within the same VPN with the second PE device and generate the VPN routing and forwarding table corresponding to the same VPN, where the VPN routing and forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label that the second PE device allocated to the same VPN.
For example, routing information is written into the routing protocol packet in advance, and the packet is exchanged with the second PE device that has been determined to be connected to the same VPN as the first PE device. The routing protocol packet is a Link State Advertisement (LSA) protocol packet under the OSPF protocol, or a Link State PDU (LSP) protocol packet under the IS-IS protocol. The LSA protocol packet uses a specific destination multicast IP address, and the LSP protocol packet uses a specific destination multicast Media Access Control (MAC) address, so that after receiving the LSA protocol packet or the LSP protocol packet, the second PE device identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and passes it up to the CPU for protocol processing.
The method for implementing a Layer 3 virtual private network provided by this embodiment of the present invention defines a VPN neighbor discovery packet by extending the TLV packet and carries the VPN ID and the VPN label in the VPN neighbor discovery packet. The PE devices that belong to the same VPN as the first PE device can therefore be determined by identifying the VPN ID in the VPN neighbor discovery packet, and the routing protocol packet exchange is completed with the PE devices in the same VPN. Compared with the prior art, which requires extensive manual configuration of PE devices, PE devices belonging to the same VPN are discovered automatically through neighbor discovery packets and the routing protocol packet exchange is completed, which removes a large amount of manual configuration work and improves the automated configuration and automated operation capabilities of the VPN.
Embodiment 2
An embodiment of the present invention provides a method for implementing a Layer 3 virtual private network. As shown in FIG. 2, the method includes:
201. The first PE device sends a VPN neighbor discovery packet to the second PE device, so that a second PE device connected to the same VPN as the first PE device discovers the first PE device.
For example, the first PE device may be any PE device in a VPN. As shown in FIG. 5, three PE devices are connected to VPN1: node A, node B, and node C. Taking any one of them (node A) as the first PE device, nodes B and C are the two neighbor nodes connected to the same VPN as the first PE device (node A). Node D is a PE device in the public network but is not connected to VPN1, so with respect to VPN1 it is not a neighbor node of node A. It should be noted that VPN deployments may overlap: the member nodes of VPN2 include nodes A and D, so with respect to VPN2 node D is a neighbor node of node A. The remaining nodes in the public network, including nodes B, C, and D, can all act as the second PE device.
The VPN neighbor discovery packet that node A sends to the remaining nodes in the public network (the second PE devices) contains the VPN label that node A allocated to VPN1. The VPN label is unique within the same VPN and identifies the sender of the VPN neighbor discovery packet (node A). The VPN neighbor discovery packet also contains a VPN ID, which identifies the VPN to which node A is connected. For example, if the VPN label that node A allocated to VPN1 is 100, the VPN ID (VPN1) and node A's VPN label (100) may be written into the value field of the VPN neighbor discovery packet, so the VPN ID and the VPN label appear in pairs in the neighbor discovery packet. It can be understood that one VPN neighbor discovery packet may carry one VPN ID and VPN label pair, or several such pairs at once.
202. The first PE device receives a VPN neighbor discovery packet sent by the second PE device.
In the same form as the VPN neighbor discovery packet described in step 201, the remaining nodes in the public network may also send their VPN configuration information to the first PE device through VPN neighbor discovery packets. The VPN neighbor discovery packet is an extended TLV packet that carries the IP address corresponding to the second PE device that sent it, the VPN ID, and the VPN label that the second PE device allocated to the VPN to which it is connected.
203. Determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device.
For example, because multiple VPNs exist in the public network and one VPN neighbor discovery packet may carry several VPN ID and VPN label pairs at once, the first PE device, after receiving a VPN neighbor discovery packet, needs to parse the packet and identify the VPN information that the first PE device is concerned with. Still taking FIG. 5 as an example, node A (the first PE device) is itself connected to VPN1, so it can identify the VPN ID of VPN1 in a received VPN neighbor discovery packet. For example, after receiving the VPN neighbor discovery packet sent by node B, node A parses the VPN ID of VPN1 from it, thereby discovers a neighbor node (node B) that also belongs to VPN1, and records the VPN label (200) that node B allocated to VPN1 and the IP address of node B. Alternatively, if node A receives a VPN neighbor discovery packet sent by another second PE device (node X) that is not connected to the same VPN as node A, no matching VPN ID can be parsed from the packet, and node X is not treated as a neighbor node.
204. Record the VPN ID corresponding to the same VPN, the VPN label that the second PE device allocated to the same VPN, and the IP address of the second PE device in a VPN neighbor list.
For example, each VPN to which the first PE device is connected may have its own VPN neighbor list, which records the IP addresses of the second PE devices belonging to the same VPN and the VPN labels they allocated to that VPN. For example, node A's VPN neighbor list for VPN1 may record the IP address of node B with the VPN label 200 that node B allocated to VPN1, and the IP address of node C with the VPN label 300 that node C allocated to VPN1. If node A is connected to both VPN1 and VPN2, two corresponding VPN neighbor lists may be generated on node A.
As another example, the first PE device may instead generate one shared VPN neighbor list for the multiple VPNs to which the first PE device is connected. This shared VPN neighbor list may record the VPN ID of each VPN to which the first PE device is connected, the IP addresses of the PE devices in each VPN, and the VPN labels. For example, node A can use the VPN ID of VPN1 to pick out from the shared VPN neighbor list the IP address of node B, which belongs to VPN1, and the VPN label that node B allocated to VPN1.
205. Send a first routing protocol packet through a point-to-point tunnel to the second PE device recorded in the VPN neighbor list.
The first routing protocol packet is sent after first tunnel encapsulation, and the first tunnel encapsulation information carries the VPN label that the second PE device allocated to the same VPN. A routing protocol packet conveys route reachability so that each member PE device in the same VPN can generate a VPN routing and forwarding table and, during service communication, find the best path according to that table and transmit the service data to the next-hop PE device.
For example, the type of the VPN label carried in the first tunnel encapsulation information may be set to the downstream-assigned label type, so that the second PE device can determine how to interpret the VPN label. For example, node A writes the VPN label (200) that node B allocated to VPN1, obtained earlier through the VPN neighbor discovery packet, into the first tunnel encapsulation information and marks it as a downstream-assigned label. When node B receives the first routing protocol packet, because node B previously allocated 200 to VPN1, it can determine that the first routing protocol packet is a routing protocol packet belonging to VPN1.
206. Receive, through the point-to-point tunnel, a second routing protocol packet sent by the second PE device, and determine the VPN corresponding to the second routing protocol packet according to the VPN label carried in the encapsulated second routing protocol packet.
The second routing protocol packet is sent after second tunnel encapsulation, and the second tunnel encapsulation information carries the VPN label that the first PE device allocated to the same VPN.
For example, node A (the first PE device) receives the encapsulated second routing protocol packet sent by node B (the second PE device) through the point-to-point tunnel, parses the VPN label (100) carried in the second tunnel encapsulation information, and determines which VPN node A allocated 100 to (VPN1). It can then determine that the second routing protocol packet just received is a routing protocol packet belonging to VPN1.
207. Generate the corresponding VPN routing and forwarding table according to the content of the second routing protocol packet.
Step 206 has already determined the VPN to which the second routing protocol packet received by the first PE device through the point-to-point tunnel belongs, so the routing information carried in the second routing protocol packet can be recorded to generate the VPN routing and forwarding table. For example, the VPN routing and forwarding table may contain information such as the prefix and the next hop (that is, the IP address of each PE device in the same VPN), so that the best path can be determined from the table during service transmission.
For example, the method of the embodiment shown in FIG. 2 may further include:
208. Perform service transmission according to the VPN routing and forwarding table of the same VPN.
During service transmission within the same VPN, the best transmission path can be determined according to the VPN routing and forwarding table corresponding to that VPN, and the service data is sent to the best next-hop PE device.
In another application scenario of this embodiment of the present invention, the routing protocol packets may be exchanged not through point-to-point tunnels but through a dedicated public network multicast tree that is specific to each VPN. As shown in FIG. 3, the method for implementing a Layer 3 virtual private network provided by this embodiment of the present invention may include:
Steps 301-304 are the same as steps 201-204.
305. Encapsulate a third routing protocol packet to obtain a first multicast packet, and send it through the dedicated public network multicast tree corresponding to the same VPN to the other PE devices on that dedicated public network multicast tree.
The dedicated public network multicast tree contains all the PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree. Each dedicated public network multicast tree corresponds to one multicast group address; that is, one VPN corresponds to one dedicated public network multicast tree and to one multicast group address.
Specifically, a public network multicast tree is an operator multicast tree; a dedicated public network multicast tree is a non-aggregated multicast tree, and a shared public network multicast tree is an aggregated multicast tree. A dedicated public network multicast tree can be preconfigured so that all member PE devices belonging to the same VPN are set as its leaf nodes. For example, VPN1, which consists of three member PE devices (nodes A, B, and C), corresponds to dedicated public network multicast tree 1, whose leaf nodes include nodes A, B, and C. When node A encapsulates the third routing protocol packet into the first multicast packet and sends it through dedicated public network multicast tree 1, the tree delivers the first multicast packet to both node B and node C. When nodes B and C receive the first multicast packet, they parse the multicast group address carried in it, thereby determine that the first multicast packet just received belongs to VPN1, and then record the routing information in the third routing protocol packet and generate the VPN routing and forwarding table corresponding to VPN1.
306. Receive, through the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet sent by the second PE device and obtained by encapsulating a fourth routing protocol packet, and determine the corresponding VPN according to the destination address of the second multicast packet.
The destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree. The first PE device, as a member node of the VPN, is also a leaf node of the dedicated public network multicast tree, so it can use the multicast group address carried in the received second multicast packet to determine which VPN the fourth routing protocol packet just received belongs to, and write the routing information into the corresponding VPN routing and forwarding table.
307. Generate the corresponding VPN routing and forwarding table according to the content of the fourth routing protocol packet.
The routing information carried in the fourth routing protocol packet is recorded to generate the VPN routing and forwarding table corresponding to the VPN. The VPN routing and forwarding table may contain information such as the IP address (next hop) of each PE device connected to the same VPN and the prefix, so that the best path can be determined from the table during service transmission.
For example, the embodiment shown in FIG. 3 may further include step 308, which is the same as step 208.
In another application scenario of this embodiment of the present invention, the routing protocol packets may also be exchanged through a shared public network multicast tree that is shared by multiple VPNs. As shown in FIG. 4, the method for implementing a Layer 3 virtual private network provided by this embodiment of the present invention may include:
Steps 401-404 are the same as steps 201-204.
405. Encapsulate a fifth routing protocol packet to obtain a third multicast packet, and send it through the shared public network multicast tree to the other PE devices on the shared public network multicast tree.
The third multicast packet carries the VPN label that the first PE device allocated to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree. The shared public network multicast tree contains all the member PE devices of the at least two VPNs that share the tree. Because VPN labels are allocated independently for different VPNs, the third multicast packet can carry the VPN label that the first PE device allocated to the same VPN, with the label marked as an upstream-assigned label. When another PE device on the shared public network multicast tree receives the third multicast packet, it can then process the VPN label carried in the packet as an upstream-assigned label. The second PE device can determine which VPN the first PE device allocated that VPN label to, that is, determine the VPN corresponding to the VPN label.
406. Receive, through the shared public network multicast tree, a fourth multicast packet sent by the second PE device and obtained by encapsulating a sixth routing protocol packet, look up the VPN neighbor list according to the VPN label carried in the fourth multicast packet and the source IP address of the fourth multicast packet, and determine the VPN corresponding to the sixth routing protocol packet.
The fourth multicast packet carries the VPN label that the second PE device allocated to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree. Before sending the fourth multicast packet, the second PE device sets the type of the VPN label carried in the packet to the upstream-assigned label type, so that the first PE device can determine how to interpret the VPN label. Specifically, the VPN neighbor list can be queried with the source IP address of the fourth multicast packet and the VPN label it carries. After an entry that matches both the source IP address and the VPN label is found, the VPN to which the matching entry belongs is determined, which in turn determines the VPN to which the fourth multicast packet containing the sixth routing protocol packet belongs. The routing information is then written into the corresponding VPN routing and forwarding table for service communication within the same VPN. The VPN labels recorded in the VPN neighbor list are all VPN labels, obtained through VPN neighbor discovery packets, that an upstream PE device (for the first PE device, the upstream PE device is the second PE device) allocated to the VPN.
407. Generate the corresponding VPN routing and forwarding table according to the content of the sixth routing protocol packet.
According to the VPN determined in step 406, the routing information carried in the sixth routing protocol packet is recorded to generate the VPN routing and forwarding table corresponding to that VPN. The VPN routing and forwarding table may contain information such as the prefix and the next hop (that is, the IP address of each member PE device in the same VPN), so that the best path can be determined from the table during service transmission.
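The neighbor list of steps 201-204 and the three ways a receiving PE maps a routing protocol packet to a VPN (steps 206, 306 and 406) can be put side by side as follows. This is an added illustration, not code from the patent: the class and method names, the dictionary message layout, the IP addresses, the group address and the VPN2 labels are assumptions, while labels 100, 200 and 300 follow the node A, B, C example in the text.

```python
"""Added illustration (not from the patent). Names, message layout, IPs,
group address and VPN2 labels are constructed assumptions."""


class PE:
    def __init__(self, ip, local_labels, dedicated_groups=None):
        self.ip = ip
        # VPN ID -> VPN label this PE allocated to that VPN.
        self.local_labels = dict(local_labels)
        # Assumption: a PE never reuses one label for two of its VPNs,
        # otherwise a label alone could not identify the VPN in step 206.
        if len(set(self.local_labels.values())) != len(self.local_labels):
            raise ValueError("a PE must use a distinct label per VPN")
        self.label_to_vpn = {l: v for v, l in self.local_labels.items()}
        # Multicast group address -> VPN, for dedicated trees (step 306).
        self.group_to_vpn = dict(dedicated_groups or {})
        # One VPN neighbor list per VPN: VPN ID -> {peer IP: peer's label}.
        self.neighbors = {vpn: {} for vpn in self.local_labels}

    def build_discovery(self):
        """Step 201: advertise every (VPN ID, VPN label) pair of this PE."""
        return {"src_ip": self.ip, "pairs": sorted(self.local_labels.items())}

    def on_discovery(self, msg):
        """Steps 202-204: record only pairs whose VPN ID this PE also has."""
        matched = []
        for vpn_id, label in msg["pairs"]:
            if vpn_id in self.neighbors:
                self.neighbors[vpn_id][msg["src_ip"]] = label
                matched.append(vpn_id)
        return matched

    def label_for_peer(self, peer_ip, vpn_id):
        """Step 205: the peer-allocated label to place in the tunnel header."""
        return self.neighbors.get(vpn_id, {}).get(peer_ip)

    def demux_p2p(self, label):
        """Step 206: downstream-assigned label, i.e. one this PE allocated."""
        return self.label_to_vpn.get(label)

    def demux_dedicated(self, group):
        """Step 306: the destination group address alone selects the VPN."""
        return self.group_to_vpn.get(group)

    def demux_shared(self, src_ip, label):
        """Step 406: upstream-assigned label. Source IP and label must both
        match a neighbor entry; no match or an ambiguous match selects no VPN."""
        hits = [vpn for vpn, peers in self.neighbors.items()
                if peers.get(src_ip) == label]
        return hits[0] if len(hits) == 1 else None


def build_demo():
    """Constructed topology: A in VPN1+VPN2, B and C in VPN1, D in VPN2,
    X in an unrelated VPN. Every peer exchanges discovery with A."""
    a = PE("192.0.2.1", {"VPN1": 100, "VPN2": 110}, {"239.1.1.1": "VPN1"})
    b = PE("192.0.2.2", {"VPN1": 200})
    c = PE("192.0.2.3", {"VPN1": 300})
    d = PE("192.0.2.4", {"VPN2": 400})
    x = PE("192.0.2.9", {"VPN9": 900})
    for peer in (b, c, d, x):
        a.on_discovery(peer.build_discovery())
        peer.on_discovery(a.build_discovery())
    return a, b, c, d, x


if __name__ == "__main__":
    a, b, *_ = build_demo()
    print("A neighbor lists:", a.neighbors)
    print("A -> B tunnel label:", a.label_for_peer("192.0.2.2", "VPN1"))
    print("B maps label 200 to:", b.demux_p2p(200))
    print("A maps (B, 200) on shared tree to:", a.demux_shared("192.0.2.2", 200))
    print("A maps (X, 200) on shared tree to:", a.demux_shared("192.0.2.9", 200))
```

On the shared tree the label is meaningful only together with the sender's address, so a packet whose source IP and label do not both match a recorded neighbor entry is mapped to no VPN.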
For example, the embodiment shown in FIG. 4 may further include step 408, which is the same as step 208.
It should be noted that for the detailed description of some steps in this embodiment of the present invention, reference may be made to the corresponding content in Embodiment 1; they are not described again here.
The method for implementing a Layer 3 virtual private network provided by this embodiment of the present invention adds a VPN neighbor discovery packet by extending the TLV packet and carries the VPN ID and the VPN label in the VPN neighbor discovery packet. The PE devices that belong to the same VPN can therefore be determined by identifying the VPN ID in the VPN neighbor discovery packet, and the routing protocol packet exchange is completed with the PE devices in the same VPN. Compared with the prior art, which requires extensive and complex manual configuration of PE devices, PE devices belonging to the same VPN are discovered automatically through VPN neighbor discovery packets and the routing protocol packet exchange is completed, which removes a large amount of manual configuration work and improves the automated configuration and automated operation capabilities of the VPN.
Embodiment 3
An embodiment of the present invention provides a first provider edge (PE) device. As shown in FIG. 6, the device may include a neighbor receiving unit 51, a network determining unit 52, and a routing interaction unit 53.
The neighbor receiving unit 51 is configured to receive a virtual private network (VPN) neighbor discovery packet sent by a second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet that carries the IP address, VPN ID, and VPN label corresponding to the second PE device.
The network determining unit 52 is configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device.
The routing interaction unit 53 is configured to, when the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, exchange routing protocol packets within the same VPN with the second PE device and generate the VPN routing and forwarding table corresponding to the same VPN, where the VPN routing and forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label that the second PE device allocated to the same VPN.
Optionally, as shown in FIG. 7, the first PE device may further include a neighbor list unit 54.
The neighbor list unit 54 is configured to, after the network determining unit 52 determines that the second PE device and the first PE device are connected to the same VPN, record the VPN ID corresponding to the same VPN, the VPN label that the second PE device allocated to the same VPN, and the IP address of the second PE device in a VPN neighbor list.
Optionally, and further, the routing interaction unit 53 includes a first sending module 531.
The first sending module 531 is configured to send a first routing protocol packet through a point-to-point tunnel to the second PE device recorded in the VPN neighbor list, where the first routing protocol packet is sent after first tunnel encapsulation and the first tunnel encapsulation information carries the VPN label that the second PE device allocated to the same VPN.
The type of the VPN label carried in the first tunnel encapsulation information is set to the downstream-assigned label type, so that the second PE device can determine how to interpret the VPN label.
As another example, the routing interaction unit 53 further includes a first receiving module 532 and a first generating module 533.
The first receiving module 532 is configured to receive, through the point-to-point tunnel, a second routing protocol packet sent by the second PE device, where the second routing protocol packet is sent after second tunnel encapsulation and the second tunnel encapsulation information carries the VPN label that the first PE device allocated to the same VPN.
第一生成模块 533 ,用于根据封装后的第二路由协议报文携带的 VPN标 签确定所述第二路由协议报文对应的 VPN;根据所述第二所述路由协议报文 的内容生成对应的 VPN路由转发表。  The first generation module 533 is configured to determine, according to the VPN label carried in the encapsulated second routing protocol packet, the VPN corresponding to the second routing protocol packet, and generate, according to the content of the second routing protocol packet VPN routing forwarding table.
As shown in FIG. 8, in another application scenario of this embodiment of the present invention, the routing interaction unit 53 includes a second sending module 534.
The second sending module 534 is configured to encapsulate a third routing protocol packet to obtain a first multicast packet, and to send the first multicast packet, through the dedicated public network multicast tree corresponding to the same VPN, to the other PE devices on that dedicated public network multicast tree.
The dedicated public network multicast tree contains all PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
Further, the routing interaction unit 53 also includes a second receiving module 535 and a second generating module 536.
The second receiving module 535 is configured to receive, through the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet sent by the second PE device and obtained by encapsulating a fourth routing protocol packet, where the destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
The second generating module 536 is configured to determine the corresponding VPN according to the destination address of the second multicast packet, and to generate the corresponding VPN routing and forwarding table according to the content of the fourth routing protocol packet.
As shown in FIG. 9, in another application scenario of this embodiment of the present invention, the routing interaction unit 53 includes a third sending module 537.
The third sending module 537 is configured to encapsulate a fifth routing protocol packet to obtain a third multicast packet, and to send the third multicast packet, through a shared public network multicast tree, to the other PE devices on the shared public network multicast tree. The third multicast packet carries the VPN label allocated by the first PE device to the same VPN, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree. The type of the VPN label carried in the third multicast packet is set to the upstream-assigned label type, so that the second PE device can determine how to identify the VPN label.
Further, the routing interaction unit 53 also includes a third receiving module 538 and a third generating module 539.
The third receiving module 538 is configured to receive, through the shared public network multicast tree, a fourth multicast packet sent by the second PE device and obtained by encapsulating a sixth routing protocol packet, where the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree.
The third generating module 539 is configured to look up the VPN neighbor list according to the VPN label carried in the fourth multicast packet and the source IP address of the fourth multicast packet, determine the VPN corresponding to the sixth routing protocol packet, and generate the corresponding VPN routing and forwarding table according to the content of the sixth routing protocol packet.
It should be noted that, in Embodiments 1-3, the routing protocol packet is an LSA protocol packet of the OSPF protocol or an LSP protocol packet of the IS-IS protocol. The LSA protocol packet uses a specific destination multicast IP address and the LSP protocol packet uses a specific destination multicast MAC address, so that, after receiving the LSA protocol packet or the LSP protocol packet, the second PE device identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and sends it up to the CPU for protocol processing.
An embodiment of the present invention further provides a system for implementing a layer 3 virtual private network. As shown in FIG. 10, the system includes a first PE device 61 and a second PE device 62.
The first PE device 61 is configured to: receive a VPN neighbor discovery packet sent by the second PE device, where the VPN neighbor discovery packet is an extended type-length-value (TLV) packet carrying the IP address, VPN ID and VPN label corresponding to the second PE device 62; determine, according to the VPN ID corresponding to the first PE device 61 and the VPN ID corresponding to the second PE device 62, whether the second PE device 62 is connected to the same VPN as the first PE device 61; and, when the second PE device 62 and the first PE device 61 are connected to the same VPN, exchange routing protocol packets within the same VPN with the second PE device 62 and generate the VPN routing and forwarding table corresponding to the same VPN. The VPN routing and forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device 62, and the VPN label allocated by the second PE device 62 to the same VPN.
It should be noted that, for a detailed description of some of the functional modules in this embodiment of the present invention, reference may be made to the corresponding content in Embodiment 1 and Embodiment 1; the details are not repeated here.
In the system for implementing a layer 3 virtual private network and the first PE device provided by the embodiments of the present invention, the VPN neighbor discovery packet is defined by extending a TLV packet, and the VPN ID and the VPN label are carried in the VPN neighbor discovery packet. PE devices belonging to the same VPN can therefore be determined by reading the VPN ID in the VPN neighbor discovery packet, and routing protocol packets can then be exchanged with the PE devices in the same VPN. Compared with the prior art, in which each PE has to be configured manually, PE devices belonging to the same VPN are discovered automatically through VPN neighbor discovery packets and the routing protocol packet exchange is completed automatically, which removes a large amount of manual work and improves the automated configuration and automated operation capability of the VPN.
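An added example, not code from the patent: a minimal Python model of the first PE's VPN neighbor list and of the three ways described above for mapping a received routing protocol packet to its VPN (own label on a point-to-point tunnel, group address on a dedicated tree, source IP plus upstream-assigned label on the shared tree). The TLV type code 0xF0, the 12-byte value layout, carrying several TLVs in one message, and all addresses, VPN IDs and labels are assumptions constructed for illustration; the page gives no wire format.

```python
import socket
import struct
from dataclasses import dataclass

TLV_TYPE_VPN_NEIGHBOR = 0xF0       # assumed type code, not from the patent
_VALUE = struct.Struct("!4sII")    # assumed value layout: IPv4, VPN ID, VPN label


@dataclass(frozen=True)
class Neighbor:
    pe_ip: str
    vpn_id: int
    label: int


def encode_discovery(pe_ip, vpn_id, label):
    """Build one VPN neighbor discovery TLV: type, 2-byte length, value."""
    value = _VALUE.pack(socket.inet_aton(pe_ip), vpn_id, label)
    return struct.pack("!BH", TLV_TYPE_VPN_NEIGHBOR, len(value)) + value


def parse_discovery(data):
    """Return every VPN neighbor TLV in data; reject truncated or mis-sized TLVs."""
    found, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", data, offset)
        offset += 3
        if length > len(data) - offset:
            raise ValueError("TLV length exceeds message")
        if tlv_type == TLV_TYPE_VPN_NEIGHBOR:
            if length != _VALUE.size:
                raise ValueError("bad VPN neighbor TLV length")
            raw_ip, vpn_id, label = _VALUE.unpack_from(data, offset)
            found.append(Neighbor(socket.inet_ntoa(raw_ip), vpn_id, label))
        offset += length           # TLVs of other types are skipped
    return found


class ProviderEdge:
    def __init__(self, ip, local_labels, tree_groups):
        self.ip = ip
        self.local_labels = dict(local_labels)  # VPN ID -> label this PE allocated
        self.tree_groups = dict(tree_groups)    # dedicated-tree group -> VPN ID
        self.neighbors = {}                     # (peer IP, peer label) -> Neighbor

    def on_discovery(self, data):
        """Record only peers whose VPN ID matches one of this PE's VPN IDs."""
        added = []
        for n in parse_discovery(data):
            if n.vpn_id in self.local_labels and n.pe_ip != self.ip:
                self.neighbors[(n.pe_ip, n.label)] = n
                added.append(n)
        return added

    def label_for_unicast_to(self, peer_ip, vpn_id):
        """Point-to-point send: use the label the peer allocated for the VPN."""
        for n in self.neighbors.values():
            if n.pe_ip == peer_ip and n.vpn_id == vpn_id:
                return n.label
        return None

    def vpn_from_p2p(self, label):
        """Downstream-assigned label: must be one of this PE's own labels."""
        for vpn_id, own in self.local_labels.items():
            if own == label:
                return vpn_id
        return None

    def vpn_from_dedicated_tree(self, dst_group):
        """Dedicated tree: the destination group address alone names the VPN."""
        return self.tree_groups.get(dst_group)

    def vpn_from_shared_tree(self, src_ip, label):
        """Upstream-assigned label: only meaningful together with the sender's
        IP, so an unknown (source, label) pair resolves to no VPN."""
        n = self.neighbors.get((src_ip, label))
        return n.vpn_id if n else None


def build_demo_pe():
    """Constructed scenario: two peers reuse label 5000 for different VPNs."""
    pe1 = ProviderEdge("10.0.0.1", {100: 3001, 200: 3002},
                       {"239.1.1.100": 100, "239.1.1.200": 200})
    pe1.on_discovery(encode_discovery("10.0.0.2", 100, 5000))
    pe1.on_discovery(encode_discovery("10.0.0.3", 200, 5000))
    pe1.on_discovery(encode_discovery("10.0.0.4", 300, 7000))  # VPN not shared
    return pe1
```

Because upstream-assigned labels are chosen by each sender independently, the shared-tree lookup keys on the pair (source IP, label); the demo shows the same label value resolving to different VPNs for different peers, and a packet from a PE that is not in the neighbor list resolving to nothing.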
From the description of the foregoing implementations, a person skilled in the art can clearly understand that the embodiments of the present invention may be implemented by software plus the necessary general-purpose hardware, and of course also by hardware alone, although in many cases the former is the better implementation. Based on this understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a floppy disk, hard disk or optical disc of a computer, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
The foregoing is merely a specific implementation of the present invention, but the protection scope of the present invention is not limited to it. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. A method for implementing a layer 3 virtual private network, comprising:
receiving, by a first provider edge (PE) device, a virtual private network (VPN) neighbor discovery packet sent by a second PE device, wherein the VPN neighbor discovery packet is an extended type-length-value (TLV) packet carrying the IP address, VPN ID and VPN label corresponding to the second PE device;
determining, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device; and
when the second PE device and the first PE device are connected to the same VPN, exchanging routing protocol packets within the same VPN with the second PE device and generating a VPN routing and forwarding table corresponding to the same VPN, wherein the VPN routing and forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label allocated by the second PE device to the same VPN.
2. The method according to claim 1, wherein, after determining that the second PE device and the first PE device are connected to the same VPN, the method further comprises:
recording, in a VPN neighbor list, the VPN ID corresponding to the same VPN, the VPN label allocated by the second PE device to the same VPN, and the IP address of the second PE device.
3. The method according to claim 2, wherein exchanging routing protocol packets within the same VPN with the second PE device comprises:
sending a first routing protocol packet through a point-to-point tunnel to the second PE device recorded in the VPN neighbor list, wherein the first routing protocol packet is sent after first tunnel encapsulation, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
4. The method according to claim 3, wherein exchanging routing protocol packets within the same VPN with the second PE device further comprises:
receiving, through the point-to-point tunnel, a second routing protocol packet sent by the second PE device, wherein the second routing protocol packet is sent after second tunnel encapsulation, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN;
and correspondingly, generating the VPN routing and forwarding table corresponding to the same VPN comprises:
determining, according to the VPN label carried in the encapsulated second routing protocol packet, the VPN corresponding to the second routing protocol packet; and
generating the corresponding VPN routing and forwarding table according to the content of the second routing protocol packet.
5. The method according to claim 1, wherein exchanging routing protocol packets within the same VPN with the second PE device comprises:
encapsulating a third routing protocol packet to obtain a first multicast packet, and sending the first multicast packet, through the dedicated public network multicast tree corresponding to the same VPN, to the other PE devices on the dedicated public network multicast tree, wherein the dedicated public network multicast tree contains all PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
6. The method according to claim 5, wherein exchanging routing protocol packets within the same VPN with the second PE device further comprises:
receiving, through the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet sent by the second PE device and obtained by encapsulating a fourth routing protocol packet, wherein the destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree;
and correspondingly, generating the VPN routing and forwarding table corresponding to the same VPN comprises:
determining the corresponding VPN according to the destination address of the second multicast packet; and
generating the corresponding VPN routing and forwarding table according to the content of the fourth routing protocol packet.
7. The method according to claim 2, wherein exchanging routing protocol packets within the same VPN with the second PE device comprises:
encapsulating a fifth routing protocol packet to obtain a third multicast packet, and sending the third multicast packet, through a shared public network multicast tree, to the other PE devices on the shared public network multicast tree, wherein the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, the source IP address of the third multicast packet is the IP address of the first PE device, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
8. The method according to claim 7, wherein exchanging routing protocol packets within the same VPN with the second PE device further comprises:
receiving, through the shared public network multicast tree, a fourth multicast packet sent by the second PE device and obtained by encapsulating a sixth routing protocol packet, wherein the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree;
and correspondingly, generating the VPN routing and forwarding table corresponding to the same VPN comprises:
looking up the VPN neighbor list according to the VPN label carried in the fourth multicast packet and the source IP address of the fourth multicast packet, and determining the VPN corresponding to the sixth routing protocol packet; and
generating the corresponding VPN routing and forwarding table according to the content of the sixth routing protocol packet.
9. The method according to claim 1, wherein the routing protocol packet is a link state advertisement (LSA) protocol packet under the OSPF protocol or a link state protocol data unit (LSP) protocol packet under the IS-IS protocol; wherein the LSA protocol packet uses a specific destination multicast IP address and the LSP protocol packet uses a specific destination multicast MAC address, so that, after receiving the LSA protocol packet or the LSP protocol packet, the second PE device identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and sends it up to the CPU for protocol processing.
10. A first provider edge (PE) device, comprising:
a neighbor receiving unit, configured to receive a virtual private network (VPN) neighbor discovery packet sent by a second PE device, wherein the VPN neighbor discovery packet is an extended type-length-value (TLV) packet carrying the IP address, VPN ID and VPN label corresponding to the second PE device;
a network determining unit, configured to determine, according to the VPN ID corresponding to the first PE device and the VPN ID corresponding to the second PE device, whether the second PE device is connected to the same VPN as the first PE device; and
a routing interaction unit, configured to, when the network determining unit determines that the second PE device and the first PE device are connected to the same VPN, exchange routing protocol packets within the same VPN with the second PE device and generate a VPN routing and forwarding table corresponding to the same VPN, wherein the VPN routing and forwarding table includes the VPN ID of the same VPN, the IP address of the second PE device, and the VPN label allocated by the second PE device to the same VPN.
11. The first PE device according to claim 10, further comprising:
a neighbor list unit, configured to, after the network determining unit determines that the second PE device and the first PE device are connected to the same VPN, record in a VPN neighbor list the VPN ID corresponding to the same VPN, the VPN label allocated by the second PE device to the same VPN, and the IP address of the second PE device.
12. The first PE device according to claim 11, wherein the routing interaction unit comprises:
a first sending module, configured to send a first routing protocol packet through a point-to-point tunnel to the second PE device recorded in the VPN neighbor list, wherein the first routing protocol packet is sent after first tunnel encapsulation, and the first tunnel encapsulation information carries the VPN label allocated by the second PE device to the same VPN.
13. The first PE device according to claim 12, wherein the routing interaction unit further comprises:
a first receiving module, configured to receive, through the point-to-point tunnel, a second routing information packet sent by the second PE device, wherein the second routing protocol packet is sent after second tunnel encapsulation, and the second tunnel encapsulation information carries the VPN label allocated by the first PE device to the same VPN; and
a first generating module, configured to determine, according to the VPN label carried in the encapsulated second routing protocol packet, the VPN corresponding to the second routing protocol packet, and to generate the corresponding VPN routing and forwarding table according to the content of the second routing protocol packet.
14. The first PE device according to claim 10, wherein the routing interaction unit comprises:
a second sending module, configured to encapsulate a third routing protocol packet to obtain a first multicast packet, and to send the first multicast packet, through the dedicated public network multicast tree corresponding to the same VPN, to the other PE devices on the dedicated public network multicast tree;
wherein the dedicated public network multicast tree contains all PE devices connected to the same VPN, and the destination address of the first multicast packet is the multicast group address corresponding to the dedicated public network multicast tree.
15. The first PE device according to claim 14, wherein the routing interaction unit further comprises:
a second receiving module, configured to receive, through the dedicated public network multicast tree corresponding to the same VPN, a second multicast packet sent by the second PE device and obtained by encapsulating a fourth routing information packet, wherein the destination address of the second multicast packet is the multicast group address corresponding to the dedicated public network multicast tree; and
a second generating module, configured to determine the corresponding VPN according to the destination address of the second multicast packet, and to generate the corresponding VPN routing and forwarding table according to the content of the fourth routing protocol packet.
16. The first PE device according to claim 11, wherein the routing interaction unit comprises:
a third sending module, configured to encapsulate a fifth routing protocol packet to obtain a third multicast packet, and to send the third multicast packet, through a shared public network multicast tree, to the other PE devices on the shared public network multicast tree, wherein the third multicast packet carries the VPN label allocated by the first PE device to the same VPN, the source IP address of the third multicast packet is the IP address of the first PE device, and the destination address of the third multicast packet is the multicast group address corresponding to the shared public network multicast tree.
17. The first PE device according to claim 16, wherein the routing interaction unit further comprises:
a third receiving module, configured to receive, through the shared public network multicast tree, a fourth multicast packet sent by the second PE device and obtained by encapsulating a sixth routing protocol packet, wherein the fourth multicast packet carries the VPN label allocated by the second PE device to the same VPN, the source IP address of the fourth multicast packet is the IP address of the second PE device, and the destination address of the fourth multicast packet is the multicast group address corresponding to the shared public network multicast tree; and
a third generating module, configured to look up the VPN neighbor list according to the VPN label carried in the fourth multicast packet and the source IP address of the fourth multicast packet, determine the VPN corresponding to the sixth routing protocol packet, and generate the corresponding VPN routing and forwarding table according to the content of the sixth routing protocol packet.
18. The first PE device according to claim 10, wherein the routing protocol packet is a link state advertisement (LSA) protocol packet under the OSPF protocol or a link state protocol data unit (LSP) protocol packet under the IS-IS protocol; wherein the LSA protocol packet uses a specific destination multicast IP address and the LSP protocol packet uses a specific destination multicast MAC address, so that, after receiving the LSA protocol packet or the LSP protocol packet, the second PE device identifies the routing protocol packet according to the specific destination multicast IP address or the specific destination multicast MAC address and sends it up to the CPU for protocol processing.
19. A system for implementing a layer 3 virtual private network, comprising: the first PE device according to any one of claims 10-18 and the second PE device.
PCT/CN2013/072915 2012-03-23 2013-03-20 Method, device, and system for implementing layer3 virtual private network WO2013139270A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210081768.7 2012-03-23
CN201210081768.7A CN103326915A (en) 2012-03-23 2012-03-23 Method, device and system for achieving three-layer VPN

Publications (1)

Publication Number Publication Date
WO2013139270A1 true WO2013139270A1 (en) 2013-09-26

Family

ID=49195455

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/072915 WO2013139270A1 (en) 2012-03-23 2013-03-20 Method, device, and system for implementing layer3 virtual private network

Country Status (2)

Country Link
CN (1) CN103326915A (en)
WO (1) WO2013139270A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105515802B (en) * 2014-09-22 2019-04-12 新华三技术有限公司 Network virtualization method and device
CN104486225B (en) * 2014-12-19 2018-04-20 新华三技术有限公司 Applied to the message forwarding method and equipment in TRILL network
CN104618375B (en) * 2015-01-30 2018-09-28 普联技术有限公司 A kind of discovery method and device of the network equipment
CN106572021B (en) * 2015-10-09 2021-07-06 中兴通讯股份有限公司 Method for realizing network virtualization superposition and network virtualization edge node
CN106169969B (en) * 2016-08-31 2020-01-10 华为技术有限公司 Method, related equipment and system for establishing label switching path of virtual private network
CN110719237B (en) * 2018-07-13 2022-01-07 华为技术有限公司 Method, device, equipment and storage medium for transmitting message
CN111163009B (en) * 2020-02-20 2021-06-22 盛科网络(苏州)有限公司 Method and device for realizing three-layer multicast in port expansion system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765815A (en) * 2020-06-05 2021-12-07 华为技术有限公司 Method, equipment and system for sharing multicast message load
CN113765815B (en) * 2020-06-05 2024-03-26 华为技术有限公司 Method, equipment and system for sharing multicast message load
CN114650248A (en) * 2020-12-02 2022-06-21 中国电信股份有限公司 Method and system for processing routing information and boundary router of autonomous system
CN114650248B (en) * 2020-12-02 2023-07-18 中国电信股份有限公司 Processing method and system of routing information and autonomous system boundary router

Also Published As

Publication number Publication date
CN103326915A (en) 2013-09-25

Similar Documents

Publication Publication Date Title
CN109218178B (en) Message processing method and network equipment
WO2020029976A1 (en) Vpn cross-domain implementation method, device, and border node
EP3002913B1 (en) Tunnel establishment method, label allocation method, device, and network system
CN112511444B (en) Multicast traffic transmission method, device, communication node and storage medium
WO2018166253A1 (en) Evpn packet processing method, device and system
WO2013139270A1 (en) Method, device, and system for implementing layer3 virtual private network
WO2015165311A1 (en) Method for transmitting data packet and provider edge device
WO2021258754A1 (en) Message indication method and apparatus, and device and storage medium
WO2020134139A1 (en) Service data forwarding method, network device, and network system
US8861547B2 (en) Method, apparatus, and system for packet transmission
WO2016066072A1 (en) Method and device for realizing communication between nvo3 network and mpls network
CN101277245B (en) Method, system and apparatus for implementing L2VPN field across
WO2015184852A1 (en) Sr information obtainment method and sr network establishment method
WO2014194749A1 (en) Vpn implementation processing method and apparatus for edge device
CN102413060B (en) User private line communication method and equipment used in VPLS (Virtual Private LAN (Local Area Network) Service) network
WO2014194711A1 (en) Packet processing method, device label processing method, and device
WO2008098493A1 (en) A method for aggregating routes, a method for forwarding messages and an autonomous system border router
WO2013182061A1 (en) Network label distribution method, device and system
WO2013139159A1 (en) Method for forwarding packet in network and provider edge device
WO2009135392A1 (en) Method, system and device of signaling control
WO2013107245A1 (en) Method, device and system for implementing multicast in transparent interconnection of lots of links (trill) campus
WO2020098611A1 (en) Method and apparatus for acquiring routing information
WO2008011818A1 (en) Method of realizing hierarchy-virtual private lan service and network system
CN102571375B (en) Multicast forwarding method and device as well as network device
WO2013139234A1 (en) Method, device and network system for multicast transmission

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 13764724

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 13764724

Country of ref document: EP

Kind code of ref document: A1