
CN107959611B - A method, device and system for forwarding messages - Google Patents


Info

Publication number: CN107959611B
Authority: CN (China)
Prior art keywords: network device, packet, l3vpn, policy route, network
Legal status: Active
Application number: CN201610902960.6A
Other languages: Chinese (zh)
Other versions: CN107959611A
Inventors: 王雪伟, 夏寅贲, 董杰, 陈国义
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/20 Hop count for routing purposes, e.g. TTL
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 49/00 Packet switching elements > H04L 49/35 Switches specially adapted for specific applications > H04L 49/354 Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a method, device and system for forwarding packets in an L3VPN. The method includes configuring a policy route in the VPN instance of a provider edge (PE) device, so that the PE device forwards received packets according to the policy route. The packet forwarding method provided by the present application can therefore steer packets through spliced L3VPN tunnels, satisfying communication requirements that span multiple L3VPN tunnels. This gives tenants access control over the network and makes networking more flexible.

Description

A method, device and system for forwarding messages

Technical field

The present application relates to the field of communication technologies, and in particular to a method, device and system for forwarding packets.

Background

A virtual private network (VPN) is a private network that an operator provides to a user over its public network; from the user's perspective, the VPN is the user's own dedicated network. From the operator's perspective, the public network comprises the public backbone and the public operator border devices. Geographically separated VPN member sites connect through customer edge (CE) devices to the corresponding provider edge (PE) devices, and the customer's VPN is formed over the operator's public network.

Layer 3 VPN (L3VPN) is used for private network services with Layer 3 requirements. An L3VPN service forwards Internet Protocol (IP) packets in a manner similar to conventional routing: after a router receives an IP packet, it looks up the packet's destination address in the forwarding table and transmits the packet over a pre-established channel.

Existing L3VPN technology is an implementation of a virtual network. The signaling protocol of L3VPN is the Border Gateway Protocol (BGP), and PE devices are Internal BGP (IBGP) peers of one another. To prevent routing black holes, BGP stipulates that a route a PE device receives from one IBGP peer must not be advertised to another IBGP peer. Consequently, a PE device only holds the routes of its own IBGP peers and has no routes of PE devices more than one hop away.

For a user's service network implemented with L3VPN, if the service nodes communicate over L3VPN tunnels, nodes between which no direct L3VPN tunnel has been established cannot communicate with each other.

Summary of the invention

The present application provides a method, device and system for forwarding packets in an L3VPN that can satisfy the communication requirements between nodes separated by multiple L3VPN tunnels.

In a first aspect, the present application provides a method for forwarding packets in an L3VPN. The L3VPN includes a first network device, a second network device and a third network device; a first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. First, the first network device receives a packet; then, according to the inbound interface on which the packet was received and the packet's destination address, it looks up, in the VPN instance bound to that inbound interface, a first policy route matching the packet. The first policy route indicates that the next hop toward the packet's destination address is the second network device. Having found the first policy route matching the packet, the first network device, as directed by the first policy route, sends the packet to the second network device through the first L3VPN tunnel. The second network device stores a forwarding entry for the packet's destination address, which instructs the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used by the second network device to send the packet to the third network device.

With reference to the first aspect, in a first possible implementation of the first aspect, the first network device is a PE device, and the PE device receives the packet from a CE device.

With reference to the first aspect, in a second possible implementation of the first aspect, the first network device receives the packet from a fourth network device. The fourth network device is configured with a second policy route, which indicates that the next hop toward the packet's destination address is the first network device. A third L3VPN tunnel is established between the fourth network device and the first network device, and the fourth network device sends the packet to the first network device through the third L3VPN tunnel.

With reference to the first aspect and the implementations above, in a third possible implementation of the first aspect, before the first network device receives the packet, it receives a configuration message sent by a control and management device. The configuration message carries the first policy route, and the first network device obtains the first policy route from the configuration message.

By configuring the first policy route in the VPN instance of the first network device, packets are steered through the spliced first and second L3VPN tunnels, which gives the tenant access control over the network. The tenant's sites within the VPN can communicate with one another, and the service topology within the VPN can follow the user's requirements instead of being restricted to the traditional full-mesh or hub-spoke arrangements; the networking is therefore more flexible.

In a second aspect, the present application provides a method for forwarding packets in an L3VPN. The L3VPN includes a first network device, a second network device and a third network device; a first L3VPN tunnel is established between the first and second network devices, and a second L3VPN tunnel between the second and third network devices. First, a control and management device generates a configuration message. The configuration message is used to configure a policy route in the VPN instance bound to the first interface of the first network device, the policy route indicating that the next hop toward the packet's destination address is the second network device. The control and management device then sends the configuration message to the first network device. The first L3VPN tunnel is used by the first network device to send the packet to the second network device. The second network device stores a forwarding entry for the packet's destination address, which instructs the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used by the second network device to send the packet to the third network device.

By having the control and management device configure a policy route in the VPN instance of the first network device, packets are steered through the spliced first and second L3VPN tunnels, giving the tenant access control over the network. The tenant can also optimize network bandwidth and set up customized service chains as needed; the tenant's sites within the VPN can communicate with one another, and the service topology within the VPN can follow the user's requirements, making the networking more flexible.

In a third aspect, the present application provides an apparatus for forwarding packets. The apparatus is applied in an L3VPN and comprises modules for performing the method of the first aspect and of any possible implementation of the first aspect.

In a fourth aspect, the present application provides a communication system applied in a Layer 3 virtual private network (L3VPN). The communication system includes a control and management device, a first network device, a second network device and a third network device. A first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel between the second network device and the third network device. In this system:

The control and management device is configured to send a first configuration message to the first network device. The first configuration message carries a first policy route and is used to configure that policy route in a first VPN instance bound to a first interface of the first network device. The first policy route indicates that the next hop toward the packet's destination address is the second network device. The first network device is configured to receive the packet on the first interface and, according to the packet's destination address, look up the first policy route matching the packet in the first VPN instance. The first network device is further configured to send the packet to the second network device through the first L3VPN tunnel as directed by the first policy route. The second network device stores a forwarding entry for the packet's destination address, which instructs the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used by the second network device to send the packet to the third network device. Optionally, the control and management device may be a controller or a network management device.

According to the communication system provided by the present application, the control and management device configures a policy route in the VPN instance of the first network device, steering packets through the spliced first and second L3VPN tunnels and giving the tenant access control over the network. The tenant's sites within the VPN can communicate with one another, and the service topology within the VPN can follow the user's requirements, making the networking more flexible.

With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the communication system further includes a fourth network device, with a third L3VPN tunnel established between the fourth network device and the first network device. The control and management device is further configured to send a second configuration message to the fourth network device. The second configuration message carries a second policy route and is used to bind that policy route in a second VPN instance bound to a second interface of the fourth network device. The second policy route indicates that the next hop toward the packet's destination address is the first network device. The fourth network device is configured to receive the packet on the second interface and, according to the packet's destination address, look up the second policy route matching the packet in the second VPN instance. The fourth network device is further configured to forward the packet to the first network device through the third L3VPN tunnel as directed by the second policy route. The first network device is specifically configured to receive the packet forwarded by the fourth network device.

In a fifth aspect, the present application provides an apparatus for forwarding packets, applied in an L3VPN, comprising an input interface, an output interface, a processor and a memory, which may be connected by a bus system. The memory stores programs, instructions or code, and the processor executes the programs, instructions or code in the memory to carry out the method of the first aspect or of any possible implementation of the first aspect.

In a sixth aspect, the present application provides a control and management device for use in an L3VPN, comprising an input interface, an output interface, a processor and a memory, which may be connected by a bus system. The memory stores programs, instructions or code, and the processor executes the programs, instructions or code in the memory to carry out the method of the second aspect.

In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program, the computer program comprising instructions for executing the method of the first aspect, of any possible implementation of the first aspect, and of the second aspect.

Description of drawings

To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present application;

FIG. 2(a) is a schematic flowchart of a method for forwarding packets according to an embodiment of the present application;

FIG. 2(b) is a schematic flowchart of a method for forwarding packets according to an embodiment of the present application;

FIG. 3 is a schematic flowchart of another method for forwarding packets according to an embodiment of the present application;

FIG. 4 is a schematic diagram of an apparatus for forwarding packets according to an embodiment of the present application;

FIG. 5 is a schematic diagram of an apparatus for forwarding packets according to an embodiment of the present application;

FIG. 6 is a schematic diagram of the hardware structure of an apparatus for forwarding packets according to an embodiment of the present application;

FIG. 7 is a schematic diagram of the hardware structure of an apparatus for forwarding packets according to an embodiment of the present application.

Detailed description of embodiments

The application scenarios described in the embodiments of the present application are intended to illustrate the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments. Those of ordinary skill in the art will appreciate that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments apply equally to similar technical problems.

Unless stated otherwise, the ordinal terms "first", "second", "third", "fourth" and "fifth" used in the embodiments of the present application serve to distinguish multiple objects and do not limit the order of those objects.

A "VPN instance" as used in the embodiments of the present application is an entity that a PE device establishes and maintains for a directly connected VPN site. Each VPN site has its own independent VPN instance on the PE device; that is, the PE device maintains separate VPN instances for different VPN sites. A VPN instance is usually also called a VPN routing and forwarding table (VRF). Each VRF corresponds to one VPN and has its own independent routing table, forwarding table, associated interfaces and management information, the management information including but not limited to the member interface list and route filtering policies. By deploying VRFs on PE devices so that the routes of different VPNs are kept in different VRFs, VPN route and traffic isolation is achieved.

A "control and management device" as used in the embodiments of the present application controls and/or manages the resources of the forwarding devices in the network; it includes but is not limited to a software-defined networking (SDN) controller and a network management device (hereinafter "network management system"). A forwarding device forwards and processes packets; it may be a conventional router, switch or other routing and forwarding device in a conventional Path Computation Element (PCE) network, or a router, switch or other routing and forwarding device in an SDN with separated control and forwarding planes. This is not limited in the embodiments of the present application.

An application scenario of an embodiment of the present application is described below by way of example with reference to FIG. 1.

FIG. 1 shows an L3VPN network 100 to which an embodiment of the present application applies. The network 100 includes a backbone provided by a service provider and multiple VPN sites. The backbone includes a first network device PE1, a second network device PE2, a third network device PE3, a fourth network device PE4, a fifth network device PE5, and several P (Provider) devices 110. The VPN sites are site1 to site6; site1, site2, site3 and site4 belong to VPN1, and site5 and site6 belong to VPN2. PE1 is the provider edge (PE) device directly connected to CE1; PE2 is the PE device directly connected to both CE2 and CE5; PE3 is the PE device directly connected to CE3; PE4 is the PE device directly connected to CE4; PE5 is the PE device directly connected to CE6. Host A in site1, with IP address 1.1.1.1, communicates with PE1 through CE1. Host B in site3, with IP address 1.1.1.2, communicates with PE3 through CE3. PE1 and PE2 are IBGP peers and communicate over an L3VPN tunnel. PE1 and PE4 are IBGP peers and communicate over an L3VPN tunnel. PE2 and PE3 are IBGP peers and communicate over an L3VPN tunnel. PE2 and PE4 are IBGP peers and communicate over an L3VPN tunnel. There is no direct L3VPN tunnel between PE1 and PE3, nor between PE4 and PE3. Under the BGP rules, after PE2 receives a route advertised by its IBGP peer PE3, it cannot advertise that route to its other IBGP peer PE1, nor, for the same reason, to its IBGP peer PE4. PE1 and PE4 therefore have routes to PE2 but no route to PE3. With no direct L3VPN tunnel between PE1 and PE3, host A cannot access host B even though bandwidth is available between PE2 and PE3, and arbitrary access control between the sites within VPN1 cannot be achieved.

An "L3VPN tunnel" as used in this application is a tunnel between PE devices that carries L3VPN services; it may be, for example, a static label switched path (LSP) tunnel, a tunnel based on Generic Routing Encapsulation (GRE), an LSP tunnel set up by the MPLS Label Distribution Protocol (LDP), or an MPLS Resource Reservation Protocol-Traffic Engineering (RSVP-TE) tunnel. This is not specifically limited in the embodiments of the present application.

The P devices 110 shown in FIG. 1, for example P routers, are backbone routers in the backbone network and are not directly connected to the user's CE devices. A P device has basic MPLS forwarding capability and maintains routes to the PEs; it does not need to know any VPN routing information.

A CE device is an edge device of the user network with an interface directly connected to a PE device. A CE device may be a router, a switch or a host. A CE device is not "aware" of the VPN and does not need to support Multiprotocol Label Switching (MPLS).

A PE device is an edge device of the service provider's network, usually a router. It is directly connected to the user's CE device, and all VPN processing takes place on the PE. After a CE establishes an adjacency with its directly connected PE, the CE advertises its own VPN routes to the PE and learns the routes of the remote VPN from the PE. The CE and PE exchange routing information using BGP or an Interior Gateway Protocol (IGP); static routes may also be used. Having learned the CE's VPN routes, the PE exchanges VPN routing information with other PEs through BGP. A PE router maintains the routing information of the VPNs directly connected to it and the VPN routes advertised by remote PEs, but does not maintain all VPN routing information in the service provider's network.

It should be understood that FIG. 1 shows, by way of example only, 5 PE devices, 2 VPNs, 5 P devices, 6 CE devices and 6 VPN sites; the network may include any other number of PE devices, VPNs, P devices, CE devices and VPN sites, which is not limited in the embodiments of the present application.

A method 200 for forwarding a packet in an L3VPN provided by an embodiment of the present application is described in detail below with reference to FIG. 2(a). The method 200 may be applied to the network 100 shown in FIG. 1, but the embodiments of the present application are not limited thereto. As shown in FIG. 2(a), the method 200 includes:

S201. The control and management device generates a first configuration message.

Specifically, the L3VPN includes a first network device, a second network device and a third network device. A first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. The control and management device generates a first configuration message, which carries a first policy route. The first configuration message is used to configure the first policy route in a first VPN instance bound to a first interface of the first network device. When the first network device receives a packet from the first interface, it forwards the packet as instructed by the first policy route. Hereinafter the first VPN instance is referred to as VRF1. The first policy route instructs the first network device to send a packet that is received from the first interface and matches the first policy route to the second network device. The first network device sends the packet to the second network device through the first L3VPN tunnel. The second network device stores a forwarding entry for the destination address of the packet and, as instructed by that forwarding entry, forwards the packet to the third network device. The second network device forwards the packet to the third network device through the second L3VPN tunnel.

In a specific implementation, with reference to FIG. 1, the first network device may for example be PE1 shown in FIG. 1. In another specific implementation, with reference to FIG. 1, the first network device may for example be PE4 shown in FIG. 1. A first interface of the first network device, for example interface 1, is bound to VRF1, and the network device configures the first policy route within VRF1. The first policy route may for example be: a packet whose destination address is 1.1.1.2 is sent from a second interface, for example interface 2, to the second network device. The second network device may for example be PE2 shown in FIG. 1. Optionally, the bandwidth that communication between the first network device and the second network device may occupy can also be configured in the first policy route. Those skilled in the art will understand that the first policy route can be configured according to the actual needs of the user, which is not specifically limited in the present application.

In a specific implementation, the control and management device may be a software-defined networking (SDN) controller. A controller may also be referred to as a control device, a control system, a control node, and the like. Optionally, the controller may specifically be a Smart Network Controller (SNC). In another specific implementation, the control and management device may be a network management system. However, the embodiments of the present application are not limited thereto. With reference to FIG. 1, where a tenant needs to communicate across multiple L3VPN tunnels, for example when host A needs to access host B, multiple L3VPN tunnels must be spliced together to satisfy that access requirement. The controller or network management system configures the first policy route on the first network device, which directs the first network device to forward the packet to the second network device.

It should be understood that, in the embodiments of the present application, the controller and the first network device may send the configuration message through a southbound interface protocol, for example the OpenFlow protocol, the BGP protocol or the Path Computation Element Communication Protocol (PCEP), in order to configure the first policy route, but the present application is not limited thereto.

Further, in the embodiments of the present application, the network management system and the first network device may send the configuration message based on the Simple Network Management Protocol (SNMP) or the Network Configuration Protocol (NETCONF), in order to configure the first policy route, but the present application is not limited thereto.

S202. The control and management device sends the first configuration message to the first network device.

S203. The first network device receives the first configuration message.

S204. The first network device obtains the first policy route according to the first configuration message.

The first network device obtains the first policy route from the first configuration message, saves it in the policy routing table of VRF1, and uses it to direct packet forwarding. The format of the policy routing table may for example be as shown in Table 1.

Table 1

Routing prefix    Protocol   Outgoing interface   Next hop
192.168.2.0/24    Direct     GE0/0/3              192.168.2.254
1.1.1.2/24        Direct     GE0/0/4              192.168.200.1

It should be understood that, with reference to FIG. 1, when host A wants to access host B, the controller or network management system may configure the first policy route only on PE1; in this case PE1 corresponds to the first network device described above, and the first policy route directs the packet to be forwarded from PE1 to PE2. PE2 has a route to host B, so after receiving the packet sent by PE1, PE2 looks up the pre-stored forwarding entry in its VPN instance, determines that the packet is to be forwarded to PE3, and thereby completes the access of host A to host B. Optionally, the controller or network management system may instead configure the first policy route on PE4 and a second policy route on PE1, the second policy route indicating that the next hop to the destination address of the packet is PE4. In this case PE4 corresponds to the first network device described above. When PE1 receives the packet sent by CE1, it forwards the packet to PE4 according to the second policy route. After receiving the packet sent by PE1, PE4 forwards it to PE2 as instructed by the first policy route, and finally the packet is forwarded via PE2 to PE3, completing the access of host A to host B.

In the embodiments of the present application, the first network device and the second network device communicate through the first L3VPN tunnel, the second network device and the third network device communicate through the second L3VPN tunnel, and there is no directly connected L3VPN tunnel between the first network device and the third network device. By having the control and management device configure a policy route in the VPN instance of the first network device, packets are steered to communicate through the spliced first L3VPN tunnel and second L3VPN tunnel, which implements the tenant's access control over the network. A tenant can also optimize network bandwidth and set up personalized service chains according to its needs; sites within the tenant's VPN can communicate with each other, and the service topology within the VPN can be arranged according to the user's needs, making networking more flexible.

Optionally, the L3VPN may further include a fourth network device. A third L3VPN tunnel is established between the fourth network device and the first network device. In a specific implementation, with reference to FIG. 1, the first network device is PE4, the second network device is PE2, the third network device is PE3 and the fourth network device is PE1. As shown in FIG. 2(b), the method 200 may further include S205 to S208.

S205. The control and management device generates a second configuration message.

Specifically, the control and management device generates the second configuration message, which carries a second policy route. The second configuration message is used to configure the second policy route in a second VPN instance bound to a second interface of the fourth network device. When the fourth network device receives a packet from the second interface, it forwards the packet as instructed by the second policy route. The second policy route instructs the fourth network device to send a packet that is received from the second interface and matches the second policy route to the first network device. The fourth network device sends the packet to the first network device through the third L3VPN tunnel.

S206. The control and management device sends the second configuration message to the fourth network device.

S207. The fourth network device receives the second configuration message.

S208. The fourth network device obtains the second policy route according to the second configuration message.

The specific implementation of S205 to S208 is similar to that of S201 to S204 and is not repeated here. The present application does not specifically limit the order in which S205 to S208 and S201 to S204 are executed: S205 to S208 may be executed either before or after S201 to S204.

A method 300 for forwarding a packet in an L3VPN provided by an embodiment of the present application is described in detail below with reference to FIG. 3. The L3VPN includes a first network device, a second network device and a third network device; a first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. The method may be applied to the network 100 shown in FIG. 1, but the embodiments of the present application are not limited thereto. As shown in FIG. 3, the method includes S301 to S303.

S301. The first network device receives a packet.

In a specific implementation, the first network device is a PE device and receives the packet sent by a first CE device. The first CE device is directly connected to the first network device. With reference to FIG. 1, the first PE device may specifically be PE1 and the first CE device may specifically be CE1.

In another specific implementation, the first network device receives the packet sent by a fourth network device. The fourth network device is configured with a second policy route, which indicates that the next hop to the destination address of the packet is the first network device. A third L3VPN tunnel is established between the fourth network device and the first network device and is used by the fourth network device to send the packet to the first network device. With reference to FIG. 1, the fourth network device may specifically be PE1 and the first network device may specifically be PE4.

S302. The first network device looks up a first policy route matching the packet according to the ingress interface on which the packet was received and the destination address of the packet.

Specifically, the ingress interface on which the first network device receives the packet, for example interface 1, is bound to a first VPN instance, VRF1 for short, in which the first policy route is configured. The first policy route may for example be: a packet whose destination address is 1.1.1.2 is sent from a second interface, for example interface 2, to the second network device. After receiving the packet, the first network device looks up in VRF1, according to the destination address of the packet, the first policy route matching the packet.

S303. The first network device forwards the packet to the second network device.

Specifically, the first network device determines, according to the first policy route, the outgoing interface for sending the packet and determines that the next-hop device is the second network device. The first network device sends the packet to the second network device through the first L3VPN tunnel. For example, when an MPLS network is used to transmit the packet, the first network device encapsulates the packet with an outer MPLS label and an inner VPN label, and the MPLS network uses the outer label of the packet to send it through the first L3VPN tunnel to the second network device. When the second network device receives the packet sent by the first network device, it looks up a forwarding entry according to the destination IP address of the packet and forwards the packet to the third network device. The second network device sends the packet to the third network device through the second L3VPN tunnel. After the third network device receives the packet sent by the second network device, it sends the packet to the second CE device directly connected to it. After receiving the packet, the second CE device sends it to its destination according to the normal IP packet forwarding procedure. With reference to FIG. 1, the second network device may specifically be PE2 shown in FIG. 1, the third network device may specifically be PE3 shown in FIG. 1, and the second CE device may specifically be CE3 shown in FIG. 1.
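The following Python model is an added example, not code from the application or from its assignee; it walks a packet through methods 200 and 300 as described above: a configuration message installs a policy route into the VRF bound to a PE interface, the PE matches on ingress interface plus destination address (S302) and steers the packet into the tunnel towards the next PE (S303), which forwards by its own VRF table. PE, CE, interface and tunnel names mirror FIG. 1 but are assumptions, and the addresses are constructed samples; the model also shows two cases the text implies but does not spell out: without the policy route PE1 has no path to host B, and a packet entering through an interface bound to another VPN instance never matches VRF1's policy route.

```python
"""Model of the stitched-L3VPN forwarding of methods 200 and 300.

Added example, not code from the application: the control/management device
installs a policy route into the VPN instance (VRF) bound to a PE interface,
the PE steers matching packets into an L3VPN tunnel towards the next PE, and
that PE forwards by its own VRF forwarding table. PE/CE/interface/tunnel
names mirror FIG. 1 but are assumptions; addresses are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class PolicyRoute:
    """One row of a VRF policy routing table (Table 1): prefix, out interface, next hop."""
    prefix: str
    out_interface: str
    next_hop: str            # far-end PE of the L3VPN tunnel to use

    def matches(self, dst: str) -> bool:
        return ip_address(dst) in ip_network(self.prefix, strict=False)


@dataclass
class PE:
    name: str
    interface_vrf: Dict[str, str] = field(default_factory=dict)               # ingress if -> VRF
    policy_routes: Dict[str, List[PolicyRoute]] = field(default_factory=dict)  # VRF -> rows
    forwarding_table: Dict[str, Dict[str, str]] = field(default_factory=dict)  # VRF -> prefix -> nh
    tunnels: Set[str] = field(default_factory=set)                            # PEs reachable by tunnel


def build_figure1_network() -> Dict[str, PE]:
    """Tunnels PE1-PE2, PE2-PE3, PE1-PE4 and PE4-PE2 exist; PE1 has no tunnel to PE3 (host B side)."""
    return {
        "PE1": PE("PE1", {"if1": "VRF1", "if3": "VRF2", "tun-PE4": "VRF1"},
                  forwarding_table={"VRF1": {"192.168.2.0/24": "CE1"}}, tunnels={"PE2", "PE4"}),
        "PE4": PE("PE4", {"tun-PE1": "VRF1"}, tunnels={"PE1", "PE2"}),
        "PE2": PE("PE2", {"tun-PE1": "VRF1", "tun-PE4": "VRF1"},
                  forwarding_table={"VRF1": {"1.1.1.0/24": "PE3"}}, tunnels={"PE1", "PE3", "PE4"}),
        "PE3": PE("PE3", {"tun-PE2": "VRF1"},
                  forwarding_table={"VRF1": {"1.1.1.0/24": "CE3"}}, tunnels={"PE2"}),
    }


def apply_configuration_message(network: Dict[str, PE], message: dict) -> None:
    """S201-S204 (and S205-S208): install the carried policy route in the named VRF of the PE.

    The VRF must be bound to some interface of that PE; a policy route can only ever
    affect packets entering through interfaces of its own VPN instance.
    """
    pe = network[message["device"]]
    if message["vrf"] not in pe.interface_vrf.values():
        raise ValueError(f"{pe.name}: VRF {message['vrf']} is bound to no interface")
    pe.policy_routes.setdefault(message["vrf"], []).append(message["policy_route"])


def lookup_policy_route(pe: PE, vrf: str, dst: str) -> Optional[PolicyRoute]:
    """S302: match on the VRF of the ingress interface and the destination address."""
    return next((pr for pr in pe.policy_routes.get(vrf, []) if pr.matches(dst)), None)


def lookup_forwarding(pe: PE, vrf: str, dst: str) -> Optional[str]:
    """Ordinary longest-prefix lookup in the VRF forwarding table (what PE2 and PE3 do)."""
    best = None
    for prefix, nh in pe.forwarding_table.get(vrf, {}).items():
        net = ip_network(prefix, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(network: Dict[str, PE], first_pe: str, ingress_if: str, dst: str) -> List[str]:
    """Trace a packet hop by hop; the path ends with a CE name or with 'DROP'."""
    pe, cur_if, path = network[first_pe], ingress_if, [first_pe]
    while True:
        vrf = pe.interface_vrf.get(cur_if)
        if vrf is None:                       # ingress interface bound to no VPN instance
            return path + ["DROP"]
        pr = lookup_policy_route(pe, vrf, dst)
        nh = pr.next_hop if pr else lookup_forwarding(pe, vrf, dst)   # S303 / plain lookup
        if nh is None:
            return path + ["DROP"]
        if nh not in network:                 # a CE: the packet leaves the L3VPN here
            return path + [nh]
        if nh not in pe.tunnels:              # no L3VPN tunnel towards the chosen next hop
            return path + ["DROP"]
        path.append(nh)
        pe, cur_if = network[nh], f"tun-{path[-2]}"   # arrives on the tunnel ingress interface


if __name__ == "__main__":
    net = build_figure1_network()
    print("no policy route:", forward(net, "PE1", "if1", "1.1.1.2"))
    apply_configuration_message(net, {"device": "PE1", "vrf": "VRF1",
                                      "policy_route": PolicyRoute("1.1.1.2/24", "if2", "PE2")})
    print("first policy route on PE1:", forward(net, "PE1", "if1", "1.1.1.2"))
    print("same destination from VRF2:", forward(net, "PE1", "if3", "1.1.1.2"))
```

The second variant of the text (second policy route on PE1 pointing at PE4, first policy route on PE4 pointing at PE2) is exercised by applying two configuration messages to a fresh network and tracing the same packet.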

According to the method provided by the embodiment of the present application described above, by configuring the first policy route in the VRF of the first network device, packets are steered to communicate through the spliced first L3VPN tunnel and second L3VPN tunnel, which implements the tenant's access control over the network. Sites within the tenant's VPN can communicate with each other. The service topology within the VPN can be arranged according to the user's needs rather than being limited to the traditional full-mesh or hub-spoke topologies, so networking is more flexible.

FIG. 4 is a schematic diagram of a control and management device for forwarding packets in an L3VPN according to an embodiment of the present application. The L3VPN includes a first network device, a second network device and a third network device; a first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. The device may be used to perform the method 200 shown in FIG. 2. As shown in FIG. 4, the device includes a processing module 401 and a sending module 402.

The processing module 401 is configured to generate a first configuration message, which is used to configure a first policy route in the VPN instance bound to a first interface of the first network device; the first policy route indicates that the next hop to the destination address of the packet is the second network device.

The sending module 402 is configured to send the first configuration message to the first network device.

The first L3VPN tunnel is used by the first network device to send the packet to the second network device. The second network device stores a forwarding entry for the destination address of the packet, which instructs the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used by the second network device to send the packet to the third network device.

According to the control and management device provided by the embodiment of the present application described above, by configuring the first policy route in the VRF of the first network device, packets are steered to communicate through the spliced first L3VPN tunnel and second L3VPN tunnel, which implements the tenant's access control over the network. Sites within the tenant's VPN can communicate with each other. The service topology within the VPN can be arranged according to the user's needs rather than being limited to the traditional full-mesh or hub-spoke topologies, so networking is more flexible.

In the embodiments of the present application, the first network device and the second network device communicate through the first L3VPN tunnel, the second network device and the third network device communicate through the second L3VPN tunnel, and there is no directly connected L3VPN tunnel between the first network device and the third network device. By having the control and management device configure a policy route in the VPN instance of the first network device, packets are steered to communicate through the spliced first L3VPN tunnel and second L3VPN tunnel, which implements the tenant's access control over the network. A tenant can also optimize network bandwidth and set up personalized service chains according to its needs; sites within the tenant's VPN can communicate with each other, and the service topology within the VPN can be arranged according to the user's needs, making networking more flexible.

Optionally, the L3VPN further includes a fourth network device, and a third L3VPN tunnel is established between the fourth network device and the first network device. The processing module 401 is further configured to generate a second configuration message, which is used to configure a second policy route in a second VPN instance bound to a second interface of the fourth network device. The second policy route indicates that the next hop to the destination address of the packet is the first network device. The fourth network device receives the packet through the second interface and looks up in the second VPN instance, according to the destination address of the packet, the second policy route matching the packet. As instructed by the second policy route, the fourth network device sends the packet to the first network device through the third L3VPN tunnel.

FIG. 5 is a schematic diagram of an apparatus 500 for forwarding packets according to another embodiment of the present application. The apparatus 500 is applied in an L3VPN that includes a first network device, a second network device and a third network device. A first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. The apparatus 500 is located in the first network device. The first network device may for example be PE1 or PE4 shown in FIG. 1, and the apparatus 500 may be used to perform the method 300 shown in FIG. 3. The apparatus 500 includes a receiving module 501, a processing module 502 and a sending module 503.

The receiving module 501 is configured to receive a packet. The processing module 502 is configured to look up, according to the ingress interface on which the packet was received and the destination address of the packet, a first policy route matching the packet in the VPN instance bound to the ingress interface. The first policy route indicates that the next hop to the destination address of the packet is the second network device. The sending module 503 is configured to send the packet to the second network device through the first L3VPN tunnel. In a specific implementation, the receiving module 501 is specifically configured to receive the packet sent by a first CE device; that is, the first network device is a first PE device directly connected to the CE device. In another specific implementation, the L3VPN further includes a fourth network device, and the receiving module is configured to receive the packet sent by the fourth network device, where the fourth network device is configured with a second policy route indicating that the next hop to the destination address of the packet is the first network device, and a third L3VPN tunnel is established between the fourth network device and the first network device and is used by the fourth network device to send the packet to the first network device. Specifically, in the embodiments of the present application, the first network device may be a first PE device directly connected to the first CE device, the second network device may be a second PE device directly connected to a second CE device, the third network device may be a third PE device directly connected to a third CE device, and the fourth network device may be a fourth PE device directly connected to a fourth CE device. The first to fourth CE devices are located in 4 different VPN sites but belong to the same VPN.

FIG. 6 is a schematic diagram of an apparatus 600 for forwarding packets according to an embodiment of the present application. The apparatus 600 is applied in an L3VPN and may be used to perform the method 200 shown in FIG. 2. As shown in FIG. 6, the apparatus 600 includes an input interface 601, an output interface 602, a processor 603 and a memory 604. The input interface 601, the output interface 602, the processor 603 and the memory 604 may be connected through a bus system 605.

The memory 604 is configured to store programs, instructions or code. The processor 603 is configured to execute the programs, instructions or code in the memory 604 so as to control the input interface 601 to receive signals and the output interface 602 to send signals, thereby completing the relevant operations of the method 200.

FIG. 7 is a schematic diagram of an apparatus 700 for forwarding packets according to an embodiment of the present application. The apparatus 700 is applied in an L3VPN that includes a first network device, a second network device and a third network device. A first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device. The apparatus 700 is located in the first network device. The first network device may for example be PE1 or PE4 shown in FIG. 1, and the apparatus 700 may be used to perform the method 200 shown in FIG. 2 and the method 300 shown in FIG. 3. The apparatus 700 includes an input interface 701, an output interface 702, a processor 703 and a memory 704. The input interface 701, the output interface 702, the processor 703 and the memory 704 may be connected through a bus system 705.

The memory 704 is configured to store programs, instructions or code. The processor 703 is configured to execute the programs, instructions or code in the memory 704 so as to control the input interface 701 to receive signals and the output interface 702 to send signals, thereby completing the relevant operations of the method 200 and the method 300.

It should be understood that, in the embodiments of the present application, the processor 603 and the processor 703 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.

The memory 604 and the memory 704 may include read-only memory and random access memory, and provide instructions and data to their respective processors. A part of the memory may also include non-volatile random access memory. For example, the memory may also store device type information.

In addition to a data bus, the bus system 605 and the bus system 705 may also include a power bus, a control bus, a status signal bus and the like. For clarity, however, the various buses are all labeled as the bus system in the figures.

During implementation, the steps of the methods 200 and 300 may be completed by integrated logic circuits of hardware in the processor 603 and the processor 703 or by instructions in the form of software. The steps of the method disclosed in conjunction with the embodiments of the present application may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in each of the memories described above; each processor reads the information in its corresponding memory and completes the steps of the methods 200 and 300 in combination with its hardware. To avoid repetition, details are not described here again.

需要说明的是,图4-7提供的装置,应用于图1所示的网络100中,实现转发报文的方法。一个具体的实现方式中,图4中的处理模块401可以用图6中的处理器603实现,发送模块402可以由图6中的输出接口602实现。图5中的处理模块502可以用图7中的处理器703实现,发送模块503可以由图7中的输出接口702实现,接收模块501可以由图7中的输入接口701实现。It should be noted that the apparatuses provided in FIGS. 4-7 are applied to the network 100 shown in FIG. 1 to implement a method for forwarding packets. In a specific implementation manner, the processing module 401 in FIG. 4 may be implemented by the processor 603 in FIG. 6 , and the sending module 402 may be implemented by the output interface 602 in FIG. 6 . The processing module 502 in FIG. 5 can be implemented by the processor 703 in FIG. 7 , the sending module 503 can be implemented by the output interface 702 in FIG. 7 , and the receiving module 501 can be implemented by the input interface 701 in FIG. 7 .

本申请还提供了一种通信系统,包括用于向PE设备配置策略路由的控制管理设备以及PE设备。所述控制管理设备可以是图4、图6对应的实施例所提供的设备。所述PE设备可以是图5、图7对应的实施例所提供的装置。所述通信系统用于执行图2-图3对应的实施例的方法200和方法300。The present application also provides a communication system, including a control and management device for configuring a policy route to a PE device, and a PE device. The control management device may be the device provided by the embodiments corresponding to FIG. 4 and FIG. 6 . The PE device may be the apparatus provided by the embodiments corresponding to FIG. 5 and FIG. 7 . The communication system is used to execute the method 200 and the method 300 of the embodiments corresponding to FIGS. 2-3 .

应理解,在本申请的各种实施例中,各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It should be understood that, in various embodiments of the present application, the size of the sequence numbers of each process does not imply the sequence of execution, and the execution sequence of each process should be determined by its function and internal logic, and should not be used in the embodiments of the present application. Implementation constitutes any limitation.

本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的模块及方法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those of ordinary skill in the art can realize that the modules and method steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.

所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和模块的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the system, device and module described above can refer to the corresponding process in the foregoing method embodiments, which is not repeated here.

本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请所描述的功能可以用硬件、软件或它们的任意组合来实现。所述功能如果以软件功能模块的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in this application may be implemented in hardware, software, or any combination thereof. If the functions are implemented in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution, and the computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

本说明书的各个部分均采用递进的方式进行描述,各个实施例之间相同相似的部分互相参见即可,每个实施例重点介绍的都是与其他实施例不同之处。尤其,对于装置和系统实施例而言,由于其基本相似于方法实施例,所以描述的比较简单,相关之处参见方法实施例部分的说明即可。Each part of this specification is described in a progressive manner, and the same and similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the points that are different from other embodiments. In particular, as for the apparatus and system embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and for related parts, please refer to the descriptions in the method embodiments.

最后,需要说明的是:以上所述仅为本申请技术方案的较佳实施例而已,并非用于限定本申请的保护范围。显然,本领域技术人员可以对本申请进行各种改动和变型而不脱离本申请的范围。倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。Finally, it should be noted that the above descriptions are only preferred embodiments of the technical solutions of the present application, and are not intended to limit the protection scope of the present application. Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the scope of the present application. If these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, any modifications, equivalent replacements, improvements, etc. made should be included within the protection scope of the present application.

Claims (10)

1. A method for forwarding a packet in a Layer 3 virtual private network (L3VPN), wherein the L3VPN comprises a first network device, a second network device and a third network device, a first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device, the method comprising:
the first network device obtains a first policy route from a control management device;
the first network device configures the first policy route in a first VPN instance bound to a first interface, where the first policy route is used to instruct the first network device to send a packet, which is received from the first interface and matches the first policy route, to the second network device;
the first network device receives a packet from the first interface, and searches, in the first VPN instance, for the first policy route matched with the packet according to the destination address of the packet, where the first policy route is used to indicate that the next hop reaching the destination address of the packet is the second network device;
the first network device sends the packet to the second network device through the first L3VPN tunnel; wherein
the second network device stores a forwarding table entry reaching the destination address of the packet, where the forwarding table entry is used to instruct the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used for the second network device to send the packet to the third network device.
2. The method according to claim 1, wherein the first network device is a provider edge (PE) device, and the receiving, by the first network device, of the packet specifically comprises:
the PE device receives the packet sent by a customer edge (CE) device.
3. The method according to claim 1, wherein the receiving, by the first network device, of the packet specifically comprises:
the first network device receives the packet sent by a fourth network device, where the fourth network device is configured with a second policy route, the second policy route is used to indicate that the next hop reaching the destination address of the packet is the first network device, a third L3VPN tunnel is established between the fourth network device and the first network device, and the third L3VPN tunnel is used for the fourth network device to send the packet to the first network device.
4. An apparatus for forwarding a packet, the apparatus being applied to an L3VPN, the L3VPN comprising a first network device, a second network device and a third network device, a first L3VPN tunnel being established between the first network device and the second network device, a second L3VPN tunnel being established between the second network device and the third network device, the apparatus being located in the first network device, the apparatus comprising a receiving module, a processing module and a sending module, wherein
the processing module is configured to obtain a first policy route from a control management device, and to configure the first policy route in a first VPN instance bound to a first interface, where the first policy route is used to instruct the first network device to send a packet, which is received from the first interface and matches the first policy route, to the second network device;
the receiving module is configured to receive a packet from the first interface;
the processing module is further configured to search, in the first VPN instance, for the first policy route matched with the packet according to the destination address of the packet, where the first policy route is used to indicate that the next hop reaching the destination address of the packet is the second network device;
the sending module is configured to send the packet to the second network device through the first L3VPN tunnel; wherein
the second network device stores a forwarding table entry reaching the destination address of the packet, where the forwarding table entry is used to instruct the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used for the second network device to send the packet to the third network device.
5. The apparatus according to claim 4, wherein the first network device is a provider edge (PE) device, and the receiving module is specifically configured to receive the packet sent by a customer edge (CE) device.
6. The apparatus according to claim 4, wherein the L3VPN further comprises a fourth network device, and the receiving module is configured to receive the packet sent by the fourth network device, where the fourth network device is configured with a second policy route, the second policy route is used to indicate that the next hop reaching the destination address of the packet is the first network device, a third L3VPN tunnel is established between the fourth network device and the first network device, and the third L3VPN tunnel is used for the fourth network device to send the packet to the first network device.
7. A communication system for forwarding a packet, applied in a Layer 3 virtual private network (L3VPN), comprising a control management device, a first network device, a second network device and a third network device, wherein a first L3VPN tunnel is established between the first network device and the second network device, and a second L3VPN tunnel is established between the second network device and the third network device, wherein
the control management device is configured to send a first configuration message to the first network device, where the first configuration message carries a first policy route, and the first configuration message is used to configure the first policy route in a first VPN instance bound to a first interface of the first network device;
the first network device is configured to receive a packet from the first interface, and to search, in the first VPN instance, for the first policy route matched with the packet according to the destination address of the packet, where the first policy route is used to indicate that the next hop reaching the destination address of the packet is the second network device;
the first network device is further configured to send the packet to the second network device through the first L3VPN tunnel as indicated by the first policy route; wherein
the second network device stores a forwarding table entry reaching the destination address of the packet, where the forwarding table entry is used to instruct the second network device to forward the packet to the third network device, and the second L3VPN tunnel is used for the second network device to send the packet to the third network device.
8. The communication system according to claim 7, wherein the first network device is a provider edge (PE) device, and the first network device is specifically configured to receive the packet sent by a customer edge (CE) device.
9. The communication system according to claim 7, further comprising a fourth network device that establishes a third L3VPN tunnel with the first network device, wherein
the control management device is further configured to send a second configuration message to the fourth network device, where the second configuration message carries a second policy route, and the second configuration message is used to bind the second policy route to a second VPN instance that is bound to a second interface of the fourth network device;
the fourth network device is configured to receive the packet from the second interface, and to search, in the second VPN instance, for the second policy route matched with the packet according to the destination address of the packet, where the second policy route is used to indicate that the next hop reaching the destination address of the packet is the first network device;
the fourth network device is further configured to forward the packet to the first network device through the third L3VPN tunnel as indicated by the second policy route;
the first network device is specifically configured to receive the packet forwarded by the fourth network device.
10. A computer-readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 3.
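The forwarding chain that claims 1, 3, 7 and 9 describe (a controller installs a policy route in the VPN instance bound to an ingress interface; the policy route is consulted before the VPN forwarding table; the next hop is reached over an L3VPN tunnel; only the second device holds the forwarding entry toward the third) can be traced with the following Python model. It is an added example, not code from the patent or from Huawei; the device names PE1 to PE4, tunnel names t1 to t3, interface name ge0/0/1 and the prefix 10.2.0.0/16 are constructed for illustration, and the tunnels are modelled as direct handoffs between device objects rather than real encapsulation. It also runs the path without the policy route, to show that the first device then has no way to reach the destination.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    dst: str
    hops: list = field(default_factory=list)  # device names traversed, for checking the path


class VpnInstance:
    """A VPN instance (VRF): controller-installed policy routes, then ordinary forwarding entries."""

    def __init__(self, name):
        self.name = name
        self.policy_routes = []     # (prefix, next-hop device); consulted first, in install order
        self.forwarding_table = []  # (prefix, next-hop device); longest prefix match

    def lookup_policy(self, dst):
        addr = ip_address(dst)
        for prefix, next_hop in self.policy_routes:
            if addr in prefix:
                return next_hop
        return None

    def lookup_forwarding(self, dst):
        addr = ip_address(dst)
        matches = [(p, nh) for p, nh in self.forwarding_table if addr in p]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


class NetworkDevice:
    """A PE-style device: interfaces bound to VPN instances, L3VPN tunnels to peer devices."""

    def __init__(self, name):
        self.name = name
        self.bindings = {}  # interface name -> VpnInstance
        self.tunnels = {}   # peer device name -> (tunnel name, peer device, peer tunnel interface)
        self.local = []     # (prefix, VpnInstance) reachable through an attached CE

    def bind(self, iface, vrf):
        self.bindings[iface] = vrf

    def receive(self, iface, pkt):
        pkt.hops.append(self.name)
        vrf = self.bindings[iface]
        addr = ip_address(pkt.dst)
        for prefix, local_vrf in self.local:  # destination sits behind this device's own CE
            if local_vrf is vrf and addr in prefix:
                return "delivered", pkt
        # The policy route wins over the VPN forwarding table; a miss on both drops the packet.
        next_hop = vrf.lookup_policy(pkt.dst) or vrf.lookup_forwarding(pkt.dst)
        if next_hop is None or next_hop.name not in self.tunnels:
            return "dropped", pkt
        _, peer, peer_iface = self.tunnels[next_hop.name]
        return peer.receive(peer_iface, pkt)


def establish_l3vpn_tunnel(a, a_vrf, b, b_vrf, name):
    """Model an L3VPN tunnel between a and b; each end terminates in that device's VPN instance."""
    a.bind(f"{name}@{a.name}", a_vrf)
    b.bind(f"{name}@{b.name}", b_vrf)
    a.tunnels[b.name] = (name, b, f"{name}@{b.name}")
    b.tunnels[a.name] = (name, a, f"{name}@{a.name}")


class ControlManagementDevice:
    """Pushes a policy route into the VPN instance bound to the given interface of a device."""

    def configure_policy_route(self, device, iface, prefix, next_hop):
        device.bindings[iface].policy_routes.append((ip_network(prefix), next_hop))


def run_scenario(dst, with_policy=True, from_fourth=False):
    """Build the constructed topology PE4 -t3- PE1 -t1- PE2 -t2- PE3 and forward one packet."""
    pe1, pe2, pe3, pe4 = (NetworkDevice(n) for n in ("PE1", "PE2", "PE3", "PE4"))
    vrf = {d.name: VpnInstance("vpn-a") for d in (pe1, pe2, pe3, pe4)}
    pe1.bind("ge0/0/1", vrf["PE1"])  # the "first interface", CE-facing
    pe4.bind("ge0/0/1", vrf["PE4"])  # the "second interface" on the fourth device
    establish_l3vpn_tunnel(pe1, vrf["PE1"], pe2, vrf["PE2"], "t1")
    establish_l3vpn_tunnel(pe2, vrf["PE2"], pe3, vrf["PE3"], "t2")
    establish_l3vpn_tunnel(pe4, vrf["PE4"], pe1, vrf["PE1"], "t3")
    # Only PE2 holds a forwarding entry for the destination; the site is attached to PE3.
    vrf["PE2"].forwarding_table.append((ip_network("10.2.0.0/16"), pe3))
    pe3.local.append((ip_network("10.2.0.0/16"), vrf["PE3"]))
    if with_policy:
        controller = ControlManagementDevice()
        controller.configure_policy_route(pe1, "ge0/0/1", "10.2.0.0/16", pe2)  # first policy route
        controller.configure_policy_route(pe4, "ge0/0/1", "10.2.0.0/16", pe1)  # second policy route
    ingress = pe4 if from_fourth else pe1
    status, pkt = ingress.receive("ge0/0/1", Packet(dst))
    return status, pkt.hops


if __name__ == "__main__":
    print(run_scenario("10.2.1.1"))                     # ('delivered', ['PE1', 'PE2', 'PE3'])
    print(run_scenario("10.2.1.1", from_fourth=True))   # ('delivered', ['PE4', 'PE1', 'PE2', 'PE3'])
    print(run_scenario("10.2.1.1", with_policy=False))  # ('dropped', ['PE1'])
```

Because the policy route is looked up ahead of the VPN instance's forwarding table, the configuration channel from the control management device to each PE is what decides where customer traffic in that VPN instance goes; auditing which policy routes are installed in each VPN instance, and which interfaces they are bound to, is the practical check that a deployment of this scheme calls for.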
CN201610902960.6A 2016-10-17 2016-10-17 A method, device and system for forwarding messages Active CN107959611B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610902960.6A CN107959611B (en) 2016-10-17 2016-10-17 A method, device and system for forwarding messages

Publications (2)

Publication Number Publication Date
CN107959611A CN107959611A (en) 2018-04-24
CN107959611B true CN107959611B (en) 2021-03-23

Family

ID=61953830

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610902960.6A Active CN107959611B (en) 2016-10-17 2016-10-17 A method, device and system for forwarding messages

Country Status (1)

Country Link
CN (1) CN107959611B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768861B (en) * 2018-06-29 2021-01-08 新华三信息安全技术有限公司 Method and device for sending service message
CN111092801B (en) * 2018-10-23 2021-05-18 华为技术有限公司 Data transmission method and device
CN109617814B (en) * 2019-01-11 2021-07-27 安徽皖兴通信息技术有限公司 Method for forwarding packet access network policy
CN114205297B (en) * 2020-08-28 2024-05-17 华为技术有限公司 Traffic forwarding processing method and device
CN115118655B (en) * 2022-06-21 2023-12-12 阿里巴巴(中国)有限公司 Cross-network message forwarding method and device, electronic equipment and readable storage medium
CN115883356A (en) * 2022-11-30 2023-03-31 中盈优创资讯科技有限公司 Method and device for opening L3VPN service of white box equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102394804A (en) * 2011-11-02 2012-03-28 中兴通讯股份有限公司 VPN system building method and VPN system
CN102449964A (en) * 2011-07-22 2012-05-09 华为技术有限公司 Three-layer virtual private network routing control method, device and system
WO2013154813A1 (en) * 2012-04-13 2013-10-17 Nicira, Inc. Extension of logical networks across layer 3 virtual private networks
CN104980347A (en) * 2014-04-04 2015-10-14 华为技术有限公司 Tunnel establishing method and tunnel establishing device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2227883B1 (en) * 2008-01-09 2012-05-02 Telefonaktiebolaget L M Ericsson (publ) Setting up a virtual private network

Also Published As

Publication number Publication date
CN107959611A (en) 2018-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant