WO2015143849A1 - Virtual private network (VPN) packet processing method and apparatus, and storage medium - Google Patents

Virtual private network (VPN) packet processing method and apparatus, and storage medium

Publication number
WO2015143849A1
Authority
WO
WIPO (PCT)
Prior art keywords
vsi
forwarding
access
vpn
members
Application number
PCT/CN2014/086667
Other languages
English (en)
Chinese (zh)
Inventor
张宝亚
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/64: Hybrid switching systems
    • H04L12/6418: Hybrid transport

Definitions

  • the invention relates to the field of multi-protocol label switching (MPLS) virtual private network (VPN) packet communication technology, and in particular, to a VPN message processing method and device, and a storage medium.
  • MPLS multi-protocol label switching
  • VPN virtual private network
  • Virtual Private LAN Service (VPLS) is a widely used Layer 2 Virtual Private Network (L2VPN) technology, commonly used for VPN interconnection of enterprise users.
  • In VPLS, the edge router (PE, Provider Edge) maintains a forwarding table for the different VPN users through the Virtual Switch Instance (VSI).
  • PE Edge router
  • VSI Virtual Switch Instance
  • the forwarding tables of the VSIs are independent of each other, which ensures service isolation and the private nature of the services.
  • VPLS implements the forwarding of services between different VPN users through a VSI.
  • some nodes cannot directly communicate with each other.
  • the VPLS must then carry many invalid broadcast copies, which not only waste system bandwidth and cause internal circuit blockage, but also reduce the forwarding performance of VPLS.
  • the technical problem to be solved by the present invention is to provide a VPN message processing method and device, and a storage medium.
  • a packet processing method for a virtual private network (VPN) includes:
  • the access VSI and the forwarding VSI are separately configured.
  • the access processing is performed according to the access VSI, and then the forwarding process is performed according to the forwarding VSI.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the access VSI is bound to all members of the current E-TREE service, and includes index information of all members;
  • the forwarding VSI includes index information of the root member.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the forwarding VSI includes broadcast information of all the root members of the E-TREE service;
  • the MAC addresses of all members in the E-TREE service are learned into the access VSI; for the Root members in the E-TREE service, the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • separately configuring the access VSI and the forwarding VSI includes:
  • there are two or more access VSIs, one for each of the VPNs that interwork across VPNs; each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • separately configuring the access VSI and the forwarding VSI includes:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • separately configuring the access VSI and the forwarding VSI includes:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the access processing is performed according to the access VSI
  • the forwarding processing is performed according to the forwarding VSI, including:
  • MAC address learning is performed according to the access VPN_ID, and the forwarding table is searched using the forwarding VPN_ID. If the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and broadcast forwarding is performed.
  • the method further includes:
  • the access processing and forwarding processing are performed according to the access VSI.
  • the method includes:
  • for leaf members, which can communicate with only some members, or super members of a cross-VPN interworking service, which can communicate across VPNs, access processing is performed according to the access VSI and forwarding processing is performed according to the forwarding VSI;
  • the access processing and forwarding processing are performed according to the access VSI.
  • a packet processing device for a virtual private network (VPN) includes:
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI for any PW interface or AC interface;
  • the processing unit is configured to perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • the access VSI is bound to all members of the current E-TREE service, and includes index information of all members;
  • the forwarding VSI includes index information of the root member.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including: the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the forwarding VSI includes the broadcast information of all the root members of the E-TREE service; the MAC addresses of all members in the E-TREE service are learned into the access VSI, and for the root members of the E-TREE service, the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • when two or more VPNs interwork, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • there are two or more access VSIs, one for each of the VPNs that interwork across VPNs; each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • when two or more VPNs interwork, the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • the configuration unit is configured to separately configure the access VSI and the forwarding VSI, including:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the processing unit is configured to perform access processing according to the access VSI, and perform forwarding processing according to the forwarding VSI, including:
  • MAC address learning is performed according to the access VPN_ID, and the forwarding table is searched using the forwarding VPN_ID. If the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and broadcast forwarding is performed.
  • the processing unit is further configured to: perform access processing and forwarding processing on the interfaces other than the designated interface according to the access VSI.
  • the processing unit is configured to:
  • for leaf members, which can communicate with only some members, or super members of a cross-VPN interworking service, which can communicate across VPNs, access processing is performed according to the access VSI and forwarding processing is performed according to the forwarding VSI;
  • the access processing and forwarding processing are performed according to the access VSI.
  • a storage medium storing a computer program configured to execute the aforementioned VPN message processing method.
  • the VPN message processing method and device provided by the embodiment of the present invention configure an access VSI and a forwarding VSI on the interface and perform forwarding processing based on the forwarding table in the forwarding VSI. This improves the processing of members and of horizontal split in the VPLS network, reduces the impact of invalid broadcast replication on the internal bandwidth of the device, and improves VPLS forwarding performance.
  • FIG. 1 is a flowchart of a method for processing a VPN packet according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of constructing a forwarding entry in a VPN packet processing method according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a structure of a VPN packet processing apparatus according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a networking example of an E-TREE service
  • FIG. 5 is a schematic diagram of an E-TREE networking structure and VPN packet processing according to an embodiment of the present invention
  • FIG. 6 is a flowchart of a method for processing a VPN packet in an E-TREE service according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of networking of a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • FIG. 8 is a schematic diagram of processing VPN packets in a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • FIG. 9 is a flowchart of a VPN packet processing method in a cross-VPN interworking service according to Embodiment 2 of the present invention.
  • two VSIs are configured, one VSI is an access VSI and the other VSI is a forwarding VSI; that is, for any one PW interface or AC interface, the access VSI and the forwarding VSI are configured separately.
  • the egress encapsulation information is determined by the access VSI.
  • the forwarding VSI stores the forwarding table and indexes the egress encapsulation, but does not process the packet encapsulation.
  • the MAC address is learned by the access VSI.
  • The forwarding VSI saves the forwarding table. In actual applications, whether the access VSI and the forwarding VSI are separated can be determined automatically according to the networking type, or specified by command configuration.
  • the VPN packet processing method may include the following steps:
  • Step 101: Separately configure the access VSI and the forwarding VSI for any one of the PW interfaces or the AC interfaces.
  • separately configuring the access VSI and the forwarding VSI includes: the access VSI is bound to all members of the current E-TREE service and includes index information of all members;
  • the forwarding VSI includes index information of the root member.
  • each access VSI includes common member index information that can communicate with each other only in the VPN to which it belongs, and super member index information that can communicate with each other across the VPN.
  • the forwarding VSI includes member index information of all access VSIs.
  • Step 102: Perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the process of separately configuring the access VSI and the forwarding VSI may include: configuring a member attribute in the AC interface table or the PW attribute table, where the member attribute is configured to identify whether the current interface is the designated interface; configuring the access VPN_ID and the forwarding VPN_ID in the AC interface table or the PW attribute table, where the access VPN_ID corresponds to the access VSI and the forwarding VPN_ID corresponds to the forwarding VSI; when the member attribute identifies that the current interface is the designated interface, the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • performing access processing according to the access VSI, and performing forwarding processing according to the forwarding VSI, may include: performing MAC address learning according to the access VPN_ID, and using the forwarding VPN_ID to search the forwarding table; if the destination address is found, MAC address unicast processing is performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID, and broadcast forwarding is performed.
  • in step 102, access processing and forwarding processing are performed according to the access VSI for interfaces other than the designated interface. In practice, whether an interface is the designated interface can be determined from the member attribute configured on the interface.
  • a leaf member, which can communicate with only some members of the E-TREE service, or a super member, which can communicate across VPNs in the inter-VPN interworking service, performs access processing according to the access VSI, and performs forwarding processing according to the forwarding VSI;
  • the access processing and forwarding processing are performed according to the access VSI.
  • the interface table, the forwarding table, and the encapsulation table are configured according to FIG. 1 to implement the VPN packet processing in the embodiment of the present invention.
  • InVPN_ID indicates access VPN_ID, corresponding to access VSI
  • FwVPN_ID indicates forwarding VPN_ID, corresponding to forwarding VSI. For the specified interface, you need to use FwVPN_ID to find the forwarding table when forwarding.
  • the egress encapsulation pointer in the forwarding table corresponding to the InVPN_ID and the egress encapsulation pointer of the forwarding table corresponding to the FwVPN_ID may be the same, which indicates forwarding from the same interface.
  • the Flag bit representing the member attribute can be set only on the designated interface. If the current interface has the Flag set, the current interface is the designated interface. If the current interface does not have the Flag set, the current interface is not the designated interface.
  • the Flag can be set on the leaf member interfaces of the E-TREE service and/or the super member interfaces of the inter-VPN interworking service; the root member interfaces of the E-TREE service and/or the normal member interfaces of the inter-VPN interworking service do not set this Flag. In this way, in the E-TREE service and the inter-VPN interworking service, it is only necessary to check whether the Flag bit exists in the AC interface table or the PW attribute table to judge whether an interface is the designated interface.
  • the processing model of the E-TREE network and the cross-VPN network forwarding plane can be unified by the control table shown in Figure 2, and can be determined by the control plane whether it is E-TREE networking or cross-VPN networking.
  • the Flag identifying the member attribute can be reset or deleted to be compatible with normal VPLS forwarding.
  • the VPN packet processing apparatus may include:
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI for any one of the PW interfaces or the AC interfaces.
  • the processing unit 32 is configured to perform access processing according to the access VSI for the designated interface, and perform forwarding processing according to the forwarding VSI.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including: the access VSI is bound to all members of the current E-TREE service and includes index information of all members;
  • the forwarding VSI includes index information of the root member, and the root member can communicate with any other member of the current E-TREE service.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including: the broadcast table of the access VSI includes broadcast information of all members of the E-TREE service, and the forwarding VSI includes the broadcast information of all the root members of the E-TREE service; the MAC addresses of all the members in the E-TREE service are learned into the access VSI, and for the root members of the E-TREE service, the MAC addresses learned into the access VSI are synchronized to the forwarding VSI.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including:
  • there are two or more access VSIs, which respectively correspond to the VPNs that interwork across VPNs.
  • Each access VSI includes index information of the common members, which can communicate only within the VPN to which they belong, and index information of the super members, which can communicate across VPNs;
  • the forwarding VSI includes member index information of all access VSIs.
  • the configuration unit 31 is configured to separately configure the access VSI and the forwarding VSI, including:
  • all members of each access VSI are written into the broadcast table of the forwarding VSI; each access VSI writes its own members and the super members of the other access VSIs into its own broadcast table;
  • each access VSI synchronizes its learned MAC addresses to the forwarding VSI; each access VSI synchronizes the MAC addresses learned on its super members to the other access VSIs.
  • the configuration unit 31 is configured to separately configure the access VSI and the VSI for forwarding, and may include:
  • the member attribute is configured to identify whether the current interface is the specified interface.
  • the access VPN_ID and the forwarding VPN_ID are configured in the AC interface table or the PW attribute table, and the access VPN_ID corresponds to the access VSI, and the forwarding VPN_ID corresponds to the forwarding VSI;
  • the access VPN_ID is different from the forwarding VPN_ID; otherwise, the access VPN_ID is the same as the forwarding VPN_ID.
  • the processing unit 32 is configured to perform access processing according to the access VSI, and perform forwarding processing according to the forwarding VSI, including: performing MAC address learning according to the access VPN_ID, and using the forwarding VPN_ID to look up the forwarding table; if the destination address is found, MAC address unicast processing and forwarding are performed according to the forwarding VPN_ID of the corresponding forwarding VSI; if the destination address is not found, the broadcast table of the forwarding VSI is looked up according to the forwarding VPN_ID and the packet is broadcast.
  • the processing unit 32 is further configured to perform access processing and forwarding processing on the interfaces other than the designated interface according to the access VSI.
  • the processing unit 32 is configured to: for a leaf member, which can communicate with only some members of the E-TREE service, or a super member, which can communicate across VPNs, perform access processing according to the access VSI and perform forwarding processing according to the forwarding VSI; for a root member of the E-TREE service and a normal member of the inter-VPN interworking service, perform both access processing and forwarding processing according to the access VSI.
  • the VPN packet processing method and device provided by the embodiments of the present invention can be applied to multiple scenarios such as VPLS Hub-Spoke, multiple E-TREEs, and cross-VPN interworking networks. It should be noted that the separation of the access VSI and the forwarding VSI in the various embodiments of the present invention is also applicable to the virtual Pseudo Wire Service (VPWS). The specific implementation process is similar and will not be described again.
  • VPWS virtual Pseudo Wire Service
  • the Leaf node prevents member interworking through member isolation or PW horizontal splitting.
  • the flow diagram is an example of a plurality of E-TREE networks.
  • the E-TREE network includes one Root-PE, two Leaf-PEs, and four CEs, of which CE11 and CE12 are root CEs, and CE13 and CE14 are leaf CEs.
  • CE13 is connected to the root-PE through Leaf-PE11.
  • the CE14 is connected to the root-PE through Leaf-PE12.
  • Both CE11 and CE12 are connected to the root-PE.
  • the CE and the PE communicate with each other through the AC interface.
  • the PE and the PE communicate with each other through the PW interface.
  • the AC11 interface is between CE11 and the root-PE.
  • the AC12 interface is between CE12 and the local device.
  • the AC13 interface is between CE11 and Leaf-PE11.
  • the AC14 interface is between CE14 and Leaf-PE12.
  • the PW11 interface is between the Leaf-PE11 and the Root-PE.
  • the PW12 interface is between the Leaf-PE12 and the Root-PE.
  • the Leaf interface is not interoperable. That is to say, in the E-TREE service, Leaf members cannot communicate with each other.
  • VSIs are defined: Normal_VSI and Root_VSI. After configuring E-TREE, configure the specified Root_VSI for Normal_VSI. In this way, two VSIs are created for the VPN.
  • the Normal_VSI contains the indexes of all members (including the Root members and the Leaf members), which is similar to the VSI used by the E-TREE service in the related art.
  • the Root_VSI contains only the index information of all the root members and is not used for service binding. Specifically, for a root member, since it can communicate with any member, the forwarding table of its forwarding VSI includes all the root member indexes and the leaf member indexes, and the corresponding forwarding table is managed by Normal_VSI; for a Leaf member, since it can communicate only with the Root members, the corresponding forwarding table is managed by the Root_VSI.
  • the device can forward based on Normal_VSI.
  • forwarding can be performed based on the above two VSIs.
  • the Normal_VSI handles signaling management and is responsible for the maintenance of the PW.
  • the Root_VSI is not responsible for the signaling management.
  • the forwarding table member contains the PW of the root type established by the Normal_VSI, and is only the VPN of the local attribute.
  • the difference between Normal_VSI and Root_VSI is that the MAC addresses and the broadcast table forwarding entries they contain are different.
  • the MAC address learning is determined by the access VSI of the AC or the PW. Therefore, in the embodiment of the present invention, the default MAC address is learned in the Normal_VSI to ensure compatibility with the normal E-TREE address learning.
  • the broadcast table of the Normal_VSI includes broadcast information of all members in the E-TREE, whether for AC or PW; the broadcast table in the Root_VSI only contains broadcast information of all the root members.
  • when the Root_VSI is specified for the Normal_VSI, the MAC addresses learned by the root members are synchronized to the Root_VSI.
  • a broadcast table containing all the root members is created for the Root_VSI.
  • the root member learns the MAC address in the Normal_VSI and needs to synchronize with the Root_VSI through the control plane to forward the stream received by the Leaf interface.
  • MAC address learning for a Leaf member is the same as normal VPLS MAC processing, and the MAC address does not need to be synchronized to the Root_VSI.
  • for Leaf members, the access VSI is Normal_VSI, that is, MAC addresses are first learned into the Normal_VSI, but the forwarding VSI is Root_VSI; for Root members, the VSI for both access and forwarding is Normal_VSI.
  • the cross-VSI synchronization of the MAC address table is handled uniformly by the control plane; MAC aging is initiated by the Normal_VSI, and the aging of the MAC addresses in the associated Root_VSI is synchronized by the control plane.
  • the VPN_ID saved in the interface attribute table may be extended, and two types of IDs are saved: one is the access VPN_ID, and the other is the VPN_ID for forwarding; If the access VPN_ID is the same as the forwarding VPN_ID, the normal VPLS forwarding process is used. If the access VPN_ID is different from the forwarding VPN_ID, the VPLS forwarding process is performed by using the two VSIs in the embodiment of the present invention.
  • when the VPLS forwarding process is performed, if the access VPN_ID is the same as the forwarding VPN_ID, the normal VPLS forwarding process is used; if the access VPN_ID is different from the forwarding VPN_ID, access processing is performed based on the Normal_VSI and forwarding processing is performed based on the Root_VSI; for Root members, both access and forwarding are based on Normal_VSI.
  • the broadcast forwarding table of a leaf member includes only the information about the root members, which reduces leaf-to-leaf isolation filtering and improves the broadcast performance.
  • the root member is the same as the original forwarding, as long as the port is isolated.
  • the isolation processing between the above-mentioned processing Leaf members is also naturally supported, and the unicast does not need to be additionally subjected to member isolation processing.
  • the switching process between normal E-TREE forwarding and efficient E-TREE forwarding is well guaranteed, and the handover process does not affect traffic forwarding.
  • as shown in FIG. 2, a schematic diagram of an E-TREE networking in the embodiment of the present invention, the E-TREE network includes five CEs (CE21, CE22, CE23, CE24, CE25) and four PEs (PE21, PE21, PE23, and PE24), where CE21, CE22, and CE23 are Leaf CEs, CE24 and CE25 are Root CEs, and CE21, CE22, and CE23 are connected to PE23, PE21, and PE22 through AC interfaces.
  • PE21 and PE22 are connected to PEs through PE interfaces.
  • the PE23 is connected to the PW24.
  • the PW23 is connected to the PW24 through the PW interface.
  • the CE24 and CE25 which are the root nodes, are connected to the PE24 and PW23 through the AC interface.
  • two separate VSIs are configured: Normal_VSI and Root_VSI. All members (including the root member and the leaf member) are bound to the Normal_VSI.
  • the Normal_VSI contains index information of all members (including the root member and the leaf member), similar to the VSI used by the E-TREE service in the related art.
  • the Root_VSI contains only the index information of all the root members and is not used for service binding.
  • the normal E-TREE forwarding normal_VSI instance is set up, and the PE23 is configured as the E-TREE service.
  • the AC interface table and the PW attribute table each set the member attribute flag (i.e., the Leaf/Root attribute flag) and the VPN identifiers of the E-TREE service (access VPN_ID and forwarding VPN_ID);
  • the Root_VSI includes all the Root members in the E-TREE and sets the Root_VPN_ID. If the Normal_VSI has learned MAC addresses before the Root_VSI is configured, the MAC addresses learned by the Root members in the Normal_VSI are synchronized to the Root_VSI;
  • the forwarding VPN_ID is used as the Root_VPN_ID
  • the access VPN_ID is used as the Normal_VSI_ID
  • the access VPN_ID and the forwarding VPN_ID are the same, and both are used as the Normal_VSI_ID.
  • when the Root_VSI of the Normal_VSI is deleted, it is only necessary to change the forwarding VPN_ID set in the interface attribute of the Leaf members in the E-TREE to Normal_VPN_ID. The Root_VSI's own MAC addresses and broadcast table can be deleted slowly.
  • the normal VSI is used as the access VSI for data forwarding and MAC address learning, and then the Root_VSI is used as the forwarding VSI for MAC address unicast forwarding or broadcast forwarding.
  • the normal_VSI performs the outbound interface encapsulation to complete the packet forwarding.
  • the normal_VSI is used as the access VSI and the forwarding VSI, and the data forwarding and MAC address learning, MAC address unicast processing, or broadcast forwarding are performed according to the Normal_VSI.
  • the packet forwarding is complete.
  • both the Leaf member and the Root member learn MAC address from the Normal_VSI, perform MAC synchronization to the Root_VSI, and synchronize the MAC addresses of all the Root members to the Root_VSI.
  • the forwarding process of the E-TREE service is as follows: when traffic is received on an interface, the AC interface table or the PW attribute table is looked up to obtain the Leaf/Root attribute of the interface; the Leaf/Root attribute is used to determine whether the member is a Leaf member or a Root member. If the traffic is received from a Root member, the access VPN_ID and the forwarding VPN_ID in the Root interface attribute table are the same, and both are Normal_VPN_ID. If the traffic is received from a Leaf member, the Leaf interface attribute table has two VPN_IDs: a Normal_VPN_ID and a Root_VPN_ID;
  • for a Root member, MAC address learning is performed according to SMAC+Normal_VPN_ID, and a new MAC address is synchronized to the Root_VSI through the control plane; for a Leaf member, the MAC address is also learned according to SMAC+Normal_VPN_ID, but it is not synchronized to the Root_VSI;
  • for a Root member, MAC address unicast forwarding is performed according to DMAC+Normal_VPN_ID; for a Leaf member, MAC address unicast forwarding is performed according to DMAC+Root_VPN_ID;
  • the broadcast table of the Normal_VSI is looked up according to the Normal_VPN_ID and the packet is broadcast.
  • the broadcast table of the Root_VSI is searched according to the Root_VPN_ID and broadcasted.
  • the specific implementation process of the E-TREE service forwarding process may include the following steps:
  • Step 601: Receive a message on the AC or PW;
  • Step 602: Search the AC interface table or the PW attribute table. If the packet is received on the AC, the AC interface table is searched. If the packet is received on the PW, the PW attribute table is searched.
  • Step 603: Determine whether the member on which the message was received is a Leaf member; if yes, proceed to step 604; if not, proceed to step 605;
  • the member attribute flag (i.e., the Leaf/Root attribute flag) set in the AC interface table and the PW attribute table may be used to determine whether the member on which the packet was received is a Leaf member.
  • Step 604: Perform MAC address learning according to SMAC (source MAC, Media Access Control) + Normal_VPN_ID, search the forwarding table using DMAC + the Root_VPN_ID associated with the AC or PW, and proceed to step 606;
  • Step 605: Perform MAC address learning according to SMAC+Normal_VPN_ID, with the control plane synchronizing the MAC address to the Root_VSI, and search the forwarding table according to DMAC (destination MAC)+Normal_VPN_ID;
  • Step 606: Determine whether the destination address has been found in the forwarding table; if not, proceed to step 607; if yes, proceed to step 608;
  • Step 607: For a Root member, look up the Normal_VSI; for a Leaf member, look up the Root_VSI; copy the packet to the members one by one;
  • Step 608: Determine whether the exit is a PW; if yes, proceed to step 609; if not, proceed to step 610;
  • Step 609 Perform AC forwarding. Specifically, the local AC is forwarded for the packets received by the AC, and the PW label is forwarded to the AC for the packets received by the PW, and the process ends.
  • Step 610: The PW packet is encapsulated and forwarded. Specifically, the PW label is encapsulated and the packet is forwarded by the PW, and the process ends.
  • If some members of a VPN instance are required to access not only the members of their own VPN but also members of other VPNs, while the other members can only communicate with each other within their own VPN, this is called cross-VPN interworking.
  • a Super_VSI is defined for two or more VSIs that interwork across VPNs. The Super_VSI differs from the VSIs corresponding to the individual VPNs in the forwarding members it includes.
  • Each interworking VPN includes the forwarding members in that VPN and the super members that can communicate across VPNs.
  • the Super_VSI includes all the members in all the VSIs.
  • the member means Member.
  • the corresponding logical exit is AC or PW.
  • Members have the root/leaf in TREE according to their attributes.
  • In cross-VPN interworking, there are members that can communicate across VPNs and members that cannot.
  • the VSI in each VPN is configured as signaling management and is responsible for the maintenance of the PW.
  • the Super_VSI is not responsible for signaling management.
  • the forwarding table contains the PW established by each VSI, but only a local attribute VPN.
  • the VSI broadcast table in each VPN includes the super members of other VPNs in addition to the members in the VPN; the broadcast table of the Super_VSI includes indexes of all members in each VSI.
  • the MAC addresses learned by the members in VSI1 and VSI2 of each VPN are simultaneously synchronized to the Super_VSI, for unicast forwarding of the flows received from super members. This ensures compatibility with normal VPLS processing.
  • the MAC address table learned by each VSI member is synchronized to the Super_VSI, and a broadcast table including all member indexes in each VSI is established for the Super_VSI.
  • the MAC address learned by each VSI super member is synchronized with the specified Super_VSI and synchronized with the VSIs of other VPNs to provide an ordinary member's response processing for the super member to cross VPN access.
  • the cross-VPN synchronization processing of the MAC address table is uniformly processed through the control plane. All MAC aging is initiated by the VSI to which the member belongs. The system plane aging synchronization of the associated VPN and the MAC address in the Super_VSI.
  • the VPN_ID saved in the AC interface table and the PW attribute table is extended to store two pieces of VSI information: one is the access VPN_ID, and the other is the forwarding VPN_ID. If the two VPN_IDs are the same, normal VPLS forwarding is performed; if the access VPN_ID is different from the forwarding VPN_ID, VPLS forwarding is performed in the following manner according to the embodiment of the present invention.
  • All members are bound to their own VPN, ensuring that devices can be forwarded according to the normal VSI.
  • Super_VSI includes all members in each VSI by default.
  • For a super member, the access VSI is the VSI in which the member is located, that is, MAC address learning is first done in the VSI in which it is located, and the forwarding VSI is the Super_VSI; for an ordinary member, the VSI for both access and forwarding is the VSI of the VPN in which it is located.
  • The so-called super member is the member with the most privilege. It could be considered to be in any VSI, but in practice it usually sits in one particular VSI while holding greater privilege. In the networking, the VSI it belongs to can be selected based on its attributes.
  • the network architecture of cross-VPN mutual access shown in Figure 4 includes two VPNs, namely VPN1 and VPN2.
  • In VPN1 there are CE31, CE32, CE33, and CE34, and in VPN2 there are CE35, CE36, and CE37; the PEs include PE31, PE32, PE33, and PE34.
  • PE31 is connected to PE32, PE33, and PE34 through PW31, PW32, PW33, and PW34.
  • the PE30 and CE35 are connected to each other through AC30.
  • Between PE31 and CE31, PE33 and CE34 are connected through AC31.
  • the PE31 and CE32 are connected to each other through AC32.
  • the PE31 and CE36 are connected through AC33.
  • PE31 is a super member of PW32 and AC31 in VPN1
  • other members of VPN1 include PW31, PW33, PW34, AC30, AC32, and AC33 are common members.
  • PW33, PW34, and AC33 in VPN2 on PE31 are common members;
  • the so-called members in the VSI are just a local concept, not for different devices.
  • the number is just a local concept, and the CE and PE numbers are divided for the network, but the CE and PE are different devices. The number can be repeated.
  • VPN1 and VPN2 need to communicate with each other across VPNs.
  • VPN1 is configured with VSI1
  • VPN2 is configured with VSI2
  • VSI1 and VSI2 are common VSIs.
  • a Super_VSI is also defined.
  • the main difference between the Super_VSI and the VSI1 and the VSI2 is that the forwarding members are different.
  • the VSI1 and the VSI2 respectively manage the ordinary members of the VPN, namely VPN1 and VPN2, and the super members who can exchange visits between VPN1 and VPN2.
  • the Super_VSI contains all members of both VPNs (VPN1 and VPN2).
  • VSI1 and VSI2 are established.
  • VPN1 and VPN2 are connected to each other.
  • the VSI1 on the PE31 includes four members: AC1, AC2, PW1, and PW2.
  • VSI2 includes two members, AC3 and PW3.
  • the configuration process includes: configuring super-member attributes in VSI1 and VSI2 (that is, accessing members across VPNs).
  • VSI1 has super members AC1 and PW2
  • VSI2 has no super members.
  • the cross-VPN access flag, the access VPN_ID, and the forwarding VPN_ID are set.
  • the cross-VPN access flag is not set, the access VPN_ID and the forwarding VPN_ID are the same, that is, the respective Local_VPN_ID,
  • the broadcast member only contains the members of its own instance.
  • the configuration is as follows: Super_VSI is configured for VSI1 and VSI2, and the VPN_ID corresponding to Super_VSI is Super_VPN_ID.
  • the AC interface table or PW attribute table of each super member is modified: the forwarding VPN_ID is changed to the Super_VPN_ID, and the members of VSI1 and VSI2 are written to the broadcast table of the Super_VSI. For VSI1 and VSI2, the super members of the other party are written to the broadcast table; VSI1 and VSI2 will be configured with the Super_VSI.
  • in the interface attributes of the super members in the VSI, the forwarding VPN_ID is changed to the Local_VPN_ID, the cross-VPN access flag is reset, and the super members of other VPNs included in the broadcast tables of VSI1 and VSI2 are deleted.
  • the service is forwarded according to ordinary VPLS.
  • the MAC address and broadcast table of the Super_VSI itself can be deleted slowly.
  • FIG. 5 is a schematic diagram of the VPLS forwarding process in the cross-VPN mutual access example. The figure's legend distinguishes super members, ordinary members, the stream received by ordinary members in VPN1, the stream received by ordinary members in VPN2, and the stream received by super members; the black arrow line indicates the MAC address synchronization process.
  • the MAC address learning is performed by using the SMAC+Local_VPN_ID, and the MAC address of the member is learned by the VSI of the member. Specifically, the MAC addresses of the AC31, AC32, PW31, and PW32 are learned into the VSI1, and the MAC addresses of the AC33 and PW33 are learned into the VSI2. For the super-member, the learned MAC address is synchronized to the Super_VSI and another VSI through the control plane; for ordinary members, the MAC address is only synchronized to the Super_VSI, but is not synchronized to another VSI;
  • the Super_VSI broadcast table is searched according to the Super_VPN_ID and the traffic is broadcast; for the traffic received by ordinary members, the broadcast table is searched according to the VSI and the traffic is broadcast.
  • the specific implementation process of the cross-VPN service processing may include the following steps:
  • Step 901: Receive a message.
  • Step 902: Search the AC interface table or the PW attribute table to obtain the super member attribute of the access side.
  • the AC table or the tag attribute table is looked up to determine whether the interface is a super member, and the Local_VPN_ID and the forwarding VPN_ID are obtained from the AC interface table or the PW attribute table (for a super member interface the forwarding VPN_ID is the Super_VPN_ID; otherwise it is the Local_VPN_ID);
  • Step 903: Determine whether it is a super member; if not, proceed to step 904; otherwise, proceed to step 905;
  • Step 904: Learn the MAC address with SMAC+Local_VPN_ID; the control plane synchronizes the SMAC address to the VSI associated with the other VPN and to the Super_VSI; search the forwarding table according to DMAC+Super_VPN_ID, and proceed to step 906;
  • Step 905: Learn the MAC address with SMAC+Local_VPN_ID, synchronize the MAC address to the Super_VSI, and search the forwarding table according to DMAC+Local_VPN_ID;
  • Step 906: Determine whether the destination address is found in the forwarding table; if not, proceed to step 907; otherwise, proceed to step 908;
  • Step 907: Search the broadcast table by using the Super_VPN_ID, copy the message, and send it to the members one by one;
  • Step 908: Determine whether the exit is a PW; if yes, proceed to step 909; otherwise, proceed to step 910;
  • Step 909: The packet is forwarded locally by the AC, and the current process ends.
  • Step 910: After the PW encapsulation is performed, the packet is forwarded, and the current process ends.
  • the above method uses only two VPNs as an example, but it is not limited to two. The method can also be applied when more than two VPNs need mutual access.
  • the embodiment of the invention further describes a storage medium, wherein the storage medium stores a computer program, and the computer program is configured to execute the VPN message processing method of the foregoing embodiments.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device. The apparatus implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing. The instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the invention can implement forwarding processing based on the forwarding table in the forwarding VSI by configuring the access VSI and the forwarding VSI on the interface, can improve the processing of the members and the horizontal splitting in the VPLS networking, and can reduce the impact of invalid broadcast replication on the internal bandwidth of the device, improving VPLS forwarding performance.
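
Both procedures in the description, E-TREE service forwarding and cross-VPN forwarding, apply one rule per AC or PW: learn the source MAC under the access VPN_ID, then look up the destination MAC and the broadcast table under the forwarding VPN_ID. The Python model below is an added example, not code from the patent; it follows the per-member rules stated in the text, and its class and function names, VPN_ID strings and MAC strings are assumptions. PW split horizon, MAC aging and encapsulation are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    """One AC or PW entry of the AC interface table / PW attribute table."""
    name: str
    access_vpn: str      # access VPN_ID: key for SMAC learning
    forward_vpn: str     # forwarding VPN_ID: key for DMAC lookup and broadcast
    sync_to: tuple = ()  # VSIs the control plane copies this member's MACs into


class PE:
    def __init__(self):
        self.members = {}  # name -> Member
        self.mac = {}      # (vpn_id, mac) -> member name
        self.bcast = {}    # vpn_id -> set of member names (broadcast table)

    def add(self, member, bcast_vsis):
        self.members[member.name] = member
        for vpn in bcast_vsis:
            self.bcast.setdefault(vpn, set()).add(member.name)

    def receive(self, in_name, smac, dmac):
        """Return the sorted list of members the frame is sent to."""
        m = self.members[in_name]
        for vpn in (m.access_vpn, *m.sync_to):   # learn, then synchronize
            self.mac[(vpn, smac)] = in_name
        out = self.mac.get((m.forward_vpn, dmac))
        if out is not None:                      # known unicast
            return [] if out == in_name else [out]
        # miss: replicate to the broadcast table of the forwarding VSI
        return sorted(self.bcast.get(m.forward_vpn, set()) - {in_name})


def build_etree():
    """Constructed E-TREE on one PE: Root members R1, R2; Leaf members L1, L2."""
    pe = PE()
    for r in ("R1", "R2"):   # Root: access == forwarding == Normal, synced to Root_VSI
        pe.add(Member(r, "NORMAL", "NORMAL", ("ROOT",)), ("NORMAL", "ROOT"))
    for leaf in ("L1", "L2"):  # Leaf: learns in Normal_VSI, forwards in Root_VSI
        pe.add(Member(leaf, "NORMAL", "ROOT"), ("NORMAL",))
    return pe


def build_cross_vpn():
    """Members from the text: VSI1 = AC1, AC2, PW1, PW2 (AC1, PW2 super); VSI2 = AC3, PW3."""
    pe = PE()
    for s in ("AC1", "PW2"):   # super: forwards in Super_VSI, also listed in VSI2's broadcast table
        pe.add(Member(s, "VPN1", "SUPER", ("SUPER", "VPN2")), ("VPN1", "VPN2", "SUPER"))
    for o in ("AC2", "PW1"):   # ordinary members of VPN1
        pe.add(Member(o, "VPN1", "VPN1", ("SUPER",)), ("VPN1", "SUPER"))
    for o in ("AC3", "PW3"):   # ordinary members of VPN2
        pe.add(Member(o, "VPN2", "VPN2", ("SUPER",)), ("VPN2", "SUPER"))
    return pe


if __name__ == "__main__":
    pe = build_etree()
    pe.receive("L2", "mac-l2", "ff:ff:ff:ff:ff:ff")  # L2 is learned in NORMAL only
    print(pe.receive("L1", "mac-l1", "mac-l2"))      # miss in ROOT: goes to Root members only
    print(pe.receive("R1", "mac-r1", "mac-l2"))      # hit in NORMAL: reaches L2
```

The isolation property to check in a real table dump is the same one the model shows: a Leaf (or ordinary) member's MAC must never appear under a VPN_ID that another Leaf (or a foreign ordinary member) uses for forwarding.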


Abstract

The invention relates to a virtual private network (VPN) packet processing method. The method comprises: for any PW interface or any AC interface, separately configuring an access VSI or a forwarding VSI; and, for a designated interface, performing access according to the access VSI and then performing forwarding according to the forwarding VSI. The invention also correspondingly relates to a VPN packet processing apparatus.
PCT/CN2014/086667 2014-03-24 2014-09-16 Virtual private network (VPN) packet processing method and apparatus, and storage medium WO2015143849A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410112715.6A CN104954255B (zh) 2014-03-24 2014-03-24 VPN packet processing method and apparatus
CN201410112715.6 2014-03-24

Publications (1)

Publication Number Publication Date
WO2015143849A1 (fr) 2015-10-01

Family

ID=54168621

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/086667 WO2015143849A1 (fr) 2014-03-24 2014-09-16 Virtual private network (VPN) packet processing method and apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN104954255B (fr)
WO (1) WO2015143849A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
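CN106169969B (zh) * 2016-08-31 2020-01-10 华为技术有限公司 Method for establishing a virtual private network label switched path, related device, and system
CN111726286A (zh) * 2017-03-14 2020-09-29 华为技术有限公司 EVPN packet processing method, device, and system
CN109474527B (zh) * 2018-12-13 2021-04-06 新华三技术有限公司成都分公司 Packet forwarding method and apparatus
CN111800328A (zh) * 2020-06-22 2020-10-20 上海益络信息技术有限公司 VPN packet processing method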

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
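CN1921441A (zh) * 2006-09-28 2007-02-28 华为技术有限公司 Packet forwarding method and apparatus for a virtual private LAN
CN102045250A (zh) * 2009-10-26 2011-05-04 杭州华三通信技术有限公司 Method for forwarding multicast packets in VPLS and service provider edge device
CN102170385A (zh) * 2010-02-27 2011-08-31 华为技术有限公司 Method for sending Ethernet frames in an E-Tree service and provider edge device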
US20130227673A1 (en) * 2012-02-27 2013-08-29 Electronics And Telecommunications Research Institute Apparatus and method for cloud networking

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499584C (zh) * 2005-12-02 2009-06-10 中兴通讯股份有限公司 Method for implementing virtual private LAN service broadcast
CN102325073B (zh) * 2011-07-06 2016-06-29 杭州华三通信技术有限公司 VPLS-based packet processing method and apparatus

Also Published As

Publication number Publication date
CN104954255B (zh) 2019-12-24
CN104954255A (zh) 2015-09-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14887539

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14887539

Country of ref document: EP

Kind code of ref document: A1