WO2015143849A1 - Vpn packet processing method and apparatus and storage medium - Google Patents

Vpn packet processing method and apparatus and storage medium

Info

Publication number
WO2015143849A1
Authority
WO
WIPO (PCT)
Prior art keywords
vsi
forwarding
access
vpn
members
Prior art date
Application number
PCT/CN2014/086667
Other languages
French (fr)
Chinese (zh)
Inventor
张宝亚
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2015143849A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/64 Hybrid switching systems
    • H04L12/6418 Hybrid transport

Definitions

  • the invention relates to the field of multi-protocol label switching (MPLS) virtual private network (VPN) packet communication technology, and in particular, to a VPN message processing method and device, and a storage medium.
  • MPLS multi-protocol label switching
  • VPN virtual private network
  • Virtual Private LAN Service is a widely used Layer 2 Virtual Private Networks (L2VPN) technology, which is commonly used for enterprise users' VPN interconnection.
  • VPLS maintains a forwarding table for the different VPN users by the edge router (PE, Provider Edge) through the Virtual Switch Instance (VSI).
  • PE Edge router
  • VSI Virtual Switch Instance
  • the forwarding tables of the VSIs are independent of each other, which ensures service isolation and the privacy of services.
  • VPLS implements the forwarding of services between different VPN users through a VSI.
  • some nodes cannot directly communicate with each other.
  • many invalid broadcast copies therefore inevitably exist in the VPLS, which not only wastes system bandwidth and causes internal circuit blockage, but also reduces the forwarding performance of VPLS.
  • the technical problem to be solved by the present invention is to provide a VPN message processing method and device, and a storage medium.
  • a packet processing method for a virtual private network VPN includes:
  • the access VSI and the forwarding VSI are separately configured.
  • the access processing is performed according to the access VSI, and then the forwarding process is performed according to the forwarding VSI.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the access VSI is bound to all members of the current E-TREE service, and includes index information of all members;
  • the forwarding VSI includes index information of the root members.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the broadcast table of the forwarding VSI includes broadcast information of all the root members of the E-TREE service;
  • the MAC addresses of all members in the E-TREE service are learned into the access VSI; for the Root members in the E-TREE service, the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • separately configuring the access VSI and the forwarding VSI includes:
  • there are two or more access VSIs, one for each VPN taking part in the cross-VPN interworking, and each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • separately configuring the access VSI and the forwarding VSI includes:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • when the member attribute identifies the current interface as the specified interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the access processing is performed according to the access VSI
  • the forwarding processing is performed according to the forwarding VSI, including:
  • MAC address learning is performed according to the access VPN_ID, and the forwarding table is searched using the forwarding VPN_ID. If the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and broadcast forwarding is performed.
  • the method further includes:
  • for interfaces other than the specified interface, both the access processing and the forwarding processing are performed according to the access VSI.
  • the method includes:
  • for leaf members that can communicate with only some members of the E-TREE service, or super members that can communicate across VPNs in the cross-VPN interworking service, access processing is performed according to the access VSI and forwarding processing is performed according to the forwarding VSI;
  • for the root members of the E-TREE service and the normal members of the cross-VPN interworking service, both the access processing and the forwarding processing are performed according to the access VSI.
  • a packet processing device for a virtual private network VPN includes:
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI for any PW interface or AC interface;
  • the processing unit is configured to perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • the access VSI is bound to all members of the current E-TREE service, and includes index information of all members;
  • the forwarding VSI includes index information of the root members.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including: the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the broadcast table of the forwarding VSI includes broadcast information of all the root members of the E-TREE service; the MAC addresses of all members in the E-TREE service are learned into the access VSI, and for the root members of the E-TREE service the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • when two or more VPNs are interconnected, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • there are two or more access VSIs, one for each VPN taking part in the cross-VPN interworking, and each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • when two or more VPNs are interconnected, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • when the member attribute identifies the current interface as the specified interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the processing unit is configured to perform access processing according to the access VSI, and perform forwarding processing according to the forwarding VSI, including:
  • MAC address learning is performed according to the access VPN_ID, and the forwarding table is searched using the forwarding VPN_ID. If the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and broadcast forwarding is performed.
  • the processing unit is further configured to: perform access processing and forwarding processing on the interfaces other than the designated interface according to the access VSI.
  • the processing unit is configured to:
  • for leaf members that can communicate with only some members of the E-TREE service, or super members that can communicate across VPNs in the cross-VPN interworking service, perform access processing according to the access VSI and forwarding processing according to the forwarding VSI;
  • for the root members of the E-TREE service and the normal members of the cross-VPN interworking service, perform both the access processing and the forwarding processing according to the access VSI.
  • a storage medium storing a computer program configured to execute the aforementioned VPN message processing method.
  • the VPN message processing method and device provided by the embodiments of the present invention separately configure the access VSI and the forwarding VSI on an interface and perform the forwarding processing based on the forwarding table in the forwarding VSI. This improves the processing of members and of horizontal split in the VPLS network, reduces the impact of invalid broadcast replication on the internal bandwidth of the device, and improves VPLS forwarding performance.
  • FIG. 1 is a flowchart of a method for processing a VPN packet according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of constructing a forwarding entry in a VPN packet processing method according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a structure of a VPN packet processing apparatus according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a networking example of an E-TREE service
  • FIG. 5 is a schematic diagram of an E-TREE networking structure and VPN packet processing according to an embodiment of the present invention
  • FIG. 6 is a flowchart of a method for processing a VPN packet in an E-TREE service according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of networking of a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • FIG. 8 is a schematic diagram of processing VPN packets in a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • FIG. 9 is a flowchart of a VPN packet processing method in a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • two VSIs are configured: one VSI is an access VSI and the other VSI is a forwarding VSI; that is, for any one PW interface or AC interface, the access VSI and the forwarding VSI are configured separately.
  • the egress encapsulation information is determined by the access VSI.
  • the forwarding VSI is used to store the forwarding table and to index the egress encapsulation, but does not process the packet encapsulation.
  • the MAC address is learned by the access VSI.
  • the forwarding VSI saves the forwarding table. In actual applications, whether the access VSI and the forwarding VSI are separated can be generated automatically according to the networking type or specified by command configuration.
  • the VPN packet processing method may include the following steps:
  • Step 101: Separately configure the access VSI and the forwarding VSI for any one PW interface or AC interface.
  • separately configuring the access VSI and the forwarding VSI includes: the access VSI is bound to all members of the current E-TREE service and includes index information of all members;
  • the forwarding VSI includes index information of the root member.
  • each access VSI includes common member index information that can communicate with each other only in the VPN to which it belongs, and super member index information that can communicate with each other across the VPN.
  • the forwarding VSI includes member index information of all access VSIs.
  • Step 102: Perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the process of separately configuring the access VSI and the forwarding VSI may include: configuring a member attribute in the AC interface table or the PW attribute table, where the member attribute identifies whether the current interface is the specified interface; and configuring the access VPN_ID and the forwarding VPN_ID in the AC interface table or the PW attribute table, where the access VPN_ID corresponds to the access VSI and the forwarding VPN_ID corresponds to the forwarding VSI. When the member attribute identifies the current interface as the designated interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • performing access processing according to the access VSI and forwarding processing according to the forwarding VSI may include: performing MAC address learning according to the access VPN_ID, and using the forwarding VPN_ID to search the forwarding table; if the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and broadcast forwarding is performed.
  • in step 102, for interfaces other than the specified interface, both the access processing and the forwarding processing are performed according to the access VSI. In practice, whether an interface is the specified interface can be determined from the member attribute configured on the interface.
  • for a leaf member that can communicate with only some members of the E-TREE service, or a super member that can communicate across VPNs in the cross-VPN interworking service, access processing is performed according to the access VSI and forwarding processing is performed according to the forwarding VSI;
  • for the root members of the E-TREE service and the normal members of the cross-VPN interworking service, both the access processing and the forwarding processing are performed according to the access VSI.
  • the interface table, the forwarding table, and the encapsulation table are configured according to FIG. 1 to implement the VPN packet processing in the embodiment of the present invention.
  • InVPN_ID indicates access VPN_ID, corresponding to access VSI
  • FwVPN_ID indicates forwarding VPN_ID, corresponding to forwarding VSI. For the specified interface, you need to use FwVPN_ID to find the forwarding table when forwarding.
  • the egress encapsulation pointer in the forwarding table corresponding to the InVPN_ID and the egress encapsulation pointer in the forwarding table corresponding to the FwVPN_ID may be the same, which indicates forwarding out of the same interface.
  • the Flag bit representing the member attribute can be set only on the specified interface. If the Flag bit is set on the current interface, the current interface is the specified interface; if the Flag bit is not set, the current interface is not the specified interface.
  • the Flag bit can be set on the leaf member interfaces of the E-TREE service and/or the super member interfaces of the cross-VPN interworking service; the root member interfaces of the E-TREE service and/or the normal member interfaces of the cross-VPN interworking service do not set this Flag bit. In this way, in the E-TREE service and the cross-VPN interworking service, it is only necessary to check whether the Flag bit exists in the AC interface table or the PW attribute table to determine whether an interface is the specified interface.
  • the processing models of the E-TREE network and the cross-VPN network forwarding plane can be unified by the control table shown in Figure 2, and whether the networking is E-TREE or cross-VPN is determined by the control plane.
  • the Flag bit identifying the member attribute can be reset or deleted to remain compatible with normal VPLS forwarding.
  • the VPN packet processing apparatus may include:
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI for any one PW interface or AC interface.
  • the processing unit 32 is configured to perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including: the access VSI is bound to all members of the current E-TREE service and includes index information of all members;
  • the forwarding VSI includes index information of the root member, and the root member can communicate with any other member of the current E-TREE service.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including: the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the broadcast table of the forwarding VSI includes broadcast information of all the root members of the E-TREE service; the MAC addresses of all members in the E-TREE service are learned into the access VSI, and for the root members of the E-TREE service the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including:
  • there are two or more access VSIs, which respectively correspond to the VPNs taking part in the cross-VPN interworking.
  • each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • the configuration unit 31 is configured to separately configure the access VSI and the VSI for forwarding, and may include:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • when the member attribute identifies the current interface as the specified interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the processing unit 32 is configured to perform access processing according to the access VSI, and perform forwarding processing according to the forwarding VSI, including: performing MAC address learning according to the access VPN_ID, and using the forwarding VPN_ID to look up the forwarding table; if the destination address is found, MAC address unicast processing and forwarding are performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and the packet is broadcast.
  • the processing unit 32 is further configured to perform access processing and forwarding processing on the interfaces other than the designated interface according to the access VSI.
  • the processing unit 32 is configured to: for a leaf member that can communicate with only some members of the E-TREE service, or a super member that can communicate across VPNs, perform access processing according to the access VSI and forwarding processing according to the forwarding VSI; for the root member of the E-TREE service and the normal member in the cross-VPN interworking service, perform both access processing and forwarding processing according to the access VSI.
  • the VPN packet processing method and device provided by the embodiments of the present invention can be applied to multiple scenarios such as VPLS Hub-Spoke, multiple E-TREEs, and cross-VPN interworking networks. It should be noted that the separation of the access VSI and the forwarding VSI in the various embodiments of the present invention is also applicable to the Virtual Pseudo Wire Service (VPWS). The specific implementation process is similar and will not be described again.
  • VPWS virtual Pseudo Wire Service
  • the Leaf node prevents member interworking through member isolation or PW horizontal splitting.
  • the flow diagram is an example of a plurality of E-TREE networks.
  • the E-TREE network includes one Root-PE, two Leaf-PEs, and four CEs, of which CE11 and CE12 are root CEs and CE13 and CE14 are leaf CEs.
  • CE13 is connected to the root-PE through Leaf-PE11.
  • the CE14 is connected to the root-PE through Leaf-PE12.
  • Both CE11 and CE12 are connected to the root-PE.
  • the CE and the PE communicate with each other through the AC interface.
  • the PE and the PE communicate with each other through the PW interface.
  • the AC11 interface is between CE11 and the root-PE.
  • the AC12 interface is between CE12 and the local device.
  • the AC13 interface is between CE11 and Leaf-PE11.
  • the AC14 interface is between CE14 and Leaf-PE12.
  • the PW11 interface is between the Leaf-PE11 and the Root-PE.
  • the PW12 interface is between the Leaf-PE12 and the Root-PE.
  • the Leaf interface is not interoperable. That is to say, in the E-TREE service, Leaf members cannot communicate with each other.
  • two VSIs are defined: Normal_VSI and Root_VSI. After the E-TREE is configured, a Root_VSI is specified for the Normal_VSI. In this way, two VSIs are created for the VPN.
  • the Normal_VSI contains index information of all members (including the Root members and the Leaf members), which is similar to the VSI used by the E-TREE service in the related art.
  • the Root_VSI contains only the index information of all the root members and is not used for service binding. Specifically, for the Root member, since it can communicate with any member, the forwarding VSI forwarding table includes all the root member indexes and the leaf member indexes, and the corresponding forwarding table is managed by the Normal_VSI; for the Leaf member, since it can only communicate with the Root member, the corresponding forwarding table is managed by the Root_VSI.
  • the device can forward based on Normal_VSI.
  • forwarding can be performed based on the above two VSIs.
  • the Normal_VSI is used for signaling management and is responsible for the maintenance of the PWs.
  • the Root_VSI is not responsible for the signaling management.
  • the forwarding table member contains the PW of the root type established by the Normal_VSI, and is only the VPN of the local attribute.
  • the difference between the Normal_VSI and the Root_VSI is that the MAC addresses and the broadcast table forwarding entries they contain are different.
  • the MAC address learning is determined by the access VSI of the AC or the PW. Therefore, in the embodiment of the present invention, the default MAC address is learned in the Normal_VSI to ensure compatibility with the normal E-TREE address learning.
  • the broadcast table of the Normal_VSI includes broadcast information of all members in the E-TREE, whether for AC or PW; the broadcast table in the Root_VSI only contains broadcast information of all the root members.
  • when the Root_VSI is specified for the Normal_VSI, the MAC addresses learned by the root members are synchronized to the Root_VSI.
  • a broadcast table containing all the root members is created for the Root_VSI.
  • the root member learns MAC addresses in the Normal_VSI, and these addresses need to be synchronized to the Root_VSI through the control plane so that streams received on the Leaf interfaces can be forwarded.
  • the MAC address learning of the Leaf member is the same as normal VPLS MAC processing, and the addresses do not need to be synchronized to the Root_VSI.
  • for Leaf members, the access VSI is the Normal_VSI, that is, MAC addresses are first learned into the Normal_VSI, but the forwarding VSI is the Root_VSI; for Root members, both the access VSI and the forwarding VSI are the Normal_VSI.
  • the cross-VSI synchronization of the MAC address table is handled uniformly by the control plane; MAC aging is initiated by the Normal_VSI, and the aging of the corresponding MAC addresses in the associated Root_VSI is synchronized by the control plane.
  • the VPN_ID saved in the interface attribute table may be extended, and two types of IDs are saved: one is the access VPN_ID, and the other is the VPN_ID for forwarding; If the access VPN_ID is the same as the forwarding VPN_ID, the normal VPLS forwarding process is used. If the access VPN_ID is different from the forwarding VPN_ID, the VPLS forwarding process is performed by using the two VSIs in the embodiment of the present invention.
  • when the VPLS forwarding process is performed, if the access VPN_ID is the same as the forwarding VPN_ID, the normal VPLS forwarding process is used; if the access VPN_ID is different from the forwarding VPN_ID, access is processed based on the Normal_VSI and forwarding is processed based on the Root_VSI; for Root members, both access and forwarding are based on the Normal_VSI.
  • the broadcast forwarding table of the leaf member includes only the information about the root members, which reduces Leaf-to-Leaf isolation filtering and improves broadcast performance.
  • the root member is the same as the original forwarding, as long as the port is isolated.
  • the isolation processing between the above-mentioned processing Leaf members is also naturally supported, and the unicast does not need to be additionally subjected to member isolation processing.
  • the switching process between normal E-TREE forwarding and efficient E-TREE forwarding is well guaranteed, and the handover process does not affect traffic forwarding.
  • FIG. 2 is a schematic diagram of an E-TREE networking in the embodiment of the present invention, where the E-TREE network includes five CEs (CE21, CE22, CE23, CE24, CE25) and four PEs (PE21, PE21, PE23, and PE24), where CE21, CE22, and CE23 are Leaf CEs, CE24 and CE25 are Root CEs, and CE21, CE22, and CE23 are connected to PE23, PE21, and PE22 through AC interfaces.
  • PE21 and PE22 are connected to PEs through PE interfaces.
  • the PE23 is connected to the PW24.
  • the PW23 is connected to the PW24 through the PW interface.
  • the CE24 and CE25 which are the root nodes, are connected to the PE24 and PW23 through the AC interface.
  • two separate VSIs are configured: Normal_VSI and Root_VSI. All members (including the root member and the leaf member) are bound to the Normal_VSI.
  • the Normal_VSI contains index information of all members (including the root member and the leaf member), similar to the VSI used by the E-TREE service in the related art.
  • the Root_VSI only contains all the root member index information and is not configured as a service binding.
  • the normal E-TREE forwarding normal_VSI instance is set up, and the PE23 is configured as the E-TREE service.
  • the AC interface table and the PW attribute table respectively set the member attribute flag (i.e., the Leaf/Root attribute flag) and the VPN identifiers of the E-TREE service (access VPN_ID and forwarding VPN_ID);
  • the Root_VSI includes all the Root members in the E-TREE and sets the Root_VPN_ID. If the Normal_VSI has learned MAC addresses before the Root_VSI is configured, the MAC addresses learned by the Root members in the Normal_VSI are synchronized to the Root_VSI;
  • the forwarding VPN_ID is used as the Root_VPN_ID
  • the access VPN_ID is used as the Normal_VSI_ID
  • the access VPN_ID and the forwarding VPN_ID are the same, and both are used as the Normal_VSI_ID.
  • when the Root_VSI of the Normal_VSI is deleted, it is only necessary to change the forwarding VPN_ID set in the interface attribute of the Leaf members in the E-TREE to Normal_VPN_ID. The Root_VSI's own MAC addresses and broadcast table can then be deleted gradually.
  • the Normal_VSI is used as the access VSI for data forwarding and MAC address learning, and then the Root_VSI is used as the forwarding VSI for MAC address unicast forwarding or broadcast forwarding.
  • the Normal_VSI performs the outbound interface encapsulation to complete the packet forwarding.
  • the Normal_VSI is used as both the access VSI and the forwarding VSI, and data forwarding, MAC address learning, MAC address unicast processing, or broadcast forwarding are performed according to the Normal_VSI.
  • the packet forwarding is complete.
  • both the Leaf members and the Root members learn MAC addresses into the Normal_VSI; MAC synchronization to the Root_VSI is then performed, so that the MAC addresses of all the Root members are synchronized to the Root_VSI.
  • the process of forwarding the E-TREE service is as follows: when traffic is received on an interface, the AC interface table or the PW attribute table is looked up to obtain the Leaf/Root attribute of the interface, and the Leaf/Root attribute is used to determine whether the member is a Leaf member or a Root member. If the traffic is received from a Root member, the access VPN_ID and the forwarding VPN_ID in the Root interface attribute table are the same, and both are Normal_VPN_ID. If the traffic is received from a Leaf member, the Leaf interface attribute table has two VPN_IDs: a Normal_VPN_ID and a Root_VPN_ID;
  • for a Root member, MAC address learning is performed according to SMAC+Normal_VPN_ID, and a new MAC address is synchronized to the Root_VSI through the control plane; for a Leaf member, MAC address learning is also performed according to SMAC+Normal_VPN_ID, but the MAC address is not synchronized to the Root_VSI;
  • for a Root member, the MAC address is looked up and unicast forwarded according to DMAC+Normal_VPN_ID; for a Leaf member, the MAC address is looked up and unicast forwarded according to DMAC+Root_VPN_ID;
  • for a Root member, the broadcast table of the Normal_VSI is looked up according to the Normal_VPN_ID and the packet is broadcast.
  • for a Leaf member, the broadcast table of the Root_VSI is looked up according to the Root_VPN_ID and the packet is broadcast.
  • the specific implementation process of the E-TREE service forwarding process may include the following steps:
  • Step 601: receive a packet on the AC or PW.
  • Step 602: search the AC interface table or the PW attribute table. If the packet is received on the AC, the AC interface table is searched. If the packet is received on the PW, the PW attribute table is searched.
  • Step 603: determine whether the member that received the packet is a Leaf member; if yes, proceed to step 604; if not, proceed to step 605;
  • the member attribute flag (i.e., the Leaf/Root attribute flag) set in the AC interface table and the PW attribute table may be used to determine whether the member that received the packet is a Leaf member.
  • Step 604: perform MAC address learning according to SMAC (source MAC, Media Access Control) + Normal_VPN_ID, look up the forwarding table using DMAC + the Root_VPN_ID associated with the AC or PW, and continue to step 606;
  • Step 605: perform MAC address learning according to SMAC+Normal_VPN_ID; the control plane synchronizes the MAC address to the Root_VSI; look up the forwarding table according to DMAC (destination MAC)+Normal_VPN_ID;
  • Step 606: determine whether the destination address has been found in the forwarding table. If no, proceed to step 607; if yes, proceed to step 608;
  • Step 607: for a Root member, look up the broadcast table of the Normal_VSI; for a Leaf member, look up the broadcast table of the Root_VSI; copy the packet to the members one by one;
  • Step 608: determine whether the exit is a PW; if it is, continue to step 609; if not, continue to step 610;
  • Step 609: Perform AC forwarding. Specifically, the local AC is forwarded for the packets received by the AC, and the PW label is forwarded to the AC for the packets received by the PW, and the process ends.
  • Step 610: The PW packet is encapsulated and forwarded. Specifically, the PW label is forwarded and forwarded by the PW, and the process ends.
  • If some members of a VPN instance need to access not only the members of their own VPN but also members of other VPNs, while the other members can only communicate with each other within their own VPN, this is called cross-VPN interworking.
  • a Super_VSI is defined for the two or more VSIs that interwork across VPNs. The Super_VSI differs from the VSIs that correspond to the individual VPNs in the forwarding members it includes.
  • Each VPN of the VPN interworking includes the forwarding members in the VPN and the super members that can communicate with each other across the VPN.
  • the Super_VSI includes all the members in all the VSIs.
  • the member means Member.
  • the corresponding logical exit is AC or PW.
  • Members have the root/leaf in TREE according to their attributes.
  • cross-VPN interworking there are members that can communicate with each other across VPNs and non-cross-VPN members.
  • the VSI in each VPN is configured as signaling management and is responsible for the maintenance of the PW.
  • the Super_VSI is not responsible for signaling management.
  • the forwarding table contains the PW established by each VSI, but only a local attribute VPN.
  • the VSI broadcast table in each VPN includes the super members of other VPNs in addition to the members in the VPN; the broadcast table of the Super_VSI includes indexes of all members in each VSI.
  • the MAC addresses learned by the members in VSI1 and VSI2 of each VPN are simultaneously synchronized to the Super_VSI, which super members use for unicast forwarding of their flows. This ensures compatibility with normal VPLS processing.
  • the MAC address table learned by each VSI member is synchronized to the Super_VSI, and a broadcast table including all member indexes in each VSI is established for the Super_VSI.
  • the MAC addresses learned on the super members of each VSI are synchronized to the specified Super_VSI and also to the VSIs of the other VPNs, so that ordinary members can respond to the super member's cross-VPN access.
  • the cross-VPN synchronization of the MAC address tables is handled uniformly through the control plane. All MAC aging is initiated by the VSI to which the member belongs; the aging of the MAC address in the associated VPN and in the Super_VSI is then synchronized by the system plane.
  • the VPN_ID saved in the AC interface table and the PW attribute table is extended to store two pieces of VSI information: one is the access VPN_ID, and the other is the forwarding VPN_ID. If the two VPN_IDs are the same, normal VPLS forwarding processing is performed; if the access VPN_ID is different from the forwarding VPN_ID, the VPLS forwarding process is performed in the following manner according to the embodiment of the present invention.
  • All members are bound to their own VPN, ensuring that devices can be forwarded according to the normal VSI.
  • Super_VSI includes all members in each VSI by default.
  • for a super member, the access VSI is the VSI in which it is located, that is, MAC address learning first learns into the VSI in which it is located, and the forwarding VSI is the Super_VSI; for an ordinary member, both the access VSI and the forwarding VSI are the VSI of the VPN in which it is located.
  • The so-called super member is the member with the most privilege. It can be considered to be in any VSI, but in practice it usually sits in one particular VSI while holding broad privilege. In the networking, the VSI it belongs to can be selected based on its attributes.
  • the network architecture of cross-VPN mutual access shown in Figure 4 includes two VPNs, namely VPN1 and VPN2.
  • in VPN1 there are CE31, CE32, CE33, and CE34; in VPN2 there are CE35, CE36, and CE37.
  • the PEs include PE31, PE32, PE33, and PE34.
  • PE31 is connected to PE32, PE33, and PE34 through PW31, PW32, PW33, and PW34.
  • the PE30 and CE35 are connected to each other through AC30.
  • Between PE31 and CE31, PE33 and CE34 are connected through AC31.
  • the PE31 and CE32 are connected to each other through AC32.
  • the PE31 and CE36 are connected through AC33.
  • PE31 is a super member of PW32 and AC31 in VPN1
  • other members of VPN1 include PW31, PW33, PW34, AC30, AC32, and AC33 are common members.
  • PW33, PW34, and AC33 in VPN2 on PE31 are common members;
  • the so-called members in the VSI are just a local concept, not for different devices.
  • the number is just a local concept, and the CE and PE numbers are divided for the network, but the CE and PE are different devices. The number can be repeated.
  • VPN1 and VPN2 need to communicate with each other across VPNs.
  • VPN1 is configured with VSI1
  • VPN2 is configured with VSI2
  • VSI1 and VSI2 are common VSIs.
  • a Super_VSI is also defined.
  • the main difference between the Super_VSI and the VSI1 and the VSI2 is that the forwarding members are different.
  • the VSI1 and the VSI2 respectively manage the ordinary members of the VPN, namely VPN1 and VPN2, and the super members who can exchange visits between VPN1 and VPN2.
  • the Super_VSI contains all members of both VPNs (VPN1 and VPN2).
  • VSI1 and VSI2 are established.
  • VPN1 and VPN2 are connected to each other.
  • the VSI1 on the PE31 includes four members: AC1, AC2, PW1, and PW2.
  • VSI2 includes two members, AC3 and PW3.
  • the configuration process includes: configuring super-member attributes in VSI1 and VSI2 (that is, accessing members across VPNs).
  • VSI1 has super members AC1 and PW2
  • VSI2 has no super members.
  • the cross-VPN access flag, the access VPN_ID, and the forwarding VPN_ID are set.
  • the cross-VPN access flag is not set, the access VPN_ID and the forwarding VPN_ID are the same, that is, the respective Local_VPN_ID,
  • the broadcast member only contains the members of its own instance.
  • the configuration is as follows: Super_VSI is configured for VSI1 and VSI2, and the VPN_ID corresponding to Super_VSI is Super_VPN_ID.
  • the AC interface table or PW attribute table of each super member is modified: the forwarding VPN_ID is changed to the Super_VPN_ID, and the members of VSI1 and VSI2 are written to the broadcast table of the Super_VSI. VSI1 and VSI2 each write the super members of the other party to their own broadcast table; VSI1 and VSI2 will be configured with the Super_VSI.
  • the forwarding VPN_ID in the interface attribute of the super member in the VSI is changed to the Local_VPN_ID, the cross-VPN access flag is reset, and the super members of other VPNs included in the broadcast tables of VSI1 and VSI2 are deleted.
  • the service is forwarded according to ordinary VPLS.
  • the MAC address and broadcast table of the Super_VSI itself can be deleted slowly.
  • FIG. 5 is a schematic diagram of a VPLS forwarding process in the cross-VPN mutual access example shown in FIG. The figure's legend distinguishes super members, ordinary members, the stream received by ordinary members in VPN1, the stream received by ordinary members in VPN2, and the stream received by the super member; the black arrow line indicates the MAC address synchronization process.
  • the MAC address learning is performed by using the SMAC+Local_VPN_ID, and the MAC address of the member is learned by the VSI of the member. Specifically, the MAC addresses of the AC31, AC32, PW31, and PW32 are learned into the VSI1, and the MAC addresses of the AC33 and PW33 are learned into the VSI2. For the super-member, the learned MAC address is synchronized to the Super_VSI and another VSI through the control plane; for ordinary members, the MAC address is only synchronized to the Super_VSI, but is not synchronized to another VSI;
  • the Super_VSI broadcast table is searched according to the Super_VPN_ID and the packet is broadcast; for the traffic received by ordinary members, the broadcast table is searched according to their own VSI and the packet is broadcast.
  • the specific implementation process of the cross-VPN service processing may include the following steps:
  • Step 901: receive a packet.
  • Step 902: search the AC interface table or the PW attribute table to obtain the super member attribute of the access side.
  • the AC table or the tag attribute table is looked up to determine whether the interface is a super member, and the Local_VPN_ID and the forwarding VPN_ID are obtained from the AC interface table or the PW attribute table (the forwarding VPN_ID is the Super_VPN_ID for a super member interface, otherwise it is the Local_VPN_ID);
  • Step 903: determine whether it is a super member; if not, continue to step 904; otherwise, continue to step 905;
  • Step 904: learn the MAC address with SMAC+Local_VPN_ID; the control plane synchronizes the SMAC address to the VSI associated with the other VPN and to the Super_VSI; look up the forwarding table according to DMAC+Super_VPN_ID, and proceed to step 906;
  • Step 905: learn the MAC address with SMAC+Local_VPN_ID, synchronize the MAC address to the Super_VSI, and look up the forwarding table according to DMAC+Local_VPN_ID;
  • Step 906: determine whether the destination address is found in the forwarding table; if not, proceed to step 907; otherwise, continue to step 908;
  • Step 907: search the broadcast table by using the Super_VPN_ID, copy the packet, and send it to the members one by one;
  • Step 908: determine whether the exit is a PW; if it is, continue to step 909; otherwise, continue to step 910;
  • Step 909: the packet is forwarded locally by the AC, and the current process ends.
  • Step 910: after the PW encapsulation is performed, the packet is forwarded, and the current process ends.
  • the above method uses two VPNs only as an example and is not limited to two. Where more than two VPNs access each other, the above method can also be implemented.
  • the embodiment of the invention further describes a storage medium, wherein the storage medium stores a computer program, and the computer program is configured to execute the VPN message processing method of the foregoing embodiments.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device.
  • the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing.
  • the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • by separately configuring an access VSI and a forwarding VSI on an interface, a designated interface can perform forwarding processing based on the forwarding table in the forwarding VSI. This improves how members and split horizon are handled in VPLS networking, reduces the impact of invalid broadcast replication on the internal bandwidth of the device, and improves VPLS forwarding performance.
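The E-TREE steps 601 to 610 and the cross-VPN MAC synchronization and broadcast-table rules above both reduce to one data-plane rule: learn on SMAC + access VPN_ID, look up on DMAC + forwarding VPN_ID. The Python model below is an added example, not code from the patent, and shows that rule keeping Leaf-to-Leaf and VPN-to-VPN traffic apart. The class and function names, the numeric VPN_ID values, the E-TREE member layout and the MAC strings are assumptions; the cross-VPN member layout follows the VSI1/VSI2 membership given above. Flooding skips the ingress member (an assumption), and PW split horizon is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str                 # AC or PW name
    kind: str                 # "AC" or "PW": selects the egress handling
    access_vpn_id: int        # access VSI: where the source MAC is learned
    forwarding_vpn_id: int    # forwarding VSI: where the destination is looked up
    sync_vpn_ids: tuple = ()  # VSIs the control plane copies learned MACs into


class SplitVsiPE:
    """One PE whose interfaces each carry an access and a forwarding VPN_ID."""

    def __init__(self, members, broadcast_tables):
        self.members = {m.name: m for m in members}
        self.broadcast = broadcast_tables   # vpn_id -> ordered member names
        self.fdb = {}                       # (vpn_id, mac) -> member name

    def receive(self, in_name, smac, dmac):
        """Return [(egress member, kind)] for a frame received on in_name."""
        m = self.members[in_name]
        # Learn on SMAC + access VPN_ID, then control-plane synchronization.
        self.fdb[(m.access_vpn_id, smac)] = in_name
        for vpn_id in m.sync_vpn_ids:
            self.fdb[(vpn_id, smac)] = in_name
        # Look up on DMAC + forwarding VPN_ID; on a miss, flood that VSI's table.
        hit = self.fdb.get((m.forwarding_vpn_id, dmac))
        if hit is not None:
            targets = [hit]
        else:
            targets = self.broadcast[m.forwarding_vpn_id]
        # Assumption: a frame is never sent back out of its ingress member.
        return [(n, self.members[n].kind) for n in targets if n != in_name]


# Assumed numeric values; the page only names the identifiers.
NORMAL_VPN_ID, ROOT_VPN_ID = 100, 200
VSI1_VPN_ID, VSI2_VPN_ID, SUPER_VPN_ID = 1, 2, 9


def build_etree_pe():
    """E-TREE: Root members AC1 and PW1, Leaf members AC2 and AC3 (constructed)."""
    root = dict(access_vpn_id=NORMAL_VPN_ID, forwarding_vpn_id=NORMAL_VPN_ID,
                sync_vpn_ids=(ROOT_VPN_ID,))     # Root MACs are synced to Root_VSI
    leaf = dict(access_vpn_id=NORMAL_VPN_ID, forwarding_vpn_id=ROOT_VPN_ID)
    members = [Member("AC1", "AC", **root), Member("PW1", "PW", **root),
               Member("AC2", "AC", **leaf), Member("AC3", "AC", **leaf)]
    return SplitVsiPE(members, {
        NORMAL_VPN_ID: ["AC1", "PW1", "AC2", "AC3"],  # all members
        ROOT_VPN_ID: ["AC1", "PW1"],                  # Root members only
    })


def build_cross_vpn_pe():
    """Cross-VPN: VSI1 = AC1*, AC2, PW1, PW2*; VSI2 = AC3, PW3 (* = super member)."""
    sup = dict(access_vpn_id=VSI1_VPN_ID, forwarding_vpn_id=SUPER_VPN_ID,
               sync_vpn_ids=(SUPER_VPN_ID, VSI2_VPN_ID))
    ord1 = dict(access_vpn_id=VSI1_VPN_ID, forwarding_vpn_id=VSI1_VPN_ID,
                sync_vpn_ids=(SUPER_VPN_ID,))
    ord2 = dict(access_vpn_id=VSI2_VPN_ID, forwarding_vpn_id=VSI2_VPN_ID,
                sync_vpn_ids=(SUPER_VPN_ID,))
    members = [Member("AC1", "AC", **sup), Member("AC2", "AC", **ord1),
               Member("PW1", "PW", **ord1), Member("PW2", "PW", **sup),
               Member("AC3", "AC", **ord2), Member("PW3", "PW", **ord2)]
    return SplitVsiPE(members, {
        VSI1_VPN_ID: ["AC1", "AC2", "PW1", "PW2"],
        VSI2_VPN_ID: ["AC3", "PW3", "AC1", "PW2"],    # own members + VSI1 super members
        SUPER_VPN_ID: ["AC1", "AC2", "PW1", "PW2", "AC3", "PW3"],
    })


def leaf_isolation_demo():
    """Leaf AC3 sends to a MAC that sits behind Leaf AC2; return the egress list."""
    pe = build_etree_pe()
    pe.receive("AC2", "mac-leaf2", "mac-root1")   # learned in Normal_VSI only
    return pe.receive("AC3", "mac-leaf3", "mac-leaf2")


if __name__ == "__main__":
    print(leaf_isolation_demo())
```
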

Abstract

Disclosed is a VPN packet processing method. The method comprises: for any PW interface or AC interface, separately configuring an access VSI and a forwarding VSI; and for a designated interface, performing access according to the access VSI and then performing forwarding according to the forwarding VSI. Also correspondingly disclosed is a VPN packet processing apparatus.

Description

VPN packet processing method and device, and storage medium
Technical field
The invention relates to the field of multi-protocol label switching (MPLS) virtual private network (VPN) packet communication technology, and in particular to a VPN packet processing method and device, and a storage medium.
Background
Virtual Private LAN Service (VPLS) is a widely used Layer 2 Virtual Private Network (L2VPN) technology, commonly used to interconnect enterprise users' VPNs. In VPLS, the provider edge router (PE) maintains a separate forwarding table for each VPN user through a Virtual Switch Instance (VSI). The forwarding tables of the VSIs are independent of each other, which isolates services and keeps them private.
VPLS forwards services between different VPN users through a single VSI, yet in VPLS some nodes cannot communicate with each other directly. When traffic is forwarded between nodes by looking up the VSI, for example during broadcast processing, many invalid broadcast copies are inevitably produced. This not only wastes system bandwidth and congests the device's internal links, but also reduces VPLS forwarding performance.
Summary of the invention
The technical problem to be solved by the present invention is to provide a VPN packet processing method and device, and a storage medium.
To achieve the above objective, the technical solutions of the embodiments of the present invention are implemented as follows:
A packet processing method for a virtual private network (VPN), the method comprising:
for any PW interface or AC interface, separately configuring an access VSI and a forwarding VSI;
for a designated interface, performing access processing according to the access VSI, and then performing forwarding processing according to the forwarding VSI.
In the above solution, for a point-to-multipoint E-TREE service, separately configuring the access VSI and the forwarding VSI includes:
the access VSI is bound to all members of the current E-TREE service and contains the index information of all members;
the forwarding VSI contains the index information of the Root members.
In the above solution, for the E-TREE service, separately configuring the access VSI and the forwarding VSI includes:
the broadcast table of the access VSI contains the broadcast information of all members of the E-TREE service; the forwarding VSI contains the broadcast information of all Root members of the E-TREE service;
the MAC addresses on all members of the E-TREE service are learned into the access VSI; for the Root members of the E-TREE service, the MAC addresses already learned into the access VSI are synchronized to the forwarding VSI.
In the above solution, for a cross-VPN interworking service in which two or more VPNs interwork, separately configuring the access VSI and the forwarding VSI includes:
there are two or more access VSIs, each corresponding to one of the VPNs that interwork across VPNs; each access VSI contains the index information of ordinary members, which can interwork only within the VPN they belong to, and of super members, which can access each other across VPNs;
the forwarding VSI contains the member index information of all access VSIs.
In the above solution, for a cross-VPN interworking service in which two or more VPNs interwork, separately configuring the access VSI and the forwarding VSI includes:
all members of every access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
each access VSI synchronizes the MAC addresses it has learned to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
In the above solution, separately configuring the access VSI and the forwarding VSI includes:
configuring a member attribute in the AC interface table or the PW attribute table, the member attribute being configured to identify whether the current interface is the designated interface;
configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, the access VPN_ID corresponding to the access VSI and the forwarding VPN_ID corresponding to the forwarding VSI;
when the member attribute identifies the current interface as a designated interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
In the above solution, performing access processing according to the access VSI and performing forwarding processing according to the forwarding VSI includes:
performing MAC address learning according to the access VPN_ID and looking up the forwarding table with the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
In the above solution, the method further includes:
for interfaces other than the designated interface, both access processing and forwarding processing are performed according to the access VSI.
In the above solution, the method includes:
for Leaf members of an E-TREE service, which can interwork with only some members, or super members of a cross-VPN interworking service, which can access each other across VPNs, performing access processing according to the access VSI and forwarding processing according to the forwarding VSI;
for Root members of an E-TREE service, or ordinary members of a cross-VPN interworking service, performing both access processing and forwarding processing according to the access VSI.
A packet processing apparatus for a virtual private network (VPN), the apparatus comprising:
a configuration unit, configured to separately configure an access VSI and a forwarding VSI for any PW interface or AC interface;
a processing unit, configured to, for a designated interface, perform access processing according to the access VSI and then perform forwarding processing according to the forwarding VSI.
In the above solution, for a point-to-multipoint E-TREE service, the configuration unit being configured to separately configure the access VSI and the forwarding VSI includes:
the access VSI is bound to all members of the current E-TREE service and contains the index information of all members;
the forwarding VSI contains the index information of the Root members.
In the above solution,
for the E-TREE service, the configuration unit being configured to separately configure the access VSI and the forwarding VSI includes: the broadcast table of the access VSI contains the broadcast information of all members of the E-TREE service, and the forwarding VSI contains the broadcast information of all Root members of the E-TREE service; the MAC addresses on all members of the E-TREE service are learned into the access VSI, and for the Root members of the E-TREE service, the MAC addresses already learned into the access VSI are synchronized to the forwarding VSI.
In the above solution, for a cross-VPN interworking service in which two or more VPNs interwork, the configuration unit being configured to separately configure the access VSI and the forwarding VSI includes:
there are two or more access VSIs, each corresponding to one of the VPNs that interwork across VPNs; each access VSI contains the index information of ordinary members, which can interwork only within the VPN they belong to, and of super members, which can access each other across VPNs;
the forwarding VSI contains the member index information of all access VSIs.
In the above solution, for a cross-VPN interworking service in which two or more VPNs interwork, the configuration unit being configured to separately configure the access VSI and the forwarding VSI includes:
all members of every access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
each access VSI synchronizes the MAC addresses it has learned to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
In the above solution, the configuration unit being configured to separately configure the access VSI and the forwarding VSI includes:
configuring a member attribute in the AC interface table or the PW attribute table, the member attribute being configured to identify whether the current interface is the designated interface;
configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, the access VPN_ID corresponding to the access VSI and the forwarding VPN_ID corresponding to the forwarding VSI;
when the member attribute identifies the current interface as a designated interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
In the above solution, the processing unit being configured to perform access processing according to the access VSI and forwarding processing according to the forwarding VSI includes:
performing MAC address learning according to the access VPN_ID and looking up the forwarding table with the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
In the above solution, the processing unit is further configured such that, for interfaces other than the designated interface, both access processing and forwarding processing are performed according to the access VSI.
In the above solution, the processing unit is configured to:
for Leaf members of an E-TREE service, which can interwork with only some members, or super members of a cross-VPN interworking service, which can access each other across VPNs, perform access processing according to the access VSI and forwarding processing according to the forwarding VSI;
for Root members of an E-TREE service, or ordinary members of a cross-VPN interworking service, perform both access processing and forwarding processing according to the access VSI.
A storage medium storing a computer program, the computer program being configured to execute the foregoing VPN packet processing method.
With the VPN packet processing method and apparatus provided by the embodiments of the present invention, an access VSI and a forwarding VSI are configured separately on an interface, so that a designated interface can perform forwarding processing based on the forwarding table in the forwarding VSI. This improves how members and split horizon are handled in VPLS networking, reduces the impact of invalid broadcast replication on the internal bandwidth of the device, and improves VPLS forwarding performance.
Description of the drawings
FIG. 1 is a flowchart of a VPN packet processing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of building the forwarding table entries in a VPN packet processing method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a VPN packet processing apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a networking example of an E-TREE service;
FIG. 5 is a schematic diagram of the E-TREE networking structure and VPN packet processing according to Embodiment 1 of the present invention;
FIG. 6 is a flowchart of a VPN packet processing method in an E-TREE service according to Embodiment 1 of the present invention;
FIG. 7 is a schematic diagram of the networking of a cross-VPN interworking service according to Embodiment 2 of the present invention;
FIG. 8 is a schematic diagram of VPN packet processing in a cross-VPN interworking service according to Embodiment 2 of the present invention;
FIG. 9 is a flowchart of a VPN packet processing method in a cross-VPN interworking service according to Embodiment 2 of the present invention.
具体实施方式detailed description
以下结合附图以及实施例,对本发明进行进一步详细说明。应当理解,此处所描述。The invention will be further described in detail below with reference to the drawings and embodiments. It should be understood that described herein.
In the various embodiments of the present invention, two VSIs are configured: one is the access VSI and the other is the forwarding VSI. That is, for any PW interface or AC interface, its access VSI and forwarding VSI are configured separately. The egress encapsulation information is determined by the access VSI; the forwarding VSI is configured to hold the forwarding table and to index the egress encapsulation, but it does not process packet encapsulation. In forwarding processing, MAC address learning is performed by the access VSI and the forwarding table is held by the forwarding VSI. In practice, whether the access VSI and the forwarding VSI are actually separated can be generated automatically according to the networking type or specified through command configuration.
In the various embodiments of the present invention, as shown in FIG. 1, the VPN packet processing method may include the following steps:
Step 101: for any PW interface or AC interface, separately configure an access VSI and a forwarding VSI;
For example, for a point-to-multipoint E-TREE service, separately configuring the access VSI and the forwarding VSI includes: the access VSI binds all members of the current E-TREE service and contains the index information of all members; the forwarding VSI contains the index information of the Root members.
For a cross-VPN interworking service in which two or more VPNs interwork, separately configuring the access VSI and the forwarding VSI includes: there are two or more access VSIs, one for each of the interworking VPNs; each access VSI contains the index information of the ordinary members, which can interwork only within the VPN they belong to, and the index information of the super members, which can access other VPNs; the forwarding VSI contains the member index information of all access VSIs.
Step 102: for a designated interface, perform access processing according to the access VSI, then perform forwarding processing according to the forwarding VSI.
Specifically, separately configuring the access VSI and the forwarding VSI may include: configuring a member attribute in the AC interface table or the PW attribute table, the member attribute identifying whether the current interface is the designated interface; configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, where the access VPN_ID corresponds to the access VSI and the forwarding VPN_ID corresponds to the forwarding VSI. When the member attribute identifies the current interface as a designated interface, the access VPN_ID differs from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
In step 102, performing access processing according to the access VSI and forwarding processing according to the forwarding VSI may include: performing MAC address learning according to the access VPN_ID and looking up the forwarding table with the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
In addition, step 102 may further include: for interfaces other than the designated interface, both access processing and forwarding processing are performed according to the access VSI. In actual processing, whether an interface is a designated interface can be determined from the member attribute configured on the interface.
For example, for a Leaf member in an E-TREE service, which can interwork with only some of the members, or a super member in a cross-VPN interworking service, which can access other VPNs, access processing is performed according to the access VSI and forwarding processing according to the forwarding VSI; for a Root member in an E-TREE service or an ordinary member in a cross-VPN interworking service, both access processing and forwarding processing are performed according to the access VSI.
FIG. 2 is a schematic diagram of the forwarding entries when the access VSI and the forwarding VSI are configured separately. The interface table, forwarding table and encapsulation table can be built according to FIG. 1 to implement the VPN packet processing of the embodiments of the present invention.
Specifically, as shown in FIG. 2, the member attribute of the current interface is configured in the AC interface table or the PW attribute table by means of a Flag bit. Two VPN_IDs are also configured in the AC interface table or the PW attribute table: an access VPN_ID and a forwarding VPN_ID. In FIG. 2, InVPN_ID denotes the access VPN_ID, which corresponds to the access VSI, and FwVPN_ID denotes the forwarding VPN_ID, which corresponds to the forwarding VSI. For a designated interface, the forwarding table must be looked up with FwVPN_ID when forwarding. The egress encapsulation pointer in the forwarding table for InVPN_ID and the egress encapsulation pointer in the forwarding table for FwVPN_ID may be the same, indicating that packets are forwarded out of the same interface.
For example, the Flag bit representing the member attribute may be set only on designated interfaces: if the Flag bit is set on the current interface, the current interface is a designated interface; if it is not set, the current interface is not a designated interface. For instance, the Flag bit can be set on the Leaf member interfaces of an E-TREE service and/or the super member interfaces of a cross-VPN interworking service, and left unset on the Root member interfaces of an E-TREE service and/or the ordinary member interfaces of a cross-VPN interworking service. In this way, in E-TREE and cross-VPN interworking services, checking whether the Flag bit is present in the AC interface table or the PW attribute table is enough to determine whether an interface is a designated interface.
With the table model shown in FIG. 2, the forwarding-plane processing model for E-TREE networking and cross-VPN networking can be unified. The control plane distinguishes between E-TREE networking and cross-VPN networking in order to perform the corresponding MAC address synchronization and control of the FwVPN_ID broadcast table.
In addition, if the device interface table cannot support the FwVPN_ID field, that is, if the device interface cannot support separate configuration of the access VSI and the forwarding VSI, the Flag bit identifying the member attribute can be reset or deleted so as to remain compatible with ordinary VPLS forwarding.
As shown in FIG. 3, in the embodiments of the present invention, the VPN packet processing apparatus may include:
a configuration unit 31, configured to separately configure an access VSI and a forwarding VSI for any PW interface or AC interface;
a processing unit 32, configured to, for a designated interface, perform access processing according to the access VSI and then perform forwarding processing according to the forwarding VSI.
For a point-to-multipoint E-TREE service, the configuration unit 31 being configured to separately configure the access VSI and the forwarding VSI includes: the access VSI binds all members of the current E-TREE service and contains the index information of all members; the forwarding VSI contains the index information of the Root members, a Root member being able to interwork with any other member of the current E-TREE service.
For an E-TREE service, the configuration unit 31 being configured to separately configure the access VSI and the forwarding VSI includes: the broadcast table of the access VSI contains the broadcast information of all members of the E-TREE service, and the forwarding VSI contains the broadcast information of all Root members of the E-TREE service; MAC addresses on all members of the E-TREE service are learned into the access VSI, and for the Root members of the E-TREE service, the MAC addresses they have learned into the access VSI are synchronized to the forwarding VSI.
When two or more VPNs interwork, the configuration unit 31 being configured to separately configure the access VSI and the forwarding VSI includes:
there are two or more access VSIs, one for each of the interworking VPNs; each access VSI contains the index information of the ordinary members, which can interwork only within the VPN they belong to, and the index information of the super members, which can access other VPNs;
the forwarding VSI contains the member index information of all access VSIs.
For a cross-VPN interworking service in which two or more VPNs interwork, the configuration unit 31 being configured to separately configure the access VSI and the forwarding VSI includes:
writing all members of every access VSI into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
each access VSI synchronizes the MAC addresses it has learned to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
The configuration unit 31 being configured to separately configure the access VSI and the forwarding VSI may include:
configuring a member attribute in the AC interface table or the PW attribute table, the member attribute identifying whether the current interface is the designated interface;
configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, where the access VPN_ID corresponds to the access VSI and the forwarding VPN_ID corresponds to the forwarding VSI;
when the member attribute identifies the current interface as a designated interface, the access VPN_ID differs from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
The processing unit 32 being configured to perform access processing according to the access VSI and forwarding processing according to the forwarding VSI includes: performing MAC address learning according to the access VPN_ID and looking up the forwarding table with the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
The processing unit 32 is further configured to: for interfaces other than the designated interface, perform both access processing and forwarding processing according to the access VSI.
The processing unit 32 is configured to: for a Leaf member in an E-TREE service, which can interwork with only some of the members, or a super member in a cross-VPN interworking service, which can access other VPNs, perform access processing according to the access VSI and forwarding processing according to the forwarding VSI; for a Root member in an E-TREE service or an ordinary member in a cross-VPN interworking service, perform both access processing and forwarding processing according to the access VSI.
The VPN packet processing method and apparatus provided by the embodiments of the present invention are applicable to a variety of scenarios, such as VPLS Hub-Spoke, multi-root E-TREE, and cross-VPN interworking networks. It should be noted that the separation of the access VSI and the forwarding VSI in the embodiments of the present invention is also applicable to the Virtual Pseudo Wire Service (VPWS); the implementation is similar and is not repeated here.
Embodiment 1
In point-to-multipoint (E-TREE) networking, Leaf nodes prevent members from interworking by means of member isolation or PW split horizon.
FIG. 4 is a traffic diagram of an example multi-root E-TREE network. The E-TREE network includes one Root-PE, two Leaf-PEs and four CEs. CE11 and CE12 are Root CEs; CE13 and CE14 are Leaf CEs. CE13 connects to the Root-PE through Leaf-PE11, CE14 connects to the Root-PE through Leaf-PE12, and CE11 and CE12 are both connected to the Root-PE. CEs and PEs interwork through AC interfaces, and PEs interwork with each other through PW interfaces. As shown in FIG. 4, the AC11 interface is between CE11 and the Root-PE, the AC12 interface is between CE12 and the Root-PE, the AC13 interface is between CE13 and Leaf-PE11, the AC14 interface is between CE14 and Leaf-PE12, the PW11 interface is between Leaf-PE11 and the Root-PE, and the PW12 interface is between Leaf-PE12 and the Root-PE. As can be seen from FIG. 1, Leaf interfaces cannot interwork. That is, in an E-TREE service, Leaf members cannot interwork with each other.
In this embodiment of the present invention, two kinds of VSI are defined for each E-TREE service: Normal_VSI and Root_VSI. After the E-TREE is configured, a designated Root_VSI is configured for the Normal_VSI, so that two VSIs are created for the VPN.
All members (including Root members A11 and A12 and Leaf members PW11 and PW12) are bound to Normal_VSI. Normal_VSI contains the index information of all members (both Root members and Leaf members), similar to the VSI used by the E-TREE service in the related art, whereas Root_VSI contains only the index information of all Root members and is not configured for service binding. Specifically, because a Root member can interwork with any member, the forwarding table of its forwarding VSI contains all Root member indexes and Leaf member indexes, and the corresponding forwarding table is managed by Normal_VSI; because a Leaf member can communicate only with Root members, its corresponding forwarding table is managed by Root_VSI.
For an E-TREE service, a device that supports only one VSI can forward based on Normal_VSI. A device that supports separation of the access VSI and the forwarding VSI, that is, a device that supports both kinds of VSI, can forward based on the two VSIs described above.
Normal_VSI is configured for signaling management and is responsible for maintaining the PWs. Root_VSI is not responsible for signaling management; its forwarding table members include the Root-type PWs established by Normal_VSI, and it is only a VPN with local attributes.
Normal_VSI and Root_VSI differ in the MAC addresses and broadcast-table forwarding entries they contain. MAC address learning is determined by the access VSI of the AC or PW; therefore, in this embodiment, MAC addresses are learned into Normal_VSI by default, to remain compatible with ordinary E-TREE address learning. In this embodiment, for both ACs and PWs, the broadcast table of Normal_VSI contains the broadcast information of all members of the E-TREE, while the broadcast table of Root_VSI contains only the broadcast information of all Root members. When a Root_VSI is designated for the Normal_VSI, the MAC addresses learned on Root members are synchronized to Root_VSI, and a broadcast table containing all Root members is created for Root_VSI. In practice, the MAC addresses that Root members learn into Normal_VSI must be synchronized to Root_VSI through the control plane so that they are available for unicast forwarding of flows received on Leaf interfaces. MAC addresses learned on Leaf members, however, are handled as in ordinary VPLS MAC processing and do not need to be synchronized to Root_VSI.
In VPLS forwarding for the E-TREE service, the access VSI of a Leaf member is Normal_VSI, that is, processing such as MAC address learning is first done in Normal_VSI, but its forwarding VSI is Root_VSI; for a Root member, both the access VSI and the forwarding VSI are Normal_VSI.
Specifically, for the MAC address tables in Normal_VSI and Root_VSI, cross-VSI synchronization of the MAC address tables is handled uniformly by the control plane; MAC aging is initiated by Normal_VSI, and the control plane then synchronizes the aging to the MAC addresses in the associated Root_VSI.
Specifically, at the data forwarding level of Normal_VSI and Root_VSI, the VPN_ID stored in the interface attribute tables (the AC interface table and the PW attribute table) can be extended to store two IDs: an access VPN_ID and a forwarding VPN_ID. If the access VPN_ID is the same as the forwarding VPN_ID, ordinary VPLS forwarding is used; if they differ, VPLS forwarding is performed by combining the two VSIs as described in this embodiment. That is, during VPLS forwarding, if the access VPN_ID is the same as the forwarding VPN_ID, ordinary VPLS forwarding is used; if they differ, then for a Leaf member, access processing is based on Normal_VSI and forwarding processing is based on Root_VSI, while for a Root member, both access and forwarding are based on Normal_VSI.
In practice, if the AC interface table and the PW attribute table of a device in the E-TREE network cannot support separation of the access VSI and the forwarding VSI, Root_VSI need not be designated for Normal_VSI, which ensures that the E-TREE can forward as in traditional VPLS.
In this embodiment, the broadcast forwarding table of a Leaf member contains only information about Root members, which reduces Leaf-to-Leaf isolation filtering and improves broadcast performance. A Root member forwards as before and only needs to isolate its own port. Isolation between Leaf members is also supported naturally by this processing, so unicast needs no additional member isolation. In addition, switching between ordinary E-TREE forwarding and efficient E-TREE forwarding is handled cleanly, and the switchover does not affect traffic forwarding.
FIG. 2 is a schematic diagram of an example E-TREE network according to this embodiment. The E-TREE network contains five CEs (CE21, CE22, CE23, CE24, CE25) and four PEs (PE21, PE22, PE23, PE24). CE21, CE22 and CE23 are Leaf CEs; CE24 and CE25 are Root CEs. CE21, CE22 and CE23 are connected through AC interfaces to PE23, PE21 and PE22 respectively; PE21 and PE22 are connected to PE23 through PE interfaces; PW23 is connected to PW24 through a PW interface; and CE24 and CE25, as Root nodes, are connected through AC interfaces to PE24 and PW23 respectively. Two separate VSIs are configured in this E-TREE network: Normal_VSI and Root_VSI. All members (both Root members and Leaf members) are bound to Normal_VSI. Normal_VSI contains the index information of all members (both Root members and Leaf members), similar to the VSI used by the E-TREE service in the related art, whereas Root_VSI contains only the index information of all Root members and is not configured for service binding.
First, an ordinary Normal_VSI instance for E-TREE forwarding is created and configured on PE23 for the E-TREE service. When the E-TREE service is configured, the member attribute flag (that is, the Leaf/Root attribute flag) and the VPN identifiers of the E-TREE service (access VPN_ID and forwarding VPN_ID) are set in the AC interface table and the PW attribute table;
A Root_VSI is designated for the Normal_VSI. The Root_VSI contains all Root members of the E-TREE, and Root_VPN_ID is set accordingly. If Normal_VSI has already learned MAC addresses before Root_VSI is configured, the MAC addresses learned by Root members in Normal_VSI are synchronized to Root_VSI;
For a Leaf member, the forwarding VPN_ID is Root_VPN_ID and the access VPN_ID is Normal_VSI_ID; for a Root member, the access VPN_ID and the forwarding VPN_ID are the same, both being Normal_VSI_ID.
When the Root_VSI of a Normal_VSI is deleted, the only change needed after the configuration is removed is to set the forwarding VPN_ID in the interface attributes of the Leaf members of the E-TREE to Normal_VPN_ID. Root_VSI's own MAC addresses and broadcast table can be deleted gradually.
During E-TREE service forwarding, as shown in FIG. 3, [Figure PCTCN2014086667-appb-000001] denotes the data flow path forwarded between Leaf members, and [Figure PCTCN2014086667-appb-000002] denotes the data flow path forwarded between Root members. For a Leaf member, Normal_VSI is used as the access VSI for data forwarding and MAC address learning, Root_VSI is then used as the forwarding VSI for MAC address unicast forwarding or broadcast forwarding, and finally egress interface encapsulation is performed according to Normal_VSI to complete packet forwarding. For a Root member, Normal_VSI is used as both the access VSI and the forwarding VSI: data forwarding and MAC address learning, MAC address unicast processing or broadcast forwarding are performed according to Normal_VSI, and finally egress interface encapsulation is performed to complete packet forwarding. Here, for both Leaf members and Root members, MAC address learning is performed by Normal_VSI, followed by MAC synchronization to Root_VSI, in which the MAC addresses of all Root members are synchronized to Root_VSI.
In this embodiment, the E-TREE service forwarding process is briefly as follows. When traffic is received on an interface, the AC interface table or the PW attribute table is looked up to obtain the Leaf/Root attribute of the interface, and the Leaf/Root attribute determines whether the member is a Leaf member or a Root member. If the packet was received from a Root member, the interface attribute in the Root attribute table and the forwarding VPN_ID are the same, corresponding to Normal_VPN_ID; if the traffic was received from a Leaf member, the Leaf interface attribute table has two VPN_IDs, a Normal_VPN_ID and a Root_VPN_ID;
For a Root member, MAC address learning is performed according to SMAC+Normal_VPN_ID, and a new MAC address is synchronized to Root_VSI through the control plane; for a Leaf member, MAC address learning is likewise performed according to SMAC+Normal_VPN_ID, but the MAC address is not synchronized to Root_VSI;
If the destination address is found, then for a Root member, MAC address unicast processing and forwarding are performed according to DMAC+Normal_VPN_ID; for a Leaf member, MAC address unicast processing and forwarding are performed according to DMAC+Root_VPN_ID;
If the destination address is not found, then for a packet received from a Root member, the broadcast table of Normal_VSI is looked up according to Normal_VPN_ID and the packet is broadcast; for a packet received from a Leaf member, the broadcast table of Root_VSI is looked up according to Root_VPN_ID and the packet is broadcast.
Specifically, as shown in FIG. 6 and with reference to FIG. 5, the E-TREE service forwarding process may include the following steps:
Step 601: receive a packet on an AC or PW;
Step 602: look up the AC interface table or the PW attribute table; if the packet was received on an AC, look up the AC interface table, and if it was received on a PW, look up the PW attribute table;
Step 603: determine whether the member that received the packet is a Leaf member; if so, continue with step 604; if not, continue with step 605;
Specifically, whether the member that received the packet is a Leaf member can be determined by looking up the member attribute flag (that is, the Leaf/Root attribute flag) set in the AC interface table and the PW attribute table;
Step 604: perform MAC address learning according to SMAC (source MAC, Media Access Control)+Normal_VPN_ID, look up the forwarding table with the DMAC+Root_VPN_ID associated with the AC or PW, and continue with step 606;
Step 605: perform MAC address learning according to SMAC+Normal_VPN_ID; the control plane synchronizes the MAC address to Root_VSI; look up the forwarding table according to DMAC (destination MAC)+Normal_VPN_ID;
Step 606: has the destination address been found in the forwarding table? If not, continue with step 607; if so, continue with step 608;
Step 607: for a Root member, look up Normal_VSI; for a Leaf member, look up Root_VSI; the packet is replicated and sent to the members one by one;
Step 608: is the egress a PW? If so, continue with step 609; if not, continue with step 610;
Step 609: perform AC forwarding; specifically, a packet received on an AC is forwarded locally to the AC, and for a packet received on a PW the PW label is popped and the packet is forwarded to the AC; the flow ends;
Step 610: PW packet encapsulation and forwarding; specifically, for a packet received on a PW, PW label switching is performed and the packet is forwarded; the flow ends.
Embodiment 2
If some members of a VPN instance are required to access not only members within their own VPN but also members of other VPNs, while other members may only communicate within their own VPN, this is called cross-VPN interworking.
In this embodiment of the present invention, to solve the problem of cross-VPN interworking, a Super_VSI is defined for the two or more VSIs that interwork across VPNs. The Super_VSI differs from the VSIs of the individual VPNs in the forwarding members it contains: for each interworking VPN, its VSI contains the forwarding members within that VPN and the super members that are able to access across VPNs, whereas the Super_VSI contains all members of all the VSIs. Here, a member (Member) is, for a VPN, a corresponding logical egress, which is an AC or a PW. According to their attributes, members are called Root or Leaf in TREE, and in cross-VPN interworking there are members that can interwork across VPNs and members that cannot.
The VSI in each VPN is configured for signaling management and is responsible for maintaining the PWs, whereas the Super_VSI is not responsible for signaling management; its forwarding table contains the PWs established by the individual VSIs, and it is only a locally significant VPN.
For the broadcast tables, the broadcast table of the VSI in each VPN contains, in addition to the members within that VPN, the super members of the other VPNs; the broadcast table of the Super_VSI contains the indexes of all members in every VSI.
For MAC address learning, MAC addresses are learned into the VSI of each VPN; the MAC addresses learned by members in VSI1 and VSI2 are at the same time synchronized to the Super_VSI, for unicast forwarding of the flows forwarded by super members. This ensures compatibility with ordinary VPLS processing.
Specifically, when the Super_VSI corresponding to the VSIs is specified, the MAC address tables learned on the members of each VSI are synchronized to the Super_VSI, and a broadcast table containing the indexes of all members in every VSI is created for the Super_VSI. A MAC address learned on a super member of a VSI is synchronized not only to the specified Super_VSI but also to the VSIs of the other VPNs, so that ordinary members can reply to cross-VPN access from super members. Cross-VPN synchronization of the MAC address tables is handled uniformly by the control plane. All MAC aging is initiated by the VSI to which the member belongs, and the control plane synchronizes the aging of the MAC address in the associated VPNs and in the Super_VSI.
At the data forwarding level, the VPN_ID stored in the AC interface table and the PW attribute table is extended to store two pieces of VSI information: an access VPN_ID and a forwarding VPN_ID. If the two VPN_IDs are the same, ordinary VPLS forwarding is performed; if the access VPN_ID differs from the forwarding VPN_ID, VPLS forwarding is performed in the manner described below for this embodiment of the present invention.
All members are bound to the VPN to which they belong, which ensures that the device can forward according to the ordinary VSI. On a device that supports separating the access VSI from the forwarding VSI, a Super_VSI is specified in the configuration of each VSI, and by default the Super_VSI contains all members of every VSI. For a super member, the access VSI is the VSI to which it belongs, that is, MAC address learning and similar processing first learn into its own VSI, and its forwarding VSI is the Super_VSI; for an ordinary member, both the access VSI and the forwarding VSI are the VSI of the VPN to which it belongs. A super member is a member with the greatest privileges; it can be regarded as being in any VSI, but in practice it usually still resides in one particular VSI and simply has greater privileges. In a network, the VSI in which it resides can be chosen according to its attributes.
Taking the interworking of two VPNs as an example, the network architecture for cross-VPN mutual access shown in FIG. 4 contains two VPNs, VPN1 and VPN2. VPN1 contains CE31, CE32, CE33 and CE34, and VPN2 contains CE35, CE36 and CE37. The PEs are PE31, PE32, PE33 and PE34. PE31 is connected to PE32, PE33 and PE34 through PW31, PW32, PW33 and PW34. PE32 and CE33, and PE34 and CE35, are each connected through AC30; PE31 and CE31, and PE33 and CE34, are each connected through AC31; PE31 and CE32, and PE33 and CE37, are each connected through AC32; PE31 and CE36 are connected through AC33. On PE31, PW32 and AC31 are super members in VPN1; the other members of VPN1, including PW31, PW33, PW34, AC30, AC32 and AC33, are all ordinary members, and on PE31 PW33, PW34 and AC33 in VPN2 are all ordinary members. In practice, a member of a VSI is only a local concept and is not defined across different devices. The numbering is only a local concept; CE and PE numbers distinguish devices within the network, but the CEs and PEs are themselves different devices, so numbers can repeat.
In FIG. 4, if the VPN2 connection PW34 also exists between PE31 and PE33 and PW32 is additionally configured with the Super attribute, traffic sent from CE34 to CE36 is duplicated. In this case, CE34 is configured as a super member on PE33 and its traffic is sent to PE31 over PW32 and PW33 respectively; on PE31, PW32 is configured with the ordinary member attribute, so traffic received on PW32 at PE31 is forwarded within VSI1 and traffic received on PW34 is forwarded within VSI2.
VPN1 and VPN2 need to interwork across VPNs. VPN1 is configured with VSI1 and VPN2 with VSI2; VSI1 and VSI2 are ordinary VSIs. A Super_VSI is also defined here. The main difference between the Super_VSI and VSI1 and VSI2 is the forwarding members: VSI1 and VSI2 manage the ordinary members within their own VPNs (VPN1 and VPN2 respectively) and the super members that can access across VPN1 and VPN2, whereas the Super_VSI contains all members of both VPNs (VPN1 and VPN2). As shown in FIG. 4, VSI1 and VSI2 are established and cross-VPN mutual access between VPN1 and VPN2 exists on PE31; VSI1 on PE31 then contains four members, AC1, AC2, PW1 and PW2, and VSI2 contains two members, AC3 and PW3.
The configuration process includes: configuring the super member attribute (that is, cross-VPN access member) in VSI1 and VSI2; in FIG. 4, VSI1 has the super members AC1 and PW2, and VSI2 has no super members. A cross-VPN access flag, an access VPN_ID and a forwarding VPN_ID are set in the AC interface table and the PW attribute table. When the cross-VPN access flag is not set, the access VPN_ID and the forwarding VPN_ID are the same, namely the respective Local_VPN_ID, and the broadcast members include only the members of the instance itself. When the cross-VPN access flag is set, the following configuration is used: a Super_VSI is specified in the configuration of VSI1 and of VSI2, and the VPN_ID corresponding to the Super_VSI is Super_VPN_ID; the AC interface table or PW attribute table of each super member is modified so that its forwarding VPN_ID becomes Super_VPN_ID; all members of VSI1 and VSI2 are written into the broadcast table of the Super_VSI, and VSI1 and VSI2 each write the other's super members into their own broadcast table; VSI1 and VSI2 synchronize the MAC addresses learned before the Super_VSI was configured to the Super_VSI, and VSI1 synchronizes the MAC addresses learned on its super members to VSI2. This completes the configuration of the whole cross-VPN forwarding instance. As a result, addresses learned by super members in VSI1 are synchronized to VSI2, and addresses learned by super members in VSI2 are synchronized to VSI1; the broadcast table of the Super_VSI contains the indexes of all members of both VPNs; flows received by ordinary members are forwarded much as in ordinary VPLS forwarding, except that the forwarding table also contains the cross-VPN super members, which achieves communication control across VPNs.
When the Super_VSI needs to be deleted, the forwarding VPN_ID in the interface attributes of the super members in the VSIs is changed to Local_VPN_ID, the cross-VPN access flag is reset, and the super members of other VPNs contained in the broadcast tables of VSI1 and VSI2 are deleted, so that the service is forwarded as ordinary VPLS. The Super_VSI's own MAC addresses and broadcast table can then be deleted gradually.
FIG. 5 is a schematic diagram of the VPLS forwarding process in the cross-VPN mutual access example shown in FIG. 4. Its legend (inline images in the original, not reproduced here) marks super members, ordinary members, flows received by ordinary members in VPN1, flows received by ordinary members in VPN2, and flows received by super members; the black arrow lines indicate the MAC address synchronization process.
As shown in FIG. 8, when traffic is received on the ingress interface side, the AC table or the label attribute table is looked up to determine whether the interface is a super member, and the Local_VPN_ID and the forwarding VPN_ID are obtained from the AC interface table or the PW attribute table (the forwarding VPN_ID is Super_VPN_ID for a super member and Local_VPN_ID otherwise);
MAC address learning is then performed with SMAC + Local_VPN_ID, and the MAC address is learned by the VSI to which the member belongs; specifically, the MAC addresses of AC31, AC32, PW31 and PW32 are learned into VSI1, and the MAC addresses of AC33 and PW33 are learned into VSI2. For a super member, the learned MAC address is synchronized through the control plane to the Super_VSI and to the other VSI; for an ordinary member, the MAC address is synchronized only to the Super_VSI and not to the other VSI;
If the MAC address is found, unicast forwarding is performed according to DMAC + Super_VPN_ID for a super member and according to DMAC + Local_VPN_ID for an ordinary member. If the MAC address is not found, then for a flow received by a super member the broadcast table of the Super_VSI is looked up according to Super_VPN_ID and the packet is broadcast; for traffic received by an ordinary member the broadcast table is looked up according to the VSI to which it belongs and the packet is broadcast.
As shown in FIG. 9, the cross-VPN service processing may include the following steps:
Step 901: receive a packet;
Step 902: look up the AC interface table or the PW attribute table to obtain the super member attribute of the access side;
Specifically, the AC table or the label attribute table is looked up to determine whether the interface is a super member, and the Local_VPN_ID and the forwarding VPN_ID are obtained from the AC interface table or the PW attribute table (Super_VPN_ID for a super member interface, Local_VPN_ID otherwise);
Step 903: determine whether the member is a super member; if not, proceed to step 904; otherwise, proceed to step 905;
Step 904: learn the MAC address with SMAC + Local_VPN_ID; the control plane synchronizes the SMAC address to the VSIs of the other associated VPNs and to the Super_VSI; look up the forwarding table according to DMAC + Super_VPN_ID, and proceed to step 906;
Step 905: learn the MAC address with SMAC + Local_VPN_ID, synchronize the MAC address to the Super_VSI, and look up the forwarding table according to DMAC + Local_VPN_ID;
Step 906: determine whether the destination address has been found in the forwarding table; if not, proceed to step 907; otherwise, proceed to step 908;
Step 907: look up the broadcast table with Super_VPN_ID, replicate the packet and send it to the members one by one;
Step 908: determine whether the egress is a PW; if yes, proceed to step 909; otherwise, proceed to step 910;
Step 909: forward the packet locally through the AC; the current process ends;
Step 910: perform PW encapsulation and forward the packet; the current process ends.
For mutual access across VPNs, the above method is described using two VPNs only as an example; it is not limited to two, and mutual access among more than two VPNs can be implemented in the same way.
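The rule shared by both embodiments (learn the source MAC under the access VPN_ID, look up and flood under the forwarding VPN_ID, with control-plane MAC synchronization) can be exercised in a small model that audits which members can actually reach each other. This is an added example, not code from the patent or its applicant. The Iface and Pe classes, the audit helper, the VPN_ID strings and the R1/R2/L1/L2 member names are assumptions; the AC1/AC2/PW1/PW2/AC3/PW3 membership follows the PE31 description above, and PW split horizon is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:
    name: str
    access_vpn: str       # access VPN_ID: table in which the source MAC is learned
    fwd_vpn: str          # forwarding VPN_ID: table used for lookup and flooding
    sync_to: tuple = ()   # VSIs the control plane copies learned MACs into

class Pe:
    """Toy PE (assumed model): every AC/PW entry carries two VPN_IDs."""
    def __init__(self):
        self.ifaces, self.fdb, self.flood = {}, {}, {}

    def add(self, iface, flood_in):
        self.ifaces[iface.name] = iface
        for vpn in flood_in:                         # broadcast-table membership
            self.flood.setdefault(vpn, set()).add(iface.name)

    def receive(self, in_if, smac, dmac):
        """Return the set of egress members the frame is delivered to."""
        i = self.ifaces[in_if]
        for vpn in (i.access_vpn, *i.sync_to):       # learn, then control-plane sync
            self.fdb[(vpn, smac)] = in_if
        out = self.fdb.get((i.fwd_vpn, dmac))
        if out is not None:
            return {out} - {in_if}                   # known unicast
        return self.flood.get(i.fwd_vpn, set()) - {in_if}   # unknown: flood

# Embodiment 2 on PE31: VSI1 = AC1, AC2, PW1, PW2 (AC1 and PW2 super); VSI2 = AC3, PW3.
VPN_OF = {"AC1": "VSI1", "AC2": "VSI1", "PW1": "VSI1", "PW2": "VSI1",
          "AC3": "VSI2", "PW3": "VSI2"}
SUPER_MEMBERS = {"AC1", "PW2"}

def cross_vpn():
    pe = Pe()
    for name, vsi in VPN_OF.items():
        other = "VSI2" if vsi == "VSI1" else "VSI1"
        if name in SUPER_MEMBERS:   # flag set: forward in Super_VSI, sync to both
            pe.add(Iface(name, vsi, "SUPER", ("SUPER", other)), (vsi, other, "SUPER"))
        else:                       # flag clear: access VPN_ID == forwarding VPN_ID
            pe.add(Iface(name, vsi, vsi, ("SUPER",)), (vsi, "SUPER"))
    return pe

def cross_policy(src, dst):
    return VPN_OF[src] == VPN_OF[dst] or src in SUPER_MEMBERS or dst in SUPER_MEMBERS

# Embodiment 1 (E-TREE): constructed members, two Roots and two Leaves.
ROLE = {"R1": "root", "R2": "root", "L1": "leaf", "L2": "leaf"}

def etree(l2_fwd="ROOT"):
    """l2_fwd="NORMAL" models a Leaf whose forwarding VPN_ID was never split off."""
    pe = Pe()
    for name, role in ROLE.items():
        if role == "root":          # Root: learn and forward in Normal_VSI, sync to Root_VSI
            pe.add(Iface(name, "NORMAL", "NORMAL", ("ROOT",)), ("NORMAL", "ROOT"))
        else:                       # Leaf: learn in Normal_VSI, forward in Root_VSI
            fwd = l2_fwd if name == "L2" else "ROOT"
            pe.add(Iface(name, "NORMAL", fwd), ("NORMAL",))
    return pe

def etree_policy(src, dst):
    return not (ROLE[src] == "leaf" and ROLE[dst] == "leaf")

def audit(pe, may_talk):
    """Let every member send once (so all MACs are learned), then try every
    src -> dst pair and return the deliveries that the policy forbids."""
    mac = {n: "mac-" + n for n in pe.ifaces}         # constructed MAC labels
    for n in pe.ifaces:
        pe.receive(n, mac[n], "mac-unknown")
    bad = []
    for s in pe.ifaces:
        for d in pe.ifaces:
            if s != d:
                outs = pe.receive(s, mac[s], mac[d])
                bad += [(s, o) for o in sorted(outs) if not may_talk(s, o)]
    return bad

if __name__ == "__main__":
    print("cross-VPN violations:", audit(cross_vpn(), cross_policy))
    print("E-TREE violations:", audit(etree(), etree_policy))
    print("misconfigured Leaf:", audit(etree(l2_fwd="NORMAL"), etree_policy))
```

audit returns an empty list for both configurations and a single ("L2", "L1") entry when a Leaf's forwarding VPN_ID is left equal to its access VPN_ID, which shows that the isolation between Leaves, and between ordinary members of different VPNs, rests entirely on the per-interface forwarding VPN_ID and on which tables the control plane synchronizes.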
An embodiment of the present invention further describes a storage medium storing a computer program, the computer program being configured to execute the VPN packet processing method of the foregoing embodiments.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Industrial applicability
By separately configuring an access VSI and a forwarding VSI on an interface, the present invention allows a designated interface to perform forwarding based on the forwarding table of the forwarding VSI. This improves the handling of members and of split horizon in VPLS networking, reduces the impact of useless broadcast replication on the device's internal bandwidth, and improves VPLS forwarding performance.
The above is merely a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention.

Claims (19)

  1. A packet processing method for a virtual private network (VPN), wherein the method comprises:
    for any PW interface or AC interface, separately configuring an access VSI and a forwarding VSI;
    for a designated interface, performing access processing according to the access VSI and then performing forwarding processing according to the forwarding VSI.
  2. The method according to claim 1, wherein, for a point-to-multipoint E-TREE service, separately configuring the access VSI and the forwarding VSI comprises:
    the access VSI is bound to all members of the current E-TREE service and contains index information of all the members;
    the forwarding VSI contains index information of the Root members.
  3. The method according to claim 1 or 2, wherein, for the E-TREE service, separately configuring the access VSI and the forwarding VSI comprises:
    the broadcast table of the access VSI contains broadcast information of all members of the E-TREE service; the forwarding VSI contains broadcast information of all Root members of the E-TREE service;
    MAC addresses on all members of the E-TREE service are learned into the access VSI; for Root members of the E-TREE service, the MAC addresses already learned into the access VSI are synchronized to the forwarding VSI.
  4. The method according to claim 1, wherein, for a cross-VPN interworking service in which two or more VPNs interwork, separately configuring the access VSI and the forwarding VSI comprises:
    there are two or more access VSIs, corresponding respectively to the VPNs that interwork across VPNs, and each access VSI contains index information of ordinary members, which can interwork only within the VPN to which they belong, and index information of super members, which can access across VPNs;
    the forwarding VSI contains the member index information of all the access VSIs.
  5. The method according to claim 1 or 4, wherein, for a cross-VPN interworking service in which two or more VPNs interwork, separately configuring the access VSI and the forwarding VSI comprises:
    all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes the members of its own VSI and the super members of the other access VSIs into its own broadcast table;
    each access VSI synchronizes the MAC addresses it has learned to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  6. The method according to claim 1, 2 or 4, wherein separately configuring the access VSI and the forwarding VSI comprises:
    configuring a member attribute in the AC interface table or the PW attribute table, the member attribute being configured to identify whether the current interface is the designated interface;
    configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, the access VPN_ID corresponding to the access VSI and the forwarding VPN_ID corresponding to the forwarding VSI;
    when the member attribute identifies the current interface as the designated interface, the access VPN_ID differs from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  7. The method according to claim 6, wherein performing access processing according to the access VSI and performing forwarding processing according to the forwarding VSI comprises:
    performing MAC address learning according to the access VPN_ID and looking up the forwarding table using the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
  8. The method according to claim 1 or 7, wherein the method further comprises:
    for interfaces other than the designated interface, both access processing and forwarding processing are performed according to the access VSI.
  9. The method according to claim 1 or 7, wherein the method comprises:
    for a Leaf member of an E-TREE service, which can interwork with only some of the members, or a super member of a cross-VPN interworking service, which can access across VPNs, performing access processing according to the access VSI and forwarding processing according to the forwarding VSI;
    for a Root member of an E-TREE service, or an ordinary member of a cross-VPN interworking service, performing both access processing and forwarding processing according to the access VSI.
  10. 一种虚拟专用网VPN的报文处理装置,其中,所述装置包括:A packet processing device for a virtual private network VPN, where the device includes:
    配置单元,配置为对任意一个PW接口或AC接口,分离配置接入VSI和转发用VSI;The configuration unit is configured to connect to the VSI and the VSI for forwarding on any PW interface or AC interface.
    处理单元,配置为对于指定接口,根据所述接入VSI进行接入处理,再根据所述转发用VSI进行转发处理。The processing unit is configured to perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  11. 根据权利要求10所述的装置,其中,对于点到多点E-TREE业务,所述配置单元配置为分离配置接入VSI和转发用VSI,包括:The apparatus according to claim 10, wherein, for the point-to-multipoint E-TREE service, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
    所述接入VSI绑定当前E-TREE业务的所有成员,包含所有成员的索引信息;The access VSI is bound to all members of the current E-TREE service, and includes index information of all members;
    所述转发用VSI包含中Root成员的索引信息。The forwarding VSI includes index information of the middle member.
  12. 根据权利要求10或11所述的装置,其中,The apparatus according to claim 10 or 11, wherein
    对于E-TREE业务,所述配置单元配置为分离配置接入VSI和转发用VSI,包括:所述接入VSI的广播表包含E-TREE业务所有成员的广播信息,所述转发用VSI包含E-TREE业务所有Root成员的广播信息;E-TREE业务中所有成员上的MAC地址学习到所述接入VSI,对于E-TREE业务中的Root成员,将其已学习到接入VSI的MAC地址同步到所述转发用VSI。For the E-TREE service, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including: the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the forwarding VSI includes E - The broadcast information of all the root members of the TREE service; the MAC address of all members in the E-TREE service learns the access VSI, and the root member of the E-TREE service learns the MAC address of the access VSI. Synchronize to the forwarding VSI.
  13. 根据权利要求10所述的装置,其中,对于跨VPN互通业务,两个或两个以上VPN互通时,所述配置单元配置为分离配置接入VSI和转发用VSI,包括:The device according to claim 10, wherein, for the inter-VPN interworking service, when two or more VPNs are interconnected, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
    there are two or more access VSIs, each corresponding to one of the VPNs that interwork across VPNs; each access VSI contains index information of ordinary members, which can only communicate within the VPN to which they belong, and index information of super members, which can access one another across VPNs;
    the forwarding VSI contains the member index information of all access VSIs.
  14. The apparatus according to claim 10 or 13, wherein, for a cross-VPN interworking service in which two or more VPNs interwork, the configuration unit being configured to separately configure the access VSI and the forwarding VSI comprises:
    writing all members of each access VSI into the broadcast table of the forwarding VSI; each access VSI writing its own members and the super members of the other access VSIs into its own broadcast table;
    each access VSI synchronizing the MAC addresses it has learned to the forwarding VSI; each access VSI synchronizing the MAC addresses learned on its super members to the other access VSIs.
  15. The apparatus according to claim 10, 11 or 13, wherein the configuration unit being configured to separately configure the access VSI and the forwarding VSI comprises:
    configuring a member attribute in the AC interface table or the PW attribute table, the member attribute being configured to identify whether the current interface is the designated interface;
    configuring an access VPN_ID and a forwarding VPN_ID in the AC interface table or the PW attribute table, the access VPN_ID corresponding to the access VSI and the forwarding VPN_ID corresponding to the forwarding VSI;
    when the member attribute identifies the current interface as the designated interface, the access VPN_ID differs from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  16. The apparatus according to claim 15, wherein the processing unit being configured to perform access processing according to the access VSI and forwarding processing according to the forwarding VSI comprises:
    performing MAC address learning according to the access VPN_ID, and looking up the forwarding table using the forwarding VPN_ID; if the destination address is found, performing MAC address unicast processing and forwarding according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, looking up the broadcast table of the forwarding VSI according to the forwarding VPN_ID and performing broadcast forwarding.
  17. The apparatus according to claim 10 or 16, wherein the processing unit is further configured such that, for interfaces other than the designated interface, both access processing and forwarding processing are performed according to the access VSI.
  18. The apparatus according to claim 10 or 16, wherein the processing unit is configured to:
    for a Leaf member in an E-TREE service, which can only communicate with some of the members, or a super member in a cross-VPN interworking service, which can access other VPNs, perform access processing according to the access VSI and forwarding processing according to the forwarding VSI;
    for a Root member in an E-TREE service, or an ordinary member in a cross-VPN interworking service, perform both access processing and forwarding processing according to the access VSI.
  19. A storage medium storing a computer program, the computer program being configured to execute the VPN packet processing method according to any one of claims 1 to 9.
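The following Python model is an added example, not code from the patent. It applies the broadcast-table and MAC-synchronization rules of claim 14 and the learn-by-access-VPN_ID, look-up-by-forwarding-VPN_ID rule of claims 15 to 18 on a single PE, so the resulting reachability between ordinary and super members can be checked. The `PE` class, the interface names, the MAC strings and the forwarding VPN_ID label `F` are assumptions made for the illustration.

```python
from collections import defaultdict

F = "F"  # forwarding VPN_ID; the label is constructed for this example

class PE:
    def __init__(self, members):
        # members: iface -> (access VPN_ID, is_super); models the AC/PW attribute table
        self.members = members
        self.vsis = {vpn for vpn, _ in members.values()}
        self.mac = defaultdict(dict)   # VPN_ID -> {MAC: iface}
        self.bcast = defaultdict(set)  # VPN_ID -> broadcast table
        for iface, (vpn, is_super) in members.items():
            self.bcast[F].add(iface)    # forwarding VSI lists every member
            self.bcast[vpn].add(iface)  # access VSI lists its own members ...
            if is_super:                # ... and other VSIs' super members
                for other in self.vsis - {vpn}:
                    self.bcast[other].add(iface)

    def receive(self, iface, src, dst):
        """Learn src, then return the set of egress interfaces for dst."""
        vpn, is_super = self.members[iface]
        self.mac[vpn][src] = iface  # learn under the access VPN_ID
        self.mac[F][src] = iface    # synchronize to the forwarding VSI
        if is_super:                # super-member MACs go to other access VSIs
            for other in self.vsis - {vpn}:
                self.mac[other][src] = iface
        fwd = F if is_super else vpn  # IDs differ only on designated interfaces
        out = self.mac[fwd].get(dst)
        if out is not None:
            return {out} - {iface}        # known destination: unicast
        return self.bcast[fwd] - {iface}  # unknown: flood the forwarding-side table

def demo():
    # Constructed topology: VPN A and VPN B, one ordinary and one super member each.
    pe = PE({"a1": ("A", False), "sA": ("A", True),
             "b1": ("B", False), "sB": ("B", True)})
    return [
        pe.receive("a1", "mac-a1", "mac-b1"),  # ordinary A -> ordinary B
        pe.receive("b1", "mac-b1", "mac-a1"),  # ordinary B -> ordinary A
        pe.receive("sA", "mac-sA", "mac-b1"),  # super A -> ordinary B
        pe.receive("b1", "mac-b1", "mac-sA"),  # ordinary B -> super A
        pe.receive("a1", "mac-a1", "mac-b1"),  # retry after b1 is learned
    ]

if __name__ == "__main__":
    for egress in demo():
        print(sorted(egress))
```

In this model a frame from an ordinary member of one VPN never egresses on an ordinary member of the other VPN, even after the forwarding VSI has learned the destination MAC, because ordinary members look up only their own access VSI.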
PCT/CN2014/086667 2014-03-24 2014-09-16 Vpn packet processing method and apparatus and storage medium WO2015143849A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410112715.6 2014-03-24
CN201410112715.6A CN104954255B (en) 2014-03-24 2014-03-24 VPN message processing method and device

Publications (1)

Publication Number Publication Date
WO2015143849A1 true WO2015143849A1 (en) 2015-10-01

Family

ID=54168621

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/086667 WO2015143849A1 (en) 2014-03-24 2014-09-16 Vpn packet processing method and apparatus and storage medium

Country Status (2)

Country Link
CN (1) CN104954255B (en)
WO (1) WO2015143849A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106169969B (en) * 2016-08-31 2020-01-10 华为技术有限公司 Method, related equipment and system for establishing label switching path of virtual private network
CN108574630B (en) * 2017-03-14 2020-06-02 华为技术有限公司 EVPN message processing method, device and system
CN109474527B (en) * 2018-12-13 2021-04-06 新华三技术有限公司成都分公司 Message forwarding method and device
CN111800328A (en) * 2020-06-22 2020-10-20 上海益络信息技术有限公司 VPN message processing method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1921441A (en) * 2006-09-28 2007-02-28 华为技术有限公司 Method and device for message transfer of virtual private local area network
CN102045250A (en) * 2009-10-26 2011-05-04 杭州华三通信技术有限公司 Forwarding method for multicast message in VPLS, and service provider edge equipment
CN102170385A (en) * 2010-02-27 2011-08-31 华为技术有限公司 Method for transmitting Ethernet frame in Ethernet tree business and provider edge device
US20130227673A1 (en) * 2012-02-27 2013-08-29 Electronics And Telecommunications Research Institute Apparatus and method for cloud networking

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499584C (en) * 2005-12-02 2009-06-10 中兴通讯股份有限公司 Method for realizing virtual special local network service broadcast
CN102325073B (en) * 2011-07-06 2016-06-29 杭州华三通信技术有限公司 A kind of message processing method based on VPLS and device thereof

Also Published As

Publication number Publication date
CN104954255B (en) 2019-12-24
CN104954255A (en) 2015-09-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14887539

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14887539

Country of ref document: EP

Kind code of ref document: A1