CN100428737C - A Method to Simplify VPN Network Deployment - Google Patents
- Publication number
- CN100428737C
- Authority
- CN
- China
- Prior art keywords
- vpn
- information
- layer
- vlan
- data frame
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method for simplifying VPN network deployment that runs on top of an existing MPLS-based Layer 2 VPN wide-area network. The network includes at least one source PE (provider-side) device and one peer PE (provider-side) device. The method mainly comprises the following steps: (a) after receiving a Layer 2 data frame carrying VLAN information, the source PE device obtains the VPN ID from the VLAN-to-VPN mapping table; (b) a forwarding lookup on the destination MAC address is performed using the VPN ID, yielding the destination CE information and the information for encapsulating the two MPLS labels; (c) after receiving the encapsulated Layer 2 data frame, the peer PE device uses a configured VPN-ID-to-VLAN mapping table to change the encapsulated VLAN information and forwards the frame. The method provided by the invention simplifies the deployment of VPN networks.
Description
Technical field
The present invention relates to a method for simplifying the deployment of a VPN (Virtual Private Network), and in particular to a method for deploying a Layer 2 VPN based on MPLS (Multi-Protocol Label Switching).
Background
At present, the mainstream MPLS-based Layer 2 VPN technologies are the point-to-point VPN (VLL, Virtual Leased Line) and the point-to-multipoint VPN (VPLS, Virtual Private LAN Service).
MPLS-based VLL (Virtual Leased Line) technology is implemented with MPLS labels. The user's service frames travel inside the CE (Consumer Edge, the user's edge device) as ordinary Ethernet data frames. Once a frame enters the operator's PE (Provider Edge) device, the PE looks up the forwarding table using the user's VLAN information and destination MAC information and obtains a two-level MPLS label. From this two-level MPLS label it then obtains the next-hop destination MAC and VLAN information, encapsulates the frame, and sends it out of the corresponding port of the device to the peer PE device. Table 1 shows the user's normal data frame, and Table 2 shows the MPLS data frame.
Table 1: Normal user data frame
Table 2: MPLS data frame
After the MPLS-encapsulated packet reaches the peer PE device, the PE device removes the two MPLS labels, obtains from the inner label the final egress port for this VPN user's traffic on the device, and sends the user VPN's Layer 2 Ethernet data frame unchanged out of the corresponding physical port.
If a VPN user has more than two VPN access points, the MPLS-based VPLS Layer 2 forwarding technology described below is needed.
In an MPLS-based VPLS (Virtual Private LAN Service) VPN network, user VPN traffic arriving from one CE access point of a VPN user has several destination CEs to choose from, depending on the traffic's Layer 2 destination MAC information, ingress physical port and ingress VLAN information. In other words, each CE is connected to multiple CE sites and can communicate with the hosts of multiple VPN users behind those CE sites. Table 3 shows the user's normal data frame, and Table 4 shows the MPLS data frame.
Table 3: Normal user data frame
Table 4: MPLS data frame
In terms of frame encapsulation on the forwarding plane, point-to-multipoint VPLS and point-to-point VLL follow the same process: the source PE device encapsulates the incoming Layer 2 Ethernet data frame with two MPLS labels and sends it to the destination PE device at the far end. After receiving the user VPN data frame encapsulated with two MPLS labels, the destination PE device strips the two labels, derives the destination physical port from the information carried in the labels, and sends the frame out of the corresponding physical port.
In both of these MPLS-based Layer 2 VPN schemes, the user's Layer 2 Ethernet information and VLAN information must not be changed anywhere along the forwarding path, because this information belongs to the VPN user. A provider or operator of VPN services should only be responsible for supplying the Layer 2 communication pipe and must not alter any of the user's information. This is the original intent and purpose of the MPLS Layer 2 VPN solution.
In real deployments, however, the Layer 2 VLAN information is in some environments added by the Layer 2 VPN service provider or operator itself: the operator either provides a physical port for the VPN user to use, or adds a further layer of VLAN information on top of the user's existing VLAN information. Scenarios in which the operator controls one or two layers of VLAN information are becoming more numerous and more common. Continuing to treat all VLAN information as the VPN user's information in these cases leads to many unreasonable constraints and makes VPN deployment inconvenient.
Summary of the invention
The purpose of the present invention is to solve the problems in existing VPN network deployment. By considering MPLS labels and VLAN information together, it simplifies the deployment of MPLS-based Layer 2 VPN networks and brings more convenience and flexibility to VPN networking and deployment.
To this end, the present invention provides a method for simplifying VPN network deployment that runs on top of an existing MPLS-based Layer 2 VPN wide-area network. The network includes at least one source provider edge (PE) device and one peer PE device, and the method includes the following steps:
(a) After receiving a Layer 2 data frame carrying VLAN information, the source PE device obtains the VPN ID from the VLAN-to-VPN mapping table;
(b) A forwarding lookup on the destination MAC address is performed using the VPN ID, yielding the information of the destination customer edge (CE) device and the information for encapsulating the two MPLS labels;
(c) After receiving the encapsulated Layer 2 data frame, the peer PE device uses the configured VPN-ID-to-VLAN mapping table to change the encapsulated VLAN information and forwards the frame.
In step (b), the Layer 2 data frame must additionally be encapsulated with the two MPLS labels. When the frame is encapsulated, it can carry different identification information depending on the transmission environment: the original VLAN information, the VPN ID information, or no VLAN information at all.
In step (c), before changing the encapsulated VLAN information, the peer PE device must also obtain the VPN ID information of the Layer 2 data from the MPLS label.
In addition, in step (c), before changing the encapsulated VLAN information, the peer PE device must also look up the forwarding destination physical port on the peer PE device using the VPN ID plus the destination MAC address information.
In addition, in step (c), the peer PE device uses the physical port information to look up the VPN-ID-to-VLAN mapping table under that physical port, obtains the VLAN information to be encapsulated when the frame leaves the port, and sends the frame out of the corresponding physical port after encapsulation.
In addition, the VLAN information carried by the encapsulated Layer 2 data frame may be one layer or two layers.
In addition, in step (a), the source PE device also uses the VPN ID to learn the source MAC address, learning it against the port under the source PE device that belongs to the VPN user; after step (c), the peer PE device further learns the corresponding source MAC address under the corresponding remote CE, based on the VPN ID information and the source of the MPLS label switched path.
Compared with existing technical solutions, the present invention adds a VLAN-to-VPN-ID mapping in the source PE device and resolves and adjusts this mapping accordingly in the peer PE device. This increases the operator's control over the VLAN information in Layer 2 Ethernet data frames, so that the provider side can configure the required VPN service types on its own, without the cooperation of the other party (the user), which makes VPN deployment simpler and more flexible.
Description of drawings
Figure 1 is a schematic diagram of a typical environment in which the method for simplifying VPN network deployment provided by the present invention is applied.
Figure 2 is a flow chart of the method for simplifying VPN network deployment of the present invention.
Detailed description
The core idea of the present invention is to configure a VLAN-to-VPN-ID mapping table in both the source PE device and the peer PE device. With the VPN ID as intermediary, the VLAN ID information at the source and at the peer can differ when data frames are transmitted, which makes the operator's deployment of the VPN network more flexible and simpler. The present invention is further described below with reference to the accompanying drawings.
The networking environment to which the present invention applies is the same as a traditional VPN network based on existing MPLS, but VPN network deployment is more flexible and simpler. Figure 1 shows enterprise users A and B each connecting their three branch-office LANs through a VPLS service.
In such an MPLS-based Layer 2 VPN deployment, it is sometimes necessary to identify the VPN user by a locally significant VLAN. For example, a VLAN under a port of a device in one of user A's equipment rooms and a VLAN under a port of a device in another equipment room (the two VLAN values differ) belong to the same VPN user, and their Layer 2 services must be interconnected. Communication between equipment rooms passes through the operator's MPLS network, and this kind of network supports a multipoint-to-multipoint mode: a VPN user may have multiple service access points, and service data frames entering at any access point may need to communicate with more than two destination access points.
In this situation, the format of the VPN user's Layer 2 data frame arriving at the source PE device is shown in Table 5, and the format of the VPN user's Layer 2 data frame at the egress of the peer PE device is shown in Table 6. Alternatively, the two Layer 2 data frame formats with two layers of VLAN tags shown in Tables 7 and 8 apply: Table 7 is the format of the VPN user's Layer 2 data frame arriving at the PE device, and Table 8 is the format of the VPN user's Layer 2 data frame at the egress of the destination PE device.
Table 5: Format of the VPN user's Layer 2 data frame arriving at the source PE device
Table 6: Format of the VPN user's Layer 2 data frame at the egress of the destination PE device
Table 7: Format of the VPN user's Layer 2 data frame arriving at the source PE device
Table 8: Format of the VPN user's Layer 2 data frame at the egress of the destination PE device
Depending on the transmission mode, the original Layer 2 data frame entering the MPLS-based Layer 2 VPN service provider's network may carry one layer of VLAN tag, two layers of VLAN tags, or no VLAN tag. When there is no VLAN tag, the Ethernet switch automatically adds default VLAN information to the incoming Layer 2 data frame based on the ingress physical port, so original Layer 2 data frames without VLAN information are treated as having one layer of VLAN tag in the rest of this description.
The complete technical solution of the present invention covers both one layer of VLAN tag and two (or more) layers of VLAN tags. The case of one layer of VLAN tag is used as the example below.
The formats shown in the tables above for the Layer 2 data frame received by the source PE device and the Layer 2 data frame sent by the peer PE device show that, for an original Layer 2 data frame with one layer of VLAN tag, the VLAN tag value that comes out of the MPLS Layer 2 VPN service provider's network differs from the original one. Both VLAN tags identify traffic of the same VPN user, have the same meaning and should be treated the same; they differ only in the concrete VLAN value.
Taking Figure 1 again as the example: logically, VLAN1 at source PE1, i.e. user A's branch LAN 1 (or VLAN1 under some physical port), corresponds to VPN user A; VLAN2 under destination PE2, i.e. user A's branch LAN 2 (or VLAN2 under some physical port), also corresponds to VPN user A; and VLAN3 under destination PE4, i.e. user A's branch LAN 3 (or VLAN3 under some physical port), also corresponds to VPN user A. Inside the operator's network, the different VLANs from the three PE sites together form user A's VPN ID1. All nodes in this VPN have Layer 2 connectivity based on Layer 2 Ethernet data frames, and Layer 2 MAC addresses are learned and aged automatically, just as in ordinary Layer 2 forwarding. That is, the MAC addresses under each node are learned against the corresponding physical port in the form of VPN ID1 plus ingress port; when Layer 2 traffic is sent to a specific physical port, VPN ID1 is replaced by the VLAN value that represents VPN ID1 under that physical port.
As shown in Figure 1 together with Figure 2, taking the interworking of VPN user A's traffic between VLAN1 under PE1 and VLAN3 under PE4 as the example, the forwarding process is as follows:
(1) After PE1 receives a Layer 2 data frame carrying VLAN1, it uses the VLAN1-to-VPN-ID1 mapping table to obtain VPN ID1.
(2) It uses VPN ID1 to perform the forwarding lookup on the destination MAC address, obtaining the destination CE information and the information for encapsulating the two MPLS labels.
(3) It encapsulates the user's Layer 2 data frame in the MPLS labels and sends it to the destination PE4. Because the hardware environment in the network varies, the VLAN information field in the Layer 2 Ethernet data frame may have one layer, two layers, or be absent when the frame is encapsulated, so the encapsulation may take one of the following forms:
a. The encapsulated Layer 2 data frame carries the original VLAN1 information.
b. The encapsulated Layer 2 data frame carries the VPN ID1 information.
c. The encapsulated Layer 2 data frame carries neither VLAN1 nor VPN ID1 information: either the original VLAN position holds an empty VLAN value (all zeros), or there is no VLAN information at all, i.e. the frame is encapsulated in the format without VLAN information.
(4) It uses VPN ID1 to learn the source MAC address, learning the MAC address against the port under the corresponding PE that belongs to the VPN user.
(5) After the MPLS-encapsulated Layer 2 data frame reaches the peer PE4 device, the user's Layer 2 data frame is obtained from the MPLS label.
(6) When the VPN user's Layer 2 data frame is obtained from the MPLS-encapsulated data frame, the most important thing is to obtain the VPN ID1 information, which must be obtained from the MPLS label.
(7) PE4 performs a lookup using VPN ID1 plus the destination MAC address information to obtain its forwarding destination physical port.
(8) Using the egress physical port information, PE4 looks up the VPN-ID1-to-VLAN mapping table under that physical port, obtains the VLAN information to be encapsulated when the frame leaves the port, and sends the frame out of the corresponding physical port after encapsulation.
(9) Based on the VPN ID1 information and the source of the MPLS virtual switching path, the MAC address of the destination port is learned under the corresponding remote CE, i.e. the CE attached to the source PE1 device that sent the Ethernet data frame.
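An added example, not part of the patent text: a small Python model of steps (1) to (9) using encapsulation form c (no VLAN tag inside the MPLS payload), showing that lookups keyed on the VPN ID keep two customers apart even when they use the same local VLAN number. The class and table names, label values, MAC addresses and port numbers are assumptions constructed for illustration, as is the choice to let the inner label identify both the VPN ID and the sending PE; flooding of unknown destinations and double-tagged frames are left out.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def mpls_entry(label, bottom, ttl=64):
    """One 32-bit MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def parse_tagged(frame):
    """Split a single-tagged 802.1Q frame into (dst, src, vlan, rest)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("expected an 802.1Q tagged frame")
    return frame[0:6], frame[6:12], tci & 0x0FFF, frame[16:]

def build_tagged(dst, src, vlan, rest):
    return dst + src + struct.pack("!HH", TPID_8021Q, vlan) + rest

class PE:
    """Hypothetical provider edge device holding the mapping tables."""
    def __init__(self, name, vlan_to_vpn):
        self.name = name
        self.vlan_to_vpn = dict(vlan_to_vpn)   # (port, vlan) -> vpn_id
        self.vpn_to_vlan = {(port, vpn): vlan
                            for (port, vlan), vpn in vlan_to_vpn.items()}
        self.pw_out = {}  # (vpn_id, remote_pe) -> (outer_label, inner_label)
        self.pw_in = {}   # inner_label -> (vpn_id, remote_pe)
        self.fdb = {}     # (vpn_id, mac) -> ("local", port) | ("remote", pe)

    def ingress(self, port, frame):
        """Source PE, steps (1) to (4). Returns (remote_pe, packet) or None."""
        dst, src, vlan, rest = parse_tagged(frame)
        vpn = self.vlan_to_vpn.get((port, vlan))          # step (1)
        if vpn is None:
            return None    # VLAN not bound to a VPN on this port: drop
        self.fdb[(vpn, src)] = ("local", port)            # step (4)
        hit = self.fdb.get((vpn, dst))                    # step (2)
        if hit is None or hit[0] != "remote":
            return None    # unknown in this VPN (flooding not modelled)
        outer, inner = self.pw_out[(vpn, hit[1])]
        # step (3), form c: the local VLAN tag is not carried across
        packet = (mpls_entry(outer, False) + mpls_entry(inner, True)
                  + dst + src + rest)
        return hit[1], packet

    def egress(self, packet):
        """Peer PE, steps (5) to (9). Returns (port, tagged_frame) or None."""
        outer, inner = struct.unpack("!II", packet[:8])
        if (outer >> 8) & 1 or not (inner >> 8) & 1:
            return None    # bottom-of-stack bit must be set on the inner label only
        binding = self.pw_in.get(inner >> 12)             # step (6)
        if binding is None:
            return None
        vpn, remote_pe = binding
        dst, src, rest = packet[8:14], packet[14:20], packet[20:]  # step (5)
        self.fdb[(vpn, src)] = ("remote", remote_pe)      # step (9)
        hit = self.fdb.get((vpn, dst))                    # step (7)
        if hit is None or hit[0] != "local":
            return None
        vlan = self.vpn_to_vlan.get((hit[1], vpn))        # step (8)
        if vlan is None:
            return None
        return hit[1], build_tagged(dst, src, vlan, rest)

# Constructed sample data: locally administered MACs for two hosts of user A.
HOST_A1 = bytes.fromhex("020000000a01")
HOST_A3 = bytes.fromhex("020000000a03")

def demo():
    # Users A (VPN ID 1) and B (VPN ID 2) both use VLAN 10 on PE1.
    pe1 = PE("PE1", {(1, 10): 1, (2, 10): 2})
    pe4 = PE("PE4", {(3, 30): 1, (4, 10): 2})
    pe1.pw_out[(1, "PE4")] = (100, 1001); pe4.pw_in[1001] = (1, "PE1")
    pe1.pw_out[(2, "PE4")] = (100, 2001); pe4.pw_in[2001] = (2, "PE1")
    pe1.fdb[(1, HOST_A3)] = ("remote", "PE4")   # already learned in VPN 1
    pe4.fdb[(1, HOST_A3)] = ("local", 3)
    rest = struct.pack("!H", 0x0800) + b"constructed payload"
    frame = build_tagged(HOST_A3, HOST_A1, 10, rest)
    _, packet = pe1.ingress(1, frame)
    port, out = pe4.egress(packet)
    return {
        "egress_port": port,
        "egress_vlan": parse_tagged(out)[2],
        "payload_intact": parse_tagged(out)[3] == rest,
        "learned_at_pe4": pe4.fdb[(1, HOST_A1)],
        "same_frame_from_user_b": pe1.ingress(2, frame),
        "unmapped_vlan": pe1.ingress(1, build_tagged(HOST_A3, HOST_A1, 99, rest)),
    }

if __name__ == "__main__":
    print(demo())
```

The frame enters PE1 with VLAN 10 and leaves PE4 with VLAN 30, while the identical frame arriving on user B's port finds no entry under VPN ID 2 and is not delivered to user A's host.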
In addition, in the forwarding from source PE1 to destination PE4 described above, the MPLS labels of the VPN user's Layer 2 data frame, which crosses the operator's network encapsulated with two MPLS labels, already carry the VLAN and VPN ID information. The corresponding VLAN information field inside the Layer 2 data frame can therefore be used very flexibly: it can carry the original VLAN information, carry nothing, or carry the VPN ID information. The specific handling can take many forms, and several cases are considered below.
(1) Carrying the VPN ID information or no VLAN information
Because the VPN ID information is already carried in the MPLS label, it does not also have to be carried in the VLAN information. Whether it is carried is sometimes tied to the specific implementation of the hardware forwarding ASIC, because some hardware forwarding ASIC chips handle frames without VLAN information more smoothly. If the Layer 2 data frame carries no VLAN information, the peer chip's processing is simple: it only needs to insert a new VLAN tag.
(2) Carrying the original VLAN information
If the original VLAN information is carried across the operator's network, more information can be carried. In this case the user's VPN ID information is carried in the MPLS label, so other information can be carried in the VLAN. For example, if there are several VLANs under one CE, MPLS carries the VPN ID information and the VLAN tag position can carry the different VLAN information under that CE.
That is, carrying VLAN information across the operator's network can meet the requirement of one VPN user having multiple VLANs, with those VLANs represented differently at different CE sites.
Therefore, although in the specific embodiment described here the peer PE obtains the VPN ID information from the MPLS label and from it the local VLAN information, the concrete implementation can vary. For example, the peer PE device may not use VPN ID or VLAN information carried in the MPLS label of the Layer 2 Ethernet data frame, but instead carry the VPN ID or VLAN information in other parts of the Layer 2 Ethernet data frame and use that information to perform the localized conversion of the VLAN information. Needless to say, these variations and applications all fall within the scope of protection of the claims of the present invention.
Of course, in multipoint-to-multipoint applications the VLAN information at the various sites may all differ, whereas Layer 2 forwarding requires the MAC addresses to be in one VLAN in order to communicate. The VLAN information carried across the MPLS network should therefore preferably represent the VPN ID rather than each site's localized VLAN information, because the latter causes MAC address learning problems at the destination. If localized information is carried across, the device itself must be able to handle it, for example by processing the localized VLAN information before performing Layer 2 VPN learning and forwarding.
As already mentioned, the case of two layers of VLAN tags is handled like the case of one layer: both layers of VLAN tags have only local significance. That is, they have specific fixed values only at a given access point; at another access point, both tags identifying the VPN user or the user's service must be replaced with the values of another two layers of VLAN tags.
In summary, the present invention adds a VLAN-to-VPN-ID mapping in the source PE device and resolves this mapping accordingly in the peer PE device. This increases the operator's control over the VLAN information in Layer 2 Ethernet data frames, so that one party (the provider side) can configure the required VPN service types on its own, without the cooperation of the other party (the user), which makes VPN deployment simpler and more flexible.
Claims (10)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100513520A CN100428737C (en) | 2005-03-08 | 2005-03-08 | A Method to Simplify VPN Network Deployment |
PCT/CN2005/002067 WO2006094440A1 (en) | 2005-03-08 | 2005-12-01 | A method of virtual local area network exchange and the network device thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100513520A CN100428737C (en) | 2005-03-08 | 2005-03-08 | A Method to Simplify VPN Network Deployment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1832443A CN1832443A (en) | 2006-09-13 |
CN100428737C true CN100428737C (en) | 2008-10-22 |
Family
ID=36994453
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100513520A Expired - Fee Related CN100428737C (en) | 2005-03-08 | 2005-03-08 | A Method to Simplify VPN Network Deployment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100428737C (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100466576C (en) * | 2007-04-30 | 2009-03-04 | 深圳市深信服电子科技有限公司 | Method for reducing disposition VPN network through self-organization field |
CN101087236B (en) * | 2007-08-09 | 2010-06-02 | 杭州华三通信技术有限公司 | VPN access method and device |
CN101277245B (en) * | 2008-05-06 | 2012-05-23 | 华为技术有限公司 | Method, system and device for realizing L2VPN cross-domain |
CN101345711B (en) * | 2008-08-13 | 2012-08-08 | 成都市华为赛门铁克科技有限公司 | Packet processing method, fire wall equipment and network security system |
CN101494601B (en) * | 2009-03-06 | 2011-08-24 | 中兴通讯股份有限公司 | Downlink data configuration method and device |
CN102014041B (en) * | 2009-09-04 | 2015-01-28 | 中兴通讯股份有限公司 | PTN (Packet Transport Network) equipment and CES (Circuit Emulation Service) equipment |
CN101917347B (en) * | 2010-09-03 | 2012-08-22 | 烽火通信科技股份有限公司 | Crossing method for performing label mapping based on HASH |
CN101977123B (en) * | 2010-10-28 | 2012-05-30 | 北京星网锐捷网络技术有限公司 | Method, system and device for generating virtual private local area network site ID |
CN102185775B (en) * | 2011-05-10 | 2016-06-22 | 中兴通讯股份有限公司 | Identify method and the multiport Ethernet interface device of multiport Ethernet interface device port |
CN105991436B (en) * | 2015-02-12 | 2020-02-07 | 中兴通讯股份有限公司 | Transmission processing method and device for end-to-end service |
CN106330499A (en) * | 2015-06-25 | 2017-01-11 | 中兴通讯股份有限公司 | A transmission method and device for time-division multiplexing data, and network-side edge equipment |
CN114339494B (en) * | 2022-01-05 | 2023-05-26 | 烽火通信科技股份有限公司 | Method and device for accessing Vlan aggregation service into MPLS in PON |
CN115396336A (en) * | 2022-08-01 | 2022-11-25 | 南京网元通信技术有限公司 | A method for active testing of MPLS VPN private line based on software simulation |
Also Published As
Publication number | Publication date |
---|---|
CN1832443A (en) | 2006-09-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9100351B2 (en) | Method and system for forwarding data in layer-2 network | |
US8509248B2 (en) | Routing frames in a computer network using bridge identifiers | |
US8861547B2 (en) | Method, apparatus, and system for packet transmission | |
US7787480B1 (en) | Routing frames in a trill network using service VLAN identifiers | |
CN100563211C (en) | Method and system for realizing virtual gateway and virtual subnet | |
Andersson et al. | Provider provisioned virtual private network (VPN) terminology | |
US8228928B2 (en) | System and method for providing support for multipoint L2VPN services in devices without local bridging | |
US8854982B2 (en) | Method and apparatus for managing the interconnection between network domains | |
CN101820392B (en) | A kind of method and network processing unit realizing multi-service forwarding | |
US20100008365A1 (en) | Method and system for transparent lan services in a packet network | |
US20080159309A1 (en) | System and method of mapping between local and global service instance identifiers in provider networks | |
US20120207171A1 (en) | Method and Apparatus for Interworking VPLS and Ethernet Networks | |
US20080019385A1 (en) | System and method of mapping between local and global service instance identifiers in provider networks | |
US8724629B1 (en) | E-tree service having extended shared VLAN learning across VPLS network | |
US7839800B2 (en) | Multiple I-service registration protocol (MIRP) | |
CN100428737C (en) | A Method to Simplify VPN Network Deployment | |
WO2019204098A1 (en) | Multi-vrf universal device internet protocol address for fabric edge devices | |
US20170331720A1 (en) | Individual Virtual Private Local Area Network Service Conversion to a Different Virtual Private Network Service | |
EP2378717A1 (en) | Method for interconnecting with nested backbone provider bridges and system thereof | |
CN103326918A (en) | Message forwarding method and message forwarding equipment | |
CN104079466B (en) | A kind of message processing method and equipment | |
CN100446503C (en) | A method and device for enhancing VPN network optimization | |
CN104348693B (en) | A kind of method, apparatus and routing device for realizing two layers of isolation of user equipment | |
CN1980177A (en) | Method for realizing virtual special local network service broadcast | |
WO2006094440A1 (en) | A method of virtual local area network exchange and the network device thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
CF01 | Termination of patent right due to non-payment of annual fee | | Granted publication date: 20081022 |